Wordpress Security Scan on File Upload Ithemes
The Best WordPress Security Plugin to Secure & Protect WordPress
On average, 30,000 websites are hacked every day. Every 39 seconds, a new cyberattack happens somewhere on the web.
The good news is that most security disasters can be prevented. Using iThemes Security, you can identify and stop attacks on your website, saving yourself the time and cost of repairing a hacked website.
Secure your Website in Minutes
The iThemes Security setup and onboarding experience is designed to allow anyone to secure their WordPress website in under 10 minutes, without needing a degree in cybersecurity.
Knowing that you have enabled all the right security settings for your website will leave you feeling like your site has never been more secure.
Security Site Templates to Fit Your Type of Site
An eCommerce site requires a different level of security than your average blog. iThemes Security Site Templates make it quick and easy to apply the correct security settings for your website.
Choose from six different site templates to apply the type of security your site needs:
1. Ecommerce – websites that sell products or services
2. Network – websites that connect people or communities
3. Non-Profit – websites that promote your cause and collect donations
4. Blog – websites that share your thoughts or start a conversation
5. Portfolio – websites that showcase your craft
6. Brochure – simple websites that promote your business
Real-Time Website Security Dashboard
Every day, lots of activity is happening on your website that you can't see. Many of these activities can be related to your site's security, so monitoring these events is vital to keeping your site secure.
The iThemes Security Pro plugin provides a real-time WordPress security dashboard that monitors security-related events on your site around the clock. The iThemes Security Dashboard is a dynamic dashboard with all your WordPress website's security activity stats in one place, including brute force attacks, banned users, active lockouts, site scan results, and user security stats (Pro).
WordPress Login Security
Secure your WordPress login with several layers of security
- Two-Factor Authentication (2FA) – Make your WordPress login nearly impenetrable to attack by requiring users to enter a security code along with a password to log in. The iThemes Security plugin allows you to add two-factor authentication to your WordPress login with several authentication methods, including mobile apps like Authy and Google Authenticator, email, and backup codes.
- Password Requirements – Create and enforce a password policy for your users in less than a minute.
- reCAPTCHA (Pro) – Stop bad bots from engaging in abusive activities on your website, such as attempting to break into your website using compromised passwords, posting spam, or even scraping your content.
- Passwordless Logins (Pro) – WordPress security made easy. Secure your user accounts with 2FA & strong passwords while allowing real users to log in with a click of a mouse.
- Trusted Devices (Pro) – Identify the devices you and other users use to block session hijacking attacks and limit Administrator privileges to Trusted Devices.
The Right Amount of Security for Every User Level
Different types of user levels require different levels of security. During the iThemes Security setup process, you can identify your website's key user groups. Once the different types of users are identified, you can apply the level of security that is just right for each user group.
Here are a couple of examples of how User Groups are useful for securing your site:
- For Clients – Let's say you are configuring iThemes Security on a client's website. You will decide whether or not they are required to use two-factor authentication and if they should have access to the iThemes Security settings.
- For Customers – If you have an eCommerce website, you will decide whether or not you want to protect customer accounts with a password policy.
Privilege Escalation (Pro) also adds a safe, secure way to grant temporary admin-level access to your website.
Block Bad Bots & Ban User Agents with Lockouts
- Ban Users – Permanently block repeat offenders from accessing your site.
- Local Brute Force Protection – Automatically identify and stop the most common method of attack on WordPress sites.
- Network Brute Force Protection – The network is the iThemes Security community and is over a million websites strong. If someone tries to break into websites in the iThemes Security community, iThemes Security will block them across the network.
- Magic Links (Pro) – Security shouldn't get in your way. Magic Links allow you to log in to your WordPress site while your username is locked out by the iThemes Security Local Brute Force Protection feature.
Monitor Your Site's Security Health
- File Change Detection – iThemes Security logs changes made to your website that can help detect malicious activity on your website.
- Site Scanner – Enable twice-daily checks for known vulnerabilities of WordPress core file, plugins and themes. Using the Google Safe Browsing API, the Site Scan also checks your Google blocklist status and will alert you if Google has found any malware on your website.
- Site Scanner (Pro) – Unlock Version Management to automatically apply a patch to vulnerable software detected by the Site Scan when one is available.
- User Logging (Pro) – Keep a record of user activity in your WordPress security logs, including login/logout, user registration, adding/removing plugins, switching themes, changes to posts and pages, and more.
- Version Management (Pro) – The Version Management feature in iThemes Security Pro allows you to auto-update WordPress, plugins, and themes. Beyond that, Version Management also has options to harden your website when you are running outdated software and scan for old websites.
Website Security Utilities
- Enforce SSL – Force all connections to the website to be made over SSL/TLS.
- Database Backups – Create backups of your WordPress database. (Not a complete backup.)
- Geolocation (Pro) – Improve Trusted Devices by connecting to an external location or mapping API.
Advanced Security Tools
- Identify Server IPs – Prevent issues caused by inadvertently locking out your server IPs.
- Change User ID 1 – Change the user ID for the first WordPress user.
- Change Database Prefix – Change the database prefix that WordPress uses.
- Check File Permission – See the file and directory permissions of key areas of your site.
