9.3.1

• February 12th, 2025
• Improvement: Not able to use email needed functions when email is not yet verified.
• Fix: All instruction links are now correct.
• Fix: Undefined array key “m” when showing vulnerability details.
• Fix: Prevent errors when downgrading to free.
• Fix: Compatibility between 2FA and JetPack “Log in using WordPress.com account” setting

9.2.0

• January 20th, 2025
• Fix: Added nonce check to certificate re-check button.
• Fix: In some cases the review notice was not properly dismissible.

9.1.4

• Improvement: do not track 404’s for logged in users
• Improvement: implemented the rsssl_wpconfig_path filter in all wp-config functions
• Improvement: Faster onboarding completion after clicking Finish button
• Improvement: CSS. Shields in user interface on datatables are no longer cut off

9.1.3

• November 28th
• Improvement: Width Vulnerabilities -> configuration
• Improvement: 2Fa lockout notice
• Improvement: catch use of short init in advanced-headers file
• Improvement: string improvements and translator comments
• Improvement: Bitnami support for rsssl_find_wordpress_base_path()
• Improvement: integrate Site health notifications with Solid Security
• Improvement: Enhanced random password generation in Rename Admin User feature
• Improvement: Always return string in wpconfig_path() function
• Improvement: Removes configuration options for a user in edit user.
• Fix: Remove duplicate site URL.
• Fix: ensure rsssl_sanitize_uri_value() function always returns a string, to prevent errors.
• Fix: multisite users who have enabled roles couldn’t use the 2fa if an other role than theirs has been forced.
• Fix: The ‘Skip Onboarding’ button presented an undefined page after selecting the email method as an option.
• Fix: Update translation loading according to the new 6.7 method.

9.1.2

• security: authentication bypass

9.1.1.1

• November 5th, 2024
  *Improvement: updated black friday dates

9.1.1

• November 5th, 2024
• Improvement: setting a rsssl-safe-mode.lock file now also enables safe mode and deactivates the Firewall, 2FA and LLA for debugging purposes.
• Improvement: update to system status
• Improvement: textual changes
• Improvement: Updated instructions URLs
• Improvement: Changed site health notices from critical to recommended
• Improvement: dropped obsolete react library
• Fix: fixed a bug where the 2FA grace period was kept active after a reset

9.1.0

• October 22nd
• Improvement: Allow scanning for security headers via http://scan.really-simple-ssl.com with one click
• Improvement: Remove unnecessary rsssl_update_option calls.
• Fix: prevent potential errors with login feedback..
• Fix: Catch type error when $transients is not an array.

9.0.2

• Fix: issue with deactivating 2fa

9.0.0

• September 16th
• Fix: Instructions URL in the Firewall settings.
• Fix: Fixed incorrect instructions URL
• Fix: Let’s Encrypt returning an old certificate on auto-renewed certificates
• Improvement: As the X-Frame-Options is deprecated and replaced by frame ancestors, we drop the header as recommendation.
• Improvement: save and continue in vulnerabilities overview not working correctly

8.3.0.1

• Fix: Issues with the decryption model

8.3.0

• August 12th, 2024
• Feature: Password security scan. This feature scans your users for weak passwords, and allows you to enforce non-compromised passwords.
• Fix: Fixed some strings that were not translatable. This has been resolved.
• Fix: Premium support link did not work. Now links to the correct page.
• Improvement: Disable the cron schedules on deactivation.
• Fix: Links in emails were sometimes not correct. This has been fixed.
• Fix: Fatal error on permission detection. This has been resolved.
• Improvement: Custom header for the license checks for better compatibility with some hosting environments.
• Improvement: Added option to disable X-powered-by header.
• Improvement: New improved encryption method for some settings.

8.1.5

• June 21th, 2024
• Fix: documentation links to website broken
• Improvement: some text changes in helptexts
• Improvement: new structure to upgrade database tables

8.1.4

• June 11th, 2024
• Improvement: dropdown in onboarding not entirely visible
• Improvement: Styling of locked XML RPC overview
• Fix: Not loading cookie expiration change
• Fix: Visual Composer compatibility icw Enforce Strong Password
• Fix: Multiple CloudFlare detected notices in onboarding
• Fix: Checkbox position in onboarding

8.1.3

• May 16th, 2024
• Fix: WP Rocket compatibility causing an issue when advanced-headers.php does not exist

8.1.2

• May 16th, 2024
• Fix: upgrade advanced-headers.php file to allow early inclusion of the file. The ABSPATH defined check causes in issue for early inclusion, so must be removed.

