Security Ninja – Secure Firewall & Secure Malware Scanner

Description

This plugin can be downloaded for free without any paid subscription from the official WordPress repository.

Get started in minutes:

For over a decade, Security Ninja has been the guardian of thousands of websites, empowering site owners like you to navigate the digital space with confidence. Instantly run 50+ security tests to uncover hidden issues, ensuring your website’s integrity and security. Embrace Ninja’s simplicity and ease of use to fortify your site’s defenses effortlessly.

Enhanced Vulnerability Scanner
– Stay Ahead of Threats: Our vulnerability scanner proactively alerts you to known vulnerabilities, allowing you to address potential threats before they exploit your website.
– Comprehensive Protection: Security Ninja not only checks and warns for common issues but also checks for known vulnerabilities in plugins and themes.
– Peace of Mind: Knowing your site is monitored for the latest vulnerabilities means you can focus on what matters most—growing your business and creating content, worry-free.

Core Scanner – Comprehensive Protection for Your WordPress Installation

The Core Scanner module adds a critical layer of security by ensuring your WordPress installation remains untampered and free of unauthorized files.

• Full Core File Integrity Check: Every file in your core WordPress folders is scanned to ensure it hasn’t been modified or compromised.
• Detection of Unknown Files: The scanner flags any extra or unknown files in your core WordPress directories, alerting you to potential threats.
• Built-in File Viewer: Review flagged files directly within your WordPress dashboard using the integrated file viewer for a clear and easy inspection.
• Restore Core Files: If a core WordPress file has been altered, you can quickly restore it with a single click, ensuring your site is running the official version.
• Easy File Management: For unknown or suspicious files, you have the option to delete them right from the interface, keeping your WordPress installation clean and secure.

This module brings essential security functionality to your site, ensuring the integrity of your WordPress core files with minimal effort on your part.

Join thousands of satisfied users who trust Security Ninja to keep their websites safe. Start protecting your online presence today and help yourself to peace of mind.

Extensions

• MainWP – The MainWP Dashboard allows administrators to manage many WordPress websites from a central location.

Install the FREE Security Ninja for MainWP Extension to get an overview of all websites you have installed Security Ninja on!

https://www.ads-software.com/plugins/security-ninja-for-mainwp/

Security Tests for your website

Security Ninja – Your WordPress Guardian

Key Features

• Immediate Vulnerability Alerts: Get instant notifications about vulnerabilities to keep your website safe and secure.

• Comprehensive One-click Security Audit: With just one click, perform over 50+ detailed security checks that scrutinize every corner of your site for security vulnerabilities and performance issues.

• You’re in Command: Security Ninja respects your autonomy, providing insights and recommendations without making unsolicited changes to your site.

• Holistic Security Evaluation: Comprehensive checks on everything from the WordPress core, plugins, and themes to ensure they are up-to-date and secure.

• Proactive Defense Strategies: Equip yourself with the tools and knowledge to prevent attacks before they happen, safeguarding your site from potential threats.

• Optimization Beyond Security: Improve your site’s performance with database optimization tips, ensuring a seamless experience for your users.

• Knowledge Empowerment: Each test comes with an easy-to-understand explanation, documentation, and actionable steps to fix identified issues.

• Customized Security Insights: Tailored security assessments to check critical updates and configurations specific to your WordPress setup for a personalized protection strategy.

• Future-Proof Your Site: Stay ahead with tests that include the latest WordPress features and best practices for site security.

• Prevent Unauthorized Access: Strengthen your defenses with checks designed to prevent weak passwords and unauthorized file access.

• Secure Configuration Checks: Ensure your website is configured according to security best practices, from file permissions to security headers, for comprehensive protection against threats.

Enhance your website’s security, performance, and user experience with Security Ninja – your trusted partner in WordPress protection.

Security Ninja Pro has extra features: Firewall, Block Suspicious Page Requests, Country Blocking, Core Scanner, Malware Scanner, Auto Fixer for some of the tests, Events Logger & Scheduled Scans.

An all-in-one security solution for any site. With premium support and continuous updates Security Ninja Pro is a perfect tool to keep your site safe. See what the PRO version offers

Automatically block 600+ million bad IPs with one click! Security Ninja Pro Firewall will help you stay one step ahead of bad guys by using the collective know-how of millions of attacked sites, and ban bad guys before they even open your site.

