1.0.

0 - 2014-03-25 - Chris Wiegman

Initial Release
1.0.1 - 2014-03-25 - Chris Wiegman
Better conversion of ip to cidr
1.0.2 - 2014-03-27 - Chris Wiegman
Don't show security menu on multisite for non network admins
Fix for module path of windows servers
Module path working correctly on Windows servers
404 white list should transfer to global white list
White list implementation working across all lockouts
Add extra dismiss box to close welcome modal (fix for smaller screens)
1.0.3 - 2014-04-01 - Chris Wiegman
Fixed history.txt (for iThemes customers)
Moved upgrade to separate function for more seamless update
Upgrade system rewritten for better functionality
Make sure 404 doesn't fail if there is not a 404.php in the theme
Make sure WordPress root URLs render correctly
Filewrite now only builds rules on demand.
Fixed dismiss button on intro modal for small screens
General cleanup and typo fixing
1.0.4 - 2014-04-02 - Chris Wiegman
Added ability to manually purge log table
1.0.5 - 2014-04-03 - Chris Wiegman
Added "Show intro" button next to screen options to bring the intro moda
l back
Added ability to use HTML in error messages
Minor copy and other tweaks
1.0.6 - 2014-05-03 - Chris Wiegman
Execute permanent ban on the correct lockout count, not the next one
Updated quick ban rules to match standard ban rules (will work with prox
y)
1.0.7 - 2014-05-03 - Chris Wiegman
Update plugin build
1.0.8 - 2014-04-08 - Chris Wiegman
Make sure global settings save button matches others
Fixed link in locout email
Email address settings retain end of line
Sanitize email addresses on save and not just use
Make sure whitelist is actually an array before trying to process
Make sure rewrite rules show on dashboard when file writing isnt allowed
Added extra information to dashboard server information to help troubles
hooting
1.0.9 - 2014-04-10 - Chris Wiegman
Minor typo fixes
Update nginx rewrite rule on comment spam when domain mapping is active
Added the ability to disable file locking (old behavior)
Better file lock release (try more than 1 method) before failing
Don't automatically show file lock error on first attempt
1.0.10 - 2014-04-14 - Chris Wiegman
When activating SSL Log out the user to prevent cookie conflicts
Use LOCK_EX as a second file locking method on wp-config.php and .htacce
ss
Minor code cleanup
Make sure all wp_enqueue_script dependencies are in proper format
1.0.11 - 2013-04-17 - Chris Wiegman
Make sure logs directory is present before trying to use it
Log a message when witelisted host triggers a lockout
Don't create log files if they're not going to be used
Miscellaneous typos and orther bugfixes
Add pro tab if pro modules need it
 Upgrade module loader to only load what is needed
1.0.12 - 2014-04-18 - Chris Wiegman
Make sure uploads directory is only working in blog 1 in multisite
Better checks for run method in module loader
1.1.0 - 2014-04-21 - Chris Wiegman
Make sure "remove write permissions" works
Better descriptions on white list
Add pro table of contents if needed
Make sure security admin bar item works
Make sure lockout message only happens when needed
Suppress errors on readlink calls
Make sure class is present for permanent ban
Make sure white list is an array
Fix white listed IPs not working
1.1.1 - 2014-04-24 - Chris Wiegman
Miscellaneous typos and other fixes
Remove extra file lock on saving .htaccess, nginx.conf and wp-config.php
. Only flock will be used in these operations
1.2.0 - 2014-05-07 - Chris Wiegman
Better cache clearing and formatting updates
Make sure rewrite rules are updated on this update
Remove extra (settings) items from admin bar menu (leave logs and import
ant information)
Add WP_CONTENT_DIR to system information on dashboard
Move support nag to free version only and make sure it properly redirect
s
Fix check for presence of BackupBuddy to work with BackupBuddy >=4.2.16.
