Solid Security
Fixes
- Update Password Strength library to the latest version. This fixes discrepancies between the realtime password strength estimation and the enforced password strength.
Security
- Prevent open redirect attacks against the Enforce SSL module. This attack requires spoofing the Host header, which requires additional conditions to exploit. Thanks to nlpro for reporting the issue. Read More: https://ithemes.com/?p=84309
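An added example (not Solid Security's own code) of the defensive pattern behind this fix: an "enforce SSL" redirect that builds its target from the configured site URL rather than from the request's Host header. The weak variant copies whatever host the client sent, so a spoofed Host header turns the redirect into an open redirect; the hardened variant only compares the request host against configuration and never echoes it. The `$configured_site_url` parameter and the sample requests are constructed for the demonstration.

```php
<?php
// Added example, not part of the plugin. Builds the HTTPS redirect target for
// an "enforce SSL" check without trusting the Host header.

/**
 * Weak form: the redirect host comes straight from the request, so a spoofed
 * Host header sends the browser to an attacker-chosen domain.
 */
function weak_https_redirect_target(array $server): string {
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

/**
 * Hardened form: the host is taken from trusted configuration (assumed to be
 * the site address setting; in WordPress that is what home_url() returns),
 * the request host is only compared against it, and the request URI is
 * reduced to a rooted path plus query so no scheme or authority can leak in.
 * Returns null when no redirect should be issued.
 */
function hardened_https_redirect_target(array $server, string $configured_site_url): ?string {
    $site_host = parse_url($configured_site_url, PHP_URL_HOST);
    if (!is_string($site_host) || $site_host === '') {
        return null; // misconfiguration: refuse to redirect rather than guess
    }

    // Only redirect requests that were actually addressed to this site.
    $request_host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $request_host = preg_replace('/:\d+$/', '', $request_host); // drop any port
    if ($request_host !== strtolower($site_host)) {
        return null;
    }

    // Normalise to a single-slash-rooted path. A value such as "//evil.example/x"
    // would otherwise be read by browsers as a protocol-relative URL when it is
    // echoed into a Location header.
    $uri   = (string) ($server['REQUEST_URI'] ?? '/');
    $uri   = '/' . ltrim($uri, "/\\");
    $path  = parse_url($uri, PHP_URL_PATH) ?: '/';
    $query = parse_url($uri, PHP_URL_QUERY);

    return 'https://' . $site_host . $path
        . (($query !== null && $query !== '') ? '?' . $query : '');
}

// Constructed sample requests.
$legit   = ['HTTP_HOST' => 'example.com',      'REQUEST_URI' => '/wp-admin/?page=1'];
$spoofed = ['HTTP_HOST' => 'attacker.example', 'REQUEST_URI' => '/wp-admin/'];
$tricky  = ['HTTP_HOST' => 'example.com',      'REQUEST_URI' => '//attacker.example/x'];

var_dump(weak_https_redirect_target($spoofed));                           // "https://attacker.example/wp-admin/"
var_dump(hardened_https_redirect_target($spoofed, 'http://example.com')); // NULL
var_dump(hardened_https_redirect_target($legit,   'http://example.com')); // "https://example.com/wp-admin/?page=1"
var_dump(hardened_https_redirect_target($tricky,  'http://example.com')); // "https://example.com/attacker.example/x"
```

In a WordPress context the same idea is what `wp_safe_redirect()` enforces at the point of redirect: it only allows hosts that match the site or the `allowed_redirect_hosts` filter, so the configured host, not the request, decides the destination.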
Tweaks
- Add "All" tab to the Features page.
- Don't show "Ban" buttons in Security Dashboard if the user won't be able to create a ban.
Fixes
- Prevent Headers Already Sent warning when a lockout occurs during a WP Cron request on some server setups.
- Manually load Sodium Polyfill for servers that have an older version of libsodium installed.
- Error when saving the File Change settings when the "notify_admin" setting was set.
- Prevent a redirect loop when logging in on sites that take more than 5 seconds to load the Dashboard.
Fixes
- File Logs not rotating.
- PHP warning when loading Icon Fonts in certain configurations.
- Don't attempt to Hide Backend when a Cron request is being processed.
- Prevent entering invalid date values when selecting a custom date range in the Security Dashboard.
- Preliminary PHP 8.1 compatibility.
- File Change "notify_admin" settings validation error.
Tweaks
- iThemes Security now requires PHP 7.3 and WordPress 5.9 or later.
- Add "Ban Lockout" button to the Active Lockouts card.
- Thanks to Calvin Alkan for reporting the security issues fixed in this release.
Security
- Add support for encrypting Two-Factor Mobile App secrets. Enable via Tools -> Set Encryption Key.
- Deprecate Automatic Proxy Detection. Instead, manually configure Proxy Detection or use Security Check. This fixes IP spoofing attacks.
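An added example (not Solid Security's own code) showing why automatic proxy detection is spoofable and what a manually configured proxy list changes. The "automatic" variant honours a forwarding header from any request, so a locked-out client can present a fresh address on every attempt; the configured variant only consults the header when the TCP peer is one of the operator-listed proxies, and walks the chain from the right so it returns the first address a trusted proxy actually observed. The `$trusted_proxies` list, the header name and the sample requests are constructed for the demonstration.

```php
<?php
// Added example, not part of the plugin. Resolves the client IP that lockout
// and ban logic would key on.

/**
 * Automatic-detection style: uses X-Forwarded-For whenever it is present.
 * Any client can send that header, so the result is attacker-controlled.
 */
function automatic_client_ip(array $server): string {
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

/**
 * Manual proxy configuration: $trusted_proxies is the operator-supplied list
 * of proxy addresses (assumed to come from settings). The forwarding header
 * is ignored unless the direct peer is a trusted proxy, and trusted hops are
 * skipped from the right so a value the client prepended is never chosen.
 */
function configured_client_ip(array $server, array $trusted_proxies, string $header = 'HTTP_X_FORWARDED_FOR'): string {
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct connection: forwarding headers mean nothing
    }

    $chain = array_map('trim', explode(',', (string) ($server[$header] ?? '')));
    $chain = array_filter($chain, function ($ip) {
        return filter_var($ip, FILTER_VALIDATE_IP) !== false; // drop junk values
    });

    // Each trusted proxy appended the address it saw, so walk right to left.
    foreach (array_reverse($chain) as $ip) {
        if (!in_array($ip, $trusted_proxies, true)) {
            return $ip;
        }
    }
    return $remote; // every hop was a trusted proxy; fall back to the peer
}

$trusted = ['10.0.0.5'];

// Constructed: client connects directly and forges the header.
$direct_forged = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.77'];
// Constructed: request via the trusted proxy; the client also prepended a fake value.
$via_proxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 203.0.113.9'];

echo automatic_client_ip($direct_forged), "\n";            // 198.51.100.77 (spoofed)
echo configured_client_ip($direct_forged, $trusted), "\n"; // 203.0.113.9
echo configured_client_ip($via_proxy, $trusted), "\n";     // 203.0.113.9
```

The practical check for operators is the one the changelog points at: the trusted-proxy list must contain exactly the addresses that terminate connections in front of the site, and nothing else, otherwise the fallback to `REMOTE_ADDR` either locks out the proxy itself or lets forged headers through.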
Tweaks
- Require a Title when creating a new Dashboard.
Fixes
- Don't attempt to send a Site Scan notification for clean scans. This prevents a fatal error after scheduled site scans.
Fixes
- Error when visiting the Notifications page after activating a module with notifications for the first time.
- Update deprecated withState usages to useState.
Features
- Include the full iThemes Security Site Scanner in iThemes Security Free. Scheduled scans are disabled by default.
Fixes
- Scroll to top of window when navigating.
- Allow searching for Password Requirements.
- Don't load WordPress and System Tweaks modules when the ITSEC_DISABLE_MODULES constant is enabled.
- Prevent incidentally loading the Two-Factor module when it is unregistered.
- Conditionally display the NGINX File Path setting.
- Allow saving Notifications when "default recipients must contain at least 1 item" error is present.
- Help styling on WordPress 5.9.
- Compatibility with plugins that expected a logged-in user during lockouts.
Tweaks
- iThemes Security now requires WordPress 5.8 or later.
- Add new "Go Pro" page that includes an overview of features in iThemes Security Pro.
Features
- Reintroduce Feature Flags management UI.
Fixes
- When the Change Admin User tool is run, update any User Groups referencing the old user id.
- WordPress footer would appear in the middle of the logs page.
- Add missing translation strings file.
Tweaks
- Reposition "Advanced" and "Tools" menu items to be more readable on lengthy screens.
Fixes
- Sites that did not support HTTPS but had the SSL module active (though not configured) were redirected to the HTTPS version of the site on upgrade.
- Unregister the iThemes Security Two-Factor module when the Two-Factor Feature Plugin is enabled.
- Allow activation on WordPress 5.7.0.
- Add missing textdomains.
Features
- iThemes Security gets a redesigned interface focused on making it easier to configure and find what you're looking for. Read More: https://ithemes.com/?p=65086.
- Instantly search over everything in iThemes Security with a new instant search feature.
- Relevant content from the Help Center, iThemes Blog, and iThemes YouTube channel is surfaced in a new Help area based on the current page. Click the "Help" button in the toolbar or the "Info" icon next to the page title to access it.
- Two-Factor is now part of the core iThemes Security plugin.
Fixes
- Fix fatal errors when using PHP 8.
- Fix infinite loop when restricting who can use App Passwords on multisite installs.
- Ensure the ITSEC_Setup class does not exist before trying to load it.
- Display schema errors on multisite in the Network Admin.
- Labels for Disable PHP Execution in Plugins and Themes were reversed.
- Add missing constants to the debug page.
- Remove deleted recipients when saving notifications.
- Correct Site Scan statuses for scans with no issues.
Tweaks
- iThemes Security now requires WordPress 5.7 and PHP 7.0 or later.
- Security Tools have been grouped into their own page. "Identify Server IPs" and "Security Check Pro" can be run manually without using Debug Mode.
- The settings UI is now fully responsive and works great across mobile, tablet, and desktop devices.
- Improved keyboard and screen reader support.
- The Banned Users Card can add multiple bans at once.
- Add a new Global setting to control "Automatically Temporarily Authorize Hosts".
- When the Global setting "Hide Security Menu in Admin Bar" is enabled, notices will no longer be printed on non-iThemes Security pages. Instead, you can access the Message Center from the Settings or Dashboard toolbars.
- The Database Backups module is no longer available if you have BackupBuddy installed. If this behavior isn't desired, enable the "ITSEC_ENABLE_BACKUPS" constant.
- The Geolocation API configuration used by Trusted Devices has been moved into its own dedicated "Geolocation" module.
- Move "Have I Been Pwned" integration to the Core plugin.
- Reduce filename length and complexity for built CSS and JS files.
- The following modules have been removed: 404 Detection, Away Mode, Change Content Directory, and Multisite Tweaks.
- The following WordPress and System Tweaks have been removed: Remove Windows Live Writer Header, EditURI Header, Comment Spam, Mitigate Attachment File Traversal Attack, Protect Against Tabnapping, Filter Long URL Strings, Filter Non-English Characters, Filter Request Methods, Remove File Writing Permissions.
- The "Backup Full Database" setting has been removed from the Backups module.
- The "Require SSL", "Front End SSL Mode", and "SSL for Dashboard" settings have been removed from the SSL module.
- Modules are now based on a module.json configuration file. If you are registering a custom iThemes Security module, you should update it to include a module.json file that adheres to the core/module-schema.json JSON Schema.
- The Network Brute Force module had its folder renamed from "ipcheck" to "network-brute-force".
- New Object Oriented API for creating Password Requirements.
- New Settings and Modules REST API endpoints.
- New RPC REST API namespace. There is no backward compatibility promise for these API endpoints.
Security
- Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
Tweaks
- Add filters to short-circuit lock APIs.
- Remove non-SSL fallbacks for Security Check Pro and Version Management.
Fixes
- Tweak checkbox styles.
- Improved compatibility with WP Engine.
- Pass the WP_Error object to the wp_login_failed hook.
- Prevent wp_no_robots deprecation warning on WordPress 5.7.
