Changelog

2.2.3 – 14 September 2022

  • Update: Malware Database v22.9.14
  • Security Fix#985: IP Spoofing, thanks to Calvin Alkan on https://snicco.io/
  • Fix#987: new passwordless UI didn’t need to validate the captcha to get the magic link
  • Fix#986: unban link for admins does not always work
  • Fix#984: fix “two factor authentication” plugin detection
  • Fix#981: Move Login could be activated without pretty permalinks
  • Fix#980: key regeneration button is hidden by the helpers style
  • Fix#962: Ranged IPs can prevent ip detection to be blocked
  • Fix global i18n

2.2.2 – 08 August 2022

  • Update: Malware Database v22.8.2
  • New#961: New UI/UX for PasswordLess Module!
  • Fix#976: WPML was adding a suffix to the PHP constant WP_HOME
  • Fix#975: Salt key mu plugin in double + auto login
  • Fix#974: Error message: Uncaught TypeError: explode(): Argument #2 ($string) must be of type string, array given in /pro/modules/firewall/plugins/bad-referer.php:13
  • Fix#972: Salt keys scanner too loose
  • Fix#971: Undefined array key “registration” in /free/modules/users-login/plugins/move-login.php on line 205
  • Fix#969: Remove user enumeration made using query parameters on REST API calls
  • Fix#965: NULL Coalescing Operator in pro/modules/firewall/tools.php on line 182
  • Fix#917: Uncaught Error: Call to undefined function secupress_status()
  • Fix global i18n

2.2 β€” 03 January 2022

  • New#930: Scan for @include as a malware in wp-config.php only (known for that)
  • New#932: Add support for .php[12345678] .phtml files in malware scanner
  • New#937: New option to force FTP creds when adding a theme or plugin, see “Disable .zip uploads” in “Plugins & Themes” module page
  • Improvement#455: Add filters to all our email subject and messages. Search for “secupress.mail.”
  • Improvement#954: Better filetree for both free and pro version. No more /core, /inc, no more 2 uninstall files, no more weird file inclusions.
  • Improvement#885: remove FaceBook share button
  • Improvement#931: Do not log 404 that are redirected by SEO plugins
  • Improvement#935: Support MemberPress to prevent login out of passwordless when activated
  • Improvement#958: Update zxcvbnphp lib
  • Fix#889: files from core still show themes as diff files
  • Fix#944: PHP Notice: Undefined variable: ip in/core/functions/ip.php on line 59
  • Fix#945: Uncaught Error: Object of class stdClass could not be converted to string in /core/modules/plugins-themes/tools.php:174
  • Fix#946: PHP Fatal error: Uncaught Error: Call to a member function views() on null in /core/classes/common/class-secupress-logs-list.php:165
  • Fix#947: set_time_limit() is forbidden on infomaniak, leads to fatal error in PHP8+
  • Fix#948: Whitelabel is not displaying a plugin author url in settings
  • Fix#949: missing subfolder in secupress_bad_file_extensions_get_regex_pattern
  • Fix#950: i18n files showing up in core file differences
  • Fix#951: “toggle all” checkbox in “file core diff” does not work
  • Fix#950: i18n files showing up in core file differences
  • Fix#955: PHP Fatal error: Uncaught TypeError: count(): Argument #1 ($value) must be of type Countable|array, null given in /core/admin/multisite/settings.php:96
  • Fix#957: Move Login can still disclose the login page when registration is disabled.

2.1.1 β€”Β 22 October 2021

  • Fix#941: Warning: explode() expects parameter 2 to be string, array given in secupress-pro/inc/modules/firewall/plugins/bad-referer.php on line 13
  • Fix#940: DB scan error on XMLHttpRequest
  • Fix#939: secupress_stop_user_enumeration_rest() does not return the $response param
  • Fix#929: hidden passwords in logs always add variables in global arrays

2.1 β€” 04 October 2021

  • New: Compatibility WP 5.8+
  • New#920: New GeoIP Database API
  • New#921: New Plugins and Themes vulnerability database using Patchstack.com
  • New#923: New Sessions Control Details
  • Fix#925: Fatal error: Uncaught ArgumentCountError: Too few arguments to function add_site_option(), 1 passed in secupress-pro/inc/admin/migrate.php on line 31 and exactly 2 expected
  • Fix#926: “Nothing found” not displayed in malware scanner
  • Fix#928: Fatal Error : Uncaught Error: Unknown named parameter $new PHP8
  • Improvement#916: Add hook in PHP 404
  • Fix#919: PHP Fatal error: Uncaught TypeError: array_map(): Argument #2 ($array) must be of type array, bool given in secupress_get_malwarescastatus_admin_post_cb
  • Fix#918: Move Login in subfolder (again and again and again!)
  • Fix#917: Uncaught Error: Call to undefined function secupress_status()

2.0.3 – 12 April 2021

  • Improvement#909: add hook in secupress_update_https_detection_errors
  • Improvement#910: Constant SECUPRESS_ALLOW_LOGIN_ACCESS will also work for our Captcha
  • Improvement#914: fr_BE & fr_CA = fr_FR
  • Fix#913: user_can can lead to fatal error (see https://core.trac.wordpress.org/ticket/52076)
  • Fix: undefined functions (free version only)
  • Fix: Captcha save button was not available (free version only)
  • Fix: role was not translated in the alerts

2.0.2 – 06 April 2021

  • Improvement: Add Jetpack SSO as supported 2FA
  • Improvement: Add a few forbidden names in “bad login IDs” module
  • Fix: Emails for PasswordLess were not sent or sent in spam. (WP 5.7.1 will also fix this)
  • Fix: Export Mode not read correctly
  • Fix: 3 undefined index PHP warning
  • Fix: 2 possible PHP fatal error (but won’t break the front site)
  • Fix: Move Login with WP running in a subdir was broken since 2.0

