Add AI-powered help to every option to make its purpose easier to understand, with practical examples and usage tips.
2.8.1
Removed deprecated log_save method.
Slight code improvements for better readability.
2.8
Output the module description HTML as is, instead of using wp_kses, to avoid stripping out the tags.
Added button and style tags in the allowed list of tags.
Fix: HTML tag stripped out in the Captcha CloudFlare availability title.
2.7.9
Fix: Security enhancement by replacing unserialize() with a custom deserialization class.
WordPress 6.9 compatibility check.
WordPress 6.9 tag update.
2.7.7
Add 2FA reset links for the users in the Users interface.
Included the in_footer argument for wp_register_script().
Fix: Include no-role as default in the list for the option “Enable the 2FA for specific roles”.
2.7.6
Add escape output for all texts through esc_html_e, esc_html__, esc_html, esc_attr, esc_url.
Add nonces to urls.
Check if a specific superglobal property exists before using it.
Fix wp_kses() stripping out certain html tags. Add to allowed list.
2.7.4
Code improvements, revisions and cleanup.
Add escapes to different texts.
Fix textdomain typos.
2.7.2
Front shortcode [wph-2fa-user-settings] for user 2FA options configuration https://wp-hide.com/2fa-shortcode-let-users-manage-2fa-from-the-front-end/
Compatibility file for FlyingPress
2.7
Remove double quotes in the Apache rewrites for better compatibility.
Fix: Ensure $module_object is an object before retrieving get_module_description()
WordPress 6.8.2 compatibility check and tag update
2.6.8
New feature: Disabling Directory Listing
New feature: Disabling Author Archive
Include the malcare-waf.php and bv_connector_ to the ignore list when checking for dangerous files in the WordPress root.
Include the disable_author_archive into the sample setup.
2.6.7
Fix apache rewrite for “Author Archives via User IDs” option
2.6.6
New feature – Prevent Access to Author Archives via User IDs
WordPress 6.8.1 compatibility check and tag update
2.6.5
Fix: Check for wtlwp_token GET argument if “Temporary Login Without Password” when using the Two Factor Authentication ( 2FA ) feature.
2.6.4
Process the text/xml content type, to allow changing the default URLs in certain sitemaps.
New filter wp-hide/2fa/process_wp_login https://wp-hide.com/documentation/wp-hide-2fa-process_wp_login/
New 2FA option – Disable 2FA when login using a Temporary Login
Compatibility with “Temporary Login Without Password” when using the Two Factor Authentication ( 2FA ) feature.
WordPress 6.8 compatibility check and tag update.
2.6.3
Fix: Custom login page logo ( remove negate empty on $custom_logo_image_id )
2.6.2
New feature – Enable the 2FA for specific roles. Choose the roles for which the 2FA feature will trigger.
Fill the missing options with the component default value.
Avoid re-loading the settings if they exist in the WPH class.
Update the GoogleAuthenticator.php
Fix: Creation of dynamic property WPH::$_2fa is deprecated
2.6.1
Comparison fix within WPForms Lite compatibility file.
Fix: Missing 2FA icons and JS asset.
2.6
New feature – 2FA – Two-Factor Authentication
2FA – Email
2FA – Auth APP
2FA – Recovery Codes
Minor bug fixes
Readme content text description updates
Readme video demo update
2.5.8
Separate all module components settings from the components settings description, to ensure the __() and _e() translation functions trigger after the init action.
Relocate the filter wp-hide/ignore_ob_start_callback higher in the ob_start_callback method, to allow by-passing the buffer processing.
Ignore the comments removal when the content type is application/json
Use module separate method get_interface_menu_position for setting up the position hierarchy in the menus.
Fix: Ensure the security widget is loading the correct data for any user that has access to the dashboard.
Fix: Avoid calling get_plugins() as it triggers a rare issue on certain servers when loading over the HTTP protocol.
2.5.6
Add separate components description texts, for the translations to be available, after init action ( changed in the WordPress 6.5 )
Update the Components classes ( rewrites ) to use separate description.
Updated the translation PO file.
Fix: Check if $all_themes has the key before retrieving the value in is_child_theme()
2.5.4
Fix: Remove the protocol from URLs in the theme’s style file module, to prevent issues when the site’s protocol is inconsistent (e.g., using both HTTP and HTTPS).
2.5.2
Fix: Sanitize the replacement_path in the router.
WordPress 6.7.1 compatibility check and tag update.
2.5.1
Update the compatibility file for WPForms Lite and WPForms PRO
2.5
Include a version number for all script and style assets to ensure the correct data loads when cached.
Load the user interaction JavaScript on the login page as well, to ensure functionality on that page.
