Stepping Up The WordPress Security Game With iThemes
For many years now we have been setting up WordPress sites and during that time the Better WP Security plugin has always been a mainstay in most of those setups. It has long been a well-rounded platform when it comes to WordPress security concerns. This of course is one of the main reasons that it was on our recommended WordPress security plugins.
Even back then it was an excellent security tool for any webmasters toolbox. A host of features and controls meant that you could get basic security underway with relative ease.
In December of 2013 we took another look at Better WP Security and noted that at that time it was under the management of iThemes. At that time the version was 3.6.1 and it looked very promising to see what direction iThemes was planning on taking this security plugin.
The great news is that they have done a wonderful job over the last year. The present version of iThemes Security (formally Better WP Security) is now up to 4.4.23, In the last year alone the developers over there have made well over 150+ updates to this already excellent security plugin.
One might think that that is a lot of fixes, but as a programmer I understand that code gets written and updated all the time. This means that the more code they write, the more stuff they can update. This is not always a bad issue. It does mean that they have been working very hard to keep up with the demands from the community for increased security features, quick turn-around time on bug-fixes and optimization of existing code structures. That is exactly what you want to see in any enterprise level software. We look forward to seeing many more new features and updates.
Our thanks go out to the iThemes Dev team for doing such a wonderful job.
Below is a recap of the last years worth of updates that they have done. Make sure you are keeping this plugin up-to-date.
- Version: 4.4.23
- Author: iThemes.com
- Last Updated: 11-05-2014
- Requires WordPress Version: 3.9 or higher
- Compatible up to: 4.0.1
- Average 5-Star Rating: 4.7
- Fixed: App passwords in two-factor authentication will now correctly authenticate themselves.
- New Pro Feature: Temporary privilege escalation
- Enhancement: More time/date information is now shown in the logs for file change scanning
- Fixed: Filechange will no longer show false positives with every change in DST (although this will cause run round of such notifications on update).
- Fixed: Link to malware scanning logs will work.
- New Pro Feature: File change scanning will now compare WordPress core files to the WordPress.org repository.
- Fixed: Make sure php_gid is always defined to prevent error message if the function is not usable.
- Fixed: Link to BackupBuddy in admin bar will now work correctly.
- New Pro Feature: Dashboard widget. Get important information and handle user blocking right from the WordPress Dashboard.
- Fixed: When using wp-cron for file checking cron check will run daily instead of hourly.
- Fixed: Error on line 1312 when iThemes API is actived with version 4.4.15
- Enhancement: File change summary emails are more concise and will avoid extra information
- Fixed: Hide backend will now work with Jetpack’s JSON API authorization.
- Fixed: Option to change user ID 1 will correctly disappear when not present
- Fixed: Removed empty user agent from default blacklist to avoid issues with external services
- Fixed: File change folder check will no longer scan directories outside of ABSPATH for any reason
- Fixed: Adding define( ‘ITSEC_FILE_CHANGE_CRON’, true ); to wp-config.php will cause the file change scanner to only run once daily via wp-cron.
- Fixed: Compatibility issue where strong password enforcement could cause an error if passwords are changed outside of the core of WordPress
- Fixed: Lost password url should now be correct on multisite.
- Fixed: fixed duplicate ID issue from user_id_exists calls.
- Fixed: Fixed an error in the lockout module that results in an error for users of multisite
- Fixed: Notification emails will no longer send if not turned on
- Fixed: Duplicate messages will not be allowed in digest emails
- Fixed: Duplicate digest emails will have a far lesser chance of sending
- Fixed: User lockout count in email notifications will now be correct
- Enhancement: Default log rotation changed from 30 days to 14 days
- Fixed: All logs page will properly display even with 50,000+ entries in the log
- Enhancement: Updated copy on Virustotal API key to indicate that a private key is not needed.
- Fixed: More complete check for user id when resettings password will prevent undefined index login on line 62 error.
- Fixed: Fixed a bug that prevented the api key from saving after resetting the key.
- Fixed: Removed errors that could occur due to the use of custom capabilities and roles.
- New Pro Feature: Automatically generate strong passwords
- New Pro Feature: Password expiration
- Enhancement: Added a link to the actual timezone settings in the general settings page (instead of the top of the page)
- Fixed: When an invalid log directory is detected it will not fail but will instead reset it to the original.
