readme.txt — Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) 9.5.0

really-simple-ssl / readme.txt

really-simple-ssl Last commit date

readme.txt

635 lines

1	=== Really Simple Security - Simple and Performant Security (formerly Really Simple SSL)===
2	Contributors: RogierLankhorst, markwolters, hesseldejong, vicocotea, marcelsanting, janwoostendorp, wimbraam
3	Donate link: https://www.paypal.me/reallysimplessl
4	Tags: security, https, 2fa, vulnerabilities, two factor
5	Requires at least: 6.6
6	License: GPL2
7	Tested up to: 6.8
8	Requires PHP: 7.4
9	Stable tag: 9.5.0
10
11	Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
12
13	== Description ==
14
15	=== Really simple, Effective and Performant WordPress Security ===
16	Really Simple Security is the most lightweight and easy-to-use security plugin for WordPress. It secures your WordPress website with SSL certificate generation, including proper 301 https redirection and SSL enforcement, scanning for possible vulnerabilities, Login Protection and implementing essential WordPress hardening features.
17
18	We believe that security should have the absolute minimum effect on website performance, user experience and maintainability. Therefore, Really Simple Security is:
19
20	* Lightweight: Every security feature is developed with a modular approach and with performance in mind. Disabled features won't load any redundant code.
21	* Easy-to-use: 1-minute configuration with short onboarding setup.
22
23	=== Security Features ===
24
25	= Easy SSL Migration =
26	Migrates your website to HTTPS and enforces SSL in just one click.
27
28	* 301 redirect via PHP or .htaccess
29	* Secure cookies
30	* Let's Encrypt: Install an SSL Certificate if your hosting provider supports manual installation.
31	* Server Health Check: Your server configuration is every bit as important for your website security.
32
33	= WordPress Hardening =
34	Tweak your configuration and keep WordPress fortified and safe by tackling potential weaknesses.
35
36	* Prevent code execution in the uploads folder
37	* Prevent login feedback and disable user enumeration
38	* Disable XML-RPC
39	* Disable directory browsing
40	* Username restrictions (block 'admin' and public names)
41	* and much more..
42
43	= Vulnerability Detection =
44	Get notified when plugins, themes or WP core contain vulnerabilities and need appropriate action.
45
46	= Login Protection =
47	Allow or enforce Two-Factor Authentication (2FA) for specific user roles. Users receive a two-factor code via Email.
48
49	=== Improve Security with Really Simple Security Pro ===
50	[Protect your site with all essential security features by upgrading to Really Simple Security Pro.](https://really-simple-ssl.com/)
51
52	= Advanced SSL enforcement =
53	* Mixed Content Scan & Fixer. Detect files that are requested over HTTP and fix them to HTTPS, both Front- and Back-end.
54	* Enable HTTP Strict Transport Security and configure your site for the HSTS Preload list.
55
56	= Firewall =
57	Really Simple Security Pro includes a performant and efficient WordPress firewall, to stop bots, crawlers and bad actors with IP and username blocks.
58
59	* 404 blocking - Blocks crawlers as they trigger unusual numbers of 404 errors.
60	* Region blocking - Only allow/block access to your site from specific regions.
61	* Automated and customisable Firewall rules.
62	* IP blocklist and allowlist.
63
64	= Security Headers =
65	Security headers protect your site visitors against the risk of clickjacking, cross-site-forgery attacks, stealing login credentials and malware.
66
67	* Independent of your Server Configuration, works on Apache, LiteSpeed, NGINX, etc.
68	* Protect your website visitors with X-XSS Protection, X-Content-Type-Options, X-Frame-Options, a Referrer Policy and CORS headers.
69	* Automatically generate your WordPress-tailored Content Security Policy.
70
71	= Vulnerability Measures =
72	When a vulnerability is detected in a plugin, theme or WordPress core you will get notified accordingly. With Vulnerability Measures, you can configure simple but effective measures to make sure that a critical vulnerability won't remain unattended.
73
74	* Force update: An update process will be tried multiple times until it can be assumed development of a theme or plugin is abandoned. You will be notified during these steps.
75	* Quarantine: When a plugin or theme can't be updated to solve a vulnerability, Really Simple Security can quarantine the plugin.
