1.3.3 – 04 september 2017

  • Fix#527, #526, #525, #524, #509: Passwordless now send an email when activated (each time), not at each page save.

1.3.2 – 01 september 2017

  • Improvement: When PasswordLess is activated, you’ll have to valide this action by clicking on a link in an email. This will prevent you to be locked out.
  • Fix #502: Move login and PasswordLess are friends, again.

1.3.1 – 02 august 2017

  • New #510: Remove the “Avoid Double Logins” module since it’s not efficient enough
  • Improvement #511: You dont have to add 2 email addresses for the alerts
  • Improvement #478: Display a message when the malware scan found nothing
  • Improvement #512: Remove the recovery email notice, you won’t need to fill this anymore
  • Improvement #507: Lighter Move Login module with less options, no .htaccess/web.config/ngnix.conf modifications but more decisions and less bugs instead of endless bugs.
  • Improvement #506: Remove the scan and fix for empty user agent (not efficient enough in 2017, too much false positive)
  • Improvement #505: Remove the scan and fix for too long URLs (not efficient enough in 2017, too much false positive)
  • Improvement #488: New bad user agent (Gecko/2009032609 Firefox), thanks to Fabrice from
  • Improvement #481: Better message (less sarcastic, yes) when you lock yourself out.
  • Fix #504: On some servers, $_SERVER[‘SERVER_ADDR’] does not exists, well, ok.
  • Fix #502: Move login was not cool with PasswordLess
  • Fix #501: Some multisites websites could not validate their licence.
  • Fix #473: Captcha always returned “human verification fail” when autofill from browser is enabled.

1.3 – 18 july 2017

  • New: you don’t need the Free version to run the Pro version now: one plugin is enough.
  • New: migrating between the Pro plugin and the Free plugin is now easier.
  • New: able to deliver beta versions.
  • Improvement #457: no more errors after editing the wp-config.php file. We added a sandbox that doesn’t keep
  • modifications in place if there is a problem.
  • Improvement #448: Better detection of user’s right for DB scan
  • Improvement #365: removed OrangeBot from the bad user agents list.
  • Improvement #337: captcha is now also available on the user registration page.
  • Improvement #308: Sometimes after a scan (step 1), some results are still tagged as “new”, you should encounter less cases.
  • Improvement #268: settings page lock: scanners page and logs page are now locked.
  • Improvement #247: malware scan: wp-config-sample.php is not flagged as missing from core anymore.
  • Improvement #180: added a warning about disabling the XML-RPC API.
  • Fix #469: customize.php redirects to the login page (thanks to @wpmarmite)
  • Fix #454: logs export: the file name was wrong. Moreover, now it includes the date.
  • Fix #451: Fatal error on WP <4.2.11 when sending emails
  • Fix #448: on some rare cases, the tables prefix couldn’t be changed because “the user doesn’t … have edition rights”.
  • Fix #417: malware scan: huge files are skipped (otherwise the process never ends).
  • Fix #416: malware scan: sometimes it couldn’t be stopped.
  • Fix #414: fixed some PHP 7 errors.

1.2.7 free – 18th April 2017

  • Improvement: removed the monthly plans from the “Get Pro” page and improved a few things. free – 06th April 2017

  • Improvement #450: use a new API for the “Get Pro” page, to fetch prices.

1.2.6 free – 05th April 2017

  • Improvement #445: display the missing “Rate us” box in the settings page.
  • Improvements #387 and #449: changed a few things in the “Get Pro” page, mainly focused on the monthly plans.
  • Fix #447: prevented Move Login to change `&` characters into `&` in filtered URLs, it may cause problems when used as a redirection target. free – 19th March 2017

  • Fix #424: a htaccess server error appeared if you were using WP pro – 19th March 2017

  • Fix #424: a htaccess server error appeared if you were using WP

1.2.5 free – 16th March 2017

  • Improvement #413: improved PHP and WP version check on activation.
  • Improvement #408: improved Move Login settings. Now you HAVE to specify a new login URL: no default value anymore, no forgotten URL anymore. Also, your new URLs can be seen while you type in 🙂
  • Improvement #397: improved the theme/plugin installation/upload sub-modules: even white-listed IPs are blocked now.
  • Fix #402: in some cases, the scan testing the `readme.html` direct access was testing a wrong URL.
  • Fix #111: added the IP address `` to the hardcoded white-list. It should prevent some cron processes to be blocked (because of an empty User Agent for example).

