Hardened malware and integrity scan actions with stricter capability checks, boundary-safe path validation, and server-side verification of auto-fix targets.
Closed the conditional REST comment bypass by enforcing signed anti-spam tokens and comment CAPTCHA on REST comment submissions as well.
Expanded release metadata and readme coverage for comment moderation, digest reporting, and hardening updates.
v2.1.16 – 25 Mar, 2026
Tightened Comment Shield spam detection with casino, betting, gambling, promotional-link, repeated-domain, and thin-link comment heuristics for guest comments.
Added firewall logging when suspicious comments are held and when WordPress routes comments into the pending moderation queue.
Expanded the weekly executive security digest with form spam, comment queue, and broader protection-profile coverage.
Improved the HTML digest layout on mobile by stacking compressed two-column sections into a readable single-column flow.
v2.1.15 – 18 Mar, 2026
Added “Not installed” provider messaging in Spam Protection and disabled unavailable form provider toggles until Contact Form 7 or Fluent Forms is activated.
v2.1.14 – 18 Mar, 2026
Fixed the Firewall settings save flow after the Spam Protection UI refactor by removing stale legacy comment-field JavaScript references.
v2.1.13 – 18 Mar, 2026
Added form anti-spam protection for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and rate limiting.
Added a dedicated Spam Protection UI with separate Comments and Forms controls plus provider toggles.
Logged supported form spam blocks into the WAF/live feed with provider-aware source labels and separated form blocks from general WAF blocks in the live feed.
v2.1.12 – 16 Mar, 2026
Added vulnerability detail fields: fixed version, affected versions, CVSS score/vector, published date, and exploit status.
Added risk score (severity + exposure) badges in vulnerability findings.
Added risk decisions (“Accept risk” / “Ignore”) with expiry and audit log entries.
Persisted risk decisions in a dedicated table and returned decisions in scan results.
Added robust formatting for affected version ranges, including Wordfence-style range objects.
Mapped API fields (patched_versions, published, etc.) to UI-friendly names.
Added inline update/deactivate actions that run without leaving the scan view.
Added post-update rescan to refresh vulnerability cards in place.
Refreshed update transients before building scan items so update actions appear consistently.
v2.1.11 – 16 Mar, 2026
Normalized slug handling for single-file plugins and edge cases to improve scan accuracy.
Continued scans when individual items fail instead of aborting the entire run.
Added timeout/backoff handling with clear 429/503 messaging for vulnerability data requests.
Added short server-side cache per (type, slug, version) and surfaced “data age” in the overview.
Added filters and sorting for severity, component type, active status, and fix availability.
Added direct actions for “Update now”, “Deactivate”, and “Open plugin page”.
Added “Last scan at”, “Errors count”, and “Data age” to the scan overview.
Improved scan flow with “Retry failed”, “Stop scan”, and smart auto-scroll.
Styled scan output filter dropdowns to match the dashboard theme and remove white backgrounds.
v2.1.10 – 16 Mar, 2026
Added Learning Mode suggestions for WAF whitelisting, with configurable thresholds and review-only approvals.
Added a Learning Suggestions panel and actions to approve or dismiss suggested patterns.
Fixed a PHP 8.4 deprecation warning by making trusted proxy settings explicitly nullable.
v2.1.9 – 16 Mar, 2026
Added Proxy/CDN configuration in Firewall settings, including Trust Cloudflare and trusted proxy IPs.
Added in-dashboard warnings when proxy headers are detected but trust is not configured.
Updated IP detection to trust forwarded headers only for configured proxies.
Restricted malware, integrity, and vulnerability scan actions to administrators only.
Hardened integrity scan file handling to prevent unsafe path traversal.
v2.1.8 – 16 Mar, 2026
Fixed PHP 7.4 compatibility by replacing PHP 8-only syntax in scanner, CAPTCHA, and login-security flows.
v2.1.7 – 16 Mar, 2026
Added an approvals workflow for WAF-blocked admin-ajax and REST requests, including targeted whitelist patterns and approve/dismiss actions.