Add submenu items to the main menu for improved accessibility.
Check if LSWCP_TAG_PREFIX is defined when using LiteSpeed Cache before clearing the caches.
Clear the Elementor caches, if active, when options change.
Fix: Use rtrim instead of trim to strip the trailing / in the URL.
Update and check compatibility with WordPress 6.7.
2.4.7
Fix: Check if data block is serialized, before applying the revert replacements.
Compatibility update for WP Job Manager
WP Rocket: check if the constant WP_ROCKET_WHITE_LABEL_FOOTPRINT is already defined before defining it.
Compatibility file for Dokan
2.4.4
Prevent redirection to the login page when using GravityForms and use the query gf_page.
On option_block_revert check if the variable is serialized before processing the reverting for the block.
WordPress 6.6.1 compatibility check and tag update.
2.4.2
Undefined function fix.
2.4.1
Add self_admin_url filter for components like WordPress update routine.
Check for the correct page before adding the admin_enqueue_scripts action, for the custom logo interface.
WordPress 6.6 compatibility check and tag update.
2.4
New feature: Block common Theme / Plugin detectors and scanners https://wp-hide.com/documentation/block-theme-plugin-detectors/
Fix: Return true when checking the post meta update if not changed.
2.3.9
New feature: Customize the default login page Logo
Improve the default plugin set-up with more options and include the Headers sample settings.
Slight visual improvements.
Inform to restart the LiteSpeed on certain servers (e.g. Hostinger ).
Use preg_replace to sanitize the input for security improvements.
Compatibility file for WPForms Lite
WordPress 6.5.3 compatibility check and tag update
2.3.8.2
Disable the filter wph/components/rewrite-default/superglobal_variables_replacements and the ignore for _wp_http_referer, as they produce issues with specific plugins
2.3.8.1
Fix Too few arguments to function WPH_module_rewrite_default::_array_replacements_recursivelly()
2.3.8
Ignore the _wp_http_referer when reversing URLs, to ensure the comparison with the existing one does not fail.
Fix for WPForms Lite plugin when using a custom admin URL.
2.3.7
Preserve the field types when replacing superglobals data.
2.3.6
Ensure the is_user_logged_in function is available before calling it.
2.3.5
Update the plugin headers
New module – Disable Admin Url redirect to Login page
Remove deprecated admin-new-_wp-login_php file
WordPress 6.5 compatibility check and tag update
2.3.1
New filter wp-hide/interface/process/minimum_slug_length for customizing the minimum length of the admin and login slug https://wp-hide.com/documentation/wp-hide-interface-process-minimum_slug_length/
Oxygen builder compatibility file updates.
Add end slash for admin custom slug, into the rewrite, to ensure exact match.
Add the filter wph/components/force_run_on_admin to more options for allowing to run into the admin https://wp-hide.com/documentation/wph-components-force_run_on_admin/
WordPress 6.4.2 compatibility check and tag update
2.2.9
Allow custom login URL without requiring a PHP extension.
Require at least 5 chars for the customization of login and admin URL to avoid word conflicts.
Scan XML RPC update, check if the service is disabled to avoid returning false positive.
Compatibility with Redirection plugin; show the default redirect URLs within the interfaces.
Add FLYING_PRESS_VERSION and LiteSpeed Purge to the internal site_cache_clear()
WordPress 6.4.1 compatibility tag update
2.2.4
Fix Undefined array key “file” warning.
Ignore wp-admin, wp-content, wp-includes as custom slugs for any of the options, to avoid code conflicts.
2.2.1
Reverse the replacements for $_FILES super global variable too.
Adjust the login form width, when using the Google Captcha or Cloudflare Turnstile Captcha
Use init action to send the customized login e-mail, to avoid sending it multiple times in certain server environments.
Use debug_backtrace to avoid looping, in conjunction with certain plugins, for login_url filter.
Add a filter for site_url to apply the login customisation when the scheme is ‘login’ or ‘login_post’
Fix reset options form and submit buttons.
Fix various texts and instances.
Tested for WordPress 6.4
2.1.8
New feature Captcha for Login, Register, Password Forget pages etc.
New Captcha – Google Captcha V2
New Captcha – Google Captcha V3
Tested for PHP 8.2.4
2.1.5
Use transient for domain_get_ip to avoid execution delays with certain hosts.
Separate options for Copy / Cut / Paste into the User Interactions interface for better control over the options
A few typo fixes
Compatibility updates for TranslatePress – Multilingual
2.1.1
New filter wph/components/components_run/ignore_component which allows selective disabling for specific components to apply on the front site
https://wp-hide.com/documentation/wph-components-components_run-ignore_component/
Set minimum required WordPress version as 4.0
Set minimum required PHP version as 5.4
2.1
Relocate the plugins_themes_compatibility prior module components initialization.
