iThemes Security Pro

iThemes Security Pro 5.9.5

5.8.0 - 2019-02-13 - Chris Jean & Timothy Jacobs
New Feature: Add "Click to Continue" button to email Two-Factor method to simplify usage.
Enhancement: Don't require logging in again after overriding Two-Factor in Sync in mid-login.
Enhancement: Improve redirecting after processing a login interstitial from a front-end login form.
Tweak: Add display description for log when safeguarding against an empty config file write.
Bug Fix: Include Hide Backend token when emailing a password reset URL.
Bug Fix: Duplicate key error when consolidating Dashboard Events.
Bug Fix: Fix Recaptcha opt-in CSS not always loading.

5.9.0 - 2019-02-19 - Chris Jean & Timothy Jacobs
New Feature: A new dashboard widget powered by the iThemes Security Dashboard.
Bug Fix: Prevent "headers already sent" warning when logging in with the Two-Factor email method on certain systems.
Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script when available to prevent new pop-up blocker behavior from killing the links.

5.9.1 - 2019-02-20 - Chris Jean & Timothy Jacobs
Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.
Bug Fix: Error on the WordPress dashboard screen when the Security Dashboard module does not completely load.

5.9.2 - 2019-02-20 - Chris Jean & Timothy Jacobs
Bug Fix: Load new dashboard widget on Multisite network admin dashboard properly.

5.9.3 - 2019-03-12 - Chris Jean & Timothy Jacobs
Important: Replace Google QR Code API with an iThemes Security hosted solution. Google's API will be shut down on March 14th, 2019. If you'd like to generate QR codes locally, a plugin is available in the members panel under "Plugins": iThemes Security - Local QR Code.
Enhancement: Add support for deleting dashboards.
Enhancement: Order cards in the dashboard widget in the same order as the mobile breakpoint in the Security Dashboard.
Enhancement: New WP-CLI command for retrieving, releasing and creating lockouts.
Tweak: Improve dashboard a11y.
Tweak: Improve dashboard performance by decreasing the bundle size, improving cache stability, and async loading less used libraries.
Tweak: Allow the log description column to word break for URLs or other strings with no spaces.
Bug Fix: Hide Backend bypass on certain Apache configurations.
Bug Fix: Properly return error that occurs during a backup.
Bug Fix: Regex warning on PHP 7.3 in the File Change module.
Bug Fix: Resolve warning when a user is set to "No Role".
Bug Fix: Removing the last role or user from a shared dashboard would not work.

5.9.4 - 2019-03-22 - Chris Jean & Timothy Jacobs
Bug Fix: Hide backend bypass.

5.9.5 - 2019-05-06 - Chris Jean & Timothy Jacobs
Bug Fix: For WordPress 5.2 installs, prevent updating a plugin via Grade Report if the new plugin update has PHP version requirements that are not met.

5.7.0 - 2019-01-16 - Chris Jean & Timothy Jacobs
New Feature: reCAPTCHA v3 support. Can toggle between loading the API on all pages (recommended) or only the required pages. Adjust the Block Threshold from the recommended default of "0.5" based on the data in the Google reCAPTCHA console.
New Feature: On page reCAPTCHA opt-in to allow users to agree to Google's ToS without refreshing the page.

5.1.4 - 2018-05-22 - Chris Jean & Timothy Jacobs
Enhancement: The number of users listed in the User Security Check model is now limited to 20 by default. This can be modified by using the itsec_user_security_check_users_per_page filter.
Enhancement: Introduce Distributed Storage framework for reducing the amount of data stored in the WordPress options table. This should improve performance for large sites using File Change.

5.2.0 - 2018-05-24 - Chris Jean & Timothy Jacobs
New Feature: Added support for the new WordPress privacy features.
Enhancement: Removed sending the remote_ip argument to Google's reCAPTCHA server as it reduces the amount of personal information that is sent.
Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings feature in order to avoid blocking privacy export/erasure request confirmations.

