Kadence Security Pro
Features
- Allow for globally setting recipients for admin-targeted notifications. All new notifications will default to the recipients in this list. Notifications can be set to use the default list or switch to a custom list.
Tweaks
- Allow for disabling the Grade Report for certain users. This will hide the Grade Report in the admin and remove it from the Security Digest sent to those users. If one of these users is configured to receive the "Grade Report Change" email, they WILL still receive that notification.
- Account for 3rd-party Backup Plugin in Security Check.
- On upgrade, disable "Grade Report Change" email when more than one recipient is designated to receive the notification.
Tweaks
- Log Plugin activation/deactivation/uninstall and Theme switching in the User Logging module.
- Log WordPress, Plugin and Theme installs & updates in the Version Management module.
- Use Logging API for tracking Notification Center errors.
- Register Scheduler Events whenever the plugin build changes.
- Allow for filtering logs by any module recorded.
Fixes
- Account for any CLI PHP SAPI instead of just WP-CLI in the SSL Module.
- Incorrect notice for delayed plugins if the custom per-plugin setting had been switched off.
- Incorrect User Logging log when logging in via the Login Interstitial framework.
Features
- Granular Version Management control. Select which plugins or themes to auto-update. Optionally, use the delay feature to wait for a release to be stable for a certain number of days for sensitive or critical plugins.
- Optionally, receive an email notification whenever your Grade Report changes, at most once per day.
Tweaks
- Improve Grade Report notice styling and disable the "Resolve Issues" button while it is working.
- Add Security Check Pro debug page.
- Display a time diff until the next event on the Debug page.
Fixes
- 404 detection for plugins that mark is_404 later in the hook sequence.
- Plugin and theme updates were hidden after updating a single package via the Grade Report.
- Correct grammar for Email Two-Factor method.
- Warning when using the Grade Report while the Password Requirements module is disabled by constant.
- The Dashboard Widget did not count users who didn't have a primary provider set.
- Show "File Scan" button on dashboard widget even if "Write to Files" is disabled.
Tweaks
- Add setting to customize On-Board text.
- Require the user to confirm the Two-Factor email method when signing up via On-Boarding. This can be disabled by turning off the new Two-Factor Email Confirmation email in the Notification Center.
- Add setting for customizing who is required to use two-factor when "Vulnerable User Protection" and "Vulnerable Site Protection" are enabled and who is presented the On-Board flow.
- Check if an IP is blacklisted on page load, for compatibility with servers that cannot apply server-configuration-level bans immediately.
Fixes
- Provide better error messages in case the server for SSL support detection is non-responsive.
Tweaks
- Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
- Display the subject line of the Two-Factor Email when logging in.
- Fire a WordPress action whenever settings are updated.
Fixes
- Improved input sanitization on the logs page to prevent triggering warnings.
- Don't track post status transitions to the identical post status.
Security
- Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
Tweaks
- Recommend Strong Passwords and Refuse Compromised Passwords in the Grade Report.
Fixes
- Provide default values for enabled requirements.
Fixes
- Accessing password requirement settings would not resolve properly in some instances.
Tweaks
- Only pre-select Two-Factor methods during on-board process if the user requires Two-Factor. This should help prevent users from rolling through the on-board process too quickly.
- Show if a "force password change" is in effect and allow for the change to be removed.
- Add debug settings JSON editor.
- If no last password change date is recorded for the user, treat their registration date as the last change date.
Fixes
- If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
- Remove distributed storage table on uninstall.
- Don't display backup Two-Factor method form if it is not available to the user. Previously it would only be prevented from being submitted.
Features
- Integration with Have I Been Pwned to prevent users from using passwords found in data breaches.
Tweaks
- Introduce Password Requirements module for managing and enforcing password requirements.
- Continually evaluate password strength for users instead of only during registration.
- Add a basic admin debug page to help diagnose and resolve issues, particularly with scheduled events.
Fixes
- Password strength would not be evaluated if the password was set using custom PHP or CLI commands.
- Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
- Ensure the Grade Report instructions in the Security Digest are accurate when the Grade score is capped.
Tweaks
- Add UI to cancel an in-progress File Scan.
- Improved rendering of the Grade Report grade pie chart on HiDPI screens.
- Include current grade in the Security Digest.
- Don't write to the tracked files setting if the file hash has not changed.
- Exclude File Change storage settings from Importer/Exporter.
Fixes
- Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
- Away Mode would not lock out users who were already logged-in during the "away" period.
- Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
- Issue with importing settings when File Change is active.