Avoid looping with certain 3rd-party code by caching the home URL.
HTML Comments removal regex updates.
Compatibility update for qTranslate-XT plugin, when using the option redirect to language and customizing the default login url through WP Hide
2.0.6
Use regex patterns for Scan – Replacements, for better accuracy in the identification of the fingerprints proposed to be changed.
Deprecated Expect-CT.
Remove the Expect-CT from the recommended headers.
2.0.4
Suppress the option to block the Developer Tools / Inspect when page/post preview.
Add to cache clear for Autoptimize, Perfmatters, Breeze, Site Ground Cache, when flushing the caches.
Site Ground Cachepress plugin compatibility update
WordPress compatibility check for 6.2
WordPress compatibility tag update.
1.9.9
Decrease the Scan progress background AJAX update, to avoid time-outs on slow connections.
Improvement: When using the Disable Developer Tools option, check if iPhone device and disable, through JavaScript instead of PHP, to avoid caching.
New Screenshot for better pre-visualization of the actual interface.
Fix: Scan Admin component, Fix button URL.
1.9.7
New Security Headers component – Referrer-Policy.
Check the post meta and option value if serialized ( double serialization ), before reversing the URLs.
Code improvements.
Updated translation PO file.
1.9.5
Replaced the deprecated Feature-Policy with Permissions-Policy security header.
Fix: Scan disable redirects when testing firewall, to ensure correct results
Fix count() error for not countable variable.
PO language file updates
1.9.3
Add additional description for potentially dangerous files found within WordPress root.
Typo fix for “Dangerous Files”
Fix: Tipsy JavaScript error
Fix: Undefined variable $site_score within render_overview()
Fix: Divided by zero when calculating the overall scan progress
Fix: Wrong remote_html variable
1.9.1
New feature – Security Scan.
Security Scan dashboard widget
Inform about a possible LiteSpeed service restart if such a system is in use.
Check if HTTP_USER_AGENT environment variable exists before making comparison.
Fix Oxygen compatibility when using the HTML Minify.
Fix: Cache Enable static call.
1.8.8
New component Headers -> Remove Server Header.
Prevent output of “document.addEventListener” unless a user-interaction option is active.
Add X-XSS-Protection into the headers list, to avoid reporting as not used as security header.
Code Improvements and clean-up.
PO language file update.
1.8.6
Ignore the “Disable Developer Tools” on iPhone
WordPress 6.1 compatibility tag
Fix: Security headers progress comparison step.
Slight css changes
1.8.5
Improved Disable Developer Tools feature, by returning an empty page.
W3 Total Cache – implements support for Push CDN and custom folders
Compatibility fix with JCH Optimize.
Ignore invalid SSL certificate when testing rewrites, to allow local instances.
Fix: static to public functions for a2-optimized compatibility class.
Fix: use preg_match to ensure the HTML data is valid and avoid faulty code with multiple head tags.
Slight text changes within some options, for better explanations.
1.8.3
New options interface – User Interactions: Disable Mouse right click, Disable Text Selection, Disable Copy / Paste, Disable Print, Disable Print Screen, Disable Developer Tools, Disable View Source, Disable Drag / Drop
Better accessibility for additional details regarding each of the options.
Improved progress score calculation for Headers.
A2 Optimized WP – compatibility fix.
WordPress 6.0.2 tag compatibility update
Fix CDN option external help page URL.
1.8.1
Improved server environment rewrite test checking routines.
Separate rewrite tests for static files and PHP files. This avoids reporting issues for servers not supporting rewrites for php-files.
1.8
Add a new button to reset the current page options.
Use regex to sanitize the URL arguments
Relocated the Reset All Settings button to the bottom of the interface.
Compatibility for Super Page Cache for Cloudflare
Slight layout improvements and changes.
WordPress 6.0.1 compatibility tag
1.7.9.2
Change the advanced_notice class within the interfaces to avoid issues caused by 3rd-party themes.
Do not remove comments when json request
WordPress 6.0 compatibility tag
1.7.8.1
When checking and calculating the Headers protection score, ignore the SSL verification for the domain, to allow usage of invalid certificates.
Check if set headers are actually passed-through on the front side, as some servers may block that.
Set WP_ROCKET_WHITE_LABEL_FOOTPRINT to remove the footer comment for WP Rocket, when active
1.7.8
New Security Functionality – Headers. HTTP Response Headers are a powerful tool to Harden Your Website Security.