76
77	= Advanced Site Hardening =
78	* Choose a custom login URL
79	* Automated File Permissions check and fixer
80	* Rename and randomize your database prefix
81	* Change the debug.log file location to a non-public folder
82	* Disable application passwords
83	* Control admin creation
84	* Disable HTTP methods, reducing HTTP requests
85
86	= Login Protection =
87	Secure your website's login process and user accounts with powerful security measures.
88
89	* Two-Step verification (Email login)
90	* 2FA (two factor authentication) with TOTP
91	* Passwordless login with passkey login
92	* Enforce strong passwords and frequent password change
93	* Limit Login Attempts
94
95	With Limit Login Attempts you can configure a threshold to temporarily or permanently block IP addresses or (non-existing) usernames. You can also throw a CAPTCHA after a failed login (hCaptcha or Google reCaptcha)
96
97	= Access Control =
98	* Restrict access to your site for specific regions.
99	* Add specific IP addresses or IP ranges to the Blocklist or Allowlist.
100
101	== Useful Links ==
102	* [Documentation](https://really-simple-ssl.com/knowledge-base-overview/)
103	* [Security Definitions](https://really-simple-ssl.com/definitions/)
104	* [Translate Really Simple Security](https://translate.wordpress.org/projects/wp-plugins/really-simple-ssl)
105	* [Issues & pull requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/issues)
106	* [Feature requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/labels/feature%20request)
107
108	== Love Really Simple Security? ==
109	If you want to support the continuing development of this plugin, please consider buying [Really Simple Security Pro](https://www.really-simple-ssl.com/pro/), which includes some excellent security features and premium support.
110
111	== About Really Simple Plugins ==
112	Our mission is to make complex WordPress requirements really easy. Really Simple Security is developed by [Really Simple Plugins](https://www.really-simple-ssl.com/about-us).
113
114	For generating SSL certificates, Really Simple Security uses the [le acme2 PHP](https://github.com/fbett/le-acme2-php/) Let's Encrypt client library, thanks to 'fbett' for providing it. Vulnerability Detection uses WP Vulnerability, an open-source initiative by Javier Casares. Want to join as a collaborator? We're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl) as well!
115
116	== Installation ==
117	To install this plugin:
118
119	1. Make a backup! See [our recommendations](https://really-simple-ssl.com/knowledge-base/backing-up-your-site/).
120	2. Download the plugin.
121	3. Upload the plugin to the /wp-content/plugins/ directory.
122	4. Go to "Plugins" in your WordPress admin, then click "Activate".
123	5. You will now see the Really Simple Security onboarding process, to quickly help you through the configuration process.
124
125	== Frequently Asked Questions ==
126	= Knowledge Base =
127	For more detailed explanations and documentation on all Really Simple Security features, please search the [Knowledge Base](https://www.really-simple-ssl.com/knowledge-base/)
128
129	= What happened with Really Simple SSL? =
130	All features that made Really Simple SSL the most powerful and easy-to-use SSL generation and redirect plugin are still part of Really Simple Security. The plugin is developed with a modular approach: if you don't want to use the full set of security features, the unused code will not be loaded and won't have any effect on your site's performance.
131
132	= Why Really Simple Security? =
133	In our experience, security solutions for WordPress are often hard to configure, trigger many false positives and have a significant impact on site performance. We have been receiving requests from our users to simplify WordPress security for years, so that has become our mission!
134
135	= I want to share my feedback or contribute to Really Simple Security =
136	You couldn't make us happier! Really Simple Security is GPL licensed and co-created by the WordPress community. All feedback is highly appreciated and has always helped us to better understand users' needs. For code contributions or suggestions, we're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl). For suggestions, please [open a support ticket](https://wordpress.org/support/plugin/really-simple-ssl/) You can also express your appreciation by [leaving a review](https://wordpress.org/support/plugin/really-simple-ssl/reviews/).
137
138	= What are Mixed Content issues? =
139	Most mixed content issues are caused by URLs in CSS or JS files. For detailed instructions on how to find mixed content read this [article](https://really-simple-ssl.com/knowledge-base/how-to-track-down-mixed-content-or-insecure-content/).