0
Clean up details views on log pages
Add username column to temp and lockouts tables
Lockout usernames whether they exist or not
Don't duplicate lockouts
Fixed malformed lockout error on lockout message
Don't display a host lockout when none exists
Add Sync integration to release lockouts
Improved reliability of brute force user lockouts
1.2.1 - 2014-05-19 - Chris Wiegman
Fixed links in lockout emails
Fixed IP mask calculations
Add call to pro user-logging module
Add ability to temporarily whitelist an IP address
1.3.0 - 2014-05-28 - Chris Wiegman
Added call to two-factor module
1.4.0 - 2014-06-11 - Chris Wiegman
Added call to settings import/export module (pro)
Added button to restore default log location
Don't automatically load front-end classes in dashboard pages
Avoid errors on save if htaccess is completely empty
Only register activation/deactivation/install hooks in admin
Make sure temporary white-list is always available
Improved check for white-listed IP during lockout
Added ability to use constant to override server detection
Don't remove extra line spaces in .htaccess
Minor reformating and typo fixes
1.4.1 - 2014-06-12 - Chris Wiegman
Fixed get_module_path to prevent 404 errors on plugin assets
Fixed misplaced parenthesis forcing computer to always display it isn't
whitelisted
1.4.2 - 2014-07-02 - Chris Wiegman
Fixed an issue that was preventing an IP from being permanently banned d
ue to too many lockouts
Updated .htaccess rules for an IP that has been banned from too many loc
kouts to be more effective in more hosting environments
Fixed responsive issues in iThemes notifications that prevented notifica
tions from being easily read on small screens.
1.5.0 - 2014-07-28 - Chris Wiegman
Added malware and malware scheduling modules
Added better URL validation to ITSEC_LIB
Added exception for 127.0.0.1 to prevent a local server from being locke
d out of a site during wp-cron or other calls
Added button to quickly add current IP address to permanent whitelist
Added appropriate message for logs page when logs are not available due
to "file only" logging being selected
1.5.1 - 2014-07-29 - Chris Wiegman
Make sure pro core module loads to remove upsell when pro has already be
en purchased.
1.5.2 - 2014-07-30 - Chris Wiegman
Clean up notifications for file change detection and malware scanning
1.5.3 - 2014-08-11 - Chris Wiegman
Ensure that individual module updates fire when updating the plugin
Added function to retrieve current URL from the front-end
1.5.4 - 2014-08-20 - Chris Wiegman
Low Severity Security Fix - Lack of access control patched - Sucuri (rep
orted 19Aug2014)
1.6.0 - 2014-09-09 - Chris Wiegman
New Feature: Add IPCheck Brute Force API integration
New Feature: Add ability to receive a daily digest email instead of indi
vidual emails per event.
Enhancement: Added "Go Pro" menu item to admin menus.
Enhancement: Added button to release IP address from temporary whitelist
.
Fixed: introduction screen should now display completely on computers wi
th low-resolution screens.
Fixed: multisite bug that still showed BackupBuddy (if present) even tho
ugh BackupBuddy is not multisite compatible.
Fixed: Scrolling table of contents should not cover side-bar items on pr
o.
Fixed: When changing admin user login form will no show the correct path
when WordPress is not installed in the same directory as the website address.
Fixed: File locking will try to create the iThemes Directory if it isn't
already present rather than just saying a lock could not be attained.
1.6.1 - 2014-09-09 - Chris Wiegman
Fixed: Fixed typos in digest email.
Fixed: Fixed typos in default network lockout message.
Fixed: Force stylesheet reload for new nags and other items by pushing p
lugin build number to stylesheet registrations
1.7.0 - 2014-09-15 - Chris Wiegman
New Feature: Automatically generate strong passwords
New Feature: Password expiration
Fixed: When an invalid log directory is detected it will not fail but wi
ll instead reset it to the original.
Fixed: No more duplicate digest emails
Fixed: No more "Array" message appearing in digest emails from user lock
outs
Fixed: HTML in traditional file log emails will display correctly.