Read more about Pro features on the Security Ninja website

What others say about the plugin

• WP Mayor: “Easy-to-Use WordPress Security Plugin”
• WPLift
• WPExplorer
• WP Loop
• Bitcatcha.com
• WebHostingSecretRevealed
• Ravi Singh
• Tutorials 7
• onlinedecoded.com

Tests
* The tests include:
* brute-force attack on user accounts to test password strength
* numerous installation parameters tests
* file permissions
* version hiding
* 0-day exploits tests
* debug and auto-update modes tests
* database configuration tests
* Apache and PHP related tests
* WP options tests

• Complete list of tests:
  • Check if Application Passwords feature is enabled (new to WP 5.6)
  • Check if WordPress core is up to date
  • Check if automatic WordPress core updates are enabled
  • Check if plugins are up to date
  • Check if there are deactivated plugins
  • Check if active plugins have been updated in the last 12 months
  • Check if active plugins are compatible with your version of WP
  • Check if themes are up to date
  • Check if there are any deactivated themes
  • Check if full WordPress version info is revealed in page’s meta data
  • Check if REST API links are displayed in page’s meta data
  • Check the PHP version is up to date
  • Check the MySQL version
  • Check if server response headers contain detailed PHP version info
  • Check if expose_php PHP directive is turned off
  • Check if user with username “admin” and administrator privileges exists
  • Check if “anyone can register” option is enabled
  • Check user’s password strength with a brute-force attack
  • Check for display of unnecessary information on failed login attempts
  • Check if database table prefix is the default one
  • Check if security keys and salts have proper values
  • Check the age of security keys and salts
  • Test the strength of WordPress database password
  • Check if general debug mode is enabled
  • Check if the debug.log file exists
  • Check if database debug mode is enabled
  • Check if JavaScript debug mode is enabled
  • Check if display_errors PHP directive is turned off
  • Check if WordPress installation address is the same as the site address
  • Check if wp-config.php file has the right permissions (chmod) set
  • Check if register_globals PHP directive is turned off
  • Check if PHP safe mode is disabled
  • Check if allow_url_include PHP directive is turned off
  • Check if plugins/themes file editor is enabled
  • Check if uploads folder is browsable by browsers
  • Test if user with ID 1 and administrator role exists
  • Check if Windows Live Writer link is present in pages’ header data
  • Check if wp-config.php is present on the default location
  • Check if MySQL server is connectable from outside with the WP user
  • Check if EditURI link is present in pages’ header data
  • Check if TimThumb script is used in the active theme
  • Check if the server is vulnerable to the Shellshock bug #6271
  • Check if the server is vulnerable to the Shellshock bug #7169
  • Check if admin interface is delivered via SSL
  • Check if MySQL account used by WordPress has too many permissions
  • Test if a list of usernames can be fetched by looping through user IDs on https://siteurl.com/?author={ID} (also called username enumeration)
  • Check if server response headers contain Strict-Transport-Security
  • Check if server response headers contain X-Frame-Options
  • Check if server response headers contain X-Content-Type-Options
  • Check if server response headers contain Content-Security-Policy
  • Check if server response headers contain Strict-Transport-Security
  • Check if server response headers contain Referrer-Policy
  • Check if server response headers contain Feature-Policy
  • Check for unwanted files in your root folder you should remove

License info

• jQuery Cookie Plugin, Copyright 2013 Klaus Hartl

• The vulnerability scanner uses data from the National Vulnerability Database – NVD

• This product includes IP2Location LITE data available from https://lite.ip2location.com.

• This plugin uses the Persist Admin notice Dismissals by Collins Agbonghama @collizo4sky

How can I report security bugs?

You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. Report a security vulnerability.

Screenshots

Installation

Installing from WordPress

1. Open WordPress admin, go to Plugins, click Add New
2. Enter “Security Ninja” in search and hit Enter
3. Plugin will show up as the first on the list, click “Install Now”
4. Activate & go to Tools – Security Ninja to make your site more secure

Installing Manually

1. Download the plugin.
2. Unzip it and upload to wp-content/plugin/
3. Open WordPress admin – Plugins and click “Activate” next to the plugin
4. Activate & go to Security Ninja to make your site more secure

FAQ

Who is this plugin for?

Security Ninja is perfect for anyone looking to bolster their site’s defenses against hackers and ensure robust security.

Will this plugin slow down my site?

No significant slowdown occurs. You might notice a brief slow down during scanning, lasting less than a minute.

Will it work with my theme?

Yes, Security Ninja is designed to be compatible with all themes, ensuring wide-ranging applicability.

What changes will Security Ninja make to my site?

Security Ninja performs diagnostics and offers recommendations without making any direct changes to your site.