Added admin alerts and a menu badge for pending approvals, with direct links to the Approvals tab.
Moved the Clear Logs action into the Live Security Feed toolbar.
v2.1.6 – 15 Mar, 2026
Added scan progress status notes that highlight the current component or file during Malware, Vulnerability, and Integrity scans.
v2.1.5 – 15 Mar, 2026
Added role-based 2FA enforcement so selected roles must enroll before using the admin dashboard, with a direct setup shortcut.
Moved the live Firewall security feed into its own submenu and replaced pagination with a Load more flow.
Added quick actions to unblock or allowlist locked-out IPs from the Firewall feed.
v2.1.4 – 14 Mar, 2026
Added a Login Security Pack with TOTP-based 2FA, recovery codes, trusted devices, CAPTCHA form protection, XML-RPC policy controls, and weak-password blocking.
Reworked the 2FA setup UX into a clearer step-by-step profile flow with QR provisioning and inline activation feedback.
Fixed 2FA setup and challenge-screen issues so activation errors return to the verification step and the public login flow no longer depends on admin-only helpers.
v2.1.3 – 14 Mar, 2026
Added WP-CLI scan commands for malware, integrity, vulnerability, and combined scan execution.
Added readme documentation and FAQ examples for running VulnTitan scans from the terminal.
v2.1.2 – 14 Mar, 2026
Refined the Vulnerability scanner UI with a more professional overview and findings layout.
Moved the Vulnerability Overview panel outside the scrolling results area so it stays sticky as a separate summary block.
Improved clean-result messaging so results now explicitly reference the scanned plugin, theme, or WordPress core component.
v2.1.1 – 14 Mar, 2026
Added a live-updating Firewall security feed with auto-refresh, pause/resume controls, quick filters, search, and per-event forensic detail panels.
Expanded Firewall feed event data so administrators can inspect richer request, actor, and rule context directly in the admin UI.
Improved live refresh behavior so recent event polling no longer overwrites unsaved Firewall settings while the page is open.
v2.1.0 – 13 Mar, 2026
Added Comment Shield anti-spam protection for WordPress comments with honeypot, submit-time validation, duplicate detection, link controls, and IP rate limiting.
Added Firewall dashboard and weekly digest statistics for blocked or moderated comment spam activity.
Changed Firewall MU loader status to show WordPress-relative paths such as wp-content/mu-plugins/vulntitan-firewall.php instead of absolute server filesystem paths.
v2.0.8 – 13 Mar, 2026
Added a weekly executive security digest email with 7-day firewall telemetry, login abuse summaries, WAF detections, and top targeted paths/rules.
Added Firewall settings for enabling the weekly digest and overriding the recipient email address.
Upgraded the digest into a professional branded HTML email template with VulnTitan logo, metric cards, timeline, and protection profile summary.
v2.0.7 – 13 Mar, 2026
Fixed custom login logout requests on some Nginx-backed WordPress sites so hidden login logout no longer triggers 502 Bad Gateway responses.
Stabilized hidden login request bootstrapping and canonical custom login route handling for logout/login flows.
v2.0.6 – 12 Mar, 2026
Added configurable custom login slug support so administrators can use a private login URL instead of the default wp-login.php path.
Hid direct guest access to default wp-login.php and wp-admin entry points when custom login protection is enabled.
Reworked the Firewall page with a tabbed settings layout, a wider recent events section, and toast-style action feedback.
v2.0.4 – 10 Mar, 2026
Redesigned the VulnTitan Dashboard into an elite, professional security command center layout.
Redesigned the Firewall page into a professional command center layout.
Removed the dashboard sidebar to keep the UI focused on scan operations.
Redesigned the top navigation bar to match the new elite dashboard and firewall style.
Fixed scan progress indicator layout in the redesigned dashboard.