Fixed: From address in notification emails will now display correctly.
Fixed: MySQL errors will no longer appear for missing iThemes Security t
ables. Instead it will attempt to recreate them.
1.7.1 - 2014-09-16 - Chris Wiegman
Fixed: Version bump to break cache.
1.7.2 - 2014-09-17 - Chris Wiegman
Enhancement: Default log rotation changed from 30 days to 14 days
Fixed: All logs page will properly display even with 50,000+ entries in
the log
1.7.3 - 2014-10-09 - Chris Wiegman
Fixed: fixed duplicate ID issue from user_id_exists calls.
Fixed: Fixed an error in the lockout module that results in an error for
users of multisite
Fixed: Notification emails will no longer send if not turned on
Fixed: Duplicate messages will not be allowed in digest emails
Fixed: Duplicate digest emails will have a far lesser chance of sending
Fixed: User lockout count in email notifications will now be correct
1.7.4 - 2014-10-09 - Chris Wiegman
Fixed: Error on line 1312 when iThemes API is actived with version 4.4.1
5
1.8.0 - 2014-10-13 - Chris Wiegman
New Pro Feature: Dashboard widget. Get important information and handle
user blocking right from the WordPress Dashboard.
1.9.0 - 2014-10-21 - Chris Wiegman
New Pro Feature: File change scanning will now compare WordPress core fi
les to the WordPress.org repository.
Fixed: Make sure php_gid is always defined to prevent error message if t
he function is not usable.
Fixed: Link to BackupBuddy in admin bar will now work correctly.
1.10.0 - 2014-11-04 - Chris Wiegman
New Pro Feature: Temporary privilege escalation
1.10.1 - 2014-11-05 - Chris Wiegman
Security Fix: Fixed possible XSS vulnerability in ITSEC_Lib. - Low prior
ity - Thanks to http://planetzuda.com
1.11.0 - 2014-12-04 - Chris Wiegman
New Pro Feature: wp-cli integration
New Feature: Temporarily whitelist your IP address via iThemes Sync
New Feature: Override proxy IP detection
New feature: Hide admin bar (if desired)
Enhancement: Added filter to allow for custom log pages
Enhancement: Added debug constant to help troubleshoot multiple emails
Enhancement: Added constant to force digest emails via wp-cron instead o
f custom timing
Fixed: Various missing variable fixes were added
Fixed: MySQL errors on MySQL 5.6 during activation were fixed.
Fixed: HTML emails now contain HTML tag
Fixed: Lockout count in emails should now be more accurate
1.12.0 - 2014-12-16 - Chris Wiegman
New Pro Feature: Google reCAPTCHA
1.12.1 - 2015-01-05 - Chris Wiegman
New Feature: Add file/folder permissions check to Dashboard
Fix/Enhancement: Minor refactoring of various core components
1.12.2 - 2015-01-12 - Chris Wiegman
Fix: Fixed duplicate module listsing on log page dropdown
Fix: Fixed missing lockouts on iThemes Sync dashboard
1.13.0 - 2015-01-21 - Chris Wiegman
New Feature: Change WordPress Salts
Enhancement: Refactored ITSEC_Lib and ITSEC_Files for better usability a
nd new functions to make changing salts possible
1.13.1 - 2015-01-27 - Chris Jean
Bug Fix: Generating wp-config.php file updates no longer produces warnin
gs.
1.13.2 - 2015-01-27 - Chris Jean
Bug Fix: Fixed .htaccess file modifications failing.
1.13.3 - 2015-02-05 - Chris Wiegman
 Fix: Quick banning IPs will now work correctly if existing htaccess rule
s are in place
Fix: minor bug fixes and typo corrections.
1.13.4 - 2015-02-20 - Chris Wiegman
Enhancement: Limit the number of lockouts that can be displayed at any g
iven time in the dashboard.