2.0.1 – 29 March 2021

  • New#905: Expert Mode has been added as a simple checkbox (but already available since 1.4.6 – 9 august 2018 ;p so, “new” feature)
  • Improvement#885: Extend allowed request methods
  • Improvement#893: Test if file exists be fore being tagged as PHP404 to prevent false positives
  • Improvement#894: Better HTTPS tests
  • Improvement#896: Emails from SecuPress will now come from the admin email address instead of noreply@ (the WP filter hook wp_mail_from is still usable)
  • Improvement#901: New way to propose deactivation on incompatible plugins + force deactivation on plugins that directly enters in conflict
  • Improvement#906: ?wp_lang param was not usable on moved login pages
  • Fix#897: A Grade was not accessible even with all the tests OK
  • Fix#898: WordPress Site Health page is back!
  • Fix#900: Undefined Index on step4
  • Fix#902: Update WP_Background_Process Lib
  • Fix#904: Locked Default Role was not deactivable
  • Fix#903: Database Prefix Rename feature didn’t renamed the checked tables
  • Fix#907: Alerts Emails contains HTML tags

2.0 aka Python (Mark XX) – 05 March 2021

  • New#318: Malware Scan on DataBase
  • New#332: WordPress Core > Change DB Prefix Manually
  • New#399: WordPress Core > Renew you security keys in one click
  • New#531,769: Revamp the Malware Scan Module: better detection, more detection (and remove the delete file button, sorry)
  • New#575: Addon Module Page
  • New#791: WordPress Wore > Lock admin_email, default_role, membership settings from WP
  • New#821: Your Grade can not get a “+”, and the A Grade is more accessible
  • New#823: Sensitive Data > Prevent 404 guessing
  • New#825: PHP8 Compatibility
  • New#828: WordPress Core > Lock home_url and site_url
  • New#863: Main Scanner > You can now scan a specific item
  • New#866: fr_BE and fr_CA will get the fr_FR translations
  • New#870: New php constant SECUPRESS_ALLOW_GEOIP_ACCESS to bypass geoip auto blocking
  • New#872: FireWall > Block Bad referers
  • New#873: Alerts > Slack Notifications
  • Improvement#184: Add the total of scanners when displayed (like 22/35)
  • Improvement#187,292,783: Better uninstallation of the whole plugin (wp-config & htaccess content, mu-plugins)
  • Improvement#194,220,395,482,579,775,789,809,812,840,842,871: Better wording, i18n, explanations, remove “Cheatin’uh?”, remove whitelist/blacklist, remove masculin terms in french to be more epicene + do not ever use WP text domain and keep our trad at home
  • Improvement#229: Add links to related modules in schedules page
  • Improvement#740: Reset button with JS confirmation (but at the same time, remove the button for now, see blog post)
  • Improvement#752: Better report email subject
  • Improvement#753: Remove the obsolete Block SQLi option
  • Improvement#754: Stop main scanner after 3 minutes
  • Improvement#778: Remove the date by month in security keys to prevent too many disconnection and prevent some bad dev based on thoses keys to mess up (please do not relay on these keys, use wp_salt()…)
  • Improvement#781: Better anti hotlink to prevent possible 404 urls on our fake image + allow google image
  • Improvement#782: Change recommandations for PHP Version to be more flexible
  • Improvement#786: Add “wp-config-sample.php” to old WordPress files
  • Improvement#796: Add the found IP in filter secupress.ip.default_ip
  • Improvement#800: Import settings will now import htaccess modifications (based on activated modules, not in the exported file)
  • Improvement#808: return HTTP response code matching the data passed to secupress_die (props @jeherve)
  • Improvement#815: Hide all login errors instead of a list
  • Improvement#822: Grade is included in the email subject
  • Improvement#827: Email only if grade has changed and is worst
  • Improvement#831: Remove license.txt, wp-config-sample.php, readme.html from being missing files in malware scanner
  • Improvement#834: Remove notices about wp-config.php and .htaccess not writable
  • Improvement#835: Remove SCRIPT_DEBUG from wp-config scanner
  • Improvement#837: Better secupress.plugin.passwordless_email_message replacements
  • Improvement#855: Empty User-Agent is not a bad one anymore
  • Improvement#860: On module (de)activation, rescan the test if present
  • Improvement#861: Do a JS check on captcha module to be sure it can be activated
  • Improvement#862: If a scanner gone bad, send it to alerts
  • Improvement#865: Remove the “ask old password” option
  • Improvement#876: Our mu-plugins won’t work if SP is not activated
  • Fix#362: SecuPress tables tagged as unknown when autofix the DB prefix switch
  • Fix#471: Remove unwanted columns in Logs pages
  • Fix#499: .htaccess path was not correct with ABSPATH
  • Fix#547: Remove “www.” in domain for antihotlink (for multisite subdomains)
  • Fix#746: Notice: “listMessage is not a constant”
  • Fix#762: Fix displaying wrong confirmation message when addind multiple IP to (dis)allow
  • Fix#767: Notice: “Undefined index: SERVER_PORT/HTTP_HOST in core/functions/common.php on line 797/800”
  • Fix#774: Remove the warning emoji in move login message
  • Fix#779: Email confirmation is present at each connection when move login is activated
  • Fix#784: Cannot use move login when pro is installed but not activated with the license
  • Fix#788: Settings link in plugins page is not correct with white label
  • Fix#792: Update doc links with https
  • Fix#793: Update Support for 2FA 3rd party
  • Fix#798: Google Bot was blocked due to a bad method query
  • Fix#801: Block double slashed users route from REST API
  • Fix#802,875: Remove old obsolete devs from <2.0 (recovery_email, support)
  • Fix#804: Double auth still displays 2 fields
  • Fix#814: API Keys can’t be hidden anymore
  • Fix#817: AntiSpam let any comment pass, sometimes…
  • Fix#818: If WooCommerce, do not scan login errors
  • Fix#819: Fatal error on GeoIP update (in background, your site was not harmed)
  • Fix#824: Display strange chars in Grade
  • Fix#830: Notice: “Undefined index: move-login_custom_page_url”
  • Fix#838: Move Login password page won’t work
  • Fix#855: Do not display SecuPress in admin footer and if hide WordPress version active, hide it in admin footer too
  • Fix#879: Missing items in our admin bar menu
  • Security Fix#844: A visitor can ban any IP

1.4.12 – 26 May 2020

  • Fix: Don’t ban IP, just block. This will prevent false positives on Banned IPs but still can block bad stuff.
  • Removed: The AntiFront BruteForce feature doesn’t exist anymore, too much false positive since now, websites can need may requests.

