= 8.0.1 - November 14, 2024 = * Improvement: Updated GeoIP database. * Change: Revised some help text related to the audit log to be more clear. * Fix: Improved audit log compatibility with some plugins that would cause excessive noise due to their behaviors around setting up user roles and capabilities. * Fix: Fixed a log notice that could occur when deactivating Wordfence with audit log events still pending and a broken Wordfence Central link. = 8.0.0 - November 4, 2024 = * Improvement: Introduced the Wordfence Audit Log, a new premium feature to monitor all changes and actions in security-sensitive areas of the site with remote tamper-proof data storage via Wordfence Central. * Change: Increased the minimum supported WordPress version to 4.7 * Change: Increased the minimum supported PHP version to 7.0 = 7.11.7 - July 29, 2024 = * Improvement: Optimized scan performance by reducing database queries by approximately 38% along with CPU usage. * Fix: Added translation support for "Page not found" string when viewing recent traffic. = 7.11.6 - June 6, 2024 = * Improvement: Revised the strong password requirements notice to be more readable. * Improvement: Removed unnecessary calls for the plugin and theme vulnerability checks. * Improvement: Reduced the frequency of calls to Wordfence Central during some operations where the values do not need to be synced. * Improvement: Refactored some queries to avoid the automatic SHOW FULL COLUMNS queries that WordPress performs to verify database encodings. * Improvement: Infrequently-used config values are no longer automatically loaded into memory and instead loaded only on demand. * Fix: Fixed an issue where multisite installations using the WAF mysqli storage engine could repeatedly attempt to update WAF rules when not in optimized mode. * Improvement: Updated the bundled GeoIP database. * Change: Revised the formatting of TOTP app URLs to prioritize the site’s own URL for better sorting and display. * Fix: Fixed the last captcha column in the users page so it no longer displays “(not required)” on 2FA users since that no longer applies. * Fix: Added a check in wflogs/rules.php to only run when within the WAF’s bootstrap stage when hosted behind nginx. = 7.11.5 - April 3, 2024 = * Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances. * Fix: Addressed PHP 8 deprecation notices in the file differ used by file changed scan results. * Fix: Reduced the frequency of Wordfence Central status update callbacks in sections of the scan that occur quickly in sequence. = 7.11.4 - March 11, 2024 = * Change: CAPTCHA verification when enabled now additionally applies to 2FA logins (may send an email verification on low scores) and no longer reveals whether a user exists for the submitted account credentials (credit: Raxis). * Fix: Addressed a potential PHP 8 notice in the human/bot detection AJAX call. * Fix: Addressed a potential PHP 8 notice when requesting a lockout unlock verification email. * Fix: Fixed the emailed diagnostics view not showing the missing table information when applicable. * Fix: Improved quick scan logic to base timing on regular scans so they're more evenly distributed. = 7.11.3 - February 15, 2024 = * Fix: Fixed an issue with sites containing invalid Wordfence Central site data where they could throw an error when viewing Wordfence pages. = 7.11.2 - February 14, 2024 = * Improvement: Enhanced the vulnerability scan to check and alert for WordPress core vulnerabilities and to adjust the severity of the scan result based on findings or available updates. * Improvement: Updated the bundled GeoIP database. * Improvement: Increased compatibility of brute force protection with plugins that override the normal login flow and omit traditional hooks. * Change: Adjusted the behavior of automatic quick scans to schedule themselves further away from full scans. * Fix: Added detection for a site being linked to a non-matching Wordfence Central record (e.g., when cloning the database to a staging site). * Fix: Streamlined the license and terms of use installation flow to avoid unnecessary prompting. * Fix: Fixed an issue where user profiles with a selected locale different from the site itself could end up loading the site's locale instead. = 7.11.1 - January 2, 2024 = * Improvement: Added ".env" to the files checked for "Scan for publicly accessible configuration, backup, or log files". * Improvement: Provided better descriptive text for the option "Block IPs who send POST requests with blank User-Agent and Referer". * Improvement: The diagnostics page now displays the contents of any `auto_prepend_file` .htaccess/.user.ini block for troubleshooting. * Fix: Fixed an issue where a login lockout on a WooCommerce login form could fail silently. * Fix: The scan result for abandoned plugins no longer states it has been removed from wordpress.org if it is still listed. * Fix: Addressed an exception parsing date information in non-repo plugins that have a bad `last_updated` value. * Fix: The URL scanner no longer generates a log warning when matching a potential URL fragment that ends up not being a valid URL. = 7.11.0 - November 28, 2023 = * Improvement: Added new functionality for trusted proxy presets to support proxies such as Amazon CloudFront, Ezoic, and Quic.cloud * Improvement: WAF rule and malware signature updates are now signed with SHA-256 as well for hosts that no longer build SHA1 support. * Improvement: Updated the bundled trusted CA certificates. * Change: The WAF will no longer attempt to fetch rule or blocklist updates when run via WP-CLI. * Fix: Removed uses of SQL_CALC_FOUND_ROWS, which is deprecated as of MySQL 8.0.17 * Fix: Fixed an issue where final scan summary counts in some instances were not sent to Central. * Fix: Fixed a deprecation notice for get_class in PHP 8.3.0 * Fix: Corrected an output error in the connectivity section of Diagnostics in text mode. = 7.10.7 - November 6, 2023 = * Fix: Compatibility fix for WordPress 6.4 on the login page styling. = 7.10.6 - October 30, 2023 = * Fix: Addressed an issue with multisite installations when the wp_options tables had different encodings/collations = 7.10.5 - October 23, 2023 = * Improvement: Updated the bundled GeoIP database. * Improvement: Added detection for Cloudflare reverse proxies blocking callbacks to the site. * Change: Files are no longer excluded from future scans if a previous scan stopped during their processing. * Fix: Added handling for the pending WordPress 6.4 change that removes $wpdb->use_mysqli. * Fix: The WAF MySQLi storage engine will now work correctly when either DB_COLLATE or DB_CHARSET are not defined. * Fix: Added additional error handling to Central calls to better handle request failures or conflicts. * Fix: Addressed a warning that would occur if a non-repo plugin update hook did not provide a last updated date. * Fix: Fixed an error in PHP 8 that could occur if the time correction offset was not numeric. * Fix: 2FA AJAX calls now use an absolute path rather than a full URL to avoid CORS issues on sites that do not canonicalize www and non-www requests. * Fix: Addressed a race condition where multiple concurrent hits on multisite could trigger overlapping role sync tasks. * Fix: Improved performance when viewing the user list on large multisites. * Fix: Fixed a UI bug where an invalid code on 2FA activation would leave the activate button disabled. * Fix: Reverted a change on error modals to bring back the additional close button for better accessibility. = 7.10.4 - September 25, 2023 = * Improvement: "Admin created outside of WordPress" scan results may now be reviewed and approved. * Improvement: The WAF storage engine may now be specified by setting the environmental variable "WFWAF_STORAGE_ENGINE". * Improvement: Detect when a plugin or theme with a custom update handler is broken and blocking update version checks. * Change: Deprecated support for WordPress versions lower than 4.7.0. * Change: Exclude parse errors of a damaged compiled rules file from reporting. * Fix: Suppress PHP notices related to rule loading when running WP-CLI. * Fix: Fixed an issue with the scan monitor cron that could leave it running unnecessarily. = 7.10.3 - July 31, 2023 = * Improvement: Updated GeoIP database. * Fix: Added missing text domain to translation function call. * Fix: Corrected inconsistent styling of switch controls. * Change: Made MySQLi storage engine the default for Flywheel hosted sites. = 7.10.2 - July 17, 2023 = * Fix: Prevented bundled sodium_compat library from conflicting with versions included with older WordPress versions. = 7.10.1 - July 11, 2023 = * Improvement: Added support for processing arrays of files in the WAF. * Improvement: Refactored security event processing to send events in bulk. * Improvement: Updated bundled sodium_compat and random_compat libraries. * Fix: Prevented deprecation warning caused by dynamic property creation. * Fix: Added translation support for additional strings. * Change: Adjusted Wordfence registration UI. = 7.10.0 - June 14, 2023 = * Improvement: Added translation support for strings from login security plugin. * Improvement: Added translator notes regarding word order and hidden text. = 7.9.3 - May 31, 2023 = * Improvement: Added exception handling to prevent WAF errors from being fatal. * Fix: Corrected error caused by method call on null in WAF. * Change: Deprecated support for PHP 5.5 and 5.6, ended support for PHP 5.3 and 5.4. * Change: Specified WAF version parameter when requesting firewall rules. = 7.9.2 - March 27, 2023 = * Improvement: The vulnerability severity score (CVSS) is now shown with any vulnerability findings from the scanner. * Improvement: Changed several links during initial setup to open in a new window/tab so it doesn't interrupt installation. * Change: Removed the non-https callback test to the Wordfence servers. * Fix: Fixed an error on PHP 8 that could occur when checking for plugin updates and another plugin has a broken hook. * Fix: Added a check for disabled functions when generating support diagnostics to avoid an error on PHP 8. * Fix: Prevent double-clicking when activating 2FA to avoid an "already set up" error. = 7.9.1 - March 1, 2023 = * Improvement: Further improved performance when viewing 2FA settings and hid user counts by default on sites with many users. * Fix: Adjusted style inclusion and usage to prevent missing icons. * Fix: Avoided using the ctype extension as it may not be enabled. * Fix: Prevented fatal errors caused by malformed Wordfence Central keys. = 7.9.0 - February 14, 2023 = * Improvement: Added 2FA management shortcode and WooCommerce account integration. * Improvement: Improved performance when viewing 2FA settings on sites with many users. * Improvement: Updated GeoIP database. * Fix: Ensured Captcha and 2FA scripts load on WooCommerce when activated on a sub-site in multisite. * Fix: Prevented reCAPTCHA logo from being obscured by some themes. * Fix: Enabled wfls_registration_blocked_message filter support for WooCommerce integration. = 7.8.2 - December 13, 2022 = * Fix: Releasing same changes as 7.8.1, due to wordpress.org error. = 7.8.1 - December 13, 2022 = * Improvement: Added more granualar data deletion options to deactivation prompt. * Improvement: Allowed accessing diagnostics prior to completing registration. * Fix: Prevented installation prompt from displaying when a license key is already installed but the alert email address has been removed. = 7.8.0 - November 28, 2022 = * Improvement: Added feedback when login form is submitted with 2FA. * Fix: Restored click support on login button when using 2FA with WooCommerce. * Fix: Corrected display issue with reCAPTCHA score history graph. * Fix: Prevented errors on PHP caused by corrupted login timestamps. * Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties. * Change: Updated Wordfence registration workflow. = 7.7.1 - October 4, 2022 = * Fix: Prevented scan resume attempts from repeating indefinitely when the initial scan stage fails. = 7.7.0 - October 3, 2022 = * Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues. * Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org. * Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions. * Improvement: Added option to disable looking up IP address locations via the Wordfence API. * Improvement: Prevented successful logins from resetting brute force counters. * Improvement: Clarified IPv6 diagnostic. * Improvement: Included maximum number of days in live traffic option text. * Fix: Made timezones consistent on firewall page. * Fix: Added "Use only IPv4 to start scans" option to search. * Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log. * Fix: Prevented warning on PHP 8 related to process owner diagnostic. * Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER. * Fix: Removed unsupported beta feed option. = 7.6.2 - September 19, 2022 = * Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database. = 7.6.1 - September 6, 2022 = * Fix: Prevented XSS that would have required admin privileges to exploit (CVE-2022-3144) = 7.6.0 - July 28, 2022 = * Improvement: Added option to start scans using only IPv4. * Improvement: Added diagnostic for internal IPv6 connectivity to site. * Improvement: Added AUTOMATIC_UPDATER_DISABLED diagnostic. * Improvement: Updated password strength check. * Improvement: Added support for scanning plugin/theme files in when using the WP_CONTENT_DIR/WP_PLUGIN_DIR constants. * Improvement: Updated GeoIP database. * Improvement: Made DISABLE_WP_CRON diagnostic more clear. * Improvement: Added "Hostname" to Live Traffic message displayed for hostname blocking. * Improvement: Improved compatibility with Flywheel hosting. * Improvement: Adopted semantic versioning. * Improvement: Added support for dynamic cookie redaction patterns when logging requests. * Fix: Prevented scanned paths from being displayed as skipped in rare cases. * Fix: Corrected indexed files count in scan messages. * Fix: Prevented overlapping AJAX requests when viewing Live Traffic on slower servers. * Fix: Corrected WP_DEBUG_DISPLAY diagnostic. * Fix: Prevented extraneous warnings caused by DNS resolution failures. * Fix: Corrected display issue with Save/Cancel buttons on All Options page. * Fix: Prevented errors caused by WHOIS searches for invalid values. = 7.5.11 - June 14, 2022 = * Improvement: Added option to toggle display of last login column on WP Users page. * Improvement: Improved autocomplete support for 2FA code on Apple devices. * Improvement: Prevented Batcache from caching block pages. * Improvement: Updated GeoIP database. * Fix: Prevented extraneous scan results when non-existent paths are configured using UPLOADS and related constants. * Fix: Corrected issue that prevented reCAPTCHA scores from being recorded. * Fix: Prevented invalid JSON setting values from triggering fatal errors. * Fix: Made text domains consistent for translation support. * Fix: Clarified that allowlisted IP addresses also bypass reCAPTCHA. = 7.5.10 - May 17, 2022 = * Improvement: Improved scan support for sites with non-standard directory structures. * Improvement: Increased accuracy of executable PHP upload detection. * Improvement: Addressed various deprecation notices with PHP 8.1 * Improvement: Improved handling of invalidated license keys. * Fix: Corrected lost password redirect URL when used with WooCommerce. * Fix: Prevented errors when live traffic data exceeds database column length. * Fix: Prevented bulk password resets from locking out admins. * Fix: Corrected issue that prevented saving country blocking settings in certain cases. * Change: Updated copyright information. = 7.5.9 - March 22, 2022 = * Improvement: Updated GeoIP database. * Improvement: Removed blocking data update logic in order to reduce timeouts. * Improvement: Increased timeout value for API calls in order to reduce timeouts. * Improvement: Clarified notification count on Wordfence menu. * Improvement: Improved scan compatibility with WooCommerce. * Improvement: Added messaging when application passwords are disabled. * Fix: Prevented warnings and errors when constants are defined based on the value of other constants in wp-config.php. * Fix: Corrected redundant escaping that prevented viewing or repairing files in scan results. = 7.5.8 - February 1, 2022 = * Launch of Wordfence Care and Wordfence Response. = 7.5.7 - November 22, 2021 = * Improvement: Made preliminary changes for compatibility with PHP 8.1 * Change: Added GPLv3 license and updated EULA. = 7.5.6 - October 18, 2021 = * Fix: Prevented login errors with WooCommerce integration when manual username entry is enabled on the WooCommerce registration form. * Fix: Corrected theme incompatibilities with WooCommerce integration. = 7.5.5 - August 16, 2021 = * Improvement: Enhanced accessibility. * Improvement: Replaced regex in scan log with signature ID. * Improvement: Updated Knockout JS dependency to version 3.5.1 * Improvement: Removed PHP 8 compatibility notice. * Improvement: Added NTP status for Login Security to Diagnostics. * Improvement: Updated plugin headers for compatibility with WordPress 5.8 * Improvement: Updated Nginx documentation links to HTTPS. * Improvement: Updated IP address geolocation database. * Improvement: Expanded WAF SQL syntax support. * Improvement: Added optional constants to configure WAF database connection. * Improvement: Added support for matching punycode domain names. * Improvement: Updated Wordfence install count. * Improvement: Deprecated support for WordPress versions older than 4.4.0 * Improvement: Added warning messages when blocking U.S. * Improvement: Added MYSQLI_CLIENT_SSL support to WAF database connection. * Improvement: Added 2FA and reCAPTCHA support for WooCommerce login and registration forms. * Improvement: Added option to require 2FA for any role. * Improvement: Added logic to automatically disable NTP after repeated failures and option to manually disable NTP. * Improvement: Updated reCAPTCHA setup note. * Fix: Prevented issue where country blocking changes are not saved. * Fix: Corrected string placeholder. * Fix: Added missing text domain to translation calls. * Fix: Corrected warning about sprintf arguments on Central setup page. * Fix: Prevented lost password functionality from revealing valid logins. = 7.5.4 - June 7, 2021 = Fix: Resolve conflict with woocommerce-gateway-amazon-payments-advanced plugin = 7.5.3 - May 10, 2021 = * Improvement: Expanded WAF capabilities including better JSON and user permission handling. * Improvement: Switched to relative paths in WAF auto_prepend file to increase portability. * Improvement: Eliminated unnecessary calls to Wordfence servers. * Fix: Prevented errors on PHP 8.0 when disk_free_space and/or disk_total_space are included in disabled_functions. * Fix: Fixed PHP notices caused by unexpected plugin version data. * Fix: Gracefully handle unexpected responses from Wordfence servers. * Fix: Time field now displays correctly on "See Recent Traffic" overlay. * Fix: Corrected typo on Diagnostics page. * Fix: Corrected IP counts on activity report. * Fix: Added missing line break in scan result emails. * Fix: Sending test activity report now provides success/failure response. * Fix: Reduced SQLi false positives caused by comma-separated strings. * Fix: Fixed JS error when resolving last scan result. = 7.5.2 - March 24, 2021 = * Fix: Fixed fatal error on single-sites running WordPress <4.9 = 7.5.1 - March 24, 2021 = * Fix: Fixed fatal error when viewing the Login Security settings page from an allowlisted IP. = 7.5.0 - March 24, 2021 = * Improvement: Translation-readiness: All user-facing strings are now run through WordPress's i18n functions. * Improvement: Remove legacy admin functions no longer used within the UI. * Improvement: Local GeoIP database update. * Improvement: Remove Lynwood IP range from allowlist, and add new AWS IP range. * Fix: Fixed bug with unlocking a locked out IP without correctly resetting its failure counters. * Fix: Sites using deleted premium licenses correctly revert to free license behavior. * Fix: When enabled, cookies are now set for the correct roles on previously used devices. * Fix: WAF cron jobs are now skipped when running on the CLI. * Fix: PHP 8.0 compatibility - prevent syntax error when linting files. * Fix: Fixed issue where PHP 8 notice sometimes cannot be dismissed. = 7.4.14 - December 3, 2020 = * Improvement: Added option to disable application passwords. * Improvement: Updated site cleaning callout with 1-year guarantee. * Improvement: Upgraded sodium_compat library to 1.13.0. * Improvement: Replaced the terms whitelist and blacklist with allowlist and blocklist. * Improvement: Made a number of WordPress 5.6 and jQuery 3.x compatibility improvements. * Improvement: Made a number of PHP8 compatibility improvements. * Improvement: Added dismissible notice informing