Fix: Make sure header error messages are suppressed when performing a lo
ckout.
Fix: Fix error message from missing login information when displaying lo
ckouts.
1.13.5 - 2015-02-26 - Chris Jean
Bug Fix: Fixed regression that prevented adding wildcard IP's in the for
m of 'XXX.XXX.XXX.*' to Ban Hosts.
1.13.6 - 2015-03-20 - Chris Jean
Enhancement: Translation files can now be stored in WP_LANG_DIR/plugins/
ithemes-security-pro for
iThemes Security Pro and WP_LANG_DIR/plugins/better-wp-security
for iThemes Security free version.
Bug Fix: The file permissions check will no longer list a warning if the
plugins directory has permissions of 755.
1.13.7 - 2015-04-22 - Chris Jean
Enhancement: Improved domain name generation given the host name.
1.14.0 - 2015-06-04 - Chris Jean
Enhancement: Added new library classes for managing files, directories,
and config files.
1.14.1 - 2015-06-08 - Chris Jean
Bug Fix: Fixed "Fatal error: Call to undefined method ITSEC_Lib_File::ge
t_full_file_permissions()" which could occur when saving settings.
1.14.2 - 2015-06-09 - Chris Jean
Bug Fix: Warnings when file writes fail are now hidden.
Bug Fix: Fixed a situation where creation of a zipped export file would
>fail, but an email would still be sent as if the zip was created
>successfully.
Enhancement: Improved error messages for when file writes fail.
Enhancement: Improved error messages for when export file creation fails
.
Enhancement: Improved error messages for situations when the .htaccess,
>nginx.conf, or wp-config.php files may need to be manually updated.
1.14.2 - 2015-06-09 - Chris Jean
Bug Fix: Warnings when file writes fail are now hidden.
Bug Fix: Fixed a situation where creation of a zipped export file would
>fail, but an email would still be sent as if the zip was created
>successfully.
Enhancement: Improved error messages for when file writes fail.
Enhancement: Improved error messages for when export file creation fails
.
Enhancement: Improved error messages for situations when the .htaccess,
>nginx.conf, or wp-config.php files may need to be manually updated.
1.14.2 - 2015-06-09 - Chris Jean
Bug Fix: Warnings when file writes fail are now hidden.
Bug Fix: Fixed a situation where creation of a zipped export file would
>fail, but an email would still be sent as if the zip was created
>successfully.
Enhancement: Improved error messages for when file writes fail.
Enhancement: Improved error messages for when export file creation fails
.
Enhancement: Improved error messages for situations when the .htaccess,
>nginx.conf, or wp-config.php files may need to be manually updated.
1.14.2 - 2015-06-09 - Chris Jean
Bug Fix: Warnings when file writes fail are now hidden.
 Enhancement: Improved error messages for when file writes fail.
Enhancement: Improved error messages for situations when the .htaccess,
nginx.conf, or wp-config.php files may need to be manually updated.
1.14.3 - 2015-06-16 - Chris Jean
Bug Fix: Fixed support for wp-config.php files placed one directory abov
e the ABSPATH.
1.14.4 - 2015-06-18 - Chris Jean
Bug Fix: Manual backups now work as expected after changing the content
directory.
Bug Fix: Readded support for Litespeed .htaccess file modifications.
1.15.0 - 2015-07-02 - Chris Jean
Feature Removal: Removed the malware scanning feature as VirusTotal no l
onger supports scanning from WordPress sites. A replacement is in the works.
Bug Fix: The close button on the "Thank you for activating iThemes Secur
ity" message now appears in the correct location.
Bug Fix: Removed the site's URL being displayed in the "Replace jQuery W
ith a Safe Version" setting details.
Bug Fix: Updated .htaccess rules to be compatible with Apache 2.4 withou
t the auth compat module.
Bug Fix: Enabling and disabling the "Remove File Writing Permissions" se
tting now updates the file permissions properly.