How safe is this plugin?

Absolutely safe. It functions solely as a diagnostic tool, providing insights without altering your site.

Is using Security Ninja legal?

Yes, it’s completely legal for your own site. It’s designed to run tests on the site where it’s installed, aiding in your site’s security enhancement.

What if I encounter issues with the plugin?

While we strive for universal compatibility, if you face any issues, our support team is ready to assist. Visit our support forum to open a new thread, and we’ll help you as soon as possible.

Reviews

Free version is useless

skylabb August 29, 2024 4 replies

The only thing you can run is “Test your website security” which tells you where the vulnerabilities are. My site is hacked and want to find where the malware is,

This plugin is amazing

Vassos Hadjivassiliou April 19, 2024 1 reply

If you’re in the WordPress game, WP Security Ninja is a total game-changer. Seriously, it’s like a secret weapon for developers. It’s so user-friendly, you’ll wonder why you didn’t snag it sooner. And let me tell you, I grabbed the Pro version, and man, no regrets whatsoever. It’s worth every single penny.

I don’t want to be tracked, but also not to be asked for this on every reload

Bastbra September 23, 2024

Hi, I’ve been using Security Ninja, and I am happy, but it’s getting on my nerves that the plugin asks for acceptance on every dashboard reload to use my data for “freemius.com”. If I click “No, thanks” or “x” it will reappear again and again and again. Is this the way to get users to accept it after 10 times? Edit: Now the new update even crashed the site down and only by luck it was possible to track the problem down (Security Ninja) and gain access again.

Works perfect, it’s worth to get pro

earthwormhenry October 25, 2023

No problems after one year works perfectly.

Visitors log problem resolves quickly

jrostinmagnin January 11, 2023

Resolves problem with log visitors very useful The problem was resolved within a day. Very good support

Awesome Plugin

james030 January 3, 2023

Very useful!

Contributors & Developers

Changelog

5.221

• Fixed issue with new QR code shown for some users already having 2FA enabled when trying to log in.
• Fix issue with events logger not sending HTML emails.
• Enhanced email reports in the events logger to look better.
• Improved translation strings in events logger module.

5.220

• Fixed issue with the topbar not using the correct White label icon and title for some users.
• Further improvements to the translation strings.
• Enhancement: White label: Now having an empty icon URL will not show the icon in the topbar.
• Added more debug logging to the scheduled scanner.
• Added missing Bulgarian translation.* Enhancement: 2FA code input field not focusing automatically.
• Fix – visitor log table was not created on some systems.
• Tested up to WordPress 6.7.

5.219

• Improved translations in the plugin.
• PRO: New Language Support!
  We’ve expanded the language support in Security Ninja Pro to better serve our global community. With this update, we’ve added full translations for 16 languages, allowing users to navigate the plugin more comfortably in their native language. Here are the newly supported languages: Danish (da_DK), German (de_DE), Spanish (es_ES), Finnish (fi_FI), French (fr_FR), Croatian (hr_HR), Icelandic (is_IS), Italian (it_IT), Korean (ko_KR), Norwegian Bokm?l (nb_NO), Dutch (nl_NL), Portuguese (pt_PT), Russian (ru_RU), Swedish (sv_SE), Chinese (Simplified) (zh_CN) and Hindi (hi_IN).

This update makes Security Ninja more accessible to millions of users worldwide, with full support for major languages in Europe, Asia, and beyond.

5.218

• Added headers to prevent caching on Cloudflare and other proxies.
• Fixed compatibility issue with Fluent Bookings plugin. Thank you to everyone reporting this issue.
• Added Divi Dashboard to the cloud firewall whitelist. Thank you James.
• Trimmed 2FA module code.
• Trimmed file viewer module code.
• Trimmed unused code in the test descriptions and updated the strings for translation.
• Translation updates.

5.217

• Fix: Events logger emails had a bug where the content generated list did not look correctly in the email.
• Added .inc, .xml, .json, .md, .yml, .yaml, .sql and .ini as allowed file extensions for the file viewer.

5.216

• Refactored the code for enabling the firewall.
• Fix: Resolved an issue with the scheduled scanner not running properly.
• Further improvements to the cloud firewall.
• Added WPCompress to the cloud firewall whitelist.
• When disabling the firewall, 2FA is also disabled and all user 2fa secrets are deleted.
• Improved translation strings, increased the amount of the plugin being translated.

