iThemes Security (formerly Better WP Security) - Version 7.9.1

Version Description

  • Security: Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
  • Tweak: Add filters to short-circuit lock APIs.
  • Tweak: Remove non-SSL fallbacks for Security Check Pro and Version Management.
  • Bug Fix: Tweak checkbox styles.
  • Bug Fix: Improved compatibility with WP Engine.
  • Bug Fix: Pass the WP_Error object to the wp_login_failed hook.
  • Bug Fix: Prevent wp_no_robots deprecation warning on WordPress 5.7.

Release Info

Developer TimothyBlynJacobs
Version 7.9.1

Code changes from version 7.9.0 to 7.9.1

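--- a/better-wp-security.php
+++ b/better-wp-security.php
@@ -6,7 +6,7 @@
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
  * Author: iThemes
  * Author URI: https://ithemes.com
- * Version: 7.9.0
+ * Version: 7.9.1
  * Text Domain: better-wp-security
  * Network: True
  * License: GPLv2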
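--- a/core/core.php
+++ b/core/core.php
@@ -26,7 +26,7 @@ if ( ! class_exists( 'ITSEC_Core' ) ) {
  *
  * @access private
  */
- private $plugin_build = 4121;
+ private $plugin_build = 4122;
 
  /**
  * Used to distinguish between a user modifying settings and the API modifying settings (such as from Sync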
core/history.txt CHANGED
@@ -917,3 +917,8 @@
917
  Enhancement: Overwrite Restrict Content Pro's detected IP address with the IP detected by iThemes Security.
918
  Bug Fix: Passwords Requirements compatibility with Restrict Content Pro.
919
  Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.
 
 
 
 
 
917
  Enhancement: Overwrite Restrict Content Pro's detected IP address with the IP detected by iThemes Security.
918
  Bug Fix: Passwords Requirements compatibility with Restrict Content Pro.
919
  Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.
920
+ 6.0.1 - 2020-11-05 - Timothy Jacobs
921
+ Bug Fix: Improved compatibility with WP Engine.
922
+ 6.0.2 - 2020-12-16 - Timothy Jacobs
923
+ Tweak: Remove non-SSL fallbacks for Security Check Pro.
924
+ Bug Fix: Tweak checkbox styles.
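--- a/core/lib.php
+++ b/core/lib.php
@@ -744,6 +744,12 @@ final class ITSEC_Lib {
  */
  public static function get_lock( $name, $expires_in = 30 ) {
 
+ $pre_check = apply_filters( 'itsec_pre_get_lock', null, $name, $expires_in );
+
+ if ( null !== $pre_check ) {
+ return $pre_check;
+ }
+
  /** @var \wpdb $wpdb */
  global $wpdb;
  $main_options = $wpdb->base_prefix . 'options';
@@ -813,6 +819,11 @@ final class ITSEC_Lib {
  * @param string $name The lock name.
  */
  public static function release_lock( $name ) {
+ $pre_check = apply_filters( 'itsec_pre_release_lock', null, $name );
+
+ if ( null !== $pre_check ) {
+ return;
+ }
 
  $lock = "itsec-lock-{$name}";
 
@@ -2318,4 +2329,72 @@ final class ITSEC_Lib {
  public static function url_safe_b64_encode( $input ) {
  return str_replace( '=', '', strtr( base64_encode( $input ), '+/', '-_' ) );
  }
+
+ /**
+ * Compares the WordPress version with the given version.
+ *
+ * @param string $version The version to compare with.
+ * @param string $operator The operator.
+ * @param bool $allow_dev Whether to treat dev versions as stable.
+ *
+ * @return bool
+ */
+ public static function wp_version_compare( $version, $operator, $allow_dev = true ) {
+ global $wp_version;
+
+ if ( $allow_dev ) {
+ list( $wp_version ) = explode( '-', $wp_version );
+ }
+
+ return version_compare( $wp_version, $version, $operator );
+ }
+
+ /**
+ * Checks if the WordPress version is at least the given version.
+ *
+ * @param string $version The version to check WP for.
+ * @param bool $allow_dev Whether to treat dev versions as stable.
+ *
+ * @return bool
+ */
+ public static function is_wp_version_at_least( $version, $allow_dev = true ) {
+ return static::wp_version_compare( $version, '>=', $allow_dev );
+ }
+
+ /**
+ * Gets the WordPress login URL.
+ *
+ * @param string $action A particular login action to use.
+ * @param string $redirect Where to redirect the user to after login.
+ * @param string $scheme The scheme to use. Accepts `login_post` for form submissions.
+ *
+ * @return string
+ */
+ public static function get_login_url( $action = '', $redirect = '', $scheme = 'login' ) {
+ if ( 'login_post' === $scheme || ( $action && 'login' !== $action ) ) {
+ $url = 'wp-login.php';
+
+ if ( $action ) {
+ $url = add_query_arg( 'action', urlencode( $action ), $url );
+ }
+
+ if ( $redirect ) {
+ $url = add_query_arg( 'redirect_to', urlencode( $redirect ), $url );
+ }
+
+ $url = site_url( $url, $scheme );
+ } else {
+ $url = wp_login_url( $redirect );
+
+ if ( $action ) {
+ $url = add_query_arg( 'action', urlencode( $action ), $url );
+ }
+ }
+
+ if ( function_exists( 'is_wpe' ) && is_wpe() ) {
+ $url = add_query_arg( 'wpe-login', 'true', $url );
+ }
+
+ return apply_filters( 'itsec_login_url', $url, $action, $redirect, $scheme );
+ }
  }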
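Review bot: `wp_version_compare` rewrites the global `$wp_version` in place — `global $wp_version;` followed by `list( $wp_version ) = explode( '-', $wp_version );` strips any `-beta`/`-RC`/`-src` suffix from WordPress's own version string for the rest of the request whenever `$allow_dev` is true, which is the default. Anything that reads the global after the first `is_wp_version_at_least()` call may therefore see a different value than core set, which is not the intent of a comparison helper. Compare against a local copy instead: `$wp = $wp_version;` / `if ( $allow_dev ) { list( $wp ) = explode( '-', $wp ); }` / `return version_compare( $wp, $version, $operator );`. Separately, the `itsec_pre_get_lock` short-circuit in `get_lock` returns whatever the filter produced without checking its type, so the docblock above the function (it ends at line 744, outside the hunk) should state the return shape a filter callback must honour, e.g. `Returning a non-null value from 'itsec_pre_get_lock' short-circuits the lock and is returned to the caller as-is.`.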
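--- a/core/lib/class-itsec-lib-login-interstitial.php
+++ b/core/lib/class-itsec-lib-login-interstitial.php
@@ -190,7 +190,7 @@ class ITSEC_Lib_Login_Interstitial {
  */
  public function get_async_action_url( ITSEC_Login_Interstitial_Session $session, $action ) {
 
- $url = $this->get_base_wp_login_url();
+ $url = ITSEC_Lib::get_login_url( '', '', 'login_post' );
  $url = add_query_arg( array(
  'action' => "itsec-{$session->get_current_interstitial()}",
  self::R_USER => $session->get_user()->ID,
@@ -456,7 +456,7 @@ class ITSEC_Lib_Login_Interstitial {
 
  if ( isset( $_REQUEST[ self::R_SAME_BROWSER_DENY ] ) ) {
  $session->delete();
- wp_redirect( wp_login_url() );
+ wp_safe_redirect( ITSEC_Lib::get_login_url() );
  die;
  }
 
@@ -570,7 +570,7 @@ class ITSEC_Lib_Login_Interstitial {
  $session = $this->get_and_verify_session();
 
  if ( ! $interstitial->show_to_user( $session->get_user(), $session->is_current_requested() ) ) {
- wp_safe_redirect( wp_login_url() );
+ wp_safe_redirect( ITSEC_Lib::get_login_url() );
  die;
  }
 
@@ -591,8 +591,7 @@ class ITSEC_Lib_Login_Interstitial {
  $action = $session->get_current_interstitial();
  $interstitial = $this->registered[ $action ];
 
- $wp_login_url = $this->get_base_wp_login_url();
- $wp_login_url = add_query_arg( 'action', "itsec-{$action}", $wp_login_url );
+ $wp_login_url = ITSEC_Lib::get_login_url( "itsec-{$action}", '', 'login_post' );
 
  $interstitial->pre_render( $session );
 
@@ -895,24 +894,6 @@ class ITSEC_Lib_Login_Interstitial {
  die;
  }
 
- /**
- * Get the base wp login URL.
- *
- * @return string
- */
- private function get_base_wp_login_url() {
- add_filter( 'rcp_do_login_hijack', '__return_false', 100 );
- $wp_login_url = set_url_scheme( wp_login_url(), 'login_post' );
- remove_filter( 'rcp_do_login_hijack', '__return_false', 100 );
-
- if ( ( defined( 'WPE_PLUGIN_URL' ) || isset( $_GET['wpe-login'] ) ) && ! preg_match( '/[&?]wpe-login=/', $wp_login_url ) ) {
- $wpe_login = isset( $_GET['wpe-login'] ) ? $_GET['wpe-login'] : 'true';
- $wp_login_url = add_query_arg( 'wpe-login', $wpe_login, $wp_login_url );
- }
-
- return $wp_login_url;
- }
-
  /**
  * Get the next interstitial to be displayed.
  *
@@ -1061,8 +1042,8 @@ class ITSEC_Lib_Login_Interstitial {
  die;
  }
 
- $redirect = add_query_arg( self::R_EXPIRED, 1, wp_login_url() );
- wp_safe_redirect( set_url_scheme( $redirect, 'login_post' ) );
+ $redirect = add_query_arg( self::R_EXPIRED, 1, ITSEC_Lib::get_login_url( '', '', 'login_post' ) );
+ wp_safe_redirect( $redirect );
  die;
  }
 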
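--- a/core/lib/includes/function.login-header.php
+++ b/core/lib/includes/function.login-header.php
@@ -11,7 +11,12 @@ function login_header( $title = 'Log In', $message = '', $wp_error = '' ) {
  global $error, $interim_login, $action;
 
  // Don't index any of these forms
- add_action( 'login_head', 'wp_no_robots' );
+ if ( ITSEC_Lib::is_wp_version_at_least( '5.7' ) ) {
+ add_filter( 'wp_robots', 'wp_robots_sensitive_page' );
+ add_action( 'login_head', 'wp_strict_cross_origin_referrer' );
+ } else {
+ add_action( 'login_head', 'wp_no_robots' );
+ }
 
  add_action( 'login_head', 'wp_login_viewport_meta' );
 
@@ -201,4 +206,4 @@ function wp_login_viewport_meta() {
  <meta name="viewport" content="width=device-width" />
  <?php
  }
- endif;
+ endif;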
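Review bot: The new branch in `login_header` gates `wp_robots_sensitive_page` and `wp_strict_cross_origin_referrer` on `ITSEC_Lib::is_wp_version_at_least( '5.7' )`, i.e. on the version string rather than on the functions it is about to register; `if ( function_exists( 'wp_robots_sensitive_page' ) )` is the usual WordPress idiom, does not depend on how `$wp_version` is formatted, and matches how this same release already guards `is_wpe` in `ITSEC_Lib::get_login_url`. The identical version gate is used in `core/lockout.php` and `core/templates/lockout/lockout.php` and could be replaced the same way. `login_header`'s body continues outside the hunk.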
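--- a/core/lockout.php
+++ b/core/lockout.php
@@ -804,6 +804,10 @@ final class ITSEC_Lockout {
  @header( 'HTTP/1.0 403 Forbidden' );
  ITSEC_Lib::no_cache();
 
+ if ( ITSEC_Lib::is_wp_version_at_least( '5.7' ) ) {
+ add_filter( 'wp_robots', 'wp_robots_sensitive_page' );
+ }
+
  $actions = apply_filters( 'itsec_lockout_action_links', array(), $context );
 
  ob_start();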
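--- a/core/modules/hide-backend/class-itsec-hide-backend.php
+++ b/core/modules/hide-backend/class-itsec-hide-backend.php
@@ -21,7 +21,7 @@ class ITSEC_Hide_Backend {
  return;
  }
 
- add_action( 'itsec_initialized', array( $this, 'handle_specific_page_requests' ), 1000 );
+ add_action( 'setup_theme', array( $this, 'handle_specific_page_requests' ) );
  add_action( 'signup_hidden_fields', array( $this, 'add_token_to_registration_form' ) );
  add_action( 'login_enqueue_scripts', array( $this, 'login_enqueue' ) );
 
@@ -56,7 +56,7 @@ class ITSEC_Hide_Backend {
  if ( preg_match_all( '|(https?:\/\/((.*)wp-admin(.*)))|', $text, $urls ) ) {
  foreach ( $urls[0] as $url ) {
  $url = trim( $url );
- $text = str_replace( $url, wp_login_url( $url ), $text );
+ $text = str_replace( $url, ITSEC_Lib::get_login_url( '', $url ), $text );
  }
  }
 
@@ -121,7 +121,7 @@ class ITSEC_Hide_Backend {
  * @return void
  */
  private function handle_login_alias() {
- if ( isset( $_GET['action'] ) && $_GET['action'] === trim( $this->settings['post_logout_slug'] ) ) {
+ if ( isset( $_REQUEST['action'] ) && $_REQUEST['action'] === trim( $this->settings['post_logout_slug'] ) ) {
  // I'm not sure if this feature is still needed or if anyone still uses it. - Chris
  do_action( 'itsec_custom_login_slug' );
  }
@@ -135,7 +135,7 @@ class ITSEC_Hide_Backend {
  * @return void
  */
  private function handle_canonical_login_page() {
- $action = isset( $_GET['action'] ) ? $_GET['action'] : '';
+ $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
 
  if ( 'postpass' === $action ) {
  return;
@@ -292,7 +292,7 @@ class ITSEC_Hide_Backend {
  $url = $this->add_token_to_url( $url, 'register' );
  } elseif ( false !== strpos( $path, 'action=rp' ) ) {
  $url = $this->add_token_to_url( $url, 'login' );
- } elseif ( 'wp-login.php' !== $request_path || empty( $_GET['action'] ) || 'register' !== $_GET['action'] ) {
+ } elseif ( 'wp-login.php' !== $request_path || empty( $_REQUEST['action'] ) || 'register' !== $_REQUEST['action'] ) {
  $url = $this->add_token_to_url( $url, 'login' );
  }
  } elseif ( 'wp-signup.php' === $clean_path && 'wp-signup.php' !== $this->settings['register'] ) {
@@ -383,7 +383,7 @@ class ITSEC_Hide_Backend {
  * lead to a 404 page.
  */
  public function login_enqueue() {
- if ( ! empty( $_GET['action'] ) && 'register' === $_GET['action'] ) {
+ if ( ! empty( $_REQUEST['action'] ) && 'register' === $_REQUEST['action'] ) {
  wp_enqueue_style( 'itsec-hide-backend-login-page', plugins_url( 'css/login-page.css', __FILE__ ) );
  }
  }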
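Review bot: The move from `$_GET['action']` to `$_REQUEST['action']` in `handle_login_alias`, `handle_canonical_login_page`, the `wp-login.php` branch at line 295 and `login_enqueue` ties the login-page decision to PHP's `request_order` ini setting, because `$_REQUEST` is merged from `$_COOKIE` as well as `$_GET`/`$_POST` when that setting falls back to `variables_order`; the intent here appears to be "query string or form body", so reading those two arrays explicitly keeps the check host-independent, e.g. in `handle_canonical_login_page`: `$action = isset( $_POST['action'] ) ? $_POST['action'] : ( isset( $_GET['action'] ) ? $_GET['action'] : '' );` with the same pattern in the other three places. None of the four checks rejects a non-string `action`: the strict comparisons simply fail for an array, but `$action` in `handle_canonical_login_page` is then carried into the code after the hunk as whatever was submitted, so a `if ( ! is_string( $action ) ) { $action = ''; }` guard after the assignment would be worth adding. A one-line comment on the `setup_theme` registration explaining why that hook was chosen over `itsec_initialized` would also help the next reader, since the ordering requirement is not visible from the code. All four method bodies extend beyond their hunks.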
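--- a/core/modules/hide-backend/settings-page.php
+++ b/core/modules/hide-backend/settings-page.php
@@ -41,6 +41,7 @@ final class ITSEC_Hide_Backend_Settings_Page extends ITSEC_Module_Settings_Page
 
  ?>
  <p><?php _e( 'Hides the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks and making it easier for users unfamiliar with the WordPress platform.', 'better-wp-security' ); ?></p>
+ <p><?php _e( 'The login page may be exposed by WordPress Core, Plugins, or Themes when printing links to the login page. For example Privacy Request Confirmations or front-end login forms. Hide Backend shouldn\'t be used as a substitute for Strong Passwords.', 'better-wp-security' ) ?></p>
  <?php
 
  }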
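--- a/core/modules/security-check-pro/utility.php
+++ b/core/modules/security-check-pro/utility.php
@@ -212,11 +212,6 @@ final class ITSEC_Security_Check_Pro_Utility {
 
  $response = wp_remote_post( self::$api_url, $remote_post_args );
 
- if ( is_wp_error( $response ) && ( 'connect() timed out!' !== $response->get_error_message() ) ) {
- $url = preg_replace( '|^https://|', 'http://', self::$api_url );
- $response = wp_remote_post( $url, $remote_post_args );
- }
-
  if ( is_wp_error( $response ) ) {
  if ( 'connect() timed out!' === $response->get_error_message() ) {
  return new WP_Error( 'http_request_failed', __( 'The server was unable to be contacted.', 'better-wp-security' ) );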
core/package.json CHANGED
@@ -85,6 +85,7 @@
85
  "sass-loader": "^7.1.0",
86
  "style-loader": "^0.23.1",
87
  "svg-react-loader": "github:woutervanvliet/svg-react-loader",
 
88
  "webpack": "^4.29.5",
89
  "webpack-cli": "^3.2.3",
90
  "webpack-filter-warnings-plugin": "^1.2.1",
85
  "sass-loader": "^7.1.0",
86
  "style-loader": "^0.23.1",
87
  "svg-react-loader": "github:woutervanvliet/svg-react-loader",
88
+ "tmp": "^0.2.1",
89
  "webpack": "^4.29.5",
90
  "webpack-cli": "^3.2.3",
91
  "webpack-filter-warnings-plugin": "^1.2.1",
core/packages/components/src/checkbox-control/style.scss CHANGED
@@ -65,8 +65,9 @@ $checkbox-input-size-sm: 25px; // width + height for small viewports
65
  }
66
  }
67
 
68
- svg.dashicon.components-checkbox-control__checked {
69
  fill: #fff;
 
70
  cursor: pointer;
71
  position: absolute;
72
  left: -4px;
@@ -105,7 +106,9 @@ svg.dashicon.components-checkbox-control__checked {
105
  }
106
  }
107
 
108
- svg.dashicon.components-checkbox-control__checked.components-checkbox-control__checked--indeterminate {
109
  width: 16px;
 
 
110
  left: 0;
111
  }
65
  }
66
  }
67
 
68
+ .components-checkbox-control__input-container .dashicon.components-checkbox-control__checked {
69
  fill: #fff;
70
+ color: #fff;
71
  cursor: pointer;
72
  position: absolute;
73
  left: -4px;
106
  }
107
  }
108
 
109
+ .components-checkbox-control__input-container .dashicon.components-checkbox-control__checked.components-checkbox-control__checked--indeterminate {
110
  width: 16px;
111
+ font-size: 16px;
112
+ line-height: 20px;
113
  left: 0;
114
  }
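--- a/core/response.php
+++ b/core/response.php
@@ -245,7 +245,7 @@ final class ITSEC_Response {
  }
 
  $self->force_logout = true;
- self::redirect( add_query_arg( 'loggedout', 'true', wp_login_url() ) );
+ self::redirect( add_query_arg( 'loggedout', 'true', ITSEC_Lib::get_login_url() ) );
  }
 
  public static function redirect( $redirect ) {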
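--- a/core/templates/lockout/lockout.php
+++ b/core/templates/lockout/lockout.php
@@ -11,7 +11,11 @@
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link href="<?php echo plugin_dir_url( __FILE__ ) . 'lockout.css'; ?>" type="text/css" rel="stylesheet">
- <?php wp_no_robots(); ?>
+ <?php if ( ITSEC_Lib::is_wp_version_at_least( '5.7' ) ):; ?>
+ <?php wp_robots(); ?>
+ <?php else: ?>
+ <?php wp_no_robots(); ?>
+ <?php endif; ?>
  <title><?php esc_html_e( 'Forbidden', 'better-wp-security' ); ?></title>
  </head>
  <body id="error-page">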
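Review bot: Line 14 of the template reads `<?php if ( ITSEC_Lib::is_wp_version_at_least( '5.7' ) ):; ?>`; the `;` after the colon is an empty statement that PHP accepts but that reads as a typo, and it should be `<?php if ( ITSEC_Lib::is_wp_version_at_least( '5.7' ) ) : ?>`. The `wp_robots()` call on the next line emits nothing useful by itself; it relies on the `wp_robots_sensitive_page` filter that `core/lockout.php` attaches in this same release before the template is presumably rendered, so a short comment on that line, `<?php // directives come from the wp_robots filter added in ITSEC_Lockout ?>`, would make the dependency visible to anyone reusing the template from another path.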
history.txt CHANGED
@@ -913,3 +913,11 @@
913
  Bug Fix: Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
914
  Bug Fix: Passwords Requirements compatibility with Restrict Content Pro.
915
  Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.
 
 
 
 
 
 
 
 
913
  Bug Fix: Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
914
  Bug Fix: Passwords Requirements compatibility with Restrict Content Pro.
915
  Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.
916
+ 7.9.1 - 2021-04-14 - Timothy Jacobs
917
+ Security: Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
918
+ Tweak: Add filters to short-circuit lock APIs.
919
+ Tweak: Remove non-SSL fallbacks for Security Check Pro and Version Management.
920
+ Bug Fix: Tweak checkbox styles.
921
+ Bug Fix: Improved compatibility with WP Engine.
922
+ Bug Fix: Pass the `WP_Error` object to the `wp_login_failed` hook.
923
+ Bug Fix: Prevent wp_no_robots deprecation warning on WordPress 5.7.
package.json CHANGED
@@ -85,6 +85,7 @@
85
  "sass-loader": "^7.1.0",
86
  "style-loader": "^0.23.1",
87
  "svg-react-loader": "github:woutervanvliet/svg-react-loader",
 
88
  "webpack": "^4.29.5",
89
  "webpack-cli": "^3.2.3",
90
  "webpack-filter-warnings-plugin": "^1.2.1",
85
  "sass-loader": "^7.1.0",
86
  "style-loader": "^0.23.1",
87
  "svg-react-loader": "github:woutervanvliet/svg-react-loader",
88
+ "tmp": "^0.2.1",
89
  "webpack": "^4.29.5",
90
  "webpack-cli": "^3.2.3",
91
  "webpack-filter-warnings-plugin": "^1.2.1",
readme.txt CHANGED
@@ -2,8 +2,8 @@
2
  Contributors: ithemes, chrisjean, mattdanner, timothyblynjacobs
3
  Tags: security plugin, malware scanner, login security, malware prevention, hack prevention, brute force protection, anti-virus, secure, password protection, ban, bad bots, audit log
4
  Requires at least: 5.4
5
- Tested up to: 5.6
6
- Stable tag: 7.9.0
7
  Requires PHP: 5.6
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -189,6 +189,15 @@ Free support may be available with the help of the community in the <a href="htt
189
 
190
  == Changelog ==
191
 
 
 
 
 
 
 
 
 
 
192
  = 7.9.0 =
193
  * Important: iThemes Security requires WordPress 5.4 or later.
194
  * Enhancement: Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
@@ -622,5 +631,5 @@ Free support may be available with the help of the community in the <a href="htt
622
 
623
  == Upgrade Notice ==
624
 
625
- = 7.9.0 =
626
- Version 7.9.0 contains new features and bug fixes. It is recommended for all users.
2
  Contributors: ithemes, chrisjean, mattdanner, timothyblynjacobs
3
  Tags: security plugin, malware scanner, login security, malware prevention, hack prevention, brute force protection, anti-virus, secure, password protection, ban, bad bots, audit log
4
  Requires at least: 5.4
5
+ Tested up to: 5.7
6
+ Stable tag: 7.9.1
7
  Requires PHP: 5.6
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
189
 
190
  == Changelog ==
191
 
192
+ = 7.9.1 =
193
+ * Security: Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
194
+ * Tweak: Add filters to short-circuit lock APIs.
195
+ * Tweak: Remove non-SSL fallbacks for Security Check Pro and Version Management.
196
+ * Bug Fix: Tweak checkbox styles.
197
+ * Bug Fix: Improved compatibility with WP Engine.
198
+ * Bug Fix: Pass the `WP_Error` object to the `wp_login_failed` hook.
199
+ * Bug Fix: Prevent wp_no_robots deprecation warning on WordPress 5.7.
200
+
201
  = 7.9.0 =
202
  * Important: iThemes Security requires WordPress 5.4 or later.
203
  * Enhancement: Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
631
 
632
  == Upgrade Notice ==
633
 
634
+ = 7.9.1 =
635
+ Version 7.9.1 contains security and bug fixes. It is recommended for all users.
vendor-prod/composer/ClassLoader.php CHANGED
@@ -60,7 +60,7 @@ class ClassLoader
60
  public function getPrefixes()
61
  {
62
  if (!empty($this->prefixesPsr0)) {
63
- return call_user_func_array('array_merge', $this->prefixesPsr0);
64
  }
65
 
66
  return array();
60
  public function getPrefixes()
61
  {
62
  if (!empty($this->prefixesPsr0)) {
63
+ return call_user_func_array('array_merge', array_values($this->prefixesPsr0));
64
  }
65
 
66
  return array();
vendor-prod/composer/autoload_classmap.php CHANGED
@@ -259,15 +259,6 @@ return array(
259
  'Pimple\\Psr11\\ServiceLocator' => $vendorDir . '/pimple/pimple/src/Pimple/Psr11/ServiceLocator.php',
260
  'Pimple\\ServiceIterator' => $vendorDir . '/pimple/pimple/src/Pimple/ServiceIterator.php',
261
  'Pimple\\ServiceProviderInterface' => $vendorDir . '/pimple/pimple/src/Pimple/ServiceProviderInterface.php',
262
- 'Pimple\\Tests\\Fixtures\\Invokable' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/Fixtures/Invokable.php',
263
- 'Pimple\\Tests\\Fixtures\\NonInvokable' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/Fixtures/NonInvokable.php',
264
- 'Pimple\\Tests\\Fixtures\\PimpleServiceProvider' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/Fixtures/PimpleServiceProvider.php',
265
- 'Pimple\\Tests\\Fixtures\\Service' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/Fixtures/Service.php',
266
- 'Pimple\\Tests\\PimpleServiceProviderInterfaceTest' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/PimpleServiceProviderInterfaceTest.php',
267
- 'Pimple\\Tests\\PimpleTest' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/PimpleTest.php',
268
- 'Pimple\\Tests\\Psr11\\ContainerTest' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/Psr11/ContainerTest.php',
269
- 'Pimple\\Tests\\Psr11\\ServiceLocatorTest' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/Psr11/ServiceLocatorTest.php',
270
- 'Pimple\\Tests\\ServiceIteratorTest' => $vendorDir . '/pimple/pimple/src/Pimple/Tests/ServiceIteratorTest.php',
271
  'Psr\\Container\\ContainerExceptionInterface' => $vendorDir . '/psr/container/src/ContainerExceptionInterface.php',
272
  'Psr\\Container\\ContainerInterface' => $vendorDir . '/psr/container/src/ContainerInterface.php',
273
  'Psr\\Container\\NotFoundExceptionInterface' => $vendorDir . '/psr/container/src/NotFoundExceptionInterface.php',
259
  'Pimple\\Psr11\\ServiceLocator' => $vendorDir . '/pimple/pimple/src/Pimple/Psr11/ServiceLocator.php',
260
  'Pimple\\ServiceIterator' => $vendorDir . '/pimple/pimple/src/Pimple/ServiceIterator.php',
261
  'Pimple\\ServiceProviderInterface' => $vendorDir . '/pimple/pimple/src/Pimple/ServiceProviderInterface.php',
 
 
 
 
 
 
 
 
 
262
  'Psr\\Container\\ContainerExceptionInterface' => $vendorDir . '/psr/container/src/ContainerExceptionInterface.php',
263
  'Psr\\Container\\ContainerInterface' => $vendorDir . '/psr/container/src/ContainerInterface.php',
264
  'Psr\\Container\\NotFoundExceptionInterface' => $vendorDir . '/psr/container/src/NotFoundExceptionInterface.php',
vendor-prod/composer/autoload_real.php CHANGED
@@ -13,6 +13,9 @@ class ComposerAutoloaderInit35a2bd4feb347da0d3ea2d8ef023082f
13
  }
14
  }
15
 
 
 
 
16
  public static function getLoader()
17
  {
18
  if (null !== self::$loader) {
13
  }
14
  }
15
 
16
+ /**
17
+ * @return \Composer\Autoload\ClassLoader
18
+ */
19
  public static function getLoader()
20
  {
21
  if (null !== self::$loader) {
vendor-prod/composer/autoload_static.php CHANGED
@@ -292,15 +292,6 @@ class ComposerStaticInit35a2bd4feb347da0d3ea2d8ef023082f
292
  'Pimple\\Psr11\\ServiceLocator' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Psr11/ServiceLocator.php',
293
  'Pimple\\ServiceIterator' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/ServiceIterator.php',
294
  'Pimple\\ServiceProviderInterface' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/ServiceProviderInterface.php',
295
- 'Pimple\\Tests\\Fixtures\\Invokable' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/Fixtures/Invokable.php',
296
- 'Pimple\\Tests\\Fixtures\\NonInvokable' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/Fixtures/NonInvokable.php',
297
- 'Pimple\\Tests\\Fixtures\\PimpleServiceProvider' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/Fixtures/PimpleServiceProvider.php',
298
- 'Pimple\\Tests\\Fixtures\\Service' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/Fixtures/Service.php',
299
- 'Pimple\\Tests\\PimpleServiceProviderInterfaceTest' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/PimpleServiceProviderInterfaceTest.php',
300
- 'Pimple\\Tests\\PimpleTest' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/PimpleTest.php',
301
- 'Pimple\\Tests\\Psr11\\ContainerTest' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/Psr11/ContainerTest.php',
302
- 'Pimple\\Tests\\Psr11\\ServiceLocatorTest' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/Psr11/ServiceLocatorTest.php',
303
- 'Pimple\\Tests\\ServiceIteratorTest' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Tests/ServiceIteratorTest.php',
304
  'Psr\\Container\\ContainerExceptionInterface' => __DIR__ . '/..' . '/psr/container/src/ContainerExceptionInterface.php',
305
  'Psr\\Container\\ContainerInterface' => __DIR__ . '/..' . '/psr/container/src/ContainerInterface.php',
306
  'Psr\\Container\\NotFoundExceptionInterface' => __DIR__ . '/..' . '/psr/container/src/NotFoundExceptionInterface.php',
292
  'Pimple\\Psr11\\ServiceLocator' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/Psr11/ServiceLocator.php',
293
  'Pimple\\ServiceIterator' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/ServiceIterator.php',
294
  'Pimple\\ServiceProviderInterface' => __DIR__ . '/..' . '/pimple/pimple/src/Pimple/ServiceProviderInterface.php',
 
 
 
 
 
 
 
 
 
295
  'Psr\\Container\\ContainerExceptionInterface' => __DIR__ . '/..' . '/psr/container/src/ContainerExceptionInterface.php',
296
  'Psr\\Container\\ContainerInterface' => __DIR__ . '/..' . '/psr/container/src/ContainerInterface.php',
297
  'Psr\\Container\\NotFoundExceptionInterface' => __DIR__ . '/..' . '/psr/container/src/NotFoundExceptionInterface.php',