- Server Config Rules – View or flush the server security rules generated by iThemes Security.
- wp-config.php Rules – View or flush the wp-config.php security rules generated by iThemes Security.
- Change WordPress Salts – Secure your site after a successful attack by changing the WordPress salts used to secure cookies and security tokens.
- Hide Login URL – The Hide Backend setting can change the login URL of your site.
Need Assistance?
Free support may be available with the community's help in the WordPress.org support forums (Note: this is community-provided support. iThemes does not monitor the WordPress.org support forums).
Our Help Center will help you become an iThemes Security expert.
Get added peace of mind with professional support from our expert team and pro features to take your site's security to the next level with iThemes Security Pro.
Recover From a Hacked Site
iThemes Security makes regular backups of your WordPress database, allowing you to get back online quickly in the event of a hack or security breach. Use iThemes Security to create and email database backups on a customizable schedule.
For complete site backups and the ability to restore or move WordPress to a new host or domain, check out BackupBuddy.
Translations
- Spanish by Andrew Kurtis
Please let us know if you would like to contribute a translation.
iThemes Sync Integration
Manage more than one WordPress site? Release lockouts and keep your themes, plugins, and WordPress core up to date from one dashboard with iThemes Sync Pro. Start your free trial of iThemes Sync Pro.
License
Released under the terms of the GNU General Public License.
Why does iThemes Security require the latest WordPress version? Can't I use a slightly older version?
- One of the best security practices for a WordPress site owner is keeping software up to date. Because of this, we only test this plugin on the latest stable version of WordPress and will only guarantee it works in the latest version.
Will this plugin completely stop all attacks on my site?
- No. iThemes Security is designed to help improve the security of your WordPress installation from many common attack methods, but it cannot prevent every possible attack. Nothing replaces diligence and good practice. This plugin makes it a little easier for you to apply both.
Is this plugin only for new WordPress installs or can I use it on existing sites, too?
- Many of the changes made by this plugin are complex and can break existing sites. While iThemes Security can be installed on either a new or existing site, we strongly recommend making a complete backup of your existing site before applying any features included in this plugin.
Will this plugin work on all servers and hosts?
- iThemes Security requires Apache or LiteSpeed and mod_rewrite or NGINX to work.
What changes does this plugin make that can break my site?
- iThemes Security makes significant changes to your database and other site files which can be problematic for existing WordPress sites. Again, we strongly recommend making a complete backup of your site before using this plugin. While problems are rare, most support requests involve the failure to make a proper backup before installation. DISCLAIMER: Under no circumstances do we release this plugin with any warranty, implied or otherwise. We cannot be held responsible for any damage that might arise from the use of this plugin.
- Fixing iThemes Security Lockouts
- What is Changed By iThemes Security
I think they put most of the features behind the paywall now so it's pretty useless compared to other plugins. The UI is AWFULLLLLLLL
It took 30 minutes search back and forth through old videos, guides and forum posts to find nothing but outdated and bad guides. One of the key reasons making it difficult is because under the lockout activities you can't remove the lockout. Another being, that under settings you can't find a "whitelist IP" because it is called "Authorized Hosts". I just needed to either undo/remove a lockout or whitelist an IP, apparently that is difficult to find. Then for those needing it, it is under settings > configure > Global Settings - And so you scroll downward.
Atrocious UI: After using this plugin for a long time on other sites, today I tried to setup a new site and install the plugin on it: I literally could not complete the setup! Currently, I have deactivated the plugin, waiting for a UI rework. Where the X is the skip-wizard-only-get-me-to-settings button??
I would love to give this plugin 5 stars but new UI is just terrible. Very complicated to setup and big step back for users who know how to work with the plugin.
If you need to downgrade WP, this plugin doesn't work anymore and there is no possibility to get an older and compatible version. You need to use another more flexible plugin
The old UI was grouped in easy to understand pages. Now we are FORCED into a cartoon themed wizard? And we are forced to provide at least one user for notifications? And you are now hiding settings? This went from Solid Gold to Cartoon Garbage.
Read all 3,896 reviews
"iThemes Security" is open source software. The following people have contributed to this plugin.
Contributors
8.1.1
- Bug Fix: Error when visiting the Notifications page after activating a module with notifications for the first time.
- Bug Fix: Update deprecated withState usages to useState.
8.1.0
- Important: iThemes Security now requires WordPress 5.8 or later.
- New Feature: Include the full iThemes Security Site Scanner in iThemes Security Free. Scheduled scans are disabled by default.
- Tweak: Add new "Get Pro" page that includes an overview of features in iThemes Security Pro.
- Bug Fix: Scroll to top of window when navigating.
- Bug Fix: Permit searching for Password Requirements.
- Bug Fix: Don't load WordPress and System Tweaks modules when the ITSEC_DISABLE_MODULES constant is enabled.
- Bug Fix: Prevent incidentally loading the Two-Factor module when it is unregistered.
- Bug Fix: Conditionally display the NGINX File Path setting.
- Bug Fix: Allow saving Notifications when "default recipients must contain at least 1 item" error is present.
- Bug Fix: Help styling on WordPress 5.9.
- Bug Fix: Compatibility with plugins that expected a logged-in user during lockouts.
8.0.2
- Enhancement: Reintroduce Feature Flags management UI.