1.4.11.1 – 22 Fev 2020

  • Fix: fatal error during cron background tasks

1.4.11 – 18 November 2019

  • Improvement#759: GeoIP blocked IP will be logged as “critical” now.
  • Improvement#748: Antibrute Force on Front will be logged as “critical” now.
  • Improvement#749: You can now use the PHP bypass constant SECUPRESS_ALLOW_LOGIN_ACCESS for both Move Login and PasswordLess.
  • Fix#772: PasswordLess fields were not correct since WP 5.3
  • Fix#771: Move Login “logout” link was not correct since WP 5.3
  • Fix#768: “Prevent User Creation” was preventing users to change their passwords
  • Fix#763: Alerts modules was not activated on demand
  • Fix#757: “Site Health” will not be an empty page anymore when you didn’t scanned yet your site with SP.
  • Fix#755: PHP Error message with secupress_get_submodule_file_path()
  • Fix#747: Brute Force module activation does not requires 2 clicks on save button.
  • Fix#746: Message more specific when switching to pro version.
  • Fix#745: Purge the bruteforce table more efficiently
  • Fix#744: Banned IPs are now the top prio over “bad url content” module
  • Fix#743: Better datation for banned IPs
  • Fix#742: Better hooks content for secupress.plugin.passwordless_email_activation_subject and secupress.plugin.passwordless_email_activation_message
  • Fix#726: Uncaught Error: Call to a member function views() on null in /inc/classes/common/class-secupress-logs-list.php:165

1.4.10 – 26 August 2019

  • New Feature#736: Do not allow User Creation
  • Fix#737: Blacklist IP didn’t worked as expected, fixed now.
  • Fix#733: Add a try/catch on shell_exec test to prevent fatal errors (seems that functions_exists is not enough oO)
  • Improvement#734: Prevent the plugin to be tagged as malicious because of all the “bad words” contained in the code

1.4.9.4 – 14 August 2019

  • Fix the “secupress_filter_scanner” PHP error, props Loic Martin

1.4.9.3 – 24 July 2019

  • SF Move Login is not allowed anymore as a replacement plugin for our Move Login module
  • A new filter `secupress.move-login.override-plugins` is not there to add your plugin if needed.
  • Fix#729: Improve the detection of bad contents
  • Fix#731: Site Health page is on error is no scanner has been done yet (of course !)
  • Fix#732: Some menus links could be modified by SecuPress
  • Fix#536: Translations in pro were having “secupress” domain instead of “secupress-pro”…
  • Security Fix: Move Login will not display the new login page in an certain exploit (see secupress.me blog, related to “wps hide login” flaws)

1.4.9.2 – 21 June 2019

  • Improvement: Add more details on block page for better support
  • Fix: Remove some agressive bad content rules that triggered the block page too often
  • Fix: Fatal error on plugin activation if a module has to be silently activated (not so often)
  • Fix: Better result for some scanners that were not valid (but the protection was there!)

1.4.9.1 – 18 June 2019

  • Fix: Fatal Error on Pro update for some users

1.4.9 – 17 June 2019

  • New: New scanners to match Site Health: HTTPS, Communication with WP.org.
  • New#707: New Site Health page from WP 5.2 is now managed by SecuPress for all “security” points.
  • Improvement: Remove 2 textarea fields from firewall, too many times blocked by hosts, use a hook if you really want to customize the rules.
  • Improvement#717: Update firewall rules with custom 7G rules.
  • Improvement#701: GeoIP Module is now compatible with IPv6.
  • Improvement#705: Move Login can now be configured to display a custom message or redirect on a custom page.
  • Improvement#721: Whitelist and Blacklist in “log” module are now compatibles with IPv6, IP ranges and IP lists than can be copy/pasted.
  • Improvement#724: Remove all actions before get_users() for passwordless to prevent someone/a plugin to hack the list, resulting on not being possible to log-in.
  • Improvement#725: Function secupress_send_mail() replace blogname with url if empty, yes it exists.
  • Fix#705: Updates (for SecuPress of other plugin, sometimes) were not always visible.
  • Fix#709: “Alerts” settings were not saved correctly.
  • Fix#720: Uncaught Error: Call to undefined function secupress_filter_scanner()
  • Fix#723: Antispam forbid usage of pb and tb is removing too much.

1.4.8 – 30 april 2019

  • Improvement#696: add blogname in the email in secupress_retrieve_password()
  • Improvement#697: Update the PHP minimum values. Bye 5.x, welcome 7.x
  • Improvement#698: remove admin-bar.php from the bad url access scanner
  • Improvement: Remove the “page protect” module, we don’t need this protection finally.
  • Improvement: Various CSS and PHP improvements.
  • Fix#686: (again) The scanner for “bad user agent header” could not read the correct value, Grade A was not possible, it’s back in the game!
  • Fix#700: fix geoips db table name
  • Fix#702: Warning: "continue" targeting switch is equivalent to "break". in /secupress/inc/classes/settings/class-secupress-settings.php on line 972
  • Fix#703: Notice: Undefined index: confidence in /secupress/inc/modules/antispam/plugins/fightspam.php on line 732

1.4.7 – 26 september 2018

  • New#689: Dark Mode compatibility! Check https://wordpress.org/plugins/dark-mode/ (merge in core proposed)
  • Improvement#680: Add all “debug” and “.log” files to the “anti disclose readme/changelog” feature
  • Improvement#683: Add 2 filters on captcha messages to replace the default “Yes iβ€˜m a human” and “Session expired”. See `secupress.plugins.login-captcha.checkbox.text` and `secupress.plugins.login-captcha.error.text`
  • Improvement#684: Better 64 bits check.
  • Improvement#685: Better “stop user enumeration” on Rest API, (JSON return instead of diying)
  • Improvement#679: Compatibility with PHP7 for a vendor package (PDF)
  • Improvement#686: Remove the HTML tags check from “bad user-agents” feature. Too many false positive since WP 4.9.8 😐
  • Fix#691: GeoIP was returning false since 1.4.5 because of the bad prepare format.