Bug Fix: Web servers that cannot be recognized now default to Apache.
Enhancement: Updated the hackrepair lists.
1.16.0 - 2015-08-03 - Chris Jean
Feature Removal: Removed the "Remove WordPress Generator Meta Tag" featu
re as it is not recommended due to limited security benefit and creating compati
bility issues.
Enhancement: Added the ability to undo the Content Directory change.
Bug Fix: No longer tries to load a non-existent JavaScript file for the
salts module.
Bug Fix: Fixed an issue with one-time database backups on multi-site ins
talls.
Bug Fix: Fixed issues related to locating .htaccess or nginx.conf files
on sites with WordPress installed in a separate directory.
Bug Fix: Fixed issues with PHP blocking in uploads directory not working
with certain non-standard setups.
Bug Fix: Minor change to fix a warning that can appear after changing th
e Content Directory.
Bug Fix: Fixed a PHP fatal error that could occur on some servers when a
dding a ban to the site's .htaccess or nginx.conf file.
Bug Fix: Fixed some issues with profile pages on multisite setups that a
ffected both two factor authentication and the password generator.
1.16.1 - 2015-08-14 - Chris Jean
Bug Fix: Fixed "Call to undefined function get_home_path()" error.
1.17.0 - 2015-09-14 - Chris Jean
New Feature: Added malware scanning provided by Sucuri SiteCheck.
1.17.1 - 2015-09-14 - Chris Jean
Enhancement: Updated link to Sucuri SiteCheck.
1.17.2 - 2015-09-15 - Chris Jean
Enhancement: Updated better-wp-security's translation domain from it-l10
n-better-wp-security to better-wp-security.
1.17.3 - 2015-09-15 - Chris Jean
Compatibility Fix: Added support for ITSEC_TEST_MALWARE_SCAN_DISABLE_SSL
VERIFY. Setting it to true can bypass "SSL peer certificate or SSH remote key wa
s not OK" errors on servers with bad SSL configurations.
1.17.4 - 2015-09-21 - Chris Jean
Compatibility Fix: Updated code triggered by the ITSEC_TEST_MALWARE_SCAN
_DISABLE_SSLVERIFY define. This avoids plugin compatibility issues that prevent
disabling the SSL peer verification.
2.0.0 - 2015-10-14 - Chris Jean
 New Feature: Added "Multiple Authentication Attempts per XML-RPC Request
" setting to the WordPress Tweaks section. When this setting is set to "Block",
iThemes Security will block brute force login attacks against XML-RPC as describ
ed by Sucuri in this blog post: https://blog.sucuri.net/2015/10/brute-force-ampl
ification-attacks-against-wordpress-xmlrpc.html
Enhancement: Updated text describing the XML-RPC setting in the WordPres
s Tweaks section to better explain what the setting is for and which setting is
recommended.
Enhancement: Improved IP detection when proxy detection is active by pro
cessing the header set by CloudFlare.
Enhancement: Added a filter named itsec_filter_remote_addr_headers which
can be used to change which headers are searched for the client IP. This allows
for tailoring the IP detection for specific reverse proxies and load balancers.
Bug Fix: Updated the Banned Users settings to no longer add a newline to
the Ban Hosts input each time the settings page is saved.
2.0.1 - 2015-11-10 - Chris Jean
Enhancement: Removed Yandex and Sogou from the HackRepair blacklist as t
hey are legitimate search engine bots.
Enhancement: Added detailed information about Sucuri malware scan errors
to Malware Scan log details.
Bug Fix: No longer enables display of database errors when an event is l
ogged.
2.1.0 - 2016-01-11 - Chris Jean & Aaron D. Campbell
Security Fix: Fixed PHP code that could allow AJAX requests to list dire
ctories and files outside the directory structure of the WordPress installation.
Note that these AJAX requests required a logged in user with admin-level privil
eges. This vulnerability was unable to be exploited by non-privileged or anonymo
us requests.