- Tweak: Reposition "Advanced" and "Tools" menu items to be more readable on lengthy screens.
- Bug Fix: When the Change Admin User tool is run, update any User Groups referencing the old user id.
- Bug Fix: WordPress footer would appear in the middle of the logs page.
- Bug Fix: Add missing translation strings file.
8.0.1
- Bug Fix: Sites that did not support HTTPS, but had the SSL module active, but not configured, on upgrade would get redirected to the HTTPS version of the site.
- Bug Fix: Unregister the iThemes Security Two-Factor module when the Two-Factor Feature Plugin is enabled.
- Bug Fix: Permit activation on WordPress 5.7.0.
- Bug Fix: Add missing textdomains.
8.0.0
- Important: iThemes Security now requires WordPress 5.7 and PHP 7.0 or later.
- New: iThemes Security gets a redesigned interface focused on making it easier to configure and find what you're looking for. Read More: https://ithemes.com/?p=65086.
- New: Instantly search over everything in iThemes Security with a new instant search feature.
- New: Security Tools have been grouped into their own page. "Identify Server IPs" and "Security Check Pro" can be run manually without using Debug Mode.
- New: Relevant content from the Help Center, iThemes Blog, and iThemes YouTube channel is surfaced in a new Help area based on the current page. Click the "Help" button in the toolbar or the "Info" icon next to the page title to access it.
- New: The settings UI is now fully responsive and works great across mobile, tablet, and desktop devices.
- New: Two-Factor is now part of the core iThemes Security plugin.
- Enhancement: Improved keyboard and screen reader support.
- Enhancement: The Banned Users Card can add multiple bans at once.
- Tweak: Add a new Global setting to control "Automatically Temporarily Authorize Hosts".
- Tweak: When the Global setting "Hide Security Menu in Admin Bar" is enabled, notices will no longer be printed on non-iThemes Security pages. Instead, you can access the Message Center from the Settings or Dashboard toolbars.
- Tweak: The Database Backups module is no longer available if you have BackupBuddy installed. If this behavior isn't desired, enable the "ITSEC_ENABLE_BACKUPS" constant.
- Tweak: The Geolocation API configuration used by Trusted Devices has been moved into its own dedicated "Geolocation" module.
- Tweak: Move "Have I Been Pwned" integration to the Core plugin.
- Tweak: Reduce filename length and complexity for built CSS and JS files.
- Removed: The following modules have been removed: 404 Detection, Away Mode, Change Content Directory, and Multisite Tweaks.
- Removed: The following WordPress and System Tweaks have been removed: Remove Windows Live Writer Header, EditURI Header, Comment Spam, Mitigate Attachment File Traversal Attack, Protect Against Tabnapping, Filter Long URL Strings, Filter Non-English Characters, Filter Request Methods, Remove File Writing Permissions.
- Removed: The "Backup Full Database" setting has been removed from the Backups module.
- Removed: The "Require SSL", "Front End SSL Mode", and "SSL for Dashboard" settings have been removed from the SSL module.
- Bug Fix: Fix fatal errors when using PHP 8.
- Bug Fix: Fix infinite loop when restricting who can use App Passwords on multisite installs.
- Bug Fix: Ensure the ITSEC_Setup class does not exist before trying to load it. Display schema errors on multisite in the Network Admin.
- Bug Fix: Labels for Disable PHP Execution in Plugins and Themes were reversed.
- Bug Fix: Add missing constants to the debug page.
- Bug Fix: Remove deleted recipients when saving notifications.
- Bug Fix: Correct Site Scan statuses for scans with no issues.
- Dev Note: Modules are now based on a module.json configuration file. If you are registering a custom iThemes Security module, you should update it to include a module.json file that adheres to the core/module-schema.json JSON Schema.
- Dev Note: The Network Brute Force module had its folder updated to "network-brute-force" from "ipcheck".
- Dev Note: New Object Oriented API for creating Password Requirements.
- Dev Note: New Settings and Modules REST API endpoints.
- Dev Note: New RPC REST API namespace. There is no backward compatibility promise for these API endpoints.
7.9.1
- Security: Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
- Tweak: Add filters to short-circuit lock APIs.
- Tweak: Remove non-SSL fallbacks for Security Check Pro and Version Management.
- Bug Fix: Tweak checkbox styles.
- Bug Fix: Improved compatibility with WP Engine.
- Bug Fix: Pass the WP_Error object to the wp_login_failed hook.
- Bug Fix: Prevent wp_no_robots deprecation warning on WordPress 5.7.
7.9.0
- Important: iThemes Security requires WordPress 5.4 or later.
- Enhancement: Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
- Enhancement: Store the time a ban was added, and the lockout module responsible for the ban.
- Enhancement: Overwrite Restrict Content Pro's detected IP address with the IP detected by iThemes Security.
- Tweak: Disable SSL verification when performing the Security Check Loopback test. Some hosts can't properly verify loopback requests. This verification is unnecessary in this circumstance, and disabling SSL verification aligns iThemes Security with default WordPress loopback behavior.
- Bug Fix: PHP warnings when invalid entries are stored in the WordPress Cron storage.
- Bug Fix: Update the list of tables added to wpdb.
