Kadence Security Pro
Tweaks
- Add WP CLI command to run the Change Admin User tool.
- Disable SSL verification when performing the Security Check Loopback test. Some hosts can't properly verify loopback requests. This verification is unnecessary in this circumstance, and disabling SSL verification aligns iThemes Security with default WordPress loopback behavior.
- Override WordPress' built-in auto update notices at a higher priority. This fixes issues with iThemes Security's settings being overwritten by other systems.
Fixes
- Some users would be forced to choose a strong password twice in a row.
- Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
- Fix issues with initializing a site scan from a non-licensed domain name.
Tweaks
- iThemes Security requires WordPress 5.4 or later.
- Support writing a note describing why a ban was added.
- Store the time a ban was added, and the lockout module responsible for the ban.
- Add a WP CLI command for managing bans, wp itsec ban.
- Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
Features
- Manage bans from the Security Dashboard with the new Banned Users card.
Fixes
- PHP warnings when invalid entries are stored in the WordPress Cron storage.
- Update the list of tables added to wpdb.
- Remove default value for text columns. This caused an issue on MySQL 8 and is unnecessary.
- Missing borders in the sidebar widgets on WordPress 5.5.
- Notice actions didn't trigger when "Hide Admin Bar" is enabled.
Fixes
- On WordPress 5.5, use the new auto-update notification instead of the debug email.
- Updated lib/updater to 1.6.4. Added support for the auto-update feature introduced in WordPress 5.5.
Fixes
- Update lib/updater to the latest version. Fixed fatal error that can happen when upgrading to the 1.6.1 version of this code: Ithemes_Updater_Settings::get_licensed_site_url() in server.php:199.
Fixes
- Bump lib/updater
Tweaks
- Disable the WordPress 5.5 Auto-Update UI when iThemes Security Version Management is being used to manage auto-updates.
- Make the Site Scanner Report a configurable admin notice.
- Add a security message if a user needs to update their license information.
- Check if a licensed user is defined when checking license status.
- Use an opaque token for site scan verification to reduce invalid secret errors.
Fixes
- Error when trying to run Security Check on new installations.
Tweaks
- Add support for updating a plugin/theme directly from the Site Scanner vulnerability details page.
- Update site scanner notification language to be less alarming.
- Change insensitive language to be more inclusive.
Features
- The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro can now automatically apply the fix for you.
Tweaks
- Added support for muting specific vulnerability notifications. After performing a new site scan, click the link for details about a vulnerability. Then click the "mute" button to stop being notified about that particular issue.
- Remove quick bans. Persist banned hosts to .htaccess or nginx.conf on an hourly schedule.
- Cap banned hosts persisted to .htaccess or nginx.conf to the most recent 100. This number can be adjusted with the "itsec_ban_users_max_hosts_for_server_config" filter. Older banned hosts will be locked out after WordPress loads.
Fixes
- File Change Security Message would not appear for new installs.
Tweaks
- Ensure randomly generated passwords are considered strong by the Strong Passwords library.
- Suggest a 32 character password when forcing a password change.
Fixes
- PHP warning when a user's email address is updated outside of the user edit admin page.
- Fix login interstitials on WP Engine when using a front-end login form.
- PHP warning when checking opaque tokens.
- PHP warning after successfully connecting a site to iThemes Sync via the login connection flow.
Tweaks
- Deprecated Dashboard Widget has been removed.
Fixes
- PHP warning when evaluating password requirements.