1.4.6 – 9 august 2018

  • New#668: Add support for https://fr.wordpress.org/plugins/2fas-light/ as a 2FA plugin
  • New#676: SecuPress Expert Mode. You can set a SECUPRESS_MODE constant on “expert” to hide descriptions and help all over the plugin to have a clear interface.
  • Improvement#663: GeoIP module can now bypass real seo bots! So you can block USA but still got Google on your website for example.
  • Improvement#665: Backups are now done using offset, this means that there is more chance to finish instead of dying.
  • Improvement#670: GeoIP database will update everyday automatically using a cron. You and your visitors won’t fell the update. Why everyday? Because everyday IPs are changing (in fact, every second… but I didn’t want to be so mean). This will prevent false positives and false negatives from your visitors, bots, crons.
  • Improvement#671: Strip URLs from UA before check bad UA to prevent false positives.
  • Improvement#672: Better compatibility for secupress_get_main_url compat().
  • Improvement#675: Add a checkbox for login errors module to allow its deactivation.
  • Fix#660: Fix the JARVIS encounter in a bad SecuPress settings link.
  • Fix#661: SECUPRESS_HIDE_API_KEY was not hiding the key anymore, ironic.
  • Fix#664: Fatal error: Uncaught Error: Call to undefined function secupress_global_settings_activate_pro_license() in /secupress-pro/core/core.php:227
  • Fix#667: WP Cron Fatal error: Uncaught Error: Call to undefined function secupress_scanit() in /secupress-pro/inc/modules/schedules/plugins/inc/php/class-secupress-background-process-schedules-scan.php:47
  • Fix#673: MoveLogin with nginx sais you have to “remove” rules instead of adding them. Funny or not.

1.4.5.1 β€” 27 june 2018

1.4.5 – 18 june 2018

  • New#659: You can now set a scanner speed on scanner page, just below the scanner button. This is designed to resolve some server issue that does not love/allow too much (ajax) requests at the same time (30+ in 1 sec by default to 0,25sec or 1 per sec now). Improvement#649: Change the behavior of the scanner for minimum role. It’s not ‘Subscriber‘ anymore but ‘Not Administrator‘, so you can now set your default role on “Customer” or whatever without being tagged as “bad“.
  • Improvement#655: The new “confirmaction” links on WP 4.9.6 were showing the new moved login page. It will now show a “confirmaction” shortcut when move login is active.
  • Improvement#657: Remove the “Ask for support” on each scan result in step 3, nobody was using them.
  • Fix#626: Block Fake SEO Bots won’t block Facebook share anymore.
  • Fix#640: Import file was tagged as “empty”, not anymore.
  • Fix#641,#647: Some module were impossible to activate/check, it’s now ok.
  • Fix#642: Warning: count(): Parameter must be an array or an object that implements Countable in /secupress/inc/functions/common.php on line 1288
  • Fix#643: The “Add my license” and “Settings” link is now correct.
  • Fix#644: GeoIPs database will now work on 32 bits servers (INT MAX issue).
  • Fix#645: GeoIPs database has been updated to perfectly match countries, and won’t block an unknown country now.
  • Fix#646: Warning: shell_exec() has been disabled for security reasons in /secupress/inc/functions/ip.php on line 229
  • Fix#648: Fatal error: Cannot redeclare secupress_remove_comment_feature_add_packed_plugin() (previously declared in secupress-pro/core/modules/antispam/callbacks.php on line 64
  • Fix#650: Fatal error: Uncaught Error: Call to undefined function secupress_pro_settings_white_label_callback() in /secupress/inc/modules/welcome/callbacks.php on line 27
  • Fix #651: Move login and subfolder love/hate again.
  • Fix #654: Warning: fileperms(): stat failed for /index.php in /secupress/inc/functions/files.php on line 29
  • Fix #656: The scanner step 3 was not showing all the possible fixes.

1.4.4 – 23 may 2018

  • GDPR Compliance!
  • New Dashboard: The first module page is now a dashboard, you can see your licence info here now.
  • New: You can now reset the SecuPress settings or just module per module.
  • Improvement#628: GeoIP Database has been updated with new IPs
  • Improvement#630: Force strong password is now available on reset form too.
  • Fix#614: Exported settings file doesn’t contains the whitelabeled name, this will prevent the impossibility to import this file
  • on another website whitout the same whitelabel name.
  • Fix#617: Warning: shell_exec() has been disabled for security reasons in /secupress-pro/core/functions/ip.php on line 229
  • Fix#620: PHP Fatal error: Uncaught Error: Call to undefined function secupress_global_settings_activate_pro_license() in
  • /secupress-pro/core/core.php:227
  • Fix#622: Warning: count(): Parameter must be an array or an object that implements Countable in
  • /secupress/functions/common.php on line 1288
  • Fix#625: Remove “Wget” from bad User Agents
  • Fix#626: Facebook share post parser was blocked by block fake bot module
  • Fix#627: GooglePageSpeed too
  • Fix#628: GeoIP will not block anymore an unknown IP address (country not found)