5.2.1 - 2018-05-24 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed "Cannot modify header information - headers already sent" warning issue that could happen when using reCAPTCHA on sites that add customizations to the login page.
Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
Bug Fix: Skip recovery if File Change storage is empty.

5.2.2 - 2018-05-31 - Chris Jean & Timothy Jacobs
Enhancement: Add UI to cancel in progress File Scan.
Enhancement: Improved rendering of the Grade Report grade pie chart on HiDPI screens.
Enhancement: Include current grade in the Security Digest.
Tweak: Don't write to the tracked files setting if the file hash has not changed.
Tweak: Exclude File Change storage settings from Importer/Exporter.
Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
Bug Fix: Away Mode would not lock out users who were already logged-in during the "away" period.
Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
Bug Fix: Issue with Importing settings when File Change is active.

5.3.0 - 2018-06-07 - Chris Jean & Timothy Jacobs
New Feature: Integration with Have I Been Pwned to prevent users from using passwords found in data breaches.
Enhancement: Introduce Password Requirements module for managing and enforcing password requirements.
Enhancement: Continually evaluate password strength for users instead of only during registration.
Enhancement: Add basic admin debug page to help diagnose and resolve issues, particularly with the events.
Bug Fix: Password strength would not be evaluated if password was set using custom PHP or CLI commands.
Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
Bug Fix: Ensure Grade Report instructions in the Security Digest are accurate when the Grade score is capped.

5.3.1 - 2018-06-11 - Chris Jean & Timothy Jacobs
Enhancement: Only pre-select Two-Factor methods during on-board process if the user requires Two-Factor. This should help prevent users from rolling through the on-board process too quickly.
Enhancement: Show if a "force password change" is in-effect and allow for the change to be removed.
Enhancement: Add debug settings JSON editor.
Tweak: If no last password change date is recorded for the user, treat their registration date as the last change date.
Bug Fix: If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
Bug Fix: Remove distributed storage table on uninstall.
Bug Fix: Don't display backup Two-Factor method form if it is not available to the user. Previously it would only be prevented from being submitted.

5.3.2 - 2018-06-12 - Chris Jean & Timothy Jacobs
Bug Fix: Accessing password requirement settings would not resolve properly in some instances.

5.3.3 - 2018-06-18 - Chris Jean & Timothy Jacobs
Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
Tweak: Recommend Strong Passwords and Refuse Compromised Passwords in the Grade Report.
Bug Fix: Provide default values for enabled requirements.

5.3.4 - 2018-06-27 - Chris Jean & Timothy Jacobs
Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
Tweak: Display the subject line of the Two-Factor Email when logging in.
Tweak: Fire a WordPress action whenever settings are updated.
Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.
Bug Fix: Don't track post status transitions to the identical post status.

5.1.1 - 2018-04-25 - Chris Jean & Timothy Jacobs
Enhancement: Allow for customizing access to the Application Passwords feature.
Misc: Added comment to prevent Tide from marking the plugin as not compatible with PHP 5.3.
Tweak: Differentiate between "Enforced Two-Factor" and "Configured Two-Factor" in User Security Check.
Bug Fix: Improve clearing of previous File Change file hashes.
Bug Fix: Internal links to a filtered logs page.
Bug Fix: Prevent duplicate "user-logged-in" log items when logging-in with Two Factor.
Bug Fix: Prevent multiple session tokens from being created when logging-in with Two Factor.
Bug Fix: Prevent missing provider information when logging a successful Two Factor authentication.
Bug Fix: Fixed incorrect detail text for Local Brute Force Protection on the Grade Report.

