WP Security / Changelog

Changelog

= Versions Key (Major.Minor.Patch) =
* Major – 1.x.x increase involves major changes to the visual or functional aspects of the plugin, or removing functionality that has been previously deprecated. (higher risk of breaking changes)
* Minor – x.1.x increase introduces new features, improvements to existing features, or introduces deprecations. (low risk of breaking changes)
* Patch – x.x.1 increase is a bug fix, security fix, or minor improvement and does not introduce new features. (non-breaking changes)

= Version 2.6.3 =

*Release Date – 2 Jul 2024

* Bug Fix: An IP was getting blacklisted even though they were whitelisted when attempting to login with a restricted username.
* Minor Improvement: Added some type hinting for load performance and code stability
* Minor Improvement: Updated SDK dependency to version 2.7.3
* Minor Improvement: Updated some PHPDoc
* Minor Improvement: Updated PHP version checks
* Tested up to: 6.5.5

= Version 2.6.2 =

*Release Date – 31 May 2024

* Bug Fix: Fatal Error: constant WP_FS__DIR was conflicting with other plugins using freemius.
* Minor Improvement: Updated SDK dependency to version 2.7.2
* Minor Improvement: Updated PHP version checks
* Tested up to 6.5.3

= Version 2.6.1 =

*Release Date – 3 Nov 2023

* Bug Fix: In a local development environment using symlinks for the plugin’s directory, SDK was unable to reach local assets (css, js) thus causing display and functionality issue issues within the admin area.
* Minor Improvement: Minor code improvements and typo fixes
* Minor Improvement: Updated SDK dependency to version 2.6.0
* Minor Improvement: Updated minimum PHP recommendation to be based on current date
* Minor Improvement: Updated PHP version checks
* Tested up to 6.3.2

= Version 2.6.0 =

*Release Date – 4 Oct 2023

* Bug Fix: PHP fatal error encountered when adding a new site to a multisite environment.
* Bug Fix: Plugin namespace was causing scope issues when referring to core WP classes
* Security: Using updated sanitization methods on $_POST variables
* Improvement: Removed deprecated FILTER_SANITIZE_STRING and replaced with latest security sanitization
* Improvement: Forced blocked username list to be compatible with space delimiter and convert to new line
* Minor Improvement: Updated SDK dependency to version 2.5.12
* Minor Improvement: Enable plugin method needed to be statically defined and called
* Minor Improvement: Updated PHP version checks
* Tested with PHP versions 8.0, 8.1, 8.2
* Tested up to 6.3.1

= Version 2.5.2 =

*Release Date – 18 Jul 2023

* Security Fix: Updated SDK dependency to version 2.5.10

= Version 2.5.1 =

*Release Date – 4 May 2023*

* Bug Fix: The blacklist check and username blocking were firing in the wrong orders

= Version 2.5.0 =

*Release Date – 3 May 2023*

* New Feature: Automatically block common generic usernames and custom defined usernames
* New Feature: Prevent the registration of a username that is on the block list
* Bug Fix: Database tables were not automatically created on all active sites when the plugin was network activated or a new site was added to the network in a multisite environment
* Bug Fix: Custom db tables were not the correct charset and collate
* Bug Fix: Network admin plugins page displayed a link to the main site’s settings.
* Bug Fix: Site admin plugins page displayed a link to a dashboard page that did not exist.
* Bug Fix: If plugin settings were manually deleted via the database, the plugin would not recreate them automatically
* Improvement: Better load performance with PHP 7.4 type hinting
* Improvement: Updated username threat detection to use the default block list values
* Improvement: There were inconsistencies with how settings were referenced throughout the code.
* Improvement: Prevent plugin from loading if the minimum versions of WordPress and PHP are not installed
* Improvement: Updated SDK dependency to version 2.5.7
* Improvement: Updated PHP version checks
* Minor Improvement: Increased Minimum PHP Version to 7.4
* Minor Improvement: Increased Minimum WordPress Version to 5.3
* Minor Improvement: Added Versions Key to changelog
* Minor Improvement: formatting improvements to the readme.txt
* Tested up to 6.2.0

