5.8.0 - 2019-02-13 - Chris Jean & Timothy Jacobs
New Feature: Add "Click to Continue" button to email Two-Factor method to simplify usage.
Enhancement: Don't require logging in again after overriding Two-Factor in Sync in mid-login.
Enhancement: Improve redirecting after processing a login interstitial from a front-end login form.
Tweak: Add display description for log when safeguarding against an empty config file write.
Bug Fix: Include Hide Backend token when emailing a password reset URL.
Bug Fix: Duplicate key error when consolidating Dashboard Events.
Bug Fix: Fix reCAPTCHA opt-in CSS not always loading.
5.9.0 - 2019-02-19 - Chris Jean & Timothy Jacobs
New Feature: A new dashboard widget powered by the iThemes Security Dashboard.
Bug Fix: Prevent "headers already sent" warning when logging in with the Two-Factor email method on certain systems.
Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script when available to prevent new pop-up blocker behavior from killing the links.
5.9.1 - 2019-02-20 - Chris Jean & Timothy Jacobs
Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.
Bug Fix: Error on the WordPress dashboard screen when the Security Dashboard module does not completely load.
5.9.2 - 2019-02-20 - Chris Jean & Timothy Jacobs
Bug Fix: Load new dashboard widget on Multisite network admin dashboard properly.
5.9.3 - 2019-03-12 - Chris Jean & Timothy Jacobs
Important: Replace Google QR Code API with an iThemes Security hosted solution. Google's API will be shut down on March 14th, 2019. If you'd like to generate QR codes locally, a plugin is available in the members panel under "Plugins": iThemes Security - Local QR Code.
Enhancement: Add support for deleting dashboards.
Enhancement: Order cards in the dashboard widget in the same order as the mobile breakpoint in the Security Dashboard.
Enhancement: New WP-CLI command for retrieving, releasing and creating lockouts.
Tweak: Improve dashboard a11y.
Tweak: Improve dashboard performance by decreasing the bundle size, improving cache stability, and async loading less used libraries.
Tweak: Allow the log description column to word break for URLs or other strings with no spaces.
Bug Fix: Hide Backend bypass on certain Apache configurations.
Bug Fix: Properly return error that occurs during a backup.
Bug Fix: Regex warning on PHP 7.3 in the File Change module.
Bug Fix: Resolve warning when a user is set to "No Role".
Bug Fix: Removing the last role or user from a shared dashboard would not work.
5.9.4 - 2019-03-22 - Chris Jean & Timothy Jacobs
Bug Fix: Hide backend bypass.
5.9.5 - 2019-05-06 - Chris Jean & Timothy Jacobs
Bug Fix: For WordPress 5.2 installs, prevent updating a plugin via Grade Report if the new plugin update has PHP version requirements that are not met.
5.7.0 - 2019-01-16 - Chris Jean & Timothy Jacobs
New Feature: reCAPTCHA v3 support. Can toggle between loading the API on all pages (recommended) or only the required pages. Adjust the Block Threshold from the recommended default of "0.5" based on the data in the Google reCAPTCHA console.
New Feature: On-page reCAPTCHA opt-in to allow users to agree to Google's ToS without refreshing the page.
5.1.4 - 2018-05-22 - Chris Jean & Timothy Jacobs
Enhancement: The number of users listed in the User Security Check model is now limited to 20 by default. This can be modified by using the itsec_user_security_check_users_per_page filter.
Enhancement: Introduce Distributed Storage framework for reducing the amount of data stored in the WordPress options table. This should improve performance for large sites using File Change.
5.2.0 - 2018-05-24 - Chris Jean & Timothy Jacobs
New Feature: Added support for the new WordPress privacy features.
Enhancement: Removed sending the remote_ip argument to Google's reCAPTCHA server as it reduces the amount of personal information that is sent.
Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings feature in order to avoid blocking privacy export/erasure request confirmations.
5.2.1 - 2018-05-24 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed "Cannot modify header information - headers already sent" warning issue that could happen when using reCAPTCHA on sites that add customizations to the login page.
Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
Bug Fix: Skip recovery if File Change storage is empty.
5.2.2 - 2018-05-31 - Chris Jean & Timothy Jacobs
Enhancement: Add UI to cancel an in-progress File Scan.
Enhancement: Improved rendering of the Grade Report grade pie chart on HiDPI screens.
Enhancement: Include current grade in the Security Digest.
Tweak: Don't write to the tracked files setting if the file hash has not changed.
Tweak: Exclude File Change storage settings from Importer/Exporter.
Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
Bug Fix: Away Mode would not lock out users who were already logged in during the "away" period.
Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
Bug Fix: Issue with Importing settings when File Change is active.
5.3.0 - 2018-06-07 - Chris Jean & Timothy Jacobs
New Feature: Integration with Have I Been Pwned to prevent users from using passwords found in data breaches.
Enhancement: Introduce Password Requirements module for managing and enforcing password requirements.
Enhancement: Continually evaluate password strength for users instead of only during registration.
Enhancement: Add basic admin debug page to help diagnose and resolve issues, particularly with the events.
Bug Fix: Password strength would not be evaluated if password was set using custom PHP or CLI commands.
Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
Bug Fix: Ensure Grade Report instructions in the Security Digest are accurate when the Grade score is capped.
5.3.1 - 2018-06-11 - Chris Jean & Timothy Jacobs
Enhancement: Only pre-select Two-Factor methods during on-board process if the user requires Two-Factor. This should help prevent users from rolling through the on-board process too quickly.
Enhancement: Show if a "force password change" is in effect and allow for the change to be removed.
Enhancement: Add debug settings JSON editor.
Tweak: If no last password change date is recorded for the user, treat their registration date as the last change date.
