Solid Security
Fixes
- Hide Backend bypass on certain Apache configurations.
- Properly return error that occurs during a backup.
- Regex warning on PHP 7.3 in the File Change module.
- Resolve warning when a user is set to "No Role".
Tweaks
- Allow the log description column to word break for URLs or other strings with no spaces.
Fixes
- Tabnabbing: Apply noopener to links instead of using the blankshield script when available, to prevent new pop-up blocker behavior from killing the links.
Tweaks
- When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.
Tweaks
- Add Per-Content SSL toggle to the upcoming Block Editor interface.
- Add filter to the recipients list for email notifications: "itsec_notification_{$notification}_email_recipients" and "itsec_notification_email_recipients".
- Add define "ITSEC_DISABLE_TEMP_WHITELIST" to disable the Temporary IP Whitelisting for logged-in administrators.
- Improve redirecting after processing a login interstitial from a front-end login form.
- Add loopback IP detection to Security Check.
- Detect Server IPs in Security Check.
- Add additional safety checks when writing to system config files. This will log a "Critical Issue" when the writing of an empty or partial config file is detected and prevented.
- Improve File Change locking to help prevent failing scans on sites with inconsistent cron scheduling.
- Improve "System Tweaks – Suspicious Query Strings – SQLI" to reduce false positives.
- Improve "System Tweaks – Disable PHP" to block PHP files in apache configurations that serve files with a trailing dot.
- Remove "Seznam Bot" from HackRepair List as it isn't present in the latest version.
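As an added example (not the plugin's own code) of wiring the two recipient filters named above together with the temporary-whitelist define: it assumes each filter receives and returns a plain array of email addresses and that the `{$notification}` placeholder is the notification's slug; "lockout" is a hypothetical slug and the addresses are constructed.

```php
<?php
/**
 * Added example, not code from the Solid Security plugin.
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumptions (not stated in the changelog): both filters pass and expect
 * an array of email address strings, and "lockout" is a hypothetical
 * notification slug used to fill the {$notification} placeholder.
 */

// Belongs in wp-config.php; assumed that any truthy value disables the
// Temporary IP Whitelisting for logged-in administrators:
// define( 'ITSEC_DISABLE_TEMP_WHITELIST', true );

// Constructed sample values: the addresses that must always be notified,
// and the only mail domain notifications may be delivered to.
const ITSEC_EXAMPLE_TEAM   = array( 'soc@example.com', 'oncall@example.com' );
const ITSEC_EXAMPLE_DOMAIN = 'example.com';

/**
 * Keep only well-formed addresses inside the allowed domain, so a role
 * change or a typo in a user profile cannot route security mail off-site.
 */
function itsec_example_restrict_recipients( $recipients ) {
    $kept = array();
    foreach ( (array) $recipients as $address ) {
        $address = trim( (string) $address );
        if ( ! is_email( $address ) ) {
            continue;
        }
        $domain = strtolower( substr( strrchr( $address, '@' ), 1 ) );
        if ( $domain === ITSEC_EXAMPLE_DOMAIN ) {
            $kept[] = strtolower( $address );
        }
    }
    return array_values( array_unique( $kept ) );
}

// Global default list: every admin-targeted notification reaches the team,
// and anything outside the allowed domain is dropped.
add_filter( 'itsec_notification_email_recipients', function ( $recipients ) {
    return itsec_example_restrict_recipients(
        array_merge( (array) $recipients, ITSEC_EXAMPLE_TEAM )
    );
} );

// Per-notification override for the hypothetical "lockout" slug: lockout
// alerts page on-call only, regardless of the role-based selection.
add_filter( 'itsec_notification_lockout_email_recipients', function ( $recipients ) {
    return itsec_example_restrict_recipients( array( 'oncall@example.com' ) );
} );
```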
Fixes
- Include Hide Backend token when emailing a password reset URL.
- Notification Center: only send notifications to users with an exact role match of the selected roles instead of a fuzzy match based on the selected capabilities.
- Error when trying to edit reusable blocks with per-post SSL enabled.
- Resolve warnings on PHP 5.2.
Tweaks
- Allow for selecting the particular Proxy header a server is configured to use. Improve the language to indicate the importance of configuring this setting. H/t Filippo Cavallarin, CEO at wearesegment.com.
- Block access to git and svn repositories when System Tweaks -> Protect System Files is enabled.
- Update jQuery Validation library to 1.17.0.
Fixes
- Improve the detection that prevents a File Change Scan from being scheduled if one is already running.
- Prevent infinite recursion error when trying to access directories outside of the allowed file tree.
Features
- Allow for globally setting recipients for admin-targeted notifications. All new notifications will default to the recipients in this list. Notifications can be set to use the default list or switch to a custom list.
Fixes
- 404 detection for plugins that mark is_404 later in the hook sequence.
- REST API Protection blocked the Taxonomies route for all users.
- Account for any CLI PHP SAPI instead of just WP-CLI in the SSL Module.
- Fix how the Grade Report enable/disable status is stored, resolving admin page loading issues on some sites.
- Fix a "serialization of closure" error that occurs when a plugin registering a hook with a closure is in the boot-up stack and the Notification Center is triggered too early in the cycle.
Tweaks
- Added a setting to enable/disable the Grade Report feature of Pro.
- Check if an IP is blacklisted on page load for compatibility with servers that cannot process server configuration level bans immediately.
- Display a time diff until the next event on the Debug page.
- Use Logging API for tracking Notification Center errors.
- Register Scheduler Events whenever the plugin build changes.
- Allow for filtering logs by any module recorded.
- Account for 3rd-party Backup Plugin in Security Check.
Fixes
- Improved input sanitization on the logs page to prevent triggering warnings.
Security
- Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
Tweaks
- Fire a WordPress action whenever settings are updated.
Fixes
- Provide default values for enabled requirements.
Security
- Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
Fixes
- Away Mode would not lock out users who were already logged-in during the "away" period.
- Enforce the Strong Passwords requirement during Security Check.
- Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
- If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
- Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
- Password strength would not be evaluated if password was set using custom PHP or CLI commands.
- Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
- Remove distributed storage table on uninstall.
Tweaks
- Add UI to cancel in progress File Scan.
- Add a basic admin debug page to help diagnose and resolve issues, particularly with events.
- Add debug settings JSON editor.
- Continually evaluate password strength for users instead of only during registration.
- Introduce Password Requirements module for managing and enforcing password requirements.
- Accessing password requirement settings would not resolve properly in some instances.
- Don't write to the tracked files setting if the file hash has not changed.
- If no last password change date is recorded for the user, treat their registration date as the last change date.
Fixes
- Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
- Skip recovery if File Change storage is empty.
Fixes
- Fixed a situation that could cause lockout notifications to be sent for whitelisted IPs.
- Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
- Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