users of possible PHP8 compatibility issues. = 7.4.12 - October 21, 2020 = * Improvement: Initial integration of i18n in Wordfence. * Improvement: Prevent Wordfence from loading under =5.5.0. Fix: Prevent Wordfence auto-update from running if the user has enabled auto-update through WordPress. Fix: Added default `permission_callback` params to Wordfence Central REST routes. Fix: Fixed missing styling on WAF optimization admin notice. = 7.4.9 - July 8, 2020 = * Improvement: Added list of known malicious usernames to suspicious administrator scan. * Improvement: Added ability for the WAF to determine if a given plugin/theme/core version is installed. * Improvement: Added a feature to export a diagnostics report. * Improvement: Add php_errorlog to the list of downloadable logs in diagnostics. * Improvement: Added a prompt to allow user to download a backup prior to repairing files. * Improvement: Prevent scan from failing when the home URL has changed and the key is no longer valid. * Improvement: Deprecated PHP 5.3, and ended PHP 5.2 support by prevent auto-update from running on older versions. * Fix: Fixed issue where WAF mysqli storage engine cannot find credentials if wflogs/ does not exist. * Fix: Changed capability checked to read WP REST API users endpoint when "Prevent discovery of usernames through ..." is enabled. * Fix: Prevented duplicate queries for wordfenceCentralConnected wfconfig value. * Fix: Prevented custom wp-content or other directories from appearing in "skipped paths" scan result, even when scanned. * Fix: Login Attempts dashboard widget "Show more" link is not visible when long usernames and IPs cause wrapping. * Fix: Fix typo in the readme. = 7.4.8 - June 16, 2020 = * Fix: Fixed issue with fatal errors encountered during activation under certain conditions. = 7.4.7 - April 23, 2020 = * Improvement: Updated bundled GeoIP database. * Improvement: Better messaging when selecting restrictive rate limits. * Improvement: Scan result emails now include the count of issues that were found again. * Improvement: Resolved scan issues will now email again if they reoccur. * Improvement: Added the state/province name when applicable to geolocation displays in Live Traffic. * Improvement: New blocking page design to better inform blocked visitors on how to resolve the block. * Improvement: Custom WP_CONTENT_DIR, WP_PLUGIN_DUR, and UPLOADS path constants will now get scanned correctly. * Improvement: Added TLS connection failure detection to brute force reporting and checking and a corresponding backoff period. * Fix: Fixed an issue where a bad cron record could interfere with automatic WAF rule updates. * Fix: Fixed a PHP warning that could occur if a bad response was received while updating an IP list. * Fix: The new user tour and onboarding flow will now work correctly on the 2FA page. = 7.4.6 - February 12, 2020 = * Improvement: Enhanced the detection ability of the WAF for SQLi attacks. * Improvement: Updated the bundled GeoIP database. * Improvement: Modified some country names in the block configuration to align with those shown in Live Traffic. * Change: Moved the skipped files scan check to the Server State category. * Fix: Fixed an issue where after scrolling on the Live Traffic page, updates would no longer automatically load. * Fix: Modified the number of login records kept to align better with Live Traffic so they're trimmed around the same time. = 7.4.5 - January 15, 2020 = * Improvement: Improved WAF coverage for an Infinite WP authentication bypass vulnerability. Credit to Marc Montpas for finding a bypass. = 7.4.4 - January 14, 2020 = * Fix: Fixed a UI issue where the scan summary status marker for malware didn't always match the findings. = 7.4.3 - January 13, 2020 = * Improvement: Added WAF coverage for an Infinite WP authentication bypass vulnerability. * Improvement: The malicious URL scan now includes protocol-relative URLs (e.g., //example.com) * Improvement: Malware signatures are now better applied to large files read in multiple passes. * Improvement: Added a scan issue that will appear when one or more paths are skipped due to scan settings excluding them. * Changed: AJAX endpoints now send the application/json Content-Type header. * Changed: Updated text on scan issues for plugins removed from wordpress.org to better indicate possible reasons. * Changed: Added compatibility messaging for reCAPTCHA when WooCommerce is active. * Fixed: Added missing $wp_query->set_404() call when outputting a 404 page on a custom action. * Fixed: Fixed the logout username display in Live Traffic broken by a change in WordPress 5.3. * Fixed: Improved the response callback used for the WAF status check during extended protection installation. * Fixed: The "Require 2FA for all administrators" notice is now automatically dismissed if an administrator sets up 2FA. = 7.4.2 - December 3, 2019 = * Improvement: Increased performance of IP CIDR range comparisons. * Improvement: Added parameter signature to remote scanning for better validation during forking. * Change: Removed duplicate browser label in Live Traffic. * Fix: Added compensation for PHP 7.4 deprecation notice with get_magic_quotes_gpc. * Fix: Fixed potential notice in dashboard widget when no updates are found. * Fix: Updated JS hashing library to compensate for a variable name collision that could occur. * Fix: Fixed an issue where certain symlinks could cause a scan to erroneously skip files. * Fix: Fixed PHP memory test for newer PHP versions whose optimizations prevented it from allocating memory as desired. = 7.4.1 - November 6, 2019 = * Improvement: Updated the bundled GeoIP database. * Improvement: Minor changes to ensure compatibility with PHP 7.4. * Improvement: Updated the WHOIS lookup for better reliability. * Improvement: Added better diagnostic data when the WAF MySQL storage engine is active. * Improvement: Improved the messaging when switching between premium and free licenses. * Change: Deprecated DNS changes scan. * Change: The plugin will no longer email alerts when Central is managing them. * Fix: Added error suppression to ignore_user_abort calls to silence it on hosts with it disabled. * Fix: Improved path generation to better avoid outputting extra slashes in URLs. * Fix: Applied a length limit to malware reporting to avoid failures due to large content size. = 7.4.0 - August 22, 2019 = * Improvement: Added a MySQL-based configuration and data storage for the WAF to expand the number of hosting environments supported. For more detail, see: https://www.wordfence.com/help/firewall/mysqli-storage-engine/ * Improvement: Updated bundled GeoIP database. * Fix: Fixed several console notices when running via the CLI. = 7.3.6 - July 31, 2019 = * Improvement: Multiple "php.ini file in core directory" issues are now consolidated into a single issue for clearer scan results. * Improvement: The AJAX error detection for false positive WAF blocks now better detects and processes the response for presenting the whitelisting prompt. * Improvement: Added overdue cron detection and highlighting to diagnostics to help identify issues. * Improvement: Added the necessary directives to exclude backwards compatibility code from creating warnings with phpcs for future compatibility with WP Tide. * Improvement: Normalized all PHP require/include calls to use full paths for better code quality. * Change: Removed deprecated high sensitivity scan option since current signatures are more accurate. * Fix: Fixed the status circle tooltips not showing. * Fix: IP detection at the WAF level better mirrors the main plugin exactly when using the automatic setting. * Fix: Fixed a currently-unused code path in email address verification for the strict check. = 7.3.5 - July 16, 2019 = * Improvement: Improved tagging of the login endpoint for brute force protection. * Improvement: Added additional information about reCAPTCHA to its setting control. * Improvement: Added a constant that may be overridden to customize the expiration time of login verification email links. * Improvement: reCAPTCHA keys are now tested on saving to prevent accidentally inputting a v2 key. * Improvement: Added a setting to control the reCAPTCHA human/bot threshold. * Improvement: Added a separate option to trigger removal of Login Security tables and data on deactivation. * Improvement: Reworked the reCAPTCHA implementation to trigger the token check on login/registration form submission to avoid the token expiring. * Fix: Widened the reCAPTCHA key fields to allow the full keys to be visible. * Fix: Fixed encoding of the ellipsis character when reporting malware finds. * Fix: Disabling the IP blacklist once again correctly clears the block cache. * Fix: Addressed an issue when outbound UDP connections are blocked where the NTP check could log an error. * Fix: Added handling for reCAPTCHA's JavaScript failing to load, which previously blocked logging in. * Fix: Fixed the functionality of the button to send 2FA grace period notifications. * Fix: Fixed a missing icon for some help links when running in standalone mode. = 7.3.4 - June 17, 2019 = * Improvement: Added security events and alerting features built into Wordfence Central. = 7.3.3 - June 11, 2019 = * Improvement: Added support for managing the login security settings to Wordfence Central. * Improvement: Updated the bundled root CA certificate store. * Improvement: Added a check and update flow for mod_php hosts with only the PHP5 directive set for the WAF's extended protection mode. * Improvement: Added additional values to Diagnostics for debugging time-related issues, the new fatal error handler settings, and updated the PHP version check to reflect the new 5.6.20 requirement of WordPress. * Change: Changed the autoloader for our copy of sodium_compat to always load after WordPress core does. * Fix: Fixed the "removed from wordpress.org" detection for plugin, which was broken due to an API change. * Fix: Fixed the bulk repair function in the scan results when it included core files. = 7.3.2 - May 16, 2019 = * Improvement: Updated sodium_compat to address an incompatibility that may occur with the pending WordPress 5.2.1 update. * Improvement: Clarified text around the reCAPTCHA setting to indicate v3 keys must be used. * Improvement: Added detection for Jetpack and a notice when XML-RPC authentication is disabled. * Fix: Suppressed error messages on the NTP time check to compensate for hosts with UDP connections disabled. = 7.3.1 - May 14, 2019 = * Improvement: Two-factor authentication is new and improved, now available on all Premium and Free installations. * Improvement: Added Google reCAPTCHA v3 support to the login and registration forms. * Improvement: XML-RPC authentication may now be disabled or forced to require 2FA. * Improvement: Reduced size of SVG assets. * Improvement: Clarified text on "Maximum execution time for each scan stage" option. * Improvement: Added detection for an additional config file that may be created and publicly visible on some hosts. * Improvement: Improved detection for malformed malware scanning signatures. * Change: Long-deprecated database tables will be removed. * Change: Removed old performance logging code that's no longer used. * Fix: Addressed a log notice when using the See Recent Traffic feature in Live Traffic. * Fix: WAF attack data now correctly includes JSON payloads when appropriate. * Fix: Fixed the text for Live Traffic entries that include a redirection message. * Fix: Fixed an issue with synchronizing scan issues to Wordfence Central that prevented stale issues from being cleared. = 7.2.5 - April 18, 2019 = * Improvement: Added additional data breach records to the breached password check. * Improvement: Added the Accept-Encoding compression header to WAF-related requests for better performance during rule updates. * Improvement: Updated to the current GeoIP database. * Improvement: Added additional controls to the Wordfence Central connection page to better reflect the current connection state. * Change: Updated the text on the option to alert for scan results of a certain severity. = 7.2.4 - March 26, 2019 = * Improvement: Updated vulnerability database integration. * Improvement: Better messaging when a WAF rule update fails to better indicate the cause. * Fix: Removed a double slash that could occur in an image path. * Fix: Adjusted timeouts to improve reliability of WAF rule updates on slower servers. * Fix: Improved connection process with Wordfence Central for better reliability on servers with non-standard paths. * Fix: Switched to autoloader with fastMult enabled on sodum_compat to minimize connection issues. = 7.2.3 - February 28, 2019 = * Improvement: Country names are now shown instead of two letter codes where appropriate. * Improvement: Updated the service whitelist to reflect additions to the Facebook IP ranges. * Improvement: Added alerting for when the WAF is disabled for any reason. * Improvement: Additional alerting and troubleshooting steps for WAF configuration issues. * Change: Live Traffic human/bot status will additionally be based on the browscap record in security-only mode. * Change: Added dismissible prompt to switch Live Traffic to security-only mode. * Fix: The scan issues alerting option is now set correctly for new installations. * Fix: Fixed a transparency issue with flags for Switzerland and Nepal. * Fix: Fixed the malware link image rendering in scan issue emails and switched to always use https. * Fix: WAF-related scheduled tasks are now more resilient to connection timeouts or memory issues. * Fix: Fixed Wordfence Central connection flow within the first time experience. = 7.2.2 - February 14, 2019 = * Improvement: Updated GeoIP database. * Fix: Syncing requests from Wordfence Central no longer appear in Live Traffic. * Fix: Addressed some display issues with the Wordfence Central panel on the Wordfence Dashboard. = 7.2.1 - February 5, 2019 = * Improvement: Integrated Wordfence with Wordfence Central, a new service allowing you to manage multiple Wordfence installations from a single interface. * Improvement: Added a help link to the mode display when a host disabling Live Traffic is active. * Improvement: Added an option for whitelisting ManageWP in "Whitelisted Services". * Fix: Enqueued fonts used in admin notices on all admin pages. * Fix: Change false positive user-reports link to use https. * Fix: Fix reference to non-existent function when registering menus. = 7.1.20 - January 8, 2019 = Fix: Fixed a commit error with 7.1.19 = 7.1.19 - January 8, 2019 = * Improvement: Speed optimizations for WAF rule compilation. * Improvement: Added Kosovo to country blocking. * Improvement: Additional flexibility for whitelist rules. * Fix: Added compensation for really long file lists in the "Exclude files from scan" setting. * Fix: Fixed an issue where the GeoIP database update check would never get marked as completed. * Fix: Login credentials passed as arrays no longer trigger a PHP notice from our filters. * Fix: Text fixes to the WAF nginx help text. = 7.1.18 - December 4, 2018 = * Improvement: Removed unused font glyph ranges to reduce file count and size. * Improvement: Switched flags to use a CSS sprite to reduce file count and size. * Improvement: Added dates to each release in the changelog. * Change: Live Traffic now defaults to only logging security events on new installations. * Change: Added an upper limit to the maximum scan stage execution time if not explicitly overridden. * Fix: Changed WAF file handling to skip some file actions if running via the CLI. * Fix: Fixed an issue that could prevent files beginning with a period from working with the file restore function. * Fix: Improved layout of options page controls on small screens. * Fix: Fixed a typo in the htaccess update panel. * Fix: Added compensation for Windows path separators in the WAF config handling. * Fix: Fixed handling of case-insensitive tables in the Diagnostics table check. * Fix: Better messaging by the status circles when the WAF config is inaccessible or corrupt. * Fix: REST API hits now correctly follow the "Don't log signed-in users with publishing access" option. = 7.1.17 - November 6, 2018 = * Improvement: Increased frequency of filesystem permission check and update of the WAF config files. * Improvement: More complete data removal when deactivating with remove tables and files checked. * Improvement: Better diagnostics logging for GeoIP conflicts. * Fix: Text fix in invalid username lockout message. * Fix: PHP 7.3 syntax compatibility fixes. = 7.1.16 - October 16, 2018 = * Improvement: Service whitelisting can now be selectively toggled on or off per service. * Improvement: Updated bundled GeoIP database. * Change: Removed the "Disable Wordfence Cookies" option as we've removed all cookies it affected. * Change: Updates that refresh country statistics are more efficient and now only affect the most recent records. * Change: Changed the title of the Wordfence Dashboard so it's easier to identify when many tabs are open. * Fix: Fixed an issue with country blocking and XML-RPC requests containing credentials. = 7.1.15 - October 1, 2018 = * Fix: Addressed a plugin conflict with the composer autoloader. = 7.1.14 - October 1, 2018 = * Improvement: Reduced queries and potential table size for rate limiting-related data. * Improvement: Updated the internal browscap database. * Improvement: Better error reporting for scan failures due to connectivity issues. * Improvement: WAF-related file permissions will now lock down further when possible. * Improvement: Hardening for sites on servers with insecure configuration, which should not be enabled on publicly accessible servers. Thanks Janek Vind. * Change: Switched the minimum PHP version to 5.3. * Fix: Prevent bypass of author enumeration prevention by using invalid parameters. Thanks Janek Vind. * Fix: Wordfence crons will now automatically reschedule if missing for any reason. * Fix: Fixed an issue where the block counts and total IPs blocked values on the dashboard might not agree. * Fix: Corrected the message shown on Live Traffic when a country blocking bypass URL is used. * Fix: Removed extra spacing in the example ranges for "Whitelisted IP addresses that bypass all rules" = 7.1.12 - September 12, 2018 = * Improvement: Updated bundled GeoIP database. * Improvement: Restructured the WAF configuration storage to be more resilient on hosts with no file locking support. * Change: Moved the settings import/export to the Tools page. * Change: New installations will now use lowercase table names to avoid issues with some backup plugins and Windows-based sites. * Fix: The notice and repair link for an unreadable WAF configuration now work correctly. * Fix: Improved appearance of some stat components on smaller screens. * Fix: Fixed duplicate entries with different status codes appearing in detailed live traffic. * Fix: Added better caching for the breached password check to compensate for sites that prevent the cache from expiring correctly. * Fix: Changing the frequency of the activity summary email now reschedules it. = 7.1.11 - August 21, 2018 = * Improvement: Added a custom message field that will show on all block pages. * Improvement: Improved the standard appearance for block pages. * Improvement: Live Traffic now better displays failed logins. * Improvement: Added a constant to prevent direct MySQLi use for hosts with unsupported DB configurations. * Improvement: Malware scan results have been modified to include both a public identifier and description. * Change: Description updated on the Live Traffic page. * Fix: Removed an empty file hash from the old WordPress core file detection. * Fix: Update locking now works on multisites that have removed the original site. = 7.1.10 - July 31, 2018 = * Improvement: Better labeling in Live Traffic for 301 and 302 redirects. * Improvement: Login timestamps are now displayed in the site's configured time zone rather than UTC. * Improvement: Added detection and a workaround for hosts with a non-functional MySQLi interface. * Improvement: The prevent admin registration setting now works with WooCommerce's registration flow. * Improvement: For hosts with varying URL values (e.g., AWS instances), notification and alert links now correctly use the canonical admin URL. * Fix: Fixed a layout problem with the live traffic disabled notice. * Fix: The scan stage that checks "How does Wordfence get IPs?" no longer shows a warning if the call fails. = 7.1.9 - July 12, 2018 = * Improvement: Added an "unsubscribe" link to plugin-generated alerts. * Improvement: Added some additional flags. * Change: Removed some unnecessary files from the bundled GeoIP library. * Change: Updated wording in the Terms of Use/Privacy Policy agreement UI. * Change: The minimum "Lock out after how many login failures" is now 2. * Change: The diagnostics