- Bug Fix: Remove default value for text columns. This caused an issue on MySQL 8 and is unnecessary.
- Bug Fix: Missing borders in the sidebar widgets on WordPress 5.5.
- Bug Fix: Notice actions didn't trigger when "Hide Admin Bar" is enabled.
- Bug Fix: Some users would be forced to choose a strong password twice in a row.
- Bug Fix: Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
- Bug Fix: Passwords Requirements compatibility with Restrict Content Pro.
- Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.
7.8.0
- New Feature: The new, improved WordPress Security Site Scan powered by iThemes checks if Google has detected malware and added your site to their threat list.
- Enhancement: Remove quick bans. Persist banned hosts to .htaccess or nginx.conf on an hourly schedule.
- Tweak: Cap banned hosts persisted to .htaccess or nginx.conf to the most recent 100. This number can be adjusted with the "itsec_ban_users_max_hosts_for_server_config" filter. Older banned hosts will be locked out after WordPress loads.
- Tweak: Ensure randomly generated passwords are considered strong by the Strong Passwords library.
- Tweak: Suggest a 32 character password when forcing a password change.
- Tweak: Change insensitive language to be more inclusive.
- Bug Fix: PHP warning when a user's email address is updated outside of the user edit admin page.
- Bug Fix: Fix login interstitials on WP Engine when using a front-end login form.
- Bug Fix: PHP warning when checking opaque tokens.
- Bug Fix: PHP warning after successfully connecting a site to iThemes Sync via the login connection flow.
- Bug Fix: File Change Security Message would not appear for new installs.
7.7.1
- Bug Fix: PHP warning when evaluating password requirements.
7.7.0
- Important: iThemes Security requires PHP 5.6 or greater and WordPress 5.2 or greater.
- New Feature: Save Time Securing WordPress With User Groups!
- New Feature: Simplified connection flow when setting up iThemes Sync.
- Enhancement: Add a warning if a WordPress Salt is set to an invalid value.
- Enhancement: Include child log items in the logs list table. These are helpful for debugging issues.
- Enhancement: Improve performance of the logs page on sites with large number of log items.
- Enhancement: Check tables exist after completing a DB upgrade.
- Tweak: When logging $_SERVER, only log a snapshot of available properties.
- Bug Fix: The "Multisite Tweaks -> Hide Updates" setting prevented auto-updates from running with WP Cron.
- Bug Fix: Backup event was not added when the WP Cron Scheduler was reset manually.
- Bug Fix: Admin Notices Popover was not being hidden when clicking outside the Popover on WP 5.3.
- Bug Fix: New Password Requirements for already created accounts were not enforced until the 2nd login.
- Bug Fix: Update admin notices styling to be compatible with WordPress 5.4.
- Bug Fix: Periodically clear expired opaque tokens.
- Bug Fix: Don't block registration page when "wp-signup.php" is the Hide Backend register slug.
- Bug Fix: Users with weak passwords would not be forced to change their password if the strong password requirement had been enabled after their password strength was checked.
- Bug Fix: Remove "get_magic_quotes()" call that existed for backwards compatibility with PHP versions 5.3 and earlier. This function call was causing a warning on PHP 7.4.
- Bug Fix: Warning when loading the settings page on PHP 7.4.
- Bug Fix: Warning when loading the debug page on PHP 7.4.
7.6.1
- Bug Fix: Properly notate that iThemes Security requires PHP 5.5 or greater.
7.6.0
- Breaking Change: iThemes Security requires PHP 5.5 or later.
- New Feature: iThemes Security now includes Security Check Pro to automatically and correctly determine your visitors' IP addresses. Enable this scan by running Security Check and opting in to Security Check Pro or activate the Security Check Pro module in Advanced Modules. H/t Jeremy Voisin
- Enhancement: Run Security Check Pro IP Detection automatically once a day.
- Enhancement: Manually re-run Security Check Pro IP Detection from the Global Settings page.
7.5.0
- Breaking Change: iThemes Security requires PHP 5.4 or later.
- Enhancement: New Lockout Template screen.
- Enhancement: Add confirmation button to Login Interstitial Async Actions when on a different device.
- Enhancement: Add filter to "Lookup IP" link.
- Developer Note: There were significant changes to the internals of the iThemes Security Lockout API in this release. If you are using the ITSEC_Lockout class directly, all the API functions will continue to work, but will emit deprecation notices when legacy behavior is being used. Please update any integrations.
- Bug Fix: Brute Force module reporting invalid logins using an email address incorrectly.
- Bug Fix: Improve lockout compatibility with caching plugins.
- Bug Fix: Fix admin notice not being dismissed due to a REST API route that was more narrowly defined than necessary.
- Bug Fix: Admin Notices list did not refresh after dismissing a notice.
- Bug Fix: Strong Passwords zxcvbn Library was not evaluating penalty strings correctly.
- Bug Fix: Fix PHP warning if there are multiple detected proxy headers.
7.4.1
- Enhancement: New iThemes Sync Verb support for File Change.
- Tweak: Add additional data about the login attempt when calling the Network Brute Force API.
- Bug Fix: Hide Backend Bypass.
- Bug Fix: Strict Standards error during Sync request.
- Bug Fix: wp_die() if a login interstitial session fails to be created instead of throwing a fatal error.