5.215

• Fix: Resolved an issue with error messages showing up regarding \wf_sn_el_modules missing. Thank you everyone reporting this issue.
• File Viewer: Added support for viewing debug.log and error_log files, allowing users to access important debugging information.
• File Viewer: Fixed a PHP notice about a missing timestamp, $timestamp. Thank you Tom for reporting this issue.
• Cloud Firewall: Added a filter secnin_show_woocommerce_login_message to allow customization of the WooCommerce login message display. https://wpsecurityninja.com/docs/filters-hooks/secnin_show_woocommerce_login_message/

5.214

• Fixed issues with 2FA setup not working for some users.
• Improved malware scanner better interface and improvements to the backend.
• Started work reintroducing the database malwarescanner and preparing for a beta release.
• Improvement to the license activation process.

5.213

• Fixed an issue where license activation could lead to a flood of email verification requests. This occurred when users agreed to activate their license but didn’t complete the email confirmation process. Previously, users were allowed to remain anonymous, but this caused unintended complications.
• Fixed an issue in the malware scanner that occasionally caused the scan to stop unexpectedly.

5.212

• Resolved issues causing unexpected errors for some users.
• Improved MainWP integration for smoother functionality.

5.211

• Code cleanup and refactoring.
• Removed anoymous feature when signing up.
• Fix: Resolved an issue with the events logger not sending emails in some cases.
• Improved Scheduled Scanner to load results via AJAX, reducing database load and request times.
• Fix: Resolved issues loading the Core Scanner results window.

5.210

• Feature: Core Scanner module now available to all users. Keeping your core files safe is important.
• Enhancement: Improved file restoration process within the Core Scanner for more reliable recovery.
• UI: Updated dialog messages for better user understanding in file operations.
• Fix: Resolved an issue with the white label feature loading properly for some users with unlimited licenses.
• Fix: Resolved an issue with inline CSS added in admin incorrectly.
• Security: Strengthened nonce verification in AJAX calls for Core Scanner actions.
• New: Automatic license activation for agencies: Automatically activates licenses on sites without an existing activation. Makes it easy to distribute the plugin to multiple sites.
• Security: Enhanced escaping in Core Scanner’s file listing function.
• Improvement: Updated Core Scanner to use WordPress’s built-in hashing function for better security.
• Code: Improved PHPDoc comments in Core Scanner module for better code documentation.

5.209

• Improved 2FA setup and verification process.
• Fix: Resolved an issue where the 2FA setup wizard was not displayed for some users.
• Updated IP2Location package to 9.7.3 to fix an issue with country detection.
• Fix: Issue with country detection in the visitor log module – wrong flag used in some cases.
• Enhanced send_webhook_event function for better reliability and security.
• Enhanced: Vulnerability scanner now displays when each vulnerability list was last updated.
• Fix: Resolved an issue with saving country settings on some sites.
• Improved ‘PHP Headers’ security test for better accuracy and reliability. Thank you Stefan.
• Enhanced error handling and sensitive information detection in server responses.

5.208

• General: Added and updated PHPDoc comments for better code documentation and consistency.
• General: Refactored white labeling functionality for improved performance and maintainability.
• General: Optimized code organization, readability, and adherence to WordPress coding standards.
• General: Enhanced internationalization and output escaping for user-facing strings.
• General: Added a mechanism to prevent error pages from being cached by defining the DONOTCACHEPAGE constant. Thank you Bj?rn.
• Security: Strengthened nonce verification in AJAX calls.
• Security: Enhanced SQL injection prevention in visitor log queries.
• Security: Added validation to prevent banning of private or reserved IP addresses.
• Security: Implemented a 5MB file size limit and directory traversal prevention in the File Viewer module.
• Security: Restricted viewable file types to a predefined whitelist.
• 2FA: Improved error handling and logging.
• 2FA: Addressed potential issues in 2FA setup and verification process.
• Core Scanner: Improved input sanitization for file deletion functionality.
• Core Scanner: Enhanced error handling, logging, and security checks.
• Core Scanner: Refined error messages for more useful debugging information.
• File Viewer: Limited file content display to 10,000 lines to prevent excessive memory usage.
• File Viewer: Updated path handling for better security and performance.
• File Viewer: Fixed potential vulnerabilities in file path handling and content rendering.
• Code Quality: Refactored methods to use prepared statements consistently.
• Code Quality: Improved static caching for better performance.
• Code Quality: Implemented proper escaping when outputting dynamic values.
• Code Quality: Added constants for frequently used values.
• UI: Updated warning message and button text in the setup wizard.
• Tested: Confirmed compatibility with WordPress 6.6.2.
• Enhanced security and code quality in secnin-wizard.js

5.207

• Fixed issue with White label feature warning in vulnerability module.

