Solid Security
Fixes
- Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
- Fixed the link for a user in the logs page so that it properly works on sites that are inside a subdirectory.
- Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
- Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
Tweaks
- Improved the logic for determining the requesting IP address to better handle situations where the site is behind a reverse proxy.
- Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
- All links in Security that have target="_blank" now have added rel attributes to protect against tabnabbing.
- Updated remaining ip-lookup.net links to instead link to traceip.net in keeping with other links that were previously updated to traceip.net.
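The reverse-proxy entries above (the "Remote IP" fix and this release's IP-determination tweak) both concern the case where a forwarding header carries several comma-separated addresses, only some of which were written by proxies you control. The following is an added example, not plugin code, of resolving the client address safely in that situation; the header name, the trusted proxy range 10.0.0.0/8 and the sample addresses are constructed assumptions.

```php
<?php
// Added example (not Solid Security code): pick the client IP behind a reverse
// proxy when the forwarding header lists more than one address.
// Assumed configuration: trusted proxies live in 10.0.0.0/8 (IPv4 only here).

/** True if $ip falls inside $cidr ("a.b.c.d/n") or equals a bare address. */
function ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Walk the forwarded list from the right, discarding addresses that belong to
 * trusted proxies; the first address that is not a trusted proxy is the client.
 * Falls back to REMOTE_ADDR when the header is absent, malformed, or the direct
 * peer is not a proxy we trust (so a client-supplied header is never honoured).
 */
function resolve_client_ip(string $remoteAddr, ?string $forwardedFor, array $trustedProxies): string {
    $trusted = static function (string $ip) use ($trustedProxies): bool {
        foreach ($trustedProxies as $cidr) {
            if (ip_in_cidr($ip, $cidr)) { return true; }
        }
        return false;
    };
    if ($forwardedFor === null || !$trusted($remoteAddr)) {
        return $remoteAddr;
    }
    $hops = array_reverse(array_map('trim', explode(',', $forwardedFor)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr; // malformed entry: refuse to trust the header
        }
        if (!$trusted($hop)) {
            return $hop;
        }
    }
    return $remoteAddr; // every hop was a trusted proxy; nothing better known
}

// Constructed sample: the leftmost entry is client-controlled and must be
// ignored; two trusted proxies appended the real client and themselves.
$proxies = ['10.0.0.0/8'];
echo resolve_client_ip('10.0.0.2', '203.0.113.9, 198.51.100.7, 10.0.0.3', $proxies), "\n";
```

Lockouts and ban lists keyed on the resolved address are only as reliable as this step, so the trusted-proxy list should contain exactly the proxies in front of the site and nothing broader.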
Features
- Added setting to block requests for PHP files in the plugins directory in System Tweaks.
- Added setting to block requests for PHP files in the themes directory in System Tweaks.
Fixes
- Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
- Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
- Removed redundant entries in the HackRepair blacklist.
- Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting can block installation of a site in a subdirectory.
- Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
- Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
- Replaced static references to wp-includes with the WPINC define.
- Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
- Added escaping to some translation strings.
- Removed unused files from the WordPress Tweaks module directory.
- Fixed the Daily Digest email reversing the user and host lockout counts.
- The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This will fix the mail being blocked by some mail servers due to a spoofed from address.
Tweaks
- Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
- Updated the database backup email to a new design.
- Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is because the DELETE HTTP method is blocked when the setting is enabled.
Fixes
- Fixed issue that reported invalid counts for host and user lockouts in the daily digest email.
- Fixed issue that caused the daily digest email to be sent every day, even if no lockouts occurred and no file changes were found.
- Fixed issue that could prevent saving of File Change settings, resulting in an error message of "A validation function for file-change received data that did not have the required entry for latest_changes."
- Fixed iThemes Security Pro logo appearing in daily digest emails.
Features
- Added new Daily Digest email design.
Fixes
- Removed the "Wget" user agent from the Hack Repair blacklist as it can block wp-cron jobs on some hosts.
- Fixed error "PHP message: PHP Fatal error: 'continue' not in the 'loop' or 'switch' context".
Security
- Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
- Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
Fixes
- The Security > Security Check link now works as expected in multisite.
- Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
- Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
- Corrected a settings description typo in Global Settings.
- Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
Tweaks
- Added placeholder for the Version Management module of iThemes Security Pro.
- Updated build number to trigger some updates.
Compatibility
- Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
Fixes
- Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
- Prevented some notices from displaying to users who do not need to see them.
- Limited notices to only display on specific pages on the dashboard.
Tweaks
- Removed legacy code that is no longer needed.
- Started tracking when a user was last seen as logged in and active for future use.
- Added a placeholder for the Pro feature "User Security Check".
Features
- Added a new Security Check section on the settings page. This new feature adds a tool to quickly ensure that the recommended features are enabled and the recommended settings are used.
Fixes
- Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
Tweaks
- The "Ban Lists" setting of Banned Users is now enabled by default.
Features
- Added a new File Permissions section on the settings page to bring back the directory and file permissions listing feature found on the Security > Dashboard page of older plugin versions.
Fixes
- Fixed a situation where adding a very large list of IPs in the Ban Hosts list would generate an invalid .htaccess file on some servers.
Tweaks
- The Database Backups, Local Brute Force Protection, Network Brute Force Protection, Strong Password Enforcement, and WordPress Tweaks features are now active by default on new installations.
- The WordPress Tweaks feature now uses the "Disable File Editor" setting by default on new installations.
- The WordPress Tweaks feature now sets the "Multiple Authentication Attempts per XML-RPC Request" setting to "Block" by default on new installations.
- Improved the styling of notices.
Fixes
- Fixed SQL query for Database Backups when "Backup Full Database" is enabled.
Fixes
- Throw a real 403 instead of a faked 404 for hide backend. Fixes compatibility with certain plugins including WordPress SEO. Hat tip to Joost de Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.
