Improved search-engine crawler verification: Google and Bing crawlers are now also confirmed against their official published IP ranges, refreshed automatically, so genuine crawlers are recognized reliably even when a host’s reverse DNS is slow or unavailable.
Scan preflight now runs once per scan instead of repeating mid-scan, preventing needless scan-cache resets that slowed large first-time scans.
1.6.4
Fixed ghost administrator detection being skipped during automated background scans, so hidden admin accounts are now caught on scheduled and remote scans, not just manual ones.
1.6.3
Fixed quick scans dropping unknown and modified plugin or core file findings that a deep scan had detected; these integrity findings now persist across both scan types.
Improved ghost administrator detection to catch admin accounts hidden from the WordPress Users list, and made suspicious admin username findings clearer.
1.6.2
Scanner now shows clear maintenance notices and improved messaging when cloud deep-analysis limits are reached.
Firewall traffic log now records the real user agent for pre-WordPress blocks instead of a placeholder.
Improved CSV export formatting for audit and firewall logs, made firewall log processing more resilient to unusual entries, and refined content scanning and header checks for better reliability.
Added an option to block AI training crawlers (GPTBot, ClaudeBot, and similar) while keeping AI assistants and AI search crawlers allowed.
Search-engine crawlers (Google, Bing) are now confirmed by reverse DNS; requests that falsely claim to be them are blocked on the Balanced and Maximum policies, while genuine crawlers and transient DNS hiccups are always allowed through.
1.6.1
Performance: greatly reduced the number of database queries on every page load by reading all settings in a single cached query, autoloading small status flags, and loading background and cloud work only where it is actually needed.
Fixed a fatal error that could occur when the dashboard loaded its site health and reporting statistics.
Hardened encryption of stored secrets with authenticated encryption bound to each storage slot, and made credential recovery safer so a temporary decryption error can no longer clear a valid connection.
Tightened the file permissions of the plugin’s encryption key.
1.6.0
Sensitive-data scanner now reports exposed archives and backups only in the site root and wp-content, not inside uploads/plugins/themes.
Exposed-file findings are scored by severity and confirmed more accurately to reduce false positives.
Strong-password enforcement can now target specific user roles (defaults to Administrators); removed the rarely-used password-reuse and role-promotion options.
Two-factor enforcement now defaults to Administrators, and the role pickers list the site’s actual roles, including custom ones.
REST API restriction now allows anonymous reads of public content for better theme and headless compatibility, while still blocking user enumeration.
Bundled PHP libraries are now namespace-isolated to avoid conflicts with other plugins that ship the same dependencies.
1.5.3
Fixed a fatal error when the hidden login 404 block rendered themes like Avada/WooCommerce.
1.5.2
Improved scanner compatibility with refreshed WordPress.org file baselines.
Improved activation validation for invalid email addresses and license keys.
1.5.1
Added an admin compatibility notice for security plugins that may overlap with SiteFort server hardening.
1.5.0
Improved scanner worker wakeup reliability on hosts that interrupt one-second loopback requests.
Improved scanner cloud queue utilization and final scan log hydration on managed hosting.
Added a secure tool to rename the default admin username with locking, transactions, multisite handling, and audit logging.
1.4.0
Improved scanner cloud upload reliability with streamed S3 batch uploads and safer fallback handling.
Prevented SiteFort runtime data files from delaying scan completion while preserving malicious hash detections.
1.3.0
Improved cloud wakeup handling so completed cloud scan jobs can securely resume site polling without requiring the admin console.
1.2.0
Fixed scan finding notification actions to open the scanner page instead of the dashboard.
Added concise contextual copy to SiteFort notification emails before scan, firewall, vulnerability, digest, and fallback event details.
Improved scanner findings empty states and vulnerability remediation card updates during active scans.
1.1.0
Improved scanner worker recovery and server-load interruption messaging.
Optimized setup wizard two-factor loading with a consolidated overview request.
Hardened command queue and login lockout cleanup to prevent stale database growth.
1.0.2
Bundled shared timestamp parsing into the admin shared asset to avoid a separate time chunk.
1.0.1
Hardened automated scan scheduling with scanner-owned cron intervals, boot-time reconciliation, site-time run alignment, and stale schedule cleanup.
Fixed audit log, dashboard, and firewall timestamps to use UTC event time consistently.
Fixed dashboard and report daily totals to respect the WordPress site timezone instead of the server or database timezone.
Added site-time display and CSV export fields for audit events while keeping UTC as the canonical timestamp.
Updated file logs to write ISO-8601 UTC timestamps and retain legacy UTC log parsing.