5.206

• A linebreak too much in the test descriptions allowed some text to show up in the footer of the plugin.

5.205

• Fixed bug not able to storing CIDR ranges.
• Improved IP and CIDR validation logic to correctly handle both IPv4 and IPv6 addresses, including CIDR ranges.
• Improved language translation strings for making more of the plugin translated.

5.204

• Fixed an issue in the Scheduled Scanner where email reports always indicated changes, even when none occurred. The reports now accurately reflect individual test changes.
• Enhanced core scanner functionality for better performance and accuracy.
• Improved security tests to provide more detailed results and clearer error messages.
• Optimized internal code to reduce impact and improve efficiency. This is part of ongoing improvements.
• Made minor adjustments to the file viewer for a smoother user experience.

5.203

• Fix: Resolved an issue that caused theme tests to fail for some users, ensuring smoother theme compatibility checks.

5.202

• New: Introduced a file viewer for both the Core Scanner and Malware Scanner, enhancing the plugin’s security auditing capabilities.
• Fix: Resolved installation and activation errors, including the missing ‘bl_ips’ table. Special thanks to Josh and others for reporting this issue.
• Update: Upgraded to Freemius 2.7.4.

5.201

• Tests: Updated MySQL recommendation to align with the latest WordPress minimum requirements. Thanks to Kittipot for the contribution.
• White Label Instructions: Enhanced the white label instructions for better clarity and ease of use.
• Compatibility: Tested and confirmed compatibility up to WordPress version 6.6.1.
• Added more details to the scheduled scanner tab to correctly show the next time the scans are scheduled.
• Changes to the scheduled scanner email sending logic, emails should be sending more accurately now.
• 2FA: Enabling 2FA no longer starts the setup process immediately.

5.200

• Updated wp-config.php file permissions test.
• Updated and tested with WP 6.6.
• Updated language files.
• Fixes for 2FA issues.

5.199

• Fix in malware scanner whitelist, thank you Christian.
• Fix tests results that gave wrong response to tests results and automatic fixing.

5.198

• Fixed a minor PHP notice triggered by the test for potential sensitive information leaks in headers. Special thanks to Koichi for reporting this issue.
• Fixed a problem with the security headers test on some websites.

5.197

• Fix for White label not hiding on some specific configurations, thank you Michael.
• Fix for saving blacklist IPs under firewall on some systems.
• Fix for detecing TimThumb – the test was giving false positives even on modern themes such as WP Astra. Thank you everyone reporting this issue.

5.196

• Improved responses from security tests to include more details.
• Enhanced handling of HTTP security headers including Content-Security-Policy, Content-Security-Policy-Report-Only, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy to support case-insensitive checks and identification of duplicate headers. Thank you Marcel.
• Enhanced error diagnostics in messages for failed tests to pinpoint the cause of failure more accurately.
• Improved function that reverts whitelisted files.
• Improved functionality that shows any results from the malware scanner.

5.195

• Improved 2FA business logic. Special thanks to all users for their valuable feedback and suggestions.
• Resolved an issue where the scheduled scanner was not running properly on some systems.
• Scheduled Scanner: Added the ability to send reports to multiple email recipients. Separate email addresses with a comma.
• Fixed the autofixer to correctly change the datatable prefix for your site. Thanks, Anthony!

5.194

• Regression fixes from issues in 5.192 + version bump to 5.194

5.192

• Enhancement: Added more details to security test reports and fixed minor issues.
• Enhancement: Improved the vulnerability scanner’s automatic update function to download new vulnerabilities on schedule when upgrading to the premium version.
• Update: Enhanced the email notification system to send more reliable warnings when vulnerabilities are detected.
• Improvement: Added extra checks to better detect and prevent spam registrations.
• Bugfix: Fixed issue with firewall settings not saving properly on some new installations.
• Improvement: Adjusted the firewall to block fewer requests for certain phrases. Thanks, Kamran.
• Enhancement: Improved the php_headers function to check for sensitive server headers like x-powered-by and x-debug-token.
• Update: Enhanced php_headers test to check not just for the presence of headers, but also for leaked information. Now, if the ‘Server’ header exists without detailed information, the test passes.
• Update: Added internationalization for error and status messages using the ‘security-ninja’ language domain.
• Update: Modified whitelisted plugin files.
• Bugfix: Made minor fixes to the 2FA logic to correctly handle redirects after verifying the code.