- Fixed: No more duplicate digest emails
- Fixed: No more “Array” message appearing in digest emails from user lockouts
- Fixed: HTML in traditional file log emails will display correctly.
- Fixed: From address in notification emails will now display correctly.
- Fixed: MySQL errors will no longer appear for missing iThemes Security tables. Instead it will attempt to recreate them.
- Fixed: Fixed missing “no changes” text in file change emails.
- Fixed: Formatting of individual file change emails will now work.
- Fixed: Fixed a bug in ban users user agents that would cause a crash on Apache if the user agent contained a space
- Fixed: When an invalid backup directory is detected it will not fail but will instead reset it to the original.
- Fixed: fixed possible undefined api_error variable on line 316 if WordPress believes the email address is invalid.
- Fixed: failed calls to various apis will no longer throw a php error on failure.
- Fixed: Fixed typos in digest email.
- Fixed: Fixed typos in default network lockout message.
- Fixed: Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations
- Fixed: Fixed an error that could occur on multisite due to a missing “core” object
- New Feature: Add IPCheck Brute Force API integration
- New Feature: Add ability to receive a daily digest email instead of individual emails per event.
- Enhancement: Added “Go Pro” menu item to admin menus.
- Enhancement: Added button to release IP address from temporary whitelist.
- Enhancement: Reordered sidebar items to make it easier for the user to get to the information they need from iThemes
- Fixed: introduction screen should now display completely on computers with low-resolution screens.
- Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible.
- Fixed: Scrolling table of contents should not cover side-bar items on pro.
- Fixed: When changing admin user login form will no show the correct path when WordPress is not installed in the same directory as the website address.
- Fixed: The plugins_loaded hook which fires on logout will now fire later to improve compatibility with iThemes Exchange
- Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible.
- Fixed: Added an extra flag in an attempt to reduce duplicate file-change detection executions.
- Fixed: Added missing index.php files to directories that were missing them to ensure no information could be attained if directory is turned on.
- Fixed: Make sure hide backend rewrite rules are consistent with the correct location of the WordPress login page when WordPress is not installed in the main website folder.
- Fixed: File locking will try to create the iThemes Directory if it isn’t already present rather than just saying a lock could not be attained.
- Fixed: Fixed an error whereas an empty filter could display an error when building the log tables.
- Low Severity Security Fix – Lack of access control patched – Sucuri (reported 19Aug2014)
- Fixed an error in XMLRPC blocking when $username variable cannot be found
- Remove error message if WP_Error is returned with wp_remote_post in malware scan
- Fixed bug where away-mode was still enabled after one-time period has passed which could result in away mode activating when it should not
- Ensure that individual module updates fire when updating the plugin
- Added function to retrieve current URL from the front-end
- Fixed error in brute force protection that counts valid logins with XML-RPC as bad logins towards a brute force lockout
- Updated descriptions an instructions in malware scheduling to make the feature easier to use
- Numerous typo corrections throughout dashboard
- Clean up notifications for file change detection and malware scanning
- Fixed an accidental disabling of file change scans introduced in 4.3
- Added on-demand malware scanning for the homepage
- Added better URL validation to ITSEC_LIB
- Added exception for 127.0.0.1 to prevent a local server from being locked out of a site during wp-cron or other calls
- Added button to quickly add current IP address to permanent whitelist
- Added appropriate message for logs page when logs are not available due to “file only” logging being selected
- Fixed Error in 404 scanning if path field was empty
- Updated hackrepair.com’s default blacklist
- Modified support reminder to ask users to upgrade rather than donate
- Use get_home_path() in place of ABSPATH to account for WordPress core in a different directory than wp-content
- Use PHP comments in index.php file to account for the possibility of a scan including the file in which case the html comment could result in an error
- Fixed various typos throughout the plugin dashboard
- Added ability to prevent file change scanning from running on a given page load by defining ITSEC_FILE_CHECK_CRON to true
- Cleaned up file change logging reports to me more clear when no files have been changed
- Added feature to immediately ban user “admin” when no user “admin” exists on the site and a host tries to log in with it anyway
- Added blank line to end of all textarea input to make it easier to input data
- Added brute force checks to XMLRPC calls to prevent brute force attacks against XMLRPC
- Fixed a bug preventing file-change scanning from running when manually executed from the “Logs” page
- Fixed a bug where an error could be generated if the saved files from the file change feature weren’t properly saved
- Fixed comment approval email links to make sure they work when a user is not logged in and hide backend is in effect
- Fixed an issue that was preventing an IP from being permanently banned due to too many lockouts
- Updated .htaccess rules for an IP that has been banned from too many lockouts to be more effective in more hosting environments
- Fixed responsive issues in iThemes notifications that prevented notifications from being easily read on small screens.