7.4.0
- New: iThemes Security Admin Notices are now conveniently located in the new Security Messages Menu. Check your notices in the Security menu on the WordPress Admin Bar.
- Enhancement: Add Security Message when a Notification Center email fails to send.
- Enhancement: Replace Trace IP with IP Tracker Online.
- Tweak: Remove 'DELETE' method from "System Tweaks -> Filter Request Methods"
7.3.3
- Bug Fix: Hide backend bypass.
7.3.2
- Tweak: Allow the log description column to word break for URLs or other strings with no spaces.
- Bug Fix: Hide Backend bypass on certain Apache configurations.
- Bug Fix: Properly return error that occurs during a backup.
- Bug Fix: Regex warning on PHP 7.3 in the File Change module.
- Bug Fix: Resolve warning when a user is set to "No Role".
7.3.1
- Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.
- Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script when available to prevent new pop-up blocker behavior from killing the links.
7.3.0
- Enhancement: Add Per-Content SSL toggle to the upcoming Block Editor interface.
- Enhancement: Add filter to the recipients list for email notifications: "itsec_notification_{$notification}_email_recipients" and "itsec_notification_email_recipients".
- Enhancement: Add define "ITSEC_DISABLE_TEMP_WHITELIST" to disable the Temporary IP Whitelisting for logged-in administrators.
- Enhancement: Improve redirecting after processing a login interstitial from a front-end login form.
- Enhancement: Add loopback IP detection to Security Check.
- Enhancement: Discover Server IPs in Security Check.
- Tweak: Add additional safety checks when writing to system config files. This will log a "Critical Issue" when the writing of an empty or partial config file is detected and prevented.
- Tweak: Improve File Change locking to help prevent failing scans on sites with inconsistent cron scheduling.
- Tweak: Improve "System Tweaks – Suspicious Query Strings – SQLI" to reduce false positives.
- Tweak: Improve "System Tweaks – Disable PHP" to block PHP files in Apache configurations that serve files with a trailing dot.
- Tweak: Remove "Seznam Bot" from HackRepair List as it isn't present in the latest version.
- Bug Fix: Include Hide Backend token when emailing a password reset URL.
- Bug Fix: Notification Center – Only send notifications to users with an exact role match of selected roles instead of a fuzzy match based on selected capabilities.
- Bug Fix: Error when trying to edit reusable blocks with per-post SSL enabled.
- Bug Fix: Resolve warnings on PHP 5.2.
7.2.0
- Enhancement: Allow for selecting the particular Proxy header a server is configured to use. Improve the language to indicate the importance of configuring this setting. H/t Filippo Cavallarin CEO at wearesegment.com
- Enhancement: Block access to git and svn repositories when System Tweaks -> Protect System Files is enabled.
- Tweak: Update jQuery Validation library to 1.17.0
- Bug Fix: Improve detection of blocking the File Change Scan from being scheduled if one is already being run.
- Bug Fix: Prevent infinite recursion error when trying to access directories outside of the allowed file tree.
7.1.0
- New Feature: Allow for globally setting recipients for admin-targeted notifications. All new notifications will default to the recipients in this list. Notifications can be set to use the default list or switch to a custom list.
- Enhancement: Added a setting to enable/disable the Grade Report feature of Pro.
- Tweak: Check if an IP is blacklisted on page load for compatibility with servers that cannot process server configuration level bans immediately.
- Tweak: Display a time diff until the next event on the Debug page.
- Tweak: Use Logging API for tracking Notification Center errors.
- Tweak: Register Scheduler Events whenever the plugin build changes.
- Tweak: Allow for filtering logs by any module recorded.
- Tweak: Account for 3rd-party Backup Plugin in Security Check.
- Bug Fix: 404 detection for plugins that mark is_404 later in the hook sequence.
- Bug Fix: REST API Protection blocked the Taxonomies route for all users.
- Bug Fix: Account for any CLI PHP SAPI instead of just WP-CLI in the SSL Module.
- Bug Fix: Fixed how the Grade Report enable/disable status is stored to fix admin page loading issues on some sites.
- Bug Fix: Fix serialization of closure error when a plugin registering a hook with a closure is in the boot-up stack and the notification center is triggered too early in the cycle.
7.0.4
- Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
- Tweak: Fire a WordPress action whenever settings are updated.
- Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.
7.0.3
- Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
- Bug Fix: Provide default values for enabled requirements.
7.0.2
- Enhancement: Add UI to cancel in progress File Scan.
- Enhancement: Add basic admin debug page to help diagnosing and resolving issues. Particularly with the events.
- Enhancement: Add debug settings JSON editor.
- Enhancement: Continually evaluate password strength for users instead of only during registration.
- Enhancement: Introduce Password Requirements module for managing and enforcing password requirements.
- Bug Fix: Accessing password requirement settings would not resolve properly in some instances.
- Bug Fix: Away Mode would not lock out users who were already logged-in during the "away" period.
- Bug Fix: Enforce the Strong Passwords requirement during Security Check.
- Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
- Bug Fix: If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
- Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
- Bug Fix: Password strength would not be evaluated if password was set using custom PHP or CLI commands.
- Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
- Bug Fix: Remove distributed storage table on uninstall.