report now includes the scan issues for easier debugging. * Fix: Multiple improvements to automatic updating to avoid broken updates on sites with low resources or slow file systems. * Fix: Better text wrapping in the top failed logins widget. * Fix: Onboarding CSS/JS is now correctly enqueued for multisite installations. * Fix: Fixed a missing asset with the bundled jQueryUI library. * Fix: Fixed memory calculation when using PHP's supported shorthand syntax. * Fix: Better wrapping behavior on the reason column in the blocks table. * Fix: Fixed an issue with an internal data structure to prevent error log entries when using mbstring functions. * Fix: Improved bot detection when no user agent is sent. = 7.1.8 - June 26, 2018 = * Improvement: Better detection of removal status when uninstalling the WAF's auto-prepend file. * Improvement: Switched optional mailing list signup to go directly through our servers rather than a third party. * Fix: Fixed the dashboard erroneously showing the payment method as missing for some payment methods. * Fix: If a premium license is deleted from wordfence.com, the plugin will now automatically downgrade rather than get stuck in an intermediate state. * Fix: Changed some wording to consistently use "License" or "License Key". = 7.1.7 - June 5, 2018 = * Improvement: Added better support for keyboard navigation of options. * Improvement: staging. and dev. subdomains are now supported for sharing premium licenses. * Improvement: Bundled our interface font to avoid loading from a remote source and reduced the pages some assets were loaded on. * Improvement: Added option to trim Live Traffic records after a specific number of days. * Improvement: Updated to the current GeoIP2 database. * Improvement: Extended the automatic redaction applied to attack data that may include sensitive information. * Change: Removed a no-longer-used API call. * Fix: Fixed a few options that couldn't be searched for on the all options page. * Fix: Activity Report emails now detect and avoid symlink loops. = 7.1.6 - May 22, 2018 = * Fix: Added a workaround for sites with inaccessible WAF config files when reading php://input = 7.1.5 - May 22, 2018 = * Improvement: GDPR compliance updates. * Improvement: The list of blocks now shows the most recently-added blocks at the top by default. * Improvement: Added better table status display to Diagnostics to help with debugging. * Improvement: Added deferred loading to Live Traffic avatars to improve performance with some plugins. * Improvement: The server's own IP is now automatically whitelisted for known safe requests. * Fix: Added a workaround to Live Traffic human/bot detection to compensate for other scripts that modify our event handlers. * Fix: Fixed an error with Live Traffic human/bot detection when plugins change the load order. * Fix: Fixed auto-enabling of some controls when pasting values. * Fix: Fixed an instance where http links could be generated for emails rather than https. = 7.1.4 - May 2, 2018 = * Improvement: Added additional XSS detection capabilities. * Change: Initial preparation for GDPR compliance. Additional changes will be included in an upcoming release to meet the GDPR deadline. * Change: Reworked Live Traffic/Rate Limiting human and bot detection to function without cookies. * Change: Removed the wfvt_ cookie as it was no longer necessary. * Change: Better debug messaging for scan forking. * Fix: PHP deprecation notices no longer suppress those of old OpenSSL or WordPress. * Fix: Fixes to the deprecated OpenSSL version detection and alerting to handle non-patch version numbers. * Fix: Added detection for and fixed a very large pcre.backtrack_limit setting that could cause scans to fail, when modified by other plugins. * Fix: Scan issue alert emails no longer incorrectly show high sensitivity was enabled. * Fix: Fixed wrapping of long strings on the Diagnostics page. = 7.1.3 - April 18, 2018 = * Improvement: Improved the performance of our config table status check. * Improvement: The IP address of the user activating Wordfence is now used by the breached password check until an admin successfully logs in. * Improvement: Added several new error displays for scan failures to help diagnose and fix issues. * Improvement: Added the block duration to alerts generated when an IP is blocked. * Improvement: A text version of scan results is now included in the activity log email. * Improvement: The WAF install/uninstall process no longer asks to backup files that do not exist. * Change: Began a phased rollout of moving brute force queries to be https-only. * Change: Added the initial deprecation notice for PHP 5.2. * Change: Suppressed a script tag on the diagnostics page from being output in the email version. * Fix: Addressed an issue where plugins that return a null user during authentication would cause a PHP notice to be logged. * Fix: Fixed an issue where plugins that use non-standard version formatting could end up with a inaccurate vulnerability status. * Fix: Added a workaround for web email clients that erroneously encode some URL characters (e.g., #). = 7.1.2 - April 4, 2018 = * Improvement: Added support for filtering the blocks list. * Improvement: Added a flow for generating the WAF autoprepend file and retrieving the path for manual installations. * Improvement: Added a variety of new data values to the Diagnostics page to aid in debugging issues. * Improvement: SVG files now have the JavaScript-based malware signatures run against them. * Improvement: More descriptive text for the scan issue email when there's an unknown WordPress core version. * Improvement: Added a dedicated error display that will show when a scan is detected as failed. * Improvement: readme.html and wp-config-sample.php are no longer scanned for changes due to differences between languages (malware signatures still run). * Improvement: When the license status changes, it now triggers a fresh pull of the WAF rules. * Improvement: Added dedicated messaging for leftover WordPress core files that were not fully removed during upgrade. * Improvement: Improved labeling in Live Traffic for hits blocked by the real-time IP blacklist. * Improvement: Added forced wrapping to the file paths in the activity report email to avoid scroll bar overlap making them unreadable. * Improvement: Updated the bundled GeoIP database. * Improvement: Updated the bundled browscap database. * Improvement: All emailed alerts now include a link to the generating site. * Change: Minor text change to unify some terminology. * Fix: Removed a remaining reference to the CDN version of Font Awesome. * Fix: Removed an old reference to the pre-Wordfence 7.1 lockouts table. * Fix: Scan results for malware detections in posts are no longer clickable. * Fix: We now verify that there's a valid email address defined before attempting to send an alert and filter out any invalid ones. * Fix: Added a workaround for GoDaddy/Limit Login Attempts suppressing the 2FA prompting. = 7.1.1 - March 20, 2018 = * Improvement: Added the ability to sort the blocks table. * Improvement: Added short-term caching of breach check results. * Improvement: The check for passwords leaked in breaches now allows a login if the user has previously logged in from the same IP successfully and displays an admin notice suggesting changing the password. * Improvement: Switched the bundled select2 library to use to prefixed version to work around other plugins including older versions on our pages. * Improvement: The scan page now displays when beta signatures are enabled since they can produce false positives. * Improvement: Improved positioning of the "Wordfence is Working" message. * Improvement: Added a character limit to the reason on blocks and forced wrapping to avoid the layout stretching too much. * Fix: Fixed an issue with some table prefixing where multisite installations with rare configurations could result in unknown table warnings. * Fix: Removed an older behavior with live traffic buttons that could allow them to open in a new tab and show nothing. * Fix: Added a check for sites with inaccurate disk space function results to avoid showing an issue. * Fix: Added a secondary check to the email summary cron to avoid repeated sending if the cron list is corrupted. * Fix: Fixed a typo on the Advanced Comment Spam Filter page. = 7.1.0 - March 1, 2018 = * Improvement: Added a new feature to prevent attackers from successfully logging in to admin accounts whose passwords have been in data breaches. * Improvement: Added pagination support to the scan issues. * Improvement: Improved time zone handling for the WAF's learning mode. * Improvement: Improved messaging on file-related scan issues when the file is wp-config.php. * Improvement: Modified the appearance of the "How does Wordfence get IPs" option to be more clear. * Improvement: Better messaging about the scan options that need to be enabled for free installations to achieve 100%. * Improvement: The country blocking selection drawer behavior has been changed to now allow saving directly from it. * Improvement: Increased the textarea size for the advanced firewall options to make editing easier. * Improvement: The URL blacklist check now includes additional variants in some checks to more accurately match. * Change: Adjusted messaging when blocks are loading. * Change: Wording change for the option "Maximum execution time for each stage". * Change: Permanent blocks now display "Permanent" rather than "Indefinite" for the expiration for consistency. * Fix: Fixed the initial status code recorded for lockouts and blocks. * Fix: Fixed PHP notices that could occur when using the bulk delete/repair scan tools. * Fix: Improved the state updating for the scan bulk action buttons. * Fix: Usernames in live traffic now correctly link to the corresponding profile page. * Fix: Addressed a PHP warning that could occur if wordpress.org returned a certain format for the abandoned plugin check. * Fix: Fixed a possible PHP notice when syncing attack data records without metadata attached. * Fix: Modified the behavior of the disk space check to avoid a scan warning showing without an issue generated. * Fix: Fixed a CSS glitch where the top controls could have extra space at the top when sites have long navigation menus. * Fix: Updated some wording in the All Options search box. * Fix: Removed an old link for "See Recent Traffic" on Live Traffic that went nowhere. = 7.0.5 - February 14, 2018 = * Change: Live Traffic records are no longer created for hits initiated by WP-CLI (e.g., manually running cron) * Fix: Fixed an issue where the human/bot detection wasn't functioning = 7.0.4 - February 12, 2018 = * Fix: Re-added missing file to fix commit excluding it. = 7.0.3 - February 12, 2018 = * Improvement: Added an "All Options" page to enable developers and others to more rapidly configure Wordfence. * Improvement: Improved messaging for when a page has been open for more than a day and the security token expires. * Improvement: Relocated the "Always display expanded Live Traffic records" option to be more accessible. * Improvement: Improved appearance and behavior of option checkboxes. * Improvement: For plugins with incomplete header information, they're now shown with a fallback title in scan results as appropriate. * Improvement: The country block rule in the blocks table now shows a count rather than a potentially large list of countries. * Change: Modified behavior of the advanced country blocking options to always show. * Fix: Fixed the "Make Permanent" button behavior for blocks created from Live Traffic. * Fix: Better synchronization of block records to the WAF config to avoid duplicate queries. * Fix: The diff viewer now forces wrapping to prevent long lines of text from stretching the layout. * Fix: Fixed an issue where the scanned plugin count could be inaccurate due to forking during the plugin scan. * Fix: Adjusted sizing on the country blocking options to prevent placeholder text from being cut off at some screen sizes. * Fix: Block/Unblock now works correctly when viewing Live Traffic with it grouped by IP. * Fix: Fixed an issue where the count of URLs checked was incorrect. = 7.0.2 - January 31, 2018 = * Improvement: Added CSS/JS filename versioning to address caching plugins not refreshing for plugin updates. * Improvement: The premium key is no longer prompted for during installation if already present from an earlier version. * Improvement: Added a check and corresponding notice if the WAF config is unreadable or invalid. * Improvement: Improved live traffic sizing on smaller screens. * Improvement: Added tour coverage for live traffic. * Change: IPs blocked via live traffic now use the configurable how long is an IP blocked setting to match previous behavior. * Change: Changed the option to enable live traffic to match the wording and style of other options. * Change: Changed styling on the unknown country display in live traffic to match the common coloring. * Change: Statistics that do not depend on the WAF for their data now display when it is in learning mode. * Change: Scan issues that are indicative of a compromised site are moved to the top of the list. * Change: Changed styling on unselected checkboxes. * Fix: Quick scans no longer run daily if automatic scheduled scans are disabled. * Fix: The update check in a quick scan no longer runs if the update check has been turned off for regular scans. * Fix: Fixed the quick navigation letters in the country picker not scrolling. * Fix: Fixed editing the country block configuration when there are a large number of other blocks. * Fix: Addressed an issue where having the country block or a pattern block selected when clicking Make Permanent could break them. * Fix: Live traffic entries with long user agents no longer cause the table to stretch. * Fix: Fixed an issue where live traffic would stop loading new records if always display expanded records was on. * Fix: Suppressed warnings on IP conversion functions when processing potentially incomplete data. * Fix: Added a check in REST API hooks to avoid defining a constant twice. = 7.0.1 - January 24, 2018 = * Comprehensive UI refresh. * Improvement: Updated bundled GeoIP database. = 6.3.22 - November 30, 2017 = * Fix: Addressed a warning that could occur on PHP 7.1 when reading php.ini size values. * Fix: Fixed a warning by adjusting a query to remove old-style variable references. = 6.3.21 - November 1, 2017 = * Improvement: Updated bundled GeoIP database. * Fix: Fixed a log warning that could occur during the scan for plugins not in the wordpress.org repository. = 6.3.20 - October 12, 2017 = * Improvement: The scan will now alert for a publicly visible .user.ini file. * Fix: Fixed status code and human/bot tagging of block hit entries for live traffic and the Wordfence Security Network. * Fix: Added internal throttling to ensure the daily cron does not run too frequently on some hosts. = 6.3.19 - September 20, 2017 = * Emergency Fix: Updated wpdb::prepare calls using %.6f since it is no longer supported. = 6.3.18 - September 7, 2017 = * Improvement: Reduced size of some JavaScript for faster loading. * Improvement: Better block counting for advanced comment filtering. * Improvement: Increased logging in debug mode for plugin updates to help resolve issues. * Fix: Reduced the minimum duration of a scan stage to improve reliability on some hosts. = 6.3.17 - August 24, 2017 = * Improvement: Prepared code for upcoming scan improvement which will greatly increase scan performance by optimizing malware signatures. * Improvement: Updated the bundled GeoIP database. * Improvement: Better scan messaging when a publicly-reachable searchreplacedb2.php utility is found. * Improvement: The no-cache constant for database caching is now set for W3TC for plugin updates and scans. * Improvement: Added an additional home/siteurl resolution check for WPML installations. = 6.3.16 - August 8, 2017 = * Improvement: Introduced a new scan stage to check for malicious URLs and content within WordPress core, plugin, and theme options. * Improvement: New scan stage includes a new check for TrafficTrade malware. * Improvement: Reduced net memory usage during forked scan stages by up to 50%. * Improvement: Reduced the number of queries executed for some configuration options. * Improvement: Modified the default whitelisting to include the new core AJAX action in WordPress 4.8.1. * Fix: Synchronized the scan option names between the main options page and smaller scan options page. * Fix: Fixed CSS positioning issue for dashboard metabox with IPv6. * Fix: Fixed a compatibility issue with determining the site's home_url when WPML is installed. = 6.3.15 - July 24, 2017 = * Improvement: Reduced memory usage on scan forking and during the known files scan stage. * Improvement: Added additional scan options to allow for disabling the blacklist checks while still allowing malware scanning to be enabled. * Improvement: Added a Wordfence Application Firewall code block for the lsapi variant of LiteSpeed. * Improvement: Updated the bundled GeoIP database. * Fix: Added a validation check to IP range whitelisting to avoid log warnings if they're malformed. = 6.3.14 - July 17, 2017 = * Improvement: Introduced smart scan distribution. Scan times are now distributed intelligently across servers to provide consistent server performance. * Improvement: Introduced light-weight scan that runs frequently to perform checks that do not use any server resources. * Improvement: If unable to successfully look up the status of an IP claiming to be Googlebot, the hit is now allowed. * Improvement: Scan issue results for abandoned plugins and unpatched vulnerabilities include more info. * Fix: Suppressed PHP notice with time formatting when a microtimestamp is passed. * Fix: Improved binary data to HTML entity conversion to avoid wpdb stripping out-of-range UTF-8 sequences. * Fix: Added better detection to SSL status, particularly for IIS. * Fix: Fixed PHP notice in the diff renderer. * Fix: Fixed typo in lockout alert. = 6.3.12 - June 28, 2017 = * Improvement: Adjusted the password audit to use a better cryptographic padding option. * Improvement: Improved the option value entry process for the modified files exclusion list. * Improvement: Added rel="noopener noreferrer" to all external links from the plugin for better interoperability with other scanners. * Improvement: Added support to the WAF for validating URLs for future use in rules. * Fix: Time formatting will now correctly handle :30 and :45 time zone offsets. * Fix: Hosts using mod_lsapi will now be detected as Litespeed for WAF optimization. * Fix: Added an option to allow automatic updates to function on Litespeed servers that have the global noabort set rather than site-local. * Fix: Fixed a PHP notice that could occur when running a scan immediately after removing a plugin. = 6.3.11 - June 15, 2017 = * Improvement: The scan will alert for plugins that have not been updated in 2+ years or have been removed from the wordpress.org directory. It will also indicate if there is a known vulnerability. * Improvement: Added a self-check to the scan to detect if it has stalled. * Improvement: If WordPress auto-updates while a scan is running, the scan will self-abort and reschedule itself to try again later. * Improvement: IP-based filtering in Live Traffic can now use wildcards. * Improvement: Updated the bundled GeoIP database. * Improvement: Added an anti-crawler feature to the lockout page to avoid crawlers erroneously following the unlock link. * Improvement: The live traffic "Group By" options now dynamically show the results in a more useful format depending on the option selected. * Improvement: Improved the unknown core files check to include all extra files in core locations regardless of whether or not the "Scan images, binary, and other files as if they were executable" option is on. * Improvement: Better wording for the whitelisting IP range error message. * Fix: Addressed a performance issue on databases with tens of thousands of tables when trying to load the diagnostics page. * Fix: All dashboard and activity report email times are now displayed in the time zone configured for the WordPress installation. = 6.3.10 - June 1, 2017 = * Improvement: Reduction in overall memory usage and peak memory usage for the scanner. * Improvement: Support for exporting a list of all blocked and locked out IP addresses. * Improvement: Updated the WAF's CA certificate bundle. * Improvement: Updated the browscap database. * Improvement: Suppressed the automatic HTTP referer added by WordPress for API calls to reduce overall bandwidth usage. * Improvement: When all issues for a scan stage have been previously ignored, the results now indicate this rather than saying problems were found. * Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users. * Fix: Fixed an IPv6 detection issue with one form of IPv6 address. * Fix: An empty ignored IP list for WAF alerts no longer creates a PHP notice. * Fix: Better detection for when to use secure cookies. * Fix: Fixed a couple issue types that were not able to be permanently ignored. * Fix: Adjusted the changelog link in the scan results email to work for the new wordpress.org repository. * Fix: Fixed some broken links in the activity summary email. * Fix: Fixed a typo in the scan summary text. * Fix: The increased attack rate emails now correctly identify blacklist blocks. * Fix: Fixed an issue with the dashboard where it could show the last scan failed when one has never ran. * Fix: Brute force records are now coalesced when possible prior to sending. = 6.3.9 - May 17, 2017 = * Improvement: Malware signature checking has been better optimized to improve overall speed. * Improvement: Updated the bundled GeoIP database. * Improvement: The memory tester now tests up to the configured scan limit rather than a fixed value. * Improvement: Added a test to the diagnostics page that verifies permissions to the WAF config location. * Improvement: The diagnostics page now contains a callback test for the server itself. * Improvement: Updated the styling of dashboard notifications for better separation. * Improvement: Added additional constants to the diagnostics page. * Change: Wordfence now enters a read-only mode with its configuration files when run via the 'cli' PHP SAPI on a misconfigured web server to avoid file ownership changing. * Change: Changed how administrator accounts are detected to compensate for managed WordPress sites that do not have the standard permissions. * Change: The table list on the diagnostics page is now limited in length to avoid being exceedingly large on big multisite installations. * Fix: Improved updating of WAF config values to minimize writing to disk. * Fix: The blacklist's blocked IP records are now correctly trimmed when expired. * Fix: Added error suppression to the WAF attack data functions to prevent corrupt records from breaking the no-cache headers. * Fix: Fixed some incorrect documentation links on the diagnostics page. * Fix: Fixed a typo in a constant on the diagnostics page. = 6.3.8 - May 2, 2017 = * Fix: Addressed an issue that could cause scans to time out on sites with tens of thousands of potential URLs in files, comments, and posts. = 6.3.7 - April 25, 2017 = * Improvement: All URLs are now checked against the Wordfence Domain Blacklist in addition to Google's. * Improvement: Better page load performance for multisite installations with thousands of tables. * Improvement: Updated the bundled GeoIP database. * Improvement: Integrated blacklist blocking statistics into the dashboard for Premium users. * Fix: Added locking to the automatic update process to ensure non-standard crons don't break Wordfence. * Fix: Fixed an activation error on multisite installations on very old WordPress versions. * Fix: Adjusted the behavior of the blacklist toggle for Free users. = 6.3.6 - April 5, 2017 = * Improvement: Optimized the malware signature scan to reduce memory usage. * Improvement: Optimized the overall scan to make fewer network calls. * Improvement: Running an update now automatically dismisses the corresponding scan issue if present. * Improvement: Added a time limit to the live activity status so only current messages are shown. * Improvement: WAF configuration files are now excluded by default from the recently modified files list in the activity report. * Improvement: Background pausing for live activity and traffic may now be disabled. * Improvement: Added additional WAF support to allow us to more easily address false positives. * Improvement: Blocking pages presented by Wordfence now indicate the source and contain information to help diagnose caching problems. * Fix: All external URLs in the tour are now https. * Fix: Corrected a typo in the unlock email template. * Fix: Fixed the target of a label on the options page. = 6.3.5 - March 23, 2017 = * Improvement: Sites can now specify a list of trusted proxies when using X-Forwarded-For for IP resolution. * Improvement: Added options to customize which dashboard notifications are shown. * Improvement: Improvements to the scanner's malware stage to avoid timing out on larger files. * Improvement: Provided additional no-caching indicators for caches that erroneously save pages with HTTP error status codes. * Improvement: Updated the bundled GeoIP database. * Improvement: Optimized the country update process in the upgrade handler so it only updates changed records. * Improvement: Added our own prefixed version of jQuery.DataTables to avoid conflicts with other plugins. * Improvement: Changes to readme.txt and readme.md are now ignored by the scanner unless high sensitivity is on. * Fix: Addressed an issue with multisite installations where they would execute the upgrade handler for each subsite. * Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler. * Fix: Made the description in the summary email for blocks resulting from the blacklist more descriptive. * Fix: Updated the copyright date on several pages. * Fix: Fixed incorrect wrapping of the Group by field on the live traffic page. = 6.3.4 - March 13, 2017 = * Improvement: Added a path for people blocked by the IP blacklist (Premium Feature) to report false positives. = 6.3.3 - March 9, 2017 = * New: Malicious IPs are now preemptively blocked by a regularly-updated blacklist. [Premium Feature] * Improvement: Better layout and display for mobile screen sizes. * Improvement: Dashboard chart data is now updated more frequently. * Fix: Fixed database errors on notifications page on multisite installations. * Fix: Fixed site URL detection for multisite installations. * Fix: Fixed tour popup positioning on multisite. * Fix: Increased the z-index of the AJAX error watcher alert. * Fix: Addressed an additional way to enumerate authors with the REST JSON API. = 6.3.2 - February 23, 2017 = * Improvement: Improved the WAF's ability to inspect POST bodies. * Improvement: Dashboard now shows up to 100 each of failed/successful logins. * Improvement: Updated internal GeoIP database. * Improvement: Updated internal browscap database. * Improvement: Better documentation on Country Blocking regarding Google AdWords * Advanced: Added constant "WORDFENCE_DISABLE_FILE_VIEWER" to prohibit file-viewing actions from Wordfence. * Advanced: Added constant "WORDFENCE_DISABLE_LIVE_TRAFFIC" to prohibit live traffic from capturing regular site visits. * Fix: Fixed a few links that didn't open the correct configuration pages. * Fix: Unknown countries in the dashboard now show "Unknown" rather than empty. = 6.3.1 - February 7, 2017 = * Improvement: Locked out IPs are now enforced at the WAF level to reduce server load. * Improvement: Added a "Show more" link to the IP block list and login attempts list. * Improvement: Added network data for the top countries blocked list. * Improvement: Added a notification when a premium key is installed on one site but registered for another URL. * Improvement: Switching tabs in the various pages now updates the page title as well. * Improvement: Various styling consistency improvements. * Change: Separated the various blocking-related pages out from the Firewall top-level menu into "Blocking". * Fix: Improved compatibility with our GeoIP interface. * Fix: The updates available notification is refreshed after updates are installed. * Fix: The scan notification is refreshed when issues are resolved or ignored. = 6.3.0 - January 26, 2017 = * Enhancement: Added Wordfence Dashboard for quick overview of security activity. * Improvement: Simplified the UI by revamping menu structure and styling. * Fix: Fixed minor issue with REST API user enumeration blocking. * Fix: Fixed undefined index notices on password audit page. = 6.2.10 - January 12, 2017 = * Improvement: Better reporting for failed brute force login attempts. * Change: Reworded setting for ignored IPs in the WAF alert email. * Change: Updated support link on scan page. * Fix: When a key is in place on multiple sites, it's now possible to downgrade the ones not registered for it. * Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing. * Fix: Typo fix in firewall rule 11 name. = 6.2.9 - December 27, 2016 = * Improvement: Updated internal GeoIP database. * Improvement: Better error handling when a site is unreachable publicly. * Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation. * Fix: Addressed an issue where the scan did not alert about a new WordPress version. = 6.2.8 - December 12, 2016 = * Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka. * Improvement: Added vulnerability scanning for themes. * Improvement: Reduced memory usage by up to 90% when scanning comments. * Improvement: Performance improvements for the dashboard widget. * Improvement: Added progressive loading of addresses on the blocked IP list. * Improvement: The diagnostics page now displays a config reading/writing test. * Change: Support for the Falcon cache has been removed. * Fix: Better messaging when the WAF rules are manually updated. * Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable. * Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods. * Fix: Typo fix on the options page. * Fix: Scan issue for known core file now shows the correct links. * Fix: Links in "unlock" emails now work for IPv6 and IPv4-mapped-IPv6 addresses. * Fix: Restricted caching of responses from the Wordfence Security Network. * Fix: Fixed a recording issue with Wordfence Security Network statistics. = 6.2.7 - December 1, 2016 = * Improvement: WordPress 4.7 improvements for the Web Application Firewall. * Improvement: Updated signatures for hash-based malware detection. * Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field. * Improvement: Added additional contextual help links. * Improvement: Significant performance improvement for determining the connecting IP. * Improvement: Better messaging for two-factor recovery codes. * Fix: Adjusted message when trying to block an IP in the whitelist. * Fix: Error log download links now work on Windows servers. * Fix: Avoid running out of memory when viewing very large activity logs. * Fix: Fixed warning that could be logged when following an unlock email link. * Fix: Tour popups on options page now scroll into view correctly. = 6.2.6 - November 17, 2016 = * Improvement: Improved formatting of attack data when it contains binary characters. * Improvement: Updated internal GeoIP database. * Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first. * Fix: Country blocking redirects are no longer allowed to be cached. * Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading. = 6.2.5 - November 9, 2016 = * Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts = 6.2.4 - November 9, 2016 = * Improvement: Scan times for very large sites with huge numbers of files are greatly improved. * Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems. * Improvement: Email-based logins are now covered by "Don't let WordPress reveal valid users in login errors". * Improvement: Extended rate limiting support to the login page. * Fix: Fixed a case where files in the site root with issues could have them added multiple times. * Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values. * Fix: Added a safety check for when the database fails to return its max_allowed_packet value. * Fix: Added safety checks for when the configuration table migration has failed. * Fix: Added a couple rare failed login error codes to brute force detection. * Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request. * Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages. * Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations. = 6.2.3 - October 26, 2016 = * Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack. * Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor. * Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting. * Improvement: Whitelisted StatusCake IP addresses. * Improvement: Updated GeoIP database. * Improvement: Disabling Wordfence now sends an alert. * Improvement: Improved detection for uploaded PHP content in the firewall. * Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory. * Fix: Fixed admin page layout for sites using RTL languages. * Fix: Reduced overhead of the dashboard widget. * Fix: Improved performance of checking for whitelisted IPs. * Fix: Changes to the default plugin hello.php are now detected correctly in scans. * Fix: Fixed IPv6 warning in the dashboard widget. = 6.2.2 - October 12, 2016 = * Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users. = 6.2.1 - October 11, 2016 = * Improvement: Now performing scanning for PHP code in all uploaded files in real-time. * Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking. * Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background. * Improvement: The file system scan alerts for files flagged by antivirus software with a '.suspected' extension. * Improvement: New alert option to get notified only when logins are from a new location/device. * Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal. * Fix: Included country flags for Kosovo and Curaçao. * Fix: Fixed the .htaccess directives used to hide files found by the scanner. * Fix: Dashboard widget shows correct status for failed logins by deleted users. * Fix: Removed duplicate issues for modified files in the scan results. * Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records. * Fix: Fixed file inclusion error with themes lacking a 404 page. * Fix: CSS fixes for activity report email. = 6.2.0 - September 27, 2016 = * Improvement: Massive performance boost in file system scan. * Improvement: Added low resource usage scan option for shared hosts. * Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests. * Improvement: Now displaying scan time in a more readable format rather than total seconds. * Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory. * Fix: Added throttling to sync the WAF attack data. * Fix: Removed unnecessary single quote in copy containing "IP's". * Fix: Fixed rare, edge case where cron key does not match the key in the database. * Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list. * Fix: Fixed scans failing in subdirectory sites when updating malware signatures. * Fix: Fixed infinite loop in scan caused by symlinks. * Fix: Remove extra slash from "File restored OK" message in scan results. = 6.1.17 - September 9, 2016 = * Fix: Replaced calls to json_decode with our own implentation for hosts without the JSON extension enabled. = 6.1.16 - September 8, 2016 = * Improvement: Now performing malware scanning on all uploaded files in real-time. * Improvement: Added Web Application Firewall activity to Wordfence summary email. * Fix: Now using 503 response code in the page displayed when an IP is locked out. * Fix: `wflogs` directory is now correctly removed on uninstall. * Fix: Fixed recently introduced bug which caused the Whitelisted 404 URLs feature to no longer work. * Fix: Added try/catch to uncaught exception thrown when pinging the API key. * Improvement: Improved performance of the Live Traffic page in Firefox. * Improvement: Updated GeoIP database. = 6.1.15 - August 25, 2016 = * Improvement: Removed file-based config caching, added support for caching via WordPress's object cache. * Improvement: Whitelisted Uptime Robot's IP range. * Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection. * Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins. * Fix: Removed usage of `wp_get_sites()` which was deprecated in WordPress 4.6. * Fix: Fixed PHP notice from `Undefined index: url` with custom/premium plugins. * Improvement: Converted the banned URLs input to a textarea. = 6.1.14 - August 11, 2016 = * Improvement: Support downloading a file of 2FA recovery codes. * Fix: Fixed PHP Notice: Undefined index: coreUnknown during scans. * Improvement: Add note to options page that login security is necessary for 2FA to work. * Fix: Fixed WAF false positives introduced with WordPress 4.6. * Improvement: Update Geo IP database. = 6.1.12 - July 26, 2016 = * Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory. * Fix: Added a few common files to be excluded from unknown WordPress core file scan. = 6.1.11 - July 25, 2016 = * Improvement: Alert on added files to wp-admin, wp-includes. * Improvement: 2FA is now available via any authenticator program that accepts TOTP secrets. * Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors. * Improvement: Plugin updates are now only a critical issue if there is a security related fix, and a warning otherwise. A link to the changelog is included. * Fix: Added group writable permissions to Firewall's configuration files. * Improvement: Changed whitelist entry area to textbox on options page. * Fix: Move flags and logo served from wordfence.com over to locally hosted files. * Fix: Fixed issues with scan in WordPress 4.6 beta. * Fix: Fixed bug where Firewall rules could be missing on some sites running IIS. * Improvement: Added browser-based malware signatures for .js, .html files in the malware scan. * Fix: Added error suppression to `dns_get_record`. = 6.1.10 - June 22, 2016 = * Fix: Fixed fatal error in the event wflogs is not writable. = 6.1.9 - June 21, 2016 = * Fix: Using WP-CLI causes error Undefined index: SERVER_NAME. * Improvement: Hooked up restore/delete file scan tools to Filesystem API. * Fix: Reworked country blocking authentication check for access to XMLRPC. * Improvement: Added option to require cellphone sign-in on all admin accounts. * Improvement: Updated IPv6 GeoIP lite data. * Fix: Removed suPHP_ConfigPath from WAF installation process. * Fix: Prevent author names from being found through /wp-json/oembed. * Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan. * Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence. * Improvement: Changed rule compilation to use atomic writes. * Improvement: Removed security levels from Options page. * Improvement: Added option to disable ajaxwatcher (for whitelisting only for Admins) on the front end. = 6.1.8 - May 26, 2016 = * Fix: Change wfConfig::set_ser to split large objects into multiple queries. * Fix: Fixed bug in multisite with "You do not have sufficient permissions to access this page" error after logging in. * Improvement: Update Geo IP database. * Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow(). * Fix: Added third param to http_build_query for hosts with arg_separator.output set. * Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests). * Improvement: Clarify error message "Error reading config data, configuration file could be corrupted." * Improvement: Added better crawler detection. * Improvement: Add currentUserIsNot('administrator') to any generic firewall rules that are not XSS based. * Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts. * Improvement: Show message on scan results when a result is caused by enabling "Scan images and binary files as if they were executable" or... * Fix: Suppressed warning: dns_get_record(): DNS Query failed. * Fix: Suppressed warning gzinflate() error in scan logs. * Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given ... * Fix: Scheduled update for WAF rules doesn't decrease from 7 days, to 12 hours, when upgrading to a premium account. * Improvement: Better message for dashboard widget when no failed logins. = 6.1.7 - May 10, 2016 = * Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek. = 6.1.6 - May 9, 2016 = * Fix: Fixed bug with 2FA not properly handling email address login. * Fix: Show logins/logouts when Live Traffic is disabled. * Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long). * Fix: Now able to delete whitelisted URL/params containing ampersands and non-UTF8 characters. * Improvement: Reduced 2FA activation code to expire after 30 days. * Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits. * Improvement: Adjusted permissions on Firewall log/config files to be 0640. * Fix: Fixed false positive from Maldet in the wfConfig table during the scan. = 6.1.5 - April 28, 2016 = * Fix: WordPress language files no longer flagged as changed. * Improvement: Accept wildcards in "Immediately block IP's that access these URLs." * Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page. * Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4. * Improvement: Added WordPress version and various constants to Diagnostics report. * Fix: Fixed bug with Windows users unable to save Firewall config. * Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only. * Fix: Made the 'administrator email address' admin notice dismissable. = 6.1.4 - April 20, 2016 = * Fix: Fixed potential bug with 'stored data not found after a fork. Got type: boolean'. * Improvement: Added bulk actions and filters to WAF whitelist