1.4.3 – 9 may 2018

  • New#605: New feature added in Sessions Control module: Send a reset link to users
  • Improvement#599: UI was not full width
  • Improvement#600: Checkboxes in step 2 seems enabled
  • Improvement#602: Compat with HostPAPA.ca
  • Improvement#609: Remove the notices “These options are disabled…”
  • Improvement: Remove every check about WP being under 4.0
  • Fix#597: Fatal error when updating using folder overwrite (FTP for example)
  • Fix#598: GooglePageSpeed is blocked by Fake SEO Bots module
  • Fix#601: 404 on PHP should block but not ban
  • Fix#606: regex of fake bots’ user agents was too large
  • Fix#607: Alerts were always sent every 15mn, even with a higher number
  • Fix#608: Fix “Warning: set_time_limit() has been disabled for security reasons”

1.4.2 – 23 april 2018

  • Improvement#587: Remove SecuPress main logo on whitelabel (there is still some, wait!)
  • Improvement#589: API Key is hidden behind β€’β€’β€’β€’β€’ chars.
  • Improvement#592: Add a Facebook link when grade is A to share the result.
  • Fix#587: CSS missing when whitelabel is on.
  • Fix#588: Move Login died when it should not.
  • Fix#591: Block Fake Bots should not block real bots, right?
  • Fix#595: Fatal error when blocking User Enumeration on REST API
  • Fix#596: Security Fix: The new moved login page could be guessed because of a redirect due to a lack of “die()”, there is no more whitelist condition now. Thanks to Aymen Borgi.

1.4.1 – 18 april 2018

  • Improvement#583: Better PHP Version detection and warning (php 7 is now the best recommended one)
  • Improvement: Easy Login scan will now detect correctly 15 2FA plugins, not only our PasswordLess module.
  • Fix#581: You can now correctly disconnect if you’re using Move Login Page.
  • Fix#582: You can now correctly save the malware scan option page.
  • Fix#586: Possible 503 error : “The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

1.4 aka Hotrod – 11 avril 2018

  • New: PHP required version is now 5.4 (and will grow at each major version)
  • New: WordPress required version is now 4.0 (and will grow at each major version)
  • New#490: Block User Enumeration Feature
  • New#551: Ban 404 on .php Files Feature
  • New#544: API Key is hidden by default, you can also hide the full block using the new constant `SECUPRESS_HIDE_API_KEY` (will be set to true if `SECUPRESS_API_EMAIL` and `SECUPRESS_API_KEY` are set)
  • New#557: New constants `SECUPRESS_API_EMAIL` and `SECUPRESS_API_KEY` to overridde data from settings
  • New#558: New filter `secupress.pre_scan.$class` to shortcut any scanner
  • New#564: Block Fake SEO Bots Feature
  • New#562: New filter `secupress.get_email` to change the email when sending
  • New#567: New filter `secupress.nginx.notice` to prevent Nginx notices to pop
  • New#572: New filter `secupress.settings.load_plugin.$plugin` to prevent a full block of settings to be displayed
  • New#572: New filter `secupress.settings.field.$args[‘name’]` to hide an option from a setting block
  • New#576: New scan 404 on .php files
  • New: Pro version is now required to auto-fix issues on step 2 in the scanner
  • Improvement#242: When Pro is active, you’ll see a small yellow Ezio (the eagle) logo on each pro feature, so you know what is a pro feature.
  • Improvement#401: Remove outdated scanners and features : REST API Blocking, Non Login Time Slot, DirectoryIndex, no need that now.
  • Improvement#480: Change the way we display the anti sqli scanner code, more lorem, more ipsum, less random
  • Improvement#541: Change the way we load Move Login to prevent any “404 management” plugin to generate conflict
  • Improvement#550: Move Login will now let the priority to “WPS Hide Login” and “SF Move Login”
  • Improvement#553: Move Login will now redirect into the dashboard if the user is logged in
  • Improvement#563: Do not log banned IPs
  • Improvement#569: Let the possibility to go to step2 without launching a new scan
  • Improvement#570: Revamp of the “Get Pro” page (use an external link instead haha)
  • Improvement#571: Remove the hardcoded ads, add more help instead + you can still disable the full bar using the filter `secupress.no_sidebar` or just future ads with `secupress.no_sideads`
  • Improvement#573: Add a 3rdparty.php file to have a better detection of 2FA plugins installed, and better compat with hosts like WPServeur and O2Switch
  • Fix#470: Some messages could be in 2 different languages in the scan results
  • Fix#533: Move Login was not acting correctly when subfoldered
  • Fix#543: ManageWP couldn’t always correctly access the plugins list, now it’s ok
  • Fix#545: Move Login new page was disclosed by wp-signup.php page
  • Fix#559: Notice: Undefined index: move-login_login-access in /secupress/modules/users-login/callbacks.php on line 246
  • Fix#565: GEOIp was not blocking all countries correctly
  • Fix#566: Anti Bruteforce Front was not blocking all requests correctly
  • Fix#568: Remove the Captcha hidden field, too much false negatives

Β 1.3.3 – 04 september 2017

  • Fix#527, #526, #525, #524, #509: Passwordless now send an email when activated (each time), not at each page save.

Β 1.3.2 – 01 september 2017

  • Improvement: When PasswordLess is activated, you’ll have to valide this action by clicking on a link in an email. This will prevent you to be locked out.
  • Fix #502: Move login and PasswordLess are friends, again.

1.3.1 – 02 august 2017

  • New #510: Remove the “Avoid Double Logins” module since it’s not efficient enough
  • Improvement #511: You dont have to add 2 email addresses for the alerts
  • Improvement #478: Display a message when the malware scan found nothing
  • Improvement #512: Remove the recovery email notice, you won’t need to fill this anymore
  • Improvement #507: Lighter Move Login module with less options, no .htaccess/web.config/ngnix.conf modifications but more decisions and less bugs instead of endless bugs.
  • Improvement #506: Remove the scan and fix for empty user agent (not efficient enough in 2017, too much false positive)
  • Improvement #505: Remove the scan and fix for too long URLs (not efficient enough in 2017, too much false positive)
  • Improvement #488: New bad user agent (Gecko/2009032609 Firefox), thanks to Fabrice from wpformation.com
  • Improvement #481: Better message (less sarcastic, yes) when you lock yourself out.
  • Fix #504: On some servers, $_SERVER[‘SERVER_ADDR’] does not exists, well, ok.
  • Fix #502: Move login was not cool with PasswordLess
  • Fix #501: Some multisites websites could not validate their licence.
  • Fix #473: Captcha always returned “human verification fail” when autofill from browser is enabled.

