* NEW: Overview tab - AI Security Advisor card, next best actions, what changed since your last AI review, and quick action links to key modules.
* NEW: Security Advisor - Suggested next steps and "what changed since last report" panels use scan snapshots without an extra AI call.
* FIX: AI Security Advisor - Database upgrade on update adds the snapshot column to existing AI report tables so comparisons work on upgraded sites.
* FIX: 2FA (Pro) - Email code verification works when you press Verify or Enter.
* IMPROVED: 2FA (Pro) - Login verification updates apply immediately after plugin updates.
* IMPROVED: 2FA (Pro) - Administrator is pre-selected under Required Roles when 2FA is not yet enabled; clearer grace period help for required roles.
* FIX: AI Security Advisor - Your selected AI connector applies when you generate a report.
* IMPROVED: AI Security Advisor - Model selection follows WordPress AI Client settings.
* FIX: Setup wizard - Opens automatically on first install only.
* IMPROVED: Cloud Firewall (Pro) - Added more WP Compress service IPs to the built-in automatic whitelist (always on; no checkbox required).
* FIX: Cloud Firewall - Filter Suspicious Queries no longer false-positives on s2Member loader URLs.
* NEW: Cloud Firewall (Pro) - MonSpark uptime monitoring IPs are included in the built-in automatic whitelist (always on; no checkbox required). Thank you Heath.
* IMPROVED: Core Scanner - Detects unexpected files in the WordPress root and hidden dotfiles in wp-admin and wp-includes.
* NEW: Malware Scanner (Pro) - Flags suspicious plugin and theme folder structure when wordpress.org checksums are unavailable (review recommended, separate from malware signatures).
* IMPROVED: Malware Scanner (Pro) - Clearer integrity messaging; structural findings included in issue counts, whitelist, scheduled reports, and AI advisor context.
* IMPROVED: Core Scanner - OS metadata files (e.g. .DS_Store) are excluded from scan results.
* IMPROVED: Core Scanner - Severity levels (critical, warning, notice) with guidance for phpinfo and dev-tool files; table-based results UI.
* IMPROVED: Core Scanner - Live scan results without page reload; summary stats; Overview Core Integrity widget.
* IMPROVED: White Label (Pro) - Security Advisor and Overview use your white label plugin name in the UI and AI reports. Thank you Davina.
* IMPROVED: Visitor Log (Pro) - Cleaner Refresh button on the visitor log page.
* IMPROVED: Core Scanner - Summary strip with scan context, status banner, and last-scan metadata; delete or restore individual rows without a full rescan.
* IMPROVED: Core Scanner - Findings action buttons match Malware Scanner styling (View File, Diff, Restore, Delete).
* IMPROVED: Malware Scanner (Pro) - Issue counter on the Malware tab when suspicious files are found.
* IMPROVED: Malware Scanner (Pro) - Summary strip with last-scan context, status banner, and Whitelist all; streamlined results header.
* IMPROVED: Malware Scanner (Pro) - Findings use the same table layout as Core Scanner (file, severity, guidance, actions) with location group headers.
* IMPROVED: Core Scanner and Malware Scanner - Cleaner findings list layout.
* NEW: 2FA (Pro) - Optional mode: enable 2FA without requiring any role; leave all required roles unchecked for opt-in only (with an admin notice when saved).
* NEW: 2FA (Pro) - Users can enable 2FA from their profile (authenticator app or email, when allowed) even if their role is not required.
* NEW: 2FA (Pro) - Admins can allow authenticator app and/or email; users choose their method at login when both are enabled (preference is remembered).
* IMPROVED: 2FA (Pro) - Required roles can be fully unchecked and stay saved (previously Administrator was forced back on).
* IMPROVED: 2FA (Pro) - Grace period "Skip for now" applies only to role-required users who have not voluntarily enrolled.
* IMPROVED: 2FA (Pro) - Grace period can be set to 0 days to enforce setup immediately
* IMPROVED: CSS on wizard installation.
* FIX: Cloud Firewall (Pro) - Visitor log retention ("Keep visitor logs for") is now enforced by a daily scheduled cleanup task.
* NEW: Tools (Pro) - "Clear visitor log" button to delete all firewall visitor log entries manually.
* NEW: Setup wizard available for all; first install opens the wizard automatically.
* IMPROVED: Cloud Firewall – The firewall master switch now consistently controls all firewall enforcement (404 Guard, WooCommerce protection, country rules, and cloud IP blocking). Login Protection (brute-force limits, rename login, 2FA, and related messages) continues to operate independently when the firewall is turned off.