- Fixed error for missing function in hide backend
- Fixed an error that could cause a 404 on the admin with hide-backend enabled.
- Fixed error on line 55 of class-itsec-four-oh-four.php that could occur under certain circumstances
- Don’t filter hide backend hash until after schema redirect
- don’t send file change email on first scan
- Fixed verbage when changing login URL
- Modified ban users rewrites for apache. Should work with proxy and if setenvif isn’t enabled.
- Fixed get_module_path to prevent 404 errors on plugin assets
- Fixed misplaced parenthesis forcing computer to always display it isn’t whitelisted
- Updated readme.txt
- Added call to settings import/export module (pro)
- Added button to restore default log location
- Don’t automatically load front-end classes in dashboard pages
- Avoid errors on save if htaccess is completely empty
- Only register activation/deactivation/install hooks in admin
- Make sure temporary white-list is always available
- Improved check for white-listed IP during lockout
- Added ability to use constant to override server detection
- Don’t remove extra line spaces in .htaccess
- Minor reformating and typo fixes
- Make sure front-end classes are available only when needed
- Fixed default types in file change settings
- Added file type exclusion to 404 settings
- Allow for Jetpack SSO to function with suspicious queries turned on
- Use WordPress’ PclZip for backup zip
- Make sure backup disables itself when other backup solutions are present
- Fix tweet link
- Minor fixes and cleanup
- Added call to two-factor module
- Consolidate white lists into one option
- Fix IP mask calculations
- Fix NGINX IP range blocking
- Update modules to use new logging
- Minor refactoring
- Add metabox for iThemes Sync
- Update jQuery version in tweaks
- Shortened file change array names to save space
- Fixed links in lockout emails
- Fixed IP mask calculations
- Add call to pro user-logging module
- Add ability to temporarily whitelist an IP address
- Don’t allow empty file types in file change exclusions
- Add Sync integration for Away Mode
- Minor typo and other fixes
- Better cache clearing and formatting updates
- Make sure rewrite rules are updated on this update
- Remove extra (settings) items from admin bar menu (leave logs and important information)
- Add WP_CONTENT_DIR to system information on dashboard
- Move support nag to free version only and make sure it properly redirects
- Fix check for presence of BackupBuddy to work with BackupBuddy >=220.127.116.11
- Clean up details views on log pages
- Add username column to temp and lockouts tables
- Lockout usernames whether they exist or not
- Don’t duplicate lockouts
- Fixed malformed lockout error on lockout message
- Don’t display a host lockout when none exists
- Add Sync integration to release lockouts
- Improved reliability of brute force user lockouts
- Miscelaneous typos and other fixes
- Remove extra file lock on saving .htaccess, nginx.conf and wp-config.php. Only flock will be used in these operations
- Fixed a function not found error in the brute force module
- Improved content filtering in SSL so that more images and other content will link with appropriate protocol.
- Fixed hide backend in cases where a lockout has expired
- Miscelaneous typos and other fixes.