= Version 2.4.4 =

*Release Date – 05 Apr 2022*

* Security: Updated SDK to version 2.4.3 due to security vulnerability
* Security: Implemented escaping to prevent XSS
* Warning: Upcoming Version 2.5 will require a minimum PHP 7.4 and WordPress 5.3
* Improvement: Implemented centralized sanitization library for retrieval of all request variables for better reliability and consistency of sanitization
* Minor Improvement: Updated PHP version checks
* Tested up to 5.9.2

= Version 2.4.2 =

*Release Date – 06 Feb 2022*

* NOTICE: Upcoming Version 2.5 will require a minimum PHP 7.4 and WordPress 5.3
* Security: Improved XSS escaping throughout the admin pages.
* Bug Fix: The filter hooks into ‘authenticate’ were using add_action instead of add_filter
* Bug Fix: Some styling on the permissions table was not getting applied correctly due to missing class
* Improvement: Fix some PHP notices
* Minor Improvement: Updated PHP version checks
* Tested up to: 5.9

= Version 2.4.1 =

*Release Date – 04 March 2021*

* Bug Fix: Pantheon Hosting: files in the uploads directory now accept 770 permissions as secure
* Improvement: Removed the batch permissions dropdown and the update permissions button when no files/dirs are available to modify.

= Version 2.4.0 =

*Release Date – 28 February 2021*
*Release Notes: [https://wpsecuritysafe.com/changelog/version-2-4/](https://wpsecuritysafe.com/changelog/version-2-4/)*

* Added Feature: Automatically blocks IP addresses temporarily after numerous failed logins
* Added Feature: Import and Export settings are now included with the free version.
* Added Pro Feature: Advanced Automatic IP Blocking after numerous threats are detected.
* Improvement: Fixed some PHP warnings displayed when XML-RPC requests use poorly formatted XML. Thank you Charles Suggs for reporting this.
* Improvement: Adjusted cleanup script to leave allow/deny table for 3 days past expiration for more advanced threat detection.
* Improvement: Allowed IPs now get exempt from nonce checks.
* Improvement: Adjusted upgrade script to be more efficient with load.
* Improvement: Updated file permission statuses to be error, warning, and notice versus bad, ok, good
* Improvement: Adjusted Login Error handling so that the user is sent back to the login screen when the login attempt is blocked and the error is displayed.
* Improvement: Fixed various PHP Warnings: Thanks John Dorner for reporting them.
* Improvement: Automatically group and sort bad file permissions to the top of the file permissions table.
* Improvement: Changed the 404, login, and block charts from 7 days to 30 days of data to display.
* Improvement: Minor code improvements.
* Minor Improvement: Updated SDK to version 2.4.2
* Minor Improvement: Updated PHPDoc notes
* Minor Improvement: Updated PHP version checks
* Bug Fix: Pantheon Hosting: directories in the uploads directory now accept 770 permissions as secure
* Pro Bug Fix: Plugins files were not getting file permissions fixed after a plugin update.
* Tested up to: 5.6.2

= Version 2.3.2 =

*Release Date – 11 September 2020*

* Minor Improvement: Removed feature Local Login as it was triggering false positives due to browser caching issues.
* Minor Improvement: Updated PHP version checks
* Tested up to: 5.5.1

= Version 2.3.1 =

*Release Date – 05 January 2020*

* Bug Fix: version privacy for JS files conflicted with Google Recaptcha. Thank you Lynn Appleget for reporting this bug.
* Bug Fix: Plugin updates were not getting logged properly after an update.
* Bug Fix: Plugin would not initialize in a multi-site network.
* Bug Fix: Prevent caching of nonce for front-end login form
* Bug Fix: Some 404s were getting detected before a WP redirect was happening.
* Minor Improvement: Fixed PHP Notices
* Minor Improvement: Updated PHP version checks
* Minor Improvement: PHP version comparison logic improved
* Minor Improvement: Increase performance by reducing unnecessary method calls
* Minor Improvement: Updated SDK
* Tested up to: 5.4

= Version 2.3.0 =

*Release Date – 13 November 2019*

* Bug Fix: Administrator role was prevented from right-clicking and highlighting when these content protection features were enabled. This role should be excluded from these policies.
* Bug Fix: Fixed typo which had no affect on functionality due to fallback check.
* Improvement: Changed default settings to include “Make Website Anonymous” during updates and “Prevent WordPress version files from public access”.
* Improvement: Minor performance enhancements
* Increase PHP version requirement to match WordPress core.
* Tested up to: 5.3