5.191

• Tested up to WordPress 6.5.4
• Enhanced crawler validation function now supports additional crawlers including Ahrefs, Microsoft, DuckDuckGo, Facebook, Apple, Yandex, Huawei, Common Crawl, Semrush, Swiftype, Sogou.
• Introducing 2FA (Two-Factor Authentication) in beta! Test it out before deploying to all users.
• Improved handling of locally banned IPs, enhancing plugin stability and performance.
• WPMUDEV service IPs now automatically whitelisted for smoother integration.
• Uptimia service now available for whitelisting IPs.
• Resolved issue with remove ‘Server’ header functionality that failed on some installations. Note: Some webhosts overwrites the output.

5.190

• New: Added MainwP integration for White label. Remote control your white label settings.

5.189

• Enhancement: Improved automatic removal of unwanted files, including common backup and development files, as well as files matching specific patterns like deleteme.wp*.php. For more details, visit: https://wpsecurityninja.com/docs/security-fixes/remove-unwanted-files/
• Enhancement: Added names of readme HTML files in various languages to the list of unwanted files.
• Enhancement: Improved malware scanner with detailed information about validated plugins from the public repository.
• Enhancement: Updated malware scanner page to align with the styling of the rest of the plugin and WordPress.
• Bug Fix: Fixes to the email sending part of the vulnerability module.
• Bug Fix: Resolved a JS issue in the event logger module.
• Bug Fix: Fixed a cron job issue that could cause automatic removal of unwanted files to fail in certain situations.

5.188

• Improvement: Reworked the dashboard widget overview.
• Improvement: Cleaned unused code and refactored functions to improve speed overall.

5.187

• Improvement: Stopped logging changes to posts without a title to avoid cluttering logs with irrelevant data.
• Fix: Resolved an issue where the “Update Database Tables” button was not functioning correctly.
• Improvement: If there is an error loading the events there is now a more helpful error message shown with more details that can help debug what is going on. Before there was a popup you had to click to continue.

5.186

• Fix: Scheduled Scanner not working properly in some configurations and did not execute the scheduled scans. Optimized the module to load faster and refactored part of the module.
• Improved visitor checking, fixing an issue with blocked IPs still attempting logins. Thank you Shaun.

5.185

• Fix: Resolved an issue where the white label feature did not consistently rename the plugin in all locations when a new name was entered in the settings.
• Fix: Addressed a problem with the white label feature where a blank image was displayed if no new image URL was provided. The image is now entirely removed in the absence of a suitable alternative.
• Fix: Corrected events tracking issues related to WooCommerce actions.

5.184

• Improved cloud firewall IP detection – made the firewall faster.
• Improved Events log – Among other only show details button if there are any details and to the way the time is presented.
• Updated: collizo4sky/persist-admin-notices-dismissal from 1.4.4 to 1.4.5
• Updated: phpseclib/bcmath_compat from 1.0.7 to 1.0.8

5.183

• Enhanced Multisite Compatibility: Corrected the counting of network activated plugins. Special thanks to Tom for identifying this issue.
• Image Size Fix: Resolved an issue with the maximum image size when white label settings are enabled. Thanks to Aldin for pointing this out.
• Firewall Updates: Introduced whitelisting for known services such as ManageWP and WP Rocket, now featuring easy one-click whitelisting.
• UI Enhancements: Added country flags to the visitor log and events pages for improved user experience and visual identification.

5.182

• New: Events logger can now be deactivated; default is off.
• Fix: Resolved PHP warnings in Scheduled Scanner by properly initializing default options.
• Fix: “Add-ons” now hidden when white label feature is active. Thanks to Mr. 3 for the feedback.
• Update: Changed the default warning message to “Warning: Multiple failed login attempts will result in a temporary lockout.” Thanks to Anthony for the suggestion.
• Adjustment: Modified firewall settings to reduce false blocks on login attempts. Thanks to Simon for the input.
• Documentation: Updated instructions on how to customize or disable firewall filters. Details at https://wpsecurityninja.com/docs/firewall/customizing-firewall-filter-rules/

5.181

• Added more details to blocked requests, eg. request_uri to help pinpoint patterns or methods. Thank you Bill.
• Fixed an issue where white label feature was not available for some users. (Feature is for 20 or more site licenses).

5.180

• Resolved a problem with IP blocking that allowed repeated login attempts to go unchecked.

5.179

• Fixed problem where the license.txt and readme.html file was not automatically removed even if featured turned on. Thank you Ismael.
• Merged 4 tests for unwanted files, eg readme.html and license text to the “unwanted files” test.
• Added fix regarding removing PHP server info – Thank you Brian.
• Fixed Whitelabel issue where several test descriptions included the plugin name. Thank you Mr.3
• Hiding the newsletter signup box for customers.