table. * Improvement: Added a check while in learning mode to verify the response is not 404 before whitelising. * Fix: Added index to attackLogTime. wfHits trimmed on runInstall now. * Fix: Fixed attack data sync for hosts that cannot use wp-cron. * Improvement: Use wftest@wordfence.com as the Diagnostics page default email address. * Improvement: When WFWAF_ENABLED is set to false to disable the firewall, show this on the Firewall page. * Fix: Prevent warnings when $_SERVER is empty. * Fix: Bug fix for illegal string offset. * Fix: Hooked up multibyte string functions to binary safe equivalents. * Fix: Hooked up reverse IP lookup in Live Traffic. * Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page. * Improvement: Pause Live Traffic after scrolling past the first entry. * Improvement: Move "Permanently block all temporarily blocked IP addresses" button to top of blocked IP list. * Fix: Added JSON fallback for PHP installations that don't have JSON enabled. = 6.1.3 - April 14, 2016 = * Improvement: Added dismiss button to the Wordfence WAF setup admin notice. * Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan. * Fix: Removed the disallow file mods for admins created outside of WordPress. * Fix: Fixed bug with 'Hide WordPress version' causing issues with reCAPTCHA. * Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration. * Fix: Fixed bug with multiple API calls to 'get_known_files'. = 6.1.2 - April 12, 2016 = * Fix: Fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address. = 6.1.1 - April 12, 2016 = * Enhancement: Added Web Application Firewall * Enhancement: Added Diagnostics page * Enhancement: Added new scans: * Admins created outside of WordPress * Publicly accessible common (database or wp-config.php) backup files * Improvement: Updated Live Traffic with filters and to include blocked requests in the feed. = 6.0.25 - March 28, 2016 = * Improvement: Added help callout for compromised sites. * Improvement: Updated local GeoIP database. * Improvement: Updated local browser data cache to support newer browsers and user-agents. = 6.0.24 - February 3, 2016 = * Enhancement: Added automatic whitelisting for Facebook crawlers. * Improvement: Added styling to premium callouts. * Improvement: Updated local GeoIP database. * Improvement: Updated local browser data cache to support newer browsers and user-agents. = 6.0.23 - January 20, 2016 = * Improvement: Updated local GeoIP database. * Improvement: Updated local browser data cache to support newer browsers and user-agents. = 6.0.22 - December 18, 2015 = * Security Fix: Fixed stored XSS vulnerability discovered internally (thanks to Matt Rusnak). * Enhancement: Added additional Sucuri scanner IP to our whitelist. = 6.0.21 - December 4, 2015 = * Enhancement: Added better handling of Googlebot verification. = 6.0.20 - October 8, 2015 = * Fix: Fixed bug with options that are enabled by default but disabled by the user are reset to defaults. = 6.0.19 - October 7, 2015 = * Fix: Added check to verify pluggable.php is included before calling wp_hash. = 6.0.18 - October 7, 2015 = * Fix: Resolved issue with some admin links not using the network admin URL. * Fix: Resolved issue with slashes not being stripped from Advanced Blocking usernames, reasons. * Enhancement: Added ability to Block any requests from IPs matching a PTR record. * Fix: Updated the GeoIP lib to use the wfUtils::inet_pton functions instead of the PHP default for installs that do not have IPv6 support. * Fix: Added help link for whitelisted 404's entry on options page. * Fix: Automatically exclude files that crash the scan. * Fix: Clear the wfHoover database table after scan is killed. * Enhancement: Added notice about false positives when running a scan with HIGH SENSITIVITY enabled. * Fix: Removed WordPress version from style and script loaders. Hid the readme.html. * Fix: Alert email for "lost password" did not send when the user used their username. * Enhancement: Exclude zip files from scans by default, and add that as option under 'Scan image and binary files'. * Fix: Fixed edge case where .htaccess became garbled when using Falcon cache. = 6.0.17 - September 14, 2015 = * Fix: Resolved issue where 301 redirects count as 404s with throttling applied. * Fix: Fixed Falcon .htaccess code writing to .htaccess when 'Immediately block IP's that access these URLs' option is modified. * Fix: Fixed issue where filtering posts by author in wp-admin no longer works due to change in /?author=N scan prevention logic. * Fix: Fixed issue in Live Traffic where 404s display as 200s. * Fix: Resolved issue with throttling logins via XMLRPC are not applied. = 6.0.16 - September 8, 2015 = * Fix: Resolved issue with some variations of author=N scans not being caught. Thanks James Golovich. * Fix: Updated typo in author=N option. * Fix: Resolved issue with Falcon not writing to .htaccess with WP installed in subdirectory. * Fix: Added width to logo in activity report email. * Fix: Resolved issue with Live Traffic endpoint in cases where WordPress is installed into a subdirectory. * Improvement: Optimized database query with in unlocking user email routine. * Improvement: Moved firewall logic into 'wp_loaded' hook. = 6.0.15 - August 4, 2015 = * Fix: Resolved issue with GoogleBot being erroneously flagged as human in Live Traffic. * Fix: Added better handling of human/bot detection. * Improvement: Verified humans are flagged via cookie to prevent false positives. = 6.0.14 - July 28, 2015 = * Fix: Live Traffic endpoint moved to site root to prevent issues with GoogleBot. = 6.0.12 - July 28, 2015 = * Improvement: Updated local GeoIP database. * Improvement: Updated local browser data cache to support newer browsers and user-agents. * Improvement: Added option to exclude URLs from 404 throttling, and included some common 404s. * Improvement: Added new branded logos. * Fix: Fixed bug with live traffic ajax call being indexed by Google. = 6.0.11 - July 13, 2015 = * Improvement: Updated local GeoIP database to July version. * Improvement: Updated local browser data cache to support newer browsers and user-agents. * Fix: Hooked up network ranges in CIDR format (192.168.0.0/16) in Whois to support data coming back from whois that includes CIDR network format. * Fix: Fixed 2 PHP notices in wfUtils. = 6.0.10 - June 29, 2015 = * Improvement: Removed locked out IPs from locked out list when permanently blocking all locked out IPs. * Improvement: Added admin-configured blocked IPs and blocked network ranges to import/export. * Fix: Fixed PHP warnings in activity report where an array is not returned. * Fix: Fixed PHP notice in IP spam check portion of scan. = 6.0.9 - June 24, 2015 = * Fix: Fixed bug in Live Traffic where v5 style blocked ranges generated PHP warning breaking the JSON response. * Fix: Fixed invalid date bug in Live Traffic: Top Consumers and Top 404s. * Fix: Fixed edge case bug with author=N scans redirecting to author archives page. = 6.0.8 - June 23, 2015 = * Improvement: Added the local time stamp to 'time since' labels in Live Traffic and Blocked IPs pages. * Improvement: Added a check to prompt the admin to download a backup copy of the wp-config.php in the event it's flagged as containing malware. * Improvement: Added option in Live Traffic to remove a blocked network range defined in Advanced Blocking in the Live Traffic feed for IPs within that range. * Improvement: Added option to permanently block all IPs that are currently temporarily blocked or locked out from the Blocked IPs page. * Improvement: Updated local GeoIP database. * Fix: Fixed double forward slash in file path in the 'View the File' action of malicious code scan. * Fix: Fixed notice in block IP JSON callback. = 6.0.7 - June 15, 2015 = * Fix: Fixed bug with Top 5 Logins displaying all failed logins opposed to timeframe set by email frequency. * Fix: Fixed bug with /?author=N scan protection not working for authors with no published posts. * Improvement: Fixed Wordfence logo width in dashboard widget on smaller screens. * Improvement: Added country names to flag icons in widget dashboard. * Improvement: Updated issues email to use WordPress' charset instead of ISO-8859-1. * Improvement: Added check to see if premium API key is set to auto-renew and send email reminder prior to renewal. * Improvement: Updated to API version 2.17. * Improvement: Changed auto-renew reminder email to go out 10 days before renewal, 12 days before expiration. = 6.0.6 - June 8, 2015 = * Improvement: Handled uncaught exception when noc1 is not available in 2FA. * Improvement: Fixed issue with limit-logins mu-plugin on GoDaddy counting first login attempt in 2FA against total allowed login attempts. * Fix: Fixed bug with IPs not resolving to countries when printable IP passed to logBlockedIP. * Fix: Fixed issue with free users country blocking redirects working after downgrade. * Fix: Encoded URL field in country blocking options. * Fix: Added a check to verify field has not already been altered prior to calling ALTER in runInstall. * Fix: Fixed issue with scan_options method being called after method has been removed. * Fix: Fixed bug in scan when dns_get_record fails and error condition was not handled. * Fix: Fixed PHP notice when 'Crawler' not included in browser pcap result. = 6.0.5 - June 1, 2015 = * Fix: Removed anonymous function to ensure PHP 5.2 compatability. = 6.0.4 - June 1, 2015 = * Improvement: Added option to disable SSL verification for hosts that have outdated versions cURL. * Improvement: Added default of 127.0.0.1 when $_SERVER['REMOTE_ADDR'] is not set. Helps if you're running WordPress cron from Linux cron. * Improvement: Added compatability with Godaddy's MU (must use) limit login plugin and our two factor. Change makes sure you can see the message from Wordfence to enter your cellphone code. * Improvement: Added direction: ltr; to admin pages. * Improvement: Added focus/blur events to scan activity log ajax to improve server performance. * Improvement: Merged wp_option charset and database vulnerability scans to improve performance and make UI more intuitive. * Improvement: Opened 'See recent traffic' in a new window from the Live Traffic page. * Improvement: Updated browser pcap cache file for compatibility with detecting newer Firefox browsers. * Fix: Fixed bug in directories excluded from scans (escaped directory separator). * Fix: Updated known files and outdated plugins/themes to use wp_get_themes. * Fix: Fixed bug with wfScanEngine where scans forked between scan_database_main and scan_database_finish would not display results of database scan. * Fix: Added return false; to wfScan::error_handler to allow default error handler to process error. * Fix: Fixed notice with wfUserIPRange::isValidIPv4Range. * Fix: Fixed bug with 'Allow HTTPS pages to be cached' setting being unset after saving options. * Fix: Fixed a couple of typos and spelling. * Fix: Fixed errors upon plugin activation where wfConfig was queried before it was created. * Fix: Fixed issue with notices from serializing wordfenceDBScanner and private properties belonging to parent class. = 6.0.3 - May 21, 2015 = * Fix: Fix for hosts that don't have IPv6 compiled into PHP (which is rare) we not manually define certain functions. = 6.0.2 - May 20, 2015 = * Fix: Fixed an issue with the schema not updating when customers migrate to IPv6 schema to store IP's. * Improvement: Added additional safety checks during the schema update. = 6.0.1 - May 20, 2015 = * Feature: IPv6 fully supported. This includes whois, range blocking, IPv6 city lookup in live traffic, country blocking and all other security functions. See www.wordfence.com/blog/ for more info. * Feature: New scanning routine examines the wp_options table for executable code based on a new infection we are seeing that is well hidden. * Improvement: Prevent Googlebot from being blocked if user has configured a banned URL and Google tries to crawl it. * Improvement: Improved detection for additional Google crawlers especially if an IP PTR resolves to a .googlebot.com domain. * Fix: Fixed bug with https:// URLs not allowed in country blocking. * Fix: Fixed typos. = 5.3.12 - April 22, 2015 = * Fix: Wordfence no longer can appear on sub-sites on multi-site installs, only on the network admin panel. * Fix: Wordfence dashboard widget only can appear on network admin dashboard in multi-site installs. * Fix: No more multiple scheduled scans on multi-site. * Fix: Fixed mixed-protocol warning if you're using SSL and Wordfence - our static assets are loaded without specifying protocol now. * Fix: Fixed issue where non-existent users were shown in dashboard widget and email summary as valid users. * Fix: Removed /e modifier in preg_replace for Diff_Renderer_Html_Array::formatLines since it is deprecated in PHP 5.5. * Fix: Removed ssl_verify => false from wp_remote_post connectivity test since some versions of cURL will throw an error since WordPress uses their own certificate bundle. * Fix: Fixed bug with activity report email date range (was one week ahead). * Fix: Removed email summary report from cron on deactivation. * Fix: Fixed an off-by-one bug in wfDirectoryIterator for maximum total files and max files per directory. * Fix: Updated our browser data to fix an issue that caused newer browsers to appear in live traffic with version 0.0. * Improvement: Updated the country database used for country blocking to April 2015 version. * Improvement: Added an additional check for disabling script execution in the uploads directory that the .htaccess file actually contains our protection code before removing it. * Improvement: Paused Live Traffic ajax request when the window/document loses focus to reduce server load. * Improvement: Better error handling when making API calls to noc1 to help our support personell help you. * Improvement: Added locked out IP's and IP's restricted through advanced blocking to the blocked IP log for dashboard and email summary. * Improvement: Excluded whitelisted IP's from dashboard and widget email summary. = 5.3.11 - April 7, 2015 = * Fix: Dasboard widget no longer appearing for all users. = 5.3.10 - April 6, 2015 = * Fix: Removed .htaccess file the previous release created in wfcache directory that caused problems. = 5.3.9 - April 6, 2015 = * Premium Feature: Password Auditing. Audit the strength of your admin and user-level passwords against our GPU based auditing cluster. Easily alert users to weak passwords or force a password change. * Feature: Activity email summary. See options page to enable a weekly, bi-weekly or monthly activity summary. * Feature: Activity summary dashboard widget. * Fix: Fixed bug on plugin activation where the configuration table was being queried before it was created. * Improvement: Added .htaccess to wfcache directory. * Improvement: Switched to using wp_remote_post for Wordfence cloud API calls to improved SSL support and a more standards based approach. = 5.3.8 - March 20, 2015 = * Customers running WP versions older than 3.9 don't support wp_normalize_path(). Added support for older WP versions to fix an error being thrown. = 5.3.7 - March 19, 2015 = * Improvement: Updated country blocking database to the newest version (March 2015) * Improvement: Added detection for many new samples we received (thanks all!) including a nasty polymorphic infection. * Fix: Changed the way we find the plugin directory to fix a possible issue that would cause alerts to return blank plugin names. * Fix: Improved Nginx detection so that we don't accidentally detect Nginx if you're running Apache. = 5.3.6 - January 26, 2015 = * Feature: You can now block POST requests to your WordPress site that have an empty User-Agent and Referer header. This is a common pattern among badly written brute force bots. * Feature: Added cron viewer at bottom of Wordfence options page. The plugin we were using to help diagnose customer issues is broken. Use this instead. * Feature: Added DB table viewer at bottom of Wordfence options page. This is a read-only utility to view table names and detailed status. Also for customer diagnostic purposes. * Improvement: Code cleanup after in-depth code analysis. Removed unused functions and variables and re-indented selected code. * Fix: Fixed issue that appeared after last release where raw HTML tags were appearing in email alerts. * Fix: Tour behaved inconsistently under some conditions. Fixed. * Fix: Mismatched HTML tags in some presentation code. Fixed. * Fix: When fetching theme list the interator had the same name as the array. Fixed. * Fix: Detection for malware URLs in comments had a partial description in the issue. Was being overwritten when it should have been appended. Fixed. * Fix: Check if dns_get_record() exists before using it to avoid warnings. * Fix: If you have the wordfence security network disabled, the _wfVulnScanners table may have grown indefinitely. Fixed so it's regularly truncated. * Fix: wordfence::getLog() was private and should be public. Fixed. * Fix: Removed warning about _wfsf not being an element of GET params. Usually hidden, but in case something checks error_get_last() = 5.3.5 - January 19, 2015 = * Update: Upgraded the geoIP country database to Jan 2015 version. * Improvement: Added an option to disable execution of PHP code in the uploads directory as an added level of protection. Under "Other Options" on the Wordfence options page. * Improvement: We now email you any malware URLs encountered and they won't be filtered by your spam filter because the URL is included in the alert email as an image. * Fix: Fixed an issue that would cause multiple scans to be scheduled if the plugin was disabled and then reenabled. * Fix: The name of malicious files detected are now included in the alert email sent containing the issues. = 5.3.4 - December 21, 2014 = * Changed FAQ link when locked out and email unlock doesn't work to correct link. * Falcon cache now creates files as mode 0644 for improved security. * Updated GeoIP database to December 2014 version. = 5.3.3 - November 20, 2014 = * Security fix. Thanks Matt Barry. * Changed what we consider to be private addresses to a smaller range of addresses. See current range at: http://docs.wordfence.com/en/How_Wordfence_handles_Private_Addresses * Fixed a warning about an undefined value which appeared after we added referer blocking in 5.3.2. = 5.3.2 - November 18, 2014 = * Feature: Advanced blocking now includes referer blocking. i.e. you can block visitors arriving from certain websites or pretending to. See updated http://docs.wordfence.com/en/Advanced_Blocking * Feature: Developers, you can now ask Wordfence to whitelist your server IP by calling wordfence::whitelistIP(). See http://docs.wordfence.com/en/WhitelistIP = 5.3.1 - November 11, 2014 = * IP to Country database updated to November 4th 2014 version. * Options export and import now also exports Country Blocking and Scan Schedule configuration. * Scans fully documented at docs.wordfence.com. Link on 'Scan' page under heading. * Live Traffic fully documented at docs.wordfence.com. Link on Live Traffic page. * Falcon Engine/Wordfence Caching fully documented. Link on Performance Setup page. * Blocked IPs, locking and throttling fully documented. Link on Blocked IPs page. * Cellphone Sign-in fully documented. Link under title on Cellphone sign-in page. * Country blocking fully documented. Link on Country blocking page. * Scan Scheduling fully documented. Link on Scan Scheduling page under title. * Whois and Advanced Blocking documented including how Live Traffic, Whois and Advanced blocking work together. * Removed unnecessary text from several menu items and moved into official docs where needed. = 5.2.9 - November 5, 2014 = * Added ability to export Wordfence settings and reimport on one or many sites using secure token. * Added API function to programatically import Wordfence settings from another WordPress site. * Upgraded to Wordfence API version 2.14. = 5.2.8 - October 31, 2014 = * Detailed documentation for all options on the Wordfence options page. Launching docs.wordfence.com wiki. * Fixed server-side issue where diff'ing certain files would give a blank page or an API error. * Removed now unused whois library because we're now using Wordfence API server to get around whois port blocking. = 5.2.7 - October 15, 2014 = * Fixed issue that would cause infected files with identical content to only have the first file found show up in scans and the rest would not appear. * Whois queries now go via our own server as a workaround for hosting providers who block your web server's access to port 43 preventing you from making a direct whois query. * Fixed issue that caused litespeed users to receive multiple warnings about the noabort issue. * Added detection for 5 new malware variants. Thanks to Dave M. and others for the samples. Keep them coming folks! * Updated Wordfence server API to version 