* FIX: Cloud Firewall - Manual whitelist entries for localhost (127.0.0.1 / ::1) now reliably exempt requests from cloud reputation blocks; server cron and WP-CLI traffic is no longer blocked during early firewall checks. Non-public IPs are excluded from cloud blacklist matching.
* FIX: Cloud Firewall (Pro) - Country blocking now blocks the full site when "Only block these countries from login functionality" is OFF, regardless of the "Prevent Banned IPs from Accessing the Site" setting. Previously, country bans could behave like login-only blocks when that IP setting was OFF.
* IMPROVED: Wizard - single Pro overview on Welcome for free users; removed per-step upgrade buttons.
* IMPROVED: Wizard - Events Logger and Vulnerability Scanner activation steps.
* IMPROVED: Wizard - Login protection as dedicated Pro step.
* IMPROVED: Wizard - Pro badges on footer nav for Login, Fixes, and WooCommerce (hidden for licensed Pro users).
* IMPROVED: Wizard - skip wizard from intro; rerun warning only shown after wizard has been completed once.
* IMPROVED: Wizard - Dead code cleanup.
* REMOVED: WP Pointer "thank you for installing" tour and dashboard welcome banner (replaced by wizard).
* IMPROVED: Renamed review-notice dismiss nonce for clarity (`wf_sn_dismiss_review`).
* NEW: Security Tests Quick Filter - **Fixable** shows tests with one-click auto-fix available.
* NEW: Malware Scanner - **Whitelist all** button for currently flagged files (with confirmation).
* FIX: Apply Fix - after a fix completes, the test row refreshes automatically (spinner stops, status icon and score update, clear success message).
* IMPROVED: Tools page - unique form IDs and dedicated nonce fields/actions per form (Update Database, Reset 2FA, Legacy cleanup, Import, Secret URL reset).
* IMPROVED: Cloud Firewall - suspicious-query filtering now resolves visitor hostnames only when needed for blocked-hostname rules, with per-IP caching. Thank you Paul.
* IMPROVED: Cloud Firewall - Bundled data lists (ManageWP/UptimeRobot/Uptimia service IPs and the country list) are now stored as JSON data files so security scanners no longer flag them as false positives. Thank you Daryl.
* REMOVED: Unused MainWP remote actions (run_malware_scan, update_vulnerabilities, force_create_tables); malware runs via run_all_tests, tables created on activation/upgrade.
* FIX: Scheduled Scanner (Pro) - Scheduled scans now self-heal. If the scheduled event goes missing (for example after a long scan times out or a cron/optimization plugin clears it), it is recreated automatically instead of requiring you to re-save settings.
* FIX: Scheduled Scanner (Pro) - Email reports now show the correct status changes. Status labels (Good / Warning / Failed) and the "improvement" vs "security concern" wording are no longer reversed.
* IMPROVED: Security Tests - When a test cannot reach your site (e.g. a connection timeout), it now reports a "Warning / could not verify" result instead of a hard failure, so temporary network hiccups no longer look like new security problems.
* FIX: 2FA (Pro) - After verifying 2FA, the post-login redirect now mirrors WordPress core's capability handling. Users on roles that cannot access wp-admin are sent to an appropriate page instead of the dashboard (which could bounce them to the front page and appear logged out). Thank you Jason.
* IMPROVED: Updated bundled dependencies - Freemius WordPress SDK (2.13.1 → 2.13.2), phpseclib (2.0.54 → 2.0.55), and PHP Malware Scanner (1.0.30 → 1.0.31).
* FIX: Change Login URL (Pro) — Works when Cloud Firewall is disabled; only “Change login URL” and the slug need to be enabled under Login Protection.
* FIX: Change Login URL (Pro) — `/your-slug/` login URLs work even when permalinks are Plain (fixes 404 when the Preview link used a path-style URL).
* FIX: Change Login URL (Pro) — Reliable path matching for subdirectory installs; fallback serves login if WordPress resolved the request as a 404.
* FIX: Change Login URL (Pro) — wp-admin blocking applies to `/wp-admin` with or without a trailing slash.
* IMPROVED: Change Login URL (Pro) — Admin Preview shows the same URL the plugin uses (`?slug` on Plain permalinks, `/slug/` otherwise).
* FIX: Change Login URL (Pro) — Checkout and other frontend flows that use WordPress `admin-post.php` (for example FluentCart account creation during checkout) no longer show “Access Denied” for visitors. Legitimate public handlers registered with `admin_post_nopriv_*` are allowed; direct access to the rest of wp-admin stays blocked.
