Solid Security
Features
- Added setting to block requests for PHP files in the plugins directory in System Tweaks.
- Added setting to block requests for PHP files in the themes directory in System Tweaks.
Fixes
- Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
- Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
- Removed redundant entries in the HackRepair blacklist.
- Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting could block installation of a site in a subdirectory.
- Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
- Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
- Replaced static references to wp-includes with the WPINC define.
- Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
- Added escaping to some translation strings.
- Removed unused files from the WordPress Tweaks module directory.
- Fixed the Daily Digest email reversing the user and host lockout counts.
- The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This fixes the mail being rejected by some mail servers because the from address appeared to be spoofed.
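The change above moves the %0[0-9A-F] check out of the Non-English Characters setting because those escapes decode to C0 control bytes rather than to text. The following added example (not plugin code) separates the two cases: it flags percent-encoded control bytes in a raw query string and, for contrast, detects non-ASCII (e.g. UTF-8) text, which a language filter would match but this rule should not.

```python
import re
from urllib.parse import unquote_to_bytes

# Percent-encoded bytes %00 .. %0F, matched case-insensitively on the hex digit.
# These decode to C0 control characters (NUL, TAB, LF, CR, ...), not to letters.
CONTROL_ESCAPE = re.compile(r"%0[0-9A-Fa-f]")


def find_control_escapes(query_string: str) -> list:
    """Return the decoded control bytes found in a raw (still encoded) query string."""
    return [bytes.fromhex(m.group(0)[1:]) for m in CONTROL_ESCAPE.finditer(query_string)]


def is_suspicious_query(query_string: str) -> bool:
    """True when the query string carries any %00-%0F escape (the Suspicious Query Strings case)."""
    return CONTROL_ESCAPE.search(query_string) is not None


def has_non_ascii_query(query_string: str) -> bool:
    """True when the decoded query contains bytes >= 0x80, i.e. non-ASCII text
    such as UTF-8 letters of another language (the Non-English Characters case)."""
    return any(b >= 0x80 for b in unquote_to_bytes(query_string))


def classify_query(query_string: str) -> str:
    """Constructed classification used by the test below; a real rule set would
    evaluate each setting independently."""
    if is_suspicious_query(query_string):
        return "control-characters"
    if has_non_ascii_query(query_string):
        return "non-english-text"
    return "plain"
```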
Tweaks
- Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
- Updated the database backup email to a new design.
- Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is because the DELETE HTTP method is blocked when the setting is enabled.
Fixes
- Fixed issue that reported invalid counts for host and user lockouts in the daily digest email.
- Fixed issue that caused the daily digest email to be sent every day, even if no lockouts occurred and no file changes were found.
- Fixed issue that could prevent saving of File Change settings, resulting in an error message of "A validation function for file-change received data that did not have the required entry for latest_changes."
- Fixed iThemes Security Pro logo appearing in daily digest emails.
Features
- Added new Daily Digest email design.
Fixes
- Removed the "Wget" user agent from the Hack Repair blacklist as it can block wp-cron jobs on some hosts.
- Fixed error "PHP message: PHP Fatal error: 'continue' not in the 'loop' or 'switch' context".
Security
- Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
- Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
Fixes
- The Security > Security Check link now works as expected in multisite.
- Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
- Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
- Corrected a settings description typo in Global Settings.
- Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
Tweaks
- Added placeholder for the Version Management module of iThemes Security Pro.
- Updated build number to trigger some updates.
Compatibility
- Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
Fixes
- Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
- Prevented some notices from displaying to users who do not need to see them.
- Limited notices to only display on specific pages on the dashboard.
Tweaks
- Removed legacy code that is no longer needed.
- Started tracking when a user was last seen as logged in and active for future use.
- Added a placeholder for the Pro feature "User Security Check".
Features
- Added a new Security Check section on the settings page. This new feature adds a tool to quickly ensure that the recommended features are enabled and the recommended settings are used.
Fixes
- Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
Tweaks
- The "Ban Lists" setting of Banned Users is now enabled by default.
Features
- Added a new File Permissions section on the settings page to bring back the directory and file permissions listing feature found on the Security > Dashboard page of older plugin versions.
Fixes
- Fixed a situation where adding a very large list of IPs in the Ban Hosts list would generate an invalid .htaccess file on some servers.
Tweaks
- The Database Backups, Local Brute Force Protection, Network Brute Force Protection, Strong Password Enforcement, and WordPress Tweaks features are now active by default on new installations.
- The WordPress Tweaks feature now uses the "Disable File Editor" setting by default on new installations.
- The WordPress Tweaks feature now sets the "Multiple Authentication Attempts per XML-RPC Request" setting to "Block" by default on new installations.
- Improved the styling of notices.
Fixes
- Fixed SQL query for Database Backups when "Backup Full Database" is enabled.
Fixes
- Throw a real 403 instead of a faked 404 for hide backend. Fixes compatibility with certain plugins including WordPress SEO. Hat tip to Joost de Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.
Fixes
- Comparisons of IPv4 addresses and ranges now include the IPs at the edge of the ranges.
- IPv4 tests now work as expected when deciding if a blacklisted IP or range overlaps whitelisted IPs and ranges.
- Fixed styling issue that affected the display of the horizontal tabs on settings pages in WordPress 4.5.
- Replaced old module sorting order in settings screens.
- Fixed PHP 7 compatibility issue that triggers the following error: "Uncaught Error: Call to undefined function mysql_get_client_info()".
- Fixed warnings and errors that could occur when deleting the plugin.
- Fixed warning that could occur on a failed login when Local Brute Force Detection is disabled.
- All data added to the options table by iThemes Security is removed on uninstall.
- Fixed the cause of the following warning: call_user_func_array() expects parameter 1 to be a valid callback, class 'ITSEC_SSL_Setup' does not have a method 'execute_deactivate'
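The two IPv4 fixes above (edge addresses counted as inside a range, and blacklist/whitelist overlap detection) come down to inclusive bound comparisons. This added example, written for this note rather than taken from the plugin, shows the checks on integer-converted addresses; the accepted entry forms (single address, CIDR block, dashed "a.b.c.d-e.f.g.h" range) are an assumption for the example.

```python
import ipaddress
from typing import List, Tuple


def parse_ipv4_entry(entry: str) -> Tuple[int, int]:
    """Return the inclusive (first, last) integer bounds of an IPv4 entry."""
    entry = entry.strip()
    if "-" in entry:  # dashed range: both ends are part of the range
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {entry}")
        return int(lo), int(hi)
    if "/" in entry:  # CIDR block: network and broadcast addresses are the edges
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(entry))  # single address: a range of one
    return addr, addr


def entry_contains(entry: str, ip: str) -> bool:
    """True when ip is inside entry. Both comparisons are inclusive (<=);
    an exclusive 'lo < ip < hi' test is exactly the off-by-one that drops
    the first and last address of a range."""
    lo, hi = parse_ipv4_entry(entry)
    return lo <= int(ipaddress.IPv4Address(ip)) <= hi


def entries_overlap(a: str, b: str) -> bool:
    """True when the two entries share at least one address, including the
    case where one range ends exactly where the other begins."""
    a_lo, a_hi = parse_ipv4_entry(a)
    b_lo, b_hi = parse_ipv4_entry(b)
    return a_lo <= b_hi and b_lo <= a_hi


def blacklist_conflicts(blacklist: List[str], whitelist: List[str]) -> List[Tuple[str, str]]:
    """Return every (blacklist entry, whitelist entry) pair that overlaps, so a
    ban can be refused or reported before it would lock out a trusted host."""
    return [(b, w) for b in blacklist for w in whitelist if entries_overlap(b, w)]
```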
Tweaks
- When a lockout is being executed, wp_logout() will only be called if the current page request comes from a logged in user. This prevents plugins that log logout events from logging log outs from unknown users.
- Improved the descriptions used for some of the data displayed in the "System Information" section of Security > Dashboard.
- Added "Use MySQLi" entry to the "System Information" section of Security > Dashboard to show whether the MySQLi driver is enabled.
- Updated the "SQL Mode" entry in the "System Information" section of Security > Dashboard to show the full details if that value is set.
- Improved code that ensures that tables and options table entries created by iThemes Security are removed on uninstall only when no other iThemes Security plugin is active.