2.12. * Added facility at bottom of Wordfence options page to send a test email from your WordPress system to check if email sending is working. * Suppress LOCK_EX flock() warnings in falcon engine that were being generated by sites that use NFS and don't support flock() or reliable file locking. * Updated to the October 2014 version of the Geo IP country DB. (newest edition) = 5.2.6 - September 29, 2014 = * Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL's relative path matched the current page's relative path. * Made it clear that country blocking URL's require absolute URL's. = 5.2.5 - September 20, 2014 = * Security release. Update immediately. Thanks to Julio Potier. * Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work. * Stability of auto-update improved for LiteSpeed customers. We auto-detect if you don't have E=noabort:1 in your .htaccess and give you instructions. * Auto-update also disabled now for LiteSpeed customers who don't have E=noabort:1 and you will get an email alert with an explanation. * Fixed a bug that may cause you to have advanced blocking patterns disabled with falcon engine enabled that should not be disabled. * Removed a benign warning in wfCache.php. * Added clarity to the banned URL option on the options page. All URL's must be relative. * Added a primary key to the wp_wfStatus table which is required for certain incremental backup plugins and utilities. * Fixed advanced country blocking which was not correctly displaying advanced options. * Migrated to using wp_kses() for sanitization. * Prevent IP spoofing in default Wordfence IP configuration. * Change explanations of how Wordfence gets IP's to make it clear which to use to prevent spoofing. * Make it clear that the option to have IP's immediately blocked when they access a URL requires relative URL's starting with a forward slash. * Whitelist Sucuri's scanning IP addresses which were getting blocked because they triggered Wordfence blocking during a scan. * Improved Wordfence's code that acquires the visitor IP to block certain spoofing attacks, be more platform agnostic and deal with visits from private IP's more elegantly. = 5.2.4 - September 15, 2014 = * Security release. Upgrade immediately. * This release fixes an XSS vunlerability on Wordfence "view all traffic from IP" page. * Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled. * Improves Revolution Slider proteciton. * Fixed bypass for fake googlebot blocking. = 5.2.3 - September 12, 2014 = * Updated Geo IP country database to newest version (September 2014 edition) * Security fix. Improved referrer sanitization in live traffic. * Changed scan success messaging for clarity. * Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs. = 5.2.2 - September 4, 2014 = * Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied. * Changed the Wordfence Memory config option's label to make it clearer what the option does. * Moved screenshots out of plugin distro directory to reduce plugin payload size. = 5.2.1 - August 25, 2014 = * Fix: Users with large lists of blocked IP's (over 2,100) would receive a browser error "Uncaught RangeError: Maximum call stack size exceeded". Fixed. * Improvement: Added detection for FOPO obfuscation often used by hackers to obfuscate PHP code. Will detect a range of newer infections. (Server-side code change) = 5.1.9 - August 17, 2014 = * Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed. * Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed. * Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed. * Improvement: Upgraded country DB to newest version. * Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner. * Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled. = 5.1.8 - August 10, 2014 = * Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page. * Note: If you are seeing the "cron key does not match the saved key" error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it. * Note: If you are trying to save your Wordfence options and the options keep reverting, enable the "disable config caching" at the bottom of your Wordfence options page, save and this will fix it. = 5.1.7 - August 4, 2014 = * Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers. * Fix: Removed old image files that were unused. = 5.1.6 - July 23, 2014 = * Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example. * Improvement: Upgraded the country blocking database to the newest version which is July 2014. * Improvement: Improved server-side performance for Wordfence scanning. * Improvement: Offer the option to keep Wordfence up-to-date automatically. * Improvement: If file contains malicious code, include filename in email alert summary info. * Fix: Removed strings in readme.txt that were causing false positives in hosts own scanning software. * Fix: Prevent lockout email alerts being sent for blank usernames. = 5.1.5 - July 5, 2014 = * Fix: Bing crawler was being misidentified as human. Fixed. * Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (http://techdefencelabs.com) = 5.1.4 - June 24, 2014 = * Feature: Auto updates for Wordfence! This is a much-requested feature by our power admin's. Enable the "Update Wordfence automatically when a new version is released" option on the Wordfence options page. * Fix: Security fix. Thanks to Narendra Bhati from Suma Soft. = 5.1.2 - June 12, 2014 = * Feature: You can now specify one or more URL's that if accessed will cause the IP to immediately be blocked. See below "Other Options" for the new feature. * Improvement: Added additional debugging info when cron key does not match saved key to help diagnose any problems. * Improvement: New Issues email now contains site URL rather than just hostname to help identify subdirectory sites. * Improvement: Upgraded the country blocking database to the newest version which is June 2014. * Fix: Some browser versions were being reported as 0.0. Updated browser detection. = 5.1.1 - June 6, 2014 = * Improvement: WooCommerce now officially supported out of the box. * Feature: Added the wordfence:doNotCache() function that you can call in your themes and plugins to prevent caching of items. * Fix: Fixed the warning appearing in lib/wfUtils.php about a scalar being treated as an array which appeared in 5.0.9. * Fix: Failed logins were not being logged for non-existent usernames that were set to immediatelly block. Fixed. * Fix: Removed several warnings/notices that would appear when WP_DEBUG is enabled. * Fix: Added default character set to .htaccess which fixes garbled international characters being served from cache on sites with no default apache charset. = 5.0.9 - May 28, 2014 = * Feature: (Premium) Advanced Comment Spam Filter. Checks comment source IP, author URL and hosts and IP's in body against additional spam lists. * Feature: (Premium) Check if your site is being Spamvertised i.e. your domain is being included in spam emails. Usually indicates you've been hacked. * Feature: (Premium) Check if your website IP is generating spam. Checks against spam lists if your IP is a known source of spam. * Improvement: Cache clearing errors are nown shown with clear explanations. * Improvement: Added lightweight stats logging internally in preparation for displaying them on the admin UI in the next release. * Fix: If a non-existent user tries to sign in it is not logged in the live logins tab. Fixed. * Fix: Removed warning "Trying to get property of non-object" that would occur under certain conditions. * Fix: Removed call to is_404() which was not having any effect and would issue a warning if debug mode is enabled. * Fix: Check if CURL is installed as part of connectivity test. = 5.0.8 - May 20, 2014 = * Feature: Support for Jetpack Mobile Theme in Falcon Caching engine. Regular pages are cached, mobile pages are served direct to browser. * Improvement: Pages that are less than 1000 bytes will not be cached. The avg web page size in 2014 is 1246,000 bytes. Anything less than 1000 bytes is usually an error. * Improvement: Wordfence will now request 128M on hosts instead of 64M where memory in php.ini is set too low. * Fix: Wordfence was caching 404's under certain conditions. Fixed. * Fix: Nginx/FastCGI users would sometimes receive an error about not being able to edit .htaccess. Fixed. = 5.0.7 - May 9, 2014 = * Feature: Immediately block IP if hacker tries any of the following usernames. (Comma separated list that you can specify on the Wordfence options page) * Feature: Exclude exact URL's from caching. Specifically, this allows you to exclude the home page which was not possible before. * Feature: Exclude browsers or partial browser matches and specific cookies from caching. * Fix: Fixed issue where /.. dirs would be included in certain scandir operations. * Fix: logHuman function was not analyzing user-agent strings correctly which would allow some crawlers that execute JS to be logged as humans. * Fix: Removed ob_end_clean warnings about empty buffers when a human is being logged. * Fix: Removed warning in lib/wfCache.php caused by unset $_SERVER['QUERY_STRING'] when we check it. * Fix: Fixed "logged out as ''" blank username logout messages. * Fix: Improved security of config cache by adding a PHP header to file that we strip. Already secure because we have a .htaccess denying access, but more is better. * Fix: Falcon Engine option to clear Falcon cache when a post scheduled to be published in future is published. * Fix: Fixed Heartbleed scans hanging. = 5.0.6 - May 5, 2014 = * Feature: Prevent discovery of usernames through '?/author=N' scans. New option under login security which you can enable. * Fix: Introduced new global hash whitelist on our servers that drastically reduces false positives in all scans especially theme and plugin scans. * Fix: Fixed issue that corrupted .htaccess because stat cache would store file size and cause filesize() to report incorrect size when reading/writing .htaccess. * Fix: Fixed LiteSpeed issue where Falcon Engine would not serve cached pages under LiteSpeed and LiteSpeed warned about unknown server variable in .htaccess. * Fix: Fixed issue where Wordfence Security Network won't block known bad IP after first login attempt if "Don't let WordPress reveal valid users in login errors" option is not enabled. * Fix: Sites installed under a directory would sometimes see Falcon not serving cached docs. * Fix: If you are a premium customer and you have 2FA enabled and your key expires, fixed issue that may have caused you to get locked out. * Improvement: If your Premium API key now expires, we simply downgrade you to free scanning and continue rather than disabling Wordfence. * Improvement: Email warnings a few days before your Premium key expires so you have a chance to upgrade for uninterrupted service. = 5.0.5 - April 28, 2014 = * Fix: Removed mysql_real_escape_string because it's deprecated. Using WP's internal escape. * Fix: Wordfence issues list would be deleted halfway through scan under certain conditions. * Fix: Connection tester would generate php error under certain conditions. = 5.0.4 - April 17, 2014 = * Feature: We now scan for the infamous heartbleed openssl vulnerability using a non-intrusive scan method safe for production servers. * Improvement: We now check if .htaccess is writable and if not we give you rules to manually enable Falcon. * Improvement: Once Falcon is enabled, if we can't write to .htaccess, we fall back to PHP based IP blocking. * Feature: You can now clear pages and posts from the cache on the list-posts page under each item or on their edit pages next to the Update button. * Fix: We now support sites who use a root URI but store their files and .htaccess in a subdirectory of the web root. * Fix: Added an additional filter to prevent crawlers like Bing who execute javascript from being logged as humans. * Fix: Changed the extension of the backup .htaccess to be .txt to avoid anti-virus software alerting on a download with .com extension. [Props to Scott N. for catching this] = 5.0.3 - April 11, 2014 = * Removed ability to disable XML-RPC. The feature broke many mobile apps and other remote services. = 5.0.2 - April 7, 2014 = * Fix: Issue that caused users running WordPress in debug mode to see a is_404 warning message. * Fix: Issue that caused Call to undefined function wp_get_current_user warning. * Fix: Issue that caused caching to not work on sites using subdirectories. * Fix: Issue that caused SQL errors to periodically appear about wfPerfLog table. * Fix: Issue that caused warnings about array elements not being declared. = 5.0.1 - April 7, 2014 = * To see a video introduction of Falcon Engine included with Wordfence 5, [please watch this video](https://vimeo.com/91217997) * SUMMARY: This is a major release which includes Falcon Engine which provides the fastest WordPress caching available today. It also includes many other improvements and fixes. Upgrade immediatelly to get a massive performance boost for your site, many new features and fixes. * Feature: Falcon Engine provides the fastest caching algorithm for WordPress. Get up to a 50x site speedup now when you use Wordfence. * Feature: PHP based caching as an alternative to Falcon. * Feature: IP, browser and IP range blocking is now done using .htaccess if Falcon Engine is enabled providing a big performance boost. * Feature: Falcon and PHP caching includes ability to exclude URL patterns from cache along with cache management. * Feature: Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack. * Feature: Option to disable Wordfence cookies from being sent. * Feature: Option to start all scans using the remote start-scan option. This may fix some customers who can't start scans. * Feature: Falcon Engine includes the ability to block IP ranges using .htaccess. We take your ranges and convert them into CIDR compatible .htaccess lines that very efficiently block the ranges you've specified. Another great performance improvement. * Feature: If user disables permalinks we automatically disable Falcon Engine caching. * Feature: Before you enable Falcon Engine we make you download a backup of your .htaccess file just in case. * Improvement: Real-time traffic monitoring loads asynchronously to provide a faster user experience. * Improvement: All Wordfence configuration variables are now cached on disk rather than repeatedly looked up on the database providing a big performance improvement. * Improvement: Updated browser detection algorithms for new browsers. * Improvement: Updated country GeoIP database to the April edition. * Improvement: Improved performance by only loading routines required for logged in users if they have a login cookie. No DB lookup required. * Improvement: Added on-off switches to top of live traffic to make it easy to turn on/off. * Improvement: Removed marketing message from Wordfence email alerts. * Improvement: Added ability to exclude files from scan that match patterns. Multiple excludes using wildcards allowed. * Improvement: Improved performance by moving all actions that would only be used by a logged in user to be set up using add_action if the user actually has a login cookie. * Fix: Added a throttle to prevent identical email alerts being sent repeatedly. * Fix: Changed order of IP blocking and alerting code to prevent multiple email alerts being sent in a race condition. * Fix: Cleaned up legacy code including removing all array_push statements. * Fix: Added try/catch block to fileTooBig() function when we encounter files that we can't seek on and that throw an IO error to prevent scans from crashing. * Fix: Resolved issue that may have caused wfhits table to grow continuously on some sites. * Fix: Ensured that runInstall() isn't called multiple times. * Fix: Moved register_activation_hook to only be called if the user has a login cookie and has a likelihood of being actually logged in as admin. Performance improvement. * Fix: Added doEarlyAccessLogging routine to move logging before caching so we can have both. * Fix: Removed the "update LOW_PRIORITY" sql statement when updating wfHits which was intended to speed up MySQL performance but may have actually caused queries to queue up and slow things down. * Fix: Whitelisted IP's are no longer put through two factor authentication as one would expect. * Fix: Changed our wp_enqueue_script calls to add a 'wf' prefix to our script names so that another plugin doesn't cause our scripts to not load. * Fix: Removed code that would cause all alerts to be turned on for some users under certain conditions. * Fix: Automatically excluding backup files and log files from URL scans to reduce false positives on referring URLs in logs and backups. = 4.0.3 - February 4, 2014 = * Improvement: Added "high sensitivity" scanning which catches evals with other bad functions but may give false positives. Not enabled by default. * Fix: Removed code that caused error message during scan initialization. * Fix: IP to number conversation code had a problem with IP's with a single 0 in them. Bug was introduced in 4.0.2. * Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed. = 4.0.2 - February 4, 2014 = * Feature: Ability to bulk repair or delete files when cleaning a site. * Feature: You can now limit the number of emails per hour that Wordfence sends. * Feature: You can now scan image files as if they are executables when cleaning a site. See the option under scanning options. * Feature: New connectivity test for wp_remote_post to our servers. * Feature: New detection for backdoors that were previously missed in scans. * Improvement: Added a link to the Wordfence admin URL for a site when an email alert is received. * Improvement: Removed "buy premium" message from the alert emails which was causing confusion and irritation. * Improvement: Improved private address detection by making it faster and adding all private subnets, not just RFC1918 nets. * Improvement: Switched to wp_remote_get for triggering scans instead of wp_remote_post() * Improvement: Added some more verbose debugging for scan starts when in debug mode. * Improvement: No longer include private addresses when checking malware URL's and scanning IP's. * Improvement: Added code to disable Wordfence if WordPress is installing. * Fix: Text change because not all "scan" buttons are blue. * Fix: Removed URL from wfBrowscapCache.php which was causing false positives during scans. * Fix: Fixed SQL bug that triggered when we logged a vulnerability scan. * Fix: IP range blocks where a digit is preceded by a '0' char will no longer generate an error. * Fix: The getIP() routine will no longer use the IP closest to a visitor in network topology if that IP is a private address and behind a proxy. = 4.0.1 - January 23, 2014 = * Real-time WordPress Security Network Launched. * If another site is attacked and blocks the attacker, your site also blocks the attacker. Shared data among Wordfence sites. * See our home page on www.wordfence.com for a live map of attacks being blocked. Then blog about us!! * Fixed bug where wfBrowscapCache.php is reported as malicious. * Big improvement in scanning speed and efficiency of URL's and IP addresses. * Fixed preg_replace() warning by using newer preg_replace_callback() func. = 3.9.1 - January 20, 2014 = * Fixed issue that caused Wordfence security to not log 404's. * Made 404's more visible on the live traffic page. * Fixed panel width that was too narrow for WP 3.8 on live traffic and issues pages. * Report hack attempts to Wordfence Security scanning server for DDoS protection. * Remind admin if security alert email is blank and tour is closed. * Updated links to new Wordfence Security support website at support.wordfence.com. * Made Wordfence Security paid-users-only message a little more user friendly. = 3.8.9 - December 12, 2013 = * Fix: Fixed issue that caused certain Wordfence Security login functions to not work. Was a PHP 5.4 vs older version incompatability issue. * Updated GeoIP location database to new version for country blocking. * Fix: Resolved issue that caused the Issues that Wordfence Security found to not be displayed in some cases. * Updated Wordfence Security to WordPress 3.8 Compatability. = 3.8.8 - November 7, 2013 = * Fix: We now truncate the wfHoover table after scans to save disk space on servers with huge numbers of URLs in files. * Fix: isStrongPasswd function was being called statically but not declared as static. * Fix: Improved error reporting when we can't connect to Wordfence Security API servers. * Fix: Fixed code that was causing an error log warning when we read the requested URL. * Fix: Disable and clear cellphone sign-in if you downgrade to free from paid to prevent lockouts. = 3.8.7 - October 25, 2013 = * Fixed issue that caused cellphone sign-in to not work with PHP version 5.4 or greater. * Fixed conflict with other plugins that also use the Whois PHP library. * Fixed an unsanitized user-agent string. * Added new malware