6.6.3 - 2020-08-06 - Timothy Jacobs
Bug Fix: Bump lib/updater
6.6.4 - 2020-08-07 - Timothy Jacobs
Bug Fix: Update lib/updater to the latest version. Fixes a fatal error that can happen when upgrading to version 1.6.1 of the updater library: Ithemes_Updater_Settings::get_licensed_site_url() in server.php:199.
6.6.5 - 2020-08-13 - Timothy Jacobs
Bug Fix: On WordPress 5.5, use the new auto-update notification instead of the debug email.
Bug Fix: Updated lib/updater to 1.6.4. Added support for the auto-update feature introduced in WordPress 5.5.
6.7.0 - 2020-09-16 - Timothy Jacobs
Important: iThemes Security requires WordPress 5.4 or later.
New Feature: Manage bans from the Security Dashboard with the new Banned Users card.
Enhancement: Support writing a note describing why a ban was added.
Enhancement: Store the time a ban was added, and the lockout module responsible for the ban.
Enhancement: Add a WP CLI command for managing bans, wp itsec ban.
Enhancement: Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
Bug Fix: PHP warnings when invalid entries are stored in the WordPress Cron storage.
Bug Fix: Update the list of tables added to wpdb.
Bug Fix: Remove default value for text columns. This caused an issue on MySQL 8 and is unnecessary.
Bug Fix: Missing borders in the sidebar widgets on WordPress 5.5.
Bug Fix: Notice actions didn't trigger when "Hide Admin Bar" is enabled.
6.7.1 - 2020-09-24 - Timothy Jacobs
Enhancement: Add WP CLI command to run the Change Admin User tool.
Tweak: Disable SSL verification when performing the Security Check loopback test. Some hosts can't properly verify the certificate on a loopback request to their own site. Because the request only targets the site itself, certificate verification adds nothing here, and disabling it aligns iThemes Security with WordPress core's default loopback behavior.
Tweak: Override WordPress' built in auto update notices at a higher priority. This fixes issues with iThemes Security's settings being overwritten by other systems.
Bug Fix: Some users would be forced to choose a strong password twice in a row.
Bug Fix: Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
Bug Fix: Fix issues with initializing a site scan from a non-licensed domain name.
6.8.0 - 2020-10-12 - Timothy Jacobs
New Feature: iThemes Security now supports Passwordless Login and reCAPTCHA v3 for Restrict Content Pro ( version 6.4.3 and later ).
Enhancement: Overwrite Restrict Content Pro's detected IP address with the IP detected by iThemes Security.
Tweak: Application Passwords compatibility with WordPress 5.6.
Bug Fix: Two Factor and Passwords Requirements compatibility with Restrict Content Pro.
Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.
6.8.1 - 2020-11-05 - Timothy Jacobs
Bug Fix: Improved compatibility with WP Engine.
Bug Fix: Version Management compatibility with WordPress 5.6.
Bug Fix: Follow Core UI patterns for Application Passwords.
Bug Fix: Pass the `WP_Error` object to the `wp_login_failed` hook.
6.8.2 - 2020-12-07 - Timothy Jacobs
Bug Fix: Version Management compatibility with further changes in WordPress 5.6.
6.8.3 - 2020-12-16 - Timothy Jacobs
Tweak: Remove non-SSL fallbacks for Security Check Pro and Version Management.
Bug Fix: Tweak checkbox styles.
Security Improvement: To improve server compatibility, requests to the iThemes updater servers would automatically downgrade from https to http when https connections failed. This update removes the automatic downgrade. If your server cannot make outbound https connections, you can re-enable the downgrade capability by adding the following define in your site's wp-config.php file:
define( 'ITHEMES_ALLOW_HTTP_FALLBACK', true );
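The pattern this release moves to, as an added illustration rather than the plugin's own updater code: try HTTPS, and only retry over plain HTTP when the site owner has explicitly opted in with the define above. It assumes WordPress is loaded (wp_remote_get, is_wp_error and WP_Error are core APIs); the function name, host and path are placeholders.

```php
<?php
// Added example, not iThemes' code. Fetch an updater endpoint over HTTPS only,
// falling back to cleartext HTTP solely when the site owner has set
// define( 'ITHEMES_ALLOW_HTTP_FALLBACK', true ) in wp-config.php.
// Assumes WordPress is loaded; example_updater_request, $host and $path are
// illustrative names.

function example_updater_request( $host, $path, $args = array() ) {
	$https_url = 'https://' . $host . $path;
	$response  = wp_remote_get( $https_url, $args );

	if ( ! is_wp_error( $response ) ) {
		return $response;
	}

	// Old behaviour: silently retry over http on any https failure. That turns
	// a broken CA bundle, or an active attacker deliberately breaking the TLS
	// handshake, into a cleartext request for update metadata. Now the
	// downgrade requires an explicit opt-in, and it is logged when it happens.
	if ( defined( 'ITHEMES_ALLOW_HTTP_FALLBACK' ) && ITHEMES_ALLOW_HTTP_FALLBACK ) {
		error_log( sprintf(
			'Updater: https request to %s failed (%s); retrying over http because ITHEMES_ALLOW_HTTP_FALLBACK is set.',
			$https_url,
			$response->get_error_message()
		) );
		return wp_remote_get( 'http://' . $host . $path, $args );
	}

	// Default: fail closed and surface the original TLS/transport error so the
	// host can fix outbound HTTPS instead of masking the problem.
	return new WP_Error(
		'https_required',
		sprintf( 'Could not reach %s over https: %s', $https_url, $response->get_error_message() ),
		array( 'original' => $response )
	);
}
```

If you do have to set the define, treat it as a temporary workaround: the underlying cause is usually an outdated CA bundle or a firewall blocking outbound port 443, and fixing that restores integrity for every outbound request, not just this one.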
6.8.4 - 2021-04-13 - Timothy Jacobs
Security: Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
Tweak: Add filters to short-circuit lock APIs.
Bug Fix: Prevent wp_no_robots deprecation warning on WordPress 5.7.
6.0.0 - 2019-05-30 - Chris Jean & Timothy Jacobs
New: iThemes Security Admin Notices are now conveniently located in the new Security Messages Menu. Check your notices in the Security menu on the WordPress Admin Bar.
Enhancement: Add filters to customize the available Two Factor providers for a user.
Enhancement: Add a dismissible warning if iThemes Security isn't licensed.
Tweak: Remove "pin" link from a Security Profile when that profile has already been pinned.
Tweak: Remove 'DELETE' method from "System Tweaks -> Filter Request Methods"
Tweak: Minor UI and a11y improvements to the Security Dashboard.
6.0.1 - 2019-06-06 - Chris Jean & Timothy Jacobs
Enhancement: Add Security Message when a Notification Center email fails to send.
Enhancement: Add Security Message when the Malware Scanner finds malware or encounters an error.
Enhancement: Replace Trace IP with IP Tracker Online.
6.0.2 - 2019-06-28 - Chris Jean & Timothy Jacobs
Enhancement: New iThemes Sync Verb support for File Change.
Tweak: Add additional information about the login attempt when calling the Network Brute Force API.
Bug Fix: Ensure Dashboard classes are always loaded.
5.8.0 - 2019-02-13 - Chris Jean & Timothy Jacobs
New Feature: Add "Click to Continue" button to email Two-Factor method to simplify usage.
Enhancement: Don't require logging in again after overriding Two-Factor in Sync in mid-login.
Enhancement: Improve redirecting after processing a login interstitial from a front-end login form.
Tweak: Add display description for log when safe guarding against an empty config file write.
Bug Fix: Include Hide Backend token when emailing a password reset URL.
Bug Fix: Duplicate key error when consolidating Dashboard Events.
Bug Fix: Fix Recaptcha opt-in CSS not always loading.
5.9.0 - 2019-02-19 - Chris Jean & Timothy Jacobs
New Feature: A new dashboard widget powered by the iThemes Security Dashboard.
Bug Fix: Prevent "headers already sent" warning when logging in with the Two-Factor email method on certain systems.
Bug Fix: Tabnabbing: Apply rel="noopener" to links when the browser supports it, instead of using the blankshield script, to prevent new pop-up blocker behavior from killing the links.
5.9.1 - 2019-02-20 - Chris Jean & Timothy Jacobs
Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.
Bug Fix: Error on the WordPress dashboard screen when the Security Dashboard module does not completely load.
5.9.2 - 2019-02-20 - Chris Jean & Timothy Jacobs
Bug Fix: Load new dashboard widget on Multisite network admin dashboard properly.
5.9.3 - 2019-03-12 - Chris Jean & Timothy Jacobs
Important: Replace Google QR Code API with an iThemes Security hosted solution. Google's API will be shutdown on March 14th, 2019. If you'd like to generate QR codes locally, a plugin is available in the members panel under "Plugins": iThemes Security - Local QR Code.
Enhancement: Add support for deleting dashboards.
Enhancement: Order cards in the dashboard widget in the same order as the mobile breakpoint in the Security Dashboard.
Enhancement: New WP-CLI command for retrieving, releasing and creating lockouts.
Tweak: Improve dashboard a11y.
Tweak: Improve dashboard performance by decreasing the bundle size, improving cache stability, and async loading less used libraries.
Tweak: Allow the log description column to word break for URLs or other strings with no spaces.
Bug Fix: Hide Backend bypass on certain Apache configurations.
Bug Fix: Properly return error that occurs during a backup.
Bug Fix: Regex warning on PHP 7.3 in the File Change module.
Bug Fix: Resolve warning when a user is set to "No Role".
Bug Fix: Removing the last role or user from a shared dashboard would not work.
5.9.4 - 2019-03-22 - Chris Jean & Timothy Jacobs
Bug Fix: Hide backend bypass.
5.9.5 - 2019-05-06 - Chris Jean & Timothy Jacobs
Bug Fix: For WordPress 5.2 installs, prevent updating a plugin via Grade Report if the new plugin update has PHP version requirements that are not met.
5.7.0 - 2019-01-16 - Chris Jean & Timothy Jacobs
New Feature: reCAPTCHA v3 support. Can toggle between loading the api on all pages ( recommended ) or only the required pages. Adjust the Block Threshold from the recommended default of "0.5" based on the data in the Google reCAPTCHA console.
New Feature: On page reCAPTCHA opt-in to allow users to agree to Google's ToS without refreshing the page.
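How a server-side "Block Threshold" decision on a reCAPTCHA v3 result can be made, as an added example that is not the plugin's code. The fields used (success, score, action, hostname, error-codes) are those of Google's documented siteverify JSON response; the function name, the expected action names and the sample responses are constructed. The choice that a score exactly equal to the threshold is blocked is this example's, not necessarily the plugin's.

```php
<?php
// Added example, not iThemes' code. Decide whether a request passes based on a
// reCAPTCHA v3 siteverify response body. Everything fails closed: a malformed,
// unsuccessful, wrong-action, wrong-host or score-less response is a block.
// The sample JSON below is constructed for this example.

function example_recaptcha_v3_allows( $siteverify_json, $expected_action, $expected_host, $block_threshold = 0.5 ) {
	$data = json_decode( $siteverify_json, true );

	// Google reports token problems via success=false plus error-codes.
	if ( ! is_array( $data ) || empty( $data['success'] ) ) {
		return false;
	}

	// v3 tokens are bound to the action passed to grecaptcha.execute(); a token
	// minted for "homepage" must not satisfy the "login" check.
	if ( ! isset( $data['action'] ) || $data['action'] !== $expected_action ) {
		return false;
	}

	// A token solved on some other site is still "successful"; tie it to ours.
	if ( ! isset( $data['hostname'] ) || $data['hostname'] !== $expected_host ) {
		return false;
	}

	// Block Threshold: a missing score is not treated as 1.0.
	if ( ! isset( $data['score'] ) || ! is_numeric( $data['score'] ) ) {
		return false;
	}

	return (float) $data['score'] > $block_threshold;
}

// Constructed sample responses.
$human = '{"success":true,"score":0.9,"action":"login","hostname":"example.com","challenge_ts":"2019-01-16T12:00:00Z"}';
$bot   = '{"success":true,"score":0.1,"action":"login","hostname":"example.com","challenge_ts":"2019-01-16T12:00:00Z"}';
$wrong = '{"success":true,"score":0.9,"action":"homepage","hostname":"example.com"}';
$bad   = '{"success":false,"error-codes":["timeout-or-duplicate"]}';

var_dump( example_recaptcha_v3_allows( $human, 'login', 'example.com' ) );
var_dump( example_recaptcha_v3_allows( $bot,   'login', 'example.com' ) );
var_dump( example_recaptcha_v3_allows( $wrong, 'login', 'example.com' ) );
var_dump( example_recaptcha_v3_allows( $bad,   'login', 'example.com' ) );
```

Only the first sample is allowed; the low score, the action mismatch and the failed verification are all blocked. Tuning the threshold is a trade-off you should make from the score distribution in the reCAPTCHA console, as the entry above says: raising it above 0.5 blocks more bots but also more legitimate users with thin browsing histories.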
5.1.4 - 2018-05-22 - Chris Jean & Timothy Jacobs
Enhancement: The number of users listed in the User Security Check model is now limited to 20 by default. This can be modified by using the itsec_user_security_check_users_per_page filter.
Enhancement: Introduce Distributed Storage framework for reducing the amount of data stored in the WordPress options table. This should improve performance for large sites using File Change.
5.2.0 - 2018-05-24 - Chris Jean & Timothy Jacobs
New Feature: Added support for the new WordPress privacy features.
Enhancement: Stopped sending the remote_ip argument to Google's reCAPTCHA server, which reduces the amount of personal information that is sent.
Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings feature in order to avoid blocking privacy export/erasure request confirmations.
5.2.1 - 2018-05-24 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed "Cannot modify header information - headers already sent" warning issue that could happen when using reCAPTCHA on sites that add customizations to the login page.
Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
Bug Fix: Skip recovery if File Change storage is empty.
5.2.2 - 2018-05-31 - Chris Jean & Timothy Jacobs
Enhancement: Add UI to cancel in progress File Scan.
Enhancement: Improved rendering of the Grade Report grade pie chart on HiDPI screens.
Enhancement: Include current grade in the Security Digest.
Tweak: Don't write to the tracked files setting if the file hash has not changed.
Tweak: Exclude File Change storage settings from Importer/Exporter.
Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
Bug Fix: Away Mode would not lock out users who were already logged-in during the "away" period.
Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
Bug Fix: Issue with Importing settings when File Change is active.
5.3.0 - 2018-06-07 - Chris Jean & Timothy Jacobs
New Feature: Integration with Have I Been Pwned to prevent users from using passwords found in data breaches.
Enhancement: Introduce Password Requirements module for managing and enforcing password requirements.
Enhancement: Continually evaluate password strength for users instead of only during registration.
Enhancement: Add a basic admin debug page to help diagnose and resolve issues, particularly with events.
Bug Fix: Password strength would not be evaluated if password was set using custom PHP or CLI commands.
Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
Bug Fix: Ensure Grade Report instructions in the Security Digest is accurate when the Grade score is capped.
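The Have I Been Pwned check can be done without ever sending the password, or even its full hash, off the site. As an added example that is not the plugin's own implementation: the Pwned Passwords range API takes the first five hex characters of the SHA-1 hash and returns every known suffix for that prefix with a breach count, so the comparison happens locally. The wire format ("SUFFIX:COUNT" lines) and the api.pwnedpasswords.com endpoint are HIBP's documented ones; the function names, the fetcher callback and the stubbed response (including its counts) are constructed for this example.

```php
<?php
// Added example, not iThemes' code. k-anonymity lookup against the HIBP Pwned
// Passwords range API. SHA-1 is used here only because the API is keyed on it;
// it is not a password storage hash. Function names and the stub are
// illustrative.

function example_hibp_split( $password ) {
	$hash = strtoupper( sha1( $password ) );
	return array( substr( $hash, 0, 5 ), substr( $hash, 5 ) );
}

/**
 * Returns the breach count for the password (0 = not found), or -1 when the
 * range lookup failed so the caller can decide between fail-open and
 * fail-closed explicitly. $fetch_range takes the 5-char prefix and returns the
 * response body (or null), which lets the lookup be stubbed offline.
 */
function example_hibp_breach_count( $password, callable $fetch_range ) {
	list( $prefix, $suffix ) = example_hibp_split( $password );
	$body = $fetch_range( $prefix );

	if ( ! is_string( $body ) ) {
		return -1;
	}

	foreach ( preg_split( '/\r?\n/', $body ) as $line ) {
		$parts = explode( ':', trim( $line ), 2 );
		if ( count( $parts ) === 2 && hash_equals( $suffix, strtoupper( $parts[0] ) ) ) {
			return (int) $parts[1];
		}
	}
	return 0;
}

// Live fetcher using the WordPress HTTP API (requires WordPress to be loaded).
function example_hibp_fetch_range( $prefix ) {
	$response = wp_remote_get( 'https://api.pwnedpasswords.com/range/' . $prefix, array( 'timeout' => 5 ) );
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	return wp_remote_retrieve_body( $response );
}

// Offline demonstration with a constructed range response (counts are made up).
// SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix
// sent to the API is 5BAA6 and the locally matched suffix is
// 1E4C9B93F3F0682250B6CF8331B7EE68FD8.
$stub = function ( $prefix ) {
	return "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
	     . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
	     . "1E2AAA439972480CEC7F16C795BBB429372:1\r\n";
};

var_dump( example_hibp_breach_count( 'password', $stub ) );
var_dump( example_hibp_breach_count( 'correct horse battery staple', $stub ) );
var_dump( example_hibp_breach_count( 'password', function ( $prefix ) { return null; } ) );
```

With the stub, "password" returns the constructed count, the second string returns 0 because its suffix is not in the list, and the failing fetcher returns -1. Two things worth keeping from this: only the five-character prefix is ever logged or transmitted, and an API outage is reported as a distinct state rather than silently treated as "not breached".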
5.3.1 - 2018-06-11 - Chris Jean & Timothy Jacobs
Enhancement: Only pre-select Two-Factor methods during on-board process if the user requires Two-Factor. This should help prevent users from rolling through the on-board process too quickly.
Enhancement: Show if a "force password change" is in-effect and allow for the change to be removed.
Enhancement: Add debug settings JSON editor.
Tweak: If no last password change date is recorded for the user, treat their registration date as the last change date.
Bug Fix: If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
Bug Fix: Remove distributed storage table on uninstall.
Bug Fix: Don't display backup Two-Factor method form if it is not available to the user. Previously it would only be prevented from being submitted.
5.3.2 - 2018-06-12 - Chris Jean & Timothy Jacobs
Bug Fix: Accessing password requirement settings would not resolve properly in some instances.
5.3.3 - 2018-06-18 - Chris Jean & Timothy Jacobs
Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
Tweak: Recommend Strong Passwords and Refuse Compromised Passwords in the Grade Report.
Bug Fix: Provide default values for enabled requirements.
5.3.4 - 2018-06-27 - Chris Jean & Timothy Jacobs
Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
Tweak: Display the subject line of the Two-Factor Email when logging in.
Tweak: Fire a WordPress action whenever settings are updated.
Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.
Bug Fix: Don't track post status transitions to the identical post status.
5.1.1 - 2018-04-25 - Chris Jean & Timothy Jacobs
Enhancement: Allow for customizing access to the Application Passwords feature.
Misc: Added comment to prevent Tide from marking the plugin as not compatible with PHP 5.3.
Tweak: Differentiate between "Enforced Two-Factor" and "Configured Two-Factor" in User Security Check.
Bug Fix: Improve clearing of previous File Change file hashes.
Bug Fix: Internal links to a filtered logs page.
Bug Fix: Prevent duplicate "user-logged-in" log items when logging-in with Two Factor.
Bug Fix: Prevent multiple session tokens from being created when logging-in with Two Factor.
Bug Fix: Prevent missing provider information when logging a successful Two Factor authentication.
Bug Fix: Fixed incorrect detail text for Local Brute Force Protection on the Grade Report.
5.1.2 - 2018-05-02 - Chris Jean & Timothy Jacobs
Tweak: Two-Factor Flow: Allow the user to proceed after downloading or copying the backup codes without dismissing the notice.
Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
Tweak: File Change: Move "latest_changes" entry to a separate storage bucket to improve performance on large sites.
Bug Fix: Fix error on Multisite settings page when Two-Factor is not enabled.
Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password page.
Bug Fix: Fix clearing of previous file scan results.
Bug Fix: iThemes Licensing: Fixed the "View details" link failing to work properly after updating.
Bug Fix: iThemes Licensing: Fixed an issue that could cause data changes to not save properly on specific background page requests.
Bug Fix: iThemes Licensing: Added a compatibility fix to avoid conflicts with plugins that change the plugin_action_links filter value from an array to a string.
Compatibility Fix: iThemes Licensing: Updated handling of wp_remote_get() response due to changes documented in core.trac.wordpress.org.
Enhancement: iThemes Licensing: Added ability to manage licensing from WP-CLI.
5.1.3 - 2018-05-03 - Chris Jean & Timothy Jacobs
Bug Fix: iThemes Licensing: Fixed fatal error that could occur when clicking the "View details" link for an available plugin update.
5.1.0 - 2018-04-19 - Chris Jean & Timothy Jacobs
New Feature: Add Two-Factor On-Board flow.
Enhancement: Support disabling enforced Two-Factor the first time a user logs-in.
Enhancement: Introduced Login Interstitial framework to consolidate code between Password Requirements & Two Factor.
Bug Fix: Resolve warnings when upgrading file change settings.
Bug Fix: Allow read-only Application Passwords to make HEAD requests.
5.0.2 - 2018-04-17 - Chris Jean & Timothy Jacobs
Tweak: Move Online Files hashes to a separate storage setting to improve performance on sites with large number of plugins or themes.
Tweak: Add description for File Change recovery related logs.
Tweak: Don't report removed files if the removal is caused by a new file extension being excluded.
Bug Fix: Improved detection of REST API requests on sites without a home dir.
Bug Fix: Improve File Change recovery system on high-traffic websites.
Bug Fix: Fix warnings on debug file change log items.
5.0.1 - 2018-04-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed a fatal error condition that could occur on the Grade Report page when specific combinations of manual roles for Two-Factor Protection > User Type Protection were selected.
5.0.0 - 2018-04-12 - Chris Jean & Timothy Jacobs
New Feature: Added Grade Report, a tool to identify security weaknesses on the site with options to fix the detected issues.
Bug Fix: Ensure all users with the `manage_options` capability are available when selecting contacts in the Notification Center.
Enhancement: Added minimal API for adding additional entries to the Security admin menu.
4.8.2 - 2018-02-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed "undefined offset" error when displaying specific migrated old log entries.
4.8.3 - 2018-02-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed issue that could cause login attempts to bypass recaptcha protection.
4.8.1 - 2017-02-08 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed schema issue with new logs table.
4.8.0 - 2017-02-08 - Chris Jean & Timothy Jacobs
Enhancement: Updated logging system to keep track of more information and have more options to filter and sort log entries.
Enhancement: Improved efficiency of File Change Detection scanning.
Enhancement: Added malware scan support for scanning all sites in a Multisite Network.
Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.
4.7.4 - 2017-01-29 - Chris Jean & Timothy Jacobs
New Feature: Online Files Comparison now supports WordPress.org plugins.
Enhancement: Add support for changing position of the Invisible Recaptcha badge.
Enhancement: Display user lockouts in Lockout Sidebar.
Tweak: Use the current site URL instead of the network URL when sending Two Factor Email codes.
Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
Bug Fix: Fixed method that could be used to discover hidden login slug on some sites.
Bug Fix: Hide Backend notifications not being properly sent when first enabled.
Bug Fix: Load translations on the plugins_loaded hook.
Bug Fix: Log logins with User Logging when logging in with Two Factor.
Bug Fix: Prevent login page being hidden when following the "Confirm Email Address" notification URL.
Bug Fix: Update to the REST API "Restricted Access" feature to protect against methods to work around the restricted access.