Kadence Security Pro
Tweaks
- Check tables exist after completing a DB upgrade.
Fixes
- Users with weak passwords would not be forced to change their password if the strong password requirement had been enabled after their password strength was checked.
Tweaks
- Add LifterLMS support to the reCAPTCHA module.
Fixes
- Don't block registration page when "wp-signup.php" is the Hide Backend register slug.
Fixes
- Update security dashboard and admin notices styling to be compatible with WordPress 5.4.
- Periodically clear expired opaque tokens.
- Exclude "Process Update" and "Process Stop" logs when other process logs are hidden.
- Exclude process logs from the Malware Scan card.
Tweaks
- Use dashicons instead of font-awesome, and native font stack instead of Open Sans on the Grade Report.
Fixes
- Due to a Google reCAPTCHA API change, trying to use v3 or Invisible reCAPTCHA may have always resulted in the "You must submit the reCAPTCHA to proceed. Please try again." error. You may have to empty your server cache or browser cache to receive the fix.
Tweaks
- Further improve logs performance.
Tweaks
- Add super admins as a selectable role for User Groups.
- Add reCAPTCHA to the Reset Password form.
- Add support for resending a Two-Factor Email code.
- Add support for resending a Passwordless Login email.
- Allow selecting users across all sites in a network for User Groups, Security Profile cards, and User Security Check.
- Include all super admins by default in the Security Profile card, even if they are not a member of the network's main site.
- Display all of a user's roles in the Security Profile card.
- When logging in with Passwordless Login, skip Two-Factor if the primary Two-Factor method is Email.
- Force a space after each Two-Factor Backup Code to assist with copying and pasting.
- Include the website URL in the download file for Two-Factor Backup Codes.
- Add a warning if a WordPress Salt is set to an invalid value.
- Allow re-entering the Two-Factor Onboard flow even after Two-Factor is set up by visiting /wp-login.php?itsec_after_interstitial=2fa-on-board directly.
- Add a new WP CLI command for managing user Two-Factor enrollment.
- Add a new WP CLI command for retrieving logs.
- Include child log items in the logs list table. These are helpful for debugging issues.
- Improve performance of the logs page on sites with a large number of log items.
- Only show Lockout Bypass Magic Link for valid users.
- When logging $_SERVER, only log a snapshot of available properties.
Fixes
- New Password Requirements for already created accounts were not enforced until the second login.
- User Security Check would not display in Multisite.
- Prevent fatal error if invalid user IDs are encountered by User Groups.
- Infinite loop when trying to use Application Passwords on Multisite.
- User Logging did not correctly capture the user ID of the logged-out user on WordPress 5.3.
- Warnings when doing a settings import.
Deprecated
- The "getlockouts", "releaselockout", and "getrecent" WP CLI commands. Use the "lockout" and "log" commands instead. They will be removed in a future release.
Tweaks
- Harden iThemes Sync connection flow by adding a second verification check.
Fixes
- Prevent UnknownIdentifierException errors when modules are loaded before expected.
- Add additional type checks.
Fixes
- A fatal error could occur when upgrading to User Groups if a custom role had been selected for Two-Factor or Passwordless Login that has since been deleted but the module's settings had not been updated.
Tweaks
- iThemes Security requires PHP 5.6 or greater and WordPress 5.2 or greater.
Features
- Save Time Securing WordPress With User Groups!
- Simplified connection flow when setting up iThemes Sync.
Fixes
- Warning when loading the settings page on PHP 7.4.
- Warning when loading the debug page on PHP 7.4.
Tweaks
- Updated the Trusted Devices MaxMind GeoLite2 integration to account for MaxMind's new Terms of Service, which address the CCPA. Users must now provide a free license key when using the MaxMind GeoLite2 Geolocation method.
Fixes
- Backup event was not added when the WP Cron Scheduler was reset manually.
- Admin Notices Popover was not being hidden when clicking outside the Popover on WP 5.3.
Tweaks
- Allow LastPass to autofill password fields.
Fixes
- Passwordless Login would trip some ModSecurity rules when used with LastPass autofill.
- The username first Passwordless Login flow was not working on WordPress 5.3 if the user did not have permission to use Passwordless Login.
- Harden Version Management against plugins that were populating invalid update API data.
- The "Multisite Tweaks -> Hide Updates" setting prevented auto-updates from running with WP Cron.
- Remove "get_magic_quotes()" call that existed for backwards compatibility with PHP versions 5.3 and earlier. This function call was causing a warning on PHP 7.4.