- Tweak: Don't write to the tracked files setting if the file hash has not changed.
- Tweak: If no last password change date is recorded for the user, treat their registration date as the last change date.
7.0.1
- Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
- Bug Fix: Skip recovery if File Change storage is empty.
7.0.0
- New Feature: Added support for the new WordPress privacy features.
- Enhancement: Added minimal API for adding additional entries to the Security admin card.
- Enhancement: File Change Scan uses a new batching mechanism to prevent crashing on hosts but still generating only 1 report per-day.
- Enhancement: Introduce Distributed Storage framework for reducing the amount of data stored in the WordPress options table. This should improve performance for large sites using File Change.
- Enhancement: Introduced Login Interstitial framework to consolidate code between Password Requirements & 2 Factor.
- Bug Fix: Added ability to show object data for classes that are not loaded to the Logs page.
- Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings feature in order to avoid blocking privacy export/erasure request confirmations.
- Bug Fix: Ensure all users with the manage_options capability are available when selecting contacts in the Notification Center.
- Bug Fix: Fix clearing of previous file scans results.
- Bug Fix: Fix warnings on debug file change log items.
- Bug Fix: Fixed logging system references to "fatal-error" that should be "fatal".
- Bug Fix: Improve File Change recovery system on high-traffic websites.
- Bug Fix: Improve clearing of previous File Change file hashes.
- Bug Fix: Improved detection of REST API requests on sites without a home dir.
- Bug Fix: Internal links to a filtered logs page.
- Bug Fix: Prevent PHP warning about converting an array to a string when adding notification data.
- Bug Fix: Prevent PHP warning when completing database backups that are not emailed to any recipients.
- Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password page.
- Bug Fix: Resolve warnings when upgrading file change settings.
- Minor: File Scan "chunk" option is removed.
- Minor: Make recovering file scan log smaller.
- Minor: Page Load Scheduler: Unschedule single events before running them. This mirrors the behavior of the WP Cron scheduler.
- Minor: Security Digest now includes all lockouts that have occurred since the last email.
- Minor: Shrink storage size of file scans.
- Minor: Specifying a manual file scan list has been removed.
- Minor: Track raw memory used by the file change scanner as well.
- Minor: Updated list of File Change excluded file types to include more media extensions.
- Misc: Added comment to prevent Tide from marking the plugin as not compatible with PHP 5.3.
- Tweak: Add description for File Change recovery related logs.
- Tweak: Don't report removed files if the removal is caused by a new file extension being excluded.
- Tweak: File Change: Move "latest_changes" entry to a separate storage bucket to improve performance on large sites.
- Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
6.9.2
- Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
- Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
- Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
6.9.1
- Security Fix: Fixed display of unescaped data on logs page.
- Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
- Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
6.9.0
- Enhancement: Updated logging system to keep track of more data and have more options to filter and sort log entries.
- Enhancement: Improved efficiency of File Change Detection scanning.
- Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.
6.8.1
- Enhancement: Display user lockouts in Lockout Sidebar.
- Bug Fix: Load translations on the plugins_loaded hook.
- Bug Fix: Fixed method that could be used to detect hidden login slug on some sites.
- Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
- Bug Fix: Update to the REST API "Restricted Access" feature to protect against methods to work around the restricted access.
- Bug Fix: Prevent login page being hidden when following the "Confirm Email Address" notification URL.
- Bug Fix: Hide Backend notifications not being properly sent when first enabled.
6.8.0
- New Feature: Introduces a scheduling framework for handling events. Cron is now used by default, and will switch to using an alternative scheduling system if it detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your wp-config.php file.
- Important: The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have been deprecated. Use ITSEC_USE_CRON instead.
- Enhancement: Preserve notification settings when the responsible module is deactivated.
- Bug Fix: Process 404 lockouts on the 'wp' hook to prevent a headers have already been sent warning message.
- Bug Fix: Ensure Hide Backend emails are properly sent when activating Hide Backend before saving the Notification Center for the first time.
- Bug Fix: Prevent warning from being issued on new installs by allowing previous settings to be preserved if they exist.
- Bug Fix: Better handle WP_Error objects in mail errors that occurred before updating to first patch release.
- Bug Fix: A non static method was being called statically.
- Bug Fix: Fix occasional duplicate backups and file scans.
- Bug Fix: Fixed issue where scheduled events could repeat on sites that do not properly support WordPress's cron system.
- Bug Fix: Reactivating Away Mode now replaces the active file if you had previously removed it.
- Bug Fix: Ensure lockouts take effect immediately, even on systems where changes to server configuration files do not take effect immediately.
6.7.0
- New Feature: Introduces the Notification Center, a centralized place to manage and customize email notifications sent by iThemes Security.
- Enhancement: Updated queries and prepare statements to account for changes to the esc_sql() function in WordPress 4.8.3.
- Bug Fix: Corrected some Javascript and CSS links not generating correctly on Windows servers.
6.6.1
- Bug Fix: Fixed SQL query bug that resulted in the "Minutes to Remember Bad Login (check period)" setting being ignored.
- Bug Fix: Fixed bug that prevents wp-admin/install.php blocking from working properly on nginx servers.
- Bug Fix: Don't attempt to do an SSL redirect when WP CLI is running.
