Plugin Name: WP Defender Author: Hoang Ngo, Aaron Edwards Tested up to: 4.7.4 Change Log: 2.1.3 - 2019-18-06 ---------------------------------------------------------------------- - Feature: Security tweaks will send reminder when no tweaks were actioned after activation - Improvement: Scanning will be more catchy, especially with code using eval function, however that can lead to more false positive, please consider to check with our support before delete the file. - Fix: Bring back the tooltips system - Fix: Audit filter links doesn't reflect the right results if open in new tab - Fix: Filtering issue type in scanning now show correct results. - Fix: Scanning notification keep sending when the setting turn to "off" - Fix: User IP in IP Lockout->Blacklist now show the correct IP. - Fix: Bring back the subject customization field in Scanning email config. - Fix: Manage Login Duration wont make user to login twice anymore. - Fix: Audit filtering by user now working properly - Fix: We change the Audit logging items' color from red to more neutral. - Fix: Ad Widget won't be show in vulnerability list by accident anymore - Fix: Bottom bulk selector in Scanning page now work properly - Fix: Deprecate warning from the function strpos() in php 7.3 - Fix: Sync issues with HUB will be more consistent. - Fix: Mask login doesn't work properly if Wordpress get installed in a sub-folder - Fix: Conflict with Avada theme which making scanning stuck - Fix: Gracefully handle error when php dom extension does not install - Fix: Prevent factory reset revert database prefix into wp_ even though it was not set by Defender. - Fix: Prevent slashes added in email template 
- Fix: Minor grammar and UX improvements. 2.1.2 - 2019-10-04 ---------------------------------------------------------------------- - Feature: Defender Pro now supports the WPMU DEV Dashboard’s white label feature. - Feature: You can now perform a factory reset of Defender’s settings via the Settings screen, as well as control what happens to data when the plugin is uninstalled. - Improvement: Defender File Scanning no longer identifies robots.txt as a potentially harmful file. - Improvement: We’ve turned off autocomplete on the two-factor authentication field so that previous codes don’t show up. - Fix: Fixed a conflict with Defender where the 404 lockout feature would lock out users who tried to access old Hummingbird cache files. - Fix: You can now view date ranges greater than 7 days for IP Lockout logs 
- Fix: Minor grammar and UX improvements. 2.1 - 2019-18-02 ---------------------------------------------------------------------- - New: Geo-based IP blocking. Completely block incoming traffic from specific countries to gain full control over who can and can’t access your site. - New: Upgraded design components and improved user experience across the board. - Fix: Corrupt .htaccess rules generated by Defender weren’t able to be re-applied when adding them a second time. - Fix: Users can no longer get past login masking when using double slashes. - Fix: Javascript errors prevented adding recipients to notifications and editing templates. - Fix: Blacklist monitoring could not be enabled on some sites. - Fix: Parse error on installations running PHP 5.3. - Improvement: Removed activation redirection and tooltips on first activation. - Other minor enhancements and fixes 2.0 - 2018-04-09 ---------------------------------------------------------------------- - New: added tweak “Disable XML-RPC” - Improvement: Two factor authentication can now be force enabled by role. - Improvement: Masking URL description. - Fix: Compatibility with Appointments+ login when Mask Login is enabled. - Fix: /login/ will be blocked instead of redirecting to right login URL - Fix: new site registration email login URL will now show right Login URL instead of the original one when Mask URL is enabled. - Fix: Accessibility issue when activating 2FA. - Changes: Show Admin Pointer on initial Defender activation, and removing the redirect behavior. - Other minor enhancements and fixes 1.9.1 - 2018-09-07 ---------------------------------------------------------------------- - Fix: Mask Login Area description text is misleading - Fix: wp-admin link of sub-sites in networks link to wrong admin URL - Fix: Prevent Information Disclosure & Prevent PHP Execution show false error message when first applied - Fix: Dashboard reporting section mis-alignment - Other minor enhancements and fixes 1.9 - 2018-24-05 ---------------------------------------------------------------------- - New: Ability to edit default two-factor authentication email notifications - New: Added Privacy Policy in privacy guideline page - Improvements for lockout logs interface - Improvement: Smarter report default time. - Fix: Defender auto redirect issue when bulk activating plugins - Fix: saving 404 redirect URL issue - Fix: Some layouts are shifted on mobile devices - Other minor enhancements and fixes 1.8 - 2018-10-04 ---------------------------------------------------------------------- - New: Hide the default WordPress login URLs with the new Mask Login Area feature, giving you enhanced protection from hackers and bots. - New: Ability to force two-factor authentication for all users. - Fix: Fixed a bug where file scanning would detect wp-config.php as suspicious. - Fix: Fixed an issue where the lockout pages could be cached by external cache engines. 