* IMPROVED: Rename Login (Pro) — Recognized temporary-login plugin links (Temporary Login Without Password, One Time Login, Magic Login, Login Links) are no longer blocked when accessing wp-admin before authentication completes. Extend via the `securityninja_rename_login_allow_autologin` filter.
* IMPROVED: AI Security Advisor now uses WordPress 7 structured AI responses for more reliable report output.
* IMPROVED: AI Security Advisor reports now include richer context from Security Tests, Vulnerability Scanner, Core Scanner, and recent security events.
* IMPROVED: Pro sites now include Malware Scanner findings in AI report context when available.
* NEW: WordPress 7 Abilities (optional, on by default): expose read-only security data to other WordPress AI clients—Security Test summary (passed/warning/failed), 7-day attack activity vs the previous week, and the latest saved AI Security Advisor report. Control exposure under Security Advisor → Settings; turning this off does not affect generating reports or follow-ups on the Security Advisor page.
* NEW: Added a dismissable "Re-evaluate with AI" reminder after tests, scans, and firewall setting changes (stays hidden after dismiss until a new security event occurs).
* FIX: Two-factor authentication (Pro) — When 2FA is enabled but required roles were missing or invalid, login could skip the 2FA step. Security Ninja now falls back to requiring **Administrator** so the code prompt always appears for protected accounts.
* FIX: Saving 2FA status would fail if firewall not enabled. Thank you Vassos.
* Added a new Tools-page Cleanup button. Securely removes any legacy options or data. Thank you Davina for the idea.
* FIX: Cloud Firewall (Pro) — Clearing **all** countries in country blocking and saving now actually turns country blocking off. Previously, choosing “none” could leave old selections in place because empty lists were not saved correctly.
* IMPROVED: Cloud Firewall — IP whitelist entries written as **ranges** (CIDR, one per line on IP Management) now apply the same way everywhere: visitor checks, secret recovery links, and automatic whitelist logic no longer treat ranges like plain single IPs only in some code paths.
* NEW: Cloud Firewall (Pro) — Option to soften country blocking for satellite ISPs like Starlink. Easily enable or adjust under Firewall → Settings for smoother access while keeping strong protection.
* IMPROVED: Cloud Firewall (Pro) — If a country or cloud block is skipped because the visitor is using a satellite ISP (satellite ASN softening), you'll now see this clearly in the Events log.
* Maintenance release - Minor improvements and stability.
* FIX: Security Fixes — Saving the Fixes screen now applies wp-config changes only when toggles are ON: disable file editor, disable WP_DEBUG, and secure session cookies. Previously, always-present form keys made the “on” paths run even when options were OFF, which could append duplicate `define()` lines and trigger PHP notices (thanks Masahiro Kasahara for the report). `update_define` also skips appending a constant that is already defined (e.g. set from an included file).
* Setup wizard – Fixed errors in the wizard and made a few small improvements.
* FIX: Event Logger – Plugin and theme installs are now logged (previously only updates were recorded). Activate and deactivate events are always logged with a fallback label when plugin name cannot be read.
* NEW: Event Logger – Now also logs activated_plugin, deactivated_plugin, add_user_role, and remove_user_role for a fuller audit trail.
* Event Logger – reliability: Event Logger now records settings changes, post updates, plugin activation/deactivation, and user events correctly when the module is enabled. Previously, events could be missing due to licensing checks blocking the write path; logging no longer depends on that for storing events.
* Event Logger – less noise: A single click to update an already-published post now creates one log entry instead of three. Saving a settings page (e.g. General) creates one entry instead of duplicate entries.
* Event Logger – clearer actions: Settings saves are logged with the action "options_saved" and show which settings page was updated (e.g. General, Reading). Internal WordPress hook names like "whitelist_options" are no longer shown in the log.
* Event Logger – security: Passwords and account activation keys are never stored in the log or shown in event details. User registration and profile update events only store non-sensitive data.
* AI Security Advisor – Get a plain-English security summary and top improvements from your security tests. Uses WordPress 7 AI Connectors (OpenAI, Google, Anthropic); no domains, URLs, or personal data are sent.
* AI Security Advisor – Overview tab shows when your site was last reviewed and a one-line teaser from the latest report, or invites you to run your first review or set up a connector.
* AI Security Advisor – Dashboard widget shows advisor status at a glance (last reviewed, ready for first review, or set up) with a quick link to the Security Advisor page.
* Event Logger – Login events are recorded only when a valid user is present, so your log stays accurate when other plugins or tools fire login-related hooks.
full change log for this version on link
https://wpsecurityninja.com/changelog/