8.1.1

• May 14th, 2024
• New: detection of non-recommended permissions on files
• New: Configure region restrictions for your site
• Improvement: Textual change on premium overlay
• Improvement: Upgraded minimum required PHP version to 7.4
• Improvement: compatibility with Bitnami
• Improvement: compatibility of Limit Login Attempts with Woocommerce
• Improvement: remove duplicate X-Really-Simple-SSL-Test from advanced-headers-test.php
• Improvement: clear notice about .htaccess writable if do_not_edit_htaccess is enabled
• Fix: upgrade from <6.0 version to >8.0 causing a fatal error
• Fix: URL to details of detected vulnerabilities was incorrect

8.1.0

• Improvement: some string corrections
• Fix: show ‘self’ as default in Frame Ancestors
• Improvement: catch not existing rsssl_version_compare
• Improvement: check for openSSL module existence
• Improvement: set default empty array for options, for legacy upgrades
• Improvement: disable custom login URL when plain permalinks are enabled
• New: Limit Login Attempts Captcha integration
• Improvement: drop renamed folder notice, not needed anymore
• Improvement: enable advanced headers in onboarding
• Improvement: is_object check in updater

8.0.1

• Fix: enable 2FA during onboarding when not selected by user
• Improvement: better CSP defaults
• Fix: on upgrade to pro, free settings were cleared if “clear settings on deactivation” was enabled
• Fix: catch several array key not existing errors

8.0.0

• New: hide remember me checkbox
• New: extend blocking of malicious admin creation to multisite
• Improvement: drop prefetch-src from Content Security Policy
• Improvement: disable two-fa when login protection is disabled

7.2.8

• Fix: clear cron schedules on deactivation
• Improvement: translations update
• Notice: inform users about upcoming merge of free and pro plugin, not action needed, everything will be handled automatically

7.2.7

• Improvement: added integration with FlyingPress and Fastest Cache
• Improvement: fix exiting a filter, causing a compatibility issue with BuddyPress

7.2.6

• Improvement: text changes
• Improvement: css on login error message
• Improvement: header detection improved by always checking the last url in the redirect chain
• New: Added option to limit login cookie expiration time
• Fix: custom 404 pages i.c.w. custom login url

7.2.5

• Fix: IP detection header order
• Fix: table creation on activation of LLA module

7.2.4

• Fix: PHP warning in Password Security module
• Fix: change login url feature not working with password protected pages
• Improvement: move database table creation to Limit Login Attempts module
• Improvement: prevent php error caused by debug.log file hardening feature

7.2.3

• Fix: CSP data not showing in datatable

7.2.2

• Improvement: improved check for PharData class

7.2.1

• Fix: Config for CSP preventing Learning mode from completing
• Fix: datatable styling
• Fix: using deactivate_https with wp-cli did not remove htaccess rules
• Improvement: add query parameter to enforce email verification &rsssl_force_verification
• Improvement: css for check certificate manually button

7.2.0

• Fix: changed link to article
• Fix: remove flags .js file which was added twice, props @adamainsworth
• Fix: typo in missing advanced-headers.php notice
• Improvement: catch php warning when script src is empty when using hide wp version, props @chris-yau
• Improvement: new save & continue feedback
• Improvement: datatable styling
• Improvement: new react based modal
• Improvement: menu re-structured
• Improvement: re-check vulnerability status after core update
• Improvement: link in the email security notification to the vulnerability page instead of to a general explanation

7.1.3

• October 11th 2023
• Fix: React ErrorBoundary preventing Let’s Encrypt generation to complete.

7.1.2

• October 6th 2023
• Fix: hook change in integrations loader causing modules not to load. props @rami5342

7.1.1

• October 5th 2023
• Fix: incorrect function usage, props @heutger

7.1.0

• October 4th 2023
• Improvement: detection if advanced-headers.php file is running

7.0.9

• September 5th 2023
• Improvement: typo update word
• Improvement: translatability in several strings.