1.7.5 - 2018-07-02 ---------------------------------------------------------------------- - Fix: Report status missing in Hub Security tab - Fix: Some themes/plugins shown as a vulnerability but no info available - Other minor enhancements and fixes 1.7.4.1 - 2017-4-12 ---------------------------------------------------------------------- - Added: Endpoint API so HUB can work with Defender natively through WPMU DEV Dashboard plugin 1.7.4 - 2017-20-11 ---------------------------------------------------------------------- - Fix: Conflict with Jetpack where Defender 2FA module would not detect if Jetpack 2FA was disabled. - Fix: Visitor would get a 404 lockout if landing on a page with many dead links. - Improvement: When an user is deleted, audit logging now display the user's login instead of only UID. - Other minor enhancements/fixes 1.7.3 - 2017-14-10 ---------------------------------------------------------------------- - Fix: Two-factor authentication can be bypassed by user with no role. - Improvement: Enhanced two-factor authentication protection across multisites. 1.7.2 - 2017-09-10 ---------------------------------------------------------------------- - Improvement: Improvement: IPv6 support for both whitelisting and blacklisting, requires IPv6 support on the server. - Improvement: Better UI/UX for Two-factor authentication. - Fix: Security tweak "Prevent PHP Execution" and "Protect Information" now support Apache 2.4 htaccess rules. - Other minor enhancements/fixes 1.7.1 - 2017-25-09 ---------------------------------------------------------------------- - Improvement: Audit logging logs will be stored up to 1 year, query range can be set up to 3 months - Improvement: Option to set a cooldown period for lockout notifications. - Added: widget for 2 factors authentication - Fix: Defender does not detect the right IP when CloudFlare is being used - Fix: Conflict with TM Photo Gallery Plugin - Other minor enhancements/fixes 1.7 - 2017-15-08 ---------------------------------------------------------------------- - New: Now you can enable 2 factors authentication with Defender and Google Authenticator app, support for iOS and Android - New: We can define how long the "Remember me" can take affect, via a new Security Tweak, called "Manage Login Duration" - Improvement: IP Lockout logs now have separate tables, better for performance. - Fix: Ignore a file in Scanning section sometimes coming back after couple of scans. - Other minor enhancements/fixes 1.6.2 - 2017-05-07 ---------------------------------------------------------------------- - New: CSV export for Audit Logging. - Improvement: Email reports now have unsubscribe link, and link to Reports where email reports can be turned off. - Fix: Typo in Audit email. - Other minor enhancements/fixes 1.6.1 - 2017-21-06 ---------------------------------------------------------------------- - Improvement: Improved IP Lockout performance. - Fix: Audit logging detects wrong WordPress version when upgrade - Fix: "Update old security keys" doesn't move to resolved list after processed - Fix: When emptying IP Lockout logs cause timeout error. - Fix: Typos in some places - Other minor enhancements/fixes 1.6 - 2017-05-06 ---------------------------------------------------------------------- - Improvement: Allow users to select and apply rules to other server type in Prevent PHP Execution and Prevent Information Disclosure. - Fix: Sometimes HUB status doesn't sync with WordPress site. - Other minor enhancements/fixes 1.5 - 2017-17-05 ---------------------------------------------------------------------- - New: You can now add exceptions for specific PHP files in the PHP Execution Security Tweak. - Improvement: Filtering all log types now uses URLs instead of ajax only, meaning you can link to a filtered log easily. - Improvement: Various user experience updates across the plugin interface to make using Defender even easier. - Fix: Lockout Logs now display from newest to oldest. - Fix: Lockout Logs pagination now works correctly. - Fix: Inconsistencies in the IP Lockouts stats across the plugin. - Fix: Sending Audit Logging reports to multiple recipients would address all recipients as the first user's name. - Fix: Grammar and typos in some modals and error messages. - Fix: If Defender finds a vulnerability in WordPress's core, the text would indicate running an update would fix the issue though no update was actually available yet. 1.4.2 - 2017-03-05 ---------------------------------------------------------------------- - Improvement: The plugin interface will now stretch to utilize extra screen space on larger screens. - Fix: Audit Logging was getting its days mixed up in the summary area. You’ll now see the correct day of the week. - Fix: We squashed a bug that was causing files scans to sometimes report false positive files after WordPress core upgrades. - Fix: A conflict with Jetpack was causing scans to stall, which we have now fixed up. - Fix: In some cases File Scanning reports wouldn't actually stop sending if you disabled them. It now obeys commands. - Fix: Google's bot was being blocked by IP Lockouts but now it's free to crawl and index as it pleases. - Fix: We removed redundant “cancel” buttons on settings pages. You probably won’t even notice! - Fix: We’ve added live stats so now there’s no need to wait around in anticipation while running files scan actions. - Fix: Stats weren’t displaying the right numbers after actioning security tweaks, but it’s all good now. - Fix: Pagination on the Audit Logging logs page now works like you would expect it to. - Fix: Files detected in File Scanning now have metrics with their file sizes. - Fix: We’ve fixed styling issues with toggles. - Fix: We removed the” Resolve bulk update” option from File Scanning. It wasn’t really a valid action. - Fix: Incomplete icons in the Dashboard reports area have been updated. - Fix: We’ve removed redirection from the dashboard to the File Scanning page are after preforming a file scan so now you shouldn’t feel lost. - Fix: Lots of other small stuff, like minor cosmetic and grammar fixes. 