- Make sure “remove write permissions” works
- Better descriptions on white list
- Add pro table of contents if needed
- Make sure security admin bar item works
- Make sure lockout message only happens when needed
- Suppress errors on readlink calls
- Make sure class is present for permanent ban
- Make sure white list is an array
- Fix white listed IPs not working
- Log when Away-mode is triggered
- Make sure away mode file isn’t accidently deleted
- Make sure away mode doesn’t even allow access to the login form (as it didn’t in 3.x)
- Enhance warnings on “Change content directory” settings
- Better descriptions on white lists
- Fixed XMLRPC label
- Better XMLRPC Dashboard status
- Don’t allow logout action on wp-login.php with hide backend
- Better check for variable in SSL admin
- XMLRPC soft block should now work with WordPress mobile app
- Make sure uploads directory is only working in blog 1 in multisite
- Better checks for run method in module loader
- Make sure backup directory is present before trying to use it
- Make sure backup file method is respected on all backup operations
- Added ability to limit number of backups saved to disk
- Minor typo and other fixes
- Only load front-end classes as needed
- Add link to free support at .org forums
- Remove select(?ed) from suspicious query strings for 3.9 compatibility
- Fixed domain mapping issue (requires http://wordpress.org/plugins/wordpress-mu-domain-mapping/ domain mapping plugin)
- Remove array type errors on 404 pages
- Remove remaining create function calls
- Make sure logs directory is present before trying to use it
- Log a message when witelisted host triggers a lockout
- Don’t create log files if they’re not going to be used
- Add pro tab if pro modules need it
- Upgrade module loader to only load what is needed
- Fix sorting by count in 404 Logs
- Minor code cleanup
- Make sure all wp_enqueue_script dependencies are in proper format
- Reduce priority of hide backend init for better compatibility with other plugins
- SSL now logs users out when activating to prevent cookie conflicts
- When activating SSL Log out the user to prevent cookie conflicts
- Use LOCK_EX as a second file locking method on wp-config.php and .htaccess
- Minor code cleanup
- Make sure all wp_enqueue_script dependencies are in proper format
- Added ability to “soft” block XMLRPC to prevent pingback vulnerability while still allowing other access
- Updated “Suspicious queary strings” to not block plugin updates
- Update NGINX comment spam rewrite rules to better work with multi-site domain mapping
- Move 404 hook in hide backend from wp to wp_loaded
- Make sure super-admin role is maintained on multi-site when changing user id 1 and admin username at the same time
- Make sure all redirects for hide backend and ssl are 302, not 301
- Better resetting of SSL and disallow file editor on deactivation to account for more states
- Make sure hide backend works with registration
- Minor copy and other fixes
- Update nginx rewrite rule on comment spam when domain mapping is active
- Added the ability to disable file locking (old behavior)
- Better file lock release (try more than 1 method) before failing
- Don’t automatically show file lock error on first attempt
- Added Spanish translation by Andrew Kurtis
- Clean up away mode to prevent lockouts on update or other points
- Make sure unset admin user field remains if the other setting has been fixed
- Removed admin user from settings table of contents
- Make sure array input is trimmed in file change module
- Correct input type on file change settings sanitization
- Use full URL on file change warning redirect to prevent invalid target
- Reduce erroneous hide backend change warnings
- When accessing htaccess or wpconfig make sure opening settings changes are 664 instead of 644 to reduce issues
- Update hackrepair.com’s Agents blacklist
- Make sure global settings save button matches others
- Fixed link in locout email
- Email address settings retain end of line
- Sanitize email addresses on save and not just use
- Make sure whitelist is actually an array before trying to process
- Make sure rewrite rules show on dashboard when file writing isnt allowed
- Added extra information to dashboard server information to help troubleshooting
- Fixed bug preventing file change scanning from advancing when chunked
- Don’t autoload file list on non-multisite installations
- Make sure away mode settings transfer from 3.x or disable away mode
- Better descriptions on save buttons
- Admin use “Fix it” Correctly goes to advanced page
- Execute permanent ban on the correct lockout count, not the next one
- Updated quick ban rules to match standard ban rules (will work with proxy)
- Fixed an NGINX rule that didn’t actually block XMLRPC.php
- Updated rule order on ban users
- Fixed a bug that could prevent away from from turning off in certain time configurations (this resulted in the return to homepage on login)
- Updated some function doc
- Added “Show intro” button next to screen options to bring the intro modal back
- Added ability to use HTML in error messages
- Minor copy and other tweaks
- Private posts will now work with hide backend
- Added an option for custom login action that can bypass hide login