140
141	= Generating a Let's Encrypt SSL Certificate =
142	We added the possibility to generate a Free SSL Certificate with Let's Encrypt in our Really Simple Security Wizard. We have an updated list available for all possible integrations [here](https://really-simple-ssl.com/install-ssl-certificate/). Please leave feedback about another integration, incorrect information, or you need help.
143
144	= How do I fix a redirect loop? =
145	If you are experiencing redirect loops on your site, try these [instructions](https://really-simple-ssl.com/knowledge-base/my-website-is-in-a-redirect-loop/). This can sometimes happen during the migration to HTTPS or due to conflicting redirect rules.
146
147	= Is the plugin multisite compatible? =
148	Yes. There is a dedicated network settings page where you can control settings for your entire network, at once.
149
150	= How do I enforce strong passwords? =
151	Under Login Protection, you can configure minimum strength settings and require users to change their passwords after a defined interval. Disabling weak password usage is a best practice.
152
153	= How can I change my login URL? =
154	You can set a custom login URL under Advanced Site Hardening, which helps prevent brute force login attacks and bots targeting wp-login.php.
155
156	= Does this plugin redirect HTTP to HTTPS? =
157	Yes. The plugin enforces HTTPS and handles all necessary redirects, optionally using .htaccess or PHP.
158
159	= Can I use Really Simple Security besides WordFence? =
160	Really Simple Security and WordFence greatly overlap in term of functionality. If you like to use specific features from both plugins, we strongly recommend not to enable similar features twice. The benefit of Really Simple Security is that disabled features don't load any code, so won't have an impact on site performance.
161
162	== Changelog ==
163	= 9.5.0 =
164	* Improvement: reworked .htaccess handling with insert_with_markers and improved WP Rocket integration.
165	* Improvement: SBOM added to plugin.
166	* Improvement: corrected spelling, grammar, and consistency issues in plugin strings; updated geopolitical terms.
167	* Fix: whitelisted LiteSpeed Cache crawler in .htaccess to prevent redirect issues.
168	* Fix: corrected 2FA grace period email logic to avoid sending reminders to users with active 2FA.
169	* Fix: updated hosting provider name from "XXL Hosting" to "Superspace".
170
171	= 9.4.3 =
172	* Improvement: improved compatibility with plain permalinks.
173	* Improvement: updated links in the plugin.
174	* Fix: handled a case where the user ID could be empty in 2FA.
175	* Fix: learn more button in vulnerability e-mail link now links to the correct page.
176	* Fix: fixed an issue where rsssl_user_can_manage could be undefined when downloading the system status.
177
178	= 9.4.2 =
179	* Fix: Adjusted .htaccess redirect requirements for subfolder configurations
180	* Fix: re-send e-mail button on the 2FA page will now show a message when the e-mail is sent.
181	* Fix: restored SCSS files.
182	* Fix: fixed an issue where the plugin kept redirecting to its settings page after activation.
183	* Improvement: updated the way other plugins are installed via the onboarding and dashboard page.
184	* Improvement: added notice with an option to force verify e-mail address.
185	* Improvement: updated minimum WordPress version to 6.6.
186
187	= 9.4.1 =
188	* Fix: fixed a translations error where text domain was loaded too early.
189
190	= 9.4.0 =
191	* Improvement: More detailed feedback when using CLI commands.
192	* Improvement: On activation, detect `EXTENDIFY_PARTNER_ID` constant and run `wp rsssl activate_recommended_features`.
193	* Improvement: Standardize RSS onboarding hoster list to brand names.
194	* Improvement: "Disable user enumeration" now returns 401 Unauthorized (instead of 404 Not Found) for non-authenticated requests to the /wp/v2/users/ endpoint.
195	* Include SimplyBook in “onboarding” and “other plugins” sections.
196	* Fix: Adjust plugin initialization timing to prevent a textdomain warning.
197	* Fix: Fixed the feedback when an email is resend during Two-Factor Authentication setup.
198	* Fix: Fixed the Single Sign on link to support custom login urls.