1.2.5 pro – 16th March 2017

  • Improvement #397: improved the theme/plugin activation/deactivation/deletion sub-modules: even white-listed IPs are blocked now.
  • Fix #415: on some installations, the file `fpdf.php` was constantly showing in the malware scan, even being in the smart white-list.
  • Fix #409: the backup process couldn’t create the backup folders (D’OH!).
  • Fix #325: the protection against bad file extensions wasn’t working if domain sharding is used for medias.

1.2.4 free – 28th February 2017

  • Improvement #382: if the salt keys scan still reports problems after the MU plugin is created, it will still try to fix it.
  • Fix #282: links in email messages should now be fine.
  • Fix #170: the notice saying the `.htaccess` file is not writable now is displayed only if the file exists.
  • Tested with php 7.1.
  • Various small fixes and improvements.

1.2.4 pro – 28th February 2017

  • Fix #393: settings and profile pages were not accessible when the password protections are enabled.
  • Fix #374: the malware scanner doesn’t report empty files as malwares anymore.
  • Fix #327: in the malware scanner, white-listed files and “old WP files” are now removed from the “not from WP core” list.
  • Fix #209: in the malware scanner, the “scan” button wasn’t reporting the right status on first scan (only after reloading the page).
  • Fix #283: use the right charset collate for the “Anti Front Brute Force” and “GeoIP Management” database tables.
  • Fix #282: links in email messages should now be fine. free – 21th February 2017

  • Fix #391: whenever an IP address is banned, the message was displayed to everybody.

1.2.3 free – 20th February 2017

  • Improvement #370: in the scanner, each scan has now its own documentation ?. The “Read the documentation” links can be found at step 3, the Manual Operations.
  • Improvement #357: for the “Too Long URL” protection, requests made with `wp_request_***()` to self are not blocked anymore.
  • Fix #373: fixed a bug that allowed a specifically forged URL to cheat the “Too Long URL” protection.
  • Fix #367: fixed a PHP notice `Missing argument 2 for SecuPress_Action_Log::pre_process_action_wp_login()`.
  • Fix #363: fixed a possible failure on step 2 of the scanner (Auto-Fix).
  • Fix #352: revamp the whole “Auto Update” scan and protection, mainly focusing on the constant definitions.
  • Fix #347: the Twitter bird now can sing correctly.
  • Fix #343: when some scans display a message “Unable to determine…”, a link to activate manually the protection should be displaying. Some were missing.
  • Fix #329: the directory listing scan now reports a “Good” status if folders display an empty page with HTTP code 200.

1.2.3 pro – 20th February 2017

  • Improvement #321: the malware scan now has a way to toggle multiple checkboxes at the same time. Yay for speed.
  • Improvement #273: logged in users are not considered as spam by the antispam anymore.
  • Fix #369: reviewed our 3 log-in protections (PasswordLess, Only One Connection, Captcha). Lots of work has been done to prevent users to be locked out.
  • Fix #368: fixed a `gzinflate()` error while importing settings. The down side is *old settings exports won’t work anymore: please do new settings exports after this update*.
  • Fix #360: in the malware scan, removed Akismet from core files. Sometimes it is not included in WordPress releases and triggers false positives.
  • Fix #349: alerts were still reporting whitelisted IPs.