5.178

• Added our first addon – MainWP

5.177

• Improvement for the White Label feature – Setting a maxiumum size if using SVG as an icon. Thank you Daniel.
• Improvement to the security headers interface – removed redundant text.
• Fix: Content-Security-Policy header did not load properly on some sites.
• Improvement to the white label module.
• Fix for running manual database updates.

5.176

• Fix for a PHP warning in the vulnerability module if no vulnerabilites were found, thank you Stéphane.
• Fix for country selection “No results found”.
• Updated 3rd party libraries

5.175

• Fix for where vulnerable theme version numbers would incorrectly match, eg. ‘6.4’ would not be considered the same as ‘6.4.0’ – Thank you @tischtennis
• Added “Select All” and “Select None” for the country selection. Thank you comoweb.
• Fix: Duplicate define() definitions in wp-config.php, Thank you Stéphane.

5.174

• Fix: Problem saving the “Email report” setting in the Scheduled Scanner. Thank you Pawel.
• Improved the Content Security Policy recommended header settings. Thank you Jeff for the suggestion.
• Fix: Country blocking would not properly identify some IPs. Thank you DJ for reporting.

5.173

• Streamlined performance by eliminating unused dependencies such as the phpuseragentparser library.
• Boosted loading speed through the optimization of redundant timing functions.
• Verified compatibility with WordPress 6.5.
• Introducing: A new filter ‘securityninja_ignored_file_extensions’ for enhanced customization.
• Improved Scheduled Scanner interface and functionality.
• Bug Fix: Resolved an issue with the Scheduled Scanner interface, special thanks to Pawel for reporting.
• Bug Fix: Addressed a concern where Webhooks continued to send data despite being disabled. Once enabled, the system would persist in sending data.
• Bug Fix: Users can now access posts even when “disable username enumeration” restricts frontend access while allowing backend accessibility.
• Bug Fix: Scheduled Scanner settings not saving properly. Thank you Pawel.
• Pro: Updated firewall rules to ensure enhanced protection.
• Pro: Rectified a warning message within the rename login module. Thank you Dorel.
• Updated to Freemius 2.7.0

5.172

• Fix error showing up on some installations after removing the X-XSS-Protection header. Thank you Franz.

5.171

• Optimized by removing redundant code, enhancing overall plugin performance.
• Streamlined database interactions, significantly reducing the number of calls for faster operations.
• Discontinued the use of the “X-XSS-Protection” header. Modern browsers have deprecated this feature due to advanced built-in XSS protections, eliminating false security assumptions and potential compatibility issues. Special thanks to Ivan for the recommendation.
• Enhanced Webhook Features: Fixed PHP warnings related to the recent webhook integration, ensuring smoother operation.
• Improved webhook logic for more efficient logging and faster webhook processing.
• Export Functionality Bugfix: Addressed and corrected an issue where some users experienced errors during data export.
• Security Enhancement: Introduced two new actions for improved security logging, specifically targeting attempts to access renamed login URLs: ‘attempted_access_to_wp_admin_url’ and ‘attempted_access_to_wplogin_php’.

5.170

• Update 3rd party libraries
• Language files updated.
• New: Introducing Webhook functionality (Pro users). Send selected events to a webhook URL. Works great with Zapier.
• Fix for reactivating plugin with empty firewall settings. This could cause a PHP Fatal Error warning.
• Improvement to the Events logger settings page.

5.169

• Fixed: Resolved an issue where the installation date display error occurred if the initial date saving process was unsuccessful. Special thanks to Alberto for highlighting this.

5.168

• Enhancement: Now meticulously tracking each user’s last login moment without depending on previously stored session data. Thank you Kittipot.
• Improvement: Streamlined events log by retaining only IP addresses and User Agent details for logged-in users.
• Fix: Sometimes not saving firewall settings properly. Thank you Ben.
• Fix: Removed – Some unnecessary JavaScript was loaded outside of the plugin admin pages. Thank you Lars.
• Update Freemius SDK to 2.6.2
• Added IP in sidebar for firewall events.

5.167

• Fix for the “Check if REST API is enabled”. Thank you Dorel.

5.166

• Improved MainWP integration for MainWP users.
• Improved integration with SN Vulnerability API server – GZ compression.
• Improved “Remove unwanted files” fix to look for and delete even more files.
• Fix for exporting – Thank you Dorel.
• Fix for “Username enumeration” test – Thank you Dorel.
• Added 10+ knowledgebase articles on https://wpsecurityninja.com/docs/
• Updated 3rd party libraries.