signatures for string rot13 heuristics. * Updated compatibility to 3.7. = 3.8.6 - October 21, 2013 = * Fixed issue that caused scheduled scans to run even if disabled. * Fixed display bug when signin fails. = 3.8.5 - October 3, 2013 = * Fixed issue that caused Human traffic to not be logged in Wordfence Security live traffic view. = 3.8.4 - September 30, 2013 = * Removed Wordfence Security .htaccess because it doesn't offer any security functionality and increases incompatibility. * Fixed spelling errors. * Added check to see if HTTP_USER_AGENT server variable is defined before using it to suppress large number of warnings on some sites. * Changed the way we call admin_url to the correct syntax. * Correctly escaped HTML on error messages. * Fixed issue that generated non-compliant query string. * Updated GeoIP database to newest version. = 3.8.3 - August 28, 2013 = * Updated GeoIP database for country blocking security. * Fixed bug in Wordfence Security where we called reverseLookup in wfUtils statically and it's a non-static method. Thanks Juliette. * Removed characters that are invalid in an IP address or domain from the Whois facility to improve security. * Prevent users from creating 1 character passwords to improve security. * Fixed issue that caused an invalid variable to be used in an error message and improved Wordfence Security temporary file implementation for get_ser/ser_ser functions. Thanks R.P. * Fixed issue that caused IP to output as integer in status msg. Not security related but display issue. * Declared Wordfence Security reverseLookup function as static to remove warning. * Fixed returnARr syntax error in Wordfence Security class. * Note, there is no Wordfence Security version 3.8.2. = 3.8.1 - July 19, 2013 = * Added Cellphone Sign-in (Two Factor Authentication) for paid Wordfence Security members. Stop brute-force attacks permanently! See new "Cellphone Sign-in" menu option. * Added ability to enforce strong passwords using Wordfence Security when accounts are created or users change their password. See Wordfence Security 'options' page under 'Login Security Options'. * Added new backdoor/malware signatures to Wordfence Security scanning including detection for spamming scripts, youtube spam scripts and a new attack shell. * Fixed issue: Under some conditions, files not part of core or a known theme or plugin would be excluded from a Wordfence Security scan. * Fixes from Juliette R. F. Remove warnings for unset variables. Fix options 'save' spinner spinning infinitely on some platforms. Removed redundant error handling code in Wordfence Security. * Added ability to downgrade a paid Wordfence Security license to free. = 3.7.2 - May 24, 2013 = * Fixed issue that caused locked out IP's to not appear, or to appear with incorrect "locked out until" time. = 3.7.1 - May 24, 2013 = * Moved global firewall, login security and live traffic options to top of options page. * Made it clear that if you have Wordfence Security firewall disabled, IP's won't be blocked, country blocking won't work and advanced blocking won't work with warnings on each page. = 3.6.9 - May 15, 2013 = * Fixed JS error in Wordfence Security that occurs occasionally when users are viewing Wordfence Security activity log in real-time. * New Feature: Prevent users registering 'admin' username if it doesn't exist to improve security. Recommended if you've deleted 'admin'. Enable on 'options' page. * Check if Wordfence Security GeoIP library is already declared for all functions. Fixes Fatal error: Cannot redeclare geoip_country_code_by_name. * Fixed a Wordfence Security compatibility issue with sites and hosts using Varnish front-end cache to ensure legit users don't get blocked. Added two HTTP no-cache and Expires headers. * Fixed bug when using Wordfence Security Advanced User-Agent blocking with certain patterns this would appear: Warning: preg_match() [function.preg-match]: Unknown modifier * Vastly improved speed of Wordfence Security Advanced User-Agent blocking security feature. No longer using regex but still support wildcards using fnmatch() * We now support usernames with spaces in the list of users to ignore in the live traffic config on 'options' page. * Improved language in status messages to avoid confusion. Changed "unrecognized files" to "additional files" to describe non-core/theme/plugin files. = 3.6.8 - May 6, 2013 = * Fixed bug in Wordfence Security that caused IP range blocking to not block. * Fixed bug that caused unblocking a permanently blocked IP to work, but not refresh the list. * Added usernames to the email you receive when a user is locked out. * Added a few more status messages for Wordfence Security URL malware scanning. * Removed the sockets function call from connection testing because some hosts don't allow calls to socket_create() * Added detection in the Wordfence Security Whois page to check if the server has the fsockopen() function available with helpful message if it's disabled. * Whitelisted IP's now override Wordfence Security country blocking and range blocking. * Removed Bluehost affiliate links for free customers * Fixed issue that caused scans to crash when checking URLs for malware. * Fixed issue that caused scans with large numbers of posts that contain the same URL to crash. * Updated the Wordfence Security GeoIP database for country blocking to newest version. = 3.6.7 - April 19, 2013 = * Improved security for Cloudflare customers to prevent spoofing attacks and protect when a hacker bypasses Cloudflare proxies. * Added clear explanation of what increasing AJAX polling time does on options page. * Fixed issue with Wordfence Security detecting itself as malware. We messed up the version number in previous release. = 3.6.6 - April 17, 2013 = * Added option to change AJAX polling frequency * Fixed issue that caused whitelisted IP's to not be whitelisted. * Added code that prevents blocking of Wordfence's API server (or Wordfence Security will cease to function) * Added link at bottom of 'options' page to test connectivity to our API servers. * Include any CURL error numbers in error reporting. * Fixed issue that caused IP range blocking to not block access to login page. * Fixed issue that caused cache files to be flagged as malicious. = 3.6.5 - March 21, 2013 = * Fixed Fatal error: func_get_args(): Can't be used as a function parameter. * This bug affected users using PHP older than 5.3.0 = 3.6.4 - March 21, 2013 = * Fixed a major javascript bug that snuck in 2 releases ago and has disabled many features for Internet Explorer browsers. * Clarified range blocking examples. = 3.6.3 - March 21, 2013 = * Fixed 'max_user_connections' issue. * Wordfence Security now uses WordPress's WPDB and this halves the number of DB connections Wordfence Security establishes to your DB. * Wordfence Security is now HyperDB compatible. * Advanced blocking i.e. Browser and IP Range blocking is now a free feature. * We no longer disable Live Traffic if we detect a caching plugin. Based on user feedback, apparently live traffic actually works with those plugins. * Fixed issue that causes site to crash if a conflicting GeoIP library is installed. * Changed logHuman routine to do a LOW_PRIORITY MySQL update to speed things up. * Login failure counter is now reset if you send yourself an unlock email so you're not locked out again after 1 failure. * The free version of Wordfence Security is now supported with ads at the top of the admin pages. Please visit our sponsors and help keep Wordfence Security free! * Fixed issue that may cause scans to not be scheduled using the default schedule for new users. * There was no 3.6.2 release, in case you're wondering about the version skip. = 3.6.1 - March 18, 2013 = * Major new release that includes the much asked for IP Range blocking with ISP blocking ability and browser blocking. * Added Wordfence Security feature: WHOIS for IP's and Domains. Supports all registries and local rWhois * Added Wordfence Security feature: Advanced Blocking to block IP ranges and browser patterns. * Added Wordfence Security feature: WHOIS on live traffic pages. * Added Wordfence Security feature: network blocking links on live traffic pages. * Fixed bug where W3 Total Cache and WP Super Cache cache blocked Wordfence Security pages. * Added explanation of how caching affects live traffic logging if we detect a caching plugin. * Fixed AJAX loading to deal with multiple parallel ajax requests. * Updated tour to include info on new WHOIS and Advanced Blocking features. * Changed manual IP blocks to be permanent by default. * Fixed issue in Wordfence Security that caused live traffic page not to reload when IP is unblocked. * Modified "How does your site get IP's" config to avoid confusing new users. * Changed 503 block message to be more helpful with link to FAQ on how to unblock. * Removed redundant code in wfAPI.php * Optimized code by moving firewall specific code to execute only if firewall is enabled. * Fixed issue that caused "last attempted access" to show over 500 months ago. * Fixed issue that was causing warning in getIP() code. * Upgraded to Wordfence Security API version 2.6. = 3.5.3 = * This is the dev version. Stable is 3.5.2. * Added detection for "hacked by badi" hack. Check if wp_options has been changed to UTF-7. = 3.5.2 - January 19, 2013 = * IP detection is now much more robust. Admins must specify how their site gets IP addresses. * Fixed issue that would throw Ajax ticker into a hard loop and put load on a server if user is on "options" page and WF can't detect IPs. * Added support for Cloudflare proxies when getting client's real IP address. * If we fail to get an IP and then get an IP succesfully, we update the activity log. * Activity log update in case of successful IP acquisition will warn if we're getting internal RFC1918 IP's e.g. the IP of your firewall. = 3.5.1 - December 12, 2012 = * Fixed issue with twentyten, twentyeleven, twentytwelve themes showing up as modified in 3.5. * Fixed issue with wpdb->prepare throwing warnings. WordPress changed their code and we have now caught up. * Fixed issue of files containing "silence is golden" showing up as being changed with no executable content. = 3.4.5 - December 8, 2012 = * Fixed security issue of being able to list wordfence Security's own virtual dir on some server configurations. * Fixed issue of WF using deprecated function which caused warnings or errors on install. * Added link to security alert mailing list on "Scan" page next to manual start scan button and in tour. = 3.4.4 - November 19, 2012 = * Fixed issue that caused scans to not complete. * Fixed issue that caused scans to launch a large number of child processes due to very short scan timeout. * Fixed issue that caused websites that don't know their own hostname to not be able to scan. * Added workaround for a bug in Better WP Security breaking Wordfence Security due to their code overwriting the WP version. * Optimized the way we calculate max execution time for each process while scanning. = 3.4.1 - November 13, 2012 = * Removed wfscan.php script and now using pseudo-ajax calls to fire off scans. Much more reliable. * Removed visitor.php script and now using pseudo-ajax calls to log human visits. * Added config option to allow admin to specify max execution time (advanced only!!). * Fixed issue that caused API calls to fail on MultiSite installs. * Fixed issue that caused comments to break on MultiSite installs under certain conditions. * Fixed issue that caused incorrect domain to be shown in live traffic view on multi-site installs. * Fixed issue where some proxies/firewalls send space delimited IP addresses in HTTP headers and Wordfence Security now handles that. * Fixed issue that caused Wordfence Security to capture activation errors of other plugins. * Geo IP database update to November 7th edition. = 3.3.7 - October 19, 2012 = * Upgrade immediately. Fixes possible XSS vulnerability in Wordfence Security "firewall unlock" form. * Also added rate limiting to max of 10 requests per second to the unlock form. = 3.3.5 - October 17, 2012 = * Re-releasing to try and fix an issue with the WordPress plugin distro system. = 3.3.4 - October 17, 2012 = * Fixed bug that caused malformed URLs to be sent to scanning server which caused errors on some installations. * Fixed issue that caused scans to "hang" or stall on larger sites during "Analyzing" phase when we hash files. Sites of arbitrary size can now be scanned. * Fixed issue that caused "plugin generated X characters of unexpected output" error during install or upgrade. = 3.3.3 - October 16, 2012 = * Fixed errors caused by ini_set being disabled on certain servers. * Removed error logging messages in certain cases because some badly configured hosts write these errors to the web browser. * Fixed getIP code that was evaluating arrays as strings in some cases. * Added error logging so that if there is an activation error, the Wordfence Security will display the actual error to you. * Fixed issue that caused scan to output "Could not get the administrator's user ID." when a user has changed their table prefixes under certain conditions. = 3.3.2 - October 15, 2012 = * A complete rearchitecture of Wordfence Security scanning to massively improve performance. * Our free customers are now 100% back in business. Apologies for the delay, but this was worth the wait. * Wordfence Security is now 4X faster for both free and paid customers. * Significantly reduced CPU and memory overhead. * Significantly reduced network througput when communicating with Wordfence Security scanning servers. * Big performance improvement on our own scanning servers which allows us to continue to provide Wordfence Security free for the forseeable future. * Upgraded scanning API to version 2.4 * Upgraded Geo IP database to October version. * Moved core, theme, plugin and malware scanning into hashing recursive routine for big performance gain. * Removed need for fileQ in hashing routine for reduction in memory usage and reduction in DB write size. * Removed send-packet architecture and now processing files locally by fetching comparison data from scanning server instead. * Removed wfModTracker - old module that is no longer used. * Malware is now scanned by fetching hash prefixes from WF server instead of sending hashes of every file to our server. Much more efficient. * Made status messages in summary console a little more user friendly. = 3.2.7 - September 3, 2012 = * Fixed dates and times in activity log alert emails and other emails to be in site's local timezone. * Added advanced country blocking options which allow bypass if a special URL is hit. * Added warning in options page if alert email is not configured under alert checkboxes. * Modified scan times to be within 60 minute window after scheduled time to prevent stampede at the top of the hour on our scanning server. * Fixed bug on Godaddy and a few other hosts where viewing list of files not in the repo caused error. This was caused by posix functions not being supported on Godaddy and some other hosts. = 3.2.6 - August 31, 2012 = * Paid feature: Remote site vulnerability and infection scanning. = 3.2.5 - August 30, 2012 = * Moved all attack signatures out of the plugin to prevent Wordfence Security being detected as malicious in a false positive. = 3.2.4 - August 30, 2012 = * Improved country blocking to make bulk adding/deleting of countries much easier. * Fixed bug that caused Google feed fetcher and other Google UA bots to get blocked if blocking of unverified Googlebots was enabled. * Fixed issue where Locked out users were shown having the same expiry time as Blocked IP's. * Fixed issue where Locked out users were not shown in the locked out list, but were still locked out if Blocked IP and Locked out expiry was different. * Improved performance of whitelisting so if whitelisted, all rules are bypassed. * Fixed issue that caused twentyten and twentyeleven themes to be shown as missing core files if they have been removed and theme scanning is enabled. * Fixed issue that made it impossible to end the tour for Firefox users. = 3.2.1 - August 28, 2012 = * Theme and plugin scanning is now free. Woohoo! * Added introductory tour for Wordfence Security. * Upgraded to Wordfence Security scanning API version 2.0 to allow free theme and plugin scanning. * Fixed two issue with scheduled scanning for premium users that would cause scans to not run or run at wrong times under certain conditions. * Added feature to view unknown files on system to help clean badly infected systems. See on scanning page in "Tools" under yellow box. * Fixed blocked countries overflowing their container in the user interface. * Fixed case where if user is using MySQL >= 5.1.16 and doesn't have the "drop" privilege, they can't truncate the wfFileQueue table and it could grow uncontrollably. * Updated to the new Libyan flag. * Fixed mysql_ping() reconnection to DB generating warnings. * Fixed issue that caused scans to hang. Wordfence Security now processes smaller batches of files before checking if it needs to fork. * NOTE: We removed a list of shells we're scanning for because they were yielding false positives on some host scanning software. * DNS fix from previous release backed out because it's no longer needed. (We temporarily hardcoded an IP) = 3.1.6 - August 21, 2012 = * Emergency release to deal with DNS issue. = 3.1.4 - August 7, 2012 = * Fixed SQL error in code that checks if IP blockedTime has expired. Changed column type to signed. * Added detection of malicious injected titles with scripts or meta redirects. * Fixed bug introduced in previous release that prevents blocked IP's from being blocked. = 3.1.2 - August 6, 2012 = * Fixed permanent IP blocking bug which caused permanently blocked IP's to no longer display in the list after some time, even though there were still blocked. (Incorrect SQL query) * Fixed "Can't get admin ID" on scan starts for both MU and single site installs. * Improved status messages for sites with very large numbers of comments. * Fixed bug that caused sites in subdirectories to not be able to view site config or run the memory test on the Wordfence Security "options" page. * Fixed database disconnect bug (mysql server has gone away). An additional fix was required to finally squash this bug. * Removed the code that prevented you from installing Wordfence Security on Windows. Sorry Windows customers! * Improved scheduling so that it is now more reliable. * Fixed bug that caused a loop for customers who could not contact the Wordfence Security servers on install. * Added helpful message if you get the "can't connect to itself" error message with some additional documentation to help solve this issue. * Improved error reporting when Wordfence Security can't connect to the scanning servers. Now features a helpful explanation rather than a generic message. * Added Country Geo-Blocking feature for paid customers. * Added Scan Scheduling feature for paid customers. = 3.1.1 - July 31, 2012 = * Added another fix for "mysql server has gone away" error. Wordfence Security now makes sure the DB is still connected and reconnects if not. * Added new detection for encoded malicious code in files. * Fixed bug introduced yesterday that prevented permanent blocking of IP's. * Improved ability to detect if we're running on Windows (but we don't support Windows yet). * Issue intelligent warning if Wordfence Security can't read base WordPress directory. * Don't activate Wordfence Security if user is running Windows. * Cleaned up errors if a file can't be scanned due to permission restrictions. * Improved reporting of which user scan is running as and how we determined who the admin user is. = 3.1.0 - July 30, 2012 = * Changed the way we monitor disk space from % to warning on 20 megs and critical on 5 megs remaining. This deals with very large disks in a more rational way. (Thanks Yael M. and Ola A.) * We now deal with cases where the $_SERVER variable contains an array instead of string for IP address. It seems that some installations modify the value into an array. (Thanks S.S.) * The Wordfence Security DB connection now more reliably changes the mysql timeout for the session to prevent "mysql server has gone away" errors. (Thanks Peter A.) = 3.0.9 - July 29, 2012 = * Fixed problem where scan process can't get admin ID. * Fixed issue that caused permanent IP's to not be permanent. * Fixed SQL error when calculating if IP block has expired. * Fixed incorrect calling of is_404 that caused intermittent issues. * Fixed basedir warnings when scan tries to scan files it does not have access to. * Fixed warning and incorrect calculation of rows in DB. * Added ability to get IP from "HTTP_X_REAL_IP" header of a front-end proxy is sending it. * Fixed warning about HTTPS element not existing in getRequestedURL() * Fixed problem with paid vs free