Bug Fix: Updated the SSL feature to use 301 redirects rather than 302 re
directs.
Bug Fix: Fixed situations where security nonces would incorrectly trigge
r "security check" errors when enabling specific combinations of features on the
settings page.
Bug Fix: Enabling scheduled database backups and setting a backup interv
al of 0 days no longer results in a backup being created on every page load.
Feature Removal: Removed the "Security Status" portion of the Security >
Dashboard page. This is in preparation for a new tool that provides suggestions
tailored to the site and server that Security is running on.
Enhancement: Updated the way the feature modules function in order to al
low them to be redesigned in a more efficient and flexible way for future releas
es.
Enhancement: Updated the File Change Detection feature to attempt a max
memory limit of 256M rather than 128M as some users experience out of memory iss
ues which could be fixed with the higher memory limit.
Enhancement: Updated the Database Backup feature to attempt a max memory
limit of 256M rather than 128M as some users experience out of memory issues wh
ich could be fixed with the higher memory limit.
Enhancement: Added localization support for some non-localized strings.
2.1.1 - 2016-01-14 - Chris Jean & Aaron D. Campbell
Bug Fix: Module-specific data is properly initialized/removed on plugin
activation, deactivation, and uninstallation.
2.1.2 - 2016-01-15 - Chris Jean & Aaron D. Campbell
Enhancement: Updated handler for multiple active versions of iThemes Sec
urity.
2.1.3 - 2016-01-26 - Chris Jean & Aaron D. Campbell
Bug Fix: Comparisons of IPv4 addresses and ranges now include the IP's a
t the edge of the ranges.
Bug Fix: IPv4 tests now work as expected when deciding if a blacklisted
IP or range overlaps a whitelisted IP's and ranges.
Bug Fix: Fixed styling issue that affected the display of the horizontal
 tabs on settings pages in WordPress 4.5.
Bug Fix: Replaced old module sorting order in settings screens.
Bug Fix: Fixed PHP 7 compatibility issue that triggers the following err
or: "Uncaught Error: Call to undefined function mysql_get_client_info()".
Bug Fix: Fixed warnings and errors that could occur when deleting the pl
ugin.
Enhancement: When a lockout is being executed, wp_logout() will only be
called if the current page request comes from a logged in user. This prevents pl
ugins that log logout events from logging log outs from unknown users.
Enhancement: Improved the descriptions used for some of the data display
ed in the "System Information" section of Security > Dashboard.
Enhancement: Added "Use MySQLi" entry to the "System Information" sectio
n of Security > Dashboard to show whether the MySQLi driver is enabled.
Enhancement: Updated the "SQL Mode" entry in the "System Information" se
ction of Security > Dashboard to show the full details if that value is set.
2.1.4 - 2016-01-27 - Chris Jean & Aaron D. Campbell
Bug Fix: Fixed warning that could occur on a failed login when Local Bru
te Force Detection is disabled.
2.1.5 - 2016-02-03 - Chris Jean & Aaron D. Campbell
Bug Fix: All data added to the options table by iThemes Security is remo
ved on uninstall.
Bug Fix: Fixed the cause of the following warning: call_user_func_array(
) expects parameter 1 to be a valid callback, class 'ITSEC_SSL_Setup' does not h
ave a method 'execute_deactivate'
Enhancement: Improved code that ensures that tables and options table en
tries created by iThemes Security are removed on uninstall only when no other iT
hemes Security plugin is active.
2.2.0 - 2016-02-11 - Chris Jean & Aaron D. Campbell
New Feature: Added support for IPv6 addresses. This includes support for
IPv6 in lockouts, ban hosts, and white lists.
Bug Fix: Fixed issue that could cause username-based lockouts to fail fo
r long usernames.
Enhancement: Updated descriptions of valid IP and IP range formats for t
he Lockout White List and the Ban Hosts settings.
