Kadence Security Pro
Tweaks
- Reintroduce Feature Flags management UI.
- Reposition "Advanced" and "Tools" menu items to be more readable on lengthy screens.
Fixes
- On upgrade, sites that did not support HTTPS but had the SSL module active and not configured would get redirected to the HTTPS version of the site.
- When the Change Admin User tool is run, update any User Groups referencing the old user id.
- Unregister the iThemes Security Two-Factor module when the Two-Factor Feature Plugin is enabled.
- Add missing and correct erroneous textdomains.
- WordPress footer would appear in the middle of the logs page.
Tweaks
- Move "Have I Been Pwned" integration to the Core plugin.
- Reduce filename length and complexity for built CSS and JS files.
Fixes
- Disable XML-RPC rules in server config files. Previously, XML-RPC was being disabled using the XML-RPC enabled filter.
- Fatal error on logs page when User Logging and Two-Factor are enabled and a user logs in using Two-Factor.
- Add missing constants to the debug page.
- Fatal error when sending the "Inactive Users" notification.
- Remove deleted recipients when saving notifications.
- Allow using reserved words as prefixes for the Hide Backend Login Slug.
- Enforce SSL would not redirect users from HTTP to HTTPS on the front-end of the website.
- Correct Site Scan statuses for scans with no issues.
Fixes
- Prevent Password Requirements being re-enabled if they were disabled before upgrading to iThemes Security 7.0, but had a group selected for them.
- Arguments to the implode function were reversed, causing a Fatal Error on PHP 8.
- Allow installing on WordPress 5.7.0, not just 5.7.1+.
- Ensure the value passed to the TextareaListControl is an array.
- Don't run the dashboard migration if unneeded.
- Labels for Disable PHP Execution in Plugins and Themes were reversed.
- Activate the Geolocation module if Trusted Devices provided Geolocation API keys.
Tweaks
- iThemes Security now requires WordPress 5.7 and PHP 7.0 or later.
- The settings UI is now fully responsive and works great across mobile, tablet, and desktop devices.
- Improved keyboard and screen reader support.
- The User Security Profile Card now supports searching for specific users and filtering by User Role.
- The User Security Profile Card can now be used to force password changes, force a user to lockout, and send a Two-Factor setup reminder.
- The Banned Users Card can add multiple bans at once.
- Add a new Global setting to control "Automatically Temporarily Authorize Hosts".
- When the Global setting "Hide Security Menu in Admin Bar" is enabled, notices will no longer be printed on non-iThemes Security pages. Instead, you can access the Message Center from the Settings or Dashboard toolbars.
- The Security Dashboard has moved back to the Security menu and is now the default page.
- Your first security dashboard will be created automatically when you visit the dashboard for the first time. Create your own by clicking the dashboard's title, then select "Create New Dashboard".
- The Database Backups module is no longer available if you have BackupBuddy installed. If this behavior isn't desired, enable the "ITSEC_ENABLE_BACKUPS" constant.
- Activating the Magic Links module now enables the feature. The extraneous "Enable Lockout Bypass" setting has been removed.
- The Geolocation API configuration used by Trusted Devices has been moved into its own dedicated "Geolocation" module.
- Modules are now based on a module.json configuration file. If you are registering a custom iThemes Security module, you should update it to include a module.json file that adheres to the core/module-schema.json JSON Schema.
- Add a WP CLI command for running tools. See "wp help itsec tool" for more information.
- Split the Two-Factor and Dashboard module into a Core module and a Pro module. Settings for these modules are still stored in the base module.
- The Network Brute Force module had its folder updated to "network-brute-force" from "ipcheck".
- New Object Oriented API for creating Password Requirements.
- New Settings and Modules REST API endpoints.
- New RPC REST API namespace. There is no backward compatibility promise for these API endpoints.
Features
- iThemes Security gets a redesigned interface focused on making it easier to configure and find what you're looking for. Read More: https://ithemes.com/?p=64448.
- Instantly search over everything in iThemes Security with a new instant search feature.
- Security Tools have been grouped into their own page. "Identify Server IPs" and "Security Check Pro" can be run manually without using Debug Mode.
- Relevant content from the Help Center, iThemes Blog, and iThemes YouTube channel is surfaced in a new Help area based on the current page. Click the "Help" button in the toolbar or the "Info" icon next to the page title to access it.
Deprecations
- The following modules have been removed: 404 Detection, Away Mode, Change Content Directory, and Multisite Tweaks.
- The following WordPress and System Tweaks have been removed: Remove Windows Live Writer Header, EditURI Header, Comment Spam, Mitigate Attachment File Traversal Attack, Protect Against Tabnapping, Filter Long URL Strings, Filter Non-English Characters, Filter Request Methods, Remove File Writing Permissions.
- The "Backup Full Database" setting has been removed from the Backups module.
- The "Require SSL", "Front End SSL Mode", and "SSL for Dashboard" settings have been removed from the SSL module.
- The "Strengthen when Outdated" setting has been removed from the Version Management module.
Fixes
- Fix fatal errors when using PHP 8.
- Fix infinite loop when restricting who can use App Passwords on multisite installs.
- Ensure the ITSEC_Setup class does not exist before trying to load it.
- Display schema errors on multisite in the Network Admin.
Tweaks
- Add notice for the upcoming major 7.0 release.
Security
- Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
Tweaks
- Add filters to short-circuit lock APIs.
Fixes
- Prevent wp_no_robots deprecation warning on WordPress 5.7.
Tweaks
- Remove non-SSL fallbacks for Security Check Pro and Version Management.
Fixes
- Tweak checkbox styles.
Security
- To improve server compatibility, requests to the iThemes updater servers would automatically downgrade from https to http when https connections failed. This update removes the automatic downgrade. If your server cannot make outbound https connections, you can re-enable the downgrade capability by adding the following define in your site's wp-config.php file: define( 'ITHEMES_ALLOW_HTTP_FALLBACK', true );
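An added example (not iThemes code): a small audit that reports whether a wp-config.php has re-enabled the HTTP downgrade through an active ITHEMES_ALLOW_HTTP_FALLBACK define, ignoring commented-out copies. It assumes any truthy value re-enables the fallback and that the first unconditional define() is the effective one; the function names and sample configs are constructed for illustration.

```python
import re

# Constant name as given in the changelog entry; everything else is illustrative.
CONSTANT = "ITHEMES_ALLOW_HTTP_FALLBACK"

# String literals are matched first so '//' inside e.g. a URL is not read as a comment.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")   # group 1: string literal, kept
      |/\*.*?\*/|//[^\n]*|\#[^\n]*              # PHP comment, dropped
    """, re.S | re.X)

_DEFINE = re.compile(
    r"(?i:define)\s*\(\s*['\"]" + CONSTANT + r"['\"]\s*,\s*([^)]*?)\s*\)")


def strip_php_comments(src):
    """Remove /* */, // and # comments while leaving string literals intact."""
    return _TOKEN.sub(lambda m: m.group(1) or "", src)


def http_fallback_enabled(wp_config_text):
    """True if an uncommented define() sets the constant to a truthy value."""
    m = _DEFINE.search(strip_php_comments(wp_config_text))
    if not m:
        return False                      # not defined: no downgrade to http
    raw = m.group(1).strip()
    if raw and raw[0] in "'\"":           # quoted: PHP treats only '' and '0' as false
        return raw[1:-1] not in ("", "0")
    return raw.lower() not in ("", "false", "null", "0")


# Constructed sample configs, not taken from any real site.
SAMPLE_ENABLED = """<?php
/* re-enabled for an old host */
define( 'ITHEMES_ALLOW_HTTP_FALLBACK', true );
"""
SAMPLE_COMMENTED = """<?php
// define( 'ITHEMES_ALLOW_HTTP_FALLBACK', true );
define( 'WP_DEBUG', false );
"""

if __name__ == "__main__":
    for name, text in (("enabled", SAMPLE_ENABLED), ("commented", SAMPLE_COMMENTED)):
        state = "HTTP fallback ON" if http_fallback_enabled(text) else "HTTPS only"
        print(f"{name}: {state}")
```

Conditional defines and values computed at runtime are outside what this text scan can decide; treat a positive result as a prompt to check the host's outbound HTTPS support instead of keeping the fallback.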
Fixes
- Version Management compatibility with further changes in WordPress 5.6.
Fixes
- Improved compatibility with WP Engine.
- Version Management compatibility with WordPress 5.6.
- Follow Core UI patterns for Application Passwords.
- Pass the WP_Error object to the wp_login_failed hook.
Features
- iThemes Security now supports Passwordless Login and reCAPTCHA v3 for Restrict Content Pro (version 6.4.3 and later).
Tweaks
- Overwrite Restrict Content Pro's detected IP address with the IP detected by iThemes Security.
- Application Passwords compatibility with WordPress 5.6.
Fixes
- Two Factor and Password Requirements compatibility with Restrict Content Pro.
- PHP warnings that may occur when initializing default user groups on a new installation.
