Here is the list of the settings removed in iThemes Security 8.0, along with an explanation of why each was removed.
404 Detection
More often than not, the 404 Detection setting ended up locking out legitimate visitors to your site. On sites with lots of broken links, it could even end up blocking crawlers like Googlebot, which is a problem for SEO.
Instead of using 404 Detection, we recommend turning on the Disable PHP Execution settings in System Tweaks. These are now enabled by default in iThemes Security 8.0.
Away Mode
Attackers don’t stop trying to break into your website based on the time of day. The Away Mode feature often created a false sense of website security and caused conflicts with third-party plugins that need access to parts of the WordPress admin at any time of the day. Away Mode represents an outdated approach to security, as much stronger methods are now available for securing the WordPress Admin dashboard.
Instead of using Away Mode, we recommend enforcing strong passwords, enabling reCAPTCHA for your WordPress login, and enabling two-factor authentication so users can protect their accounts.
Change Content Directory
The Change Content Directory setting falls into the category of security by obscurity, but it was a pretty ineffective form at that. When used on an existing site, this feature could break your site, which is ultimately why we decided to remove it.
If you’d still like to use a different content directory, we recommend defining the WP_CONTENT_DIR and WP_CONTENT_URL constants manually when first creating your website.
Multisite Tweaks
This settings module didn’t provide security features, only UI tweaks that aren’t particularly relevant to keeping your website safe and secure.
WordPress Tweaks
WordPress Tweaks are settings designed to harden some of WordPress’s potential soft spots, but these settings are no longer beneficial or are ineffective at providing security in 2021.
Remove Windows Live Writer Header – This feature doesn’t have any security benefit. It could hide the URL to your WordPress install’s wp-includes directory, but this URL is exposed in many other ways. Additionally, knowing that URL doesn’t give attackers a foothold of any significance.
EditURI Header – Hiding the URL of the XML-RPC API on your site is also an ineffective security measure. Instead, we recommend keeping the “Allow Multiple Authentication Attempts per XML-RPC Request” setting disabled in WordPress Tweaks. If you don’t make use of any services that require XML-RPC, you can disable it entirely in WordPress Tweaks.
Comment Spam – The method used to block spam is no longer effective in 2021. Instead, we recommend enabling reCAPTCHA for your comments section.
Login Error Messages – This setting caused significant friction for legitimate users trying to use your site and provided little security protection. Learn why WordPress doesn’t consider disclosing usernames a security issue.
Mitigate Attachment File Traversal Attack – This protection was added to WordPress core.
Protect Against Tabnapping – This protection was added to WordPress core and is no longer exploitable in most browsers.
System Tweaks
These settings have been removed from System Tweaks.
Suspicious Query Strings, Non-English Characters, Long URL Strings – These features provided little deterrence to a motivated attacker and were the most common cause of conflicts with other plugins.
Filter Request Methods – This is no longer a relevant form of protection.
Remove File Writing Permissions – This feature didn’t offer much protection, since the server’s web user would have the ability to change the permissions back. Instead, it would often create conflicts with other plugins and web hosts that expect to be able to write to the wp-config.php or .htaccess files.
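The ownership point above, as an added example (not iThemes Security code): a read-only bit protects a file only from accounts that do not own it. The script audits a constructed sample tree for files whose lock the owning account can lift, then lifts it; mode 0444 and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not iThemes Security code. File names mirror the page;
# mode 0444 is an assumed stand-in for "write permissions removed".

# List files under DIR that lack the owner write bit yet belong to USER
# (name or numeric UID). For that account the read-only bit is cosmetic.
cosmetic_locks() {
    find "$1" -type f -user "$2" ! -perm -200
}

# What any code running as the owning account can do: put the write bit
# back and modify the file. Returns 0 when the write lands.
owner_undoes_lock() {
    chmod u+w "$1" && printf '%s\n' '# written after chmod u+w' >> "$1"
}

# Count lines on stdin, without the padding some wc builds add.
count_lines() { wc -l | tr -d ' '; }

# Constructed sample tree: lock both files, audit, undo, audit again.
# Prints "<locked-before> <locked-after>".
run_demo() {
    dir=$(mktemp -d) || return 1
    me=$(id -u)
    printf '%s\n' '<?php // constructed sample' > "$dir/wp-config.php"
    printf '%s\n' '# constructed sample' > "$dir/.htaccess"
    chmod 0444 "$dir/wp-config.php" "$dir/.htaccess"
    before=$(cosmetic_locks "$dir" "$me" | count_lines)
    for f in "$dir/wp-config.php" "$dir/.htaccess"; do
        owner_undoes_lock "$f" || { rm -rf "$dir"; return 1; }
    done
    after=$(cosmetic_locks "$dir" "$me" | count_lines)
    rm -rf "$dir"
    printf '%s %s\n' "$before" "$after"
}

run_demo
```

On a real host, pass the site root and the account PHP runs as to `cosmetic_locks`; every path it prints is a file whose read-only mode that account can reverse.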
Miscellaneous Settings
The Backup Full Database setting in the Database Backups module has been removed. The Database Backups module is a simple tool for making backups of your WordPress site, but it isn’t a general database management tool. If you have multiple WordPress sites sharing the same database table, we instead recommend configuring backups on each site separately. This will give you smaller and more relevant backups that will be easier to restore from if something goes wrong.
The SSL module no longer has fine-grained controls for determining which parts of your website should use SSL; instead, it enforces SSL for your entire site when enabled. Your whole site should be protected behind HTTPS; otherwise, you’re leaving sections of your website unsafe and causing your SEO to suffer.
The Strengthen when Outdated setting has been removed from the Version Management module. This setting overrode your choices in WordPress Tweaks for how your site should be protected. It also caused confusion with the Two-Factor setting that requires users to use Two-Factor when your site is running outdated software. Instead, we recommend enabling “Disable File Editor”, keeping “Allow Multiple Authentication Attempts per XML-RPC Request” turned off, and disabling XML-RPC as appropriate at all times.