199
200	= 9.3.5 =
201	* April 29th, 2025
202	* Improvement: Tested up to WordPress 6.8
203	* Improvement: Some translation updates
204	* Improvement: Check for autoloader in cron
205	* Fix: 2FA methods can now be set on profile page
206
207	= 9.3.3 =
208	* April 2nd, 2025
209	* Improvement: Added multiple WP-CLI commands to better align with recent plugin features
210	* Improvement: Added support for custom/multiple roles in Two Factor Authentication
211
212	= 9.3.2.1 =
213	* March 20th, 2025
214	* Fix: Properly handle unknown plugins in upgrade requests, preventing unintended behavior.
215
216	= 9.3.2 =
217	* March 5th, 2025
218	* Improvement: Added filters to customize Let's Encrypt Wizard behavior
219	* Fix: Removed default checkbox behavior from configuration settings.
220	* Fix: Handle multiple tooltip reasons for disabled select fields
221
222	= 9.3.1 =
223	* February 12th, 2025
224	* Improvement: Not able to use email needed functions when email is not yet verified.
225	* Fix: All instruction links are now correct.
226	* Fix: Undefined array key "m" when showing vulnerability details.
227	* Fix: Prevent errors when downgrading to free.
228	* Fix: Compatibility between 2FA and JetPack “Log in using WordPress.com account” setting
229
230	= 9.2.0 =
231	* January 20th, 2025
232	* Fix: Added nonce check to certificate re-check button.
233	* Fix: In some cases the review notice was not properly dismissible.
234
235	= 9.1.4 =
236	* Improvement: do not track 404's for logged in users
237	* Improvement: implemented the rsssl_wpconfig_path filter in all wp-config functions
238	* Improvement: Faster onboarding completion after clicking Finish button
239	* Improvement: CSS. Shields in user interface on datatables are no longer cut off
240
241	= 9.1.3 =
242	* November 28th
243	* Improvement: Width Vulnerabilities -> configuration
244	* Improvement: 2Fa lockout notice
245	* Improvement: catch use of short init in advanced-headers file
246	* Improvement: string improvements and translator comments
247	* Improvement: Bitnami support for rsssl_find_wordpress_base_path()
248	* Improvement: integrate Site health notifications with Solid Security
249	* Improvement: Enhanced random password generation in Rename Admin User feature
250	* Improvement: Always return string in wpconfig_path() function
251	* Improvement: Removes configuration options for a user in edit user.
252	* Fix: Remove duplicate site URL.
253	* Fix: ensure rsssl_sanitize_uri_value() function always returns a string, to prevent errors.
254	* Fix: multisite users who have enabled roles couldn’t use the 2fa if an other role than theirs has been forced.
255	* Fix: The ‘Skip Onboarding’ button presented an undefined page after selecting the email method as an option.
256	* Fix: Update translation loading according to the new 6.7 method.
257
258	= 9.1.2 =
259	* security: authentication bypass
260
261	= 9.1.1.1 =
262	* November 5th, 2024
263	*Improvement: updated black friday dates
264
265	= 9.1.1 =
266	* November 5th, 2024
267	* Improvement: setting a rsssl-safe-mode.lock file now also enables safe mode and deactivates the Firewall, 2FA and LLA for debugging purposes.
268	* Improvement: update to system status
269	* Improvement: textual changes
270	* Improvement: Updated instructions URLs
271	* Improvement: Changed site health notices from critical to recommended
272	* Improvement: dropped obsolete react library
273	* Fix: fixed a bug where the 2FA grace period was kept active after a reset
274
275	= 9.1.0 =
276	* October 22nd
277	* Improvement: Allow scanning for security headers via http://scan.really-simple-ssl.com with one click
278	* Improvement: Remove unnecessary rsssl_update_option calls.
279	* Fix: prevent potential errors with login feedback..
280	* Fix: Catch type error when $transients is not an array.
281
282	= 9.0.2 =
283	* Fix: issue with deactivating 2fa
284
285	= 9.0.0 =
286	* September 16th
287	* Fix: Instructions URL in the Firewall settings.
288	* Fix: Fixed incorrect instructions URL
289	* Fix: Let's Encrypt returning an old certificate on auto-renewed certificates
290	* Improvement: As the X-Frame-Options is deprecated and replaced by frame ancestors, we drop the header as recommendation.
291	* Improvement: save and continue in vulnerabilities overview not working correctly
292
293	= 8.3.0.1 =
294	* Fix: Issues with the decryption model
295
296	= 8.3.0 =
297	* August 12th, 2024
298	* Feature: Password security scan. This feature scans your users for weak passwords, and allows you to enforce non-compromised passwords.
