* IMPROVED: Made the dashboard widget visible when white label mode is enabled. Previously the widget was hidden instead. Thank you for the suggestion, Dmitry.
* IMPROVED: Added count-based limit (5000 entries) to visitor log pruning to prevent database bloat on high-traffic sites.
* IMPROVED: Removed deprecated X-XSS-Protection header from REST API - modern browsers ignore this header and Content-Security-Policy is the recommended replacement. Thank you Dmitry for the suggestions.
* IMPROVED: More information on CSP in our knowledgebase.
* FIX: Fixed typo in Permissions-Policy description (explitly → explicitly).
* FIX: Updated Permissions-Policy documentation link from Feature-Policy to Permissions-Policy URL.
* FIX: Corrected Nginx example in Content-Security-Policy test descriptions (was showing X-Frame-Options instead of CSP).
* Preparing for plugin rewrite -> improving the free version and streamlining the premium and free feature set.
* NEW: Enhanced username enumeration protection - Now prevents username discovery via REST API /wp-json/wp/v2/users endpoint and oEmbed API, in addition to existing ?author=N scan protection. Thanks Allen.
* Removed duplicate 2FA login requests to prevent error flashes. Thanks to Eric for spotting this.
* Added try-catch to prevent problems with corrupted IP location database, thank you Wan.
* Fix for recommendation engine "wp-config.php not found in the wordpress root directory" - now properly checks for when the config file has been moved up on level. Thank you Eric.
* Fix - 2FA email, user reported emails were sent twice with two different codes. Thank you Eric.
* Improved 2FA setup page stability and performance across different WordPress configurations.
* 2FA - naming of the accounts are now a little more intuitive. Thank you Davina.
* NEW: Added XML-RPC protection feature. This update enhances your site's security by allowing you to easily enable or disable XML-RPC access.
* Improved: Malware signatures tweaked and improved, thank you users for suggestions.
* NEW: Add secret key display and copy functionality to 2FA module in frontend and backend. Allowing users to easier add the key to their system.
* FIX: Timezone on Overview page was incorrect, thank you for spotting Ivar.
* FIX: Resolved JavaScript conflicts that prevented 2FA functionality from working with ARMember and other plugins
* FIX: 2FA QR code/key generation now works reliably across all site configurations, even if other scripts have errors. "Skip for now" link, "Generate new QR code" button, code input validation, and temporary secret usage during setup all function correctly.
* FIX: 2FA setup UI and logic are now robust—QR code generation.
* IMPROVED: Enhanced 2FA JavaScript with robust error handling and DOM ready protection
* IMPROVED: Added inline JavaScript handlers as fallback to ensure 2FA works even when external scripts fail
* IMPROVED: Better error messages and user feedback during 2FA setup process
* NEW: Setting up 2FA for users in admin pages
* Fix for coupon protection in WooCommerce modern block cart and checkout page - Thank you Priit.
* Remove translated messages for errors logging in, creating a loop trying to present translated messages using WP's translation engine.
* Fix: Fixed database prefix renaming to properly handle option names containing embedded prefixes. Thank you Chris!
* Enhanced: Improved custom login URL security with proper access control and error handling
* NEW: Added "Reset Secret Access URL" button to the Tools page. This allows administrators to quickly reset the secret access URL used for firewall whitelisting.
* FIX: Prevent firewall from blocking REST API endpoints for plugins like Webba Booking
* Improved - Better instructions for setting up 2FA.
* FIX: Visitor log issue with White Label enabled.
* NEW: Filter by event type in the Events tab overview.
* FIX: Core Scanner - Resolved false positive alerts when users delete default themes (like Twenty Twenty-Three and Twenty Twenty-Four). The scanner now properly distinguishes between missing essential core files and intentionally removed theme/plugin files. Theme and plugin modifications are still detected as security issues, but deletions are no longer flagged as problems.
* CHANGE: Core Scanner – Focus on critical core files only. Modifications under `wp-content/` (themes, plugins, language packs) are excluded from Core Scanner "modified core files" results and from the tab counter. Deletions of default themes/plugins remain treated as non-issues.
* Remove references to the plugin name in the email sent with Secret Access URL details - if White label feature enabled.
* FIX: Issues with logging in with custom login URL for some users.
* FIX: User ID 1 Change - Fixed issue where users would lose administrator privileges when changing user ID 1 to a new ID. The fix now properly transfers user capabilities and ensures administrator role is maintained.
* NEW: Events Logger – REST API diagnostics. Added hooks to log REST authentication failures, pre-dispatch errors, final REST error responses, and successful REST post creations. View details in Events.
* FIX: Some settings not saving for some users (block admin function)
* FIX: Added specific whitelist rules for WPVivid Backup Pro and Free version files containing legitimate php_uname() usage and nested function calls.
* Updated French translation file.