1.3 aka Bleeding Edge – 18 july 2017

  • New: you don’t need the Free version to run the Pro version now: one plugin is enough.
  • New: migrating between the Pro plugin and the Free plugin is now easier.
  • Improvement #457: no more errors after editing the wp-config.php file. We added a sandbox that doesn’t keep
  • modifications in place if there is a problem.
  • Improvement #448: Better detection of user’s right for DB scan
  • Improvement #365: removed OrangeBot from the bad user agents list.
  • Improvement #337: captcha is now also available on the user registration page.
  • Improvement #308: Sometimes after a scan (step 1), some results are still tagged as “new”, you should encounter less cases.
  • Improvement #268: settings page lock: scanners page and logs page are now locked.
  • Improvement #247: malware scan: wp-config-sample.php is not flagged as missing from core anymore.
  • Improvement #180: added a warning about disabling the XML-RPC API.
  • Fix #469: customize.php redirects to the login page (thanks to @wpmarmite)
  • Fix #454: logs export: the file name was wrong. Moreover, now it includes the date.
  • Fix #451: Fatal error on WP <4.2.11 when sending emails
  • Fix #448: on some rare cases, the tables prefix couldn’t be changed because “the user doesn’t … have edition rights”.
  • Fix #417: malware scan: huge files are skipped (otherwise the process never ends).
  • Fix #416: malware scan: sometimes it couldn’t be stopped.
  • Fix #414: fixed some PHP 7 errors.

1.2.7 – 18th April 2017

  • Improvement: removed the monthly plans from the “Get Pro” page and improved a few things.

1.2.6.1 – 06th April 2017

  • Improvement #450: use a new API for the “Get Pro” page, to fetch prices.
  • Improvement #445: display the missing “Rate us” box in the settings page.
  • Improvements #387 and #449: changed a few things in the “Get Pro” page, mainly focused on the monthly plans.
  • Fix #447: prevented Move Login to change `&` characters into `&` in filtered URLs, it may cause problems when used as a redirection target.

1.2.5.1 – 19th March 2017

  • Fix #424: a htaccess server error appeared if you were using WP

1.2.5 – 16th March 2017

  • Improvement #413: improved PHP and WP version check on activation.
  • Improvement #408: improved Move Login settings. Now you HAVE to specify a new login URL: no default value anymore, no forgotten URL anymore. Also, your new URLs can be seen while you type in πŸ™‚
  • Improvement #397: improved the theme/plugin installation/upload sub-modules: even white-listed IPs are blocked now.
  • Fix #402: in some cases, the scan testing the `readme.html` direct access was testing a wrong URL.
  • Fix #111: added the IP address `0.0.0.0` to the hardcoded white-list. It should prevent some cron processes to be blocked (because of an empty User Agent for example).
  • Improvement #397: improved the theme/plugin activation/deactivation/deletion sub-modules: even white-listed IPs are blocked now.
  • Fix #415: on some installations, the file `fpdf.php` was constantly showing in the malware scan, even being in the smart white-list.
  • Fix #409: the backup process couldn’t create the backup folders (D’OH!).
  • Fix #325: the protection against bad file extensions wasn’t working if domain sharding is used for medias.

1.2.4 – 28th February 2017

  • Improvement #382: if the salt keys scan still reports problems after the MU plugin is created, it will still try to fix it.
  • Fix #282: links in email messages should now be fine.
  • Fix #170: the notice saying the `.htaccess` file is not writable now is displayed only if the file exists.
  • Tested with php 7.1.
  • Various small fixes and improvements.
  • Fix #393: settings and profile pages were not accessible when the password protections are enabled.
  • Fix #374: the malware scanner doesn’t report empty files as malwares anymore.
  • Fix #327: in the malware scanner, white-listed files and “old WP files” are now removed from the “not from WP core” list.
  • Fix #209: in the malware scanner, the “scan” button wasn’t reporting the right status on first scan (only after reloading the page).
  • Fix #283: use the right charset collate for the “Anti Front Brute Force” and “GeoIP Management” database tables.
  • Fix #282: links in email messages should now be fine.
  • Fix #391: whenever an IP address is banned, the message was displayed to everybody.

1.2.3 – 20th February 2017

  • Improvement #370: in the scanner, each scan has now its own documentation ?. The “Read the documentation” links can be found at step 3, the Manual Operations.
  • Improvement #357: for the “Too Long URL” protection, requests made with `wp_request_***()` to self are not blocked anymore.
  • Fix #373: fixed a bug that allowed a specifically forged URL to cheat the “Too Long URL” protection.
  • Fix #367: fixed a PHP notice `Missing argument 2 for SecuPress_Action_Log::pre_process_action_wp_login()`.
  • Fix #363: fixed a possible failure on step 2 of the scanner (Auto-Fix).
  • Fix #352: revamp the whole “Auto Update” scan and protection, mainly focusing on the constant definitions.
  • Fix #347: the Twitter bird now can sing correctly.
  • Fix #343: when some scans display a message “Unable to determine…”, a link to activate manually the protection should be displaying. Some were missing.
  • Fix #329: the directory listing scan now reports a “Good” status if folders display an empty page with HTTP code 200.
  • Improvement #321: the malware scan now has a way to toggle multiple checkboxes at the same time. Yay for speed.
  • Improvement #273: logged in users are not considered as spam by the antispam anymore.
  • Fix #369: reviewed our 3 log-in protections (PasswordLess, Only One Connection, Captcha). Lots of work has been done to prevent users to be locked out.
  • Fix #368: fixed a `gzinflate()` error while importing settings. The down side is *old settings exports won’t work anymore: please do new settings exports after this update*.
  • Fix #360: in the malware scan, removed Akismet from core files. Sometimes it is not included in WordPress releases and triggers false positives.
  • Fix #349: alerts were still reporting whitelisted IPs.