6.6.0
- New Feature: Added a new setting in WordPress Tweaks: "Login with Email Address or Username".
- Enhancement: Host email images from the plugin instead of relying on iThemes servers to help keep email clients from marking messages as spam or blocking images.
- Bug Fix: Error when searching for modules preventing modules from appearing.
- Bug Fix: Use the wp_options table when acquiring locks in Multisite.
- Bug Fix: Prevent duplicate daily digest emails on sites with high load.
- Misc: Added Magic Links, a new Pro-only feature, to be activated by Security Check.
- Misc: Rearranged modules to be listed alphabetically.
6.5.1
- Bug Fix: Fixed logical error that prevented backups from executing.
- Bug Fix: Fixed issue that could cause database locks to flood the database.
6.5.0
- Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
- Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP directly.
- Enhancement: Enabling SSL support will only log you out if you are not already on an https connection.
- Enhancement: Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
- Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
- Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
- Bug Fix: Fixed way to work around Hide Backend on some hosts.
6.4.0
- Enhancement: Replaced file locking with database locking. This method of locking is compatible with all systems as it does not require the ability to write files. It also allows for locking to work on sites that have multiple front-end servers with a shared database. Since file locking is no longer used, the Global Settings > Disable File Locking setting was removed.
- Enhancement: Add "Copy to Clipboard" functionality for server and wp-config rules.
- Bug Fix: Prevent 404s when following links in email notifications on a site with Hide Backend enabled.
- Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
- Bug Fix: Fixed method of working around Hide Backend.
- Bug Fix: Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
6.3.0
- Important: The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desirable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of 1 hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
- New Feature: Added support for iThemes Sync to run the Security Check feature from inside the Sync service.
- New Feature: Added support for the ITSEC_DISABLE_MODULES define.
- Bug Fix: Removed warning: "Non-static method ITSEC_Setup::uninstall() should not be called statically".
- Bug Fix: Fixed the ability to manually enter a page number to navigate to on the Security > Logs page.
- Bug Fix: Fixed source of warning that could appear when creating a backup while running a PHP version less than 5.4.
- Bug Fix: Fixed source of notice that could appear when resetting a user's password when the Strong Passwords Enforcement feature is enabled.
- Bug Fix: Fixed bugs that prevented reporting of specific error messages related to updating the wp-config.php file.
- Bug Fix: Fixed an infinite loop that could occur when expiring a cookie and Hide Backend is enabled.
- Bug Fix: Fixed compatibility issue with the Jetpack plugin when Hide Backend is enabled which could prevent Jetpack from redirecting users to the wordpress.com login page.
- Bug Fix: Fixed issue where access to wp-admin/admin-post.php when Hide Backend is enabled.
- Bug Fix: Fixed issue that could prevent "Register" and "Lost your password?" links from working properly on the login page when Hide Backend is enabled.
- Bug Fix: Fix fatal error when updating a profile.
- Bug Fix: Fix strong passwords not being recognized as strong on the profile page.
- Bug Fix: Fix fatal error when registering a new user without specifying a role ( iThemes Exchange ).
- Bug Fix: Compatibility with JetPack SSO and Password Requirements.
- Bug Fix: Ensure viewport meta is defined when loading the password requirements update password form.
- Bug Fix: Hide Backend is now compatible with Jetpack Single Sign On.
- Bug Fix: Hide Backend now hides registration pages on multisite sites.
- Bug Fix: Fixed password-protected posts not properly handling the password when Hide Backend is enabled.
- Enhancement: Removed AhrefsBot from the HackRepair blacklist as they are a legitimate bot.
- Enhancement: Improved efficiency of Hide Backend code, increasing site performance when the feature is enabled.
- Enhancement: Enforce strong passwords during log-in. Can be disabled via the ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
- Enhancement: Use canonical roles library to decide if a new user or an updated role requires a strong password.
- Enhancement: Introduce password requirements module to centralize handling of password updates.
- Enhancement: The Hide Backend hidden login URL is no longer leaked by password-protected content.
- Enhancement: Allow for searching through modules and settings.
- Enhancement: Link to other module settings pages without forcing the page to refresh.
- Enhancement: Fire an action, "itsec_change_admin_user_id", when the admin user id changes.
- Enhancement: Changed default Hide Backend Register Slug from wp-register.php to wp-signup.php since WordPress switched from using wp-register.php to wp-signup.php for registrations. This will not affect existing sites.
- Enhancement: Hide Backend functions purely in PHP code now rather than relying half on PHP code and half on .htaccess and nginx.conf modifications. This allows Hide Backend to function on web servers and server configurations that it was previously not compatible with.
- Misc: Updated or added phpDoc to many functions.
- Misc: Updated Disable File Locking description.
6.2.1
- Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
- Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
- Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.
6.2.0
- Enhancement: Improved plugin performance by reducing the number of queries made on each page.
- Enhancement: Reduced memory and CPU usage due to various code improvements.
- Bug Fix: A database backup will no longer be created when first activating the plugin.
- Bug Fix: Added compatibility for MySQL strict mode in database creation syntax.
- Bug Fix: Removed warning about a "non well formed numeric value encountered" in PHP 7.1.
- Bug Fix: Modifications to wp-config.php, .htaccess, and nginx.conf files are now properly re-added upon reactivation.