1.2.2 free – 27th January 2017

  • Fix #355: fixed a “recursion” that caused some scans to return a “bad” status while the corresponding protections were working ¯\(°_o)/¯
  • Fix #351: fixed license invalidation on multisite or multilingual sites.
  • Fix #346: fixed a PHP warning about `vsprintf()` in the scanner page.
  • Fix #345: don’t manipulate headers if they have been already sent.
  • Fix #313: fixed one of our easter eggs. ?
  • Fix #256: in the `wp-config.php` file, don’t comment a constant that is already commented or the sky will fall.
  • Fix #46, #154, #328, #348: fixed the whole chmod scan. Some fixes made in version 1.0.3 dramagically disappeared at some point, we bring them back: chmod values are correct again, test for the `web.config` file is back (if applicable). In the scan result, the list of files/folders were incomplete. In the scan result, folders are not called files anymore. Test for `.htaccess` and `web.config` existence instead of testing for Apache / IIS7.

1.2.2 pro – 27th January 2017

  • Improvement #356: added back a “View details” link on the plugin row (in the plugins list), so the changelog and all the info can be viewed anytime.
  • Fix #269: fixed PDF export failure.

1.2.1 free – 11th January 2017

  • Happy new year! ?
  • Improvement #336: prevent a rare PHP warning: array_count_values() can only count string and integer values! that could mess with the scan results.
  • Improvement #322: CSS animations are no more on Logs page, interacting with them is now easier.
  • Fix #342: in the Malware Scan module, the “Save All Changes” button under the Directory Index option was disabled.

1.2.1 pro – 11th January 2017

  • Fix #340: solve a fatal error on deactivation.

1.2 free – 20th December 2016

  • New: up to 12 options for you to control. Directory Index, Directory Listing, PHP modules disclosure, PHP version disclosure, WordPress version disclosure, Bad URL Access, Protect readme files, WooCommerce and WPML version disclosure, File edition constant, Unfiltered HTML constant, Unfiltered uploads constant: all these protections can now be activated and deactivated separately as needed ( ゚д゚)
  • New: some scans were slightly modified, so here is a new one that will test only the ShellShock vulnerability ヽ(´ー`)人(´∇`)人(`Д´)ノ
  • New: if a scan displays a “Not able to access your front page” message, it brings you the possibility to activate the protection anyway.
  • Improvement #118: in the scanner’s manual fixes, the “Ignore this step” button is more understandable.
  • Improvement #147: in logs and alerts, no more “UAHE”, “BUC”, or any other obscur codes when a request is blocked, only a human readable sentence.
  • Improvement #199: the User Agent blacklist is now case sensitive.
  • Improvement #274: if you use a “Coming Soon” or “Maintenance” page, manual scans have now a small drill and can get through it and will no longer trigger a “Not able to access your front page” message for this reason.
  • Improvement #286: updated the “no longer in directory” and “not updated over 2 years” plugins lists.
  • Improvement #289: the scan message related to the constant `COOKIEHASH` is more accurate.
  • Improvement #290: whitelisted IPs don’t trigger alerts and logs when they are *not* blocked.
  • Improvement #297: the checkbox to activate the protection to deny access to malicious file extensions in the uploads folder now displays rewrite rules if the configuration file is not writable.
  • Improvement #324: tell cache plugins not to cache our blocking messages nor the login pages.
  • Improvement: prevent our icons to be overridden by other plugins or themes.
  • Fix #264: the scanner related to the admin user wouldn’t fix anything in a specific case. Nothing is better than a whip sometimes.
  • Fix #265: fixed a message displayed by the chmod scan. In some cases it was speaking nonsense about files `/` and `/`.
  • Fix #281: “Ask for old password” and “Strong Passwords” are now besties ( ^_^)o自自o(^_^ )
  • Fix #285: typo in a `IfModule` (-‸ლ)
  • Fix #291: the fix related to the WordPress version disclosure ate the rewrite rules on Nginx. So we made it give them back (that was kind of scary).

