Solid Security
Features
- Added support for iThemes Sync to run the Security Check feature from inside the Sync service.
- Added support for the ITSEC_DISABLE_MODULES define.
- Allow for searching through modules and settings.
Fixes
- Compatibility with Jetpack SSO and Password Requirements.
- Ensure viewport meta is defined when loading the password requirements update password form.
- Fix fatal error when registering a new user without specifying a role (iThemes Exchange).
- Fix fatal error when updating a profile.
- Fix strong passwords not being recognized as strong on the profile page.
- Fixed an infinite loop that could occur when expiring a cookie and Hide Backend is enabled.
- Fixed bugs that prevented reporting of specific error messages related to updating the wp-config.php file.
- Fixed compatibility issue with the Jetpack plugin when Hide Backend is enabled which could prevent Jetpack from redirecting users to the wordpress.com login page.
- Fixed issue that could prevent "Register" and "Lost your password?" links from working properly on the login page when Hide Backend is enabled.
- Fixed an issue affecting access to wp-admin/admin-post.php when Hide Backend is enabled.
- Fixed password-protected posts not properly handling the password when Hide Backend is enabled.
- Fixed source of notice that could appear when resetting a user's password when the Strong Passwords Enforcement feature is enabled.
- Fixed source of warning that could appear when creating a backup while running a PHP version less than 5.4.
- Fixed the ability to manually enter a page number to navigate to on the Security > Logs page.
- Hide Backend is now compatible with Jetpack Single Sign On.
- Hide Backend now hides registration pages on multisite sites.
- Removed warning: "Non-static method ITSEC_Setup::uninstall() should not be called statically".
- The Hide Backend hidden login URL is no longer leaked by password-protected content.
Tweaks
- Changed default Hide Backend Register Slug from wp-register.php to wp-signup.php since WordPress switched from using wp-register.php to wp-signup.php for registrations. This will not affect existing sites.
- Enforce strong passwords during log-in. Can be disabled via the ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
- Fire an action, "itsec_change_admin_user_id", when the admin user id changes.
- Hide Backend functions purely in PHP code now rather than relying half on PHP code and half on .htaccess and nginx.conf modifications. This allows Hide Backend to function on web servers and server configurations that it was previously not compatible with.
- Improved efficiency of Hide Backend code, increasing site performance when the feature is enabled.
- Introduce password requirements module to centralize handling of password updates.
- Link to other module settings pages without forcing the page to refresh.
- Removed AhrefsBot from the HackRepair blacklist as it is a legitimate bot.
- The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desirable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
- Updated Disable File Locking description.
- Updated or added phpDoc to many functions.
- Use canonical roles library to determine if a new user or an updated role requires a strong password.
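The Hide Backend flow described in the Tweaks above (slug request, redirect to wp-login.php with the itsec-hb-token parameter, one-hour cookie, plain wp-login.php only reachable with the token or the cookie) can be sketched in plain PHP. This is an added illustration, not the plugin's own code: the slug value, the cookie name, the HMAC secret and the helper names are assumptions, and the cookie options array needs PHP 7.3 or later.

```php
<?php
// Added example of a Hide Backend style login gate (not the plugin's code).
// Assumed values/names: HB_LOGIN_SLUG, HB_COOKIE, HB_SECRET, hb_decide(), hb_handle().
const HB_LOGIN_SLUG  = 'wplogin';                  // the configured Login Slug (assumed)
const HB_TOKEN_PARAM = 'itsec-hb-token';           // query parameter named in the changelog
const HB_COOKIE      = 'hb_access';                // assumed cookie name
const HB_COOKIE_TTL  = 3600;                       // one hour, as the changelog states
const HB_SECRET      = 'replace-with-a-per-site-secret'; // assumed; e.g. derived from AUTH_KEY

// The cookie carries an HMAC of the slug rather than the slug itself, so a
// copied cookie does not reveal the hidden login URL.
function hb_cookie_value(): string {
    return hash_hmac('sha256', HB_LOGIN_SLUG, HB_SECRET);
}

/**
 * Classify a request. Returns:
 *   'redirect' - the slug was requested: set the cookie and send the browser
 *                to /wp-login.php?itsec-hb-token=<slug>
 *   'allow'    - /wp-login.php reached with a valid token or a valid cookie
 *   'deny'     - /wp-login.php reached with neither (answer 404)
 *   'pass'     - unrelated request, let WordPress continue
 */
function hb_decide(string $path, array $query, array $cookies): string {
    $path = '/' . ltrim($path, '/');
    if ($path === '/' . HB_LOGIN_SLUG) {
        return 'redirect';
    }
    if ($path !== '/wp-login.php') {
        return 'pass';
    }
    $token  = (string) ($query[HB_TOKEN_PARAM] ?? '');
    $cookie = (string) ($cookies[HB_COOKIE] ?? '');
    // hash_equals keeps the comparison constant-time so the slug is not
    // recoverable through timing differences.
    if (hash_equals(HB_LOGIN_SLUG, $token) || hash_equals(hb_cookie_value(), $cookie)) {
        return 'allow';
    }
    return 'deny';
}

// Glue for a real request; everything above is testable without it.
function hb_handle(): void {
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    switch (hb_decide($path, $_GET, $_COOKIE)) {
        case 'redirect':
            setcookie(HB_COOKIE, hb_cookie_value(), [
                'expires'  => time() + HB_COOKIE_TTL,
                'path'     => '/',
                'secure'   => !empty($_SERVER['HTTPS']),
                'httponly' => true,
                'samesite' => 'Lax',
            ]);
            header('Location: /wp-login.php?' . http_build_query([HB_TOKEN_PARAM => HB_LOGIN_SLUG]), true, 302);
            exit;
        case 'deny':
            http_response_code(404);   // behave as if the page does not exist
            exit;
        default:
            return;
    }
}

// Constructed requests showing each branch.
var_dump(hb_decide('/wplogin', [], []));                                   // redirect
var_dump(hb_decide('/wp-login.php', [HB_TOKEN_PARAM => 'wplogin'], []));   // allow (token)
var_dump(hb_decide('/wp-login.php', [], [HB_COOKIE => hb_cookie_value()])); // allow (cookie)
var_dump(hb_decide('/wp-login.php', [], []));                              // deny
```

Because the gate is entirely in PHP, it works the same on Apache, nginx or any other server, which is the point of the change described above; the private-window check the changelog suggests corresponds to the last case, where neither token nor cookie is present.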
Fixes
- When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
- Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
- Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.
Fixes
- A database backup will no longer be created when first activating the plugin.
- Added compatibility for MySQL strict mode in database creation syntax.
- Removed warning about a "non well formed numeric value encountered" in PHP 7.1.
- Modifications to wp-config.php, .htaccess, and nginx.conf files are now properly re-added upon reactivation.
- Fixed full settings for Hide Backend being displayed after disabling the feature and saving the settings.
- Enabling or disabling the Hide Backend feature will update the "Log Out" link so that it works as expected without having to load a new page.
- Enabling or disabling the Hide Backend feature now properly updates the .htaccess/nginx.conf file on enable and disable rather than at some future point.
- Fixed issue that could cause improper database table creation on multisite sites.
- Fixed a bug that could prevent settings from saving properly if the site was migrated to a new server or a new home path on the server.
Tweaks
- Improved plugin performance by reducing the number of queries made on each page.
- Reduced memory and CPU usage due to various code improvements.
Fixes
- Fixed bug that prevented Away Mode from activating on some sites.
Fixes
- Fixed bug that prevented Network Brute Force Protection from working properly on some sites.
Tweaks
- Added logging for failed two-factor, OAuth, and REST API authentications.
- Added logging details about the source of login failures and the type of authentication that failed.
- Due to improvements in tracking authentication failures, brute force attempts using alternate authentication methods are more reliably found and blocked.
- The server's IP is treated as whitelisted and will not be considered for lockouts or bans.
- Reduced memory usage when creating a backup.
- Changed log entry description of "IP Flagged as bad by iThemes IPCheck" to "IP Flagged by Network Brute Force Protection". This should help clarify the meaning of the log entry.
- Improved efficiency of the Network Brute Force Protection feature.
Fixes
- Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
Tweaks
- Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
- Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".
Features
- Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
Fixes
- Fixed issue that could cause database backup emails to be sent without the backup zip attached.
Features
- Updated the lockouts notification email to a new design. This new design also cleaned up the translation strings to allow better translations.
- Added a "Protect Against Tabnapping" feature in the WordPress Tweaks section. Details of what this feature protects against can be found here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
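A page opened through a link with target="_blank" receives a window.opener reference to the page that opened it unless the link also carries rel="noopener" (and, for older browsers, "noreferrer"). The function below is an added example, not the plugin's code, of hardening such links in a block of HTML; the function name and the sample markup are constructed for the illustration.

```php
<?php
// Added example (not the plugin's code): give every target="_blank" link a
// rel attribute containing noopener and noreferrer, preserving any rel values
// it already has.
function harden_blank_targets(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // HTML5 tags trigger warnings in libxml
    // Wrap the fragment in a div so multiple top-level nodes parse cleanly;
    // the XML PI tells libxml the bytes are UTF-8.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('a') as $a) {
        if (strtolower($a->getAttribute('target')) !== '_blank') {
            continue;
        }
        $rel = preg_split('/\s+/', strtolower(trim($a->getAttribute('rel'))), -1, PREG_SPLIT_NO_EMPTY);
        foreach (['noopener', 'noreferrer'] as $needed) {
            if (!in_array($needed, $rel, true)) {
                $rel[] = $needed;
            }
        }
        $a->setAttribute('rel', implode(' ', $rel));
    }

    // The wrapper div is the first div in document order; emit only its children.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: one external link opening a new tab, one ordinary link.
$sample = '<p>See <a href="https://example.com/docs" target="_blank" rel="nofollow">the docs</a>'
        . ' and <a href="/local">this page</a>.</p>';
echo harden_blank_targets($sample), "\n";
```

Only the link with target="_blank" is changed; its existing rel="nofollow" is kept and the two protective values are appended, which is the behaviour a defensive filter should have so that it never strips a value another plugin relies on.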
Tweaks
- Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.
Fixes
- Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
- Fixed the link for a user in the logs page so that it properly works on sites that are inside a subdirectory.
- Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
- Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
Tweaks
- Improved the logic for determining the requesting IP address to better handle situations where the site is behind a reverse proxy.
- Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
- All links in Security that have target="_blank" now have added rel attributes to protect against tabnapping.
- Updated remaining ip-lookup.net links to instead link to traceip.net in keeping with other links that were previously updated to traceip.net.
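The reverse-proxy entries above (an IP header carrying more than one address, and the earlier fix that falls back to 127.0.0.1 when no address can be found) describe a problem with a well-known defensive shape: trust the forwarding header only when the direct peer is one of your own proxies, then walk the chain from the right past your own hops. The function below is an added example of that approach and not the plugin's implementation; the trusted-proxy list, the function name and the sample requests are constructed.

```php
<?php
// Added example (not the plugin's code): determine the requesting IP behind
// one or more reverse proxies. Assumed: a configured list of trusted proxy
// addresses and the server variable the proxy writes (X-Forwarded-For here).
function requesting_ip(array $server, array $trusted_proxies, string $header = 'HTTP_X_FORWARDED_FOR'): string {
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');

    // Only honour the header when the direct peer is a proxy we trust;
    // otherwise any client could supply an arbitrary header value.
    if ($remote !== '' && in_array($remote, $trusted_proxies, true) && !empty($server[$header])) {
        // Proxies append to the right, so the rightmost address is the one
        // added by the hop closest to us. Skip our own proxies and anything
        // that is not a valid IP (e.g. "unknown" placeholders).
        $chain = array_map('trim', explode(',', (string) $server[$header]));
        for ($i = count($chain) - 1; $i >= 0; $i--) {
            $candidate = $chain[$i];
            if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
                continue;
            }
            if (in_array($candidate, $trusted_proxies, true)) {
                continue;
            }
            return $candidate;
        }
    }

    // No usable forwarded address: use the direct peer if it is a valid IP.
    if (filter_var($remote, FILTER_VALIDATE_IP) !== false) {
        return $remote;
    }
    // Nothing at all (e.g. an alternate cron setup): default to loopback,
    // as the changelog's fix does.
    return '127.0.0.1';
}

// Constructed requests (documentation addresses only).
$trusted = ['10.0.0.2', '10.0.0.3'];
$cases = [
    // client -> proxy 10.0.0.3 -> proxy 10.0.0.2 -> this server
    'two trusted hops'      => ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.3'],
    // a client-supplied leading value is ignored; the rightmost untrusted hop wins
    'client-supplied prefix'=> ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.7, 10.0.0.3'],
    // header present but the peer is not a trusted proxy, so it is ignored
    'untrusted peer'        => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    // no address information at all
    'no address'            => [],
];
foreach ($cases as $label => $s) {
    printf("%-22s %s\n", $label . ':', requesting_ip($s, $trusted));
}
```

The important property for lockouts and bans is the one the second case exercises: because the chain is read from the right and the header is only trusted from a known proxy, a client cannot choose which address gets locked out by padding the header, and a misconfigured proxy list fails closed to REMOTE_ADDR rather than to an attacker-controlled value.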
