Solid Security
Security
- Fixed display of unescaped data on logs page. Thanks to Paweł Kuryłowicz from SecuRing for finding and reporting this issue.
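The fix above is the classic stored XSS in an admin log view: usernames, request URIs and similar fields are attacker-supplied and must be escaped at output. As an added illustration (not Solid Security's own code; the log row and the esc_html() stand-in are constructed for this example), the vulnerable rendering beside the hardened one:

```php
<?php
// Added illustration, not the plugin's code. Log fields such as usernames or
// request URIs are attacker-supplied, so printing them into the admin page
// without escaping is stored XSS against whoever views the logs.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in so this file runs outside WordPress. WP's esc_html() does more
    // (entity normalisation, the 'esc_html' filter); the HTML-special-character
    // encoding is the part that closes the hole.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample entry; in the plugin this row comes from the log table.
function sample_log_entry() {
    return [
        'type'    => 'lockout',
        'user'    => '"><script>alert(document.cookie)</script>',
        'details' => 'Too many failed logins from 203.0.113.7',
    ];
}

// Vulnerable: raw values are concatenated straight into markup.
function render_row_unsafe( array $entry ) {
    return '<tr><td>' . $entry['type'] . '</td><td>' . $entry['user']
        . '</td><td>' . $entry['details'] . '</td></tr>';
}

// Hardened: escape every field at the point of output, never earlier.
function render_row_safe( array $entry ) {
    return '<tr><td>' . esc_html( $entry['type'] ) . '</td><td>' . esc_html( $entry['user'] )
        . '</td><td>' . esc_html( $entry['details'] ) . '</td></tr>';
}

$entry = sample_log_entry();
echo render_row_unsafe( $entry ), "\n"; // emits a live <script> tag
echo render_row_safe( $entry ), "\n";   // &lt;script&gt;... is rendered as text
```

Escaping belongs at output, not at storage time: a log that stores pre-escaped data is wrong for every consumer that is not HTML (CSV export, email, the REST API), and a single missed echo still reintroduces the bug.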
Fixes
- The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
- Fixed the File Change scanner, which previously could fail to exclude selected directories on some systems.
Tweaks
- Updated logging system to keep track of more information and have more options to filter and sort log entries.
- Improved efficiency of File Change Detection scanning.
Fixes
- Fixed issue that could register loading the logging page as a failed login attempt on some sites.
Fixes
- Load translations on the plugins_loaded hook.
- Fixed method that could be used to discover hidden login slug on some sites.
- Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
- Updated the REST API "Restricted Access" feature to protect against methods of working around the restriction.
- Prevent the login page from being hidden when following the "Confirm Email Address" notification URL.
- Fixed Hide Backend notifications not being sent properly when first enabled.
Tweaks
- Display user lockouts in Lockout Sidebar.
Deprecated
- The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have been deprecated. Use ITSEC_USE_CRON instead.
Features
- Introduces a scheduling framework for handling events. Cron is now used by default, and will switch to using an alternate scheduling system if it detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your wp-config.php file.
Fixes
- Preserve notification settings when the responsible module is deactivated.
- Process 404 lockouts on the 'wp' hook to prevent a "headers already sent" warning.
- Ensure Hide Backend emails are properly sent when activating Hide Backend before saving the Notification Center for the first time.
- Prevent warning from being issued on new installs by allowing previous settings to be preserved if they exist.
- Better handle WP_Error objects in mail errors that occurred before updating to the first patch release.
- Fixed a non-static method being called statically.
- Fix occasional duplicate backups and file scans.
- Fixed issue where scheduled events could repeat on sites that do not properly support WordPress's cron system.
- Reactivating Away Mode now replaces the active file if you had previously removed it.
- Ensure lockouts take effect immediately, even on systems where changes to server configuration files do not take effect immediately.
Features
- Introduces the Notification Center, a centralized place to manage and customize email notifications sent by iThemes Security.
Fixes
- Corrected some JavaScript and CSS links not generating correctly on Windows servers.
Tweaks
- Updated queries and prepare statements to account for changes to the esc_sql() function in WordPress 4.8.3.
Fixes
- Fixed SQL query bug that resulted in the "Minutes to Remember Bad Login (check period)" setting being ignored.
- Fixed bug that prevented wp-admin/install.php blocking from working properly on nginx servers.
- Don't attempt to do an SSL redirect when WP-CLI is running.
Features
- Added a new setting in WordPress Tweaks: "Login with Email Address or Username".
- Added Magic Links, a new Pro-only feature, to be activated by Security Check.
Fixes
- Fixed an error when searching for modules that prevented modules from appearing.
- Use the wp_options table when acquiring locks in Multisite.
- Prevent duplicate daily digest emails on sites with high load.
Tweaks
- Host email images from the plugin instead of relying on iThemes servers, to keep email clients from marking messages as spam or blocking images.
- Rearranged modules to be listed alphabetically.
Fixes
- Fixed logical error that prevented backups from executing.
- Fixed issue that could cause database locks to flood the database.
Fixes
- Enabling SSL support will only log you out if you are not already on an https connection.
- Bumped version number of some scripts to ensure that they refresh properly.
- Fixed a method that could be used to work around Hide Backend on some hosts.
Tweaks
- Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
- Added the itsec-get-ip filter to allow code to supply the remote IP directly.
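The remote IP feeds lockouts and bans, so whatever a site supplies through this filter must not be spoofable: returning X-Forwarded-For unconditionally lets anyone set their own IP to dodge a lockout or lock out someone else. As an added example (not the plugin's code; it assumes the filter is applied with a single value and that a returned IP string is used as the client address, and the trusted-proxy list is constructed), a callback that only honours the header when the direct connection came from a known proxy:

```php
<?php
// Added example, not Solid Security's code. Assumes 'itsec-get-ip' is applied
// with one value and that returning an IP string supplies the client address.

// Constructed for this example: the addresses of your own reverse proxies.
const MY_TRUSTED_PROXIES = [ '10.0.0.5', '10.0.0.6' ];

// Resolve the client IP from a $_SERVER-shaped array. Returns '' when it
// cannot decide, so the caller can fall back to the plugin's own detection.
function my_client_ip_from_headers( array $server, array $trusted_proxies ) {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( '' === $remote || ! in_array( $remote, $trusted_proxies, true ) ) {
        // Direct connection (or unknown proxy): the header is attacker-controlled.
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ( '' === $xff ) {
        return $remote;
    }
    // Walk the chain right-to-left: proxies append, so the rightmost entry not
    // belonging to a trusted proxy is the address that connected to our edge.
    $hops = array_reverse( array_map( 'trim', explode( ',', $xff ) ) );
    foreach ( $hops as $hop ) {
        if ( in_array( $hop, $trusted_proxies, true ) ) {
            continue;
        }
        if ( false !== filter_var( $hop, FILTER_VALIDATE_IP ) ) {
            return $hop;
        }
        // Malformed hop: everything left of it is untrusted, so stop here.
        return '';
    }
    return $remote;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'itsec-get-ip', function ( $ip ) {
        $resolved = my_client_ip_from_headers( $_SERVER, MY_TRUSTED_PROXIES );
        return '' !== $resolved ? $resolved : $ip;
    } );
}

// Stand-alone check with constructed requests.
$spoofed = [ 'REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' ];
$proxied = [ 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.6' ];
echo my_client_ip_from_headers( $spoofed, MY_TRUSTED_PROXIES ), "\n"; // 198.51.100.9, header ignored
echo my_client_ip_from_headers( $proxied, MY_TRUSTED_PROXIES ), "\n"; // 203.0.113.7
```

If the proxy rewrites X-Forwarded-For to a single value rather than appending, the same function still works; what it must never do is trust the header on a connection that did not come from the proxy list.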
- Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
- Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
Fixes
- Prevent 404s when following links in email notifications on a site with Hide Backend enabled.
- Ensure uninstall process is not run when another version of iThemes Security is still active.
- Fixed a method that could be used to work around Hide Backend.
- Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
Tweaks
- Replaced file locking with database locking. This method of locking is compatible with all systems as it does not require the ability to write files. It also allows for locking to work on sites that have multiple front-end servers with a shared database. Since file locking is no longer used, the Global Settings > Disable File Locking setting was removed.
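The point of moving the lock into the database is that the uniqueness check happens inside one shared system rather than on each server's filesystem. As an added example (not Solid Security's implementation, whose table layout is not shown here), a lock built on an atomic INSERT into a primary-key column with an expiry so a crashed holder cannot wedge scheduled jobs. It uses PDO with an in-memory SQLite database so it runs stand-alone; the same statements work on MySQL through $wpdb, where $wpdb->insert() returns false on a duplicate key:

```php
<?php
// Added example, not the plugin's code: database-backed mutual exclusion
// using a PRIMARY KEY conflict as the atomic test-and-set, plus an expiry.

function lock_db() {
    $db = new PDO( 'sqlite::memory:' );
    $db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $db->exec( 'CREATE TABLE locks (name TEXT PRIMARY KEY, expires INTEGER NOT NULL)' );
    return $db;
}

// Returns true if the lock was taken. Two front-end servers racing on the
// same name cannot both succeed: the database enforces the key, not PHP.
function acquire_lock( PDO $db, $name, $ttl_seconds, $now ) {
    // Reap an expired lock first; a holder that died never released it.
    $db->prepare( 'DELETE FROM locks WHERE name = ? AND expires <= ?' )
       ->execute( [ $name, $now ] );
    try {
        $db->prepare( 'INSERT INTO locks (name, expires) VALUES (?, ?)' )
           ->execute( [ $name, $now + $ttl_seconds ] );
        return true;
    } catch ( PDOException $e ) {
        // SQLSTATE 23000 is an integrity-constraint violation: someone holds it.
        if ( '23000' === (string) $e->getCode() ) {
            return false;
        }
        throw $e;
    }
}

function release_lock( PDO $db, $name ) {
    $db->prepare( 'DELETE FROM locks WHERE name = ?' )->execute( [ $name ] );
}

// Two "servers" sharing one database, with a constructed clock for determinism.
function demo_shared_lock() {
    $db = lock_db();
    $t  = 1700000000;
    $first  = acquire_lock( $db, 'file-change-scan', 60, $t );      // true
    $second = acquire_lock( $db, 'file-change-scan', 60, $t + 5 );  // false: still held
    $third  = acquire_lock( $db, 'file-change-scan', 60, $t + 61 ); // true: holder expired
    release_lock( $db, 'file-change-scan' );
    $fourth = acquire_lock( $db, 'file-change-scan', 60, $t + 62 ); // true: released
    return [ $first, $second, $third, $fourth ];
}

var_dump( demo_shared_lock() ); // bool(true), bool(false), bool(true), bool(true)
```

Pick the TTL longer than the longest legitimate run of the job it guards, otherwise two scans overlap after the expiry, which is the duplicate-backup behaviour earlier entries in this log describe.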
- Add "Copy to Clipboard" functionality for server and wp-config rules.