5.165

• Update the events log pruning routines.
• Code cleanup

5.164

• FIX: Clicking “Details” button in the events log. Now you can see all details properly. Thank you Tom.

5.163

• Fix for ‘undefined array’ – related to the newly introduced feature where you can change the login error message. Thank you Tom.
• Fix for emails sent out by vulnerability module even if you had no vulnerabilites.

5.162

• Fix for compatibility with “Stop Spammers Security | Block Spam Users, Comments, Forms” – Thank you @bobf000.

5.161

• Fix – Vulnerability folder creation bug on some installations. Result was that some users could not download vulnerabilities first time the function ran.
• New: Change the message shown to users when they fail to log in. Default “Something went wrong”

5.160

• Major Update with many improvements
• New Feature: Users page – Show last time a user logged in. Help identify inactive users. Go to “Users” and check the added column “Last Login”.
• New: Added inline HelpScout beacon help for free users.
• Improvement: Better email warnings with more details for any detected vulnerabilites.
• Improvement: The plugin longer stores vulnerabilites in database, saves to a local file instead. This lowers the memory usage and overall speed.
• Improvement: The events log now loads after pageload, and makes searching the log much easier and faster.
• FIX: Upgrade from free to premium error – Fatal error “Cannot redeclare”
• Improvement: Added details in sidebar for firewall activities.
• WordPress 6.3.2 compatibility.
• Improvement: Trimming backup folder /sn-backups/ monthly to keep only latest 15 backups.
• Fix: Some autofixes not working correctly.
• Fix: Missing help beacon for some users. Also, we just added over 100+ articles to the inline help.
• Updated 3rd party libraries.

5.159

• Fix: “Check if Application Passwords are enabled” gave warning eventhough function was disabled. Thank you @tischtennis

5.158

• More details for debugging API connection issues.
• Visitor log visual updates.
• Updated Freemius SDK to 2.5.7

5.157.1

• Hotfix for referencing a wrong class name after moving to PHP namespaces in 5.157

5.157

• Speed: Plugin options are no longer autoloaded. Older users might notice an improvement in website speed – Thank you Parag.
• Fix: When deleting an unwanted file via Core Scanner, the message reported an error even when file was successfully deleted.
• Fix: Malware scan could fail due to unexpected output in JavaScript.
• Improved visual layout problem in Events Logger.
• Improved visual layout in the visitor log
• General code improvements and cleaning.
• Worked on PHP 8.2 compatibility – almost complete.

5.156

• Checked WP 6.2 compatibility
• Updated Freemius SDK to 2.5.6

5.155

• NEW: Added details about blocked visitors on dashboard widget.
• FIX: Notice that detected low memory incorrectly on systems with no limit memory setting (-1)
• FIX: Warning notices regarding undefined array keys in the event logger. Thank you Jean-Claude ??

5.154

• FIX: PHP warning the first time the settings in the vulnerabilites module was updated.
• Update the “Application Passwords” test to include info on how to disable the feature. Thank you @lsbk ??
• New: More details in email report, user IP and improved layout. Thank you Kevin for the suggestion.
• New: You can now email events log reports to more than one recipient. Thank you Kevin.

5.153

• FIX: The two Shellshock tests would fail on some servers. Thank you Jeroen and Oliver.
• FIX: A bug in the visitor log details when there is a lot of info to display.
• FIX: The “Enable background plugin updates” notice was shown everywhere. Thank you Ian for pointing out.
• Enable background plugin updates notice is now hidden forever when dismissed.
• Change default time to store visitors to 7 days (much better for big sites with a lot of traffic)
• Fix bug with unexpected results for tests to show up.
• FIX: Remove unused code for plugins not updated for a while. Thank you.
• “Outdated plugins” module completely removed for now to be reworked.
• FIX: Scheduled Scanner tests with Core Scanner sometimes failed. Error found and fixed.
• Updated language files for translators, thank you ??

5.152

• Fix for not cleaning up old files when downloading vulnerable plugin list. Thank you @michaing.
• Fix for visitor log not working properly on some installations. Thank you Jean-Claude.
• Fix for bug in events logger related to comments. Thank you Thomas.
• Fix for descriptions not showing properly for some vulnerabilites.
• Upgrading phpseclib/phpseclib (2.0.40 => 2.0.41)
• Language files updated.

…

Entire changelog can be seen here: changelog