THE TOP RATED WORDPRESS SECURITY AND FIREWALL PLUGIN
All-in-One Security (AIOS) is a security plugin designed especially for WordPress, now brought to you from the team at UpdraftPlus.
Customers love All-In-One Security because it’s easy to use, and it does a whole lot for free.
All-In-One Security gives you Login Security Tools, to keep bots at bay and protect your website from brute force attacks.
Our Web Application Firewall gives you automatic protection from security threats.
Content Protection Features protect what you’ve worked so hard to build; All-In-One Security eliminates comment spam and prevents other websites from stealing your content with features like iFrame prevention and copy protection.
Still on the fence?
We’re currently the Only WordPress Security Plugin with a 5 Star user rating across more than 1 million installs.
Our security team maintains a list of known exploits, actively building protections against them and releasing these as new firewall rules to free and paying customers, at the same time.
We’re already the world’s number one for backups, so you know you can trust us with the security of your website too.
LOGIN SECURITY FEATURE SUITE
Protect against brute-force attacks and keep bots at bay. All-In-One Security takes WordPress’ default login security features to a whole new level.
Supports best practice: All-In-One Security detects if an account still uses the default ‘admin’ username, or if a user’s login name and public display name are identical (the display name is printed on posts, so a matching login name hands attackers half the credential), and prompts the user to change this.
Hide login page from bots: Configure a custom URL for the WordPress login page, so automated scanners that hit /wp-login.php and /wp-admin by default do not find it. This cuts noise rather than stopping a determined attacker; the lockout and two-factor features below do that.
Change default wp_ prefix: Automated attack tools and canned SQL injection payloads assume the default wp_ table prefix (wp_users, wp_options and so on). Changing it with this simple AIOS feature breaks those assumptions and makes life harder for them; it is hardening, not a substitute for fixing injectable code.
Login lockout: Users making repeated failed login attempts can be locked out for a configured period of time; attempts with invalid (non-existent) usernames can be locked out too. See a list of all locked-out addresses and unlock with one click.
Reporting: All-In-One Security provides a wealth of information about website users. View activity by username, IP address, login and logout dates and times. See a list of users currently logged in, and a list of all failed login attempts.
Force logouts: Ensure users don’t stay logged in indefinitely. With All-In-One Security you can force logouts for all users after a configurable amount of time.
Robot verification: For additional security and to prevent spam registrations, add Cloudflare Turnstile, Google reCAPTCHA, a plain maths CAPTCHA or a honeypot to registration pages, or enable manual approval of user accounts instead.
Stops user enumeration: Blocks requests that probe author permalinks (for example ?author=1, which WordPress normally redirects to /author/<login-name>/), so external users and bots cannot harvest valid usernames for brute-force attempts.
Two-factor authentication: All-In-One Security TFA uses standard TOTP codes, so it works with Google Authenticator, Microsoft Authenticator, Authy and any other TOTP app.
Password strength tool: Estimates how long a brute-force attack would take to crack a given password.
General visitor lockout: Put your site into “maintenance mode” and lock down the front-end to all visitors. This can be useful while doing back-end tasks, like performing site upgrades or investigating security threats.
WordPress Salts Security Feature Extended: The WordPress salts in wp-config.php are mixed into the keys that sign login cookies and nonces, not into stored password hashes. All-In-One Security appends a 64-character postfix to them and rotates it weekly, so a stolen or forged authentication cookie stops working at the next rotation (rotation also signs every user out, so time it accordingly).
FIREWALL & FILE PROTECTION SECURITY SUITE
A Web Application Firewall (WAF) is your website’s first line of defence, protecting your site by monitoring traffic and blocking malicious requests.
Progressively activate firewall settings: Rules are grouped into basic, intermediate and advanced levels that you can switch on in stages, checking that the site still works after each.
Automatic protection from the latest threats: Our team maintains a list of known exploits, actively building protections against them which are then released as new firewall rules to free and paying customers.
6G blacklist: All-In-One Security incorporates ‘6G Blacklist’ firewall rules, protecting your site against a known list of malicious URL requests, bots, spam referrers and other attacks (courtesy of Perishable Press).
Protect against fake Google bots: Bots that spoof the Googlebot user agent to scrape your content and litter your pages with comment spam are caught by checking that the request’s source IP reverse-resolves to a Google hostname (a user-agent string alone proves nothing) and blocked by the All-In-One Security Web Application Firewall.
Blacklist functionality: Ban users by IP address, IP address range or by specifying user agents.
Prevent DDoS attacks: Blocks abuse of the WordPress XML-RPC pingback method, which attackers have long used to make your server send HTTP requests at a third-party victim as part of a distributed denial-of-service attack, and which is an unnecessary exposure on most sites.
Prevent image hotlinking: Protect server bandwidth and your website’s content by preventing other sites from using your imagery via hotlinking.
Cross-site scripting (XSS) protection: The firewall rejects requests that try to inject script into your website through specially crafted cookie values.
File change detection: The file scanner alerts you to changes in your WordPress files, so you can judge whether a change (a legitimate update, or an injected backdoor) is expected and investigate as appropriate.
Disable PHP file editing: Protect your PHP code by disabling the ability to edit files in the WordPress administration area.
Permission setting alerts: Identify files or folders where the permission settings are not secure and correct with one-click.
Ability to create custom rules: Advanced users can add custom rules to block access to various resources on your site.
Access prevention: Block external requests for the readme.html, license.txt and wp-config-sample.php files of your WordPress site; readme.html in particular discloses the installed WordPress version to anyone who fetches it.
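The fake-Googlebot protection above only works if the source address is verified rather than the User-Agent string, which any client can send. The following is an added Python example of that verification (forward-confirmed reverse DNS); it is not code from AIOS or UpdraftPlus. The DNS data is constructed, the resolver functions are injected so it runs offline, and the policy of failing open when the resolver itself is unavailable is my assumption, chosen to keep a broken resolver from blocking real Googlebot while still rejecting addresses that have no PTR record at all.

```python
"""Added example (not AIOS code): forward-confirmed reverse DNS check for
requests whose User-Agent claims to be Googlebot.

Google documents that genuine crawler IPs reverse-resolve to a name under
googlebot.com or google.com, and that the name resolves forward to the same
IP. The resolver callables are injected so the check can run offline against
the constructed DNS data below; in production you would wrap
socket.gethostbyaddr and socket.gethostbyname_ex (deployment not shown).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


class ResolverUnavailable(Exception):
    """DNS itself failed (timeout, or the host has disabled lookups)."""


@dataclass
class Verdict:
    decision: str   # "allow", "allow-unverified" or "block"
    reason: str


def claims_googlebot(user_agent: str) -> bool:
    return "googlebot" in user_agent.lower()


def verify_googlebot(ip: str,
                     reverse: Callable[[str], Optional[str]],
                     forward: Callable[[str], List[str]]) -> Verdict:
    """reverse(ip) returns the PTR name or None for NXDOMAIN; forward(name)
    returns the A/AAAA addresses. Either may raise ResolverUnavailable."""
    try:
        ptr = reverse(ip)
    except ResolverUnavailable:
        # Assumed policy: a broken resolver must not block real Googlebot,
        # so fail open but mark the request unverified for rate limiting.
        return Verdict("allow-unverified", "reverse DNS unavailable")
    if not ptr:
        # Genuine Googlebot always has a PTR record; none at all means spoofed.
        return Verdict("block", "no PTR record for " + ip)
    name = ptr.rstrip(".").lower()
    if not name.endswith(GOOGLE_SUFFIXES):
        return Verdict("block", "PTR " + name + " is not a Google hostname")
    try:
        addrs = forward(name)
    except ResolverUnavailable:
        return Verdict("allow-unverified", "forward DNS unavailable")
    if ip not in addrs:
        # Anyone who controls their own reverse zone can publish a Google-looking
        # PTR; only the forward confirmation closes that hole.
        return Verdict("block", "forward lookup of " + name + " does not include " + ip)
    return Verdict("allow", "FCrDNS confirmed " + name)


def check_request(ip: str, user_agent: str, reverse, forward) -> Verdict:
    if not claims_googlebot(user_agent):
        return Verdict("allow", "does not claim to be Googlebot")
    return verify_googlebot(ip, reverse, forward)


# Constructed DNS data: documentation address ranges and invented PTR names.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",   # genuine crawler
    "203.0.113.7": "crawl-192-0-2-10.googlebot.com.",  # attacker-controlled reverse zone
    "198.51.100.9": None,                              # no PTR at all
    "198.51.100.44": "vps44.example.net.",             # ordinary host
}
A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "vps44.example.net": ["198.51.100.44"],
}
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def stub_reverse(ip: str) -> Optional[str]:
    if ip == "192.0.2.99":           # simulate a resolver outage for this address
        raise ResolverUnavailable()
    return PTR.get(ip)


def stub_forward(name: str) -> List[str]:
    return A.get(name, [])


def decide(ip: str) -> str:
    """Decision for a request from ip that carries the Googlebot User-Agent."""
    return check_request(ip, UA_GOOGLEBOT, stub_reverse, stub_forward).decision


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.9", "198.51.100.44", "192.0.2.99"):
        v = check_request(ip, UA_GOOGLEBOT, stub_reverse, stub_forward)
        print(ip, v.decision, "-", v.reason)
```

The three block cases are the ones that matter in practice: no PTR, a PTR outside Google’s domains, and a Google-looking PTR whose forward lookup points elsewhere. Only the last case is caught by the forward confirmation step, which is why a reverse lookup alone is not enough.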
CONTENT PROTECTION SECURITY SUITE
Eliminate spam, and protect your WordPress content and your search engine rankings, with these important security features from All-In-One Security.
Comment spam prevention: Webpages littered with spam comments damage your brand, affect the user experience and impact SEO.
All-In-One Security stops spam at the source by rejecting comment submissions that do not originate from your own domain (a check on the request’s referer, which defeats bots that post directly to the comment handler), and can automatically and permanently block the IP addresses of spammers. Site owners can also add Cloudflare Turnstile or Google reCAPTCHA to the comment form and block malicious users with just one click.
iFrame protection: Stops other websites from embedding your pages in an iframe. Besides protecting your intellectual property, this is the standard defence against clickjacking, where a visitor is tricked into clicking on your site through an invisible overlay.
Copy protection: Deters casual copying by disabling right-click, text selection and copy on the front end. This is client-side JavaScript, so it stops nobody who disables scripts or reads the page source; treat it as a deterrent, not a control.
Disable RSS and Atom Feeds: RSS and Atom Feeds can be used by bots to ‘scrape’ your website content and present it as their own. This feature prevents that by disabling RSS and Atom Feeds on your website.
LATEST AND GENERAL SECURITY FEATURES
Audit Log: The All-In-One Security audit log gives Admins a view of events taking place on their WordPress website. They can see if anything strange is happening and detect security risks. For example, you can see if a plugin or theme has been added, removed, updated, activated or deactivated without your knowledge or consent.
INTERESTED IN AIOS PREMIUM?
For even greater protections, consider All-In-One Security (AIOS) Premium. It’s one of the most cost-effective and comprehensive WordPress Security plugins on the market and extends the powers of ‘Free’ with:
MALWARE SCANNING (Premium only)
Finding out by accident that your website’s security has been compromised due to malware is too late.
Malware can have a dramatic effect on search rankings. It can slow your site down, access customer data, send unsolicited emails, change your content or prevent users from accessing it.
Alerts you to blacklisting: Search engines can very quickly blacklist a site hacked with malicious code. All-In-One Security Premium monitors your site’s status daily and alerts you if you’ve been blacklisted.
Notification if something is amiss: We’ll notify you of any malware issues within 24 hours so you can take action, before it’s too late.
Response time monitoring: You’ll know immediately if website response time is negatively affected.
Up-time monitoring: All-In-One Security checks website uptime every 5 minutes. We’ll notify you if your site/server goes down.
Flexible assignment: Register and remove WordPress sites from security scanning at any time.
Security Reports: Security Reports are available via the ‘My Account’ page and directly via email.
FLEXIBLE TWO-FACTOR AUTHENTICATION (PREMIUM ONLY)
TFA is included in the free plugin. All-In-One Security Premium adds much finer control over how it is enforced:
Role specific configuration: Make TFA compulsory for certain roles, e.g. for admin and editor roles.
Require TFA after set time period: For example, you could require all admins to have TFA once their accounts are a week old.
Trusted Devices: Ask for TFA after a chosen number of days for trusted devices instead of on every login.
Anti-bot Protection: Option to hide the existence of forms on WooCommerce login pages unless JavaScript is active.
Customise design layout: Customise the design of TFA so that it aligns with your existing web design.
Emergency Codes: Generate a one-time use emergency code to allow access if your device is lost.
Multisite Compatible: Compatible with WordPress multisite networks and sub-sites.
Support for login forms: Works with WooCommerce, Affiliates-WP, Elementor Pro, bbPress, ‘Theme my Login’ and other third-party login forms without any further coding.
SMART 404 BLOCKING (PREMIUM ONLY)
404 errors occur when someone legitimately mistypes a URL, but they’re also generated by hackers searching for security weaknesses in your site.
Block bots producing 404s: All-In-One Security Premium automatically and permanently blocks IP addresses of bots and hackers based on how many 404 errors they generate.
Reporting: Handy charts keep you informed of how many 404s have occurred and which IP address or country is producing them.
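The login lockout and smart 404 blocking features both come down to the same detection: count strikes per IP address inside a sliding window, lock the address when a threshold is crossed, and skip addresses that are allowlisted or already locked. Here is that logic as an added Python example run over constructed access-log lines; it is not the plugin’s code. The threshold, window, lock duration, the 10.0.0.0/8 allowlist and the rule that a 200 response to a POST on wp-login.php counts as a failed login (WordPress answers a successful login with a 302 redirect and re-renders the form on failure) are my assumptions for illustration.

```python
"""Added example (not AIOS code): sliding-window lockout for IP addresses that
generate too many 404s or failed logins, run over constructed Apache
combined-format log lines. Thresholds and the failed-login heuristic are
assumptions chosen for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], m["status"])


def is_strike(method, path, status):
    """A 404, or a POST to wp-login.php answered with 200 (form re-rendered,
    i.e. the login failed; success is a 302 redirect)."""
    return status == "404" or (method == "POST"
                               and path.split("?")[0] == "/wp-login.php"
                               and status == "200")


class Lockout:
    def __init__(self, threshold, window, duration, allowlist=()):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.allow = [ip_network(a) for a in allowlist]
        self.strikes = defaultdict(deque)   # ip -> timestamps inside the window
        self.locked = {}                    # ip -> lock expiry

    def allowlisted(self, ip):
        return any(ip_address(ip) in net for net in self.allow)

    def is_locked(self, ip, now):
        exp = self.locked.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self.locked[ip]             # lock has expired: forget it
            return False
        return True

    def observe(self, ip, ts):
        """Record one strike; return the expiry if this strike caused a lock."""
        if self.allowlisted(ip) or self.is_locked(ip, ts):
            return None                     # never lock allowlisted or already-locked IPs
        q = self.strikes[ip]
        q.append(ts)
        while ts - q[0] > self.window:      # drop strikes older than the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            self.locked[ip] = ts + self.duration
            return self.locked[ip]
        return None


def process_log(lines, lockout):
    """Feed every strike to the lockout; return [(ip, expiry)] for new locks."""
    new_locks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if is_strike(method, path, status):
            exp = lockout.observe(ip, ts)
            if exp:
                new_locks.append((ip, exp))
    return new_locks


# Constructed log: a scanner probing for backups, a real visitor with one typo,
# and an allowlisted admin host producing many 404s.
SAMPLE_LOG = """\
198.51.100.23 - - [05/Mar/2024:10:00:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [05/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.5 - - [05/Mar/2024:10:00:03 +0000] "GET /blog/old-post HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Mar/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [05/Mar/2024:10:00:04 +0000] "GET /wp-content/debug.log HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [05/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
198.51.100.23 - - [05/Mar/2024:10:00:06 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
10.0.0.4 - - [05/Mar/2024:10:00:07 +0000] "GET /typo1 HTTP/1.1" 404 196 "-" "curl/8.4.0"
10.0.0.4 - - [05/Mar/2024:10:00:07 +0000] "GET /typo2 HTTP/1.1" 404 196 "-" "curl/8.4.0"
10.0.0.4 - - [05/Mar/2024:10:00:08 +0000] "GET /typo3 HTTP/1.1" 404 196 "-" "curl/8.4.0"
10.0.0.4 - - [05/Mar/2024:10:00:08 +0000] "GET /typo4 HTTP/1.1" 404 196 "-" "curl/8.4.0"
10.0.0.4 - - [05/Mar/2024:10:00:09 +0000] "GET /typo5 HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.5 - - [05/Mar/2024:10:00:10 +0000] "GET /blog/new-post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def run_example():
    lo = Lockout(threshold=5, window=timedelta(minutes=5),
                 duration=timedelta(hours=1), allowlist=["10.0.0.0/8"])
    new_locks = process_log(SAMPLE_LOG.splitlines(), lo)
    return {"new_locks": [(ip, exp.isoformat()) for ip, exp in new_locks],
            "locked_ips": sorted(lo.locked),
            "strikes_pending": {ip: len(q) for ip, q in lo.strikes.items() if q}}


if __name__ == "__main__":
    print(run_example())
```

The scanner is locked on its fifth strike (four 404s plus one failed login) and its sixth request is ignored rather than extending the lock; the single-typo visitor keeps one pending strike that ages out of the window; the allowlisted host is never counted. Locking on a mix of 404s and failed logins, rather than on either alone, is what catches scanners that interleave path probing with credential guessing.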
COUNTRY BLOCKING (PREMIUM ONLY)
Most automated attacks on a given site come from a handful of countries, so blocking them removes much of the noise. Attackers can route traffic through VPNs and proxies elsewhere, so treat country blocking as a filter, not a guarantee.
* Block traffic based on country of origin: All-In-One Security Premium utilises an IP database that promises 99.5% accuracy.
* Block traffic to specific pages: Block access to your whole WordPress site or on a page-by-page basis.
* Whitelist some users from blocked countries: Whitelist IP addresses or IP ranges even if they are part of a blocked country.
PREMIUM SUPPORT
Unlimited support: Personalised, email support as and when you need it.
Fastest response times: We offer a response time of three days; 99% of All-In-One Security Premium customers receive a response to their enquiry within 24 hours.
Plugin Support
If you have a question or problem with the All-In-One Security plugin, post it on the support forum and we will help you. Premium customers can log queries directly with the team via aiosplugin.com
Developers
If you are a developer and you need some extra hooks or filters for this plugin then let us know.
Translations
All-In-One Security plugin can be translated to any language.
Currently available translations:
English
German
Spanish
French
Hungarian
Italian
Swedish
Russian
Chinese
Portuguese (Brazil)
Persian
Privacy Policy
This plugin may collect IP addresses for security reasons such as mitigating brute force login threats and malicious activity.
The collected information is stored on your server. No information is transmitted to third parties or remote server locations.
Usage
Go to the settings menu after you activate the plugin and follow the instructions.
Customers of ‘Free’ AIOS can get support from this very webpage. Select ‘Support’ from the tabs above and post a topic. We aim to respond to all support requests within 24 hours during the working week.
Is All-In-One Security compatible with other plugins?
Yes. AIOS works smoothly with most popular WordPress plugins.
Is All-in-One-Security regularly updated?
Yes. WordPress Security is something that evolves over time. We update AIOS with new security features (and fixes if required) on a regular basis so you can be assured that your site will keep benefitting from new security protection techniques for as long as you need them.
Will All-In-One Security slow down my website?
No.
Should I install All-In-One Security for free or should I purchase AIOS Premium?
The decision is yours to make. ‘Free’ AIOS incorporates a web application firewall, comprehensive login security tools including two-factor authentication and all the latest recommended WordPress security practices and techniques.
But if your WordPress site is a business website, if it showcases what you do, or who you are, we generally recommend AIOS Premium. Prices start from as little as $70 for the year.
What are the additional features of All-In-One Security Premium?
AIOS Premium scans your WordPress website for malware and monitors your site’s response time and uptime, notifying you of any issues within 24 hours. AIOS Premium customers also benefit from hands-on ticketed support via email (rather than via the WP support forums).
Additional security tools include Country Blocking, Smart 404 Error Blocking and Advanced Two Factor Authentication.
More information is available from our All-In-One Security website
How do I get started with All-In-One Security Premium?
In the web shop, purchase your preferred subscription. After completing the purchase, you will be emailed a link to download the plugin. You can also access the link through your “My Account” page.
After downloading the zip file, install and activate the plugin through WP Admin->Plugins->Add New->Upload Plugin.
The premium extends the free version. Therefore you should keep the free version installed and active. You will also be prompted to enter your AIOS username and password to connect your site to licenses. This will allow the plugin to receive updates.
Do I need to have the free version before downloading Premium?
Yes, you need to have the free version of the plugin installed and activated before installing Premium. Premium plugin is an add-on that requires the free version to be present.
Does All-In-One Security work with multi-site network installations?
Yes, AIOS Premium is compatible with WordPress multisites. For multisite networks, the protection will apply to the network as a whole, and the dashboard and options will be available on the main site of the WordPress multisite.
Can a WordPress security plugin stop all attacks on my site?
There is no 100% guarantee that a security plugin will be able to protect against all attacks, as there is always the possibility of unknown WordPress vulnerabilities or other unexpected factors, and attackers are always seeking to develop new ways around protections. However, All-In-One Security gives good protection against known attack methods, and is under continuous development to monitor and improve protections.
Does All-In-One Security work on all servers and hosts?
AIOS should be compatible with most hosts, unless the host has specifically restricted the use of security plugins. Similarly, certain features may not work on some servers, especially Windows/IIS platforms. Features that use the ‘.htaccess’ file will not apply on a Windows IIS server or NGINX server (but development is ongoing to port those protections to all servers).
Can I cover my subdomains and test sites with a licence for AIOS Premium?
Development and test sites require their own licence if updates to the plugin are needed.
However, these sites can be disconnected from the licence when they have served their purpose. You can disconnect the licence via the site’s WP Admin->Plugins page, and it will be available to be reassigned to a different site.
Is the All In One Security & Firewall Plugin GDPR and other privacy law compliant?
Please read more about GDPR compliance here: https://aiosplugin.com/privacy-policy/ .
FIX: Remove call to update_event_table_column_to_timestamp in update routine
FIX: Remove call to wp_timezone() which is only available in WP 5.3+
5.2.8 – 05/Mar/2024
FIX: The user check that affects the Duo authentication plugin
FIX: Database update routine is now run without needing to visit the admin interface or each individual site in a multisite
FIX: Some settings in the firewall menu not resetting after deactivating and reactivating the plugin.
TWEAK: Audit log and 404 events CSV export file date time column is now in a human readable format not unix timestamp
TWEAK: Debug log table existing datetime field converted to timestamp to be timezone independent
TWEAK: Global meta table existing datetime field converted to timestamp to be timezone independent
TWEAK: Permanent block table existing datetime field converted to timestamp to be timezone independent
TWEAK: Refactor list item actions to further improve code clarity
TWEAK: Removed blacklist admin menu as previously announced
TWEAK: Removed miscellaneous admin menu as previously announced
TWEAK: Removed various admin menu tabs as previously announced
TWEAK: Store IP lookup result for other types of entries in the login lockdown table
TWEAK: Update the footer review prompt
TWEAK: Max file upload size limit to 250 MB by aiowps_max_allowed_upload_config filter removed
TWEAK: Improve comment spam detection to not interfere with other forms
5.2.7 – 06/Feb/2024
SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.
5.2.6 – 06/Feb/2024
SECURITY: Removed unnecessary use of the “tab” query parameter on various admin menu pages to prevent a non-persistent XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect. (This would allow an attacker who deliberately targets you whilst logged in as an administrator and persuades you to visit a link he controls to inject unwanted scripts on a single visit to your AIOS admin page).
FEATURE: Added logout event to the audit logs
FEATURE: Add ability to delete the default readme.html file and wp-config-sample.php file
FIX: Correct some translation calls that were using the wrong text domain
FIX: PHP notice caused by the file scanner being unable to read its data file
FIX: Unlock request button was not showing and redirected to 127.0.0.1
FIX: Database errors for the aiowps_login_lockdown table during plugin installation
TWEAK: Refactor the 6G UI
TWEAK: Added an option to set the Cloudflare Turnstile CAPTCHA theme
TWEAK: Added CSS styling for audit log details column
TWEAK: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
TWEAK: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
TWEAK: Display json string instead of null if json_decode does not work for audit log details
TWEAK: Event table existing datetime field converted to timestamp to be timezone independent
TWEAK: Various tweaks to get codebase up to coding standards
TWEAK: Various tweaks to ensure multiple sentences are not passed to a single translation function
TWEAK: Fix the broken UI for RSS and Atom firewall settings and added a more info box
TWEAK: Fix the issue of unique ID in DOM
TWEAK: Merge Username and Display Name tabs in User Security Settings
TWEAK: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu
TWEAK: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab
TWEAK: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu
TWEAK: Moved the ‘WP Rest API’ tab into the Firewall Menu
TWEAK: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu
TWEAK: Moved the ‘Salt’ tab into the User security menu
TWEAK: Moved ‘Blacklist Manager’ tab into the Firewall menu.
TWEAK: Password resets, removed and deleted users are now recorded in the audit log
TWEAK: Stop 404 IP from being locked if there’s a current lock on that IP
TWEAK: Unify date and time conversion with users timezone support
TWEAK: Changed how empty data in ip lookup result is stored in the database
TWEAK: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
TWEAK: Add captcha support for Contact Form 7
TWEAK: Added an AJAX save settings and get feature details badge function as part of ongoing work to add AJAX support to the plugin settings
TWEAK: Enhance reset password email by adding IP info
TWEAK: Remove defunct imagetoolbar meta tag
TWEAK: Login lockout tables existing datetime field converted to timestamp to be timezone independent
TWEAK: Code improvements – utilising WP_Error objects instead of arrays
5.2.5 – 25/Oct/2023
SECURITY: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
FEATURE: Block POST requests that have a blank user-agent and referer
FEATURE: Added reverse IP Lookup data to the login lockdown notification email
FIX: Prevent a fatal error when setting up the firewall if the host has disabled the function parse_ini_file
FIX: Prevent the firewall message store from filling up with unused entries
FIX: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
FIX: An issue that prevented MainWP updates from being performed correctly
FIX: Prevent user enumeration via the REST API and oEmbed protocol
FIX: User agent blacklist not matching all strings correctly
FIX: Logged in user table not showing the correct information
TWEAK: Improve comment spam detection by using hidden fields and cookies
TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
TWEAK: The menu actions in the dashboard admin menu are now processed via AJAX
TWEAK: Converted checkboxes in the admin menu pages to switches
TWEAK: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
TWEAK: Combined various user admin menus into a new ‘User Security’ admin menu
TWEAK: Export configuration filename now reflects the local timezone.
TWEAK: Improve the UI/UX of the file scanner making way for future improvements
TWEAK: Redesign the feature manager badges
TWEAK: Removed various admin menu tabs as previously announced
TWEAK: Add features that depend on other plugins to the feature manager conditionally
TWEAK: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
TWEAK: Audit log date and time are now displayed in the sites timezone
TWEAK: PHP warning undefined array key REQUEST_METHOD in rule-proxy-comment-posting.php
TWEAK: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the “rename login page” setting is on.
5.2.4 – 16/Aug/2023
FIX: Prevent ported firewall settings from being disabled on upgrade
5.2.3 – 09/Aug/2023
FIX: Fatal error “set_value() on null” when the firewall config is missing
FIX: PHP notices when running under cron
FIX: Revert change that caused the Brute force login whitelist to show the server IPs and not the users
TWEAK: Add communication mechanism so that firewall can send data to WordPress
TWEAK: Remove incorrect mentions of the .htaccess file on PHP Firewall rules
5.2.2 – 04/Aug/2023
FEATURE: An allow list of IP addresses which bypass the firewall rules
FIX: Fix get_class() on null fatal error when updating via ManageWP
FIX: No such file or directory notice generated by the firewall’s config file
FIX: Only send the upgrade email if one or more of the ported rules had been enabled
FIX: Fake Google bots are now blocked if bot server IP address does not resolve to a hostname
FIX: Google reCaptcha now appears correctly on the WooCommerce checkout page
FIX: Prevent Woocommerce auto login if manual registration approval is turned on
FIX: Premium upgrade tab UI overlapping issue.
FIX: Allow maintenance mode to be controlled via WP-CLI (Premium)
FIX: Use the correct site id for login success events added to audit log table on Multisite
FIX: Added missing features to the feature manager list
FIX: A warning when using the update all command via WP-CLI
TWEAK: AIOS settings based IP address is now used instead of the REMOTE_ADDR server variable for multiple wrong 2FA code notification
TWEAK: Added ‘aios_audit_log_record_event’ filter to allow events to not be recorded
TWEAK: Improve the feature item manager code structure making way for future improvements
TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist.
TWEAK: Move the ‘Custom rules’ tab from the ‘Firewall’ section to its own tab in the ‘Tools’ section
TWEAK: Move the ‘Prevent hotlinking’ tab to the ‘File protection’ tab in the ‘Filesystem Security’ menu
TWEAK: Moved all CAPTCHA settings to the ‘CAPTCHA settings’ tab in the ‘Brute Force’ menu
TWEAK: Moved the ‘Password tool’ tab to the ‘Tools’ admin menu
TWEAK: Moved the ‘Visitor lockout’ tab to the ‘Tools’ admin menu
TWEAK: Moved the ‘User registration honeypot’ tab to the ‘Brute force’ admin menu
TWEAK: Remove ‘Account activity table’ as these entries are also recorded in the audit log
TWEAK: Removed the ‘Failed login records’ tab as previously announced, these are now recorded in the audit log
TWEAK: Improve list table code performance
TWEAK: Removed use of $_GET, $_POST, $_REQUEST from all template files making way for future improvements
5.2.1 – 12/Jul/2023
FIX: Include helper class file from loader
TWEAK: Conditionally load TFA block JavaScript
5.2.0 – 10/Jul/2023
SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 and 5.2.0 (which purges the existing data), to know what site users’ passwords are. This information has limited value (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog has been expanded in response to incorrect reports which suggested a wider problem (for example, they did not mention that the attacker needs to already be logged in as an admin to read the log, or that upgrading to 5.2.0 deletes the affected data).
SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
FIX: After editing a file reset permissions back to the original permissions
FIX: Corrected some broken links in the plugin
FIX: Fatal error: cannot declare class
FIX: Normalise all arguments in the stacktrace
FIX: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
FIX: Too many redirects error for forced logout users solved
TWEAK: For cron jobs, WP-CLI, and when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined, do not use external services to determine user IP addresses. Silenced the api.ipify.org ‘request failed’ warning.
TWEAK: Reset password page missing translation and generate password button added for renamed login page
TWEAK: Added ‘aios_audit_log_event_user_ip’ filter to allow filtering of IP addresses in the audit log
TWEAK: Added action hook “aios_reset_all_settings” for reset all settings.
TWEAK: Renamed login page to have language change dropdown and other tweaks as per the WordPress 6.2
5.1.9 – 09/May/2023
FEATURE: IP addresses – Blacklist manager functionality based on PHP instead of .htaccess rules. Added AIOS_DISABLE_BLACKLIST_IP_MANAGER constant, Define it in your wp-config.php to disable IP Blacklist manager.
FEATURE: Detect spambots posting comments and discard it completely or mark as spam.
FEATURE: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)
FEATURE: Added a “Delete all” and “Delete filtered” bulk action to the audit log table
FIX: Prevent Cloudflare Turnstile being added to login forms when no credentials were set
FIX: Change where the audit log event handler is loaded to prevent an error on plugin deletion
FIX: Fix context class checks to support cli
TWEAK: Multisite super admin can access the subsite dashboard without logging in again if the salt postfix is enabled
TWEAK: Captcha JavaScript file was unnecessarily loaded on some site pages if comment captcha or custom login captcha was enabled
TWEAK: Change some nonce checks to use our internal function to check user capability and nonces
TWEAK: User registrations and successful logins are now recorded in the audit log
TWEAK: Added a commands class and refactored AJAX handlers
TWEAK: Captcha verification to prevent conflicts with some plugins that recall the WordPress authentication code
TWEAK: Improve database table prefix feature UI.
TWEAK: WordPress core updates are now recorded in the audit log
TWEAK: Translation updates are now recorded in the audit log
TWEAK: Add an entity changed event to the audit log when upgrader information is not available
TWEAK: Automated emails sent by AIOS that failed to send because of the From address
5.1.8 – 11/April/2023
FIX: 404 detection – Individual record blacklisting, delete, temp block actions stopped working in 5.1.7
FIX: Uncaught fatal error on null ‘set_value’
FIX: Remove audit log event handler actions on plugin deletion to prevent an error
FIX: Remove some audit log event handlers on plugin deletion to prevent an error
FIX: Get correct wp-config path when installed in a subdirectory
TWEAK: AIOS_Helper::request_remote timed out exception ignored.
TWEAK: Requests_IPv6 class name deprecated in WordPress 6.2.
TWEAK: Failed login attempts are now recorded in the audit log
5.1.7 – 24/March/2023
FIX: Prevent fatal error when calling get_server_detected_user_ip_address() when the firewall is not setup
TWEAK: Clarify dashboard notice title and change image.
5.1.6 – 21/March/2023
FEATURE: Added an audit log
FEATURE: Add salt postfix option to improve your site’s security
FEATURE: Shared library that can be used from the firewall.
FIX: A renamed login slug of the form wp-login-RANDOM_SUFFIX showed a 404 page; also code clean-up for multisite activation.
FIX: Divi child theme conflict – Call to undefined function et_builder_get_fonts() in functions.php on line 208 solved.
FIX: Captcha settings tab in multisite installation for subsites not showing
FIX: Cron reschedule event error for hook aios_15_minutes_cron_event if plugin deactivated or uninstalled
TWEAK: Stop user enumeration now shows 403 forbidden error code instead of 500 server error
TWEAK: PHP 8.1 deprecation warning (rawurldecode() passed null instead of a string) in the 6G ‘block request string’ rule
TWEAK: Code clean up for disable cookie based brute force constant as rule moved to firewall
TWEAK: Comment spam IP monitoring page UI
TWEAK: Updated seasonal notices
TWEAK: Improve internal code structure making way for future improvements
TWEAK: Remove mention of the 6g firewall rules being .htaccess based as they are now php based
TWEAK: Added new internal function to check user capability and nonces
TWEAK: Improve config code with inline saving.
TWEAK: Allow audit log to be filtered and exported to CSV
5.1.5 – 13/February/2023
FEATURE: Added Cloudflare Turnstile CAPTCHA support
FIX: Notices about undefined array key HTTP_USER_AGENT solved.
FIX: New v5 features not saved in export file and not properly reset after uninstallation.
FIX: File permission change being applied to the last record not selected one. Also, no longer change permissions when they are already tighter than the suggested.
FIX: Fatal error ‘Call to a member function contains_contents() on null’
TWEAK: Removed incorrect information stating that the login whitelist is implemented via .htaccess.
TWEAK: Refactoring settings tasks for WP CLI AIOS premium commands.
TWEAK: Improved a page-load performance issue caused by the check for an incompatible premium TFA plugin being active.
TWEAK: Make sure the translation domain is registered before attempting to use it
TWEAK: Replaced ‘click’ with ‘press’ in text, because users may be on mobile devices and not using a mouse.
TWEAK: Show a notice on the registration, comment, BuddyPress and bbPress admin pages prompting the user to enable the CAPTCHA settings.
TWEAK: Improve the UI/UX for the 404 detection tab
TWEAK: Improve internal code structure making way for future improvements
TWEAK: PHP 8.2 deprecation warning for dynamic properties
TWEAK: Remove the unintended ability for directory traversal, and the lack of escaping, when outputting files with the “view system log” feature. This facility is only available to an administrator (who can of course already do anything on the site, so this has no security implications), and allowed them to view the last 50 lines of any file, or list any directory, on the system where the web server has read access.
TWEAK: Firewall gets constants from a single source.
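The “view system log” item above describes two separate defects: a user-supplied path that was not confined to the intended directory, and file contents echoed into the page without escaping. The following is an added illustration of the standard fix for both, not code from AIOS: resolve the requested name with realpath(), require the result to sit under an allow-listed base directory (checked with the separator appended, so a sibling directory with the same prefix is not accepted), return only the last N lines, and HTML-escape every line before output. All function names, the temporary directory layout and the sample log content are constructed for this example.

```php
<?php
// Added example (not AIOS code): confine a "view log" feature to one directory
// and escape what it prints. Function names and fixture paths are hypothetical.

declare(strict_types=1);

/**
 * Resolve $requested against $base_dir and return the canonical path, or null if
 * the result escapes $base_dir (via ../, symlinks or an absolute path) or is not a file.
 */
function example_safe_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes outright: they truncate paths in the underlying C calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Always join to the base: an absolute $requested cannot replace it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Prefix check with the separator appended so "/var/log" does not accept "/var/logs/x".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory (e.g. ../ or a symlink)
    }
    return $candidate;
}

/** Return the last $count lines of $path (fewer if the file is shorter), oldest first. */
function example_tail(string $path, int $count = 50): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return [];
    }
    return array_slice($lines, -$count);
}

/** HTML-escape each line: log content is attacker-influenced and must not become markup. */
function example_render(array $lines): string
{
    $escaped = array_map(
        static fn(string $l): string => htmlspecialchars($l, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $lines
    );
    return '<pre>' . implode("\n", $escaped) . '</pre>';
}

// Constructed fixture: a temporary "log directory" plus a file that must stay unreachable.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'aios-example-' . bin2hex(random_bytes(4));
mkdir($root . '/logs', 0700, true);
file_put_contents($root . '/logs/debug.log', "line1\nline2\n<script>alert(1)</script>\n");
file_put_contents($root . '/secret.txt', "do-not-leak\n");

$ok       = example_safe_path($root . '/logs', 'debug.log');      // allowed: canonical path
$escape   = example_safe_path($root . '/logs', '../secret.txt');  // rejected: null
$absolute = example_safe_path($root . '/logs', '/etc/passwd');    // rejected: null

var_dump($ok !== null, $escape, $absolute);
if ($ok !== null) {
    echo example_render(example_tail($ok, 2)), "\n";
    // <pre>line2
    // &lt;script&gt;alert(1)&lt;/script&gt;</pre>
}

// Tidy up the fixture.
unlink($root . '/logs/debug.log');
unlink($root . '/secret.txt');
rmdir($root . '/logs');
rmdir($root);
```

Two points are easy to miss: the prefix comparison must run on the realpath() result, not on the string the user sent, otherwise a symlink inside the log directory still leads out of it; and escaping belongs at output time, per line, rather than on the file name, because the dangerous bytes are in the log body that any visitor can write to (a 404 path, a user agent, a failed login name).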
5.1.4 – 14/December/2022
FEATURE: Add option to disable RSS and ATOM feeds.
FIX: The IP address blacklist manager wasn’t working.
5.1.3 – 09/December/2022
SECURITY: No longer save settings import files in a publicly accessible folder, where they could potentially be indexed by search engines if the administrator does not actually import the settings (importing deletes the import file).
FEATURE: Implement firewall events system
FIX: Protect subsites when firewall is loaded via plugins_hook
TWEAK: Improve the UX for uploading import files
TWEAK: Add a default CAPTCHA option making way for new CAPTCHAs in the future
5.1.2 – 07/December/2022
FEATURE: User agent blacklist manager functionality is now based on PHP instead of .htaccess rules.
FIX: Sorting by ‘status’ on the comment spam table
FIX: Copy protection feature not working on iPhone
FIX: Cookie-based brute force prevention locked users out if the plugin was deactivated and activated again.
FIX: The notice to reapply .htaccess rules after reactivating the plugin is displayed on subsites.
FIX: Various WordPress command line notices about undefined $_SERVER indexes
TWEAK: 2FA setting page to show premium options for AIOS premium.
TWEAK: Remove characters that should not have been on the scanner page
TWEAK: Organise firewall rules into subdirectories
TWEAK: Added a GDPR question and answer to the plugin’s FAQ section on WordPress.org.
TWEAK: Allow AIOS management permission to be filtered via aios_management_permission filter
TWEAK: Make use of is_main_site() function.
TWEAK: Copy IP to clipboard when clicking on it at WP Security -> Brute Force -> Login whitelist.
TWEAK: Better context detection for the firewall
5.1.1 – 16/November/2022
SECURITY: Fixed a failure to check bulk action nonces, leading to a CSRF vulnerability. Exploitation would require an attacker to craft a link specifically for your site, and persuade you to click it whilst logged in; if you did so, this could result in bulk actions being carried out on AIOS list tables (e.g. delete entries from blocked IP address lists), with the attacker being restricted to deleting entries by database ID numbers that he cannot know directly (e.g. 15, 16, 17) and not IP address (e.g. 100.101.102.103).
FEATURE: Cookie-based brute force prevention implemented with the new PHP based firewall system.
FIX: Prevent the dismiss notice button removing all notices from page including notices that contained important information
FIX: Brute Force > Login Whitelist issue with users accessing password-protected pages.
FIX: Force logout link not working in the currently logged-in users list.
FIX: Google reCAPTCHA site key and secret key were not verified immediately.
TWEAK: Code style changes for scanner related pages and future item manager class.
TWEAK: Reapplied the capitalisation style to the firewall menu tabs.
TWEAK: Use the term ‘login lockout’ instead of ‘login lockdown’ in the UI and email content. Renamed the constant AIOWPS_DISABLE_LOGIN_LOCKDOWN to AIOWPS_DISABLE_LOGIN_LOCKOUT.
TWEAK: Update tabs, links to match capitalisation style of other UpdraftPlus plugins.
TWEAK: Added the filter aios_server_type to override the AIOWPSecurity_Utility::get_server_type() method’s return value.
TWEAK: Show a notice that account activity logs and 404 event logs older than 90 days are cleared automatically.
TWEAK: Premium upgrade page FAQs linked to correct URL.
TWEAK: IP address lookup is called only once per page request. Visitor blocking is called only when the user is not logged in. User online information is updated on login only.
TWEAK: User login lockout: validate that the minimum lockout time length is less than the maximum lockout time length.
TWEAK: Take a backup of wp-config before inserting firewall contents.
TWEAK: Ability to downgrade the firewall’s protection which allows users to reverse the changes from setting up the firewall.
TWEAK: Set a global context for $wp_file_descriptions context so that it gets assigned to correctly, preventing a subtle visual change in the theme editor
TWEAK: Black Friday notice
TWEAK: Update readme.txt file
5.1.0 – 12/October/2022
FIX: The login loader was shown indefinitely on the login screen, and administrators could not log in, if maintenance mode and 2FA were enabled simultaneously.
FIX: Pressing the “Disable Firewall” button didn’t clear new 6G firewall rules.
FIX: Application passwords were disabled by default on activation of the AIOS plugin.
FIX: ‘Uncaught TypeError: fclose(): Argument #1 ($stream) must be of type resource, bool given’ in all-in-one-wp-security-and-firewall/classes/wp-security-utility-htaccess.php:164 on servers where the root folder is not writable.
TWEAK: IP address lookup service whatismyipaddress removed, as the API for bot.whatismyipaddress.com is no longer available.
TWEAK: The simple math CAPTCHA box was shown while the user was entering the 2FA code at login time.
TWEAK: Firewall max upload limit default value increased from 10MB to 100MB.
TWEAK: Google reCAPTCHA messages are now shown in the site’s language instead of English only.
TWEAK: Update headings, labels and buttons to match capitalisation style of other plugins.
TWEAK: Add premium upgrade tab.
5.0.9 – 06/October/2022
FIX: PHP Notice: Only variables should be passed by reference in /wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-notices.php on line 202.
TWEAK: Automatically disable login whitelisting on upgrade for all server types and show a related notice.
TWEAK: 2FA – fix the warning ‘Deprecated: Call get_controller(‘totp’), not get_totp_controller()’ in /includes/simba-tfa/simba-tfa.php on line 713.
5.0.8 – 29/September/2022
SECURITY/FEATURE: Fix IP address detection, add IP address detection settings in Admin Dashboard > WP Security > Settings > Advanced Settings, provide user guidance on how to use them, and notify the user if any problem is apparent. Versions 5.0.0 to 5.0.7 had a defect allowing an attacker to spoof their IP address, helping them to avoid detection or to lock out legitimate users. Thanks to Calvin Alkan for the responsible disclosure.
FIX: A 403 Forbidden error was shown on the WordPress login screen if the login URL contained the redirect_to parameter and the deny bad query strings firewall feature was enabled on localhost.
FIX: The PUT request method was blocked when the user enabled the 6G firewall.
FIX: The login whitelisting didn’t work on servers not supporting .htaccess files, without this information being displayed in the user interface. The feature is now ported to PHP so that it works on all servers. Thanks to Calvin Alkan for identifying this issue.
TWEAK: Add index keys to the login lockdown, failed_logins and the permanent block tables to prevent poor database reading performance in the event of vast numbers of rows being stored in these tables (see the “SECURITY” item above, since the defect described there can allow this). Thanks to Calvin Alkan for identifying this issue.
TWEAK: Resolve a PHP-firewall ‘Unable to locate workspace’ log message.
TWEAK: Added a constant AIOS_DISABLE_GET_EXTERNAL_IP. Define this in your wp-config.php to disable getting the IP address via an external API when the IP retrieval method fails to get a valid IP address.
TWEAK: Disable access to the cookie used for cookie-based brute force prevention via JavaScript and plain HTTP.
TWEAK: Enhanced cookie storage mechanism for cookie-based brute force prevention. Thanks to Calvin Alkan for identifying this improvement.
TWEAK: Display a notice in the block spam comments section alerting the user that the feature does not work on non-Apache servers. Thanks to Calvin Alkan for identifying this omission.
TWEAK: Added a constant AIOS_DISABLE_LOGIN_WHITELIST. Define this in your wp-config.php to disable the login IP whitelist.
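The SECURITY item in this release is the general client-IP problem: REMOTE_ADDR is the only address the web server actually saw, while headers such as X-Forwarded-For are supplied by whoever connected, so code that prefers the header unconditionally lets any direct client choose its own IP, which defeats lockouts and blacklists and can be used to lock out someone else’s address. The following is an added example of the usual hardening, written by the editor and not taken from AIOS: proxy headers are consulted only when REMOTE_ADDR itself is a configured trusted proxy, and the header is walked from the right so that addresses appended by trusted hops are skipped. The function names, the trusted-proxy list and the sample requests are all constructed for this example; the plugin’s external-API fallback (AIOS_DISABLE_GET_EXTERNAL_IP) is outside its scope.

```php
<?php
// Added example (not AIOS code): client IP detection that only honours a proxy
// header when the connection came from a trusted proxy. All names are hypothetical.

declare(strict_types=1);

/**
 * Naive detection of the kind that makes spoofing possible: any client can send
 * the header directly, so the value is attacker-controlled.
 */
function example_naive_client_ip(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened detection.
 *
 * @param array    $server          Copy of $_SERVER (REMOTE_ADDR plus any proxy headers).
 * @param string[] $trusted_proxies REMOTE_ADDR values (plain IPs or CIDR ranges) allowed to set $header.
 * @param string   $header          The one proxy header the operator chose, e.g. 'HTTP_X_FORWARDED_FOR'.
 */
function example_client_ip(array $server, array $trusted_proxies = [], string $header = ''): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // No header configured or no trusted proxies: never consult headers at all.
    if ($header === '' || $trusted_proxies === []) {
        return $remote;
    }
    // Only a connection that really arrived from a trusted proxy may override REMOTE_ADDR.
    if (!example_ip_in_list($remote, $trusted_proxies)) {
        return $remote;
    }
    $raw = $server[$header] ?? '';
    if ($raw === '') {
        return $remote;
    }
    // X-Forwarded-For is "client, hop1, hop2": each proxy appends the address it saw,
    // so the right-most entries were written by proxies we trust. Walk from the right
    // and return the first address that is not itself a trusted proxy.
    $hops = array_reverse(array_map('trim', explode(',', $raw)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back rather than trust any of it
        }
        if (!example_ip_in_list($hop, $trusted_proxies)) {
            return $hop;
        }
    }
    return $remote;
}

/** True if $ip equals an entry in $list or falls inside one of its CIDR ranges (IPv4 or IPv6). */
function example_ip_in_list(string $ip, array $list): bool
{
    $ip_bin = inet_pton($ip);
    if ($ip_bin === false) {
        return false;
    }
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            if (inet_pton($entry) === $ip_bin) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $net_bin = inet_pton($net);
        if ($net_bin === false || strlen($net_bin) !== strlen($ip_bin)) {
            continue; // address family mismatch or bad network
        }
        $bits = (int) $bits;
        $full = intdiv($bits, 8);
        $rem  = $bits % 8;
        if ($full > 0 && substr($ip_bin, 0, $full) !== substr($net_bin, 0, $full)) {
            continue;
        }
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        if ((ord($ip_bin[$full]) & $mask) === (ord($net_bin[$full]) & $mask)) {
            return true;
        }
    }
    return false;
}

$trusted = ['10.0.0.0/8']; // constructed: the site's reverse proxies live in 10/8

// Constructed request 1: attacker connects directly (not via a proxy) and forges the header.
$forged = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
// Constructed request 2: real client 203.0.113.9 behind proxies 10.0.0.9 then 10.0.0.5.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.9'];
// Constructed request 3: client behind the proxy sends its own forged header first.
$forged_behind_proxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9'];

var_dump(example_naive_client_ip($forged));                                             // "203.0.113.9" (spoofed)
var_dump(example_client_ip($forged, $trusted, 'HTTP_X_FORWARDED_FOR'));                // "198.51.100.7"
var_dump(example_client_ip($proxied, $trusted, 'HTTP_X_FORWARDED_FOR'));               // "203.0.113.9"
var_dump(example_client_ip($forged_behind_proxy, $trusted, 'HTTP_X_FORWARDED_FOR'));   // "203.0.113.9"
```

The operator-facing setting this corresponds to is exactly what this release adds: a single chosen header plus a statement of which upstream addresses are allowed to set it. Picking a header without also pinning the proxies that may send it reproduces the original defect, because the plugin cannot tell a proxy-supplied value from one typed by the client.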
5.0.7 – 08/September/2022
FIX: The login URL was prefixed with the site URL instead of the home URL when the home URL is different from the site URL.
FIX: Rename Login and cookie-based brute force protection could not work simultaneously when permalinks were set to Plain.
FIX: Disabling the 5G Firewall Protection didn’t remove the 5G rules from the .htaccess file.
TWEAK: Add a ‘Dismiss’ button to the firewall setup notice.
5.0.6 – 07/September/2022
FIX: The host cron job stopped working in a specific situation.
FIX: A few setting options like enabling the honeypot feature for registration page, disabling the application password, enabling move spam comments to trash after specified days, moving spam comments to trash after days, enabling remove database tables upon uninstalling, and enabling remove all plugin settings upon uninstalling the plugin were overridden on upgrading the plugin.
TWEAK: Add a ‘safe message’ comment to the firewall’s settings file.
5.0.5 – 05/September/2022
FIX: Cookie-based brute force (and similar) rules are now removed from .htaccess if they were set by the older version 4.4.12.
FIX: The IP lock notification mail was sent out for the 404 lockdown event.
TWEAK: Resolve a PHP-firewall ‘Unable to locate workspace’ log message.
5.0.4 – 03/September/2022
FIX: PHP warning in the latest PHP version when handling the email address parameter.
TWEAK: Added a constant, AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION. Define this in your wp-config.php to disable cookie based brute force login prevention.
5.0.3 – 02/September/2022
FIX: An empty IP lock notification mail could be sent out after upgrading to the 5.0.0 version.
FIX: The PHP file could not be loaded via the command line if Rename Login was enabled.
FIX: When running WordPress from the command line, the warning Undefined index: REQUEST_METHOD was logged.
TWEAK: Import latest TFA module, loading JS less aggressively to avoid potential for conflicts.
5.0.2 – 02/September/2022
FIX: The user could not log in if forced logout was set and the site’s timezone was different from UTC.
FIX: Avoid an incompatibility with Wordfence Login Security by not loading our TFA module if that plugin is active
5.0.0 – 01/September/2022
FEATURE: Two-Factor Authentication (2FA) functionality & related settings.
FEATURE: Set up a mechanism to load the firewall PHP file early.
FEATURE: PHP firewall rule engine.
FEATURE: Add WHOIS lookup functionality.
FEATURE: Implement 6G firewall rules in the new PHP-based firewall.
FEATURE: Disable WordPress application passwords.
FEATURE: Remove the plugin’s tables and options when uninstalling the plugin according to configuration settings.
FEATURE: Trash spam comments after n number of days as per configuration set in Admin Dashboard > WP Security > SPAM Prevention > the “Comment SPAM” tab > the “Comment Processing” section > the “Trash Comments After” settings.
FEATURE: Cookie-based brute force firewall protection is now based on PHP code instead of .htaccess rules, so that it also works with Nginx, IIS and other servers.
FEATURE: Allow multiple email addresses for the User Login > Notify By Email setting.
FEATURE: IPv6 range support in CIDR format.
FIX: The WooCommerce customer was redirected to the wp-login page after payment with an external payment gateway if forced logout was configured after a specific number of minutes.
FIX: If the WordPress language was set to something other than English, the auto-update core, plugin and theme emails were sent in English instead of the configured language.
FIX: Database error on multisite when creating a new site.
FIX: Captcha options should not be autoloaded.
FIX: Database error for multisite cronjob column name.
FIX: The plugin clogged up the database with lots of rows; old data is now deleted after 90 days.
FIX: Rename Login issue with the ‘wp plugin list’ command.
FIX: Rename Login breaks logout functionality if WP_HOME is set to a different URL than the WordPress core files URL.
FIX: PHP Fatal error: Uncaught Error: Class ‘AIOWPSecurity_Admin_Init’ not found in html/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php:366.
FIX: The Spam comment blocked IP address remains blocked even after spammed comments are approved.