299	* Fix: Fixed some strings that were not translatable. This has been resolved.
300	* Fix: Premium support link did not work. Now links to the correct page.
301	* Improvement: Disable the cron schedules on deactivation.
302	* Fix: Links in emails were sometimes not correct. This has been fixed.
303	* Fix: Fatal error on permission detection. This has been resolved.
304	* Improvement: Custom header for the license checks for better compatibility with some hosting environments.
305	* Improvement: Added option to disable X-powered-by header.
306	* Improvement: New improved encryption method for some settings.
307
308	= 8.1.5 =
309	* June 21th, 2024
310	* Fix: documentation links to website broken
311	* Improvement: some text changes in helptexts
312	* Improvement: new structure to upgrade database tables
313
314	= 8.1.4 =
315	* June 11th, 2024
316	* Improvement: dropdown in onboarding not entirely visible
317	* Improvement: Styling of locked XML RPC overview
318	* Fix: Not loading cookie expiration change
319	* Fix: Visual Composer compatibility icw Enforce Strong Password
320	* Fix: Multiple CloudFlare detected notices in onboarding
321	* Fix: Checkbox position in onboarding
322
323	= 8.1.3 =
324	* May 16th, 2024
325	* Fix: WP Rocket compatibility causing an issue when advanced-headers.php does not exist
326
327	= 8.1.2 =
328	* May 16th, 2024
329	* Fix: upgrade advanced-headers.php file to allow early inclusion of the file. The ABSPATH defined check causes in issue for early inclusion, so must be removed.
330
331	= 8.1.1 =
332	* May 14th, 2024
333	* New: detection of non-recommended permissions on files
334	* New: Configure region restrictions for your site
335	* Improvement: Textual change on premium overlay
336	* Improvement: Upgraded minimum required PHP version to 7.4
337	* Improvement: compatibility with Bitnami
338	* Improvement: compatibility of Limit Login Attempts with Woocommerce
339	* Improvement: remove duplicate X-Really-Simple-SSL-Test from advanced-headers-test.php
340	* Improvement: clear notice about .htaccess writable if do_not_edit_htaccess is enabled
341	* Fix: upgrade from <6.0 version to >8.0 causing a fatal error
342	* Fix: URL to details of detected vulnerabilities was incorrect
343
344	= 8.1.0 =
345	* Improvement: some string corrections
346	* Fix: show 'self' as default in Frame Ancestors
347	* Improvement: catch not existing rsssl_version_compare
348	* Improvement: check for openSSL module existence
349	* Improvement: set default empty array for options, for legacy upgrades
350	* Improvement: disable custom login URL when plain permalinks are enabled
351	* New: Limit Login Attempts Captcha integration
352	* Improvement: drop renamed folder notice, not needed anymore
353	* Improvement: enable advanced headers in onboarding
354	* Improvement: is_object check in updater
355
356	= 8.0.1 =
357	* Fix: enable 2FA during onboarding when not selected by user
358	* Improvement: better CSP defaults
359	* Fix: on upgrade to pro, free settings were cleared if "clear settings on deactivation" was enabled
360	* Fix: catch several array key not existing errors
361
362	= 8.0.0 =
363	* New: hide remember me checkbox
364	* New: extend blocking of malicious admin creation to multisite
365	* Improvement: drop prefetch-src from Content Security Policy
366	* Improvement: disable two-fa when login protection is disabled
367
368	= 7.2.8 =
369	* Fix: clear cron schedules on deactivation
370	* Improvement: translations update
371	* Notice: inform users about upcoming merge of free and pro plugin, not action needed, everything will be handled automatically
372
373	= 7.2.7 =
374	* Improvement: added integration with FlyingPress and Fastest Cache
375	* Improvement: fix exiting a filter, causing a compatibility issue with BuddyPress
376
377	= 7.2.6 =
378	* Improvement: text changes
379	* Improvement: css on login error message
380	* Improvement: header detection improved by always checking the last url in the redirect chain
381	* New: Added option to limit login cookie expiration time
