* Fixed: 2FA - Changed key name format from "site_url (username):email" to "site_url:username" - Thank you Davina.
* Fixed: Compatibility warning with WordPress 6.7 regarding translation loading timing
* Fixed: Server security restriction warning when checking wp-config.php file location
* Fixed: Fixed critical bug where database prefix changer added an extra underscore when updating wp-config.php, causing WordPress to look for non-existent tables with double underscores (e.g., wp_12345__posts instead of wp_12345_posts). Thank you Tchai.
* Fixed: Database prefix changer to properly update option names and meta keys when changing from custom prefixes (not just "wp_").
* IMPROVED: Database prefix changer now works with any prefix, not just the default "wp_". Can now rename tables when changing from one custom prefix to another. All plugin tables are automatically included in the renaming process.
* NEW: Failed login email warnings - administrators receive email notifications when someone attempts to log in with their username and fails. Can be enabled in Login Form Protection settings.
* NEW: Admin IPs are automatically whitelisted on plugin activation and successful admin login to prevent administrators from being blocked. Thank you Val.
* FIX: Fixed country blocking to respect "only block backend" setting when enabled. Thank you Guru for the tip.
* IMPROVED: Secret access URL processing has been moved up in the request cycle to make sure IP whitelisting happens before any ban checks, so blocked visitors should be able to get back on the site more reliably.
* IMPROVED: wp-config.php backups are stored in encrypted format (AES-256-CBC) to ensure data security. Each backup uses a unique encryption key and initialization vector. This was introduced in a previous release, but was not added to the changelog.
* Update 3rd party libraries - Freemius SDK 2.13.0 among others.
* IMPROVED: Made the dashboard widget visible when white label mode is enabled. Previously the widget was hidden instead. Thank you for the suggestion, Dmitry.
* IMPROVED: Added count-based limit (5000 entries) to visitor log pruning to prevent database bloat on high-traffic sites.
* IMPROVED: Removed deprecated X-XSS-Protection header from REST API - modern browsers ignore this header and Content-Security-Policy is the recommended replacement. Thank you Dmitry for the suggestions.
* IMPROVED: More information on CSP in our knowledgebase.
* FIX: Fixed typo in Permissions-Policy description (explitly → explicitly).
* FIX: Updated Permissions-Policy documentation link from Feature-Policy to Permissions-Policy URL.
* FIX: Corrected Nginx example in Content-Security-Policy test descriptions (was showing X-Frame-Options instead of CSP).
* Preparing for plugin rewrite -> improving the free version and streamlining the premium and free feature set.
* NEW: Enhanced username enumeration protection - Now prevents username discovery via REST API /wp-json/wp/v2/users endpoint and oEmbed API, in addition to existing ?author=N scan protection. Thanks Allen.
* Removed duplicate 2FA login requests to prevent error flashes. Thanks to Eric for spotting this.
* Added try-catch to prevent problems with corrupted IP location database, thank you Wan.
* Fix for recommendation engine "wp-config.php not found in the wordpress root directory" - now properly checks for when the config file has been moved up on level. Thank you Eric.
* Fix - 2FA email, user reported emails were sent twice with two different codes. Thank you Eric.
* Improved 2FA setup page stability and performance across different WordPress configurations.
* 2FA - naming of the accounts are now a little more intuitive. Thank you Davina.
* NEW: Added XML-RPC protection feature. This update enhances your site's security by allowing you to easily enable or disable XML-RPC access.
* Improved: Malware signatures tweaked and improved, thank you users for suggestions.
* NEW: Add secret key display and copy functionality to 2FA module in frontend and backend. Allowing users to easier add the key to their system.
* FIX: Timezone on Overview page was incorrect, thank you for spotting Ivar.
* FIX: Resolved JavaScript conflicts that prevented 2FA functionality from working with ARMember and other plugins
* FIX: 2FA QR code/key generation now works reliably across all site configurations, even if other scripts have errors. "Skip for now" link, "Generate new QR code" button, code input validation, and temporary secret usage during setup all function correctly.
* FIX: 2FA setup UI and logic are now robust—QR code generation.
* IMPROVED: Enhanced 2FA JavaScript with robust error handling and DOM ready protection
* IMPROVED: Added inline JavaScript handlers as fallback to ensure 2FA works even when external scripts fail
* IMPROVED: Better error messages and user feedback during 2FA setup process
* NEW: Setting up 2FA for users in admin pages
* Fix for coupon protection in WooCommerce modern block cart and checkout page - Thank you Priit.