= Version 2.2.3 =

*Release Date – 21 October 2019*

* Bug Fix: Local Login feature would not allow logins via front-end login forms created with wp_login_form(). Thank you @alfonsoborghi for the bug report.
* Bug Fix: An admin notice was not properly counting directories with OK permissions on the Files admin page.
* Bug Fix: Stats were attempting to record during system activities and thus throwing “WordPress database error Duplicate entry”
* Bug Fix: Search and bulk delete on the Firewall Allow/Deny admin page would trigger false flag admin errors regarding IP validation.
* Bug Fix: Sort filters on the Firewall admin page would trigger false flag admin notices.
* Bug Fix: Body class was being added to every page in the admin.
* Bug Fix: Duplicate policy disabled admin notices were appearing on admin pages using wp_list_table()
* Security: Added nonce to reset and save settings
* Security: Added nonce to add / remove Firewall rules
* Minor Improvement: Renamed nonces to prevent conflicts with other plugins
* Minor Improvement: Performance tuning to reduce function calls
* Minor Improvement: Changed default settings to include disabling XML-RPC and force Local Logins.
* Minor Improvement: Fixed a PHP Warning.
* Minor Improvement: Updated PHP version checks
* Tested up to: 5.2.4

= Version 2.2.2 =

*Release Date – 09 September 2019*

* Bug Fix: Cron cleanup scripts were failing.
* Improvement: Fixed two PHP errors.

= Version 2.2.1 =

*Release Date – 05 September 2019*

* Updated Feature: The local login feature was improved to be more reliable.
* Bug Fix: The local login feature was causing server errors on Pantheon servers. Thanks FullSteam Labs for the bug report.
* Bug Fix: The blacklist check was not functioning properly.
* Bug Fix: The sidebar was appearing on tabs that were full width of the screen.
* Bug Fix: The charts would not load in a local development environment without an active internet connection.
* Bug Fix: Fixed minor styling anomalies when viewing admin in Spanish
* Pro Bug Fix: File corrupt error displayed if imported settings already matched the current settings.
* Improvement: Added more i18n language support.
* Improvement: The form that adds an IP to the firewall is more user-friendly
* Improvement: Added ability to make notes when manually adding IPs to the firewall
* Improvement: Fixed some minor PHP notices.
* Improvement: Added ‘Status’ column and filter to Firewall page.
* Improvement: Added additional information to the ‘Details’ column.
* Improvement: Converted the Firewall page to include all detected threats
* Improvement: Added Spanish Translations
* Minor Improvement: Updated logo and minor styling
* Minor Improvement: Updated PHP version checks
* Security: Added additional sanitization for logging
* Tested with ManageWP Version 4.9.1
* Tested up to: 5.2.3

= Version 2.1.1 =

*Release Date – 15 July 2019*

* Bug Fix: Session handling conflicted with some admin features in oddball scenarios
* Improvement: Fixed a PHP Warning

= Version 2.1.0 =

*Release Date – 15 July 2019*

* Bug Fix: WP Cron activities were not recording to activity log (Only visible in debug mode)
* Bug Fix: Charts do not display properly until an entry has been initially added to stats.
* Bug Fix: Styling issue with wp_table_list pagination
* Bug Fix: Search field not working on log tables
* Bug Fix: Admin notices would not display for policies that were disabled or if wp cron was disabled using DISABLE_WP_CRON.
* Bug Fix: The admin notices were not displaying bold properly
* Improvement: Fixed some PHP notices, thanks to Charles Suggs
* Improvement: Excluded user roles super admin, administrator, editor, and author from text highlighting and right-click content protection while logged in
* Minor Improvement: Updated SDK
* Improvement: Implemented better session handling for increased load performance
* Improvement: Added more i18n language support.

= Version 2.0.2 =

*Release Date – 10 June 2019*

* Improvement: In some outlying circumstances, the DB tables do not get created. A failsafe was added to create the tables if the insertion of a record failed.
* Bug Fix: The new DB tables get created if the plugin is disabled and then enabled, but not after an update process.