1.2.2 – 27th January 2017

  • Fix #355: fixed a “recursion” that caused some scans to return a “bad” status while the corresponding protections were working
  • Fix #351: fixed license invalidation on multisite or multilingual sites.
  • Fix #346: fixed a PHP warning about `vsprintf()` in the scanner page.
  • Fix #345: don’t manipulate headers if they have been already sent.
  • Fix #313: fixed one of our easter eggs. ?
  • Fix #256: in the `wp-config.php` file, don’t comment a constant that is already commented or the sky will fall.
  • Fix #46, #154, #328, #348: fixed the whole chmod scan. Some fixes made in version 1.0.3 dramagically disappeared at some point, we bring them back: chmod values are correct again, test for the `web.config` file is back (if applicable). In the scan result, the list of files/folders were incomplete. In the scan result, folders are not called files anymore. Test for `.htaccess` and `web.config` existence instead of testing for Apache / IIS7.
  • Improvement #356: added back a “View details” link on the plugin row (in the plugins list), so the changelog and all the info can be viewed anytime.
  • Fix #269: fixed PDF export failure.

1.2.1 – 11th January 2017

  • Happy new year! ?
  • Improvement #336: prevent a rare PHP warning: array_count_values() can only count string and integer values! that could mess with the scan results.
  • Improvement #322: CSS animations are no more on Logs page, interacting with them is now easier.
  • Fix #342: in the Malware Scan module, the “Save All Changes” button under the Directory Index option was disabled.
  • Fix #340: solve a fatal error on deactivation.

1.2 aka Heavy Duty – 20th December 2016

  • New: up to 12 options for you to control. Directory Index, Directory Listing, PHP modules disclosure, PHP version disclosure, WordPress version disclosure, Bad URL Access, Protect readme files, WooCommerce and WPML version disclosure, File edition constant, Unfiltered HTML constant, Unfiltered uploads constant: all these protections can now be activated and deactivated separately as needed
  • New: some scans were slightly modified, so here is a new one that will test only the ShellShock vulnerability
  • New: if a scan displays a “Not able to access your front page” message, it brings you the possibility to activate the protection anyway.
  • Improvement #118: in the scanner’s manual fixes, the “Ignore this step” button is more understandable.
  • Improvement #147: in logs and alerts, no more “UAHE”, “BUC”, or any other obscur codes when a request is blocked, only a human readable sentence.
  • Improvement #199: the User Agent blacklist is now case sensitive.
  • Improvement #274: if you use a “Coming Soon” or “Maintenance” page, manual scans have now a small drill and can get through it and will no longer trigger a “Not able to access your front page” message for this reason.
  • Improvement #286: updated the “no longer in directory” and “not updated over 2 years” plugins lists.
  • Improvement #289: the scan message related to the constant `COOKIEHASH` is more accurate.
  • Improvement #290: whitelisted IPs don’t trigger alerts and logs when they are *not* blocked.
  • Improvement #297: the checkbox to activate the protection to deny access to malicious file extensions in the uploads folder now displays rewrite rules if the configuration file is not writable.
  • Improvement #324: tell cache plugins not to cache our blocking messages nor the login pages.
  • Improvement: prevent our icons to be overridden by other plugins or themes.
  • Fix #264: the scanner related to the admin user wouldn’t fix anything in a specific case. Nothing is better than a whip sometimes.
  • Fix #265: fixed a message displayed by the chmod scan. In some cases it was speaking nonsense about files `/` and `/`.
  • Fix #281: “Ask for old password” and “Strong Passwords” are now besties
  • Fix #285: typo in a `IfModule`
  • Fix #291: the fix related to the WordPress version disclosure ate the rewrite rules on Nginx. So we made it give them back (that was kind of scary).
  • New: the malware scanner now has a smart whitelist. You can also mark files as “not a malware”: when we receive enough notifications about the same file, it is included in the whitelist for everyone.
  • New: redesign the malwares scan’s page.
  • New: up to 12 options for you to control. Directory Index, Directory Listing, PHP modules disclosure, PHP version disclosure, WordPress version disclosure, Bad URL Access, Protect readme files, WooCommerce and WPML version disclosure, File edition constant, Unfiltered HTML constant, Unfiltered uploads constant: all these protections are now activatable and deactivatable separately when you want
  • Improvement #139: cleanup our crons on plugin deactivation.
  • Improvement #189: better plugin activation and deactivation processes.
  • Improvement #196: now you can also deactivate your license directly within the plugin.
  • Improvement #203: now you can send a support request even if the emails are not working on your server.
  • Improvement #290: whitelisted IPs don’t trigger alerts and logs when they are *not* blocked.
  • Improvement #298: now PasswordLess, Avoid Double Logins, and Captcha work better together
  • Fix #208: repaired layout on the “See differences”‘s page.
  • Fix #312: changed the PDF reports file name to prevent bad encoding.

1.1.3 – 07th November 2016

  • Improvement #258: Remove the blog_id and website URL in the new salf keys to avoid having to log in on each website on a multisite, was just annoying.
  • Improvement #259: Better hook usage to allow any cache plugin (like WP Rocket of course) to ignore login page.
  • Improvement #195: Better Move Login rules on Ngnix. And better rules in general for all modules.
  • Fix #262: Some firewall sub-modules are not working in frontend, the functions were not in the right file 😐
  • Fix #252: X-Powered by header was not hidden on Ngnix. Ngnix my friend …
  • Fix #250: WPML still appeared as a “bad plugin removed from repo”, well, the whitelist filter was not used.