1.2 pro – 20th December 2016

  • New: the malware scanner now has a smart whitelist. You can also mark files as “not a malware”: when we receive enough notifications about the same file, it is included in the whitelist for everyone.
  • New: redesign the malwares scan’s page.
  • New: up to 12 options for you to control. Directory Index, Directory Listing, PHP modules disclosure, PHP version disclosure, WordPress version disclosure, Bad URL Access, Protect readme files, WooCommerce and WPML version disclosure, File edition constant, Unfiltered HTML constant, Unfiltered uploads constant: all these protections are now activatable and deactivatable separately when you want ( ゚д゚)
  • Improvement #139: cleanup our crons on plugin deactivation.
  • Improvement #189: better plugin activation and deactivation processes.
  • Improvement #196: now you can also deactivate your license directly within the plugin.
  • Improvement #203: now you can send a support request even if the emails are not working on your server.
  • Improvement #290: whitelisted IPs don’t trigger alerts and logs when they are *not* blocked.
  • Improvement #298: now PasswordLess, Avoid Double Logins, and Captcha work better together ヽ(´ー`)人(´∇`)人(`Д´)ノ #graphibug
  • Fix #208: repaired layout on the “See differences”‘s page.
  • Fix #312: changed the PDF reports file name to prevent bad encoding.

1.1.3 free – 07th November 2016

  • Improvement #258: Remove the blog_id and website URL in the new salf keys to avoid aving to log in on each website on a multisite, was just annoying.
  • Improvement #259: Better hook usage to allow any cache plugin (like WP Rocket of course) to ignore login page.
  • Improvement #195: Better Move Login rules on Ngnix. And better rules in general for all modules.
  • Fix #262: Some firewall sub-modules are not working in frontend, the functions were not in the right file 😐
  • Fix #252: X-Powered by header was not hidden on Ngnix. Ngnix my friend …
  • Fix #250: WPML still appeared as a “bad plugin removed from repo”, well, the whitelist filter was not used.

1.0.2 pro – 07th November 2016

  • Fix #255: Warning: Missing argument 2 for SecuPress_Alerts::_wp_login_test() in /inc/modules/alerts/plugins/inc/php/alerts/class-secupress-alerts.php on line 299.
  • Fix #253: Bad File Extensions were not protected on Nginx. Ngnix my friend…
  • Fix #249: The Only One Connexion module didn’t worked as expected, now, it is.
  • Fix #248: Import settings didn’t import setting, now, it import settings.

1.1.2 free — 25th October 2016

  • Just new prices table compatibility

1.0.1 pro – 22th October 2016

  • Improvement: typos, and missing translations.
  • Fix #210: The plugin could be activated without the free version, merge drama.
  • Fix #222: Fatal error, we’re requiring a non existant file from free instead os pro version.
  • Fix #225: Text encoding in PDF export was broken on accents.
  • Fix #233: Fatal error in class-secupress-background-process-file-monitoring.php “Can’t use function return value in write context”, now the context is right.

1.1.1 free — 22th October 2016

  • Improvement #216: The button “Ask for support” is now always present on scanner step 3
  • Improvement + #205: typos, and missing text domain
  • Fix #186: Add description and author to the COOKIEHASH MU plugin
  • Fix #204: When fixing the last thing in step 3, redirect to step 4
  • Fix #207: Table prefix fix won’t show up on step 3
  • Fix #219: PDF Export not exporting anything, wow.
  • Fix #224: In scanner JS, HTML entities were in status text.
  • Fix #227: Notice on affected role section Undefined index: double-auth_affected_role in /inc/admin/functions/modules.php on line 555
  • Fix #232: Bad request methods scan returned false negatives status.