= Version 2.0.0 =

*Release Date – 10 June 2019*

* Bug Fix: Security Safe would unintentionally recommend a lower version of PHP if the user had a newer version higher than the known versions.
* Added Feature: Log 404 Errors
* Added Feature: Log Successful and Failed Logins
* Added Feature: Manage Denied / Allowed IP Addresses
* Added Feature: Log Blocked Access Attempts
* Added Feature: Log Security Vulnerability Probing
* Added Feature: Statistics and Charts
* Improvement: Force Local Logins setting now records blocked attempts.
* Improvement: Cleaned up some PHP Notices in error log.
* Improvement: Updated namespacing to support future plugins
* Improvement: Updated directory structure for better scalability
* Improvement: Minor code standardization updates
* Improvement: Performance testing and optimization
* Improvement: Minor styling updates
* Minor Improvement: Updated PHP version checks
* Security: Added additional security to prevent XSS
* Tested up to: 5.2.1

= Version 1.2.3 =

*Release Date – 01 March 2019*

* Security: Updated SDK
* Minor Improvement: Updated PHP version checks
* Tested up to: 5.1

= Version 1.2.2 =

*Release Date – 9 December 2018*

* NOTE: PHP 5.6 and 7.0 are now identified as no longer supported due to end of life.
* Improvement: Converted plugin variables to constants for efficiency and updated all references
* Improvement: Updated PHP version checks
* Tested up to: 5.0

= Version 1.2.1 =

*Release Date – 22 September 2018*

* Bug Fix: WP-CLI does not properly set variables and causes fatal error when attempting to load plugin. Thank you Brian Medlin.

= Version 1.2.0 =

*Release Date – 22 September 2018*

* Improvement: Automatically display file permission issues at the top of the list of files.
* Improvement: Removed Composer autoloading to increase efficiency
* Improvement: Reduced PHP memory usage to increase performance
* Improvement: Added Freemius integration
* Improvement: Updated PHP version checks
* Improvement: Minor UI styling
* Bug Fix: UI Styling issues in WP 3.5
* Bug Fix: Some WP-CLI commands return blank responses due to plugin killing PHP process. Thank you Brian Medlin for the discovery.
* Added Feature: Remove WP Version in wp-admin
* Pro: Added Feature: Import / Export Settings
* Pro: Added Feature: Automatic fix plugin permissions on plugin updates.
* Pro: Added Feature: Automatic fix theme permissions on theme updates.
* Pro: Added Feature: Automatically hide files with permissions that cannot be changed.
* Compatibility testing with WordPress version 3.5
* Tested up to: 4.9.8

= Version 1.1.13 =

*Release Date – 17 August 2018*

* Bug Fix: Individual policy disabled notice was visible when all notices were disabled.
* Added Feature: Clear PHP Cache Before Updates
* Improvement: Updated descriptions of features in settings.
* Improvement: Updated PHP version checks.

= Version 1.1.12 =

*Release Date – 4 July 2018*

* NOTICE: Update to this version if you are having issues with your settings.
* Improvement: Automatically detects if settings are corrupted and resets them to default values.
* Improvement: Updated the initial/default settings.
* Improvement: Updated PHP version checks.

= Version 1.1.11 =

*Release Date – 3 July 2018*

* Bug Fix: Cannot change file permissions. Bug introduced in version 1.1.10.
* Bug Fix: File Policy settings get cleared out when attempting to change file permissions. Bug introduced in version 1.1.10.
* Bug Fix: Initial settings were not properly being set. Bug introduced in version 1.1.10.
* Bug Fix: debug.log file does not remove itself when debugging is turned off.
* Improvement: Cleaned up some PHP Notices in error log.
* Improvement: Added additional logging for troubleshooting bugs.

= Version 1.1.10 =

*Release Date – 26 June 2018*

* Bug Fix: After a group of policies are enabled, the disabled warning notice still appears immediately after saving, but goes away after navigating to another page.
* Bug Fix: When all security policies are disabled, the notice was incorrectly referring to “General Settings” which no longer exists.
* Bug Fix: When a group of policies are disabled, the warning notice would instruct the user to go to the relative settings page even if the user was already on that specific page.
* Bug Fix: Page would not go back to the top when a page anchor was used in the URL and settings were saved.
* Improvement: Improved usability by Adding color indicators within the settings tab to match the notices related to the specific setting.
* Improvement: Added Priorities to the changelog to indicate the urgency of an update.
* Thank you @df03472 for notifying us about the bugs above.