Bug Fix: If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
Bug Fix: Remove distributed storage table on uninstall.
Bug Fix: Don't display backup Two-Factor method form if it is not available to the user. Previously it would only be prevented from being submitted.
5.3.2 - 2018-06-12 - Chris Jean & Timothy Jacobs
Bug Fix: Accessing password requirement settings would not resolve properly in some instances.
5.3.3 - 2018-06-18 - Chris Jean & Timothy Jacobs
Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
Tweak: Recommend Strong Passwords and Refuse Compromised Passwords in the Grade Report.
Bug Fix: Provide default values for enabled requirements.
5.3.4 - 2018-06-27 - Chris Jean & Timothy Jacobs
Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
Tweak: Display the subject line of the Two-Factor Email when logging in.
Tweak: Fire a WordPress action whenever settings are updated.
Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.
Bug Fix: Don't track post status transitions to the identical post status.
5.1.1 - 2018-04-25 - Chris Jean & Timothy Jacobs
Enhancement: Allow for customizing access to the Application Passwords feature.
Misc: Added comment to prevent Tide from marking the plugin as not compatible with PHP 5.3.
Tweak: Differentiate between "Enforced Two-Factor" and "Configured Two-Factor" in User Security Check.
Bug Fix: Improve clearing of previous File Change file hashes.
Bug Fix: Internal links to a filtered logs page.
Bug Fix: Prevent duplicate "user-logged-in" log items when logging in with Two Factor.
Bug Fix: Prevent multiple session tokens from being created when logging in with Two Factor.
Bug Fix: Prevent missing provider information when logging a successful Two Factor authentication.
Bug Fix: Fixed incorrect detail text for Local Brute Force Protection on the Grade Report.
5.1.2 - 2018-05-02 - Chris Jean & Timothy Jacobs
Tweak: Two-Factor Flow: Allow the user to proceed after downloading or copying the backup codes without dismissing the notice.
Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
Tweak: File Change: Move "latest_changes" entry to a separate storage bucket to improve performance on large sites.
Bug Fix: Fix error on Multisite settings page when Two-Factor is not enabled.
Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password page.
Bug Fix: Fix clearing of previous file scan results.
Bug Fix: iThemes Licensing: Fixed the "View details" link failing to work properly after updating.
Bug Fix: iThemes Licensing: Fixed an issue that could cause data changes to not save properly on specific background page requests.
Bug Fix: iThemes Licensing: Added a compatibility fix to avoid conflicts with plugins that change the plugin_action_links filter value from an array to a string.
Compatibility Fix: iThemes Licensing: Updated handling of wp_remote_get() response due to changes documented in https://core.trac.wordpress.org/ticket/33055.
Enhancement: iThemes Licensing: Added ability to manage licensing from WP-CLI.
5.1.3 - 2018-05-03 - Chris Jean & Timothy Jacobs
Bug Fix: iThemes Licensing: Fixed fatal error that could occur when clicking the "View details" link for an available plugin update.
5.1.0 - 2018-04-19 - Chris Jean & Timothy Jacobs
New Feature: Add Two-Factor On-Board flow.
Enhancement: Support disabling enforced Two-Factor the first time a user logs in.
Enhancement: Introduced Login Interstitial framework to consolidate code between Password Requirements & Two Factor.
Bug Fix: Resolve warnings when upgrading file change settings.
Bug Fix: Allow read-only Application Passwords to make HEAD requests.
5.0.2 - 2018-04-17 - Chris Jean & Timothy Jacobs
Tweak: Move Online Files hashes to a separate storage setting to improve performance on sites with a large number of plugins or themes.
Tweak: Add description for File Change recovery related logs.
Tweak: Don't report removed files if the removal is caused by a new file extension being excluded.
Bug Fix: Improved detection of REST API requests on sites without a home dir.
Bug Fix: Improve File Change recovery system on high-traffic websites.
Bug Fix: Fix warnings on debug file change log items.
5.0.1 - 2018-04-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed a fatal error condition that could occur on the Grade Report page when specific combinations of manual roles for Two-Factor Protection > User Type Protection were selected.
5.0.0 - 2018-04-12 - Chris Jean & Timothy Jacobs
New Feature: Added Grade Report, a tool to identify security weaknesses on the site with options to fix the detected issues.
Bug Fix: Ensure all users with the `manage_options` capability are available when selecting contacts in the Notification Center.
Enhancement: Added minimal API for adding additional entries to the Security admin menu.
4.8.1 - 2017-02-08 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed schema issue with new logs table.
4.8.0 - 2017-02-08 - Chris Jean & Timothy Jacobs
Enhancement: Updated logging system to keep track of more information and have more options to filter and sort log entries.
Enhancement: Improved efficiency of File Change Detection scanning.
Enhancement: Added malware scan support for scanning all sites in a Multisite Network.
Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.
4.7.4 - 2017-01-29 - Chris Jean & Timothy Jacobs
New Feature: Online Files Comparison now supports WordPress.org plugins.
Enhancement: Add support for changing position of the Invisible reCAPTCHA badge.
Enhancement: Display user lockouts in Lockout Sidebar.
Tweak: Use the current site URL instead of the network URL when sending Two Factor Email codes.
Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
Bug Fix: Fixed method that could be used to discover hidden login slug on some sites.
Bug Fix: Hide Backend notifications not being properly sent when first enabled.
Bug Fix: Load translations on the plugins_loaded hook.
Bug Fix: Log logins with User Logging when logging in with Two Factor.
Bug Fix: Prevent login page being hidden when following the "Confirm Email Address" notification URL.
Bug Fix: Update to the REST API "Restricted Access" feature to protect against methods to work around the restricted access.