iThemes Security (formerly Better WP Security) - Version 6.5.0

Version Description

  • Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
  • Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP directly.
  • Enhancement: Enabling SSL support will only log you out if you are not already on an https connection.
  • Enhancement: Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
  • Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
  • Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
  • Bug Fix: Fixed way to work around Hide Backend on some hosts.

Release Info

Developer chrisjean
Version 6.5.0

Code changes from version 6.4.0 to 6.5.0

better-wp-security.php CHANGED
@@ -6,7 +6,7 @@
6
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
7
  * Author: iThemes
8
  * Author URI: https://ithemes.com
9
- * Version: 6.4.0
10
  * Text Domain: better-wp-security
11
  * Network: True
12
  * License: GPLv2
6
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
7
  * Author: iThemes
8
  * Author URI: https://ithemes.com
9
+ * Version: 6.5.0
10
  * Text Domain: better-wp-security
11
  * Network: True
12
  * License: GPLv2
core/admin-pages/js/script.js CHANGED
@@ -571,6 +571,10 @@ var itsecSettingsPage = {
571
 
572
  var $window = jQuery( window ), height = $window.height(), width = $window.width(), offset = $el.offset();
573
 
 
 
 
 
574
  return offset.top < height && offset.left < width;
575
  },
576
 
571
 
572
  var $window = jQuery( window ), height = $window.height(), width = $window.width(), offset = $el.offset();
573
 
574
+ if ( ! $el ) {
575
+ return false;
576
+ }
577
+
578
  return offset.top < height && offset.left < width;
579
  },
580
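Review bot: the new `if ( ! $el ) { return false; }` guard at lines 574-576 runs after line 572 has already called `$el.offset()`, so an undefined `$el` throws before the guard is ever reached; move the check above the `var $window = ..., offset = $el.offset();` declaration. A jQuery object is also always truthy, so `! $el` never fires for an empty selection, in which case `$el.offset()` returns `undefined` and line 578 then reads `offset.top` on it; `if ( ! $el || ! $el.length ) { return false; }` placed before the `offset` assignment covers both cases.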
 
core/admin-pages/page-logs.php CHANGED
@@ -2,7 +2,7 @@
2
 
3
 
4
  final class ITSEC_Logs_Page {
5
- private $version = 1.5;
6
 
7
  private $self_url = '';
8
  private $modules = array();
2
 
3
 
4
  final class ITSEC_Logs_Page {
5
+ private $version = 1.7;
6
 
7
  private $self_url = '';
8
  private $modules = array();
core/admin-pages/page-settings.php CHANGED
@@ -2,7 +2,7 @@
2
 
3
 
4
  final class ITSEC_Settings_Page {
5
- private $version = 1.6;
6
 
7
  private static $instance;
8
 
2
 
3
 
4
  final class ITSEC_Settings_Page {
5
+ private $version = 1.7;
6
 
7
  private static $instance;
8
 
core/core.php CHANGED
@@ -25,7 +25,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
25
  *
26
  * @access private
27
  */
28
- private $plugin_build = 4072;
29
 
30
  /**
31
  * Used to distinguish between a user modifying settings and the API modifying settings (such as from Sync
25
  *
26
  * @access private
27
  */
28
+ private $plugin_build = 4074;
29
 
30
  /**
31
  * Used to distinguish between a user modifying settings and the API modifying settings (such as from Sync
core/history.txt CHANGED
@@ -555,3 +555,12 @@
555
  Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
556
  Bug Fix: Fixed method of working around Hide Backend.
557
  Bug Fix: Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
 
 
 
 
 
 
 
 
 
555
  Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
556
  Bug Fix: Fixed method of working around Hide Backend.
557
  Bug Fix: Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
558
+ 3.6.0 - 2017-08-07 - Chris Jean & Timothy Jacobs
559
+ Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
560
+ Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
561
+ Bug Fix: Fixed way to work around Hide Backend on some hosts.
562
+ 3.7.0 - 2017-08-17 - Chris Jean & Timothy Jacobs
563
+ Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
564
+ Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP directly.
565
+ Enhancement: Enabling SSL support will only log you out if you are not already on an https connection.
566
+ Enhancement: Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
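Review bot: the two new changelog entries at lines 558 and 562 are headed `3.6.0 - 2017-08-07` and `3.7.0 - 2017-08-17`, while the plugin header in better-wp-security.php is bumped to 6.5.0 in this same change, so a reader of history.txt cannot map these entries to the shipped version; if history.txt deliberately tracks a different (core) version line, a one-line note at the top of the file saying so would remove the confusion, otherwise the headings should carry the released version.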
core/lib.php CHANGED
@@ -312,6 +312,21 @@ final class ITSEC_Lib {
312
  return $GLOBALS['__itsec_remote_ip'];
313
  }
314
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
315
  if ( ITSEC_Modules::get_setting( 'global', 'proxy_override' ) ) {
316
  $GLOBALS['__itsec_remote_ip'] = $_SERVER['REMOTE_ADDR'];
317
  return $GLOBALS['__itsec_remote_ip'];
@@ -591,29 +606,6 @@ final class ITSEC_Lib {
591
 
592
  }
593
 
594
- /**
595
- * Checks jQuery version.
596
- *
597
- * Checks if the jquery version saved is vulnerable to http://bugs.jquery.com/ticket/9521
598
- *
599
- * @since 4.0.0
600
- *
601
- * @return mixed|bool true if known safe false if unsafe or null if untested
602
- */
603
- public static function is_jquery_version_safe() {
604
-
605
- $jquery_version = ITSEC_Modules::get_setting( 'wordpress-tweaks', 'jquery_version' );
606
-
607
- if ( ! empty( $jquery_version ) && version_compare( $jquery_version, '1.6.3', '>=' ) ) {
608
-
609
- return true;
610
-
611
- }
612
-
613
- return false;
614
-
615
- }
616
-
617
  /**
618
  * Set a 404 error.
619
  *
@@ -1002,7 +994,6 @@ final class ITSEC_Lib {
1002
  */
1003
  public static function get_url_path( $url, $prefix = '' ) {
1004
  $path = (string) parse_url( $url, PHP_URL_PATH );
1005
- $path = preg_replace( '|//+|', '/', $path );
1006
  $path = untrailingslashit( $path );
1007
 
1008
  if ( ! empty( $prefix ) && 0 === strpos( $path, $prefix ) ) {
@@ -1021,7 +1012,8 @@ final class ITSEC_Lib {
1021
  */
1022
  public static function get_request_path() {
1023
  if ( ! isset( $GLOBALS['__itsec_lib_get_request_path'] ) ) {
1024
- $GLOBALS['__itsec_lib_get_request_path'] = self::get_url_path( $_SERVER['REQUEST_URI'], self::get_home_root() );
 
1025
  }
1026
 
1027
  return $GLOBALS['__itsec_lib_get_request_path'];
@@ -1084,4 +1076,53 @@ final class ITSEC_Lib {
1084
  public static function release_lock( $name ) {
1085
  delete_site_option( "itsec-lock-{$name}" );
1086
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1087
  }
312
  return $GLOBALS['__itsec_remote_ip'];
313
  }
314
 
315
+
316
+ $ip = apply_filters( 'itsec-get-ip', false );
317
+
318
+ if ( false !== $ip ) {
319
+ $ip = filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE );
320
+
321
+ if ( ! empty( $ip ) ) {
322
+ $GLOBALS['__itsec_remote_ip'] = $ip;
323
+ return $ip;
324
+ }
325
+ }
326
+
327
+ unset( $ip );
328
+
329
+
330
  if ( ITSEC_Modules::get_setting( 'global', 'proxy_override' ) ) {
331
  $GLOBALS['__itsec_remote_ip'] = $_SERVER['REMOTE_ADDR'];
332
  return $GLOBALS['__itsec_remote_ip'];
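Review bot: the `itsec-get-ip` filter added at line 316 lets any plugin or theme override the address that lockouts, ban lists and logging key on, so its contract needs a docblock: the hook runs before the `proxy_override` and header-based detection that follows at line 330, the value must be a string IP, and returning `false` means "no opinion". The `filter_var( ..., FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE )` call at line 319 is a good safety net, but it also silently discards a legitimately supplied private address (an intranet install behind a local proxy, for example) and falls through to the built-in detection, which is worth stating so implementers are not surprised. The docblock should also tell implementers to derive the address only from a trusted source such as their own proxy's connection data, not from an arbitrary request header, because a filter that trusts a client-supplied header would let the client choose which address a failed login is attributed to.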
606
 
607
  }
608
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
609
  /**
610
  * Set a 404 error.
611
  *
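Review bot: deleting the public static `ITSEC_Lib::is_jquery_version_safe()` (old lines 594-615) is a backwards-compatibility break for any add-on or theme that calls it; since `ITSEC_Lib` is `final` and the method has been public since 4.0.0, consider leaving a thin stub for one release that calls `_deprecated_function()` and returns `true`. Also check whether the `wordpress-tweaks` / `jquery_version` setting the method read (old line 605) is still declared in that module's defaults and validator; if so it will linger in stored options with nothing consuming it.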
994
  */
995
  public static function get_url_path( $url, $prefix = '' ) {
996
  $path = (string) parse_url( $url, PHP_URL_PATH );
 
997
  $path = untrailingslashit( $path );
998
 
999
  if ( ! empty( $prefix ) && 0 === strpos( $path, $prefix ) ) {
1012
  */
1013
  public static function get_request_path() {
1014
  if ( ! isset( $GLOBALS['__itsec_lib_get_request_path'] ) ) {
1015
+ $request_uri = preg_replace( '|//+|', '/', $_SERVER['REQUEST_URI'] );
1016
+ $GLOBALS['__itsec_lib_get_request_path'] = self::get_url_path( $request_uri, self::get_home_root() );
1017
  }
1018
 
1019
  return $GLOBALS['__itsec_lib_get_request_path'];
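Review bot: moving the `preg_replace( '|//+|', '/', ... )` from `get_url_path()` (old line 1005) into the caller `get_request_path()` (new line 1015) changes where slash collapsing happens for a reason the code should state in a comment: `parse_url()` treats a string beginning with `//` as a network-path reference and returns its first segment as the host with no path, so collapsing after `parse_url( $url, PHP_URL_PATH )` at line 996 could never normalise a request URI of the form `//some-path`, which is consistent with the changelog entry "Fixed way to work around Hide Backend on some hosts". One follow-up for the `get_url_path()` hunk: the method is public and its other callers no longer get any collapsing, so either keep a post-parse `preg_replace` there too or document the new contract in its docblock.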
1076
  public static function release_lock( $name ) {
1077
  delete_site_option( "itsec-lock-{$name}" );
1078
  }
1079
+
1080
+ /**
1081
+ * Replace a tag with a given value.
1082
+ *
1083
+ * Will look in the content for a tag matching the {{ $tag_name }} pattern.
1084
+ *
1085
+ * @param string $content
1086
+ * @param string $tag
1087
+ * @param string $replacement
1088
+ *
1089
+ * @return string
1090
+ */
1091
+ public static function replace_tag( $content, $tag, $replacement ) {
1092
+ return preg_replace( '/{{ \$' . preg_quote( $tag, '/' ) . ' }}/', $replacement, $content );
1093
+ }
1094
+
1095
+ /**
1096
+ * Replace multiple tags.
1097
+ *
1098
+ * @param string $content
1099
+ * @param array $tags Array of tag names to replacements.
1100
+ *
1101
+ * @return string
1102
+ */
1103
+ public static function replace_tags( $content, $tags ) {
1104
+ foreach ( $tags as $tag => $replacement ) {
1105
+ $content = self::replace_tag( $content, $tag, $replacement );
1106
+ }
1107
+
1108
+ return $content;
1109
+ }
1110
+
1111
+ /**
1112
+ * Get a percentage value indicating the probability that the site supports SSL.
1113
+ *
1114
+ * The need for a probability value is that a site could appear to support SSL yet the certificate is self-signed.
1115
+ *
1116
+ * @return int
1117
+ */
1118
+ public static function get_ssl_support_probability() {
1119
+ if ( is_ssl() ) {
1120
+ $probability = 50; // The site appears to be on an SSL connection but it could be self-signed or otherwise
1121
+ // not valid to a visitor.
1122
+ } else {
1123
+ $probability = 0;
1124
+ }
1125
+
1126
+ return apply_filters( 'itsec-ssl-support-probability', $probability );
1127
+ }
1128
  }
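Review bot: `replace_tag()` at line 1092 passes `$replacement` straight through as the `preg_replace()` replacement string, so a value containing `$1`, `${1}` or `\1` is interpreted as a backreference and a trailing backslash is swallowed; since the pattern is a fixed literal built with `preg_quote()`, the simpler and safer form is `str_replace( '{{ $' . $tag . ' }}', $replacement, $content )`, or keep `preg_replace()` and escape with `addcslashes( $replacement, '\\$' )`. `replace_tag()` and `replace_tags()` also lack `@since` tags, and the `get_ssl_support_probability()` docblock at lines 1111-1117 should say that the `itsec-ssl-support-probability` filter (line 1126) is the only way the value can exceed 50, so consumers know what a higher number means.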
core/lib/class-itsec-lib-password-requirements.php CHANGED
@@ -179,8 +179,10 @@ class ITSEC_Lib_Password_Requirements {
179
  return;
180
  }
181
 
182
- $user->user_pass = $_POST['pass1'];
183
- $error = wp_update_user( $user );
 
 
184
 
185
  if ( is_wp_error( $error ) ) {
186
  $this->error_message = $error->get_error_message();
179
  return;
180
  }
181
 
182
+ $error = wp_update_user( array(
183
+ 'ID' => $user->ID,
184
+ 'user_pass' => $_POST['pass1']
185
+ ) );
186
 
187
  if ( is_wp_error( $error ) ) {
188
  $this->error_message = $error->get_error_message();
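Review bot: the `$error` variable assigned at new line 182 holds the return of `wp_update_user()`, which is the user ID on success and a `WP_Error` only on failure, so the name misleads; `$result` reads correctly with the `is_wp_error()` check at line 187. Switching from updating a whole `WP_User` object to an array of just `ID` and `user_pass` is the right fix for the compatibility problem in the changelog, because passing the object re-saves every profile field; a one-line comment saying so would stop a future refactor from reverting it. The hunk does not show where `$_POST['pass1']` is verified to be set and to match its confirmation, so confirm the `return;` at line 179 covers those cases.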
core/modules/away-mode/settings-page.php CHANGED
@@ -1,78 +1,78 @@
1
  <?php
2
 
3
  final class ITSEC_Away_Mode_Settings_Page extends ITSEC_Module_Settings_Page {
4
- private $version = 1;
5
-
6
-
7
  public function __construct() {
8
  $this->id = 'away-mode';
9
  $this->title = __( 'Away Mode', 'better-wp-security' );
10
  $this->description = __( 'Disable access to the WordPress Dashboard on a schedule.', 'better-wp-security' );
11
  $this->type = 'recommended';
12
-
13
  parent::__construct();
14
  }
15
-
16
  public function enqueue_scripts_and_styles() {
17
  wp_enqueue_script( 'itsec-away-mode-settings-page-script', plugins_url( 'js/settings-page.js', __FILE__ ), array( 'jquery-ui-datepicker' ), $this->version, true );
18
-
19
  wp_enqueue_style( 'itsec-jquery-ui', plugins_url( 'css/jquery-ui.min.css', __FILE__ ), array(), '1.11.4' );
20
  wp_enqueue_style( 'itsec-jquery-ui-datepicker', plugins_url( 'css/jquery.datepicker.css', __FILE__ ), array( 'itsec-jquery-ui' ), '2014.03.27' );
21
  }
22
-
23
  protected function render_description( $form ) {
24
-
25
  ?>
26
  <p><?php _e( 'As most sites are only updated at certain times of the day it is not always necessary to provide access to the WordPress dashboard 24 hours a day, 7 days a week. The options below will allow you to disable access to the WordPress Dashboard for the specified period. In addition to limiting exposure to attackers this could also be useful to disable site access based on a schedule for classroom or other reasons.', 'better-wp-security' ); ?></p>
27
  <?php
28
-
29
  }
30
-
31
  private function set_datetime_options( $form, $prefix, $has_meridiems ) {
32
  $timestamp = $form->get_option( $prefix );
33
  $timestamp += ITSEC_Core::get_time_offset();
34
-
35
  $form->set_option( "{$prefix}_date", date( 'Y-m-d', $timestamp ) );
36
-
37
  if ( $has_meridiems ) {
38
  $form->set_option( "{$prefix}_hour", intval( date( 'g', $timestamp ) ) );
39
  $form->set_option( "{$prefix}_meridiem", date( 'a', $timestamp ) );
40
  } else {
41
  $form->set_option( "{$prefix}_hour", intval( date( 'G', $timestamp ) ) );
42
  }
43
-
44
  $form->set_option( "{$prefix}_minute", intval( date( 'i', $timestamp ) ) );
45
  }
46
-
47
  protected function render_settings( $form ) {
48
  global $wp_locale;
49
-
50
-
51
  $settings = $form->get_options();
52
  $validator = ITSEC_Modules::get_validator( $this->id );
53
-
54
-
55
  $types = $validator->get_valid_types();
56
-
57
-
58
  if ( 1 === $settings['start'] ) {
59
  $tomorrow = date( 'Y-m-d', current_time( 'timestamp' ) + DAY_IN_SECONDS );
60
  $new_start = strtotime( "$tomorrow 1:00 am" ) - ITSEC_Core::get_time_offset();
61
-
62
  $form->set_option( 'start', $new_start );
63
  }
64
-
65
  if ( 1 === $settings['end'] ) {
66
  $tomorrow = date( 'Y-m-d', current_time( 'timestamp' ) + DAY_IN_SECONDS );
67
  $new_end = strtotime( "$tomorrow 6:00 am" ) - ITSEC_Core::get_time_offset();
68
-
69
  $form->set_option( 'end', $new_end );
70
  }
71
-
72
-
73
  $date_format = get_option( 'date_format' );
74
  $time_format = get_option( 'time_format' );
75
-
76
  if ( false !== strpos( $time_format, 'G' ) ) {
77
  for ( $hour = 0; $hour < 24; $hour++ ) {
78
  $hours[$hour] = $hour;
@@ -85,7 +85,7 @@ final class ITSEC_Away_Mode_Settings_Page extends ITSEC_Module_Settings_Page {
85
  for ( $hour = 1; $hour <= 12; $hour++ ) {
86
  $hours[$hour] = $hour;
87
  }
88
-
89
  if ( false !== strpos( $time_format, 'A' ) ) {
90
  $am = $wp_locale->get_meridiem( 'AM' );
91
  $pm = $wp_locale->get_meridiem( 'PM' );
@@ -93,28 +93,28 @@ final class ITSEC_Away_Mode_Settings_Page extends ITSEC_Module_Settings_Page {
93
  $am = $wp_locale->get_meridiem( 'am' );
94
  $pm = $wp_locale->get_meridiem( 'pm' );
95
  }
96
-
97
  $meridiems = array(
98
  'am' => $am,
99
  'pm' => $pm,
100
  );
101
  }
102
-
103
  for ( $minute = 0; $minute <= 59; $minute++ ) {
104
  $minutes[$minute] = sprintf( '%02d', $minute );
105
  }
106
-
107
-
108
  $this->set_datetime_options( $form, 'start', isset( $meridiems ) );
109
  $this->set_datetime_options( $form, 'end', isset( $meridiems ) );
110
-
111
-
112
  /* translators: 1: date, 2: time */
113
  $datetime_format = _x( '%1$s \a\t %2$s', 'Date and time format', 'better-wp-security' );
114
  $datetime_format = sprintf( $datetime_format, $date_format, $time_format );
115
-
116
  $current_datetime = date_i18n( $datetime_format );
117
-
118
  ?>
119
  <p><?php printf( __( 'Please note that according to your <a href="%s">WordPress Timezone settings</a> your current time is:', 'better-wp-security' ), admin_url( 'options-general.php#timezone_string' ) ); ?></p>
120
  <p class="current-date-time"><?php echo $current_datetime; ?></p>
@@ -169,7 +169,7 @@ final class ITSEC_Away_Mode_Settings_Page extends ITSEC_Module_Settings_Page {
169
  </tr>
170
  </table>
171
  <?php
172
-
173
  }
174
  }
175
 
1
  <?php
2
 
3
  final class ITSEC_Away_Mode_Settings_Page extends ITSEC_Module_Settings_Page {
4
+ private $version = 2;
5
+
6
+
7
  public function __construct() {
8
  $this->id = 'away-mode';
9
  $this->title = __( 'Away Mode', 'better-wp-security' );
10
  $this->description = __( 'Disable access to the WordPress Dashboard on a schedule.', 'better-wp-security' );
11
  $this->type = 'recommended';
12
+
13
  parent::__construct();
14
  }
15
+
16
  public function enqueue_scripts_and_styles() {
17
  wp_enqueue_script( 'itsec-away-mode-settings-page-script', plugins_url( 'js/settings-page.js', __FILE__ ), array( 'jquery-ui-datepicker' ), $this->version, true );
18
+
19
  wp_enqueue_style( 'itsec-jquery-ui', plugins_url( 'css/jquery-ui.min.css', __FILE__ ), array(), '1.11.4' );
20
  wp_enqueue_style( 'itsec-jquery-ui-datepicker', plugins_url( 'css/jquery.datepicker.css', __FILE__ ), array( 'itsec-jquery-ui' ), '2014.03.27' );
21
  }
22
+
23
  protected function render_description( $form ) {
24
+
25
  ?>
26
  <p><?php _e( 'As most sites are only updated at certain times of the day it is not always necessary to provide access to the WordPress dashboard 24 hours a day, 7 days a week. The options below will allow you to disable access to the WordPress Dashboard for the specified period. In addition to limiting exposure to attackers this could also be useful to disable site access based on a schedule for classroom or other reasons.', 'better-wp-security' ); ?></p>
27
  <?php
28
+
29
  }
30
+
31
  private function set_datetime_options( $form, $prefix, $has_meridiems ) {
32
  $timestamp = $form->get_option( $prefix );
33
  $timestamp += ITSEC_Core::get_time_offset();
34
+
35
  $form->set_option( "{$prefix}_date", date( 'Y-m-d', $timestamp ) );
36
+
37
  if ( $has_meridiems ) {
38
  $form->set_option( "{$prefix}_hour", intval( date( 'g', $timestamp ) ) );
39
  $form->set_option( "{$prefix}_meridiem", date( 'a', $timestamp ) );
40
  } else {
41
  $form->set_option( "{$prefix}_hour", intval( date( 'G', $timestamp ) ) );
42
  }
43
+
44
  $form->set_option( "{$prefix}_minute", intval( date( 'i', $timestamp ) ) );
45
  }
46
+
47
  protected function render_settings( $form ) {
48
  global $wp_locale;
49
+
50
+
51
  $settings = $form->get_options();
52
  $validator = ITSEC_Modules::get_validator( $this->id );
53
+
54
+
55
  $types = $validator->get_valid_types();
56
+
57
+
58
  if ( 1 === $settings['start'] ) {
59
  $tomorrow = date( 'Y-m-d', current_time( 'timestamp' ) + DAY_IN_SECONDS );
60
  $new_start = strtotime( "$tomorrow 1:00 am" ) - ITSEC_Core::get_time_offset();
61
+
62
  $form->set_option( 'start', $new_start );
63
  }
64
+
65
  if ( 1 === $settings['end'] ) {
66
  $tomorrow = date( 'Y-m-d', current_time( 'timestamp' ) + DAY_IN_SECONDS );
67
  $new_end = strtotime( "$tomorrow 6:00 am" ) - ITSEC_Core::get_time_offset();
68
+
69
  $form->set_option( 'end', $new_end );
70
  }
71
+
72
+
73
  $date_format = get_option( 'date_format' );
74
  $time_format = get_option( 'time_format' );
75
+
76
  if ( false !== strpos( $time_format, 'G' ) ) {
77
  for ( $hour = 0; $hour < 24; $hour++ ) {
78
  $hours[$hour] = $hour;
85
  for ( $hour = 1; $hour <= 12; $hour++ ) {
86
  $hours[$hour] = $hour;
87
  }
88
+
89
  if ( false !== strpos( $time_format, 'A' ) ) {
90
  $am = $wp_locale->get_meridiem( 'AM' );
91
  $pm = $wp_locale->get_meridiem( 'PM' );
93
  $am = $wp_locale->get_meridiem( 'am' );
94
  $pm = $wp_locale->get_meridiem( 'pm' );
95
  }
96
+
97
  $meridiems = array(
98
  'am' => $am,
99
  'pm' => $pm,
100
  );
101
  }
102
+
103
  for ( $minute = 0; $minute <= 59; $minute++ ) {
104
  $minutes[$minute] = sprintf( '%02d', $minute );
105
  }
106
+
107
+
108
  $this->set_datetime_options( $form, 'start', isset( $meridiems ) );
109
  $this->set_datetime_options( $form, 'end', isset( $meridiems ) );
110
+
111
+
112
  /* translators: 1: date, 2: time */
113
  $datetime_format = _x( '%1$s \a\t %2$s', 'Date and time format', 'better-wp-security' );
114
  $datetime_format = sprintf( $datetime_format, $date_format, $time_format );
115
+
116
  $current_datetime = date_i18n( $datetime_format );
117
+
118
  ?>
119
  <p><?php printf( __( 'Please note that according to your <a href="%s">WordPress Timezone settings</a> your current time is:', 'better-wp-security' ), admin_url( 'options-general.php#timezone_string' ) ); ?></p>
120
  <p class="current-date-time"><?php echo $current_datetime; ?></p>
169
  </tr>
170
  </table>
171
  <?php
172
+
173
  }
174
  }
175
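Review bot: apart from the `$version` bump at line 4 (1 to 2), every changed line in these hunks is a blank line removed and re-added (lines 5-6, 12, 15, 18, 22, 24, 28, 30, 34, 36, 43, 46, 49-50, 53-54, 56-57, 61, 64, 68, 71-72, 75, 88, 96, 102, 106-107, 110-111, 115, 117, 172), which points to trailing-whitespace or line-ending churn; it buries the one functional edit and makes `git blame` on this file useless, so normalise whitespace in a separate commit or align the editor's trim-on-save with the repository's `.editorconfig` / `.gitattributes`.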
 
core/modules/file-change/settings-page.php CHANGED
@@ -1,7 +1,7 @@
1
  <?php
2
 
3
  final class ITSEC_File_Change_Settings_Page extends ITSEC_Module_Settings_Page {
4
- private $script_version = 1;
5
 
6
 
7
  public function __construct() {
1
  <?php
2
 
3
  final class ITSEC_File_Change_Settings_Page extends ITSEC_Module_Settings_Page {
4
+ private $script_version = 2;
5
 
6
 
7
  public function __construct() {
core/modules/malware/class-itsec-malware-scanner.php CHANGED
@@ -4,6 +4,8 @@ final class ITSEC_Malware_Scanner {
4
  protected static $transient_name = 'itsec_cached_sucuri_scan';
5
 
6
  public static function scan() {
 
 
7
  global $itsec_logger;
8
 
9
 
@@ -20,7 +22,41 @@ final class ITSEC_Malware_Scanner {
20
  return $results;
21
  }
22
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
23
  protected static function get_scan_results() {
 
24
  $response = get_site_transient( self::$transient_name );
25
  $cached = true;
26
 
@@ -100,7 +136,7 @@ final class ITSEC_Malware_Scanner {
100
 
101
  $body = @json_decode( $body, true );
102
 
103
- if ( is_null( $body ) && isset( $response['headers'] ) && isset( $response['headers']['content-type'] ) ) {
104
  if ( 'application/json' === $response['headers']['content-type'] ) {
105
  return new WP_Error( 'itsec-malware-scanner-invalid-json-data-in-scan-response', __( 'The scan did not complete successfully. The Sucuri server should send its response in JSON encoding. The response indicates that the encoding is JSON, but the data could not be decoded. This problem could be due to a temporary Sucuri server issue or a compatibility issue on your server. If the problem continues, please contact iThemes Security support.', 'better-wp-security' ), $response );
106
  } else {
4
  protected static $transient_name = 'itsec_cached_sucuri_scan';
5
 
6
  public static function scan() {
7
+
8
+ /** @var ITSEC_Logger $itsec_logger */
9
  global $itsec_logger;
10
 
11
 
22
  return $results;
23
  }
24
 
25
+ /**
26
+ * This attempts to determine if this is a temporary Sucuri error or something the user needs to take action on.
27
+ *
28
+ * @param WP_Error|array $results
29
+ *
30
+ * @return bool
31
+ */
32
+ public static function is_sucuri_error( $results ) {
33
+ if ( ! is_wp_error( $results ) ) {
34
+ return false;
35
+ }
36
+
37
+ $code = $results->get_error_code();
38
+
39
+ // Networking error probably due to a server issue.
40
+ if ( strpos( $code, 'itsec' ) === false ) {
41
+ return false;
42
+ }
43
+
44
+ $plugin_conflict_codes = array(
45
+ 'itsec-malware-scanner-wp-remote-get-response-malformed',
46
+ 'itsec-malware-scanner-wp-remote-get-response-missing-body',
47
+ 'itsec-malware-scanner-wp-remote-get-response-empty-body',
48
+ );
49
+
50
+ // Probably a plugin conflict.
51
+ if ( in_array( $code, $plugin_conflict_codes, true ) ) {
52
+ return false;
53
+ }
54
+
55
+ return true;
56
+ }
57
+
58
  protected static function get_scan_results() {
59
+
60
  $response = get_site_transient( self::$transient_name );
61
  $cached = true;
62
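Review bot: `is_sucuri_error()` (lines 32-56) falls through to `return true` for every `itsec-` prefixed code that is not in `$plugin_conflict_codes`, so any error code added to this scanner later, including one describing a local misconfiguration the administrator must act on, will be reported as a temporary Sucuri outage; an allow-list of the known remote-side codes (for example `itsec-malware-scanner-invalid-json-data-in-scan-response`, which the next hunk still produces) with a `return false` default fails safer, or at minimum add a comment explaining why the default is `true`. The prefix test at line 40, `strpos( $code, 'itsec' ) === false`, also matches `itsec` anywhere in the string; `0 !== strpos( $code, 'itsec-' )` expresses the intent.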
 
136
 
137
  $body = @json_decode( $body, true );
138
 
139
+ if ( is_null( $body ) && isset( $response['headers'], $response['headers']['content-type'] ) ) {
140
  if ( 'application/json' === $response['headers']['content-type'] ) {
141
  return new WP_Error( 'itsec-malware-scanner-invalid-json-data-in-scan-response', __( 'The scan did not complete successfully. The Sucuri server should send its response in JSON encoding. The response indicates that the encoding is JSON, but the data could not be decoded. This problem could be due to a temporary Sucuri server issue or a compatibility issue on your server. If the problem continues, please contact iThemes Security support.', 'better-wp-security' ), $response );
142
  } else {
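Review bot: the `isset( $response['headers'], $response['headers']['content-type'] )` rewrite at line 139 is equivalent and tidier, but the context line 140 it guards compares `'application/json' === $response['headers']['content-type']` with strict equality, so a server that sends `application/json; charset=utf-8` lands in the `else` branch and the administrator gets the wrong diagnostic; comparing the media type prefix (`0 === strpos( $content_type, 'application/json' )`) classifies the failure correctly. Pre-existing, but this is the hunk touching that code.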
core/modules/malware/js/settings-page.js CHANGED
@@ -44,16 +44,25 @@
44
 
45
  handleResponse: function( results ) {
46
  $('#itsec-malware-scan-start').hide();
 
 
 
 
47
 
48
  if ( results.errors.length > 0 ) {
49
  var message;
50
 
51
  $.each( results.errors, function( index, error ) {
52
- message = '<div class="error inline"><p><strong>' + error + '</strong></p></div>';
 
 
 
 
 
 
 
53
  $('.itsec-malware-scan-results-wrapper').append( message );
54
  } );
55
- } else {
56
- $('.itsec-malware-scan-results-wrapper').html( results.response );
57
  }
58
  },
59
  };
44
 
45
  handleResponse: function( results ) {
46
  $('#itsec-malware-scan-start').hide();
47
+
48
+ if ( results.response && results.response.length ) {
49
+ $('.itsec-malware-scan-results-wrapper').html( results.response );
50
+ }
51
 
52
  if ( results.errors.length > 0 ) {
53
  var message;
54
 
55
  $.each( results.errors, function( index, error ) {
56
+ message = '<div class="notice notice-error notice-alt"><p><strong>' + error + '</strong></p></div>';
57
+ $('.itsec-malware-scan-results-wrapper').append( message );
58
+ } );
59
+ }
60
+
61
+ if ( results.warnings.length > 0 ) {
62
+ $.each( results.warnings, function( index, warning ) {
63
+ message = '<div class="notice notice-warning notice-alt"><p>' + warning + '</p></div>';
64
  $('.itsec-malware-scan-results-wrapper').append( message );
65
  } );
 
 
66
  }
67
  },
68
  };
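Review bot: the new `results.warnings.length` access at line 61 has no guard that `results.warnings` exists, unlike the `results.response && results.response.length` check at line 48; a response from server-side code that omits `warnings` would throw a TypeError and abort `handleResponse` after the errors are rendered, so use `if ( results.warnings && results.warnings.length )`. The `var message` declared inside the errors block at line 53 is reused in the warnings block at line 63; `var` is function-scoped so this works, but declaring it once at the top of `handleResponse` makes the reuse explicit. Both blocks also build markup by concatenating message strings into HTML; these come from the plugin's own translated strings today, but `$( '<p>' ).text( error )` would keep that safe if a server-side message ever echoes request data.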
core/modules/malware/settings-page.php CHANGED
@@ -1,7 +1,7 @@
1
  <?php
2
 
3
  class ITSEC_Settings_Page_Sidebar_Widget_Malware_Scan extends ITSEC_Settings_Page_Sidebar_Widget {
4
- private $script_version = 1;
5
 
6
 
7
  public function __construct() {
@@ -29,13 +29,20 @@ class ITSEC_Settings_Page_Sidebar_Widget_Malware_Scan extends ITSEC_Settings_Pag
29
  require_once( dirname( __FILE__ ) . '/class-itsec-malware-scanner.php' );
30
  require_once( dirname( __FILE__ ) . '/class-itsec-malware-scan-results-template.php' );
31
 
 
 
32
  if ( ! ITSEC_Core::current_user_can_manage() ) {
33
  $results = new WP_Error( 'itsec-settings-malware-scan-insufficient-privileges', __( 'An error prevented the scan from completing as expected. The currently logged in user does not have sufficient permissions to run this scan. You may need to log out of the site and log back in.', 'better-wp-security' ) );
34
  } else {
35
- $results = ITSEC_Malware_Scanner::scan();
 
36
  }
37
 
38
- ITSEC_Response::set_response( ITSEC_Malware_Scan_Results_Template::get_html( $results, true ) );
 
 
 
 
39
  }
40
 
41
  public function render( $form ) {
1
  <?php
2
 
3
  class ITSEC_Settings_Page_Sidebar_Widget_Malware_Scan extends ITSEC_Settings_Page_Sidebar_Widget {
4
+ private $script_version = 2;
5
 
6
 
7
  public function __construct() {
29
  require_once( dirname( __FILE__ ) . '/class-itsec-malware-scanner.php' );
30
  require_once( dirname( __FILE__ ) . '/class-itsec-malware-scan-results-template.php' );
31
 
32
+ $temporary_error = false;
33
+
34
  if ( ! ITSEC_Core::current_user_can_manage() ) {
35
  $results = new WP_Error( 'itsec-settings-malware-scan-insufficient-privileges', __( 'An error prevented the scan from completing as expected. The currently logged in user does not have sufficient permissions to run this scan. You may need to log out of the site and log back in.', 'better-wp-security' ) );
36
  } else {
37
+ $results = ITSEC_Malware_Scanner::scan();
38
+ $temporary_error = ITSEC_Malware_Scanner::is_sucuri_error( $results );
39
  }
40
 
41
+ if ( $temporary_error ) {
42
+ ITSEC_Response::add_warning( __( 'Malware scanning is temporarily unavailable, please try again later.', 'better-wp-security' ) );
43
+ } else {
44
+ ITSEC_Response::set_response( ITSEC_Malware_Scan_Results_Template::get_html( $results, true ) );
45
+ }
46
  }
47
 
48
  public function render( $form ) {
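Review bot: when `$temporary_error` is true (lines 41-42) the original `WP_Error` from `ITSEC_Malware_Scanner::scan()` is discarded and only a generic "temporarily unavailable" warning is returned, so an administrator investigating repeated failures has no error code or message to work with; log `$results->get_error_code()` and `$results->get_error_message()` through the plugin logger before dropping them. The `$temporary_error = false;` initialisation at line 32 is required because the insufficient-privileges branch never sets it; a short comment would keep it from being "cleaned up".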
core/modules/security-check/scanner.php CHANGED
@@ -39,9 +39,10 @@ final class ITSEC_Security_Check_Scanner {
39
  require_once( dirname( __FILE__ ) . '/feedback.php' );
40
 
41
  self::$feedback = new ITSEC_Security_Check_Feedback();
42
-
43
  self::$available_modules = ITSEC_Modules::get_available_modules();
44
 
 
 
45
  self::enforce_activation( 'ban-users', __( 'Banned Users', 'better-wp-security' ) );
46
  self::enforce_setting( 'ban-users', 'enable_ban_lists', true, __( 'Enabled the Enable Ban Lists setting in Banned Users.', 'better-wp-security' ) );
47
 
@@ -66,6 +67,8 @@ final class ITSEC_Security_Check_Scanner {
66
  self::enforce_setting( 'wordpress-tweaks', 'rest_api', 'restrict-access', __( 'Changed the REST API setting in WordPress Tweaks to "Restricted Access".', 'better-wp-security' ) );
67
 
68
  self::enforce_setting( 'global', 'write_files', true, __( 'Enabled the Write to Files setting in Global Settings.', 'better-wp-security' ) );
 
 
69
  }
70
 
71
  private static function add_network_brute_force_signup() {
39
  require_once( dirname( __FILE__ ) . '/feedback.php' );
40
 
41
  self::$feedback = new ITSEC_Security_Check_Feedback();
 
42
  self::$available_modules = ITSEC_Modules::get_available_modules();
43
 
44
+ do_action( 'itsec-security-check-before-default-checks', self::$feedback, self::$available_modules );
45
+
46
  self::enforce_activation( 'ban-users', __( 'Banned Users', 'better-wp-security' ) );
47
  self::enforce_setting( 'ban-users', 'enable_ban_lists', true, __( 'Enabled the Enable Ban Lists setting in Banned Users.', 'better-wp-security' ) );
48
 
67
  self::enforce_setting( 'wordpress-tweaks', 'rest_api', 'restrict-access', __( 'Changed the REST API setting in WordPress Tweaks to "Restricted Access".', 'better-wp-security' ) );
68
 
69
  self::enforce_setting( 'global', 'write_files', true, __( 'Enabled the Write to Files setting in Global Settings.', 'better-wp-security' ) );
70
+
71
+ do_action( 'itsec-security-check-after-default-checks', self::$feedback, self::$available_modules );
72
  }
73
 
74
  private static function add_network_brute_force_signup() {
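Review bot: the new hooks `itsec-security-check-before-default-checks` (line 44) and `itsec-security-check-after-default-checks` (line 71) hand `self::$feedback` and `self::$available_modules` to third-party callbacks but carry no docblock; since callbacks run with the same privileges as the scan and can change module settings through the modules API, document the expected contract (report through the feedback object, only act on modules listed in `$available_modules`) and add `@since` tags so integrators know the actions are stable.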
core/modules/security-check/settings-page.php CHANGED
@@ -1,7 +1,7 @@
1
  <?php
2
 
3
  final class ITSEC_Security_Check_Settings_Page extends ITSEC_Module_Settings_Page {
4
- private $script_version = 2;
5
 
6
 
7
  public function __construct() {
@@ -39,6 +39,8 @@ final class ITSEC_Security_Check_Settings_Page extends ITSEC_Module_Settings_Pag
39
  require_once( dirname( __FILE__ ) . '/scanner.php' );
40
 
41
  ITSEC_Security_Check_Scanner::activate_network_brute_force( $_POST['data'] );
 
 
42
  }
43
  }
44
 
1
  <?php
2
 
3
  final class ITSEC_Security_Check_Settings_Page extends ITSEC_Module_Settings_Page {
4
+ private $script_version = 3;
5
 
6
 
7
  public function __construct() {
39
  require_once( dirname( __FILE__ ) . '/scanner.php' );
40
 
41
  ITSEC_Security_Check_Scanner::activate_network_brute_force( $_POST['data'] );
42
+ } else {
43
+ do_action( "itsec-security-check-{$data['method']}", $_POST['data'] );
44
  }
45
  }
46
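Review bot: the new `else` branch at line 43 interpolates `$data['method']` into the action name `itsec-security-check-{$data['method']}` and passes `$_POST['data']` to whatever is hooked there; `$data` is not defined in the visible lines, so confirm it is the decoded `$_POST['data']` and run the method through `sanitize_key()` (or check it against the set of methods this page registers) before building the hook name, so that an unexpected value cannot fire an unrelated `itsec-security-check-*` action and listeners receive a predictable name. The surrounding AJAX handler is presumably already capability-checked, as the malware widget does with `ITSEC_Core::current_user_can_manage()`; if not, that check belongs before this dispatch.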
 
core/modules/ssl/class-itsec-ssl-admin.php CHANGED
@@ -2,7 +2,9 @@
2
 
3
  class ITSEC_SSL_Admin {
4
  function run() {
5
- if ( 1 === ITSEC_Modules::get_setting( 'ssl', 'frontend' ) ) {
 
 
6
 
7
  add_action( 'post_submitbox_misc_actions', array( $this, 'ssl_enable_per_content' ) );
8
  add_action( 'save_post', array( $this, 'save_post' ) );
@@ -54,7 +56,7 @@ class ITSEC_SSL_Admin {
54
  if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
55
  return $id;
56
  }
57
-
58
  if ( ! current_user_can( 'edit_post', $id ) ) {
59
  return $id;
60
  }
2
 
3
  class ITSEC_SSL_Admin {
4
  function run() {
5
+ $settings = ITSEC_Modules::get_settings( 'ssl' );
6
+
7
+ if ( 'advanced' === $settings['require_ssl'] && 1 === $settings['frontend'] ) {
8
 
9
  add_action( 'post_submitbox_misc_actions', array( $this, 'ssl_enable_per_content' ) );
10
  add_action( 'save_post', array( $this, 'save_post' ) );
56
  if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
57
  return $id;
58
  }
59
+
60
  if ( ! current_user_can( 'edit_post', $id ) ) {
61
  return $id;
62
  }
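Review bot: the new condition at line 7 reads `$settings['require_ssl']` and `$settings['frontend']` directly from `ITSEC_Modules::get_settings( 'ssl' )`; if the settings array saved by a pre-6.5.0 install has no `require_ssl` key this emits an undefined-index notice on every admin load until settings are re-saved, so confirm the module defaults supply `require_ssl` (the hunks here do not show the validator) or use `isset()` with a fallback. A comment that the per-post SSL controls are now available only when `require_ssl` is `advanced` would also help, since that is the behaviour change the changelog describes.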
core/modules/ssl/class-itsec-ssl.php CHANGED
@@ -54,6 +54,12 @@ class ITSEC_SSL {
54
  $this->add_config_hooks();
55
 
56
  add_action( 'template_redirect', array( $this, 'do_conditional_ssl_redirect' ), 0 );
 
 
 
 
 
 
57
 
58
  if ( is_ssl() ) {
59
  $this->http_site_url = site_url( '', 'http' );
@@ -63,9 +69,15 @@ class ITSEC_SSL {
63
  add_filter( 'script_loader_src', array( $this, 'script_loader_src' ) );
64
  add_filter( 'style_loader_src', array( $this, 'style_loader_src' ) );
65
  add_filter( 'upload_dir', array( $this, 'upload_dir' ) );
 
 
66
  }
67
  }
68
 
 
 
 
 
69
  /**
70
  * Redirects to or from SSL where appropriate
71
  *
@@ -74,62 +86,46 @@ class ITSEC_SSL {
74
  * @return void
75
  */
76
  public function do_conditional_ssl_redirect() {
77
- $hide_options = get_site_option( 'itsec_hide_backend', array() );
78
-
79
- if ( isset( $hide_options['enabled'] ) && ( $hide_options['enabled'] === true ) && ( $_SERVER['REQUEST_URI'] == ITSEC_Lib::get_home_root() . $hide_options['slug'] ) ) {
80
- return;
81
- }
82
-
83
-
84
  $settings = ITSEC_Modules::get_settings( 'ssl' );
 
85
 
86
  if ( 2 === $settings['frontend'] ) {
87
  $protocol = 'https';
88
- } else if ( ( 1 === $settings['frontend'] ) && is_singular() ) {
89
  global $post;
90
 
91
- $bwps_ssl = get_post_meta( $post->ID, 'bwps_enable_ssl' );
92
 
93
- if ( ! empty( $bwps_ssl ) ) {
94
- if ( $bwps_ssl[0] ) {
95
  $protocol = 'https';
96
- update_post_meta( $post->ID, 'itsec_enable_ssl', true );
97
- }
98
-
99
- delete_post_meta( $post->ID, 'bwps_enable_ssl' );
100
- }
101
-
102
- if ( ! isset( $protocol ) ) {
103
- $enable_ssl = get_post_meta( $post->ID, 'itsec_enable_ssl' );
104
-
105
- if ( ! empty( $enable_ssl ) ) {
106
- if ( $enable_ssl[0] ) {
107
- $protocol = 'https';
108
- } else {
109
- delete_post_meta( $post->ID, 'itsec_enable_ssl' );
110
- }
111
  }
112
  }
113
  } else {
114
  return;
115
  }
116
 
117
- if ( ! isset( $protocol ) ) {
118
- $protocol = 'http';
119
- }
120
-
121
  $is_ssl = is_ssl();
122
 
123
- if ( $is_ssl && ( 'http' == $protocol ) ) {
124
- $redirect = "http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
125
  } else if ( ! $is_ssl && ( 'https' == $protocol ) ) {
126
- $redirect = "https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
127
  }
 
128
 
129
- if ( isset( $redirect ) ) {
130
- wp_redirect( $redirect, 301 );
131
- exit();
132
- }
 
 
 
 
 
 
133
  }
134
 
135
  /**
@@ -188,8 +184,11 @@ class ITSEC_SSL {
188
  }
189
 
190
  public function filter_wp_config_modification( $modification ) {
191
- if ( ITSEC_Modules::get_setting( 'ssl', 'admin' ) ) {
192
- $modification .= "define( 'FORCE_SSL_LOGIN', true ); // " . __( 'Force SSL for Dashboard - Security > Settings > Secure Socket Layers (SSL) > SSL for Dashboard', 'better-wp-security' ) . "\n";
 
 
 
193
  $modification .= "define( 'FORCE_SSL_ADMIN', true ); // " . __( 'Force SSL for Dashboard - Security > Settings > Secure Socket Layers (SSL) > SSL for Dashboard', 'better-wp-security' ) . "\n";
194
  }
195
 
54
  $this->add_config_hooks();
55
 
56
  add_action( 'template_redirect', array( $this, 'do_conditional_ssl_redirect' ), 0 );
57
+ $settings = ITSEC_Modules::get_settings( 'ssl' );
58
+
59
+ if ( 'enabled' === $settings['require_ssl'] ) {
60
+ add_filter( 'option_siteurl', array( $this, 'get_https_url' ), 5 );
61
+ add_filter( 'option_home', array( $this, 'get_https_url' ), 5 );
62
+ }
63
 
64
  if ( is_ssl() ) {
65
  $this->http_site_url = site_url( '', 'http' );
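Review bot: lines 59-62 hook `get_https_url` onto `option_siteurl` and `option_home` at priority 5 whenever `require_ssl` is `enabled`, which rewrites every `home_url()`/`site_url()` read, including cron and WP-CLI contexts. A one-line comment saying that this is what makes generated links, canonical redirects and the login cookie use https would help the next reader, and the choice of priority 5 (ahead of the default 10) deserves a note on why it has to run before other filters.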
69
  add_filter( 'script_loader_src', array( $this, 'script_loader_src' ) );
70
  add_filter( 'style_loader_src', array( $this, 'style_loader_src' ) );
71
  add_filter( 'upload_dir', array( $this, 'upload_dir' ) );
72
+ } else if ( 'enabled' === $settings['require_ssl'] && 'GET' === $_SERVER['REQUEST_METHOD'] ) {
73
+ $this->redirect_to_https();
74
  }
75
  }
76
 
77
+ public function get_https_url( $url ) {
78
+ return preg_replace( '/^http:/', 'https:', $url );
79
+ }
80
+
81
  /**
82
  * Redirects to or from SSL where appropriate
83
  *
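Review bot: the `'GET' === $_SERVER['REQUEST_METHOD']` guard on line 72 needs a comment. It deliberately leaves non-GET requests over http alone so that a POST is not turned into a GET by the 301, but it also means a form submitted to an http URL is still accepted in plaintext, and HEAD requests fall through the same way; the `option_home` filter added above is what keeps forms from targeting http URLs in the first place, and that dependency is worth stating next to the guard.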
86
  * @return void
87
  */
88
  public function do_conditional_ssl_redirect() {
 
 
 
 
 
 
 
89
  $settings = ITSEC_Modules::get_settings( 'ssl' );
90
+ $protocol = 'http';
91
 
92
  if ( 2 === $settings['frontend'] ) {
93
  $protocol = 'https';
94
+ } else if ( 1 === $settings['frontend'] && is_singular() ) {
95
  global $post;
96
 
97
+ $enable_ssl = get_post_meta( $post->ID, 'itsec_enable_ssl' );
98
 
99
+ if ( ! empty( $enable_ssl ) ) {
100
+ if ( $enable_ssl[0] ) {
101
  $protocol = 'https';
102
+ } else {
103
+ delete_post_meta( $post->ID, 'itsec_enable_ssl' );
 
 
 
 
 
 
 
 
 
 
 
 
 
104
  }
105
  }
106
  } else {
107
  return;
108
  }
109
 
 
 
 
 
110
  $is_ssl = is_ssl();
111
 
112
+ if ( $is_ssl && ( 'http' === $protocol ) ) {
113
+ $this->redirect_to_http();
114
  } else if ( ! $is_ssl && ( 'https' == $protocol ) ) {
115
+ $this->redirect_to_https();
116
  }
117
+ }
118
 
119
+ private function redirect_to_http() {
120
+ $redirect = "http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
121
+ wp_redirect( $redirect, 301 );
122
+ exit();
123
+ }
124
+
125
+ private function redirect_to_https() {
126
+ $redirect = "https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
127
+ wp_redirect( $redirect, 301 );
128
+ exit();
129
  }
130
 
131
  /**
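Review bot: `redirect_to_http()` and `redirect_to_https()` on lines 119-129 build the `Location` from `$_SERVER['HTTP_HOST']`, which is client-supplied; on hosts that answer for any `Host` value this lets a request be bounced to a hostname the server never chose, and because the response is a 301 a caching proxy can keep it. Prefer the host from `home_url()`, or validate `HTTP_HOST` against it, now that `require_ssl` makes this path fire on every http GET. Two smaller points in the same hunk: line 114 still compares with `'https' == $protocol` while line 112 was changed to `===`, and the early return for the Hide Backend slug (old lines 77-81) is dropped without replacement, so the hidden login URL is now subject to the front-end redirect too; confirm that is intended.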
184
  }
185
 
186
  public function filter_wp_config_modification( $modification ) {
187
+ $settings = ITSEC_Modules::get_settings( 'ssl' );
188
+
189
+ if ( 'enabled' === $settings['require_ssl'] ) {
190
+ $modification .= "define( 'FORCE_SSL_ADMIN', true ); // " . __( 'Redirect All HTTP Page Requests to HTTPS - Security > Settings > Secure Socket Layers (SSL) > SSL for Dashboard', 'better-wp-security' ) . "\n";
191
+ } else if ( 'advanced' === $settings['require_ssl'] && $settings['admin'] ) {
192
  $modification .= "define( 'FORCE_SSL_ADMIN', true ); // " . __( 'Force SSL for Dashboard - Security > Settings > Secure Socket Layers (SSL) > SSL for Dashboard', 'better-wp-security' ) . "\n";
193
  }
194
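Review bot: both branches on lines 189-193 append the identical `define( 'FORCE_SSL_ADMIN', true );` and differ only in the trailing comment, so the condition could be collapsed into one `if` with the comment chosen separately. The comment written for the `enabled` branch also ends in `> SSL for Dashboard`, which is the label of the advanced-mode checkbox, not of the `Redirect All HTTP Page Requests to HTTPS` setting it names, so the navigation hint points at the wrong control. Dropping the deprecated `FORCE_SSL_LOGIN` define is correct.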
 
core/modules/ssl/js/settings-page.js CHANGED
@@ -1,9 +1,18 @@
1
- (function( $ ) {
2
- $(document).ready(function() {
3
- $( document ).on( 'change', '#itsec-ssl-admin', function( e ) {
4
- if ( this.checked && ! confirm( itsec_ssl.translations.ssl_warning ) ) {
5
- $(this).attr( 'checked', false );
6
- }
7
- } );
8
- });
9
- })( jQuery );
 
 
 
 
 
 
 
 
 
1
+ jQuery( document ).ready( function () {
2
+ var updateVisibleSections = function() {
3
+ var requireSSL = jQuery( '#itsec-ssl-require_ssl' ).val();
4
+
5
+ if ( 'advanced' === requireSSL ) {
6
+ jQuery( '.itsec-ssl-advanced-setting' ).show();
7
+ } else {
8
+ jQuery( '.itsec-ssl-advanced-setting' ).hide();
9
+ }
10
+ };
11
+
12
+
13
+ var $container = jQuery( '#wpcontent' );
14
+
15
+ $container.on( 'change', '#itsec-ssl-require_ssl', updateVisibleSections );
16
+
17
+ updateVisibleSections();
18
+ } );
core/modules/ssl/settings-page.php CHANGED
@@ -1,79 +1,112 @@
1
  <?php
2
 
3
  final class ITSEC_SSL_Settings_Page extends ITSEC_Module_Settings_Page {
4
- private $script_version = 1;
5
-
6
-
7
  public function __construct() {
8
  $this->id = 'ssl';
9
  $this->title = __( 'SSL', 'better-wp-security' );
10
  $this->description = __( 'Configure use of SSL to ensure that communications between browsers and the server are secure.', 'better-wp-security' );
11
  $this->type = 'recommended';
12
-
13
  parent::__construct();
14
  }
15
-
16
  public function enqueue_scripts_and_styles() {
17
  $vars = array(
18
  'translations' => array(
19
  'ssl_warning' => __( 'Are you sure you want to enable SSL? If your server does not support SSL you will be locked out of your WordPress Dashboard.', 'better-wp-security' ),
20
  ),
21
  );
22
-
23
  wp_enqueue_script( 'itsec-ssl-admin-script', plugins_url( 'js/settings-page.js', __FILE__ ), array( 'jquery' ), $this->script_version, true );
24
  wp_localize_script( 'itsec-ssl-admin-script', 'itsec_ssl', $vars );
25
  }
26
-
27
  protected function render_description( $form ) {
28
-
29
  ?>
30
- <p><?php _e( 'Secure Socket Layers (SSL) is a technology that is used to encrypt the data sent between your server or host and a visitor to your web page. When SSL is activated, it makes it almost impossible for an attacker to intercept data in transit, therefore making the transmission of form, password or other encrypted data much safer.', 'better-wp-security' ); ?></p>
31
- <p><?php _e( 'This plugin gives you the option of turning on SSL (if your server or host supports it) for all or part of your site. The options below allow you to automatically use SSL for major parts of your site such as the login page, the admin dashboard or the site as a whole. You can also turn on SSL for any post or page by editing the content and selecting "Enable SSL" in the publishing options of the content in question.', 'better-wp-security' ); ?></p>
32
  <?php
33
-
34
  }
35
-
36
  protected function render_settings( $form ) {
37
- $has_ssl = ITSEC_Lib::get_ssl();
38
-
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
39
  $frontend_modes = array(
40
- 0 => __( 'Off', 'better-wp-security' ),
41
- 1 => __( 'Per Content', 'better-wp-security' ),
42
- 2 => __( 'Whole Site', 'better-wp-security' ),
43
  );
44
-
 
 
 
 
 
 
45
  ?>
46
- <p><?php _e( 'Note: While this plugin does give you the option of encrypting everything, SSL may not be for you. SSL does add overhead to your site which will increase download times slightly. Therefore we recommend you enable SSL at a minimum on the login page, then on the whole admin section and finally on individual pages or posts with forms that require sensitive information.', 'better-wp-security' ); ?></p>
47
-
48
- <?php if ( $has_ssl ) : ?>
49
- <div class="itsec-warning-message"><?php _e( '<strong>WARNING:</strong> Your server does appear to support SSL. Using these features without SSL support on your server or host will cause some or all of your site to become unavailable.', 'better-wp-security' ); ?></div>
50
  <?php else : ?>
51
- <div class="itsec-warning-message"><?php _e( '<strong>WARNING:</strong> Your server does not appear to support SSL. Your server MUST support SSL to use these features. Using these features without SSL support on your server or host will cause some or all of your site to become unavailable.', 'better-wp-security' ); ?></div>
 
 
 
 
52
  <?php endif; ?>
53
-
54
- <p><?php _e( 'Note: When turning SSL on you will be logged out and you will have to log back in. This is to prevent possible cookie conflicts that could make it more difficult to get in otherwise.', 'better-wp-security' ); ?></p>
55
-
56
  <table class="form-table itsec-settings-section">
57
  <tr>
58
- <th scope="row"><label for="itsec-ssl-frontend"><?php _e( 'Front End SSL Mode', 'better-wp-security' ); ?></label></th>
 
 
 
 
 
 
 
 
 
 
 
59
  <td>
60
  <?php $form->add_select( 'frontend', $frontend_modes ); ?>
61
- <br />
62
- <label for="itsec-ssl-frontend"><?php _e( 'Front End SSL Mode', 'better-wp-security' ); ?></label>
63
- <p class="description"><?php _e( 'Enables secure SSL connection for the front-end (public parts of your site). Turning this off will disable front-end SSL control, turning this on "Per Content" will place a checkbox on the edit page for all posts and pages (near the publish settings) allowing you to turn on SSL for selected pages or posts. Selecting "Whole Site" will force the whole site to use SSL.', 'better-wp-security' ); ?></p>
64
  </td>
65
  </tr>
66
- <tr>
67
- <th scope="row"><label for="itsec-ssl-admin"><?php _e( 'SSL for Dashboard', 'better-wp-security' ); ?></label></th>
68
  <td>
69
  <?php $form->add_checkbox( 'admin' ); ?>
70
- <label for="itsec-ssl-admin"><?php _e( 'Force SSL for Dashboard', 'better-wp-security' ); ?></label>
71
- <p class="description"><?php _e( 'Forces all dashboard access to be served only over an SSL connection.', 'better-wp-security' ); ?></p>
72
  </td>
73
  </tr>
74
  </table>
75
  <?php
76
-
77
  }
78
  }
79
 
1
  <?php
2
 
3
  final class ITSEC_SSL_Settings_Page extends ITSEC_Module_Settings_Page {
4
+ private $script_version = 3;
5
+
6
+
7
  public function __construct() {
8
  $this->id = 'ssl';
9
  $this->title = __( 'SSL', 'better-wp-security' );
10
  $this->description = __( 'Configure use of SSL to ensure that communications between browsers and the server are secure.', 'better-wp-security' );
11
  $this->type = 'recommended';
12
+
13
  parent::__construct();
14
  }
15
+
16
  public function enqueue_scripts_and_styles() {
17
  $vars = array(
18
  'translations' => array(
19
  'ssl_warning' => __( 'Are you sure you want to enable SSL? If your server does not support SSL you will be locked out of your WordPress Dashboard.', 'better-wp-security' ),
20
  ),
21
  );
22
+
23
  wp_enqueue_script( 'itsec-ssl-admin-script', plugins_url( 'js/settings-page.js', __FILE__ ), array( 'jquery' ), $this->script_version, true );
24
  wp_localize_script( 'itsec-ssl-admin-script', 'itsec_ssl', $vars );
25
  }
26
+
27
  protected function render_description( $form ) {
28
+
29
  ?>
30
+ <p><?php echo wp_kses( __( 'SSL is an important feature for every site. It protects user accounts from being compromised, protects the content from modifications by ISPs and attackers, protects potentially-sensitive information submitted to the site from <a href="https://en.wikipedia.org/wiki/Packet_analyzer">network sniffing</a>, could speed up performance of your site (depending on server configuration), and could improve your site\'s <a href="https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html">search engine rankings</a>.', 'better-wp-security' ), array( 'a' => array( 'href' => array() ) ) ); ?></p>
 
31
  <?php
32
+
33
  }
34
+
35
  protected function render_settings( $form ) {
36
+ $ssl_support_probability = ITSEC_Lib::get_ssl_support_probability();
37
+
38
+ $settings = ITSEC_Modules::get_settings( 'ssl' );
39
+ $ssl_is_enabled = false;
40
+
41
+ if ( 'enabled' === $settings['require_ssl'] || ( 'advanced' === $settings['require_ssl'] && $settings['admin'] ) ) {
42
+ $ssl_is_enabled = true;
43
+ }
44
+
45
+ $require_ssl_options = array(
46
+ 'disabled' => esc_html__( 'Disabled', 'better-wp-security' ),
47
+ 'enabled' => esc_html__( 'Enabled', 'better-wp-security' ),
48
+ 'advanced' => esc_html__( 'Advanced', 'better-wp-security' ),
49
+ );
50
+
51
+ if ( 100 === $ssl_support_probability ) {
52
+ $require_ssl_options['enabled'] = esc_html( 'Enabled (recommended)', 'better-wp-security' );
53
+ }
54
+
55
  $frontend_modes = array(
56
+ 0 => esc_html__( 'Off', 'better-wp-security' ),
57
+ 1 => esc_html__( 'Per Content', 'better-wp-security' ),
58
+ 2 => esc_html__( 'Whole Site', 'better-wp-security' ),
59
  );
60
+
61
+ if ( 'advanced' === $settings['require_ssl'] ) {
62
+ $hide_advanced_setting = '';
63
+ } else {
64
+ $hide_advanced_setting = ' style="display:none;"';
65
+ }
66
+
67
  ?>
68
+ <?php if ( 100 === $ssl_support_probability ) : ?>
69
+ <div class="inline notice notice-success notice-alt"><p><?php esc_html_e( 'Your site appears to support SSL. It is highly recommended that you select the "Enabled" setting below. This redirects all http traffic to your site to the https address, thus requiring everyone to access the site via SSL. In other words, it will force everyone to use a secure connection to the site.', 'better-wp-security' ); ?></p></div>
70
+ <?php elseif ( $ssl_support_probability > 0 ) : ?>
71
+ <div class="inline notice notice-warning notice-alt"><p><?php esc_html_e( 'Your site might support SSL. If the site is configured with a valid certificate that is not self-signed, it is highly recommended that you select the "Enabled" setting below. This redirects all http traffic to your site to the https address, thus requiring everyone to access the site via SSL. In other words, it will force everyone to use a secure connection to the site.', 'better-wp-security' ); ?></p></div>
72
  <?php else : ?>
73
+ <div class="inline notice notice-error notice-alt"><p><?php esc_html_e( 'Your site does not appear to support SSL. Only enable SSL if you know that the site properly supports SSL since enabling it on a site that does not properly support it will block all access to the site.', 'better-wp-security' ); ?></p></div>
74
+ <?php endif; ?>
75
+
76
+ <?php if ( ! $ssl_is_enabled && ! is_ssl() ) : ?>
77
+ <div class="inline notice notice-info notice-alt"><p><?php esc_html_e( 'Note: After enabling this feature, you will be logged out and you will have to log back in. This is to prevent possible cookie conflicts that could make it more difficult to get in otherwise.', 'better-wp-security' ); ?></p></div>
78
  <?php endif; ?>
79
+
 
 
80
  <table class="form-table itsec-settings-section">
81
  <tr>
82
+ <th scope="row"><label for="itsec-ssl-require_ssl"><?php esc_html_e( 'Redirect All HTTP Page Requests to HTTPS', 'better-wp-security' ); ?></label></th>
83
+ <td>
84
+ <?php $form->add_select( 'require_ssl', $require_ssl_options ); ?>
85
+ <ul>
86
+ <li><?php echo wp_kses( __( '<strong>Disabled</strong> - Use the site\'s default handling of page requests.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
87
+ <li><?php echo wp_kses( __( '<strong>Enabled</strong> - Redirect all http page requests to https.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
88
+ <li><?php echo wp_kses( __( '<strong>Advanced</strong> - Choose different settings for front-end and dashboard page requests.', 'better-wp-security' ), array( 'strong' => array() ) ); ?></li>
89
+ </ul>
90
+ </td>
91
+ </tr>
92
+ <tr class="itsec-ssl-advanced-setting"<?php echo $hide_advanced_setting; ?>>
93
+ <th scope="row"><label for="itsec-ssl-frontend"><?php esc_html_e( 'Front End SSL Mode', 'better-wp-security' ); ?></label></th>
94
  <td>
95
  <?php $form->add_select( 'frontend', $frontend_modes ); ?>
96
+ <p class="description"><?php esc_html_e( 'Enables secure SSL connection for the front-end (public parts of your site). Turning this off will disable front-end SSL control, turning this on "Per Content" will place a checkbox on the edit page for all posts and pages (near the publish settings) allowing you to turn on SSL for selected pages or posts. Selecting "Whole Site" will force the whole site to use SSL.', 'better-wp-security' ); ?></p>
 
 
97
  </td>
98
  </tr>
99
+ <tr class="itsec-ssl-advanced-setting"<?php echo $hide_advanced_setting; ?>>
100
+ <th scope="row"><label for="itsec-ssl-admin"><?php esc_html_e( 'SSL for Dashboard', 'better-wp-security' ); ?></label></th>
101
  <td>
102
  <?php $form->add_checkbox( 'admin' ); ?>
103
+ <label for="itsec-ssl-admin"><?php esc_html_e( 'Force SSL for Dashboard', 'better-wp-security' ); ?></label>
104
+ <p class="description"><?php esc_html_e( 'Forces all dashboard access to be served only over an SSL connection.', 'better-wp-security' ); ?></p>
105
  </td>
106
  </tr>
107
  </table>
108
  <?php
109
+
110
  }
111
  }
112
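Review bot: line 52 calls `esc_html( 'Enabled (recommended)', 'better-wp-security' )`; `esc_html()` takes a single argument and does not translate, so the text domain is ignored and the label never reaches the translation tables. It should be `esc_html__( 'Enabled (recommended)', 'better-wp-security' )` to match the other options on lines 46-48. Also, the `ssl_warning` string localized on lines 17-24 no longer has a consumer in `js/settings-page.js`.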
 
core/modules/ssl/settings.php CHANGED
@@ -4,11 +4,12 @@ final class ITSEC_SSL_Settings extends ITSEC_Settings {
4
  public function get_id() {
5
  return 'ssl';
6
  }
7
-
8
  public function get_defaults() {
9
  return array(
10
- 'frontend' => 0,
11
- 'admin' => false,
 
12
  );
13
  }
14
  }
4
  public function get_id() {
5
  return 'ssl';
6
  }
7
+
8
  public function get_defaults() {
9
  return array(
10
+ 'require_ssl' => 'disabled',
11
+ 'frontend' => 0,
12
+ 'admin' => false,
13
  );
14
  }
15
  }
core/modules/ssl/setup.php CHANGED
@@ -94,6 +94,13 @@ if ( ! class_exists( 'ITSEC_SSL_Setup' ) ) {
94
  }
95
  }
96
 
 
 
 
 
 
 
 
97
  }
98
 
99
  }
94
  }
95
  }
96
 
97
+ if ( $itsec_old_version < 4074 ) {
98
+ $settings = ITSEC_Modules::get_settings( 'ssl' );
99
+
100
+ if ( 0 !== $settings['frontend'] || $settings['admin'] ) {
101
+ ITSEC_Modules::set_setting( 'ssl', 'require_ssl', 'advanced' );
102
+ }
103
+ }
104
  }
105
 
106
  }
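Review bot: the migration on lines 97-103 only flips `require_ssl` to `advanced` when the old front-end or dashboard setting was active, which preserves prior behaviour. The `0 !== $settings['frontend']` comparison relies on the stored value being an int; the validator's `positive-int` sanitizer guarantees that for values saved by recent releases but not for anything written before it existed, so `0 !== (int) $settings['frontend']` would be safer. The threshold `4074` here versus `4073` in wordpress-tweaks/setup.php is worth a comment naming the release each corresponds to.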
core/modules/ssl/validator.php CHANGED
@@ -4,27 +4,48 @@ class ITSEC_SSL_Validator extends ITSEC_Validator {
4
  public function get_id() {
5
  return 'ssl';
6
  }
7
-
8
  protected function sanitize_settings() {
9
- $this->sanitize_setting( 'positive-int', 'frontend', __( 'Front End SSL Mode', 'better-wp-security' ) );
10
- $this->sanitize_setting( array( 0, 1, 2 ), 'frontend', __( 'Front End SSL Mode', 'better-wp-security' ) );
11
- $this->sanitize_setting( 'bool', 'admin', __( 'SSL for Dashboard', 'better-wp-security' ) );
 
12
  }
13
-
14
  protected function validate_settings() {
15
  if ( ! $this->can_save() ) {
16
  return;
17
  }
18
-
19
-
20
  $previous_settings = ITSEC_Modules::get_settings( $this->get_id() );
21
-
 
 
 
 
 
 
 
22
  if ( $this->settings['admin'] !== $previous_settings['admin'] ) {
 
 
 
 
 
 
 
 
 
 
 
 
 
23
  ITSEC_Response::regenerate_wp_config();
24
-
25
- if ( $this->settings['admin'] ) {
26
- ITSEC_Response::force_logout();
27
- }
28
  }
29
  }
30
  }
4
  public function get_id() {
5
  return 'ssl';
6
  }
7
+
8
  protected function sanitize_settings() {
9
+ $this->sanitize_setting( array( 'disabled', 'enabled', 'advanced' ), 'require_ssl', esc_html__( 'Require SSL', 'better-wp-security' ) );
10
+ $this->sanitize_setting( 'positive-int', 'frontend', esc_html__( 'Front End SSL Mode', 'better-wp-security' ) );
11
+ $this->sanitize_setting( array( 0, 1, 2 ), 'frontend', esc_html__( 'Front End SSL Mode', 'better-wp-security' ) );
12
+ $this->sanitize_setting( 'bool', 'admin', esc_html__( 'SSL for Dashboard', 'better-wp-security' ) );
13
  }
14
+
15
  protected function validate_settings() {
16
  if ( ! $this->can_save() ) {
17
  return;
18
  }
19
+
20
+
21
  $previous_settings = ITSEC_Modules::get_settings( $this->get_id() );
22
+
23
+ $regenerate_wp_config = false;
24
+ $force_logout = false;
25
+
26
+ if ( $this->settings['require_ssl'] !== $previous_settings['require_ssl'] ) {
27
+ $regenerate_wp_config = true;
28
+ }
29
+
30
  if ( $this->settings['admin'] !== $previous_settings['admin'] ) {
31
+ $regenerate_wp_config = true;
32
+ }
33
+
34
+ if (
35
+ ( 'enabled' === $this->settings['require_ssl'] && 'enabled' !== $previous_settings['require_ssl'] ) ||
36
+ ( 'advanced' === $this->settings['require_ssl'] && 'advanced' !== $previous_settings['require_ssl'] && $this->settings['admin'] ) ||
37
+ ( 'advanced' === $this->settings['require_ssl'] && $this->settings['admin'] && ! $previous_settings['admin'] )
38
+ ) {
39
+ $force_logout = true;
40
+ }
41
+
42
+
43
+ if ( $regenerate_wp_config ) {
44
  ITSEC_Response::regenerate_wp_config();
45
+ }
46
+
47
+ if ( $force_logout && ! is_ssl() ) {
48
+ ITSEC_Response::force_logout();
49
  }
50
  }
51
  }
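Review bot: the error label passed for `require_ssl` on line 9 is `Require SSL`, but the control is rendered as `Redirect All HTTP Page Requests to HTTPS` in settings-page.php, so a validation error would name a field the user cannot find; use the on-screen label. The logout rules on lines 34-40 read correctly (newly `enabled`, newly `advanced` with admin on, or admin newly enabled under `advanced`), and gating `force_logout()` on `! is_ssl()` at line 47 matches the changelog; a short comment above the three-clause condition would save the next reader from re-deriving it.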
core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php CHANGED
@@ -70,8 +70,6 @@ final class ITSEC_WordPress_Tweaks {
70
 
71
  $this->settings = ITSEC_Modules::get_settings( 'wordpress-tweaks' );
72
 
73
- add_action( 'wp_print_scripts', array( $this, 'store_jquery_version' ) );
74
-
75
  // Functional code for the allow_xmlrpc_multiauth setting.
76
  if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && ! $this->settings['allow_xmlrpc_multiauth'] ) {
77
  add_filter( 'authenticate', array( $this, 'block_multiauth_attempts' ), 0, 3 );
@@ -97,10 +95,6 @@ final class ITSEC_WordPress_Tweaks {
97
 
98
  add_filter( 'rest_dispatch_request', array( $this, 'filter_rest_dispatch_request' ), 10, 4 );
99
 
100
- if ( $this->settings['safe_jquery'] ) {
101
- add_action( 'wp_enqueue_scripts', array( $this, 'current_jquery' ) );
102
- }
103
-
104
  //Process remove login errors
105
  if ( $this->settings['login_errors'] ) {
106
  add_filter( 'login_errors', '__return_null' );
@@ -280,30 +274,6 @@ final class ITSEC_WordPress_Tweaks {
280
  die( __( 'XML-RPC services are disabled on this site.' ) );
281
  }
282
 
283
- /**
284
- * Attempt to force the core version of jQuery to be loaded.
285
- *
286
- * This will deregister the current version of jQuery and re-enqueue with the core version of the script.
287
- *
288
- * This could probably be refactored to use the 'script_loader_src' filter.
289
- */
290
- public function current_jquery() {
291
-
292
- if ( ! is_admin() ) {
293
-
294
- wp_deregister_script( 'jquery' );
295
- wp_deregister_script( 'jquery-core' );
296
-
297
- wp_register_script( 'jquery', false, array( 'jquery-core', 'jquery-migrate' ), '1.11.0' );
298
- wp_register_script( 'jquery-core', '/' . WPINC . '/js/jquery/jquery.js', false, '1.11.0' );
299
-
300
- wp_enqueue_script( 'jquery' );
301
- wp_enqueue_script( 'jquery-core' );
302
-
303
- }
304
-
305
- }
306
-
307
  /**
308
  * Redirects to 404 page if the requested author has 0 posts.
309
  *
@@ -368,22 +338,6 @@ final class ITSEC_WordPress_Tweaks {
368
 
369
  }
370
 
371
- /**
372
- * Gets the version of jQuery enqueued
373
- */
374
- function store_jquery_version() {
375
- global $wp_scripts;
376
-
377
- if ( ( is_home() || is_front_page() ) && is_user_logged_in() ) {
378
- $stored_jquery_version = ITSEC_Modules::get_setting( 'wordpress-tweaks', 'jquery_version' );
379
- $current_jquery_version = $wp_scripts->registered['jquery']->ver;
380
-
381
- if ( $current_jquery_version !== $stored_jquery_version ) {
382
- ITSEC_Modules::set_setting( 'wordpress-tweaks', 'jquery_version', $current_jquery_version );
383
- }
384
- }
385
- }
386
-
387
  /**
388
  * Removes the pingback header
389
  *
70
 
71
  $this->settings = ITSEC_Modules::get_settings( 'wordpress-tweaks' );
72
 
 
 
73
  // Functional code for the allow_xmlrpc_multiauth setting.
74
  if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && ! $this->settings['allow_xmlrpc_multiauth'] ) {
75
  add_filter( 'authenticate', array( $this, 'block_multiauth_attempts' ), 0, 3 );
95
 
96
  add_filter( 'rest_dispatch_request', array( $this, 'filter_rest_dispatch_request' ), 10, 4 );
97
 
 
 
 
 
98
  //Process remove login errors
99
  if ( $this->settings['login_errors'] ) {
100
  add_filter( 'login_errors', '__return_null' );
274
  die( __( 'XML-RPC services are disabled on this site.' ) );
275
  }
276
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
277
  /**
278
  * Redirects to 404 page if the requested author has 0 posts.
279
  *
338
 
339
  }
340
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
341
  /**
342
  * Removes the pingback header
343
  *
core/modules/wordpress-tweaks/settings-page.php CHANGED
@@ -38,22 +38,6 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
38
  'default-access' => esc_html__( 'Default Access', 'better-wp-security' ),
39
  );
40
 
41
-
42
- $jquery_version = ITSEC_Modules::get_setting( $this->id, 'jquery_version' );
43
- $jquery_version_is_safe = ITSEC_Lib::is_jquery_version_safe();
44
-
45
- if ( empty( $jquery_version ) ) {
46
- $jquery_description = sprintf( __( 'Your current jQuery version is undetermined. Please <a href="%1$s" target="_blank" rel="noopener noreferrer">check your homepage</a> to see if you even need this feature' ), site_url() );
47
- } else {
48
- $jquery_description = sprintf( __( 'Your current jQuery version is %1$s' ), $jquery_version );
49
- }
50
-
51
- if ( $jquery_version_is_safe ) {
52
- $jquery_description_color = 'green';
53
- } else {
54
- $jquery_description_color = 'red';
55
- }
56
-
57
  ?>
58
  <p><?php esc_html_e( 'Note: These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.', 'better-wp-security' ); ?></p>
59
  <p><?php esc_html_e( 'Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.', 'better-wp-security' ); ?></p>
@@ -124,19 +108,6 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
124
  </ul>
125
  </td>
126
  </tr>
127
- <tr>
128
- <th scope="row"><label for="itsec-wordpress-tweaks-safe_jquery"><?php esc_html_e( 'Replace jQuery With a Safe Version', 'better-wp-security' ); ?></label></th>
129
- <td>
130
- <?php if ( $jquery_version_is_safe ) : ?>
131
- <?php $form->add_checkbox( 'safe_jquery' ); ?>
132
- <label for="itsec-wordpress-tweaks-safe_jquery"><?php esc_html_e( 'Enqueue a safe version of jQuery', 'better-wp-security' ); ?></label>
133
- <p class="description"><?php esc_html_e( 'Remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).', 'better-wp-security' ); ?></p>
134
- <?php endif; ?>
135
-
136
- <p class="description" style="color: <?php echo esc_attr( $jquery_description_color ); ?>"><?php echo $jquery_description; ?></p>
137
- <p class="description"><?php printf( wp_kses( __( 'Note that this only checks the homepage of your site and only for users who are logged in. This is done intentionally to save resources. If you think this is in error <a href="%s" target="_blank" rel="noopener noreferrer">click here to check again</a>. This will open your homepage in a new window allowing the plugin to determine the version of jQuery actually being used. You can then come back here and reload this page to see your version.', 'better-wp-security' ), array( 'a' => array( 'href' => array(), 'target' => array(), 'rel' => array() ) ) ), site_url() ); ?></p>
138
- </td>
139
- </tr>
140
  <tr>
141
  <th scope="row"><label for="itsec-wordpress-tweaks-login_errors"><?php esc_html_e( 'Login Error Messages', 'better-wp-security' ); ?></label></th>
142
  <td>
38
  'default-access' => esc_html__( 'Default Access', 'better-wp-security' ),
39
  );
40
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
41
  ?>
42
  <p><?php esc_html_e( 'Note: These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.', 'better-wp-security' ); ?></p>
43
  <p><?php esc_html_e( 'Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.', 'better-wp-security' ); ?></p>
108
  </ul>
109
  </td>
110
  </tr>
 
 
 
 
 
 
 
 
 
 
 
 
 
111
  <tr>
112
  <th scope="row"><label for="itsec-wordpress-tweaks-login_errors"><?php esc_html_e( 'Login Error Messages', 'better-wp-security' ); ?></label></th>
113
  <td>
core/modules/wordpress-tweaks/settings.php CHANGED
@@ -14,11 +14,9 @@ final class ITSEC_Wordpress_Tweaks_Settings extends ITSEC_Settings {
14
  'disable_xmlrpc' => 0,
15
  'allow_xmlrpc_multiauth' => false,
16
  'rest_api' => 'default-access',
17
- 'safe_jquery' => false,
18
  'login_errors' => false,
19
  'force_unique_nicename' => false,
20
  'disable_unused_author_pages' => false,
21
- 'jquery_version' => '',
22
  'block_tabnapping' => false,
23
  );
24
  }
14
  'disable_xmlrpc' => 0,
15
  'allow_xmlrpc_multiauth' => false,
16
  'rest_api' => 'default-access',
 
17
  'login_errors' => false,
18
  'force_unique_nicename' => false,
19
  'disable_unused_author_pages' => false,
 
20
  'block_tabnapping' => false,
21
  );
22
  }
core/modules/wordpress-tweaks/setup.php CHANGED
@@ -132,6 +132,15 @@ if ( ! class_exists( 'ITSEC_WordPress_Tweaks_Setup' ) ) {
132
  ITSEC_Modules::set_settings( 'wordpress-tweaks', $settings );
133
  }
134
  }
 
 
 
 
 
 
 
 
 
135
  }
136
 
137
  }
132
  ITSEC_Modules::set_settings( 'wordpress-tweaks', $settings );
133
  }
134
  }
135
+
136
+ if ( $itsec_old_version < 4073 ) {
137
+ $settings = ITSEC_Modules::get_settings( 'wordpress-tweaks' );
138
+
139
+ unset( $settings['safe_jquery'] );
140
+ unset( $settings['jquery_version'] );
141
+
142
+ ITSEC_Modules::set_settings( 'wordpress-tweaks', $settings );
143
+ }
144
  }
145
 
146
  }
core/modules/wordpress-tweaks/validator.php CHANGED
@@ -8,14 +8,6 @@ class ITSEC_WordPress_Tweaks_Validator extends ITSEC_Validator {
8
  protected function sanitize_settings() {
9
  $previous_settings = ITSEC_Modules::get_settings( $this->get_id() );
10
 
11
- if ( ! isset( $this->settings['jquery_version'] ) ) {
12
- $this->settings['jquery_version'] = $previous_settings['jquery_version'];
13
- }
14
-
15
- if ( ! isset( $this->settings['safe_jquery'] ) ) {
16
- $this->settings['safe_jquery'] = false;
17
- }
18
-
19
  $this->sanitize_setting( 'bool', 'wlwmanifest_header', __( 'Windows Live Writer Header', 'better-wp-security' ) );
20
  $this->sanitize_setting( 'bool', 'edituri_header', __( 'EditURI Header', 'better-wp-security' ) );
21
  $this->sanitize_setting( 'bool', 'comment_spam', __( 'Comment Spam', 'better-wp-security' ) );
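Review bot: With the removed block gone, `$previous_settings`, assigned at the top of `sanitize_settings()`, has no remaining use in the visible lines; if nothing later in the method references it, delete the assignment too, otherwise it is a dead `ITSEC_Modules::get_settings()` call on every settings save.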
@@ -24,7 +16,6 @@ class ITSEC_WordPress_Tweaks_Validator extends ITSEC_Validator {
24
  $this->sanitize_setting( array( 0, 1, 2 ), 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
25
  $this->sanitize_setting( 'bool', 'allow_xmlrpc_multiauth', __( 'Multiple Authentication Attempts per XML-RPC Request', 'better-wp-security' ) );
26
  $this->sanitize_setting( array( 'default-access', 'restrict-access' ), 'rest_api', __( 'REST API', 'better-wp-security' ) );
27
- $this->sanitize_setting( 'bool', 'safe_jquery', __( 'Replace jQuery With a Safe Version', 'better-wp-security' ) );
28
  $this->sanitize_setting( 'bool', 'login_errors', __( 'Login Error Messages', 'better-wp-security' ) );
29
  $this->sanitize_setting( 'bool', 'force_unique_nicename', __( 'Force Unique Nickname', 'better-wp-security' ) );
30
  $this->sanitize_setting( 'bool', 'disable_unused_author_pages', __( 'Disable Extra User Archives', 'better-wp-security' ) );
8
  protected function sanitize_settings() {
9
  $previous_settings = ITSEC_Modules::get_settings( $this->get_id() );
10
 
 
 
 
 
 
 
 
 
11
  $this->sanitize_setting( 'bool', 'wlwmanifest_header', __( 'Windows Live Writer Header', 'better-wp-security' ) );
12
  $this->sanitize_setting( 'bool', 'edituri_header', __( 'EditURI Header', 'better-wp-security' ) );
13
  $this->sanitize_setting( 'bool', 'comment_spam', __( 'Comment Spam', 'better-wp-security' ) );
16
  $this->sanitize_setting( array( 0, 1, 2 ), 'disable_xmlrpc', __( 'XML-RPC', 'better-wp-security' ) );
17
  $this->sanitize_setting( 'bool', 'allow_xmlrpc_multiauth', __( 'Multiple Authentication Attempts per XML-RPC Request', 'better-wp-security' ) );
18
  $this->sanitize_setting( array( 'default-access', 'restrict-access' ), 'rest_api', __( 'REST API', 'better-wp-security' ) );
 
19
  $this->sanitize_setting( 'bool', 'login_errors', __( 'Login Error Messages', 'better-wp-security' ) );
20
  $this->sanitize_setting( 'bool', 'force_unique_nicename', __( 'Force Unique Nickname', 'better-wp-security' ) );
21
  $this->sanitize_setting( 'bool', 'disable_unused_author_pages', __( 'Disable Extra User Archives', 'better-wp-security' ) );
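Review bot: Removing the `sanitize_setting( 'bool', 'safe_jquery', ... )` call is only safe if the base `ITSEC_Validator` discards submitted keys that were never passed through `sanitize_setting()`; if unknown keys survive into the stored settings, a stale settings form could still write `safe_jquery` / `jquery_version` unvalidated and undo the setup.php cleanup. This diff does not show the base class behaviour, so confirm it strips unsanitized keys.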
history.txt CHANGED
@@ -669,3 +669,11 @@
669
  Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
670
  Bug Fix: Fixed method of working around Hide Backend.
671
  Bug Fix: Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
 
 
 
 
 
 
 
 
669
  Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
670
  Bug Fix: Fixed method of working around Hide Backend.
671
  Bug Fix: Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
672
+ 6.5.0 - 2017-08-23 - Chris Jean & Timothy Jacobs
673
+ Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
674
+ Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP directly.
675
+ Enhancement: Enabling SSL support will only log you out if you are not already on an https connection.
676
+ Enhancement: Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
677
+ Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
678
+ Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
679
+ Bug Fix: Fixed way to work around Hide Backend on some hosts.
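Review bot: The `Removed Old Feature:` label on the jQuery entry is new; earlier entries for the same kind of change use `Feature Removal:` (see the 5.2.0, 4.9.0 and 4.8.0 readme entries elsewhere in this diff), so use the established label for consistency. The last added line, `Fixed way to work around Hide Backend on some hosts`, also reads almost identically to the existing Hide Backend bug-fix entry just above it; say what differs (which hosts, or what changed in the workaround) so the two entries are distinguishable.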
readme.txt CHANGED
@@ -1,9 +1,9 @@
1
  === iThemes Security (formerly Better WP Security) ===
2
- Contributors: ithemes, chrisjean, gerroald, mattdanner
3
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
4
  Requires at least: 4.6
5
- Tested up to: 4.8
6
- Stable tag: 6.4.0
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
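Review bot: `Stable tag: 6.4.0` and `Tested up to: 4.8` are removed here but their replacements are not rendered in this view; confirm the new stable tag is `6.5.0` to match the history.txt entry in this release, since wordpress.org serves whatever version the stable tag names, and confirm the `Tested up to` value reflects a WordPress release the plugin was actually tested against rather than a bump made to clear the compatibility warning.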
@@ -188,6 +188,15 @@ Free support may be available with the help of the community in the <a href="htt
188
 
189
  == Changelog ==
190
 
 
 
 
 
 
 
 
 
 
191
  = 6.4.0 =
192
  * Enhancement: Replaced file locking with database locking. This method of locking is compatible with all systems as it does not require the ability to write files. It also allows for locking to work on sites that have multiple front-end servers with a shared database. Since file locking is no longer used, the Global Settings > Disable File Locking setting was removed.
193
  * Enhancement: Add "Copy to Clipboard" functionality for server and wp-config rules.
@@ -343,1371 +352,7 @@ Free support may be available with the help of the community in the <a href="htt
343
  * Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
344
  * Enhancement: The "Ban Lists" setting of Banned Users is now enabled by default.
345
 
346
- = 5.5.0 =
347
- * New Feature: Added a new File Permissions section on the settings page to bring back the directory and file permissions listing feature found on the Security > Dashboard page of older plugin versions.
348
- * Bug Fix: Fixed a situation where adding a very large list of IP's in the Ban Hosts list would generate an invalid .htaccess file on some servers.
349
- * Enhancement: The Database Backups, Local Brute Force Protection, Network Brute Force Protection, Strong Password Enforcement, and WordPress Tweaks features are now active by default on new installations.
350
- * Enhancement: The WordPress Tweaks feature now uses the "Disable File Editor" setting by default on new installations.
351
- * Enhancement: The WordPress Tweaks feature now sets the "Multiple Authentication Attempts per XML-RPC Request" setting to "Block" by default on new installations.
352
- * Enhancement: Improved the styling of notices.
353
-
354
- = 5.4.5 =
355
- * Bug Fix: Fixed SQL query for Database Backups when "Backup Full Database" is enabled.
356
-
357
- = 5.4.4 =
358
- * Bug Fix: Fixed bug that could cause some sites to lose settings when upgrading.
359
-
360
- = 5.4.3 =
361
- * Bug Fix: Don't rely on externally loaded MailChimp JavaScript.
362
-
363
- = 5.4.2 =
364
- * Bug Fix: Fixed links to Settings, Logs, and creating a backup on Multisite.
365
- * Enhancement: The "Write to Files" setting is now enabled by default.
366
-
367
- = 5.4.1 =
368
- * Bug Fix: Fixed error that would prevent nginx servers from being able to make use of the "Reduce Comment Spam" feature of the WordPress Tweaks module.
369
- * Bug Fix: Restored missing log filter for 404 Detection log entries.
370
-
371
- = 5.4.0 =
372
- * Enhancement: New user interface with both grid and list views for managing settings.
373
- * Enhancement: New automatic temp whitelisting of IPs for users that manage iThemes Security settings.
374
- * Enhancement: Better feedback on errors when modifying wp-config.php or server config files.
375
- * Enhancement: Improved code efficiency of the Away Mode feature so that it takes less processing time when active.
376
- * Enhancement: Rather than disabling features that have invalid user input, the user now can fix the issue before saving.
377
- * Enhancement: Improved the efficiency of the plugin's loading code, reducing the amount of time taken to run the plugin.
378
- * New Feature: Global settings now has a "Show Error Codes" setting that can provide an error message's specific error code when it is enabled.
379
- * Bug Fix: More than one IP can now be temp whitelisted.
380
- * Bug Fix: Fixed a bug where some modules would be enabled or disabled when they shouldn't be after upgrading to the latest version.
381
- * Bug Fix: Will not send notification emails about the new login address when Hide Backend is enabled and doing an upgrade.
382
- * Compatibility Fix: Updated handling of wp_remote_get() responses in preparation for changes coming in WordPress 4.6.
383
-
384
- = 5.3.7 =
385
- * Bug Fix: Throw a real 403 instead of a faked 404 for hide backend - Fixes compatability with certain plugins including WordPress SEO. Hat tip to Joost de Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.
386
-
387
- = 5.3.6 =
388
- * Security Fix: Better caps checks for dismissal of changed file dialog - Thanks to Julio Potier for notifying us of this issue.
389
- * Bug Fix: Make file change warning dialog text properly translatable
390
- * Enhancement: Adding 'itsec_log_event' action for logged events
391
-
392
- = 5.3.5 =
393
- * Security Fix: No longer using document.location to build 'Show Intro' link in admin - Thanks to David Lodge (Pen Test Partners) for notifying us of this issue.
394
- * Bug Fix: Fixed some notices when certain multisite options are used on BuddyPress
395
- * Enhancement: New itsec_white_ips filter to allow plugins that work with external services to whitelist service IPs
396
-
397
- = 5.3.4 =
398
- * Bug Fix: Fixed issue that could cause a fatal error after changing the content directory.
399
- * Bug Fix: Updated the link to sign up for security guide download to point to a https address. This is better security and prevents warnings when submitting from a http site in some browsers.
400
- * Bug Fix: If a cryptographically secure log file name can't be generated, queue up log file writes until we can.
401
-
402
- = 5.3.3 =
403
- * Bug Fix: Fixed temporary whitelisting by preventing a temporarily whitelisted IP from being locked out.
404
-
405
- = 5.3.2 =
406
- * Bug Fix: Updated code that generates the backups and logs directories to ensure that it attempts to create the parent directory if it does not exist yet.
407
- * Bug Fix: Removed warnings that could be generated if the logs directory could not be created.
408
- * Bug Fix: Database backup files sent via email no longer have a name without an extension if zipping up the file fails.
409
-
410
- = 5.3.1 =
411
- * Security Fix: Hardened the created backups and logs directories. Thanks to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
412
- * Security Fix: More secure backup and log file names. Thanks to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
413
- * Bug Fix: The "NGINX Conf File" setting is now properly respected, causing the generated NGINX configuration file to be stored in that location.
414
- * Enhancement: Generated database backup file names now contain a human-readable timestamp in the format of YYYYMMDD-HHMMSS.
415
- * Enhancement: Zipped database backup files no longer contain a deeply nested directory structure. Instead, they only contain the sql file.
416
- * Enhancement: When the "Force Unique Nickname" feature is enabled, the generated display name now uses an improved randomization function.
417
- * Enhancement: Improved tabbing of rules in generated nginx.conf files.
418
- * Enhancement: Removed the "See what's new button" as it has fulfilled its purpose.
419
-
420
- = 5.3.0 =
421
- * New Feature: Added support for IPv6 addresses. This includes support for IPv6 in lockouts, ban hosts, and white lists.
422
- * Bug Fix: Fixed issue that could cause username-based lockouts to fail for long usernames.
423
- * Bug Fix: Fixed issue that prevented wildcard IP ranges from being blacklisted or whitelisted.
424
- * Bug Fix: Removed warnings generated when the Away Mode module is disabled and iThemes Sync contacts the site.
425
- * Enhancement: Updated descriptions of valid IP and IP range formats for the Lockout White List and the Ban Hosts settings.
426
- * Enhancement: Updated host entries in log details to link to traceip.net rather than ip-adress.com. This is because ip-adress.com does not support IPv6 addresses.
427
- * Enhancement: Updated some translatable strings relating to blacklisting and whitelisting to allow for better translations.
428
- * Enhancement: Added details about how wildcard IP ranges are converted to CIDR format (this improves performance).
429
-
430
- = 5.2.1 =
431
- * Bug Fix: Comparisons of IPv4 addresses and ranges now include the IP's at the edge of the ranges.
432
- * Bug Fix: IPv4 tests now work as expected when deciding if a blacklisted IP or range overlaps a whitelisted IP's and ranges.
433
- * Bug Fix: Fixed styling issue that affected the display of the horizontal tabs on settings pages in WordPress 4.5.
434
- * Bug Fix: Replaced old module sorting order in settings screens.
435
- * Bug Fix: Fixed PHP 7 compatibility issue that triggers the following error: "Uncaught Error: Call to undefined function mysql_get_client_info()".
436
- * Bug Fix: Fixed warnings and errors that could occur when deleting the plugin.
437
- * Bug Fix: Fixed warning that could occur on a failed login when Local Brute Force Detection is disabled.
438
- * Bug Fix: All data added to the options table by iThemes Security is removed on uninstall.
439
- * Bug Fix: Fixed the cause of the following warning: call_user_func_array() expects parameter 1 to be a valid callback, class 'ITSEC_SSL_Setup' does not have a method 'execute_deactivate'
440
- * Enhancement: When a lockout is being executed, wp_logout() will only be called if the current page request comes from a logged in user. This prevents plugins that log logout events from logging log outs from unknown users.
441
- * Enhancement: Improved the descriptions used for some of the data displayed in the "System Information" section of Security > Dashboard.
442
- * Enhancement: Added "Use MySQLi" entry to the "System Information" section of Security > Dashboard to show whether the MySQLi driver is enabled.
443
- * Enhancement: Updated the "SQL Mode" entry in the "System Information" section of Security > Dashboard to show the full details if that value is set.
444
- * Enhancement: Improved code that ensures that tables and options table entries created by iThemes Security are removed on uninstall only when no other iThemes Security plugin is active.
445
-
446
- = 5.2.0 =
447
- * Security Fix: Fixed PHP code that could allow AJAX requests to list directories and files outside the directory structure of the WordPress installation. Note that these AJAX requests required a logged in user with admin-level privileges. This vulnerability was unable to be exploited by non-privileged or anonymous requests.
448
- * Bug Fix: Updated the SSL feature to use 301 redirects rather than 302 redirects.
449
- * Bug Fix: Fixed situations where security nonces would incorrectly trigger "security check" errors when enabling specific combinations of features on the settings page.
450
- * Bug Fix: Enabling scheduled database backups and setting a backup interval of 0 days no longer results in a backup being created on every page load.
451
- * Bug Fix: Module-specific data is properly initialized/removed on plugin activation, deactivation, and uninstallation.
452
- * Feature Removal: Removed the "Security Status" portion of the Security > Dashboard page. This is in preparation for a new tool that provides suggestions tailored to the site and server that Security is running on.
453
- * Enhancement: Updated the way the feature modules function in order to allow them to be redesigned in a more efficient and flexible way for future releases.
454
- * Enhancement: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
455
- * Enhancement: Updated the Database Backup feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
456
- * Enhancement: Added localization support for some non-localized strings.
457
- * Enhancement: Improved detection of multiple active versions of iThemes Security.
458
-
459
- = 5.1.1 =
460
- * Enhancement: Removed Yandex and Sogou from the HackRepair blacklist as they are legitimate search engine bots.
461
- * Enhancement: Added detailed information about Sucuri malware scan errors to Malware Scan log details.
462
- * Bug Fix: No longer enables display of database errors when an event is logged.
463
-
464
- = 5.1.0 =
465
- * New Feature: Added "Multiple Authentication Attempts per XML-RPC Request" setting to the WordPress Tweaks section. When this setting is set to "Block", iThemes Security will block brute force login attacks against XML-RPC as described by Sucuri in this blog post: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
466
- * Enhancement: Updated text describing the XML-RPC setting in the WordPress Tweaks section to better explain what the setting is for and which setting is recommended.
467
- * Enhancement: Improved IP detection when proxy detection is active by processing the header set by CloudFlare.
468
- * Enhancement: Added a filter named itsec_filter_remote_addr_headers which can be used to change which headers are searched for the client IP. This allows for tailoring the IP detection for specific reverse proxies and load balancers.
469
- * Bug Fix: Updated the Banned Users settings to no longer add a newline to the Ban Hosts input each time the settings page is saved.
470
- * Compatibility Fix: Updated code triggered by the ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY define. This avoids plugin compatibility issues that prevent disabling the SSL peer verification.
471
-
472
- = 5.0.1 =
473
- * Compatibility Fix: Added support for ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY. Setting it to true can bypass "SSL peer certificate or SSH remote key was not OK" errors on servers with bad SSL configurations.
474
-
475
- = 5.0.0 =
476
- * Compatibility Fix: Changed translation domain from it-l10n-better-wp-security to better-wp-security. This change was necessary in order to be included in the translate.wordpress.org project.
477
- * New Feature: Added malware scanning provided by Sucuri SiteCheck.
478
-
479
- = 4.9.0 =
480
- * Feature Removal: Removed the "Remove WordPress Generator Meta Tag" and "Display Random Version" features as they are not recommended due to limited security benefit and creating compatibility issues.
481
- * Enhancement: Added the ability to undo the Content Directory change.
482
- * Bug Fix: No longer tries to load a non-existent JavaScript file for the salts module.
483
- * Bug Fix: Fixed an issue with one-time database backups on multi-site installs.
484
- * Bug Fix: Fixed issues related to locating .htaccess or nginx.conf files on sites with WordPress installed in a separate directory.
485
- * Bug Fix: Fixed issues with PHP blocking in uploads directory not working with certain non-standard setups.
486
- * Bug Fix: Minor change to fix a warning that can appear after changing the Content Directory.
487
- * Bug Fix: Fixed a PHP fatal error that could occur on some servers when adding a ban to the site's .htaccess or nginx.conf file.
488
-
489
- = 4.8.0 =
490
- * Feature Removal: Removed the malware scanning features as VirusTotal no longer supports scanning from WordPress sites. A replacement is in the works.
491
- * Bug Fix: The close button on the "Thank you for activating iThemes Security" message now appears in the correct location.
492
- * Bug Fix: Removed the site's URL being displayed in the "Replace jQuery With a Safe Version" setting details.
493
- * Bug Fix: Updated .htaccess rules to be compatible with Apache 2.4 without the auth compat module.
494
- * Bug Fix: Enabling and disabling the "Remove File Writing Permissions" setting now updates the file permissions properly.
495
- * Bug Fix: Web servers that cannot be recognized now default to Apache.
496
- * Enhancement: Updated the hackrepair lists.
497
-
498
- = 4.7.0 =
499
- * Enhancement: Updated to use new file modification API.
500
- * Enhancement: Added HackRepair.com blacklist for Nginx.
501
- * Enhancement: Improved Nginx support for System Tweak features.
502
- * Enhancement: Updates to wp-config.php, .htaccess, and nginx.conf files now support more systems.
503
- * Enhancement: Combined the "Force SSL for Dashboard" and "Force SSL for Login" settings to a unified "Force SSL for Dashboard" setting. This is due to how the FORCE_SSL_LOGIN define was deprecated in WP 4.0.0.
504
- * Enhancement: Added comments to wp-config.php, .htaccess, and nginx.conf updates that indicate which settings affect the specific entries.
505
- * Enhancement: Added translation support for previously static strings, including strings used for comments in wp-config.php, .htaccess, and nginx.conf files.
506
- * Enhancement: Improved generation of valid referers for use by the Reduce Comment Spam feature.
507
- * Enhancement: Broadened the server support in the import settings code.
508
- * Enhancement: Added new library classes for managing files, directories, and config files.
509
- * Enhancement: Improved error messages for when file writes fail.
510
- * Enhancement: Improved error messages for when export file creation fails.
511
- * Enhancement: Improved error messages for situations when the .htaccess, nginx.conf, or wp-config.php files may need to be manually updated.
512
- * Bug Fix: Added support for Apache 2.4 without the access_compat module.
513
- * Bug Fix: Fixed condition where forcing SSL on front-end pages could cause infinite redirection loops with specific setups of nginx to Apache reverse proxy servers.
514
- * Bug Fix: Fixed scenarios where the site would be forced to load via https but scripts, stylesheets, and images would load via http.
515
- * Bug Fix: Fixed invalid nginx.conf rule generation for the Reduce Comment Spam feature.
516
- * Bug Fix: Corrected invalid parsing of some IP formats in Ban Hosts list.
517
- * Bug Fix: Improved error handling when reading or updating config files.
518
- * Bug Fix: Fixed various warnings that would display when changing settings.
519
- * Bug Fix: Fixed a situation where creation of a zipped export file would fail, but an email would still be sent as if the zip was created successfully.
520
-
521
- = 4.6.13 =
522
- * Security fix for XSS vulnerability. Thanks to Ole Aass (@oleaass) for finding and disclosing this vulnerability to the iThemes Security team.
523
-
524
- = 4.6.12 =
525
- * Enhancement: Translation files can now be stored in WP_LANG_DIR/plugins/better-wp-security/ so that translation files will not be overwritten on when the plugin updates.
526
- * Bug Fix: The file permissions check will no longer list a warning if the plugins directory has permissions of 755.
527
- * Bug Fix: Fixed incorrect text describing the "Backups to Retain" database backup setting.
528
-
529
- = 4.6.10 =
530
- * Bug Fix: Fixed regression that prevented adding wildcard IP's in the form of 'XXX.XXX.XXX.*' to Ban Hosts.
531
- * Bug Fix: When a file scan is run from iThemes Sync, a warning will no longer be added to the site's error log.
532
-
533
- = 4.6.8 =
534
- * Enhancement: Minor refactoring for performance and scalability.
535
- * Enhancement: Add ITSEC_BACKUP_CRON constant to replace plugin's backup scheduler with wp_cron.
536
- * Enhancement: Add dashboard reminder to salts to prompt for periodic salt changes.
537
- * Enhancement: Limit the number of lockouts that can be displayed at any given time in the dashboard.
538
- * Fix: Make sure header error messages are suppressed when performing a lockout.
539
- * Fix: Fix error message from missing login information when displaying lockouts.
540
-
541
- = 4.6.6 =
542
- * Fix: Quick banning IPs will now work correctly if existing htaccess rules are in place
543
- * Fix: minor bug fixes and typo corrections.
544
-
545
- = 4.6.2 =
546
- * New Feature: Change WordPress Salts
547
- * Enhancement: Refactored ITSEC_Lib and ITSEC_Files for better usability and new functions to make changing salts possible
548
-
549
- = 4.5.10 =
550
- * Fix: Fixed typo on file change warning emails.
551
- * Fix: Fixed duplicate module listsing on log page dropdown
552
- * Fix: Fixed missing lockouts on iThemes Sync dashboard
553
-
554
- = 4.5.8 =
555
- * New Feature: Add file/folder permissions check to Dashboard
556
- * Fix/Enhancement: Code refactoring of numerous modules
557
- * Fix: Hiding available updates in multi-site will no longer block wp-cli from detecting updates.
558
- * Fix: Removed leftover JavaScript debugging statements.
559
-
560
- = 4.5.6 =
561
- * New Pro Feature: Google reCAPTCHA
562
- * Fixed: Removed unneeded fields in malware
563
-
564
- = 4.5.2 =
565
- * New Pro Feature: wp-cli integration
566
- * New Feature: Temporarily whitelist your IP address via iThemes Sync
567
- * New Feature: Override proxy IP detection
568
- * New feature: Hide admin bar (if desired)
569
- * New Feature: Perform file scan via iThemes Sync
570
- * New Feature: Perform malware scan via iThemes Sync
571
- * Enhancement: Added filter to allow for custom log pages
572
- * Enhancement: Added debug constant to help troubleshoot multiple emails
573
- * Enhancement: Added constant to force digest emails via wp-cron instead of custom timing
574
- * Fixed: Various missing variable fixes were added
575
- * Fixed: MySQL errors on MySQL 5.6 during activation were fixed.
576
- * Fixed: HTML emails now contain HTML tag
577
- * Fixed: Lockout count in emails should now be more accurate
578
- * Fixed: Make sure to esc urls on SSL redirects (unreported minor security fix)
579
- * Fixed: Added filters to SSL to try to catch more assets
580
- * Fixed: Suspicious query strings feature should no longer conflict with many plugins
581
- * Fixed: File change detection should no longer throw an error if opendir failed
582
-
583
- = 4.4.23 =
584
- * Fixed: App passwords in two-factor authentication will now correctly authenticate themselves.
585
-
586
- = 4.4.22 =
587
- * New Pro Feature: Temporary privilege escalation
588
-
589
- = 4.4.21 =
590
- * Enhancement: More time/date information is now shown in the logs for file change scanning
591
- * Fixed: Filechange will no longer show false positives with every change in DST (although this will cause run round of such notifications on update).
592
- * Fixed: Link to malware scanning logs will work.
593
-
594
- = 4.4.20 =
595
- * New Pro Feature: File change scanning will now compare WordPress core files to the WordPress.org repository.
596
- * Fixed: Make sure php_gid is always defined to prevent error message if the function is not usable.
597
- * Fixed: Link to BackupBuddy in admin bar will now work correctly.
598
-
599
- = 4.4.18 =
600
- * New Pro Feature: Dashboard widget. Get important information and handle user blocking right from the WordPress Dashboard.
601
- * Fixed: When using wp-cron for file checking cron check will run daily instead of hourly.
602
-
603
- = 4.4.16 =
604
- * Fixed: Error on line 1312 when iThemes API is actived with version 4.4.15
605
-
606
- = 4.4.15 =
607
- * Enhancement: File change summary emails are more concise and will avoid extra information
608
- * Fixed: Hide backend will now work with Jetpack's JSON API authorization.
609
- * Fixed: Option to change user ID 1 will correctly disappear when not present
610
- * Fixed: Removed empty user agent from default blacklist to avoid issues with external services
611
- * Fixed: File change folder check will no longer scan directories outside of ABSPATH for any reason
612
- * Fixed: Adding define( 'ITSEC_FILE_CHANGE_CRON', true ); to wp-config.php will cause the file change scanner to only run once daily via wp-cron.
613
- * Fixed: Compatibility issue where strong password enforcement could cause an error if passwords are changed outside of the core of WordPress
614
- * Fixed: Lost password url should now be correct on multisite.
615
- * Fixed: fixed duplicate ID issue from user_id_exists calls.
616
- * Fixed: Fixed an error in the lockout module that results in an error for users of multisite
617
- * Fixed: Notification emails will no longer send if not turned on
618
- * Fixed: Duplicate messages will not be allowed in digest emails
619
- * Fixed: Duplicate digest emails will have a far lesser chance of sending
620
- * Fixed: User lockout count in email notifications will now be correct
621
-
622
- = 4.4.13 =
623
- * Enhancement: Default log rotation changed from 30 days to 14 days
624
- * Fixed: All logs page will properly display even with 50,000+ entries in the log
625
-
626
- = 4.4.11 =
627
- * Enhancement: Updated copy on Virustotal API key to indicate that a private key is not needed.
628
- * Fixed: More complete check for user id when resettings password will prevent undefined index login on line 62 error.
629
- * Fixed: Fixed a bug that prevented the api key from saving after resetting the key.
630
- * Fixed: Removed errors that could occur due to the use of custom capabilities and roles.
631
-
632
- = 4.4.9 =
633
- * New Pro Feature: Automatically generate strong passwords
634
- * New Pro Feature: Password expiration
635
- * Enhancement: Added a link to the actual timezone settings in the general settings page (instead of the top of the page)
636
- * Fixed: When an invalid log directory is detected it will not fail but will instead reset it to the original.
637
- * Fixed: No more duplicate digest emails
638
- * Fixed: No more "Array" message appearing in digest emails from user lockouts
639
- * Fixed: HTML in traditional file log emails will display correctly.
640
- * Fixed: From address in notification emails will now display correctly.
641
- * Fixed: MySQL errors will no longer appear for missing iThemes Security tables. Instead it will attempt to recreate them.
642
- * Fixed: Fixed missing "no changes" text in file change emails.
643
- * Fixed: Formatting of individual file change emails will now work.
644
- * Fixed: Fixed a bug in ban users user agents that would cause a crash on Apache if the user agent contained a space
645
- * Fixed: When an invalid backup directory is detected it will not fail but will instead reset it to the original.
646
-
647
- = 4.4.6 =
648
- * Fixed: fixed possible undefined api_error variable on line 316 if WordPress believes the email address is invalid.
649
- * Fixed: failed calls to various apis will no longer throw a php error on failure.
650
-
651
- = 4.4.5 =
652
- * Fixed: Fixed typos in digest email.
653
- * Fixed: Fixed typos in default network lockout message.
654
- * Fixed: Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations
655
-
656
- = 4.4.3 =
657
- * Fixed: Fixed an error that could occur on multisite due to a missing "core" object
658
-
659
- = 4.4.2 =
660
- * New Feature: Add IPCheck Brute Force API integration
661
- * New Feature: Add ability to receive a daily digest email instead of individual emails per event.
662
- * Enhancement: Added "Go Pro" menu item to admin menus.
663
- * Enhancement: Added button to release IP address from temporary whitelist.
664
- * Enhancement: Reordered sidebar items to make it easier for the user to get to the information they need from iThemes
665
- * Fixed: introduction screen should now display completely on computers with low-resolution screens.
666
- * Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible.
667
- * Fixed: Scrolling table of contents should not cover side-bar items on pro.
668
- * Fixed: When changing admin user login form will no show the correct path when WordPress is not installed in the same directory as the website address.
669
- * Fixed: The plugins_loaded hook which fires on logout will now fire later to improve compatibility with iThemes Exchange
670
- * Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible.
671
- * Fixed: Added an extra flag in an attempt to reduce duplicate file-change detection executions.
672
- * Fixed: Added missing index.php files to directories that were missing them to ensure no information could be attained if directory is turned on.
673
- * Fixed: Make sure hide backend rewrite rules are consistent with the correct location of the WordPress login page when WordPress is not installed in the main website folder.
674
- * Fixed: File locking will try to create the iThemes Directory if it isn't already present rather than just saying a lock could not be attained.
675
- * Fixed: Fixed an error whereas an empty filter could display an error when building the log tables.
676
-
677
- = 4.3.11 =
678
- * Low Severity Security Fix - Lack of access control patched - Sucuri (reported 19Aug2014)
679
- * Fixed an error in XMLRPC blocking when $username variable cannot be found
680
-
681
- = 4.3.9 =
682
- * Remove error message if WP_Error is returned with wp_remote_post in malware scan
683
- * Fixed bug where away-mode was still enabled after one-time period has passed which could result in away mode activating when it should not
684
- * Ensure that individual module updates fire when updating the plugin
685
- * Added function to retrieve current URL from the front-end
686
- * Fixed error in brute force protection that counts valid logins with XML-RPC as bad logins towards a brute force lockout
687
-
688
- = 4.3.7 =
689
- * Updated descriptions an instructions in malware scheduling to make the feature easier to use
690
- * Numerous typo corrections throughout dashboard
691
- * Clean up notifications for file change detection and malware scanning
692
-
693
- = 4.3.3 =
694
- * Fixed an accidental disabling of file change scans introduced in 4.3
695
-
696
- = 4.3.2 =
697
- * Added on-demand malware scanning for the homepage
698
- * Added better URL validation to ITSEC_LIB
699
- * Added exception for 127.0.0.1 to prevent a local server from being locked out of a site during wp-cron or other calls
700
- * Added button to quickly add current IP address to permanent whitelist
701
- * Added appropriate message for logs page when logs are not available due to "file only" logging being selected
702
- * Fixed Error in 404 scanning if path field was empty
703
- * Updated hackrepair.com's default blacklist
704
- * Modified support reminder to ask users to upgrade rather than donate
705
- * Use get_home_path() in place of ABSPATH to account for WordPress core in a different directory than wp-content
706
- * Use PHP comments in index.php file to account for the possibility of a scan including the file in which case the html comment could result in an error
707
- * Fixed various typos throughout the plugin dashboard
708
- * Added ability to prevent file change scanning from running on a given page load by defining ITSEC_FILE_CHECK_CRON to true
709
- * Cleaned up file change logging reports to me more clear when no files have been changed
710
- * Added feature to immediately ban user "admin" when no user "admin" exists on the site and a host tries to log in with it anyway
711
- * Added blank line to end of all textarea input to make it easier to input data
712
- * Added brute force checks to XMLRPC calls to prevent brute force attacks against XMLRPC
713
-
714
- = 4.2.15 =
715
- * Fixed a bug preventing file-change scanning from running when manually executed from the "Logs" page
716
- * Fixed a bug where an error could be generated if the saved files from the file change feature weren't properly saved
717
- * Fixed comment approval email links to make sure they work when a user is not logged in and hide backend is in effect
718
- * Fixed an issue that was preventing an IP from being permanently banned due to too many lockouts
719
- * Updated .htaccess rules for an IP that has been banned from too many lockouts to be more effective in more hosting environments
720
- * Fixed responsive issues in iThemes notifications that prevented notifications from being easily read on small screens.
721
-
722
- = 4.2.13 =
723
- * Fixed error for missing function in hide backend
724
-
725
- = 4.2.12 =
726
- * Fixed an error that could cause a 404 on the admin with hide-backend enabled.
727
-
728
- = 4.2.11 =
729
- * Fixed error on line 55 of class-itsec-four-oh-four.php that could occur under certain circumstances
730
-
731
- = 4.2.10 =
732
- * Don't filter hide backend hash until after schema redirect
733
- * don't send file change email on first scan
734
- * Fixed verbage when changing login URL
735
- * Modified ban users rewrites for apache. Should work with proxy and if setenvif isn't enabled.
736
- * Fixed get_module_path to prevent 404 errors on plugin assets
737
- * Fixed misplaced parenthesis forcing computer to always display it isn't whitelisted
738
- * Updated readme.txt
739
-
740
- = 4.2.8 =
741
- * Added call to settings import/export module (pro)
742
- * Added button to restore default log location
743
- * Don't automatically load front-end classes in dashboard pages
744
- * Avoid errors on save if htaccess is completely empty
745
- * Only register activation/deactivation/install hooks in admin
746
- * Make sure temporary white-list is always available
747
- * Improved check for white-listed IP during lockout
748
- * Added ability to use constant to override server detection
749
- * Don't remove extra line spaces in .htaccess
750
- * Minor reformating and typo fixes
751
- * Make sure front-end classes are available only when needed
752
- * Fixed default types in file change settings
753
- * Added file type exclusion to 404 settings
754
- * Allow for Jetpack SSO to function with suspicious queries turned on
755
- * Use WordPress' PclZip for backup zip
756
-
757
- = 4.2.6 =
758
- * Make sure backup disables itself when other backup solutions are present
759
- * Fix tweet link
760
- * Minor fixes and cleanup
761
- * Added call to two-factor module
762
-
763
- = 4.2.4 =
764
- * Consolidate white lists into one option
765
- * Fix IP mask calculations
766
- * Fix NGINX IP range blocking
767
- * Update modules to use new logging
768
- * Minor refactoring
769
- * Add metabox for iThemes Sync
770
- * Update jQuery version in tweaks
771
- * Shortened file change array names to save space
772
- * Fixed links in lockout emails
773
- * Fixed IP mask calculations
774
- * Add call to pro user-logging module
775
- * Add ability to temporarily whitelist an IP address
776
-
777
- = 4.2.2 =
778
- * Don't allow empty file types in file change exclusions
779
- * Add Sync integration for Away Mode
780
- * Minor typo and other fixes
781
- * Better cache clearing and formatting updates
782
- * Make sure rewrite rules are updated on this update
783
- * Remove extra (settings) items from admin bar menu (leave logs and important information)
784
- * Add WP_CONTENT_DIR to system information on dashboard
785
- * Move support nag to free version only and make sure it properly redirects
786
- * Fix check for presence of BackupBuddy to work with BackupBuddy >=4.2.16.0
787
- * Clean up details views on log pages
788
- * Add username column to temp and lockouts tables
789
- * Lockout usernames whether they exist or not
790
- * Don't duplicate lockouts
791
- * Fixed malformed lockout error on lockout message
792
- * Don't display a host lockout when none exists
793
- * Add Sync integration to release lockouts
794
- * Improved reliability of brute force user lockouts
795
-
796
- = 4.1.5 =
797
- * Miscelaneous typos and other fixes
798
- * Remove extra file lock on saving .htaccess, nginx.conf and wp-config.php. Only flock will be used in these operations
799
- * Fixed a function not found error in the brute force module
800
- * Improved content filtering in SSL so that more images and other content will link with appropriate protocol.
801
- * Fixed hide backend in cases where a lockout has expired
802
- * Miscelaneous typos and other fixes.
803
-
804
- = 4.1.3 =
805
- * Make sure "remove write permissions" works
806
- * Better descriptions on white list
807
- * Add pro table of contents if needed
808
- * Make sure security admin bar item works
809
- * Make sure lockout message only happens when needed
810
- * Suppress errors on readlink calls
811
- * Make sure class is present for permanent ban
812
- * Make sure white list is an array
813
- * Fix white listed IPs not working
814
- * Log when Away-mode is triggered
815
- * Make sure away mode file isn't accidently deleted
816
- * Make sure away mode doesn't even allow access to the login form (as it didn't in 3.x)
817
- * Enhance warnings on "Change content directory" settings
818
- * Better descriptions on white lists
819
- * Fixed XMLRPC label
820
- * Better XMLRPC Dashboard status
821
- * Don't allow logout action on wp-login.php with hide backend
822
- * Better check for variable in SSL admin
823
-
824
- = 4.0.27 =
825
- * XMLRPC soft block should now work with WordPress mobile app
826
- * Make sure uploads directory is only working in blog 1 in multisite
827
- * Better checks for run method in module loader
828
-
829
- = 4.0.25 =
830
- * Make sure backup directory is present before trying to use it
831
- * Make sure backup file method is respected on all backup operations
832
- * Added ability to limit number of backups saved to disk
833
- * Minor typo and other fixes
834
- * Only load front-end classes as needed
835
- * Add link to free support at .org forums
836
- * Remove select(?ed) from suspicious query strings for 3.9 compatibility
837
- * Fixed domain mapping issue (requires http://wordpress.org/plugins/wordpress-mu-domain-mapping/ domain mapping plugin)
838
- * Remove array type errors on 404 pages
839
- * Remove remaining create function calls
840
- * Make sure logs directory is present before trying to use it
841
- * Log a message when witelisted host triggers a lockout
842
- * Don't create log files if they're not going to be used
843
- * Add pro tab if pro modules need it
844
- * Upgrade module loader to only load what is needed
845
-
846
- = 4.0.23 =
847
- * Fix sorting by count in 404 Logs
848
- * Minor code cleanup
849
- * Make sure all wp_enqueue_script dependencies are in proper format
850
- * Reduce priority of hide backend init for better compatibility with other plugins
851
- * SSL now logs users out when activating to prevent cookie conflicts
852
- * When activating SSL Log out the user to prevent cookie conflicts
853
- * Use LOCK_EX as a second file locking method on wp-config.php and .htaccess
854
- * Minor code cleanup
855
- * Make sure all wp_enqueue_script dependencies are in proper format
856
-
857
- = 4.0.21 =
858
- * Added ability to "soft" block XMLRPC to prevent pingback vulnerability while still allowing other access
859
- * Updated "Suspicious queary strings" to not block plugin updates
860
- * Update NGINX comment spam rewrite rules to better work with multi-site domain mapping
861
- * Move 404 hook in hide backend from wp to wp_loaded
862
- * Make sure super-admin role is maintained on multi-site when changing user id 1 and admin username at the same time
863
- * Make sure all redirects for hide backend and ssl are 302, not 301
864
- * Better resetting of SSL and disallow file editor on deactivation to account for more states
865
- * Make sure hide backend works with registration
866
- * Minor copy and other fixes
867
- * Update nginx rewrite rule on comment spam when domain mapping is active
868
- * Added the ability to disable file locking (old behavior)
869
- * Better file lock release (try more than 1 method) before failing
870
- * Don't automatically show file lock error on first attempt
871
- * Added Spanish translation by <a href="http://www.webhostinghub.com/">Andrew Kurtis</a>
872
-
873
- = 4.0.19 =
874
- * Clean up away mode to prevent lockouts on update or other points
875
-
876
- = 4.0.18 =
877
- * Make sure unset admin user field remains if the other setting has been fixed
878
- * Removed admin user from settings table of contents
879
- * Make sure array input is trimmed in file change module
880
- * Correct input type on file change settings sanitization
881
- * Use full URL on file change warning redirect to prevent invalid target
882
- * Reduce erroneous hide backend change warnings
883
- * When accessing htaccess or wpconfig make sure opening settings changes are 664 instead of 644 to reduce issues
884
- * Update hackrepair.com's Agents blacklist
885
- * Make sure global settings save button matches others
886
- * Fixed link in locout email
887
- * Email address settings retain end of line
888
- * Sanitize email addresses on save and not just use
889
- * Make sure whitelist is actually an array before trying to process
890
- * Make sure rewrite rules show on dashboard when file writing isnt allowed
891
- * Added extra information to dashboard server information to help troubleshooting
892
-
893
- = 4.0.16 =
894
- * Fixed bug preventing file change scanning from advancing when chunked
895
- * Don't autoload file list on non-multisite installations
896
- * Make sure away mode settings transfer from 3.x or disable away mode
897
- * Better descriptions on save buttons
898
- * Admin use "Fix it" Correctly goes to advanced page
899
-
900
- = 4.0.14 =
901
- * Execute permanent ban on the correct lockout count, not the next one
902
- * Updated quick ban rules to match standard ban rules (will work with proxy)
903
- * Fixed an NGINX rule that didn't actually block XMLRPC.php
904
- * Updated rule order on ban users
905
- * Fixed a bug that could prevent away from from turning off in certain time configurations (this resulted in the return to homepage on login)
906
- * Updated some function doc
907
-
908
- = 4.0.12 =
909
- * Added "Show intro" button next to screen options to bring the intro modal back
910
- * Added ability to use HTML in error messages
911
- * Minor copy and other tweaks
912
- * Private posts will now work with hide backend
913
- * Added an option for custom login action that can bypass hide login
914
- * Allow admin-ajax.php to bypass hide backend
915
- * Added filters for external backup plugins to register with the dashboard
916
- * Enable theme compatibility mode by default
917
- * Miscellaneous copy and function doc fixes
918
-
919
- = 4.0.10 =
920
- * only save post meta for ssl when the value is true
921
- * fixed missing admin user settings if only one part had been changed
922
- * SSL Redirection working properly on front end. No more redirect errors
923
- * hide backend will warn of the new url when saving
924
- * hide backend will now email the notification email(s) when the login area has been moved
925
- * Added BackupBuddy coupon
926
- * Added ability to manually purge log table
927
-
928
- = 4.0.8 =
929
- * Removed error message that could happen on user creation with strong passwords enabled
930
- * Moved strong password js later in execution cycle to prevent errors
931
- * More hide backend tweaks to cover remaining white screen issues
932
- * Removed option to enqueue a new version of jQuery unless it is needed
933
-
934
- = 4.0.7 =
935
- * Removed extra quotes that could appear in user agents
936
- * Removed error message on login page when jQuery replace in use
937
- * Don't use WordPress rewrites for hide backend, we now create our own rewrite rule
938
- * All modules now use newer upgrade method
939
- * Fix modal dismiss button on settings page
940
- * Ban users rules now should work with proxies
941
- * Saving settings will always generate and write rewrite rules if file writing is allowed
942
- * Hide backend now works with multisite and subdirectory installs
943
- * Make sure tables exist if manually updating from 3.x
944
- * Move admin user settings to advanced page
945
- * Make sure logout happens after processing admin user changes
946
- * All modules now rewritten to call rules on build
947
- * Rename backup and logs folders when wp-content is renamed
948
- * Delay file scan by at least 2 minutes when saving settings
949
- * Added "theme compatibility" mode to remove errors in hide backend caused by themes conflicting with the feature.
950
- * Fixed history.txt (for iThemes customers)
951
- * Moved upgrade to separate function for more seamless update
952
- * Upgrade system rewritten for better functionality
953
- * Make sure 404 doesn't fail if there is not a 404.php in the theme
954
- * Make sure WordPress root URLs render correctly
955
- * Filewrite now only builds rules on demand.
956
- * Fixed dismiss button on intro modal for small screens
957
- * General cleanup and typo fixing
958
- * New .pot file with updated iThemes .pot file generator
959
-
960
- = 4.0.5 =
961
- * Fixed away mode not allowing PM times.
962
- * Fixed general copy typos.
963
- * Non super admins will no longer see the "Security" menu item in the admin bar on multisite.
964
- * Update to iThemes' icon-fonts library to account for ABSPATH set to '' or '/'.
965
- * Fixed relative paths on Windows servers.
966
- * Removed the pingback URL from the header if XML-RPC disabled.
967
- * Added file locking to admin user operations to [hopefully] avoid duplicated users.
968
- * 404 white list should transfer to global white list
969
- * White list implementation working across all lockouts
970
- * Add extra dismiss box to close welcome modal (fix for smaller screens)
971
-
972
- = 4.0.2 =
973
- * Fixed bug in conversion of wildcard ip (ie 131.2.1.*) to proper netmask. Should prevent 500 errors on sites.
974
-
975
- = 4.0.1 =
976
-
977
- * Fix for issue whereas a blank deny ip line could be entered into wp-config.php during update if banned users was used.
978
-
979
- = 4.0.0 =
980
-
981
- Better WP Security is now iThemes Security.
982
-
983
- This release is a complete rewrite from the ground up. Special thanks to Cory Miller of iThemes.com and Chris Wiegman for realizing the vision for this plugin and how far we can go with it together.
984
-
985
- * New Security Features
986
- * jQuery Scanner looks for vulnerable versions of jQuery in your theme and gives you the option to replace it with the current version of jQuery from WordPress core.
987
- * Remove author archives for users without any posts. This helps prevent bots from finding users on your site.
988
- * Force a unique nicename. This forces the user to choose a Nickname that is different from the login name which will be used for the author slug and other appropriate areas.
989
- * Disable PHP execution in uploads.
990
-
991
- * Improvements
992
- * New UI with streamlined options and other settings
993
- * Hide features not in use
994
- * Smart feature selection for easier use
995
- * Central logs location
996
- * Ability to better customize notification and backup emails by sending to one or more addresses
997
- * Ability to save files anywhere on the host
998
- * Uses file-system locking for all critical operations
999
- * Global settings require setting options only once
1000
- * Full BackupBuddy integration
1001
- * Voluntary tracking of when options are turned on or off via Google Analytics
1002
- * Hide backend no longer uses keys
1003
- * Whitelist IPs for all lockouts
1004
- * File change detection can run in batches for better resource usage
1005
- * Backups can ignore unneeded table data such as logs
1006
- * File change detection can ignore specified file types completely
1007
- * All saved files now go to uploads
1008
- * Ban users now has its own whitelist
1009
- * Away mode and nearly all other features tweaked for speed and reliability
1010
- * Module feature includes to accommodate future features as well as possibility of 3rd party features
1011
- * No more insufficient permissions errors on settings tabs
1012
-
1013
- = 3.6.6 =
1014
- * Added notice about upgrade
1015
-
1016
- = 3.6.5 =
1017
- * Reintroduced InfiniteWP compatibility
1018
-
1019
- = 3.6.4 =
1020
- * Updated readme
1021
- * Removed FooPlugins support box as iThemes begins integration of all support
1022
- * Removed InfiniteWP Compatibility
1023
-
1024
- = 3.6.3 =
1025
- * Turned off iThemes Survey
1026
- * Updated iThemes email subscription box
1027
-
1028
- = 3.6.2 =
1029
- * Fixed error message in above support widget when WordPress debug active.
1030
- * Fixed error when creating user in iThemes Exchange
1031
-
1032
- = 3.6.1 =
1033
- * Fixed iThemes image path for case-sensitive
1034
- * Add iThemes ITSEC survey to help plan further updates
1035
- * Added Customizable email to support form
1036
-
1037
- = 3.6 =
1038
- * Added WP Security Lock as a partner for sites that have already been compromised.
1039
- * Changed social information to iThemes
1040
- * Better domain support (Mark Boudreau)
1041
- * Add username to notification email (Andreas Geibert)
1042
- * Changed author to iThemes
1043
- * Added links to backup buddy and iThemes subscription
1044
- * Fixed inconsistent count in logs
1045
- * updated German translation by <a href="http://fluchtsportler.de" title="kniebremser">Rene Wolf</a>
1046
-
1047
- = 3.5.6 =
1048
- * Updated Bulgarian translation by <a href="http://wordpress.org/support/profile/mhalachev">Martin Halachev</a>
1049
- * Removed all instances of the deprecated $wpdb->escape
1050
- * Fixed possible XSS issue (Github Issue #64 with patch from i0wn)
1051
- * Wrapped all wp_mail calls in function_exists checks as it no longer seems to be reliably available after plugins_loaded in WordPress 3.6
1052
- * Minor refactoring
1053
- * Added (.*) to Zues in hackrepair.com list to mitigate possible issues
1054
- * Typo correction on SSL options courtesy of <a href="http://karthost.com">Roy Randolph</a>.
1055
- * Changed minimum version to 3.6
1056
-
1057
- = 3.5.5 =
1058
- * Fixed error that prevented manual backups from executing
1059
- * Updated Turkish translation by <a href="http://hakanertr.wordpress.com">Hakan Er</a>
1060
- * Updated shield logo by Martin Halachev
1061
- * Minor fixes for strict warnings occuring when on PHP 5.4
1062
- * Fix for lstat error for files in the ithemes-security/backups/ directory
1063
- * Fixed an error that prevented manual filecheck
1064
-
1065
- = 3.5.4 =
1066
- * Bulgarian translation by <a href="http://arthlete.com/">Nikolay Kolev of Gymnastics and Bodyweight Tutorials</a>
1067
- * Chinese (Traditional) translation by Toine Cheung
1068
- * Fixed an XSS vulnerability in the logevent function. Fix by <a href="http://www.nccgroup.com/en/blog/?author=Richard%20Warren">Richard Warren</a>
1069
- * Updated Turkish by <a href="http://hakanertr.wordpress.com">Hakan Er</a>
1070
- * 404 Logs now only accessible via the link on the logs page (thank you Marc-Alexandre Montpas)
1071
- * Added .htaccess to protect saved backups (thank you Marc-Alexandre Montpas)
1072
- * Added extra sanitization when downloading host info from database (was sanitized on upload) (thank you Marc-Alexandre Montpas)
1073
- * Brazilian Portuguese translation by <a href="http://profiles.wordpress.org/rafaelfunchal">Rafael Funchal</a>
1074
- * German translation by <a href="http://fluchtsportler.de" title="kniebremser">Rene Wolf</a>
1075
- * Removed timezone from email lockout notifications (GitHub Issue #35)
1076
- * Better variable checking to prevent error messages
1077
- * Force user 0 when logging filechecking (GitHub Issue #7)
1078
- * CSS update for MP6 from shivapoudel
1079
- * Small tweak to prevent email notifications being sent when they shouldn't
1080
- * Cleaned up variable checking throughout to eliminate activation errors if php errors or WP_DEBUG is turned on
1081
- * Added further checks to reduce errors if file change log is invalid
1082
- * Memory should now display correctly in file change email
1083
- * Use maybe_unserialize instead of unserialize
1084
- * Added option to filter foreign charcters as part of filter suspicious query string
1085
- * Updated .pot file
1086
-
1087
- = 3.5.3 =
1088
- * Simplified Chinese by <a href="http://haib.in">海滨</a>
1089
- * Persian by <a href="http://forum.wp-parsi.com/user/1469-ibrahim/">Ibrahim Jafari</a>
1090
- * Typo correction by ihuston
1091
- * Fixed Bit51 Google+ Link
1092
- * Better proxy support for ban users by kalvindukes
1093
- * Updated Spanish translation by <a href="http://pabloromero.org">Pablo Romero</a>
1094
- * Updated Readme
1095
- * Updated .pot file
1096
-
1097
- = 3.5.2 =
1098
- * Fixed error message that could appear when creating backups
1099
- * Correct Changelog not displaying correctly on WordPress.org after version 3.5.1
1100
-
1101
- = 3.5.1 =
1102
- * Replaced Turkish language version lost in when tagging 3.5 in the WordPress.org repository
1103
- * Solved a conflict with other Bit51 plugins that use the common Bit51 class
1104
-
1105
- = 3.5 =
1106
- * Integrate with Foo Plugins support system
1107
- * Fixed role translation call for Strong password enforcement
1108
- * Turkish by <a href="http://hakanertr.wordpress.com">Hakan Er</a>
1109
- * Random version number no longer strips unrelated GET variables for better compatibility
1110
- * Upgrading no longer automatically rewrites .htaccess and wp-config resulting in much improved reliability
1111
- * Fixed possible error when login fails and PHP is set to report errors to screen
1112
-
1113
- = 3.4.10 =
1114
- * Replaced feed with standard WordPress feed
1115
- * Added better error checking for feed should Feedburner (or any other provider) kill it again
1116
-
1117
- = 3.4.9 =
1118
- * More secure user query thanks to John Cave
1119
- * Greatly improved intl date handling by <a href="http://www.sceric.net/">SCUDELLER Eric</a>
1120
- * Added: French translation by <a href="http://www.sceric.net/">SCUDELLER Eric</a>
1121
- * Fixed: bug preventing Jetpack's Infinite Scroll from working with long URL protection
1122
-
1123
- = 3.4.8 =
1124
- * Fixed error message that may occur if InfiniteWP is not installed.
1125
-
1126
- = 3.4.7 =
1127
- * Added compatibility with InfiniteWP (http://infinitewp.com/)
1128
- * Updated default ban list as it was a little too restrictive for my taste
1129
- * Added export of 404 logs in .csv format (experimental)
1130
- * Add X-Forwarded-For ability to IP logging
1131
- * Minor bug and typo fixes
1132
-
1133
- = 3.4.6 =
1134
- * Updated usability on ban lists
1135
- * Ban list threshold now triggered on hit and not 1 after
1136
-
1137
- = 3.4.5 =
1138
- * Replace database override of awaymode with wp-config constant
1139
- * Filecheck override is now done through wp-config constant
1140
- * Added option to generate new secret key in hide backend
1141
- * Added Slovak translation by Erich Szabó
1142
- * Possible Google Maps fix for Apache
1143
- * Improved time handling for away mode, lockouts, logs, and more
1144
- * Added Tagalog translation by Hanne of ​<a href="http://pointen.dk/">http://pointen.dk/</a>
1145
- * Various table updates from Michael Conover (<a href="twitter.com/sidtheduck">@sidtheduck</a>) at <a href="http://sidtheduck.com">sidtheduck.com</a>.
1146
- * Load plugin as global to reduce multiple executions
1147
- * Fixed rewrite rules for banned hosts
1148
- * Updated .pot file
1149
- * Other minor bugfixes and refactoring
1150
-
1151
- = 3.4.4 =
1152
- * fixed input vulnerability found at http://packetstormsecurity.org/files/116317/ithemes-security-3.4.3-Cross-Site-Scripting.html
1153
- * fixed email address in footer information on backup screen
1154
- * file check exclusions should now work properly for individual files.
1155
- * One-click protection is now part of the install script.
1156
- * Won't log or even check 404 if feature is off.
1157
- * Don't clear cache during away check. Let's see instead if the transients …
1158
- * Don't clear Supercache page cache on clear logs
1159
-
1160
- = 3.4.3 =
1161
- * Only clear WP Supercachce when full page cache clearing is required
1162
-
1163
- = 3.4.2 =
1164
- * Gravatars will no longer dissappear after changing user 1 id
1165
- * Better cache clearing when changing options
1166
- * Reworked away mode for better cache handling
1167
- * Subdirectory redirects should now work
1168
- * Fixed error message on logout
1169
- * Fixed password reset email link
1170
- * Will no longer duplicate IPs in ban list when entered via auto-ban
1171
- * Minor style updates
1172
- * Better namespacing in content.php
1173
- * Removed 38.0.0.0/8 from hackrepair.com blacklist
1174
- * remove yandex from hackrepair.com blacklist
1175
-
1176
- = 3.4.1 =
1177
- * Clean all logs when checked
1178
- * Better logic for SSL checking
1179
- * Removed echo statement in Filecheck
1180
- * Highly compressed NGINX rules
1181
- * Added to "Filter Suspicious Query String" Logic
1182
-
1183
- = 3.4 =
1184
- * Added Russian Translation
1185
- * Updated Hindi contributor to <a href="http://outshinesolutions.com/">Outshine Solutions</a>
1186
- * Prevented file change warning from displaying to non-admins
1187
- * Fixed error causing multiple backup emails
1188
- * Added ability to change ID of user with ID 1
1189
- * Fixed bug in plugin base url
1190
- * Added extra warnings and "escape route" for away mode
1191
- * Fixed hide backend issues since WordPress 3.4
1192
- * Lookup IP addresses directly from logs
1193
- * Fixed dbdelta errors on upgrade
1194
- * Updated form styles and appearance
1195
- * Added tabs to settings pages for increased usability
1196
- * Duplicate IP addresses won't be saved to banned list
1197
- * Wildcards now correctly save to banned list
1198
- * Suppress errors on filecheck arrays
1199
- * Fixed link to permalink settings in hide backend
1200
- * Added extra save buttons to system tweaks
1201
- * Added logging memory usage to filecheck
1202
- * Updated readme.txt
1203
- * Updated .pot
1204
-
1205
- = 3.3 =
1206
- * More checks to ensure blank "Deny from" lines don't appear in .htaccess
1207
- * Added host and user agent blacklist by <a href="http://hackrepair.com">HackRepair.com</a>
1208
- * Changed "Options All -Indexes" to "Options -Indexes" in .htaccess rules
1209
- * Added log view for all bad login attempts to view logs
1210
- * Always show .htaccess and wp-config.php changes in Dashboard
1211
- * Database backups no longer turn on automatically with one-click secure.
1212
- * Replaced unique key in database tables with primary key (tested in 3.4)
1213
-
1214
- = 3.2.7 =
1215
- * Hindi translation by Outshine Solutions
1216
- * Spanish translation by Pablo Romero
1217
-
1218
- = 3.2.6 =
1219
-
1220
- * Lithuanian translation by Vincent G
1221
- * Fixed bug that could allow blank hosts in .htaccess for ban users
1222
- * Removed obsolete translations from before version 3.0
1223
- * Fixed various typos
1224
- * Numerous minor bug fixes
1225
- * Support moved back to WordPress.org forums
1226
-
1227
- = 3.2.5 =
1228
-
1229
- * Users can now specify email address for database backups
1230
- * Fixed bug throwing error when saving changes to existing users
1231
- * Corrected typo in intl hook
1232
- * List banned IPs on separate lines for readability
1233
- * Replaced all instances of Wordpress with WordPress
1234
- * Logs no longer show errors when records are cleared while viewing file change details
1235
- * File check will no longer automatically enable on servers with low RAM
1236
- * An extra database key has been introduced to easily disable file checking if it causes memory errors
1237
- * updated .pot
1238
- * Sanitize ALL server variables to prevent XSS vulnerability
1239
-
1240
- = 3.2.4 =
1241
-
1242
- * Added configurable email address for all email notifications
1243
- * Added ability to turn off dashboard warning for file check
1244
- * Password reset form will now require strong passwords if configured
1245
- * Ability to automatically blacklist an IP address after a specified number of lockouts
1246
- * Various minor bugfixes
1247
- * Turning off front-end ssl will stop ssl redirect loops in sites with an existing ssl implementation
1248
- * Updated language and explanations for various features
1249
- * Updated .pot
1250
-
1251
- = 3.2.3 =
1252
-
1253
- * Fixed date offset in log views
1254
- * Fixed site admin renaming for multisite users
1255
- * Fixed typos throughout
1256
- * Block concat MySQL command
1257
- * Deny access to readme.txt in protect files
1258
- * Fixed 404 table description
1259
- * Added domain name to email notifications
1260
- * Improved folder check login
1261
- * Suppress error messages for file-check operations
1262
-
1263
- = 3.2.2 =
1264
-
1265
- * Fixed 500 error when ban-users in enabled and IP or agents list are empty
1266
- * Fixed error that logged bad logins and 404s even when features were turned off
1267
-
1268
- = 3.2.1 =
1269
-
1270
- * Added choice to completely disable front-end SSL, enable per page, or enable site-wide
1271
- * Fixed login URL on new user email when new user is created by an existing user and hide backend is enabled
1272
- * Default all SSL to off for new installations
1273
- * Fixed strong password roles to work correctly
1274
- * A little 418 humor
1275
- * Updated .pot file
1276
- * Updated readme.txt
1277
-
1278
- = 3.2 =
1279
-
1280
- * File checker checks for changed files
1281
- * SSL for individual pages and posts
1282
- * One-click protection removes all .htaccess and wp-config.php options
1283
- * Option to not allow the plugin to write to .htaccess and wp-config.php
1284
- * Tweaked NGINX rewrite rules
1285
- * Moved SSL options to separate page for better usability
1286
- * Tables now display in native WordPress format
1287
- * Updated language throughout
1288
- * Tweaked Apache rewrite rules
1289
- * Various minor bug-fixes
1290
- * New installation video (see plugin homepage)
1291
- * Updated .pot file
1292
-
1293
- = 3.1 =
1294
-
1295
- * Significantly less resource usage
1296
- * Fixed white screen errors on load
1297
- * Fixed backup scheduling errors
1298
- * updated .pot file
1299
- * numerous minor bugfixes
1300
-
1301
- = 3.0.12 =
1302
-
1303
- * Displays log messages for all lockouts
1304
- * Scheduled backup times can be much more easily customized
1305
- * Setting wp-config.php and .htaccess to 0444 is now optional
1306
- * Updated .pot file
1307
- * Fixes to Apache/LiteSpeed rules and NGINX rules
1308
- * Numerous minor bugfixes
1309
-
1310
- = 3.0.11 =
1311
-
1312
- * Fixed bug with redundant backup caller in admin script
1313
-
1314
- = 3.0.10 =
1315
-
1316
- * Better LiteSpeed support
1317
- * Better database backup scheduling
1318
- * Better line spacing in .htaccess and wp-config.php
1319
- * WordPress 3.3.1 now required
1320
- * Status area now links to proper options and not top of tweaks page
1321
- * NGINX rule fixes
1322
- * admin-ajax.php now works even with hide backend
1323
- * error surpression on file operations
1324
- * update .pot
1325
- * Many language updates
1326
- * Better update script for multisite installs
1327
-
1328
- = 3.0.9 =
1329
-
1330
- * Fixed multi-site issue due to 3.0.8 update support fix
1331
- * Fixed awaymode settings issues
1332
-
1333
- = 3.0.8 =
1334
-
1335
- * Fixed improper php open tags
1336
- * Fixed erroneous PHP_EOL in nginx rules
1337
- * LiteSpeed support
1338
- * Better update support (not relying on activation hook anymore)
1339
- * Added abstract keyword to bit51.php
1340
- * Removed itsec references in bit51.php
1341
- * updated .pot file
1342
-
1343
- = 3.0.7 =
1344
-
1345
- * Changed method of end of line character technique for better cross-platform server compatibility
1346
- * Fixed 2 lines of <? in content.php replacing them with <?php
1347
-
1348
- = 3.0.6 =
1349
-
1350
- * Another fix to the "line 2072" error. This would be a lot easier with a Windows host as those are the only folks that seem to have the issue
1351
-
1352
- = 3.0.5 =
1353
-
1354
- * Changes to language on ban users page
1355
- * fixed "line 2072" error
1356
-
1357
- = 3.0.4 =
1358
-
1359
- * Changed IP banning to only accept * wildcards for ranges
1360
- * All host banning is not done via server configuration rather than php
1361
- * Numerous minor bugfixes
1362
-
1363
- = 3.0.3 =
1364
-
1365
- * Fixed bug in backup file path
1366
-
1367
- = 3.0.2 =
1368
-
1369
- * Fixed default options on saving
1370
- * Fixed setup options
1371
- * Other minor bugfixes
1372
-
1373
- = 3.0.1 =
1374
-
1375
- * Turned off flag that caused plugin settings to reset on update.
1376
-
1377
- = 3.0 =
1378
-
1379
- * Complete rewrite from the ground up
1380
- * Menu changes
1381
- * UI completely rewritten
1382
- * Now supports NGINX
1383
- * Scheduled database backups
1384
- * Added ability to block user agents in addition to hosts
1385
- * Numerous bugfixes
1386
-
1387
- = 2.18 =
1388
-
1389
- * Another attempt to fix the login error that started with 2.16. Changed logic for determining hide backend feature.
1390
-
1391
- = 2.17 =
1392
-
1393
- * Fixed an error that started with version 2.16 and prevented user from being able to login to the WordPress Dashboard.
1394
-
1395
- = 2.16 =
1396
-
1397
- * Fixed login link in new user email after breaking it in version 2.15
1398
-
1399
- = 2.15 =
1400
-
1401
- * Now loads all features at init to [hopefully] eliminate function not found errors
1402
-
1403
- = 2.14 =
1404
-
1405
- * Bugfixes from 2.13
1406
- * Removed randomized version for all logged-in users due to conflicts with admin-bar
1407
-
1408
- = 2.13 =
1409
-
1410
- * Bugfixes from 2.12
1411
-
1412
- = 2.12 =
1413
-
1414
- * Bugfixes from 2.11
1415
-
1416
- = 2.11 =
1417
-
1418
- * Fixed login-slug in new user email
1419
- * Fixed login slugs throughout site
1420
- * Remove reset-password options
1421
- * Improved rewrite rules (I would credit the author but I'm afraid in a bone headed move I never wrote down the author with the notes)
1422
- * No longer loads pluggable
1423
-
1424
- = 2.10 =
1425
-
1426
- * Added Romanian translation by Luke Tyler
1427
-
1428
- = 2.9 =
1429
-
1430
- * readme.txt typo correction
1431
- * Added ability to whitelist hosts and ip addresses for intrusion detection
1432
- * intrusion detection now lists 404 errors found to help ease troubleshooting
1433
- * intrusion detection now records referrer to make tracking 404 errors easier
1434
- * corrected error when attempting to list multiple hosts when banning users
1435
-
1436
- = 2.8 =
1437
-
1438
- * German Translation by Stefan Meier
1439
-
1440
- = 2.7.1 =
1441
-
1442
- * Fixed a logic bug caused by changes in 2.7
1443
-
1444
- = 2.7 =
1445
-
1446
- * Fixed a bug preventing login lockouts from releasing.
1447
-
1448
- = 2.6 =
1449
-
1450
- * Added link to author of Italian Translation
1451
- * Fixed bug preventing the "Ban Users" function from working.
1452
-
1453
- = 2.5 =
1454
-
1455
- * Italian translation by Paolo Stivanin
1456
- * Support information moved to separate page for easy access
1457
- * Minor bug fixes
1458
-
1459
- = 2.4 =
1460
-
1461
- * Fixed a bug that generated a 404 error when clicking the reset password link that is emailed to users
1462
- * Added the option to customize the error message displayed for the login lockdown and intrusion detection lockouts
1463
-
1464
- = 2.3 =
1465
-
1466
- * Fixed various typos
1467
- * meta.php require_once now works correctly
1468
- * fixed bug in which .htaccess and wp-config.php were not reporting correct permissions
1469
- * Version is now hidden on admin pages except for multi-site
1470
-
1471
- = 2.2 =
1472
-
1473
- * Emergency fix restoring version number display for backend as previous fix made multi-site installations unusable
1474
-
1475
- = 2.1 =
1476
-
1477
- * Added options to customize intrusion detection to allow custom lockout duration and error threshold
1478
- * Time now correctly displays for intrusion detection lockouts and lockouts are released at the correct time
1479
- * Version number now hidden for all users without administrator role on backend
1480
- * Saved hide backend key to database to allow for easier use in other plugins that link directly to wp-login.php (still has to be manually entered in each affected plugin)
1481
- * Will now use the correct wp-config.php file if it is located outside of the directory used for the wordpress installation
1482
- * Empties APC cache (when installed) after changing wp-content directory preventing the necessity to restart Apache
1483
- * Fixed display bugs for login and intrusion lockout lists.
1484
-
1485
- = 2.0 =
1486
-
1487
- * Now supported by Bit51.com
1488
- * Removed blocking of http HEAD requests to improve integration with social networking APIs such as Twitter
1489
- * French translation by Claude ALTAYRAC
1490
-
1491
- = 1.9 =
1492
-
1493
- * Error message on lockouts more ambiguous
1494
- * Added email notification for intrusion detection lockouts
1495
- * Added Bahasa Indonesia (Indonesian) translation by Belajar SEO, Jasa SEO Indonesia
1496
-
1497
- = 1.8.1 =
1498
-
1499
- * Minor bug fixes
1500
-
1501
- = 1.8 =
1502
-
1503
- * Changed plugin description
1504
- * Improved translation support
1505
- * Added Turn off file editor in WordPress backend
1506
- * Improved accuracy of version checking when upgrading
1507
- * Ban Users now allows for more than just IP address, it has been renamed accordingly
1508
-
1509
- = 1.7 =
1510
-
1511
- * Renamed detect 404s section to intrusion detection to include upcoming features
1512
- * general spelling and grammer corrections
1513
- * Moved configuration to network dashboard for multisite installations
1514
- * Improved multisite support
1515
- * Warns if .htaccess or wp-config.php files aren't writable where needed
1516
- * Added icon to menu for easier identification
1517
- * Cleaned up and refined status information
1518
-
1519
- = 1.6 =
1520
-
1521
- * Fixed WLManifest link removal from header
1522
- * Added nofollow to all meta links
1523
- * "Away Mode" page now displays current time even when feature has not been enabled
1524
- * Status page now shows system information
1525
- * htaccess contents moved to status page
1526
- * fixed fatal activation error affecting php 5.2 users
1527
-
1528
- = 1.5 =
1529
-
1530
- * Meta links update correctly when changing backend links
1531
-
1532
- = 1.4 =
1533
-
1534
- * Fixed another issue that prevented the "htaccess" options page from displaying on some hosts
1535
-
1536
- = 1.3 =
1537
-
1538
- * Fixed an issue that prevented the "htaccess" options page from displaying on some hosts
1539
-
1540
- = 1.2 =
1541
-
1542
- * Finished support for localization
1543
-
1544
- = 1.1 =
1545
-
1546
- * Fixed bug that prevented cleaning old lockouts from database
1547
-
1548
- = 1.0 =
1549
-
1550
- * More code documentation
1551
- * Added warnings to changing content directory (until I can find a good way to update all existing content)
1552
- * Added options to clean old entries out of the database
1553
- * Fixed minor typos throughout
1554
-
1555
- = 0.16.BETA =
1556
-
1557
- * Updated Homepage
1558
-
1559
- = 0.15.BETA =
1560
-
1561
- * Fixed error for potential conflicts with old htaccess rules
1562
-
1563
- = 0.14.BETA =
1564
-
1565
- * Removed hotlinking protection as it has been deemed to be outside the scope of this project
1566
- * Removed protocol from hide backend htaccess rules for consistency between http and https
1567
- * Combined all httaccess rules into single iThemes Security Block
1568
- * 404 check now ignores all logged in users
1569
-
1570
- = 0.13.BETA =
1571
-
1572
- * Fixed a bug that could erase part of the wp-config file= 0.12.BETA =
1573
-
1574
- * Changing content directories should no longer break sites that were upgraded from versions prior to 3.0
1575
-
1576
- = 0.11.BETA =
1577
-
1578
- * Update to project homepage and other minor changes
1579
-
1580
- = 0.10.BETA =
1581
-
1582
- * Removed WP version check from status page as it was redundant
1583
- * On uninstall wp-content location will be returned to default
1584
- * Fixed setup error
1585
- * Error checking now correctly identifies database table prefix
1586
- * Rendom version # generator now removes version number from scripts and css where it can (thanks to Dave for this)
1587
-
1588
- = 0.9.BETA =
1589
-
1590
- * Bug fixes
1591
- * Internationalization improvements
1592
-
1593
- = 0.8.BETA =
1594
-
1595
- * Fixed more critical bugs
1596
-
1597
- = 0.7.BETA =
1598
-
1599
- * Fixed more critical bugs
1600
-
1601
- = 0.6.BETA =
1602
-
1603
- * Fixed 2 critical bugs
1604
-
1605
- = 0.5.BETA =
1606
-
1607
- * Major refactoring
1608
- * Streamline database tables
1609
- * Numerous bugfixes
1610
- * Code documentation and continued internationalization prep
1611
-
1612
- = 0.4.BETA =
1613
-
1614
- * Changed the main menu name to "Security"
1615
- * Minimum requirement raised to 3.0.2
1616
- * Begun code documentation and intl prep
1617
-
1618
- = 0.3.BETA =
1619
-
1620
- * Numerous bugfixes
1621
- * 404 check will NOT ban logged in users
1622
- * Lockdown rules no longer apply to logged in users
1623
-
1624
- = 0.2.BETA =
1625
-
1626
- * Updated hidebe to handle standard logout links
1627
- * Numerous other bugfixes
1628
-
1629
- = 0.1.BETA =
1630
-
1631
- * Finished status reporting
1632
- * Force SSL for admin pages (on supporting servers)
1633
- * Change wp-content path
1634
-
1635
- = ALPHA 11 =
1636
-
1637
- * Added security checklist
1638
- * Added option to rename existing admin account
1639
- * Added option to change DB table prefix
1640
- * Various bugfixes
1641
-
1642
- = ALPHA 10 =
1643
-
1644
- * Added more htaccess security options
1645
- * All htaccess options have been moved to their own page
1646
- * Added simple intrusion detection based on 404s
1647
- * Bugfixes and code optimization
1648
-
1649
- = ALPHA 9 =
1650
-
1651
- * Deactivating now removes all htaccess areas and turns off associated options
1652
- * Enforce strong passwords for all users of a given minimum role
1653
- * Minor bug fixes
1654
-
1655
- = ALPHA 8 =
1656
-
1657
- * Added various .htaccess options to strengthen file security
1658
- * Modified "hide backend" rewrite rules to work with multi-site
1659
- * Removed non-security hide-backend options
1660
- * Various bug fixes
1661
- * Renamed "General" options page to "System Tweaks" to avoid confusion
1662
- * Added more options to clean up WordPress headers
1663
- * Added options to remove plugin notifications from non-super admin users
1664
-
1665
- = ALPHA 7 =
1666
-
1667
- * Continued code refactoring and bug-fixes
1668
- * Improved error handling and upgrade support
1669
- * Combined status and support options pages
1670
-
1671
- = ALPHA 6 =
1672
-
1673
- * Added sanitization and validation to user input
1674
- * Added "away mode" to limit backend access by time
1675
- * Script no longer dies when logged out and instead returns to homepage.
1676
-
1677
- = ALPHA 5 =
1678
-
1679
- * Complete refactor of the existing code
1680
- * Divided settings sections for better UX
1681
- * Added htaccess checks
1682
- * Redesigned options system for less database calls
1683
- * Reduced table usage from 4 to 2
1684
- * Added email notifications for login limiter
1685
- * Added complete access blocker for login limiter
1686
-
1687
- = ALPHA 4 =
1688
-
1689
- * Added login limiter to limit invalid attempts
1690
- * various Bug fixes
1691
-
1692
- = ALPHA 3 =
1693
-
1694
- * Corrected error display
1695
- * Added registration rules regardless of whether registrations are on or off.
1696
- * Added "Display random version to non-admins"
1697
- * Fixed rewrite rules on hide admin urls so going to the admin slug will work whether the user is logged in or not
1698
- * Added crude upgrade warning to warn of old (not so great) rewrite rules
1699
-
1700
- = ALPHA 2 =
1701
-
1702
- * Optimized and commented code
1703
- * Added uninstall function
1704
- * Numerous fixes to bugs and logic
1705
-
1706
- = 0.1 ALPHA =
1707
-
1708
- * First alpha release including simple feature set.
1709
-
1710
  == Upgrade Notice ==
1711
 
1712
- = 6.4.0 =
1713
- Version 6.4.0 contains important bug fixes and enhancements. It is recommended for all users.
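Review bot: deleting the whole pre-6.x changelog (3.3 down through 0.1 ALPHA) removes the only in-package record of several security-relevant fixes, for example the 3.2.5 entry "Sanitize ALL server variables to prevent XSS vulnerability", the 3.2.6 "Fixed bug that could allow blank hosts in .htaccess for ban users" entry, and the 2.16 to 2.18 series of hide-backend login regressions; if the goal is a shorter readme.txt, add a one-line pointer to where the full history is kept (a changelog file shipped with the plugin or a URL) so that someone auditing which version fixed a given issue is not left with nothing. The removal of the "= 6.4.0 =" upgrade notice at the end of this hunk is fine on its own, as a 6.5.0 notice replaces it.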
1
  === iThemes Security (formerly Better WP Security) ===
2
+ Contributors: ithemes, chrisjean, gerroald, mattdanner, timothyblynjacobs
3
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
4
  Requires at least: 4.6
5
+ Tested up to: 4.8.1
6
+ Stable tag: 6.5.0
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
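Review bot: "Stable tag: 6.5.0" must match the Version field in the main plugin file header, because wordpress.org serves the build the stable tag points at and a mismatch ships the wrong code to every auto-updater; the "-" side of the three changed header lines is not visible in this view, so also confirm that "Tested up to: 4.8.1" reflects a run against this release with the reworked SSL module, whose logout behaviour on enable changes in this version.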
188
 
189
  == Changelog ==
190
 
191
+ = 6.5.0 =
192
+ * Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
193
+ * Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP directly.
194
+ * Enhancement: Enabling SSL support will only log you out if you are not already on an https connection.
195
+ * Enhancement: Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
196
+ * Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
197
+ * Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
198
+ * Bug Fix: Fixed way to work around Hide Backend on some hosts.
199
+
200
  = 6.4.0 =
201
  * Enhancement: Replaced file locking with database locking. This method of locking is compatible with all systems as it does not require the ability to write files. It also allows for locking to work on sites that have multiple front-end servers with a shared database. Since file locking is no longer used, the Global Settings > Disable File Locking setting was removed.
202
  * Enhancement: Add "Copy to Clipboard" functionality for server and wp-config rules.
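Review bot: the "Added the itsec-get-ip filter to allow code to supply the remote IP directly" entry documents a hook that decides the address used for lockouts, bans and the security log, so the changelog (or the filter's docblock) should state that a callback may only trust a proxy header such as a forwarded-for value when the site sits behind a proxy the operator controls; without that caveat a site owner who wires the filter to a client-settable header lets any visitor choose which address gets locked out or banned. The entry "Bug Fix: Fixed way to work around Hide Backend on some hosts" is ambiguous: it reads either as closing a bypass of the Hide Backend feature or as repairing a host-compatibility workaround; rephrase it so users can tell whether this is a security fix they need to apply promptly.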
352
  * Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
353
  * Enhancement: The "Ban Lists" setting of Banned Users is now enabled by default.
354
 
355
  == Upgrade Notice ==
356
 
357
+ = 6.5.0 =
358
+ Version 6.5.0 contains important bug fixes and enhancements. It is recommended for all users.
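Review bot: the 6.5.0 upgrade notice reuses the generic 6.4.0 wording and omits the two changes users will actually notice after updating: the removal of the "Replace jQuery With a Safe Version" feature and the reworked SSL settings with the legacy options moved under Advanced; one sentence on each here, which wordpress.org shows in the update prompt, is more useful than "important bug fixes and enhancements" and lets site owners who depended on either feature plan the update.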