= Version 1.1.9 =

*Release Date – 14 June 2018*

* Bug Fix: Security Safe Admin page styling breaks when other plugins add classes to the body.

= Version 1.1.8 =

*Release Date – 12 June 2018*

* Bug Fix: Reference to wp-content was incorrect as a fallback default value when using custom plugin directory outside of wp-content directory.
* Security: Prevent Administrators of a multisite environment from modifying settings unless they are Super Admin.
* Added Support: Add support for backup logging.
* Tested Multi-site Compatibility
* Improvement: Increased plugin load efficiency

= Version 1.1.7 =

*Release Date – 06 June 2018*

* Added Feature: Hide password protected posts from public queries.
* Bug Fix: Changing permissions of the home directory has been reported to cause issues when loading the website. Use default permissions set by the host.
* Bug Fix: Duplicate notices were being displayed in the Files section.
* Bug Fix: Fixed broken link in notice message.
* Improvement: Moved certain notices regarding features to the specific areas of each settings tab.
* Improvement: Updated PHP version checks
* Improvement: Minor grammatical corrections
* Tested up to version 4.9.6

= Version 1.1.6 =

*Release Date – 08 May 2018*

* Bug Fix: If a child theme is used, only the parent theme files were appearing in the theme files permissions audit list.
* Improvement: Updated PHP version checks

= Version 1.1.5 =

*Release Date – 23 April 2018*

* Added Feature: Prevent Access to readme.html and license.txt core files.
* Added Feature: Notifications for file permissions displaying totals of vulnerable files.
* Improvement: Updated file permission status color scheme to match WP notifications.
* Improvement: Updated PHP version checks and added notifications.
* Security: Added additional security measures when handling $_POST variables.
* Bug Fix: Changed status of files from “good” to “secure” for all files that should only be 644 permissions.
* Bug Fix: When using the Hide Script Versions feature, CSS and JS files cache would not update for the browser until the next day after a plugin or theme was updated.
* Bug Fix: After the user pressed the Reset Settings button, the content on the page would not display.
* Added support for Security Safe Pro Add-on.
* Tested up to version 4.9.5

= Version 1.1.3 =

*Release Date – 25 February 2018*

* Added Feature: Hide WordPress Version from the RSS feed.
* Added Feature: Hide Script Versions from enqueued CSS and JS files
* Bug Fix: Hide WordPress stays on despite the settings value
* Bug Fix: An error is displayed when saving settings if the settings are the same in the database.

= Version 1.1.2 =

*Release Date – 20 February 2018*

* Bug Fix: Icon CSS conflict with other icon plugins

= Version 1.1.1 =

*Release Date – 20 February 2018*

* Added Feature: Disable text highlighting to deter copying content
* Added Feature: Disable right clicking to deter copying content
* Added Feature: Fix file permissions
* Added Feature: Make website anonymous when checking for updates
* Added Feature: Plugin information tab for debugging purposes
* Bug Fix: Database was including nonce and referrer when saving settings
* Improvement: Update UI styling
* Thank you @epohs and @isabisa for file permissions UI testing and feedback
* Tested up to: 4.9.4

= Version 1.0.3 =

*Release Date – 24 January 2018*

* Added Feature: Server software version auditing
* Added Feature: Theme file permissions auditing
* Added Feature: Plugins files permissions auditing
* Bug Fix: Plugin version history was not logging properly
* Bug Fix: Automatic Updates were not running when the settings were selected
* Security: Added Nonce to admin forms
* Security: Removed the absolute path from file permissions auditing
* Improvement: File permissions were expanded to include all files and folders of WordPress base directory
* Improvement: Minor code standardization
* Improvement: Updated all screenshots
* Tested up to: 4.9.2

= Version 1.0.2 =

*Release Date – 10 January 2018*

* Bug Fix: File permissions would display files and directories even if they did not exist
* Bug Fix: File permissions status would display Bad if the ‘world’ had no permissions to read, write, or execute
* Bug Fix: Directory structure references relied on constants that could potentially conflict with custom site directory structures

= Version 1.0.1 (Initial Release)=

*Release Date – 09 January 2018*

* Initial Release
* Thank you @daggerhart for plugin development feedback
* Thank you @cfullsteam for PHP structure feedback