1.1.0 free — 19th October 2016

  • New: Design revamp for modules homepage

1.0 pro – 18th October 2016

  • Initial release

1.0.6 free — 18th October 2016

  • Fix #158 & #179: Affected roles on modules were reset to empty. I prefer a filled field.
  • Fix #159: The error message from files backup talked about DB backup. Go home!
  • Fix #178: The PasswordLess scan will now check if its module is active, and in a near future will really check for any 2FA code.
  • Fix #185: A mysterious “////” title was present in the french translation, near “WML-RPC”.
  • Fix #190: The module link in the non login time slot scan has now its # to get a correct anchor. Happy sailor.
  • Fix #191: A function was missing, so the PasswordLess scan couldn’t activate its module, now, he can and he’s happy too.
  • Fix #193: The antibruteforce scan always said “false” because we didn’t call him by its real name.
  • Fix #197: When one of our muplugin was created on plugin deactivation, it triggered a fatal error, it was so fatal that we decided to remove it.

1.0.5 free — 07th October 2016

  • Fix #167: Possibly locked at step 1 with a fake “New scan” for readme.txt files, you’re not stuck anymore.
  • Fix #166: Various CSS improvements.
  • Fix #171: Scans related to the firewall were always returning a bad status, even if the protections were running.
  • Fix #172: The scan and the protection related to the “Bad request methods” were not accurate.
  • Fix #176: A SQL warning occurred if you didn’t had logs to delete from 1.0.4, a new IF condition has been added to prevent that.

1.0.4 free — 26th September 2016

  • Improvement #164: Logs are now lighter (without a flame) and can be deleted much faster (still not as fast as WP Rocket, but who can)
  • New #160: Add a filter named `secupress.remote_timeout` if you got too many “Pending” status in scanner, add more timeout since cUrl is not always gentle with us ><

1.0.3 free — 14th September, 2016

  • Improvement: Commented salt keys (previously fixed) will now be deleted to avoid another error 500 case (in case of, you know)
  • Improvement: The banner button has now a better display on tiny screen
  • Improvement: Since SecuPress is compatible with WP 3.7 and 3.8, the icons are now compatible too
  • Improvement: Better bad user-agent blacklist, some were too current and blocked legit users.
  • Fix: User-Agent with more than 255 chars won’t be blocked anymore, too many false positive cases
  • Fix: The recovery email can now be set even if 2 users got the same email address (don’t ask …)
  • Fix: wp-config.php file permissions was sometimes set on 064 and broke some sites when autofix was done.
  • Fix: The PHP version warning was marked as bad for nothing, it will now mark it correctly

1.0.2 free — 02nd September, 2016

  • Fix: The PHP Notice: wp_enqueue_script/wp_enqueue_style called incorrectly is now called correctly and won’t disturb you anymore everywhere in your admin area
  • Fix: The Error 500 caused by commented salt keys will not happen again
  • Fix: We removed the “ping” keyword from the bad user-agents since “pingdom” is not so malicious, isn’t it?
  • Fix: SecuPress couldn’t fix the “admin user” scan with open registration and no admin account.
  • Fix: The TinyMCE editor is not broken anymore, you can use it normally now \o/

1.0.1 free — 31th August, 2016

  • Fix: The PHP Fatal Error on activation or deactivation has been killed, not by Batman because you know.
  • Fix: The following JavaScript Error Uncaught ReferenceError: secupressResetManualFix is not defined in secupress-scanner.min.js when you visit the scanner page is on vacations, forever.
  • Fix: Warning in class-secupress-scan-bad-vuln-plugins.php, we won’t use $this in a static method anymore, promise.
  • Fix: Warning in class-secupress-scan-bad-vuln-plugins.php, ok this one is the last.
  • Fix: Warning in class-secupress-scan-bad-old-plugins.php, well, it was the real last one.
  • Fix: Warning in settings.php usage of a protected method is now allowed.
  • Fix: Warning in modules.php because we called secupress_insert_iis7_nodes() without the second mandatory argument.
  • Fix: The following PHP Parse error "syntax error, unexpected 'ai' (T_STRING) in mu-plugins/_secupress_deactivation-notice-nginx_remove_rules.php" won’t show up anymore for french users.

1.0 free — 23th August, 2016

  • Initial release \o/