7.0.8

• August 8th 2023
• Improvement: WordPress tested up to 6.3
• Improvement: improve file existence check json
• Fix: handling of legacy options in php 8.1
• Fix: count remaining tasks

7.0.7

• July 25th 2023
• Improvement: modal icon placement in wizard on smaller screens
• Improvement: expire cached detected headers five minutes after saving the settings
• Fix: handling of legacy options in php 8.1
• Fix: prevent issues with CloudFlare when submitting support form from within the plugin
• Fix: translations singular/plural for japanese translations @maboroshin

7.0.6

• July 4th 2023
• Improvement: support custom wp-content directory in advanced-headers.php
• Improvement: prevent usage of subdirectories in custom login url
• Fix: translations not loading for chunked react components
• Improvement: add option to manually re-check vulnerabilities ‘&rsssl_check_vulnerabilities’, props @fawp

7.0.5

• Fix: some users with a non www site reporting issues on the login page over http://www, due to the changes in the wp redirect. Reverting to the old method. props @pedalnorth, @mossifer.

7.0.4

• June 14th 2023
• Improvement: notice informing about the new free vulnerability detection feature
• Improvement: improved the php redirect method
• Improvement: make the wp-config.php not writable notice dismissable
• Fix: feedback on hardening features enable action not showing as enabled, props @rtpHarry

7.0.3

• Fix: fix false positives on some plugins
• Improvement: vulnerability notifications in site health, if notifications are enabled.

7.0.2

• Improvement: improve matching precision on plugins with vulnerabilities.

7.0.1

• Fix: When the Rest API is not available, the ajax fallback should kick in, which didn’t work correctly in 7.0. props @justaniceguy

7.0.0

• New: Vulnerability Detection is in Beta – Read more or Get Started
• Improvement: move onboarding rest api to do_action rest_route
• Improvement: catch several edge situations in SSL Labs api
• Improvement: SSL Labs block responsiveness
• Improvement: more robust handling of wp-config.php detection

6.3.0

• Improvement: added support for the new Let’s Encrypt staging environment

6.2.5

• Improvement: add warning alert option
• Fix: capability mismatch in multisite. props @verkkovaraani

6.2.4

• Improvement: optionally enable notification emails in onboarding wizard
• Improvement: onboarding styling
• Fix: catch non array value from notices array, props @kenrichman
• Fix: typo in documenation link, props @bookman53

6.2.3

• Improvement: Changed Back-end react to functional components
• Improvement: multisite notice should link to network admin page
• Improvement: detect existing CAA records to check Let’s Encrypt compatibility
• Improvement: tested up to wp 6.2
• Improvement: UX improvement learning mode

6.2.2

• Fix: capability mismatch for a non administrator in multisite admin, props @jg-visual

6.2.1

• Fix: race condition when activating SSL through wp-cli, because of upgrade script
• Fix: missing disabled state in textarea and checkboxes
• Fix: some strings not translatable
• Fix: Let’s Encrypt renewal with add on
• Improvement: permissions check re-structuring
• Improvement: notice on subsite within multisite environment about wildcard updated

6.2.0

• New: optional email notifications on advanced settings
• Improvement: added tooltips
• Improvement: added warnings for .htaccess redirect
• Improvement: don’t send user email change on renaming admin user, as the email doesn’t actually change
• Improvement: Use BASEPATH only for wp-load.php, so symlinked folders will load based on ABSPATH
• Improvement: Improved support for environments where Rest API is blocked

6.1.1

• Fix: WP CLI not completing SSL when because site_has_ssl option is not set if website has not been visited before, props @oolongm
• Improvement: prevent ‘undefined’ status showing up in api calls on settings page
• Improvement: show notice if users are using an <2.0 Let’s Encrypt shell add-on which is not compatible with 6.0

6.1.0

• Improvement: some UX changes
• Improvement: Limit number of notices in the dashboard
• Improvement: load rest api request url over https if website is loaded over https
• Fix: empty menu item visible in Let’s Encrypt menu

6.0.14

• Fix: settings page when using plain permalinks, props @mvsitecreator, props @doug2son