382	* Fix: custom 404 pages i.c.w. custom login url
383
384	= 7.2.5 =
385	* Fix: IP detection header order
386	* Fix: table creation on activation of LLA module
387
388	= 7.2.4 =
389	* Fix: PHP warning in Password Security module
390	* Fix: change login url feature not working with password protected pages
391	* Improvement: move database table creation to Limit Login Attempts module
392	* Improvement: prevent php error caused by debug.log file hardening feature
393
394	= 7.2.3 =
395	* Fix: CSP data not showing in datatable
396
397	= 7.2.2 =
398	* Improvement: improved check for PharData class
399
400	= 7.2.1 =
401	* Fix: Config for CSP preventing Learning mode from completing
402	* Fix: datatable styling
403	* Fix: using deactivate_https with wp-cli did not remove htaccess rules
404	* Improvement: add query parameter to enforce email verification &rsssl_force_verification
405	* Improvement: css for check certificate manually button
406
407	= 7.2.0 =
408	* Fix: changed link to article
409	* Fix: remove flags .js file which was added twice, props @adamainsworth
410	* Fix: typo in missing advanced-headers.php notice
411	* Improvement: catch php warning when script src is empty when using hide wp version, props @chris-yau
412	* Improvement: new save & continue feedback
413	* Improvement: datatable styling
414	* Improvement: new react based modal
415	* Improvement: menu re-structured
416	* Improvement: re-check vulnerability status after core update
417	* Improvement: link in the email security notification to the vulnerability page instead of to a general explanation
418
419	= 7.1.3 =
420	* October 11th 2023
421	* Fix: React ErrorBoundary preventing Let's Encrypt generation to complete.
422
423	= 7.1.2 =
424	* October 6th 2023
425	* Fix: hook change in integrations loader causing modules not to load. props @rami5342
426
427	= 7.1.1 =
428	* October 5th 2023
429	* Fix: incorrect function usage, props @heutger
430
431	= 7.1.0 =
432	* October 4th 2023
433	* Improvement: detection if advanced-headers.php file is running
434
435	= 7.0.9 =
436	* September 5th 2023
437	* Improvement: typo update word
438	* Improvement: translatability in several strings.
439
440	= 7.0.8 =
441	* August 8th 2023
442	* Improvement: WordPress tested up to 6.3
443	* Improvement: improve file existence check json
444	* Fix: handling of legacy options in php 8.1
445	* Fix: count remaining tasks
446
447	= 7.0.7 =
448	* July 25th 2023
449	* Improvement: modal icon placement in wizard on smaller screens
450	* Improvement: expire cached detected headers five minutes after saving the settings
451	* Fix: handling of legacy options in php 8.1
452	* Fix: prevent issues with CloudFlare when submitting support form from within the plugin
453	* Fix: translations singular/plural for japanese translations @maboroshin
454
455	= 7.0.6 =
456	* July 4th 2023
457	* Improvement: support custom wp-content directory in advanced-headers.php
458	* Improvement: prevent usage of subdirectories in custom login url
459	* Fix: translations not loading for chunked react components
460	* Improvement: add option to manually re-check vulnerabilities '&rsssl_check_vulnerabilities', props @fawp
461
462	= 7.0.5 =
463	* Fix: some users with a non www site reporting issues on the login page over http://www, due to the changes in the wp redirect. Reverting to the old method. props @pedalnorth, @mossifer.
464
465	= 7.0.4 =
466	* June 14th 2023
467	* Improvement: notice informing about the new free vulnerability detection feature
468	* Improvement: improved the php redirect method
469	* Improvement: make the wp-config.php not writable notice dismissable
470	* Fix: feedback on hardening features enable action not showing as enabled, props @rtpHarry
471
472	= 7.0.3 =
473	* Fix: fix false positives on some plugins
474	* Improvement: vulnerability notifications in site health, if notifications are enabled.
475
476	= 7.0.2 =
477	* Improvement: improve matching precision on plugins with vulnerabilities.
