Atlant Security

Changelog

1.1.4

  • Added: CSV export on the Malware Scanner page — one-click downloads of full, untruncated File Findings and Database Findings (Reddit community suggestion). Paths, matched snippets, and details are no longer truncated — perfect for researching a hit in Excel/Numbers or sending to a security consultant before committing to Quarantine.
  • Added: “Tested up to” bumped to WordPress 7.0
  • Added: Scanner CSV exports are written to the audit log, so fleet admins can see when and by whom the full-detail extracts were downloaded
  • Added: aswp_brand_name, aswp_brand_logo_url, aswp_brand_support_url filters so the Enterprise add-on can white-label the UI for agencies reselling the service
  • Improved: CSV downloads include a UTF-8 BOM so Excel on Windows opens non-ASCII paths correctly

1.1.3 — Security Hardening

  • Security: Custom Login URL grace cookie is now HMAC-signed (bound to user ID + wp_salt); the old “aswp_admin_grace=active” value can no longer bypass the hidden login URL
  • Security: Two-Factor Authentication is now actually enforced for roles listed in “Required Roles” — users who have not enrolled are confined to profile.php on login until they set up TOTP or Email OTP
  • Security: Outbound request log strips query strings and redacts Slack/Discord/Telegram webhook paths before storage — MaxMind license keys, API tokens, signed-URL signatures, and webhook secrets are no longer written to the database
  • Security: SSRF protection always blocks outbound requests to private/internal IP ranges, regardless of the monitor’s log/enforce mode
  • Security: SSRF DNS resolution now checks both IPv4 (A) and IPv6 (AAAA) records — previously only A records were inspected, letting a hostname with a public A record but a private AAAA record bypass the check on IPv6-preferring hosts
  • Security: Concurrent session limiting now keys fingerprint/activity maps by the same verifier hash WordPress uses internally — previously the limiter could never actually destroy old sessions because it mixed raw tokens with verifier hashes
  • Security: Loopback addresses (127.0.0.1, ::1) are no longer auto-whitelisted when the site is configured behind a reverse proxy or Cloudflare — on proxied hosts every visitor would otherwise appear as trusted
  • Security: REST API write-block default policy now allows authenticated users with the edit_posts capability (editors, authors) so Gutenberg and the block editor keep working; only unauthenticated writes are refused
  • Security: Post-Breach “Rotate Secret Keys” now rewrites wp-config.php directly (with a timestamped backup) instead of storing the new keys in wp_options where WordPress never reads them; falls back to a copy-paste snippet if the file is not writable
  • Security: 2FA recovery codes are now generated and stored lowercased so user-entered codes verify correctly — previously the mixed-case display and lowercased verification hashed different strings, causing valid codes to fail
  • Added: Trusted proxy IP setting in Settings › Reverse-Proxy / Load-Balancer — required for correct visitor IP detection behind Nginx, HAProxy, AWS ALB, and other reverse proxies
  • Added: weekly cron schedule registration — required by the weekly Cloudflare / Google / Microsoft / GeoIP refresh jobs which WordPress core does not ship as a default interval
  • Improved: Cloudflare / Google / Microsoft IP-range refresh cron callbacks now skip the outbound fetch when the matching integration toggle is disabled
  • Improved: Multi-line settings (currently: trusted proxy IPs) preserve newlines on save instead of being collapsed by sanitize_text_field()
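
The dual-stack SSRF check described in the 1.1.3 notes above, sketched as an added example (this is not the plugin's own code, and every function name here is hypothetical). It resolves both A and AAAA records and refuses the request if any resolved address is private, loopback or link-local, relying on PHP's built-in filter_var() range flags.

```php
<?php
// Added example, not Atlant Security's code; all function names are hypothetical.

/** True when an IP literal is private, loopback, link-local or unparseable. */
function example_ip_is_internal(string $ip): bool
{
    // filter_var() returns false for invalid input too, so this fails closed.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

/** Every address the name resolves to, IPv4 (A) and IPv6 (AAAA) alike. */
function example_resolve_all(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
        $ips[] = $record['type'] === 'AAAA' ? $record['ipv6'] : $record['ip'];
    }
    return $ips;
}

/** Allow the request only if no resolved address is internal. */
function example_outbound_allowed(string $url, ?callable $resolver = null): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = trim($host, '[]'); // parse_url() keeps the brackets of IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !example_ip_is_internal($host);
    }
    $ips = ($resolver ?? 'example_resolve_all')($host);
    if ($ips === []) {
        return false; // nothing resolved: refuse rather than guess
    }
    foreach ($ips as $ip) {
        if (example_ip_is_internal($ip)) {
            return false; // one internal record is enough to refuse
        }
    }
    return true;
}

// Constructed sample: a name with a public A record and a private AAAA record.
$fake = fn(string $h): array => ['203.0.113.10', 'fd00::1'];
var_dump(example_outbound_allowed('https://dual-stack.example/hook', $fake));
```

A check like this only holds if the HTTP client then connects to one of the addresses that was validated; resolving again at connect time reopens the gap.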

1.1.2

  • Added: About page with 5-Layer Defense Architecture, competitive features list, attack vector coverage, and plugin information
  • Improved: Dashboard decluttered — informational panels moved to About page for a cleaner operational view
  • Improved: About page lists 15 unique competitive features with descriptions
  • Fixed: Setup wizard no longer auto-redirects on plugin activation or reactivation
  • Fixed: Setup wizard accessible from sidebar navigation at any time

1.1.1

  • Improved: Visitor log table uses percentage-based column widths for fluid layout across screen sizes
  • Improved: Filter bar and results info bar spacing tightened
  • Fixed: Setup wizard admin notice removed — no longer floats above page layout

1.1.0

  • Improved: Stat cards compacted — smaller icons, tighter padding, reduced font sizes
  • Improved: Page header, grid column, and IP list padding reduced for denser layout
  • Fixed: Session timeout now correctly respects “Exempt Administrators” setting for idle timeout and session fingerprint binding (was only checked for concurrent session limits)
  • Fixed: Session security settings description updated to reflect full admin bypass scope

1.0.9

  • Improved: Inner sidebar width reduced from 240px to 200px with tighter item padding
  • Improved: Table headers shortened (IP Address → IP, Country → flag only, etc.)
  • Improved: Top IPs widget uses compact 24x24px icon buttons instead of full-width buttons
  • Improved: Dashboard grid right column uses responsive minmax sizing
  • Improved: Page content padding and table cell padding reduced globally

1.0.8

  • Fixed: Visitor log column widths — JS table-resize no longer overrides CSS-defined column classes
  • Fixed: Added CSS column width classes to all table headers (visitor log + dashboard live visitors)
  • Fixed: Dashboard live visitors table shows flag only (removed redundant country code text)

1.0.7

  • Added: Inner sidebar navigation (Nexus SEO style) — all plugin pages accessible from a persistent left panel
  • Added: WordPress sidebar shows single “Atlant Security” entry instead of 23 submenu items
  • Added: Sidebar brand header with logo, active page highlighting, version footer
  • Added: Responsive sidebar — collapses to horizontal nav on screens below 1024px
  • Fixed: Plugin footer now renders inside page layout instead of WP’s admin footer area
  • Fixed: “Sorry, you are not allowed to access this page” error caused by removing WordPress $submenu entries — now uses CSS-based hiding to preserve permission checks

1.0.6

  • Improved: All plugin admin pages now send no-cache headers to prevent stale data from caching plugins
  • Fixed: Top Pages widget CSS class mismatch causing broken styling
  • Fixed: Top IPs widget now excludes whitelisted IPs from the list

1.0.5

  • Fixed: decodeEntities function scoping bug in admin.js causing HTML entity rendering issues

1.0.4

  • Added: GeoIP country resolution — MaxMind GeoLite2-Country integration with pure-PHP MMDB reader, auto-download, weekly auto-update, and dedicated admin page with test lookup
  • Added: Custom Login URL module — move wp-login.php to a custom slug with automatic redirect of the default login page
  • Added: Password Policy module — configurable minimum length, character requirements, common password blocking, and passphrase generator
  • Added: Force SSL Admin as a plugin-managed setting (defines FORCE_SSL_ADMIN constant at runtime)
  • Added: Auto-Update Plugins and Auto-Update Themes toggles in Settings and Hardening checklist
  • Improved: Admin sidebar pages reordered alphabetically for easier navigation
  • Improved: Post-Breach Command Center layout — lockdown status widget moved into Critical Actions grid
  • Improved: Hardening checklist — Force SSL Admin now toggleable from the checklist (was “Manual fix required”)
  • Fixed: Post-Breach page SQL queries referenced nonexistent table name (aswp_ip_blocks → aswp_blocked_ips)
  • Fixed: Post-Breach blocked IP count query used wrong column names (expires_at → permanent/blocked_until)
  • Fixed: Database migration duplicate-key error that broke all AJAX endpoints (visitor log, dashboard widgets)
  • Fixed: Settings loss on plugin reactivation — WAF mode, auto-blocks, and setup wizard no longer reset
  • Fixed: Timezone mismatch between stat cards and live visitors (gmdate/NOW vs current_time)
  • Fixed: Text domain loaded too early warning on WordPress 6.7+ (moved to init hook)
  • Fixed: Plugin deletion wiped all data — uninstall now requires explicit opt-in via deactivation dialog or Settings toggle
  • Fixed: ALTER TABLE ADD INDEX SQL errors corrupting AJAX JSON responses when WP_DEBUG_DISPLAY is on
  • Fixed: Consistent timezone handling across all 12 modules
  • Fixed: Correlated subquery in update_blocked_counts cron job — replaced with single JOIN
  • Fixed: Daily digest cron hook not cleared on plugin deactivation
  • Fixed: GeoIP database directory cleanup in uninstall.php
  • Internal: Complete codebase prefix migration from fwwp_ to aswp_ with automatic database migration on upgrade

1.0.3

  • Added: Honeypot module with hidden link trap, fake login page, comment honeypot, CF7 integration
  • Added: 3-layer safe bot protection for honeypots (robots.txt, nofollow, UA detection)
  • Added: Security Headers admin page with letter-grade scoring
  • Added: Two-Factor Authentication admin page with TOTP and Email OTP
  • Added: Notifications admin page (Email, Slack, Webhook, Daily Digest)
  • Fixed: Top IPs widget now shows VirusTotal link, Block button, and Details button
  • Fixed: IP Detail Modal — added max-height, scroll, wider layout
  • Fixed: Blocked IPs now correctly log 403 status code instead of 200
  • Fixed: TwoFA role handling for comma-separated role strings

1.0.2

  • Added: 5 new security modules — AI Crawlers, REST API Policies, Session Security, Outbound Monitor, Cron Guard
  • Added: 5 new admin pages with full settings UI for each module
  • Improved: Dashboard with live visitors auto-refresh, traffic chart, top IPs/pages widgets

1.0.1

  • Added: Setup Wizard with 7-step guided configuration
  • Added: IP Detail Modal on Dashboard
  • Improved: Dashboard stat cards, browser distribution chart
  • Fixed: Setup wizard pagination and button responsiveness

1.0.0

  • Initial release with 17 security modules
  • Web Application Firewall with 28+ attack pattern rules
  • Brute force protection with progressive lockout
  • Malware scanner (file and database)
  • Post-breach recovery toolkit (12 actions)
  • IP blocking and whitelisting
  • Visitor log with filtering and pagination
  • Admin audit log
  • WordPress hardening (6 toggles)
  • Rate limiter (11 endpoint categories)
  • Real-time security dashboard

Author: Atlant
Version: 1.1.4
Last Updated: April 24, 2026
Requires: WordPress 6.0
Tested Up To: WordPress 7.0
Requires PHP: 8.0