Description
THE TOP RATED WORDPRESS SECURITY AND FIREWALL PLUGIN
All-in-One Security (AIOS) is a security plugin designed especially for WordPress, now brought to you from the team at UpdraftPlus.
Customers love All-In-One Security because it’s easy to use, and it does a whole lot for free.
All-In-One Security gives you Login Security Tools, to keep bots at bay and protect your website from brute force attacks.
Our Web Application Firewall gives you automatic protection from security threats.
Content Protection Features protect what you’ve worked so hard to build; All-In-One Security eliminates comment spam and prevents other websites from stealing your content with features like iFrame prevention and copy protection.
Still on the fence?
- We’re currently the Only WordPress Security Plugin with a 5 Star user rating across more than 1 million installs.
- Our security team maintains a list of known exploits, actively building protections against them and releasing these as new firewall rules to free and paying customers, at the same time.
- We’re already the world’s number one for backups, so you know you can trust us with the security of your website too.
LOGIN SECURITY FEATURE SUITE
Protect against brute-force attacks and keep bots at bay. All-In-One Security takes WordPress’ default login security features to a whole new level.
- Supports best practice: All-In-One Security detects if an account has the default ‘admin’ username or if a user has identical login and display names, prompting the user to change this in support of better security practices.
- Hide login page from bots: Configure a custom URL for the WordPress ‘Admin’ login page, making it harder for bots to find.
- Change default wp_ prefix: Hackers use automated code to attack websites like yours. Make life harder for them and protect your site with this simple but effective AIOS security feature.
- Login lockout: External users making multiple login attempts can be locked out for a configured period of time. You can also lock out users who try invalid usernames. See a list of all locked out users and unlock with one click.
- Reporting: All-In-One Security provides a wealth of information about website users. View activity by username, IP address, login and logout dates and times. See a list of users currently logged in, and a list of all failed login attempts.
- Force logouts: Ensure users don’t stay logged in indefinitely. With All-In-One Security you can force logouts for all users after a configurable amount of time.
- Robot verification: For additional security and to prevent spam registrations, add Cloudflare Turnstile, Google reCAPTCHA, a plain maths CAPTCHA or a honeypot to registration pages, or enable manual approval of user accounts instead.
- Stops user enumeration: Prevent external users and bots from fetching user information via author permalink.
- Two-factor authentication: All-In-One Security TFA supports Google Authenticator, Microsoft Authenticator, Authy and many more.
- Password strength tool: Calculates how long it would take for your password to be cracked through a brute force attack.
- General visitor lockout: Put your site into “maintenance mode” and lock down the front-end to all visitors. This can be useful while doing back end tasks, like performing site upgrades or investigating security threats.
- WordPress Salts Security Feature Extended: All-In-One Security appends 64 extra characters to the WordPress salts and rotates them weekly. The salts key WordPress’ authentication cookies and nonces, so rotation limits the value of any copy of wp-config.php an attacker obtains and invalidates existing sessions. (It does not change how stored password hashes are computed; those carry their own per-user salt.)
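The login lockout described above, as an added illustration rather than code from AIOS: a must-use plugin that counts failed logins per client address, locks the address out once a threshold is reached inside a window, and locks it out at once when the username does not exist. The `ex_` names, thresholds and the plugin file name are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Example login lockout (added illustration, not AIOS code)
 * Description: Lock an IP out after repeated failed logins, and at once on a non-existent username.
 *
 * Drop into wp-content/mu-plugins/ to load it. All "ex_" names are assumptions for this example.
 */

defined( 'ABSPATH' ) || exit;

const EX_MAX_ATTEMPTS       = 5;                       // failures allowed inside the window
const EX_WINDOW_SECONDS     = 5 * MINUTE_IN_SECONDS;   // counting window
const EX_LOCKOUT_SECONDS    = 30 * MINUTE_IN_SECONDS;  // how long a locked IP stays locked
const EX_LOCK_UNKNOWN_USERS = true;                    // lock immediately when the username does not exist

/**
 * REMOTE_ADDR is the only address the web server itself vouches for. Substitute
 * X-Forwarded-For (or CF-Connecting-IP) only when a proxy you control always sets it;
 * otherwise an attacker picks a fresh "IP" per request and is never locked out.
 */
function ex_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ex_lock_key( $ip ) {
	return 'ex_login_lock_' . md5( $ip );
}

/** Unix time the client is locked until, or 0 if it is not locked. */
function ex_locked_until( $ip ) {
	$state = get_transient( ex_lock_key( $ip ) );
	return ( is_array( $state ) && ! empty( $state['locked_until'] ) ) ? (int) $state['locked_until'] : 0;
}

// WordPress fires this whenever authentication fails for a non-empty username
// (wp-login.php and XML-RPC both go through wp_authenticate()).
add_action( 'wp_login_failed', function ( $username ) {
	$ip  = ex_client_ip();
	$key = ex_lock_key( $ip );

	if ( ex_locked_until( $ip ) > time() ) {
		return; // already locked: further attempts must not extend the lock indefinitely
	}

	$state = get_transient( $key );
	if ( ! is_array( $state ) || ( time() - (int) $state['first'] ) > EX_WINDOW_SECONDS ) {
		$state = array( 'count' => 0, 'first' => time() ); // start a new window
	}
	$state['count']++;

	$unknown_user = EX_LOCK_UNKNOWN_USERS && ! username_exists( $username ) && ! email_exists( $username );

	if ( $state['count'] >= EX_MAX_ATTEMPTS || $unknown_user ) {
		$state['locked_until'] = time() + EX_LOCKOUT_SECONDS;
		set_transient( $key, $state, EX_LOCKOUT_SECONDS );
		return;
	}
	set_transient( $key, $state, EX_WINDOW_SECONDS );
} );

// Refuse authentication while locked. Priority 99 runs after WordPress' own
// username/password and email/password checks (priority 20), so a correct password
// submitted from a locked IP is still rejected instead of overriding this error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$until = ex_locked_until( ex_client_ip() );
	if ( $until > time() ) {
		return new WP_Error(
			'ex_locked_out',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', ceil( ( $until - time() ) / 60 ) )
		);
	}
	return $user;
}, 99, 3 );
```

Because the state lives in transients, a persistent object cache that evicts entries under memory pressure can silently shorten a lockout; a plugin such as AIOS keeps its lockout records in its own database table (see the `aiowps_login_lockdown` table in the changelog) for that reason.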
FIREWALL & FILE PROTECTION SECURITY SUITE
A Web Application Firewall (WAF) is your website’s first line of defence, protecting your site by monitoring traffic and blocking malicious requests.
- Progressively activate firewall settings: Enable rule sets ranging from basic through intermediate to advanced.
- Automatic protection from the latest threats: Our team maintains a list of known exploits, actively building protections against them which are then released as new firewall rules to free and paying customers.
- 6G blacklist: All-In-One Security incorporates ‘6G Blacklist’ firewall rules, protecting your site against a known list of malicious URL requests, bots, spam referrers and other attacks (courtesy of Perishable Press).
- Protect against fake Google bots: Bots presenting as Google crawlers can steal your content and litter your webpage with comment spam. Protect against it with the All-In-One Security Web Application Firewall.
- Blacklist functionality: Ban users by IP address, IP address range or by specifying user agents.
- Prevent DDoS attacks: Stop your site being abused as a reflector in distributed denial-of-service attacks that exploit the WordPress XML-RPC pingback method, and block the pingback floods that method can direct at your own site.
- Prevent image hotlinking: Protect server bandwidth and your website’s content by preventing other sites from using your imagery via hotlinking.
- Cross site scripting (XSS) protection: All-In-One Security prevents attackers from injecting malicious script into your website via a special cookie.
- File change detection: Security scanners alert you to file changes in your WordPress system, so you can see if a change is legitimate or suspicious, and investigate as appropriate.
- Disable PHP file editing: Protect your PHP code by disabling the ability to edit files in the WordPress administration area.
- Permission setting alerts: Identify files or folders where the permission settings are not secure and correct with one-click.
- Ability to create custom rules: Advanced users can add custom rules to block access to various resources on your site.
- Access prevention: Prevent external users from accessing the readme.html, license.txt and wp-config-sample.php files of your WordPress site.
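The XML-RPC pingback, user enumeration and PHP file editing protections listed above, as an added illustration rather than code from AIOS: a must-use plugin that removes the pingback methods, returns 403 for numeric author lookups before the canonical redirect can leak the login name, hides the REST and oEmbed user data from anonymous visitors, and disables the file editor without redefining the constant if wp-config.php already set it. The `ex_` names and the plugin file name are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Example request hardening (added illustration, not AIOS code)
 * Description: Disable XML-RPC pingbacks, stop user enumeration, and lock the file editor.
 *
 * Drop into wp-content/mu-plugins/ to load it. All "ex_" names are assumptions for this example.
 */

defined( 'ABSPATH' ) || exit;

// 1. XML-RPC pingback: an attacker can ask thousands of WordPress sites to "ping back" a victim URL,
//    turning them into a reflector. Removing only the pingback methods leaves the rest of XML-RPC
//    working for clients that still need it; the X-Pingback header stops advertising the endpoint.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// 2a. Author enumeration via /?author=1: redirect_canonical() (template_redirect, priority 10)
//     would answer with /author/<login>/ and leak the login name, so reject at priority 1.
add_action( 'template_redirect', function () {
	if ( ! is_user_logged_in() && isset( $_GET['author'] ) ) {
		status_header( 403 );
		nocache_headers();
		exit;
	}
}, 1 );

// 2b. Author enumeration via the REST API: /wp-json/wp/v2/users lists accounts anonymously.
//     Editors are logged in, so the block editor keeps its user lookups.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
		unset( $endpoints[ $route ] );
	}
	return $endpoints;
} );

// 2c. Author enumeration via oEmbed: /wp-json/oembed/1.0/embed?url=<post> includes author_name
//     and an author_url built from the login name.
add_filter( 'oembed_response_data', function ( $data ) {
	unset( $data['author_name'], $data['author_url'] );
	return $data;
} );

// 3. Theme/plugin editor: guard the define so a wp-config.php that already sets it
//    does not trigger a "constant already defined" warning.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}
```

Static files such as readme.html, license.txt and wp-config-sample.php are served by the web server before PHP runs, so they need a web-server rule (the .htaccess rules this page describes) or deletion (the option the 5.2.6 and 5.3.3 changelog entries add); a PHP hook cannot intercept them.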
CONTENT PROTECTION SECURITY SUITE
Eliminate spam, and protect your WordPress content and your search engine rankings, with these important security features from All-In-One Security.
- Comment SPAM prevention: Webpages littered with spam comments damage your brand, affect the user experience and impact SEO. All-In-One Security stops SPAM at the source by preventing comments that originate from other domains. AIOS automatically and permanently blocks spammers’ IP addresses. Site owners can use Cloudflare Turnstile or Google reCAPTCHA to reduce comment spam and block malicious users with just one click.
- iFrame protection: Preventing other websites from reproducing your content via an ‘iFrame’ is a useful security feature that protects your intellectual property and your website visitors.
- Copy protection: Deter casual copying of your content by disabling right-click, text selection and copy in the browser. This is a client-side deterrent only; a visitor who disables JavaScript or views the page source can still read and copy the text.
- Disable RSS and Atom Feeds: RSS and Atom Feeds can be used by bots to ‘scrape’ your website content and present it as their own. This feature prevents that by disabling RSS and Atom Feeds on your website.
LATEST AND GENERAL SECURITY FEATURES
- Audit Log: The All-In-One Security audit log gives Admins a view of events taking place on their WordPress website. They can see if anything strange is happening and detect security risks. For example, you can see if a plugin or theme has been added, removed, updated, activated or deactivated without your knowledge or consent.
INTERESTED IN AIOS PREMIUM?
For even greater protections, consider All-In-One Security (AIOS) Premium. It’s one of the most cost-effective and comprehensive WordPress Security plugins on the market and extends the powers of ‘Free’ with:
MALWARE SCANNING (Premium only)
Finding out by accident that your website’s security has been compromised due to malware is too late.
Malware can have a dramatic effect on search rankings. It can slow your site down, access customer data, send unsolicited emails, change your content or prevent users from accessing it.
- Alerts you to blacklisting: Search engines can very quickly blacklist a site hacked with malicious code. All-In-One Security Premium monitors your site’s status daily and alerts you if you’ve been blacklisted.
- Notification if something is amiss: We’ll notify you of any malware issues within 24 hours so you can take action, before it’s too late.
- Response time monitoring: You’ll know immediately if website response time is negatively affected.
- Up-time monitoring: All-In-One Security checks website uptime every 5 minutes. We’ll notify you if your site/server goes down.
- Flexible assignment: Register and remove WordPress sites from security scanning at any time.
- Security Reports: Security Reports are available via the ‘My Account’ page and directly via email.
FLEXIBLE TWO-FACTOR AUTHENTICATION (PREMIUM ONLY)
TFA is available in our free packages. All-In-One Security Premium affords whole new levels of control over how TFA is implemented.
- Role specific configuration: Make TFA compulsory for certain roles, e.g. for admin and editor roles.
- Require TFA after set time period: For example, you could require all admins to have TFA once their accounts are a week old.
- Trusted Devices: Ask for TFA after a chosen number of days for trusted devices instead of on every login.
- Anti-bot Protection: Option to hide the existence of forms on WooCommerce login pages unless JavaScript is active.
- Customise design layout: Customise the design of TFA so that it aligns with your existing web design.
- Emergency Codes: Generate a one-time use emergency code to allow access if your device is lost.
- Multisite Compatible: Compatible with WordPress multisite networks and sub-sites.
- Support for login forms: Support for WooCommerce and Affiliates-WP, Elementor Pro, bbPress and all third-party login forms without any further coding needed. Also compatible with ‘Theme my Login’.
SMART 404 BLOCKING (PREMIUM ONLY)
404 errors occur when someone legitimately mistypes a URL, but they’re also generated by hackers searching for security weaknesses in your site.
- Block bots producing 404s: All-In-One Security Premium automatically and permanently blocks IP addresses of bots and hackers based on how many 404 errors they generate.
- Reporting: Handy charts keep you informed of how many 404s have occurred and which IP address or country is producing them.
COUNTRY BLOCKING (PREMIUM ONLY)
Most security attacks come from a handful of countries and so it’s possible to prevent most attacks with our country blocking tool.
* Block traffic based on country of origin: All-In-One Security Premium utilises an IP database that promises 99.5% accuracy.
* Block traffic to specific pages: Block access to your whole WordPress site or on a page-by-page basis.
* Whitelist some users from blocked countries: Whitelist IP addresses or IP ranges even if they are part of a blocked country.
PREMIUM SUPPORT
- Unlimited support: Personalised, email support as and when you need it.
- Fastest response times: We offer a response time of three days. 99% of All-In-One Security Premium customers receive a response to their enquiry within 24 hours.
Plugin Support
- If you have a question or problem with the All-In-One Security plugin, post it on the support forum and we will help you. Premium customers can log queries directly with the team via aiosplugin.com
Developers
- If you are a developer and you need some extra hooks or filters for this plugin then let us know.
Translations
- All-In-One Security plugin can be translated to any language.
Currently available translations:
- English
- German
- Spanish
- French
- Hungarian
- Italian
- Swedish
- Russian
- Chinese
- Portuguese (Brazil)
- Persian
Privacy Policy
This plugin may collect IP addresses for security reasons such as mitigating brute force login threats and malicious activity.
The collected information is stored on your server. No information is transmitted to third parties or remote server locations.
Usage
Go to the settings menu after you activate the plugin and follow the instructions.
Blocks
This plugin provides 1 block.
- Twofactor User Settings
Installation
To begin making your WordPress site more secure:
- Upload the ‘all-in-one-wp-security.zip’ file from the Plugins->Add New page in the WordPress administration panel.
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Go to Settings menu under ‘WP Security’ and start activating the security features of the plugin.
FAQ
-
How is All-In-One Security (AIOS) supported?
-
Customers of ‘Free’ AIOS can get support from this very webpage. Select ‘Support’ from the tabs above and post a topic. We aim to respond to all support requests within 24 hours during the working week.
-
Is All-In-One Security compatible with other plugins?
-
Yes. AIOS works smoothly with most popular WordPress plugins.
-
Is All-in-One-Security regularly updated?
-
Yes. WordPress Security is something that evolves over time. We update AIOS with new security features (and fixes if required) on a regular basis so you can be assured that your site will keep benefitting from new security protection techniques for as long as you need them.
-
Will All-In-One Security slow down my website?
-
No.
-
The decision is yours to make. ‘Free’ AIOS incorporates a web application firewall, comprehensive login security tools including two-factor authentication and all the latest recommended WordPress security practices and techniques.
But if your WordPress site is a business website, if it showcases what you do, or who you are, we generally recommend AIOS Premium. Prices start from as little as $70 for the year.
AIOS Premium scans your WordPress website for malware whilst also monitoring your site’s response time and uptime, notifying you of any issues within 24 hours. AIOS Premium customers also benefit from hands-on ticketed support via email (rather than via WP Support forums).
Additional security tools include Country Blocking, Smart 404 Error Blocking and Advanced Two Factor Authentication.
More information is available from our All-In-One Security website.
-
In the web shop, purchase your preferred subscription. After completing the purchase, you will be emailed a link to download the plugin. You can also access the link through your “My Account” page.
After downloading the zip file, install and activate the plugin through WP Admin->Plugins->Add New->Upload Plugin.
The premium extends the free version. Therefore you should keep the free version installed and active. You will also be prompted to enter your AIOS username and password to connect your site to licenses. This will allow the plugin to receive updates.
-
Yes, you need to have the free version of the plugin installed and activated before installing Premium. Premium plugin is an add-on that requires the free version to be present.
-
Does All-In-One Security work with multi-site network installations?
-
Yes, AIOS Premium is compatible with WordPress multisites. For multisite networks, the protection will apply to the network as a whole, and the dashboard and options will be available on the main site of the WordPress multisite.
-
Can a WordPress security plugin stop all attacks on my site?
-
There is no 100% guarantee that a security plugin will be able to protect against all attacks, as there is always the possibility of unknown WordPress vulnerabilities or other unexpected factors, and attackers are always seeking to develop new ways around protections. However, All-In-One Security gives good protection against known attack methods, and is under continuous development to monitor and improve protections.
-
Does All-In-One Security work on all servers and hosts?
-
AIOS should be compatible with most hosts, unless the host has specifically restricted the use of security plugins. Similarly, certain features may not work on some servers, especially Windows/IIS platforms. Features that use the ‘.htaccess’ file will not apply on a Windows IIS server or NGINX server (but development is ongoing to port those protections to all servers).
-
Development and test sites require their own licence if updates to the plugin are needed.
However, these sites can be disconnected from the licence when they have served their purpose. You can disconnect the licence via the site’s WP Admin->Plugins page, and it will be available to be reassigned to a different site.
-
Is the All In One Security & Firewall Plugin GDPR and other privacy law compliant?
-
Please read more about GDPR compliance here: https://aiosplugin.com/privacy-policy/ .
Contributors & Developers
“All-In-One Security (AIOS) – Security and Firewall” is open source software. The following people have contributed to this plugin.
Contributors
“All-In-One Security (AIOS) – Security and Firewall” has been translated into 12 locales. Thank you to the translators for their contributions.
Translate “All-In-One Security (AIOS) – Security and Firewall” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
5.3.3 – 16/Sep/2024
- FEATURE: Added captcha option for WooCommerce classic guest checkout page.
- FIX: Fixed responsive layout issues with dashboard notice logo on mobile devices.
- FIX: Turnstile captcha widget showing multiple times
- FIX: Solved memory issue for reading larger host system log file
- FIX: Removed .htaccess options from the Settings menu on Nginx, IIS and unsupported web servers
- FIX: Resolved UX popup issue and firewall allowlist sanitization
- FIX: Resolved an issue where bulk table actions were still executed even if the confirmation dialog was canceled.
- FIX: Added a null check to prevent PHP warnings in firewall rules
- TWEAK: Ajaxified the actions in the settings, filesystem security, spam prevention and user security menu
- TWEAK: Added Ajax support to list tables and the audit log
- TWEAK: Added CAPTCHA field to MemberPress forgot password and registration forms
- TWEAK: Excluded .htaccess tabs from settings if the server is not supported
- TWEAK: Updated the firewall rules UI and malware scanner description
- TWEAK: Tweaked the htaccess backup method to generate the random filename
- TWEAK: Removed ‘prevent access to default WP files’ from .htaccess and added ‘license.txt’ to deletion list.
5.3.2 – 06/Aug/2024
- FIX: Bug that allowed subsite admins to delete audit logs of other subsites
- FIX: Disabled blacklisting on subsites because the PHP-based firewall currently applies to the entire multisite
- FIX: An issue with getting the google bot ip ranges
- TWEAK: Added extra protections in place before modifying the .htaccess file
- TWEAK: Actions in the tools, firewall and scanner menu are now processed via AJAX
- TWEAK: Trimmed leading and trailing whitespace from inputs in the WHOIS lookup tab
- TWEAK: Added a confirmation pop-up when users clear records in the Debug Logs table
- TWEAK: Added captcha support for the MemberPress plugin
- TWEAK: Improved the UX of the WP REST API options
- TWEAK: Internal code improvements to improve maintainability
- TWEAK: Updated the feature manager to improve performance
- TWEAK: Fixed the issue of blank tables on mobile view
5.3.1 – 26/Jun/2024
- FEATURE: Added CAPTCHA to password protected pages/posts
- FIX: Captcha not showing on the BuddyPress registration page
- FIX: WooCommerce logout issue when the renamed login page and login whitelist features are both enabled
- FIX: Missing CAPTCHAs when multiple WooCommerce login and register forms are on the same page
- FIX: Fixed an issue with the 404 detection actions
- FIX: A UI issue with the 2FA QR code image
- TWEAK: Added the attribute data-cfasync=”false” to the default captcha url to allow loading on Cloudflare Rocket Loader
- TWEAK: Purge login lockdown table records after 90 days to restrict size. The AIOS_PURGE_LOGIN_LOCKOUT_RECORDS_AFTER_DAYS constant has been added to change the default.
- TWEAK: Updated the malware scanner frequency text from daily to weekly
- TWEAK: Updated the password strength meter UI for the password tool
- TWEAK: Add a ‘Lock IP’ and ‘Blacklist IP’ link to the IP column of the audit log.
- TWEAK: Enhance fake Googlebot detection. In the case where gethostbyaddr fails, the firewall will fallback to checking against known Googlebot IP ranges
- TWEAK: Updated the column header for the “Permanent Blocked IP Addresses” table to be consistent with other tables
- TWEAK: Prevent warning when DISALLOW_FILE_EDIT has already been defined
- TWEAK: Fix instances of one translation function being used for multiple sentences
- TWEAK: Improved the UX during AJAX calls
- TWEAK: Removed Trash spam comments duplicated description
5.3.0 – 01/May/2024
- FEATURE: Added bulk force logout features for logged in users
- FIX: An issue with the WooCommerce my account page logout function when the cookie based brute force feature is turned on
- FIX: Warning undefined array key SCRIPT_FILENAME
- FIX: Custom redirection after login not working if url contains the redirect_to parameter
- FIX: List of administrator accounts not showing on the user security page
- FIX: Issue with cookie based bruteforce prevention solved if salt postfix feature is on.
- FIX: Fixed country field not showing in the 404 event logs (Premium)
- FIX: Fixed country field not showing in the smart 404 blocked IP log (Premium)
- TWEAK: Fixed translation issue not showing as per admin user set language instead of site settings
- TWEAK: Firewall upgrade changes are applied without access to the admin interface
- TWEAK: Change the labels for the switches to a more appropriate wording
- TWEAK: In the file scanner results show the file sizes in a human readable format
- TWEAK: Updated the default message for attempts to access wp-admin
- TWEAK: Internal refactor of the update code to improve code clarity.
- TWEAK: Port the ‘Block fake Googlebots’ feature to the PHP-based firewall
- TWEAK: Remove requirement for at least one IP for ‘Blacklist’, ‘Login whitelist’ and ‘Login lockout IP whitelist’ to be enabled.
- TWEAK: Added error message when a user tries to block their own IP on registration approval
- TWEAK: Added method to update badge on AJAX call
- TWEAK: internal refactor of the AIOWPSecurity_Utility_File class to improve code clarity
- TWEAK: Seasonal notice content update for 2024
5.2.9 – 06/Mar/2024
- FIX: Remove call to update_event_table_column_to_timestamp in update routine
- FIX: Remove call to wp_timezone() which is only available in WP 5.3+
5.2.8 – 05/Mar/2024
- FIX: The user check that affects the Duo authentication plugin
- FIX: Database update routine is now run without needing to visit the admin interface or each individual site in a multisite
- FIX: Some settings in the firewall menu not resetting after deactivating and reactivating the plugin.
- TWEAK: Audit log and 404 events CSV export file date time column is now in a human readable format not unix timestamp
- TWEAK: Debug log table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Global meta table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Permanent block table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Refactor list item actions to further improve code clarity
- TWEAK: Removed blacklist admin menu as previously announced
- TWEAK: Removed miscellaneous admin menu as previously announced
- TWEAK: Removed various admin menu tabs as previously announced
- TWEAK: Store IP lookup result for other types of entries in the login lockdown table
- TWEAK: Update the footer review prompt
- TWEAK: Max file upload size limit to 250 MB by aiowps_max_allowed_upload_config filter removed
- TWEAK: Improve comment spam detection to not interfere with other forms
5.2.7 – 06/Feb/2024
- SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.
5.2.6 – 06/Feb/2024
- SECURITY: Removed unnecessary use of the “tab” query parameter on various admin menu pages to prevent a non-persistent XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect. (This would allow an attacker who deliberately targets you whilst logged in as an administrator and persuades you to visit a link he controls to inject unwanted scripts on a single visit to your AIOS admin page).
- FEATURE: Added logout event to the audit logs
- FEATURE: Add ability to delete the default readme.html file and wp-config-sample.php file
- FIX: Correct some translation calls that were using the wrong text domain
- FIX: PHP notice caused by the file scanner being unable to read its data file
- FIX: Unlock request button was not showing and redirects to 127.0.0.1
- FIX: Database errors for the aiowps_login_lockdown table during plugin installation
- TWEAK: Refactor the 6G UI
- TWEAK: Added an option to set the Cloudflare Turnstile CAPTCHA theme
- TWEAK: Added CSS styling for audit log details column
- TWEAK: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
- TWEAK: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
- TWEAK: Display json string instead of null if json_decode does not work for audit log details
- TWEAK: Event table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Various tweaks to get codebase up to coding standards
- TWEAK: Various tweaks to ensure multiple sentences are not passed to a single translation function
- TWEAK: Fix the broken UI for RSS and Atom firewall settings and added a more info box
- TWEAK: Fix the issue of unique ID in DOM
- TWEAK: Merge Username and Display Name tabs in User Security Settings
- TWEAK: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu
- TWEAK: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab
- TWEAK: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu
- TWEAK: Moved the ‘WP Rest API’ tab into the Firewall Menu
- TWEAK: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu
- TWEAK: Moved the ‘Salt’ tab into the User security menu
- TWEAK: Moved ‘Blacklist Manager’ tab into the Firewall menu.
- TWEAK: Password resets, removed and deleted users are now recorded in the audit log
- TWEAK: Stop 404 IP from being locked if there’s a current lock on that IP
- TWEAK: Unify date and time conversion with users timezone support
- TWEAK: Changed how empty data in ip lookup result is stored in the database
- TWEAK: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
- TWEAK: Add captcha support for Contact Form 7
- TWEAK: Added a AJAX save settings and get features details badge function as part of ongoing work to add AJAX support to the plugin settings
- TWEAK: Enhance reset password email by adding IP info
- TWEAK: Remove defunct imagetoolbar meta tag
- TWEAK: Login lockout tables existing datetime field converted to timestamp to be timezone independent
- TWEAK: Code improvements – utilising WP_Error objects instead of arrays
5.2.5 – 25/Oct/2023
- SECURITY: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
- FEATURE: Block POST requests that have a blank user-agent and referer
- FEATURE: Added reverse IP Lookup data to the login lockdown notification email
- FIX: Prevent a fatal error when setting up the firewall if the host has disabled the function parse_ini_file
- FIX: Prevent the firewall message store from filling up with unused entries
- FIX: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
- FIX: An issue that prevented MainWP updates from being performed correctly
- FIX: Prevent user enumeration via the REST API and oEmbed protocol
- FIX: User agent blacklist not matching all strings correctly
- FIX: Logged in user table not showing the correct information
- TWEAK: Improve comment spam detection by using hidden fields and cookies
- TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
- TWEAK: The menu actions in the dashboard admin menu are now processed via AJAX
- TWEAK: Converted checkboxes in the admin menu pages to switches
- TWEAK: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
- TWEAK: Combined various user admin menus into a new ‘User Security’ admin menu
- TWEAK: Export configuration filename now reflects the local timezone.
- TWEAK: Improve the UI/UX of the file scanner making way for future improvements
- TWEAK: Redesign the feature manager badges
- TWEAK: Removed various admin menu tabs as previously announced
- TWEAK: Add features that depend on other plugins to the feature manager conditionally
- TWEAK: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
- TWEAK: Audit log date and time are now displayed in the sites timezone
- TWEAK: PHP warning undefined array key REQUEST_METHOD in rule-proxy-comment-posting.php
- TWEAK: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the “rename login page” setting is on.
5.2.4 – 16/Aug/2023
- FIX: Ported firewall settings from disabling on upgrade
5.2.3 – 09/Aug/2023
- FIX: Fatal error “set_value() on null” when the firewall config is missing
- FIX: PHP notices when running under cron
- FIX: Revert change that caused the Brute force login whitelist to show the server IPs and not the users
- TWEAK: Add communication mechanism so that firewall can send data to WordPress
- TWEAK: Remove incorrect mentions of the .htaccess file on PHP Firewall rules
5.2.2 – 04/Aug/2023
- FEATURE: An allow list of IP addresses which bypass the firewall rules
- FIX: Fix get_class() on null fatal error when updating via ManageWP
- FIX: No such file or directory notice generated by the firewall’s config file
- FIX: Only send the upgrade email if one or more of the ported rules had been enabled
- FIX: Fake Google bots are now blocked if bot server IP address does not resolve to a hostname
- FIX: Google reCaptcha now appears correctly on the WooCommerce checkout page
- FIX: Prevent Woocommerce auto login if manual registration approval is turned on
- FIX: Premium upgrade tab UI overlapping issue.
- FIX: Allow maintenance mode to be controlled via WP-CLI (Premium)
- FIX: Use the correct site id for login success events added to audit log table on Multisite
- FIX: Added missing features to the feature manager list
- FIX: A warning when using the update all command via WP-CLI
- TWEAK: AIOS settings based IP address is now used instead of the REMOTE_ADDR server variable for multiple wrong 2FA code notification
- TWEAK: Added ‘aios_audit_log_record_event’ filter to allow events to not be recorded
- TWEAK: Improve the feature item manager code structure making way for future improvements
- TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist.
- TWEAK: Move the ‘Custom rules’ tab from the ‘Firewall’ section to its own tab in the ‘Tools’ section
- TWEAK: Move the ‘Prevent hotlinking’ tab to the ‘File protection’ tab in the ‘Filesystem Security’ menu
- TWEAK: Moved all CAPTCHA settings to the ‘CAPTCHA settings’ tab in the ‘Brute Force’ menu
- TWEAK: Moved the ‘Password tool’ tab to the ‘Tools’ admin menu
- TWEAK: Moved the ‘Visitor lockout’ tab to the ‘Tools’ admin menu
- TWEAK: Moved the ‘User registration honeypot’ tab to the ‘Brute force’ admin menu
- TWEAK: Remove ‘Account activity table’ as these entries are also recorded in the audit log
- TWEAK: Removed the ‘Failed login records’ tab as previously announced, these are now recorded in the audit log
- TWEAK: Improve list table code performance
- TWEAK: Removed use of $_GET, $_POST, $_REQUEST from all template files making way for future improvements
5.2.1 – 12/Jul/2023
- FIX: Include helper class file from loader
- TWEAK: Conditionally load TFA block JavaScript
5.2.0 – 10/Jul/2023
- SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 and 5.2.0 (which purges the existing data), to know what site users’ passwords are. This information has limited value (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite, where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog has been expanded in response to incorrect reports which suggested a wider problem (for example, they did not mention that the attacker needs to already be logged in as an admin to read the log, or that upgrading to 5.2.0 deletes the affected data).
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
- FIX: After editing a file reset permissions back to the original permissions
- FIX: Corrected some broken links in the plugin
- FIX: Fatal error: cannot declare class
- FIX: Normalise all arguments in the stacktrace
- FIX: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
- FIX: Too many redirects error for forced logout users solved
- TWEAK: For cron jobs, WP-CLI, and when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined, do not use external services for user IP addresses. Silenced the api.ipify.org ‘request failed’ warning.
- TWEAK: Added the missing translation and the generate password button to the reset password page of the renamed login page
- TWEAK: Added ‘aios_audit_log_event_user_ip’ filter to allow filtering of IP addresses in the audit log
- TWEAK: Added action hook “aios_reset_all_settings” for resetting all settings.
- TWEAK: Renamed login page now has the language switcher dropdown and other tweaks, as in WordPress 6.2
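The 5.2.0 SECURITY item above is about a stack trace that carried login credentials into the database. As an added example, not the plugin’s own code, here is a redaction pass run over a debug_backtrace() result before it is persisted; the lists of sensitive functions, hooks and array keys are assumptions chosen for the example.

```php
<?php
// Added example, not AIOS code: strip credentials from a debug_backtrace() result before it
// is stored, so a persisted trace never carries plaintext passwords (the 5.2.0 defect class).
// The function, hook and key lists are assumptions chosen for this example.
const EXAMPLE_SENSITIVE_FUNCTIONS = array('wp_authenticate', 'wp_authenticate_username_password',
    'wp_signon', 'wp_check_password', 'wp_set_password', 'wp_hash_password');
// Hooks whose extra arguments carry a password, e.g. apply_filters('authenticate', null, $user, $pass).
const EXAMPLE_SENSITIVE_HOOKS = array('authenticate', 'wp_authenticate_user', 'check_password');
const EXAMPLE_HOOK_RUNNERS    = array('apply_filters', 'do_action', 'apply_filters_ref_array');
// Array keys masked wherever they appear (e.g. the credentials array given to wp_signon()).
const EXAMPLE_SENSITIVE_KEYS  = array('user_password', 'pwd', 'password', 'secret', 'token');
/** Return a copy of $trace with secrets replaced by '[redacted]' and every argument normalised. */
function example_redact_backtrace(array $trace) {
    $clean = array();
    foreach ($trace as $frame) {
        $function   = isset($frame['function']) ? $frame['function'] : '';
        $args       = isset($frame['args']) ? $frame['args'] : array();
        $hook_frame = in_array($function, EXAMPLE_HOOK_RUNNERS, true)
            && isset($args[0]) && in_array($args[0], EXAMPLE_SENSITIVE_HOOKS, true);
        // In a sensitive frame every string argument is masked; usernames are lost too, deliberately.
        $sensitive = $hook_frame || in_array($function, EXAMPLE_SENSITIVE_FUNCTIONS, true);
        $frame['args'] = array();
        foreach ($args as $i => $arg) {
            // Keep the hook name itself so the trace stays readable.
            $frame['args'][$i] = ($hook_frame && 0 === $i) ? $arg : example_normalise_arg($arg, $sensitive);
        }
        $clean[] = $frame;
    }
    return $clean;
}

/** Reduce one argument to something safe to persist: no objects, no resources, no secrets. */
function example_normalise_arg($arg, $sensitive) {
    if (is_string($arg)) return $sensitive ? '[redacted]' : $arg;
    if (is_array($arg)) {
        $out = array();
        foreach ($arg as $k => $v) {
            $masked  = is_string($k) && in_array(strtolower($k), EXAMPLE_SENSITIVE_KEYS, true);
            $out[$k] = $masked ? '[redacted]' : example_normalise_arg($v, $sensitive);
        }
        return $out;
    }
    if (is_object($arg))   return 'object(' . get_class($arg) . ')';
    if (is_resource($arg)) return 'resource(' . get_resource_type($arg) . ')';
    return $arg; // int, float, bool or null are safe as they are
}

// Constructed trace in the shape debug_backtrace() returns during a failed login attempt.
$sample = array(
    array('function' => 'apply_filters', 'args' => array('authenticate', null, 'alice', 'hunter2')),
    array('function' => 'wp_signon', 'args' => array(array('user_login' => 'alice', 'user_password' => 'hunter2'))),
    array('function' => 'wp_loaded_handler', 'args' => array('harmless', 42)),
);
print_r(example_redact_backtrace($sample));
```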
5.1.9 – 09/May/2023
- FEATURE: IP addresses – Blacklist manager functionality based on PHP instead of .htaccess rules. Added the AIOS_DISABLE_BLACKLIST_IP_MANAGER constant; define it in your wp-config.php to disable the IP blacklist manager.
- FEATURE: Detect spambots posting comments and discard them completely or mark them as spam.
- FEATURE: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)
- FEATURE: Added a “Delete all” and “Delete filtered” bulk action to the audit log table
- FIX: Prevent Cloudflare Turnstile being added to login forms when no credentials were set
- FIX: Change where the audit log event handler is loaded to prevent an error on plugin deletion
- FIX: Fix context class checks to support CLI
- TWEAK: Multisite super admin can access the subsite dashboard without logging in again if salt postfix is enabled
- TWEAK: Captcha JavaScript file is no longer unnecessarily loaded on some site pages when the comment captcha or custom login captcha is enabled
- TWEAK: Change some nonce checks to use our internal function to check user capability and nonces
- TWEAK: User registrations and successful logins are now recorded in the audit log
- TWEAK: Added a commands class and refactored AJAX handlers
- TWEAK: Captcha verification to prevent conflicts with some plugins that recall the WordPress authentication code
- TWEAK: Improve database table prefix feature UI.
- TWEAK: WordPress core updates are now recorded in the audit log
- TWEAK: Translation updates are now recorded in the audit log
- TWEAK: Add an entity changed event to the audit log when upgrader information is not available
- TWEAK: Fixed automated emails sent by AIOS that failed to send due to the from address
5.1.8 – 11/April/2023
- FIX: 404 detection – individual record blacklisting, delete and temp block actions had stopped working in 5.1.7
- FIX: Uncaught fatal error on null ‘set_value’
- FIX: Remove audit log event handler actions on plugin deletion to prevent an error
- FIX: Remove some audit log event handlers on plugin deletion to prevent an error
- FIX: Get correct wp-config path when installed in a subdirectory
- TWEAK: AIOS_Helper::request_remote timed-out exception is now ignored.
- TWEAK: Requests_IPv6 class name is deprecated in WordPress 6.2.
- TWEAK: Failed login attempts are now recorded in the audit log
5.1.7 – 24/March/2023
- FIX: Prevent fatal error when calling get_server_detected_user_ip_address() when the firewall is not setup
- TWEAK: Clarify dashboard notice title and change image.
5.1.6 – 21/March/2023
- FEATURE: Added an audit log
- FEATURE: Add salt postfix option to improve your site’s security
- FEATURE: Shared library that can be used from the firewall.
- FIX: Solved the rename login slug (e.g. wp-login-RANDOM_SUFFIX) showing a 404 page, and cleaned up code for multisite activation.
- FIX: Divi child theme conflict – Call to undefined function et_builder_get_fonts() in functions.php on line 208 solved.
- FIX: Captcha settings tab not showing for subsites in a multisite installation
- FIX: Cron reschedule event error for hook aios_15_minutes_cron_event if plugin deactivated or uninstalled
- TWEAK: Stop user enumeration now shows 403 forbidden error code instead of 500 server error
- TWEAK: PHP 8.1 deprecation warning from rawurldecode() being passed null instead of a string in the 6G block request string rule
- TWEAK: Code clean up for the disable cookie-based brute force constant, as the rule has moved to the firewall
- TWEAK: Comment spam IP monitoring page UI
- TWEAK: Updated seasonal notices
- TWEAK: Improve internal code structure making way for future improvements
- TWEAK: Remove mention of the 6G firewall rules being .htaccess based as they are now PHP based
- TWEAK: Added new internal function to check user capability and nonces
- TWEAK: Improve config code with inline saving.
- TWEAK: Allow audit log to be filtered and exported to CSV
5.1.5 – 13/February/2023
- FEATURE: Added Cloudflare Turnstile CAPTCHA support
- FIX: Notices about undefined array key HTTP_USER_AGENT solved.
- FIX: New v5 features not saved in export file and not properly reset after uninstallation.
- FIX: File permission change was being applied to the last record rather than the selected one. Also, permissions are no longer changed when they are already tighter than the suggested ones.
- FIX: Fatal error ‘Call to a member function contains_contents() on null’
- TWEAK: Removed wrong information about login whitelist being implemented via htaccess.
- TWEAK: Refactoring settings tasks for WP CLI AIOS premium commands.
- TWEAK: Improved a page load performance issue caused by the incompatible TFA premium plugin active check.
- TWEAK: Make sure translation domain is registered before attempting to use it
- TWEAK: Replaced ‘click’ with ‘press’ in text because users could be on mobile devices and not using a mouse.
- TWEAK: Registration, comment, BuddyPress and bbPress admin pages now show a notice to enable the captcha settings.
- TWEAK: Improve the UI/UX for the 404 detection tab
- TWEAK: Improve internal code structure making way for future improvements
- TWEAK: PHP 8.2 deprecation warning for dynamic properties
- TWEAK: Remove the unintended ability for directory traversal and lack of escaping when outputting files with the “view system log” feature. This facility is only available to an administrator (who can of course already do anything on the site, so this has no security implications) and allowed them to view (the last 50 lines of) any file or list any directory on the system where the web server has read access.
- TWEAK: Firewall gets constants from a single source.
5.1.4 – 14/December/2022
- FEATURE: Add option to disable RSS and ATOM feeds.
- FIX: The IP address blacklist manager wasn’t working.
5.1.3 – 09/December/2022
- SECURITY: No longer save settings import files in a publicly accessible folder where they can be potentially indexed by search engines if the administrator does not actually import the settings (which deletes the import file)
- FEATURE: Implement firewall events system
- FIX: Protect subsites when firewall is loaded via plugins_hook
- TWEAK: Improve the UX for uploading import files
- TWEAK: Add a default CAPTCHA option making way for new CAPTCHAs in the future
5.1.2 – 07/December/2022
- FEATURE: User Agent – Blacklist manager functionality now based on PHP instead of .htaccess rules.
- FIX: Sorting by ‘status’ on the comment spam table
- FIX: Copy protection feature not working on iPhone
- FIX: Cookie-based brute force prevention locked users out if the plugin was deactivated and activated again.
- FIX: The notice to reapply .htaccess rules after reactivating the plugin is displayed on subsites.
- FIX: Various WordPress command line notices about undefined $_SERVER indexes
- FIX: Solved a firewall settings file sync issue when deactivating and reactivating the plugin.
- TWEAK: 2FA setting page to show premium options for AIOS premium.
- TWEAK: Remove characters that should not have been on the scanner page
- TWEAK: Organise firewall rules into subdirectories
- TWEAK: Added a GDPR question and answer to the AIOS WordPress.org plugin’s FAQ section.
- TWEAK: Allow AIOS management permission to be filtered via the ‘aios_management_permission’ filter
- TWEAK: Make use of is_main_site() function.
- TWEAK: Copy IP to clipboard when clicking on it at WP Security -> Brute Force -> Login whitelist.
- TWEAK: Better context detection for the firewall
5.1.1 – 16/November/2022
- SECURITY: Fixed a failure to check bulk action nonces, leading to a CSRF vulnerability. Exploitation would require an attacker to craft a link specifically for your site, and persuade you to click it whilst logged in; if you did so, this could result in bulk actions being carried out on AIOS list tables (e.g. delete entries from blocked IP address lists), with the attacker being restricted to deleting entries by database ID numbers that he cannot know directly (e.g. 15, 16, 17) and not IP address (e.g. 100.101.102.103).
- FEATURE: Cookie-based brute force prevention implemented with the new PHP based firewall system.
- FIX: AIOWPSecurity_WP_Loaded_Tasks::site_lockout_tasks() method visibility
- FIX: Prevent the dismiss notice button removing all notices from page including notices that contained important information
- FIX: Solved an issue with Brute Force > Login Whitelist affecting users accessing password protected pages.
- FIX: Force logout link not working in the currently logged-in users list.
- FIX: Google reCAPTCHA site key and secret key are not verified immediately.
- TWEAK: Code style changes for scanner related pages and future item manager class.
- TWEAK: Reapplied capitalisation style for firewall menu tabs.
- TWEAK: Use the term ‘login lockout’ instead of ‘login lockdown’ in the UI and mail content. Changed the constant AIOWPS_DISABLE_LOGIN_LOCKDOWN to AIOWPS_DISABLE_LOGIN_LOCKOUT.
- TWEAK: Update tabs, links to match capitalisation style of other UpdraftPlus plugins.
- TWEAK: Added the filter ‘aios_server_type’ to override the AIOWPSecurity_Utility::get_server_type() method’s return value.
- TWEAK: Notice to show that account activity logs and 404 event logs older than 90 days are cleared automatically.
- TWEAK: Premium upgrade page FAQs linked to correct URL.
- TWEAK: IP address lookup called only once in same page request. Visitor blocking called when user is not logged in. User online information updated on login only.
- TWEAK: User login lockout – validated that the minimum lockout time length is less than the maximum lockout time length.
- TWEAK: Take a backup of wp-config before inserting firewall contents.
- TWEAK: Ability to downgrade the firewall’s protection which allows users to reverse the changes from setting up the firewall.
- TWEAK: Set a global context for $wp_file_descriptions context so that it gets assigned to correctly, preventing a subtle visual change in the theme editor
- TWEAK: Black Friday notice
- TWEAK: Update readme.txt file
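The 5.1.1 CSRF fix above comes down to one missing call in a bulk-action handler. The following is an added example, not AIOS code: a WP_List_Table subclass showing the unchecked handler beside the hardened one; the table name, capability and class names are assumptions.

```php
<?php
// Added example, not AIOS code: a WP_List_Table bulk-action handler before and after the kind
// of nonce check that 5.1.1 added. Table name, capability and class names are assumptions.
if (!class_exists('WP_List_Table')) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
}
class Example_Blocked_IP_Table extends WP_List_Table {
    public function __construct() {
        // WP_List_Table::display_tablenav() renders wp_nonce_field('bulk-' . $this->_args['plural'])
        // next to the bulk-action dropdown, so that is the action string the handler must verify.
        parent::__construct(array('singular' => 'blocked_ip', 'plural' => 'blocked_ips', 'ajax' => false));
    }
    public function get_columns() {
        return array('cb' => '<input type="checkbox" />', 'ip' => 'IP address');
    }
    // The checkbox column posts the selected database IDs as blocked_ip[].
    public function column_cb($item) {
        return sprintf('<input type="checkbox" name="blocked_ip[]" value="%d" />', $item['id']);
    }
    // BEFORE (the 5.1.1 defect): any request with action=delete and some IDs is honoured, so a
    // crafted link opened by a logged-in admin deletes rows, limited to guessing numeric IDs.
    public function process_bulk_action_insecure() {
        if ('delete' !== $this->current_action()) return 0;
        return $this->delete_rows($this->selected_ids());
    }
    // AFTER: require the capability and the nonce that only this site's own admin page can mint.
    // check_admin_referer() ends the request with the "link has expired" page on failure.
    public function process_bulk_action() {
        if ('delete' !== $this->current_action()) return 0;
        if (!current_user_can('manage_options')) {
            wp_die(esc_html__('Sorry, you are not allowed to do that.', 'example'));
        }
        check_admin_referer('bulk-' . $this->_args['plural']);
        return $this->delete_rows($this->selected_ids());
    }
    private function selected_ids() {
        $raw = isset($_REQUEST['blocked_ip']) ? (array) $_REQUEST['blocked_ip'] : array();
        return array_filter(array_map('absint', $raw));
    }
    // Returns the number of rows deleted. Hypothetical table {$wpdb->prefix}example_blocked_ips.
    private function delete_rows(array $ids) {
        global $wpdb;
        if (empty($ids)) return 0;
        $placeholders = implode(',', array_fill(0, count($ids), '%d'));
        $sql = "DELETE FROM {$wpdb->prefix}example_blocked_ips WHERE id IN ($placeholders)";
        return (int) $wpdb->query($wpdb->prepare($sql, $ids));
    }
}
```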
5.1.0 – 12/October/2022
- FIX: The login loader is visible infinitely on the login screen and administrators can’t log in if the user has enabled maintenance mode and 2FA authentication simultaneously.
- FIX: Pressing the “Disable Firewall” button didn’t clear new 6G firewall rules.
- FIX: The application password was disabled by default on the activation of the AIOS plugin.
- FIX: Fixed the error “Uncaught TypeError: fclose(): Argument #1 ($stream) must be of type resource, bool given in all-in-one-wp-security-and-firewall/classes/wp-security-utility-htaccess.php:164” on servers where the root folder is not writable.
- TWEAK: IP address lookup service whatismyipaddress removed, as the API for bot.whatismyipaddress.com is no longer available.
- TWEAK: The simple math captcha box is no longer shown when the user is filling in the 2FA code at login time.
- TWEAK: Firewall max upload limit default value increased from 10MB to 100MB.
- TWEAK: Google reCaptcha multilingual support implemented so messages are shown in the local language instead of English only.
- TWEAK: Update headings, labels and buttons to match capitalisation style of other plugins.
- TWEAK: Add premium upgrade tab.
5.0.9 – 06/October/2022
- FIX: PHP Notice: Only variables should be passed by reference in /wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-notices.php on line 202.
- TWEAK: Automatically disable login whitelisting on upgrade for all server types and show a related notice.
- TWEAK: 2FA – Warning “Deprecated: Call get_controller(‘totp’), not get_totp_controller()” in /includes/simba-tfa/simba-tfa.php on line 713.
5.0.8 – 29/September/2022
- SECURITY/FEATURE: Fix IP address detection, and give IP address detection settings in the Admin Dashboard > WP Security > Settings > Advanced Settings, provide user guidance on how to use them, and notify the user if any problem is apparent. Versions from 5.0.0 to 5.0.7 had a defect allowing an attacker to spoof their IP address, aiding them in avoiding detection or in locking out legitimate users. Thanks to Calvin Alkan for the responsible disclosure.
- FIX: The 403 forbidden error was shown on the WP login screen if the login URL contained the redirect_to parameter and the deny bad query strings firewall feature was enabled on localhost.
- FIX: The PUT request method was blocked when the user enabled the 6G firewall.
- FIX: The login whitelisting didn’t work on servers not supporting .htaccess files, without this information being displayed in the user interface. The feature is now ported to PHP so that it works on all servers. Thanks to Calvin Alkan for identifying this issue.
- TWEAK: Add index keys to the login lockdown, failed_logins and the permanent block tables to prevent poor database reading performance in the event of vast numbers of rows being stored in these tables (see the “SECURITY” item above, since the defect described there can allow this). Thanks to Calvin Alkan for identifying this issue.
- TWEAK: Resolve a PHP-firewall ‘Unable to locate workspace’ log message.
- TWEAK: Added a constant AIOS_DISABLE_GET_EXTERNAL_IP. Define this in your wp-config.php to disable getting the IP address via an external API when the IP retrieval method fails to get a valid IP address.
- TWEAK: Replace deprecated …
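The 5.0.8 SECURITY item above describes the defender-side problem of trusting a client-supplied header for the visitor’s address. As an added example, not the plugin’s own code, here is IP detection that honours a proxy header only when the configured source names it and the TCP peer is a listed proxy; the setting names, the proxy list and the helper functions are assumptions.

```php
<?php
// Added example, not AIOS code: pick the client IP address so that a client-supplied header cannot
// spoof it. A proxy header is honoured only when the configured source names it AND the TCP peer is
// a proxy the site operator listed. Setting names and the proxy list are assumptions for this example.

/**
 * $source is either 'REMOTE_ADDR' or a $_SERVER key such as 'HTTP_X_FORWARDED_FOR' or
 * 'HTTP_CF_CONNECTING_IP'; $trusted_proxies holds addresses or CIDR ranges allowed to set it.
 * Returns a validated address, or null when not even REMOTE_ADDR is usable.
 */
function example_detect_client_ip(array $server, $source, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? trim($server['REMOTE_ADDR']) : '';
    if (false === filter_var($remote, FILTER_VALIDATE_IP)) return null;
    // The TCP peer address is the safe default: a client cannot forge it without owning the route.
    if ('REMOTE_ADDR' === $source || empty($server[$source])) return $remote;
    // A forwarding header is only meaningful when the peer is one of our own proxies; otherwise
    // the header was written by the client and is ignored (the 5.0.0 to 5.0.7 spoofing class).
    if (!example_ip_in_ranges($remote, $trusted_proxies)) return $remote;
    // X-Forwarded-For is comma-separated and appended per hop. With one trusted proxy in front,
    // the right-most entry is the one that proxy wrote; anything earlier may be client-controlled.
    $hops = array_map('trim', explode(',', $server[$source]));
    $candidate = end($hops);
    return false === filter_var($candidate, FILTER_VALIDATE_IP) ? $remote : $candidate;
}

/** True when $ip (v4 or v6) falls inside any of the given addresses or CIDR ranges. */
function example_ip_in_ranges($ip, array $ranges) {
    $ip_bin = @inet_pton($ip);
    foreach ($ranges as $range) {
        list($net, $bits) = array_pad(explode('/', $range, 2), 2, null);
        $net_bin = @inet_pton($net);
        if (false === $ip_bin || false === $net_bin || strlen($ip_bin) !== strlen($net_bin)) continue;
        $bits = null === $bits ? strlen($net_bin) * 8 : min((int) $bits, strlen($net_bin) * 8);
        $full = intdiv($bits, 8);
        $rest = $bits % 8;
        if (substr($ip_bin, 0, $full) !== substr($net_bin, 0, $full)) continue;
        if (0 === $rest) return true;
        $mask = (0xFF << (8 - $rest)) & 0xFF; // high bits of the partial byte that still matter
        if (((ord($ip_bin[$full]) ^ ord($net_bin[$full])) & $mask) === 0) return true;
    }
    return false;
}

// Constructed requests (documentation addresses). First: the client forged X-Forwarded-For but
// connected directly, so the header is ignored. Second: the same header arrives via the trusted
// proxy, so its right-most hop is used.
$proxies = array('198.51.100.0/24');
$forged  = array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1');
$proxied = array('REMOTE_ADDR' => '198.51.100.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7');
var_dump(example_detect_client_ip($forged, 'HTTP_X_FORWARDED_FOR', $proxies));
var_dump(example_detect_client_ip($proxied, 'HTTP_X_FORWARDED_FOR', $proxies));
```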