478
479	= 7.0.1 =
480	* Fix: When the Rest API is not available, the ajax fallback should kick in, which didn't work correctly in 7.0. props @justaniceguy
481
482	= 7.0.0 =
483	* New: Vulnerability Detection is in Beta - [Read more](https://really-simple-ssl.com/vulnerability-detection/) or [Get Started](https://really-simple-ssl.com/instructions/about-vulnerabilities/)
484	* Improvement: move onboarding rest api to do_action rest_route
485	* Improvement: catch several edge situations in SSL Labs api
486	* Improvement: SSL Labs block responsiveness
487	* Improvement: more robust handling of wp-config.php detection
488
489	= 6.3.0 =
490	* Improvement: added support for the new Let's Encrypt staging environment
491
492	= 6.2.5 =
493	* Improvement: add warning alert option
494	* Fix: capability mismatch in multisite. props @verkkovaraani
495
496	= 6.2.4 =
497	* Improvement: optionally enable notification emails in onboarding wizard
498	* Improvement: onboarding styling
499	* Fix: catch non array value from notices array, props @kenrichman
500	* Fix: typo in documenation link, props @bookman53
501
502	= 6.2.3 =
503	* Improvement: Changed Back-end react to functional components
504	* Improvement: multisite notice should link to network admin page
505	* Improvement: detect existing CAA records to check Let's Encrypt compatibility
506	* Improvement: tested up to wp 6.2
507	* Improvement: UX improvement learning mode
508
509	= 6.2.2 =
510	* Fix: capability mismatch for a non administrator in multisite admin, props @jg-visual
511
512	= 6.2.1 =
513	* Fix: race condition when activating SSL through wp-cli, because of upgrade script
514	* Fix: missing disabled state in textarea and checkboxes
515	* Fix: some strings not translatable
516	* Fix: Let's Encrypt renewal with add on
517	* Improvement: permissions check re-structuring
518	* Improvement: notice on subsite within multisite environment about wildcard updated
519
520	= 6.2.0 =
521	* New: optional email notifications on advanced settings
522	* Improvement: added tooltips
523	* Improvement: added warnings for .htaccess redirect
524	* Improvement: don't send user email change on renaming admin user, as the email doesn't actually change
525	* Improvement: Use BASEPATH only for wp-load.php, so symlinked folders will load based on ABSPATH
526	* Improvement: Improved support for environments where Rest API is blocked
527
528	= 6.1.1 =
529	* Fix: WP CLI not completing SSL when because site_has_ssl option is not set if website has not been visited before, props @oolongm
530	* Improvement: prevent 'undefined' status showing up in api calls on settings page
531	* Improvement: show notice if users are using an <2.0 Let's Encrypt shell add-on which is not compatible with 6.0
532
533	= 6.1.0 =
534	* Improvement: some UX changes
535	* Improvement: Limit number of notices in the dashboard
536	* Improvement: load rest api request url over https if website is loaded over https
537	* Fix: empty menu item visible in Let's Encrypt menu
538
539	= 6.0.14 =
540	* Fix: settings page when using plain permalinks, props @mvsitecreator, props @doug2son
541
542	= 6.0.13 =
543	* Improvement: improve method of dropping empty menu items in settings dashboard
544	* Improvement: dynamic links in auto installer
545	* Improvement: Let's Encrypt Auto installer not working correctly, props @mirkolofio
546	* Improvement: change rest_api method to core wp apiFetch()
547	* Improvement: scroll highlighted setting into view after clicking "fix" on a task
548	* Improvement: run http method test in batches, and set a default, to prevent possibility of curl timeouts on systems with CURL issues
549	* Improvement: clean up code-execution.php file after test, props @spinhead
550	* Improvement: give notification if 'DISABLE_FILE_EDITING' is set to false in the wp-config.php props @joeri1977
551	* Improvement: drop some unnecessary translations
552	* Improvement: set better default, and change transients to option for more persistent behavior in wp version test, props @photomaldives
553	* Fix: Burst Statistics not activating after installation
554	* Fix: CSS for blue labels in progress dashboard below 1080px
555	* Fix: WPCLI SSL activation not working due to capability checks, props @oolongm
556	* Fix: catch invalid account error in Let's Encrypt generation, props @bugsjr
557	* Fix: do not block user enumeration for gutenberg
558
559	= 6.0.12 =
560	* Fix: on multisite, the test for users with admin username did not use the correct prefix, $wpdb->base_prefix, props @jg-visual
561	* Improvement: allow submenu in back-end react application
562	* Improvement: Skip value update when no change has been made
563	* Improvement: no redirect on dismiss of admin notice, props @gangesh, @rtpHarry, @dumel
564	* Improvement: remove obsolete warning
565	* Improvement: qtranslate support on settings page
566
567	= 6.0.11 =
568	* Fix: on some environments, the HTTP_X_WP_NONCE is not available in the code, changed logged in check to accomodate such environments
569	* Fix: dismiss on admin notices not immediately dismissing, requiring dismiss through dashboard, props @dumel
570
571	= 6.0.10 =
572	* Fix: Apache 2.4 support for the block code execution in the uploads directory hardening feature, props @overlake
573	* Fix: When used with Varnish cache, Rest API get requests were cached, causing the settings page not to update.