1.4.1 - 2017-21-04 ---------------------------------------------------------------------- Fixed: Compatibility issue with Getting Started Wizard Fixed: Scanning was sometimes slow or getting stuck 1.4 - 2017-18-04 ---------------------------------------------------------------------- - New: Meet the brand new Defender! This release focuses on making security for WordPress a better place. We’ve given the UI a refresh and updated the UX, so configuring your security settings is a walk in the park. - Fixed: A ton of bug fixes & improvements. Yep, vague description! But why bore you with the small stuff when you could be spending time bolstering your site’s security? 1.3 - 2017-13-03 ---------------------------------------------------------------------- - Added: Endpoint API so HUB can work with Defender natively through WPMU DEV Dashboard plugin - Other minor enhancements/fixes 1.2 - 2017-27-02 ---------------------------------------------------------------------- - Added: New Hardening Rule (PHP version) - Improvement: Audit Logging now allows date range selection. - Improvement: IP Lockouts now allow IP ranges in whitelist/blacklist. - Improvement: IP Lockouts now can import/export whitelist/backlist. - Fixed: IP Lockouts email notification text on permanent IP ban. 1.1.4.1 - 2016-31-10 ---------------------------------------------------------------------- - Fixed: Fatal error when PHP extension sockets is not enabled 1.1.4 - 2016-31-10 ---------------------------------------------------------------------- - Improvement: Audit logging now detects file changes in WordPress core. - Fixed: Updating via WordPress core now syncs better with the Hub. - Fixed: Some compatibility fixes for PHP 5.2. 1.1.3 - 2016-20-09 ---------------------------------------------------------------------- - Improvement: Audit Logging now ajax based. - Fixed: minor bug fixes & some UI/UX improvements 1.1.2 - 2016-24-08 ---------------------------------------------------------------------- - Improvement: Switched the User dropdown in Audit Logging to load results via AJAX to increase initial load performance. - Improvement: Scan results now pre-load information so that you can action fixes faster. - Fixed: Removed cronjob events from being tracked in Audit Logging. - Fixed: The Audit Logging filter box now stays visible if no results are returned. - Fixed: Other small bug fixes and improvements. 1.1.1 - 2016-08-08 ---------------------------------------------------------------------- - Added: A warning indicator in WP Admin sidebar to let you know how many security issues are outstanding. - Added: The ability to choose to only receive email reports when there are issues with your website. - Fixed: Minor bug fixes & improvements 1.1 - 2016-25-07 ---------------------------------------------------------------------- - New feature: Audit logging - New plugin icon - Vulnerability plugins/theme scan result can be ignored - Some other minor enhancements/fixes 1.0.8 - 2016-20-05 ---------------------------------------------------------------------- - Improve Core Integrity Scan. - Improve caching method 1.0.7 - 2016-17-05 ---------------------------------------------------------------------- - Improved: Scan schedule. - Fix: issue with W3 Total Cache Object Cache 1.0.6 - 2016-13-05 ---------------------------------------------------------------------- - Fix: Defender data doesn't sync with HUB correctly - Fix: Email report doesn't send properly - Some other minor enhancements/fixes 1.0.5 - 2016-28-04 ---------------------------------------------------------------------- - Added: Option to choose reminder period for Hardener rule "Update old security keys" - Improved: Compatibility with Windows server - Improved: Optimized resource usage when scanning - Fix: issue with memcached - Other minor enhancements/fixes 1.0.4 - 2016-06-04 ---------------------------------------------------------------------- - Improve scan engine, reduce false positives - Improve uninstallation method - Add the ability to ignore hardener rules. - Improve the performance impact on the site. - Fix scans sticking at 100% in some cases - Fix compatibility issues with IIS - Some other minor enhancements/fixes 1.0.3 - 2016-22-03 ---------------------------------------------------------------------- - Optimize scanning - Preventing performance issue with some hosts - Fix false blacklist detection in local environment - Some other minor enhancements/fixes 1.0.2 - 2016-15-03 ---------------------------------------------------------------------- - Applied ajax inline updates for plugins/themes - One click Prevent PHP execution - One click Prevent Information Disclosure - Add detail page for core integrity issue, and automate resolution - Fix scan stability with limited memory - Some other minor enhancements/fixes 1.0.1 - 2016-03-03 ---------------------------------------------------------------------- - Scanning can auto detect if user is active on scanning page to work based on ajax, or leave to enable background scan - Improve condition checking for Prevent Information Disclosure module - Improve condition checking for Prevent PHP execution module 1.0 - 2016-01-03 ---------------------------------------------------------------------- - First release