2.2.1 - 2016-02-15 - Chris Jean & Aaron D. Campbell
Bug Fix: Fixed issue that prevented wildcard IP ranges from being blackl
isted or whitelisted.
Bug Fix: Removed warnings generated when the Away Mode module is disable
d and iThemes Sync contacts the site.
Enhancement: Updated host entries in log details to link to traceip.net
rather than ip-adress.com. This is because ip-adress.com does not support IPv6 a
ddresses.
Enhancement: Updated some translatable strings relating to blacklisting
and whitelisting to allow for better translations.
Enhancement: Added details about how wildcard IP ranges are converted to
CIDR format (this improves performance).
2.2.2 - 2016-02-18 - Chris Jean & Aaron D. Campbell
Bug Fix: Fixed formatting issue that could cause raw HTML output in the
malware scan logs.
Enhancement: Improved error handling and reporting for malware scan issu
es.
2.2.3 - 2016-02-29 - Chris Jean & Aaron D. Campbell
Security Fix: Hardened the created backups and logs directories. Thanks
to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this is
sue.
Security Fix: More secure backup and log file names. Thanks to Nicolas C
hatelain (SYSDREAM IT Security Services) for notifying us of this issue.
Bug Fix: The "NGINX Conf File" setting is now properly respected, causin
g the generated NGINX configuration file to be stored in that location.
Enhancement: Generated database backup file names now contain a human-re
adable timestamp in the format of YYYYMMDD-HHMMSS.
Enhancement: Zipped database backup files no longer contain a deeply nes
ted directory structure. Instead, they only contain the sql file.
Enhancement: When the "Force Unique Nickname" feature is enabled, the ge
nerated display name now uses an improved randomization function.
Enhancement: Improved tabbing of rules in generated nginx.conf files.
Enhancement: Removed the "See what's new button" as it has fulfilled its
purpose.
2.2.4 - 2016-03-01 - Chris Jean & Aaron D. Campbell
Bug Fix: Updated code that generates the backups and logs directories to
ensure that it attempts to create the parent directory if it does not exist yet
.
Bug Fix: Removed warnings that could be generated if the logs directory
could not be created.
Bug Fix: Database backup files sent via email no longer have a name with
out an extension if zipping up the file fails.
2.2.5 - 2016-03-03 - Chris Jean & Aaron D. Campbell
Bug Fix: Fixed temporary whitelisting by preventing a temporarily whitel
isted IP from being locked out.
2.2.8 - 2016-03-17 - Chris Jean & Aaron D. Campbell
Bug Fix: Fixed issue that could cause a fatal error after changing the c
ontent directory.
Bug Fix: Updated the link to sign up for security guide download to poin
t to a https address. This is better security and prevents warnings when submitt
ing from a http site in some browsers.
Bug Fix: If a cryptographically secure log file name can't be generated,
queue up log file writes until we can.
2.2.9 - 2016-03-29 - Chris Jean & Aaron D. Campbell
Security Fix: No longer using document.location to build 'Show Intro' li
nk in admin - Thanks to David Lodge (Pen Test Partners) for notifying us of this
issue.
Bug Fix: Fixed some notices when certain multisite options are used on B
uddyPress
Enhancement: New itsec_white_ips filter to allow plugins that work with
external services to whitelist service IPs
2.2.10 - 2016-04-19 - Chris Jean & Aaron D. Campbell
Security Fix: Better caps checks for dismissal of changed file dialog -
Thanks to Julio Potier for notifying us of this issue.
Bug Fix: Make file change warning dialog text properly translatable
Enhancement: Adding 'itsec_log_event' action for logged events
2.2.11 - 2016-05-02 - Chris Jean & Aaron D. Campbell
Bug Fix: Throw a real 403 instead of a faked 404 for hide backend - Fixe
s compatability with certain plugins including WordPress SEO. Hat tip to Joost d
e Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.