574	* Fix: Ensure manage_security capability for users upgraded from versions before introduction of this capability
575	* Fix: allow for custom rest api prefixes, props @coderevolution
576	* Fix: bug in Let's Encrypt generation with DNS verification: saving of 'disable_ocsp' setting, create_bundle_or_renew action with quotes
577	* Fix: change REST API response method to prevent script errors on environments with PHP warnings and errors, causing blank settings page
578	* Improvement: Simplify user enumeration test
579	* Improvement: catch unexpected response in SSL Labs object
580	* Improvement: z-index on on boarding modal on smaller screen sizes, props @rtpHarry
581	* Improvement: hide username field if no admin username is present, props @rtpHarry
582
583	= 6.0.9 =
584	* Fix: incorrectly disabled email field in Let's Encrypt wizard, props @cburgess
585	* Improvement: on rename admin user, catch existing username, and strange characters
586	* Improvement: catch openBaseDir restriction in cpanel detection function, props @alofnur
587	* Improvement: remove 6.0 update notices on subsites in a multisite network, props @wpcoderca, (@collizo4sky
588
589	= 6.0.8 =
590	* Improvement: Lets Encrypt wizard CSS styling
591	* Improvement: re-add link to article about Let's Encrypt so users can easily find the URL
592	* Improvement: let user choose a new username when selecting "rename admin user"
593
594	= 6.0.7 =
595	* Fix: restrict conditions in which htaccess rewrite runs, preventing conflicts with other rewriting plugins
596
597	= 6.0.6 =
598	* Fix: drop upgrade of .htaccess file in upgrade script
599
600	= 6.0.5 =
601	* Fix: race condition in .htaccess update script, where multiple updates simultaneously caused issues with the .htaccess file
602
603	= 6.0.4 =
604	* Fix: using the .htaccess redirect in combination with the block code execution in uploads causes an issue in the .htaccess redirect
605	* Fix: deactivating Really Simple SSL does not completely remove the wp-config.php fixes, causing errors, props @minalukic812
606
607	= 6.0.3 =
608	* Fix: Rest Optimizer causing other plugins to deactivate when recommended plugins were activated, props @sardelich
609
610	= 6.0.2 =
611	* Fix: do not show WP_DEBUG_DISPLAY notice if WP_DEBUG is false, props @janv01
612	* Fix: empty cron schedule, props @gilvansilvabr
613	* Improvement: several typo's and string improvements
614	* Fix: auto installer used function not defined yet
615	* Fix: rest api optimizer causing an error in some cases @giorgos93
616
617	= 6.0.1 =
618	* Fix translations not loading for scripts
619
620	= 6.0.0 =
621	* Tested up to WordPress 6.1.0
622	* Improvement: User Interface
623	* New: Server Health Check - powered by SSLLabs
624	* New: WordPress Hardening Features
625
626	== Upgrade notice ==
627	On settings page load, the .htaccess file is no rewritten. If you have made .htaccess customizations to the RSSSL block and have not blocked the plugin from editing it, do so before upgrading.
628	Always back up before any upgrade. Especially .htaccess, wp-config.php and the plugin folder. This way you can easily roll back.
629
630	== Screenshots ==
631	1. The Really Simple Security Dashboard provides a quick security overview.
632	2. Enable or enforce 2FA per user role.
633	3. Stay ahead of plugin, theme and WP core vulnerabilities.
634	4. Harden your site’s security with Basic Hardening features.
635	5. 1-minute configuration with the short security onboarding.