keys getting confused. * Fixed error with fetching vulnerability patterns. = 3.0.8 - July 10, 2012 = * Fixed bug that caused "Could not get the administrator's user ID. Scan can't continue." = 3.0.7 - July 9, 2012 = * Fixed bug that caused scan to loop, stop halfway or not start for many sites. * Fix bug that caused scan to not start on sites with thousands (over 20,000 in one case) users. * Scan start is now faster for sites with large numbers of users. * Fix bug that caused scan to get killed when checking passwords on sites with thousands of users. * Wordfence Security now intelligently determines how to do a loopback request to kick off a scan. * Scan is no longer called with a cron key in HTTP header but uses a query string value to authenticate itself which is more reliable. = 3.0.6 - July 8, 2012 = * Improved malware and phishing URL detection. * Upgraded to Wordfence Security API version 1.9 * Fixed issue that caused large files to slow or crash a scan. * Added workaround for PHP's broken filesize() function on 32 bit systems. * Added an improved test mode for URL scanner for better unit testing on our end. * Suppressed warnings issued when a reverse DNS lookup fails. * Added improved debug output to becomeAdmin() function in scans to help diagnose scans not starting. = 3.0.5 - July 4, 2012 = * Fixed "The key used to start a scan has expired." error and added data to help diagnose future issues like this. * Removed HTTPHeaders from wfHits table which was using a lot of disk space and not used much. * Removed limiting wfHits table size because it was unreliable. * We're now limiting wfHits to 20,000 rows and the rows are much smaller. About 2 to 8 megs. * Fixed bug that could have caused install routine to run repeatedly. * Fixed typo bug in blocking code that didn't have any impact but was sloppy. * Changed wfscan.php message when accessed directly to be more helpful. = 3.0.4 - June 30, 2012 = * Detects if the Wordfence Security app (not scanner) is short on memory and requests more * Fixes an issue where scan breaks if all scanning options are disabled = 3.0.3 - June 26, 2012 = * Issue that caused all core files to show as missing has been fixed. * We now handle all API server errors gracefully using exceptions. * If your installation didn't activate correctly you now get a friendly message. * Removed unused menu_config.php code. * The 503 message now tells you why your access to the site has been limited so that admin's can tune firewall rules better. * We no longer reuse the WordPress wpdb handle because we get better stability with our own connection. = 3.0.2 - June 20, 2012 = * Overall this release is a very important upgrade. It drastically reduces memory usage on systems with large files from hundreds of megs to around 8 megs max memory used per scan. * Moved queue of files that get processed to a new DB table to save memory. * Reduced max size of tables before we truncate to avoid long DB queries. * Reduced max size of wfStatus table from 100,000 rows to 1,000 rows. * Introduced feature to kill hung or crashed scans reliably. * Made scan locking much more reliable to avoid multiple concurrent scans hogging resources. * Debug status messages are no longer written to the DB in non-debug mode. * Modified the list of unknown files we receive back from the WF scanning servers to be a packed string rather than an array which is more memory efficient. * Added summary at the end of scans to show the peak memory that Wordfence Security used along with server peak memory. * Hashes are now progressively sent to Wordfence Security servers during scan to drastically reduce memory usage. * Upgraded to Wordfence Security server API version 1.8 * List of hosts that Wordfence Security URL scanner compiles now uses wfArray which is a very memory efficient packed binary structure. * Writes that WF URL scanner makes to the DB are now batched into bulk inserts to reduce load on DB. * Fixed bug in wfscan.php (scanning script) that could have caused scans to loop or pick up old data. * Massively reduced the number of status messages we log, but kept very verbose logging for debug mode with a warning about DB load. * Added summary messages instead of individual file scanning status messages which show files scanned and scan rate. * Removed bin2hex and hex2bin conversions for scanning data which were slow, memory heavy and unneeded. * Wordfence Security database class will now reuse the WordPress database handle from $wpdb if it can to reduce DB connections. = 2.1.5 - June 14, 2012 = * Fixed bug that caused WF to not work when certain DB caching plugins are used and override wpdb object. * Fixed Wordfence Security so activity log only shows our own errors unless in debug mode. * Wordfence Security now deletes all it's tables and deletes all saved options when you deactivate the plugin. * Removed all exit() on error statements. Critical errors are handled more gracefully by writing to the log instead. * Fixed a bug that would cause a database loop until running out of memory under certain error conditions. * Suppressed useless warnings that occur in environments with basedir set or where functions are disabled for security reasons. * Removed redundant check that executed on every request and put it in activation instead. * If serialization during scan breaks, exit gracefully instead of looping. * Disk space in log is now shown as Gigabytes and formatted nicely. * Removed wdie() function which is a little obnoxious. Writing to WF error log instead. * Fixed bug where a non-empty but useless HTTP header can break getIP() function. * Added useful data to error output if getIP() tells you it can't work on your system. * Removed option to start scan in debug because it's no longer possible with a forked scan. * Removed option to test process running time on a system because it breaks on most systems and confuses customers. * Database connection errors no longer call die() but log an error instead in a way that removes the risk of a logging loop. * Removed dropAll.php script because we now clean up tables on deactivate and it's not needed. * Updated readme to show that we support 3.4. = 2.1.4 - June 11, 2012 = * Fixed registered users not appearing in live traffic. * Fixed temp file deletion bug that caused warnings and loops. * Fixed issue that caused warning about WORDFENCE_VERSION * Fixed Wordfence Security admin area not working under SSL * Fixed bug that caused IP addresses of clients to be misinterpreted if there are multiple addresses from chained proxies. * Now stripping port numbers from IP's which we weren't doing before. * Added check for validity of IP's and report fatal error if it fails because this could lock users out. * Improved error reporting including fixing an out of memory error when a specific error condition arose in wfConfig::set() * Changed order of tmp dirs to be wordfence/lib protected dir first and then system temp dir. Added uploads as tmp dir for last resort. * Malware URL's are now marked in red in alerts so it's obvious what the offending URL in a file is. = 2.1.3 - June 5, 2012 = * Added fix for hosts that have max_allowed_packet set too small. We will write a temp file to disk instead if possible. * Increased size of status column to 1000 chars = 2.1.2 - June 4, 2012 = * Fixed issue with scan scheduling that caused a loop * Fixed issue that caused version constant to not be included in scans = 2.1.1 - June 4, 2012 = * Added ability to permanently block IP's * Added ability to manually block IP's * Made Wordfence Security more memory efficient, particularly the forking process. * Fixed issue that caused WF to not work on databases with blank passwords. * Wordfence Security now stops execution of a DB connection error is encountered. * Clear cron jobs if Wordfence Security is uninstalled. * Enabled hourly cron for Wordfence security network. * Wordfence Security now works if your server doesn't have openssl installed * Wordfence Security now works even if you don't have CURL * Fixed visitor logging so it works with HTTPS websites. * Alert emails now contain filenames in each alert description. * Users with weak passwords alerts now contain the username in the email. * Upgraded API to 1.7. * Fixed issue that caused DISALLOW_FILE_MODS to make WF menu disappear. * Modified wfDB to deal with very large queries without exceeding max_allowed_packet * Fixed issue that broke ability to see file changes and repair files in security scan results. = 2.1.0 - June 3, 2012 = * Fixed scans hanging on Dreamhost and other hosts. * Made Wordfence Security more memory efficient. * Wordfence Security scans are now broken into steps so we can scan a huge number of files, posts and comments. * Alert emails now include IP address, hostname lookup and geographic location (city if available). * Improved security scan locking. No longer time based but uses flock() if on unix or time on Windows. * Suppressed warnings that WF was generating. * Improve handling of non-standard wp-content directories. * Fix restored files were still showing as changed if they contained international characters. * Improve permission denied message if attempting to repair a file. * Fixed problem that caused scans to not start because some hosts take too long to look up their own name. * Fixed issue with Wordfence Security menu that caused it to not appear or conflict with other menus under certain conditions. * Upgraded to security API version 1.6 * Improved geo lookup code for IP's to improve security. * Fixed debug mode output in live status box - coloring was wrong. * Added ajax status message to WF admin pages. * Fixed colorbox popup so that it doesn't jump around on refresh. = 2.0.7 - May 24, 2012 = * Fixed CSS bug that changed plugins page layout in admin area * Added memory benchmark utility. * Added process runtime benchmark utility. * Added ability to security scan in debug mode which accesses the scan app directly. = 2.0.6 - May 23, 2012 = * Added IP whitelisting including ability to whitelist ranges that are excluded from firewall and login security measures. * RFC1918 private networks and loopback address is automatically whitelisted to prevent firewall or login security blocking internal routers and proxy servers, internal firewalls and internal users. * Added WORDFENCE_VERSION constant to improve version lookup performance. * Fixed issue that caused security scans to not start and humans to not be logged in live traffic. Wordfence Security makes security scan script and visitors script executable on install or upgrade now. * Fixed bug that caused disk space scanning to still show an issue found in security scan summary even when user chooses to ignore the security issue. * Made disk space thresholds 1 and 1.5% space remaining because many hosts have very large disks where 1% is gigabytes. * Made wordfence Security database handle cache deal with concurrent connections to different databases. * Improved Wordfence Security database library's error reporting. * Improved performance when Wordfence Security looks up it's own version during security scans and other operations. * Removed three rules in base wordfence Security htaccess that could cause 500 errors on servers that don't allow these options to be overridden. Does not affect htaccess security because we inherit the base htaccess and still protect our lib/ directory with our own htaccess. = 2.0.5 - May 12, 2012 = * If your plugin PHP files are viewable by the world, we now give you a detailed warning on the seriousness of this security threat with ability to view the offending .htaccess files. * Added a debug mode in options for very verbose logging and marking errors in red. * Added more logging for the process that starts the security scan. * Ability to securely view the entire activity log added. * Using plugin version in all CSS URL's instead of API version. * Activity log microtime is more accurate now. * Fixed bug that would cause security scanning of PHP files with base64 content to stop. = 2.0.4 = * Now security scanning all comments, posts and pages on multi-site installation for malware and phishing URL's. Significant security enhancement. * Improved messages on multisite when a bad comment or post is found. * Fixed bug that caused paid users to not be able to activate their premium key. * Made upgrade process much friendlier. * Got rid of GeSHi syntax highlighting because it segfaults and is resource intensive. Using built in PHP highlighting instead. * Message asking you to configure an alert email address only appears for 3 pageviews after plugin activation so it's less irritating. * Fixed bug for MU users that caused WF to tell you that your WF schema is missing and you need to reactivate. * Fixed bug that caused malware URL security scanner to not work for MU users. = 2.0.3 - May 10, 2012 = * Removed unbuffered queries and switched to conventional queries that are memory efficient for better stability. * Made security scanning large numbers of URL's contained in things like awstats log files extremely memory efficient and way faster. * Removed alerts about unknown files in core directory if they belong to an older wordpress version and are unchanged. * Other performance improvements like using strpos instead of strstr. * Moved "scan files outside base dir" option to be in correct place on config page. = 2.0.2 - May 9, 2012 = * Fixed plugin upgrades so that css and scripts are not cached across versions. = 2.0.1 - May 9, 2012 = * Improved security scanning for specific attacks being used in the PHP-CGI vulnerability ( CVE-2012-1823) * API keys no longer required. WF fetches a temporary anonymous API key for you on activation. * Added real-time activity log on scan page. * Added real-time summary updates on scan page. * Fixed ability to view files that have symlinks in path. * Added message to configure alert email address for multi-site and single site installs on activation. * Disabled firewall security rules by default because most sites don't need them. * Disabled blocking of fake googlebots except for high security levels to prevent users who like to pretend they're googlebot from blocking themselves. * Geshi the syntax highlighter now asks for more memory before running. * Fixed bug that caused scan to hang on very large files. * Added an index to wfStatus to make it faster for summary statuses * Removed multisite pre-activation check to make activation more reliable on multisite installs. * Better problem reporting if you trashed your Wordfence Security schema but the plugin is still installed. = 1.5.6 - May 1, 2012 = * Removed use of nonces and purely using 30 minute key for unlocking emails. * Fixed bug that caused admin emails to not get emailed when requesting unlocking email. * Fixed minor issue with undefined array in issues loop. = 1.5.5 - May 1, 2012 = * Added ability for admin's to unlock login and unblock their IP addresses if they're accidentally locked out by the firewall or login security. Uses two security tokens to prevent abuse. * Admins can now also disable firewall and login security from the unlock-me email, just in case of emergency. * Made advanced security options visible so you know they exist. * Fixed dns_get_record() function not existing bug on Windows systems pre PHP 5.3.0. Was causing scans to hang. * Increased login lockout defaults to be much higher which still protects against brute force hacks. * Removed CURLOPT_MAXREDIRS in curl to avoid safe mode warnings. * Fixed ability to view and diff files on blogs installed in subdirectories. * Fixed ability to see individual IP hits on subdir sites. * Plugin and theme update messages now include links to the upgrade page. * Removed the link on the login form that mentions the site is protected by Wordfence Security. * Changed lockout defaults to be much higher. * Added options for higher number of failures before lockout in options page for configurable login security. * Now including plugin version in the activity log when the admin chooses to email it to us for debugging. = 1.5.4 - April 30, 2012 = * Admin can now select to scan outside the WordPress base dir and standard WordPress directories. * Max memory size for scans is now configurable for larger installations. 256M is the default. * Changed maximum scan time to 10 minutes. = 1.5.3 - April 29, 2012 = * A harmless cosmetic error was being thrown up when some security scans started. Fixed that. = 1.5.2 - April 29, 2012 = * Changed max scan time to 30 mins. = 1.5.1 - April 29, 2012 = * Fixed a bug that caused scans to crash when permissions don't allow a directory to be read. = 1.4.8 - April 29, 2012 = * WP repo didn't deploy the zip file correctly so recreating the version tag. = 1.4.7 - April 29, 2012 = * Vastly improved error logging including catching fatal PHP errors and logging them to status log. * Fixed accidental preg_replace variable interpolation. * Syntax fixes (various) = 1.4.6 - April 29, 2012 = * Increased memory available to Wordfence Security to 256M during security scans, configurable in wordfenceConstants.php * Improved memory logging during security scans. Current memory usage is now shown on the far right of filenames while scans occur. = 1.4.5 - April 27, 2012 = * Bugfix - fixed bug that caused Wordfence Security menu to dissapear. = 1.4.4 - April 27, 2012 = * WordPress Multi-site support added. Currently in Beta. Tested with subdomains, not subdirectories, but it should work great on both. * Main changes are moving menus to the Network Admin area, preventing individual blogs from enabling the plugin and dealing with database prefix issues. = 1.4.3 - April 26, 2012 = * Improved diagnistic information on binary and regular API calls for better debugging. * Changed ticker to only show activity with level < 3 = 1.4.2 - April 26, 2012 = * Email to send security alerts to is now configured at the same time an API key is entered. * phpinfo is emailed along with activity log when user requests to send us activity log so that we can see things like PHP max execution time and other relevant data * Now writing individual files to activity log during security scans for better diagnostics. * Login security message. * Updated readme.txt FAQ and description. * Fixed bug where sites with self signed SSL security certificate never start scan because cert fails security check. * Increased API curl timeout to 300 for slower hosts that seem affected during URL security scans. = 1.4.1 = * This is a major release of Wordfence Security, please upgrade immediately. * Only scan files in the WordPress ABSPATH root directory and known WordPress subdirectories. Prevents potentially massive scans on hosts that have large dirs off their wordpress root. * Don't generate plain SHA hashes anymore because we don't currently use them on the server side for scanning. (Still generates md5's and SHAC) * No longer do change tracking on files before scans because the change tracking does almost the same amount of work when generating hashes as the actual scan. So just do the scan, which is now faster. * Updated internal version to 1.2 to use new code on the server side which sends back a list of unknown files rather than known files, which is usually smaller and more network efficient. * Improved logging in activity log. * Removed SSL peer verification because some hosts have bad cert config. Connection to our servers is still via SSL to enhance security. * Fixed a few minor issues. Overall you should notice that scans are much faster now. = 1.3.3 - April 23, 2012 = * Made real-time server polling more efficient. * Entering your API key now automatically starts your first scan. Was causing some confusion. = 1.3.2 - April 23, 2012 = * Reduced the number of database connections that Wordfence Security makes to one. * Modified the memory efficient unbuffered queries we use to only use a single DB connection. * Removed status updates during post and comment scans which prevents interference with unbuffered queries and makes the scans even faster. = 1.3.1 - April 23, 2012 = * Fixed a bug where if you have the plugin "secure-wordpress" installed, you can't do a Wordfence Security scan because it says you have the wrong version. This is because secure-wordpress trashes the $wp_version global variable to hide your version rather than using the filters provided by WordPress. So coded a workaround so that your Wordfence Security scans will work with that plugin installed. = 1.3 - April 23, 2012 = * Minor fix to point to the correct binary API URL on the Wordfence Security cloud servers. = 1.2 - April 23, 2012 = * It is now free to get a Wordfence Security API key. * Premium keys include theme and plugin file security verification which consumes resources on the Wordfence Security servers. * Various bugfixes and performance enhancements. = 1.1 - April 21, 2012 = * Initial public release of Wordfence Security Plugin.