- Bug Fix: Fixed full settings for Hide Backend being displayed after disabling the feature and saving the settings.
- Bug Fix: Enabling or disabling the Hide Backend feature will update the "Log Out" link so that it works as expected without having to load a new page.
- Bug Fix: Enabling or disabling the Hide Backend feature now properly updates the .htaccess/nginx.conf file on enable and disable rather than at some future point.
- Bug Fix: Fixed issue that could cause improper database table creation on multisite sites.
- Bug Fix: Fixed a bug that could prevent settings from saving properly if the site was migrated to a new server or a new home path on the server.
6.1.1
- Bug Fix: Fixed bug that prevented Away Mode from activating on some sites.
6.1.0
- Enhancement: Added logging for failed two-factor, OAuth, and REST API authentications.
- Enhancement: Added logging details about the source of login failures and the type of authentication that failed.
- Enhancement: Due to improvements in tracking authentication failures, brute force attempts using alternate authentication methods are more reliably found and blocked.
- Enhancement: The server's IP is treated as whitelisted and will not be considered for lockouts or bans.
- Enhancement: Reduced memory usage when creating a backup.
- Enhancement: Changed log entry description of "IP Flagged as bad by iThemes IPCheck" to "IP Flagged by Network Brute Force Protection". This should help clarify the meaning of the log entry.
- Enhancement: Improved efficiency of the Network Brute Force Protection feature.
- Bug Fix: Fixed bug that prevented Network Brute Force Protection from working properly on some sites.
6.0.0
- Bug Fix: Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
- Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
- Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".
5.9.0
- New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
5.8.1
- Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
5.8.0
- Enhancement: Updated the lockouts notification email to a new design. This new design also cleaned up the translation strings to allow better translations.
- New Feature: Added a "Protect Against Tabnapping" feature in the WordPress Tweaks section. Details of what this feature protects against can be found here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
- Misc: Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.
5.7.1
- Bug Fix: Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
- Bug Fix: Fixed the link for a user in the logs page so that it properly works on sites that are within a subdirectory.
- Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
- Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
- Enhancement: Improved the logic for determining the requesting IP address to better handle situations where the site is behind a reverse proxy.
- Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
- Enhancement: All links in Security that have target="_blank" now have added rel attributes to protect against tabnapping.
- Misc: Updated remaining ip-lookup.net links to instead link to traceip.net in keeping with other links that were previously updated to traceip.net.
5.7.0
- Bug Fix: Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
- Bug Fix: Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
- Bug Fix: Removed redundant entries in the HackRepair blacklist.
- Bug Fix: Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting can block installation of a site in a subdirectory.
- Bug Fix: Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
- Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
- Bug Fix: Replaced static references to wp-includes with the WPINC define.
- Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
- Bug Fix: Added escaping to some translation strings.
- Bug Fix: Removed unused files from the WordPress Tweaks module directory.
- Bug Fix: Fixed the Daily Digest email reversing the user and host lockout counts.
- Bug Fix: The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This will fix the mail being blocked by some mail servers due to a spoofed from address.
- Enhancement: Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
- Enhancement: Updated the database backup email to a new design.
- Enhancement: Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is because the DELETE HTTP method is blocked when the setting is enabled.
- New Feature: Added setting to block requests for PHP files in the plugins directory in System Tweaks.
- New Feature: Added setting to block requests for PHP files in the themes directory in System Tweaks.
5.6.4
- Bug Fix: Fixed issue that reported invalid counts for host and user lockouts in the daily digest email.
- Bug Fix: Fixed issue that caused the daily digest email to be sent every day, even if no lockouts occurred and no file changes were found.
- Bug Fix: Fixed issue that could prevent saving of File Change settings, resulting in an error message of "A validation function for file-change received data that did not have the required entry for latest_changes."
- Bug Fix: Fixed iThemes Security Pro logo appearing in daily digest emails.
5.6.3
- Bug Fix: Removed the "Wget" user agent from the Hack Repair blacklist as it can block wp-cron jobs on some hosts.
- Bug Fix: Fixed error "PHP message: PHP Fatal error: 'continue' not in the 'loop' or 'switch' context".
- Enhancement: Added new Daily Digest email design.
5.6.2
- Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
- Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
- Bug Fix: The Security > Security Check link now works as expected in multisite.
- Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
- Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
- Bug Fix: Corrected a settings description typo in Global Settings.
- Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
- Misc: Added placeholder for the Version Management module of iThemes Security Pro.
- Misc: Updated build number to trigger some updates.
5.6.1
- Bug Fix: Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
- Bug Fix: Prevented some notices from displaying to users who do not need to see them.
- Bug Fix: Limited notices to only display on specific pages on the dashboard.
- Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
- Code Cleanup: Removed legacy code that is no longer needed.
- Enhancement: Started tracking when a user was last seen as logged in and active for future use.
- Misc: Added a placeholder for the Pro feature "User Security Check".
5.6.0
- New Feature: Added a new Security Check section on the settings page. This new feature adds a tool to quickly ensure that the recommended features are enabled and the recommended settings are used.
- Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
- Enhancement: The "Ban Lists" setting of Banned Users is now enabled by default.
Source: https://wordpress.org/plugins/better-wp-security/