1.0.2 – 07th November 2016

  • Fix #255: Warning: Missing argument 2 for SecuPress_Alerts::_wp_login_test() in /inc/modules/alerts/plugins/inc/php/alerts/class-secupress-alerts.php on line 299.
  • Fix #253: Bad File Extensions were not protected on Nginx. Ngnix my friend…
  • Fix #249: The Only One Connexion module didn’t worked as expected, now, it is.
  • Fix #248: Import settings didn’t import setting, now, it import settings.

1.1.2 β€” 25th October 2016

  • Just new prices table compatibility

1.0.1 – 22th October 2016

  • Improvement: typos, and missing translations.
  • Fix #210: The plugin could be activated without the free version, merge drama.
  • Fix #222: Fatal error, we’re requiring a non existant file from free instead os pro version.
  • Fix #225: Text encoding in PDF export was broken on accents.
  • Fix #233: Fatal error in class-secupress-background-process-file-monitoring.php “Can’t use function return value in write context”, now the context is right.

1.1.1 β€” 22th October 2016

  • Improvement #216: The button “Ask for support” is now always present on scanner step 3
  • Improvement #205: typos, and missing text domain
  • Fix #186: Add description and author to the COOKIEHASH MU plugin
  • Fix #204: When fixing the last thing in step 3, redirect to step 4
  • Fix #207: Table prefix fix won’t show up on step 3
  • Fix #219: PDF Export not exporting anything, wow.
  • Fix #224: In scanner JS, HTML entities were in status text.
  • Fix #227: Notice on affected role section Undefined index: double-auth_affected_role in /inc/admin/functions/modules.php on line 555
  • Fix #232: Bad request methods scan returned false negatives status.

1.1 β€” 19th October 2016

  • New: Design revamp for modules homepage

1.0 aka Mark I – 18th October 2016

  • Initial release

1.0.6 β€” 18th October 2016

  • Fix #158 & #179: Affected roles on modules were reset to empty. I prefer a filled field.
  • Fix #159: The error message from files backup talked about DB backup. Go home!
  • Fix #178: The PasswordLess scan will now check if its module is active, and in a near future will really check for any 2FA code.
  • Fix #185: A mysterious “////” title was present in the french translation, near “XML-RPC”.
  • Fix #190: The module link in the non login time slot scan has now its # to get a correct anchor. Happy sailor.
  • Fix #191: A function was missing, so the PasswordLess scan couldn’t activate its module, now, he can and he’s happy too.
  • Fix #193: The antibruteforce scan always said “false” because we didn’t call him by its real name.
  • Fix #197: When one of our muplugin was created on plugin deactivation, it triggered a fatal error, it was so fatal that we decided to remove it.

1.0.5 β€” 07th October 2016

  • Fix #167: Possibly locked at step 1 with a fake “New scan” for readme.txt files, you’re not stuck anymore.
  • Fix #166: Various CSS improvements.
  • Fix #171: Scans related to the firewall were always returning a bad status, even if the protections were running.
  • Fix #172: The scan and the protection related to the “Bad request methods” were not accurate.
  • Fix #176: A SQL warning occurred if you didn’t had logs to delete from 1.0.4, a new IF condition has been added to prevent that.

1.0.4 β€” 26th September 2016

  • TAKE CARE, ALL YOUR LOGS WILL BE DELETED! THANK YOU
  • Improvement #164: Logs are now lighter and can be deleted much faster
  • New #160: Add a filter named `secupress.remote_timeout` if you got too many “Pending” status in scanner, add more timeout since cUrl is not always gentle with us ><

1.0.3 β€” 14th September, 2016

  • Improvement: Commented salt keys (previously fixed) will now be deleted to avoid another error 500 case (in case of, you know)
  • Improvement: The banner button has now a better display on tiny screen
  • Improvement: Since SecuPress is compatible with WP 3.7 and 3.8, the icons are now compatible too
  • Improvement: Better bad user-agent blacklist, some were too current and blocked legit users.
  • Fix: User-Agent with more than 255 chars won’t be blocked anymore, too many false positive cases
  • Fix: The recovery email can now be set even if 2 users got the same email address (don’t ask …)
  • Fix: wp-config.php file permissions was sometimes set on 064 and broke some sites when autofix was done.
  • Fix: The PHP version warning was marked as bad for nothing, it will now mark it correctly

1.0.2 β€” 02nd September, 2016

  • Fix: The PHP Notice: wp_enqueue_script/wp_enqueue_style called incorrectly is now called correctly and won’t disturb you anymore everywhere in your admin area
  • Fix: The Error 500 caused by commented salt keys will not happen again
  • Fix: We removed the “ping” keyword from the bad user-agents since “pingdom” is not so malicious, isn’t it?
  • Fix: SecuPress couldn’t fix the “admin user” scan with open registration and no admin account.
  • Fix: The TinyMCE editor is not broken anymore, you can use it normally now \o/

1.0.1 β€” 31th August, 2016

  • Fix: The PHP Fatal Error on activation or deactivation has been killed.
  • Fix: The following JavaScript Error Uncaught ReferenceError: secupressResetManualFix is not defined in secupress-scanner.min.js when you visit the scanner page is on vacations, forever.
  • Fix: Warning in class-secupress-scan-bad-vuln-plugins.php, we won’t use $this in a static method anymore, promise.
  • Fix: Warning in class-secupress-scan-bad-vuln-plugins.php, ok this one is the last.
  • Fix: Warning in class-secupress-scan-bad-old-plugins.php, well, it was the real last one.
  • Fix: Warning in settings.php usage of a protected method is now allowed.
  • Fix: Warning in modules.php because we called secupress_insert_iis7_nodes() without the second mandatory argument.
  • Fix: The following PHP Parse error "syntax error, unexpected 'ai' (T_STRING) in mu-plugins/_secupress_deactivation-notice-nginx_remove_rules.php" won’t show up anymore for french users.

1.0 aka Mark I β€” 23th August, 2016

  • Initial release \o/