6.0.13

• Improvement: improve method of dropping empty menu items in settings dashboard
• Improvement: dynamic links in auto installer
• Improvement: Let’s Encrypt Auto installer not working correctly, props @mirkolofio
• Improvement: change rest_api method to core wp apiFetch()
• Improvement: scroll highlighted setting into view after clicking “fix” on a task
• Improvement: run http method test in batches, and set a default, to prevent possibility of curl timeouts on systems with CURL issues
• Improvement: clean up code-execution.php file after test, props @spinhead
• Improvement: give notification if ‘DISABLE_FILE_EDITING’ is set to false in the wp-config.php props @joeri1977
• Improvement: drop some unnecessary translations
• Improvement: set better default, and change transients to option for more persistent behavior in wp version test, props @photomaldives
• Fix: Burst Statistics not activating after installation
• Fix: CSS for blue labels in progress dashboard below 1080px
• Fix: WPCLI SSL activation not working due to capability checks, props @oolongm
• Fix: catch invalid account error in Let’s Encrypt generation, props @bugsjr
• Fix: do not block user enumeration for gutenberg

6.0.12

• Fix: on multisite, the test for users with admin username did not use the correct prefix, $wpdb->base_prefix, props @jg-visual
• Improvement: allow submenu in back-end react application
• Improvement: Skip value update when no change has been made
• Improvement: no redirect on dismiss of admin notice, props @gangesh, @rtpHarry, @dumel
• Improvement: remove obsolete warning
• Improvement: qtranslate support on settings page

6.0.11

• Fix: on some environments, the HTTP_X_WP_NONCE is not available in the code, changed logged in check to accomodate such environments
• Fix: dismiss on admin notices not immediately dismissing, requiring dismiss through dashboard, props @dumel

6.0.10

• Fix: Apache 2.4 support for the block code execution in the uploads directory hardening feature, props @overlake
• Fix: When used with Varnish cache, Rest API get requests were cached, causing the settings page not to update.
• Fix: Ensure manage_security capability for users upgraded from versions before introduction of this capability
• Fix: allow for custom rest api prefixes, props @coderevolution
• Fix: bug in Let’s Encrypt generation with DNS verification: saving of ‘disable_ocsp’ setting, create_bundle_or_renew action with quotes
• Fix: change REST API response method to prevent script errors on environments with PHP warnings and errors, causing blank settings page
• Improvement: Simplify user enumeration test
• Improvement: catch unexpected response in SSL Labs object
• Improvement: z-index on on boarding modal on smaller screen sizes, props @rtpHarry
• Improvement: hide username field if no admin username is present, props @rtpHarry

6.0.9

• Fix: incorrectly disabled email field in Let’s Encrypt wizard, props @cburgess
• Improvement: on rename admin user, catch existing username, and strange characters
• Improvement: catch openBaseDir restriction in cpanel detection function, props @alofnur
• Improvement: remove 6.0 update notices on subsites in a multisite network, props @wpcoderca, (@collizo4sky

6.0.8

• Improvement: Lets Encrypt wizard CSS styling
• Improvement: re-add link to article about Let’s Encrypt so users can easily find the URL
• Improvement: let user choose a new username when selecting “rename admin user”

6.0.7

• Fix: restrict conditions in which htaccess rewrite runs, preventing conflicts with other rewriting plugins

6.0.6

• Fix: drop upgrade of .htaccess file in upgrade script

6.0.5

• Fix: race condition in .htaccess update script, where multiple updates simultaneously caused issues with the .htaccess file

6.0.4

• Fix: using the .htaccess redirect in combination with the block code execution in uploads causes an issue in the .htaccess redirect
• Fix: deactivating Really Simple SSL does not completely remove the wp-config.php fixes, causing errors, props @minalukic812

6.0.3

• Fix: Rest Optimizer causing other plugins to deactivate when recommended plugins were activated, props @sardelich

6.0.2

• Fix: do not show WP_DEBUG_DISPLAY notice if WP_DEBUG is false, props @janv01
• Fix: empty cron schedule, props @gilvansilvabr
• Improvement: several typo’s and string improvements
• Fix: auto installer used function not defined yet
• Fix: rest api optimizer causing an error in some cases @giorgos93

6.0.1

• Fix translations not loading for scripts

6.0.0

• Tested up to WordPress 6.1.0
• Improvement: User Interface
• New: Server Health Check – powered by SSLLabs
• New: WordPress Hardening Features