- Allow admin-ajax.php to bypass hide backend
- Added filters for external backup plugins to register with the dashboard
- Enable theme compatibility mode by default
- Miscellaneous copy and function doc fixes
- only save post meta for ssl when the value is true
- fixed missing admin user settings if only one part had been changed
- SSL Redirection working properly on front end. No more redirect errors
- hide backend will warn of the new url when saving
- hide backend will now email the notification email(s) when the login area has been moved
- Added BackupBuddy coupon
- Added ability to manually purge log table
- Removed error message that could happen on user creation with strong passwords enabled
- Moved strong password js later in execution cycle to prevent errors
- More hide backend tweaks to cover remaining white screen issues
- Removed option to enqueue a new version of jQuery unless it is needed
- Removed extra quotes that could appear in user agents
- Removed error message on login page when jQuery replace in use
- Don’t use WordPress rewrites for hide backend, we now create our own rewrite rule
- All modules now use newer upgrade method
- Fix modal dismiss button on settings page
- Ban users rules now should work with proxies
- Saving settings will always generate and write rewrite rules if file writing is allowed
- Hide backend now works with multisite and subdirectory installs
- Make sure tables exist if manually updating from 3.x
- Move admin user settings to advanced page
- Make sure logout happens after processing admin user changes
- All modules now rewritten to call rules on build
- Rename backup and logs folders when wp-content is renamed
- Delay file scan by at least 2 minutes when saving settings
- Added “theme compatibility” mode to remove errors in hide backend caused by themes conflicting with the feature.
- Fixed history.txt (for iThemes customers)
- Moved upgrade to separate function for more seamless update
- Upgrade system rewritten for better functionality
- Make sure 404 doesn’t fail if there is not a 404.php in the theme
- Make sure WordPress root URLs render correctly
- Filewrite now only builds rules on demand.
- Fixed dismiss button on intro modal for small screens
- General cleanup and typo fixing
- New .pot file with updated iThemes .pot file generator
- Fixed away mode not allowing PM times.
- Fixed general copy typos.
- Non super admins will no longer see the “Security” menu item in the admin bar on multisite.
- Update to iThemes’ icon-fonts library to account for ABSPATH set to ” or ‘/’.
- Fixed relative paths on Windows servers.
- Removed the pingback URL from the header if XML-RPC disabled.
- Added file locking to admin user operations to [hopefully] avoid duplicated users.
- 404 white list should transfer to global white list
- White list implementation working across all lockouts
- Add extra dismiss box to close welcome modal (fix for smaller screens)
- Fixed bug in conversion of wildcard ip (ie 131.2.1.*) to proper netmask. Should prevent 500 errors on sites.
- Fix for issue whereas a blank deny ip line could be entered into wp-config.php during update if banned users was used.
Better WP Security is now iThemes Security.
This release is a complete rewrite from the ground up. Special thanks to Cory Miller of iThemes.com and Chris Wiegman for realizing the vision for this plugin and how far we can go with it together.
- New Security Features
- jQuery Scanner looks for vulnerable versions of jQuery in your theme and gives you the option to replace it with the current version of jQuery from WordPress core.
- Remove author archives for users without any posts. This helps prevent bots from finding users on your site.
- Force a unique nicename. This forces the user to choose a Nickname that is different from the login name which will be used for the author slug and other appropriate areas.
- Disable PHP execution in uploads.
- New UI with streamlined options and other settings
- Hide features not in use
- Smart feature selection for easier use
- Central logs location
- Ability to better customize notification and backup emails by sending to one or more addresses
- Ability to save files anywhere on the host
- Uses file-system locking for all critical operations
- Global settings require setting options only once
- Full BackupBuddy integration
- Voluntary tracking of when options are turned on or off via Google Analytics
- Hide backend no longer uses keys
- Whitelist IPs for all lockouts
- File change detection can run in batches for better resource usage
- Backups can ignore unneeded table data such as logs
- File change detection can ignore specified file types completely
- All saved files now go to uploads
- Ban users now has its own whitelist
- Away mode and nearly all other features tweaked for speed and reliability
- Module feature includes to accommodate future features as well as possibility of 3rd party features
- No more insufficient permissions errors on settings tabs
- Added notice about upgrade
- Reintroduced InfiniteWP compatibility
- Updated readme
- Removed FooPlugins support box as iThemes begins integration of all support
- Removed InfiniteWP Compatibility
- Turned off iThemes Survey
- Updated iThemes email subscription box