5.1.2 - 2018-05-02 - Chris Jean & Timothy Jacobs
Tweak: Two-Factor Flow: Allow the user to proceed after downloading or copying the backup codes without dismissing the notice.
Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
Tweak: File Change: Move "latest_changes" entry to a separate storage bucket to improve performance on large sites.
Bug Fix: Fix error on Multisite settings page when Two-Factor is not enabled.
Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password page.
Bug Fix: Fix clearing of previous file scan results.
Bug Fix: iThemes Licensing: Fixed the "View details" link failing to work properly after updating.
Bug Fix: iThemes Licensing: Fixed an issue that could cause data changes to not save properly on specific background page requests.
Bug Fix: iThemes Licensing: Added a compatibility fix to avoid conflicts with plugins that change the plugin_action_links filter value from an array to a string.
Compatibility Fix: iThemes Licensing: Updated handling of wp_remote_get() response due to changes documented in https://core.trac.wordpress.org/ticket/33055.
Enhancement: iThemes Licensing: Added ability to manage licensing from WP-CLI.

5.1.3 - 2018-05-03 - Chris Jean & Timothy Jacobs
Bug Fix: iThemes Licensing: Fixed fatal error that could occur when clicking the "View details" link for an available plugin update.

5.1.0 - 2018-04-19 - Chris Jean & Timothy Jacobs
New Feature: Add Two-Factor On-Board flow.
Enhancement: Support disabling enforced Two-Factor the first time a user logs-in.
Enhancement: Introduced Login Interstitial framework to consolidate code between Password Requirements & Two Factor.
Bug Fix: Resolve warnings when upgrading file change settings.
Bug Fix: Allow read-only Application Passwords to make HEAD requests.

5.0.2 - 2018-04-17 - Chris Jean & Timothy Jacobs
Tweak: Move Online Files hashes to a separate storage setting to improve performance on sites with large number of plugins or themes.
Tweak: Add description for File Change recovery related logs.
Tweak: Don't report removed files if the removal is caused by a new file extension being excluded.
Bug Fix: Improved detection of REST API requests on sites without a home dir.
Bug Fix: Improve File Change recovery system on high-traffic websites.
Bug Fix: Fix warnings on debug file change log items.

5.0.1 - 2018-04-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed a fatal error condition that could occur on the Grade Report page when specific combinations of manual roles for Two-Factor Protection > User Type Protection were selected.

5.0.0 - 2018-04-12 - Chris Jean & Timothy Jacobs
New Feature: Added Grade Report, a tool to identify security weaknesses on the site with options to fix the detected issues.
Bug Fix: Ensure all users with the `manage_options` capability are available when selecting contacts in the Notification Center.
Enhancement: Added minimal API for adding additional entries to the Security admin menu.

4.8.2 - 2018-02-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed "undefined offset" error when displaying specific migrated old log entries.

4.8.3 - 2018-02-12 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed issue that could cause login attempts to bypass recaptcha protection.

4.8.1 - 2017-02-08 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed schema issue with new logs table.

4.8.0 - 2017-02-08 - Chris Jean & Timothy Jacobs
Enhancement: Updated logging system to keep track of more information and have more options to filter and sort log entries.
Enhancement: Improved efficiency of File Change Detection scanning.
Enhancement: Added malware scan support for scanning all sites in a Multisite Network.
Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.

4.7.4 - 2017-01-29 - Chris Jean & Timothy Jacobs
New Feature: Online Files Comparison now supports WordPress.org plugins.
Enhancement: Add support for changing position of the Invisible Recaptcha badge.
Enhancement: Display user lockouts in Lockout Sidebar.
Tweak: Use the current site URL instead of the network URL when sending Two Factor Email codes.
Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
Bug Fix: Fixed method that could be used to discover hidden login slug on some sites.
Bug Fix: Hide Backend notifications not being properly sent when first enabled.
Bug Fix: Load translations on the plugins_loaded hook.
Bug Fix: Log logins with User Logging when logging in with Two Factor.
Bug Fix: Prevent login page being hidden when following the "Confirm Email Address" notification URL.
Bug Fix: Update to the REST API "Restricted Access" feature to protect against methods to work around the restricted access.