Solid Security
Fixes
- PHP warnings when invalid entries are stored in the WordPress Cron storage.
- Update the list of tables added to wpdb.
- Remove default value for text columns. This caused an issue on MySQL 8 and is unnecessary.
- Missing borders in the sidebar widgets on WordPress 5.5.
- Notice actions didn't trigger when "Hide Admin Bar" is enabled.
- Some users would be forced to choose a strong password twice in a row.
- Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
- Passwords Requirements compatibility with Restrict Content Pro.
- PHP warnings that may occur when initializing default user groups on a new installation.
Tweaks
- iThemes Security requires WordPress 5.4 or later.
- Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
- Store the time a ban was added, and the lockout module responsible for the ban.
- Overwrite Restrict Content Pro's detected IP address with the IP detected by iThemes Security.
- Disable SSL verification when performing the Security Check Loopback test. Some hosts can't properly verify loopback requests. This verification is unnecessary in this circumstance, and disabling SSL verification aligns iThemes Security with default WordPress loopback behavior.
Features
- The new, improved WordPress Security Site Scan powered by iThemes checks if Google has detected malware and added your site to their threat list.
Tweaks
- Remove quick bans. Persist banned hosts to .htaccess or nginx.conf on an hourly schedule.
- Cap banned hosts persisted to .htaccess or nginx.conf to the most recent 100. This number can be adjusted with the "itsec_ban_users_max_hosts_for_server_config" filter. Older banned hosts will be locked out after WordPress loads.
- Ensure randomly generated passwords are considered strong by the Strong Passwords library.
- Suggest a 32 character password when forcing a password change.
- Change insensitive language to be more inclusive.
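Added example of adjusting the cap named in the "itsec_ban_users_max_hosts_for_server_config" tweak above from a site's own mu-plugin; this is not code from the plugin. The changelog gives only the filter name, so the callback signature below (an integer cap passed as the first argument, integer returned) is an assumption.

```php
<?php
/**
 * Plugin Name: Lower the ban cap written to .htaccess/nginx.conf
 * Added example, not part of iThemes Security. Drop into wp-content/mu-plugins/.
 */

// Assumption: the filter passes the current integer cap (100 by default per the
// changelog) and expects an integer back. Returning a smaller value keeps the
// server config file short; hosts beyond the cap are still locked out once
// WordPress loads, so the protection is not lost, only moved later in the request.
add_filter( 'itsec_ban_users_max_hosts_for_server_config', function ( $max_hosts ) {
    $site_cap = 50; // constructed value for this example

    return min( (int) $max_hosts, $site_cap );
} );
```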
Fixes
- PHP warning when a user's email address is updated outside of the user edit admin page.
- Fix login interstitials on WP Engine when using a front-end login form.
- PHP warning when checking opaque tokens.
- PHP warning after successfully connecting a site to iThemes Sync via the login connection flow.
- File Change Security Message would not appear for new installs.
Fixes
- PHP warning when evaluating password requirements.
Features
- Save Time Securing WordPress With User Groups!
- Simplified connection flow when setting up iThemes Sync.
Fixes
- The "Multisite Tweaks -> Hide Updates" setting prevented auto-updates from running with WP Cron.
- Backup event was not added when the WP Cron Scheduler was reset manually.
- Admin Notices Popover was not being hidden when clicking outside the Popover on WP 5.3.
- New Password Requirements for already created accounts were not enforced until the second login.
- Update admin notices styling to be compatible with WordPress 5.4.
- Periodically clear expired opaque tokens.
- Don't block registration page when "wp-signup.php" is the Hide Backend register slug.
- Users with weak passwords would not be forced to change their password if the strong password requirement had been enabled after their password strength was checked.
- Remove "get_magic_quotes()" call that existed for backwards compatibility with PHP versions 5.3 and earlier. This function call was causing a warning on PHP 7.4.
- Warning when loading the settings page on PHP 7.4.
- Warning when loading the debug page on PHP 7.4.
Tweaks
- iThemes Security requires PHP 5.6 or greater and WordPress 5.2 or greater.
- Add a warning if a WordPress Salt is set to an invalid value.
- Include child log items in the logs list table. These are helpful for debugging issues.
- Improve performance of the logs page on sites with a large number of log items.
- Check tables exist after completing a DB upgrade.
- When logging $_SERVER, only log a snapshot of available properties.
Fixes
- Properly notate that iThemes Security requires PHP 5.5 or greater.
Features
- iThemes Security now includes Security Check Pro to automatically and correctly determine your visitors' IP addresses. Enable this scan by running Security Check and opting in to Security Check Pro, or activate the Security Check Pro module in Advanced Modules. H/t Jeremy Voisin
Tweaks
- Run Security Check Pro IP Detection automatically once a day.
- Manually re-run Security Check Pro IP Detection from the Global Settings page.
Features
- New Lockout Template screen.
Fixes
- Brute Force module reporting invalid logins using an email address incorrectly.
- Improve lockout compatibility with caching plugins.
- Fix admin notice not being dismissed due to a REST API route that was more narrowly defined than necessary.
- Admin Notices list did not refresh after dismissing a notice.
- Strong Passwords zxcvbn Library was not evaluating penalty strings correctly.
- Fix PHP warning if there are multiple detected proxy headers.
Tweaks
- iThemes Security requires PHP 5.4 or later.
- Add confirmation button to Login Interstitial Async Actions when on a different device.
- Add filter to "Lookup IP" link.
- There were significant changes to the internals of the iThemes Security Lockout API in this release. If you are using the ITSEC_Lockout class directly, all the API functions will continue to work, but will emit deprecation notices when legacy behavior is being used. Please update any integrations.
Tweaks
- New iThemes Sync Verb support for File Change.
- Add additional information about the login attempt when calling the Network Brute Force API.
Fixes
- Hide Backend Bypass.
- Strict Standards error during Sync request.
- wp_die() if a login interstitial session fails to be created instead of throwing a fatal error.
Tweaks
- iThemes Security Admin Notices are now conveniently located in the new Security Messages Menu. Check your notices in the Security menu on the WordPress Admin Bar.
- Add Security Message when a Notification Center email fails to send.
- Replace Trace IP with IP Tracker Online.
- Remove 'DELETE' method from "System Tweaks -> Filter Request Methods".
Fixes
- Hide backend bypass.
