New Feature: The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro can now automatically apply the fix for you.
Enhancement: Added support for muting specific vulnerability notifications. After performing a new site scan, click the link for details about a vulnerability. Then click the "mute" button to stop being notified about that particular issue.
Enhancement: Remove quick bans. Persist banned hosts to .htaccess or nginx.conf on an hourly schedule.
Tweak: Cap banned hosts persisted to .htaccess or nginx.conf to the most recent 100. This number can be adjusted with the "itsec_ban_users_max_hosts_for_server_config" filter. Older banned hosts will be locked out after WordPress loads.
Bug Fix: File Change Security Message would not appear for new installs.
Bug Fix: Due to a Google reCAPTCHA API change, trying to use v3 or Invisible reCAPTCHA may have always resulted in the "You must submit the reCAPTCHA to proceed. Please try again." error. You may have to empty your server cache or browser cache to receive the fix.
Enhancement: Add super admins as a selectable role for User Groups.
Enhancement: Add reCAPTCHA to the Reset Password form.
Enhancement: Add support for resending a Two-Factor Email code.
Enhancement: Add support for resending a Passwordless Login email.
Enhancement: Allow selecting users across all sites in a network for User Groups, Security Profile cards, and User Security Check.
Enhancement: Include all super admins by default in the Security Profile card, even if they are not a member of the network's main site.
Enhancement: Display all of a user's roles in the Security Profile card.
Enhancement: When logging in with Passwordless Login, skip Two-Factor if the primary Two-Factor method is Email.
Enhancement: Force a space after each Two-Factor Backup Code to assist with copying and pasting.
Enhancement: Include the website URL in the download file for Two-Factor Backup Codes.
Enhancement: Add a warning if a WordPress Salt is set to an invalid value.
Enhancement: Allow re-entering the Two-Factor Onboard flow even after Two-Factor is set up by visiting /wp-login.php?itsec_after_interstitial=2fa-on-board directly.
Enhancement: Add a new WP CLI command for managing user Two-Factor enrollment.
Enhancement: Add a new WP CLI command for retrieving logs.
Enhancement: Include child log items in the logs list table. These are helpful for debugging issues.
Enhancement: Improve performance of the logs page on sites with a large number of log items.
Tweak: Only show Lockout Bypass Magic Link for valid users.
Tweak: When logging $_SERVER, only log a snapshot of available properties.
Bug Fix: New Password Requirements for already created accounts were not enforced until the second login.
Bug Fix: User Security Check would not display in Multisite.
Bug Fix: Prevent fatal error if invalid user IDs are encountered by User Groups.
Bug Fix: Infinite loop when trying to use Application Passwords on Multisite.
Bug Fix: User Logging did not correctly capture the user ID of the logged-out user on WordPress 5.3.
Bug Fix: Warnings when doing a settings import.
Deprecated: The "getlockouts", "releaselockout", and "getrecent" WP CLI commands. Use the "lockout" and "log" commands instead. They will be removed in a future release.
Important: Updated the Trusted Devices MaxMind GeoLite2 integration for MaxMind's new Terms of Service, which account for the CCPA. Users must now provide a free license key when using the MaxMind GeoLite2 Geolocation method.
Bug Fix: Backup event was not added when the WP Cron Scheduler was reset manually.
Bug Fix: Admin Notices Popover was not being hidden when clicking outside the Popover on WP 5.3.
Enhancement: Allow LastPass to autofill password fields.
Bug Fix: Passwordless Login would trip some ModSecurity rules when used with LastPass autofill.
Bug Fix: The username first Passwordless Login flow was not working on WordPress 5.3 if the user did not have permission to use Passwordless Login.
Bug Fix: Harden Version Management against plugins that were populating invalid update API data.
Bug Fix: The "Multisite Tweaks -> Hide Updates" setting prevented auto-updates from running with WP Cron.
Bug Fix: Remove "get_magic_quotes()" call that existed for backwards compatibility with PHP versions 5.3 and earlier. This function call was causing a warning on PHP 7.4.