Kadence Security Pro
Tweaks
- Log Plugin activation/deactivation/uninstall and Theme switching in the User Logging module.
- Log WordPress, Plugin and Theme installs & updates in the Version Management module.
- Use Logging API for tracking Notification Center errors.
- Register Scheduler Events whenever the plugin build changes.
- Allow for filtering logs by any module recorded.
Fixes
- Account for any CLI PHP SAPI instead of just WP-CLI in the SSL Module.
- Incorrect notice for delayed plugins if the custom per-plugin setting had been switched off.
- Incorrect User Logging log when logging in via the Login Interstitial framework.
Features
- Granular Version Management control. Select which plugins or themes to auto-update. Optionally, use the delay feature to wait for a release to be stable for a certain number of days for sensitive or critical plugins.
- Optionally, receive an email notification whenever your Grade Report changes, at most once per day.
Tweaks
- Improve Grade Report notice styling and disable the "Resolve Issues" button while it is working.
- Add Security Check Pro debug page.
- Display a time diff until the next event on the Debug page.
Fixes
- 404 detection for plugins that mark is_404 later in the hook sequence.
- Plugin and theme updates were hidden after updating a single package via the Grade Report.
- Correct grammar for Email Two-Factor method.
- Warning when using Grade Report when the Password Requirements module is disabled by constant.
- The Dashboard Widget did not count users who didn't have a primary provider set.
- Show "File Scan" button on dashboard widget even if "Write to Files" is disabled.
Tweaks
- Add setting to customize On-Board text.
- Require user to confirm Two-Factor email method when signing up via On-Boarding. Can be disabled by disabling the new Two-Factor Email Confirmation email in the Notification Center.
- Add setting for customizing who is required to use two-factor when "Vulnerable User Protection" and "Vulnerable Site Protection" are enabled and who is presented the On-Board flow.
- Check if an IP is blacklisted on page load, for compatibility with servers that cannot apply server-configuration-level bans immediately.
Fixes
- Provide better error messages in case the server for SSL support detection is non-responsive.
Tweaks
- Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
- Display the subject line of the Two-Factor Email when logging in.
- Fire a WordPress action whenever settings are updated.
Fixes
- Improved input sanitization on the logs page to prevent triggering warnings.
- Don't track post status transitions to the identical post status.
Security
- Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
Tweaks
- Recommend Strong Passwords and Refuse Compromised Passwords in the Grade Report.
Fixes
- Provide default values for enabled requirements.
Fixes
- Accessing password requirement settings would not resolve properly in some instances.
Tweaks
- Only pre-select Two-Factor methods during on-board process if the user requires Two-Factor. This should help prevent users from rolling through the on-board process too quickly.
- Show if a "force password change" is in effect and allow for the change to be removed.
- Add debug settings JSON editor.
- If no last password change date is recorded for the user, treat their registration date as the last change date.
Fixes
- If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
- Remove distributed storage table on uninstall.
- Don't display backup Two-Factor method form if it is not available to the user. Previously it would only be prevented from being submitted.
Features
- Integration with Have I Been Pwned to prevent users from using passwords found in data breaches.
Tweaks
- Introduce Password Requirements module for managing and enforcing password requirements.
- Continually evaluate password strength for users instead of only during registration.
- Add a basic admin debug page to help diagnose and resolve issues, particularly with events.
Fixes
- Password strength would not be evaluated if the password was set using custom PHP or CLI commands.
- Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
- Ensure Grade Report instructions in the Security Digest are accurate when the Grade score is capped.
Tweaks
- Add UI to cancel in progress File Scan.
- Improved rendering of the Grade Report grade pie chart on HiDPI screens.
- Include current grade in the Security Digest.
- Don't write to the tracked files setting if the file hash has not changed.
- Exclude File Change storage settings from Importer/Exporter.
Fixes
- Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
- Away Mode would not lock out users who were already logged in during the "away" period.
- Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
- Issue with Importing settings when File Change is active.
Fixes
- Fixed "Cannot modify header information - headers already sent" warning issue that could happen when using reCAPTCHA on sites that add customizations to the login page.
- Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
- Skip recovery if File Change storage is empty.