Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) v9.5.10.1
=== Really Simple Security - Simple and Performant Security (formerly Really Simple SSL) ===
Contributors: RogierLankhorst, markwolters, hesseldejong, vicocotea, marcelsanting, janwoostendorp, wimbraam
Donate link: https://www.paypal.me/reallysimplessl
Tags: security, https, 2fa, vulnerabilities, two factor
Requires at least: 6.6
License: GPL2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 9.5.10.1

Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.

== Description ==

=== Really simple, Effective and Performant WordPress Security ===
Really Simple Security is the most lightweight and easy-to-use security plugin for WordPress. It secures your WordPress website with SSL certificate generation, including proper 301 HTTPS redirection and SSL enforcement, scanning for possible vulnerabilities, Login Protection and implementing essential WordPress hardening features.

We believe that security should have the absolute minimum effect on website performance, user experience and maintainability. Therefore, Really Simple Security is:

* **Lightweight:** Every security feature is developed with a modular approach and with performance in mind. Disabled features won't load any redundant code.
* **Easy-to-use:** 1-minute configuration with short onboarding setup.

=== Security Features ===

= Easy SSL Migration =
Migrates your website to HTTPS and enforces SSL in just one click.

* 301 redirect via PHP or .htaccess
* Secure cookies
* Let's Encrypt: Install an SSL Certificate if your hosting provider supports manual installation.
* Server Health Check: Your server configuration is every bit as important for your website security.

= WordPress Hardening =
Tweak your configuration and keep WordPress fortified and safe by tackling potential weaknesses.

* Prevent code execution in the uploads folder
* Prevent login feedback and disable user enumeration
* Disable XML-RPC
* Disable directory browsing
* Username restrictions (block 'admin' and public names)
* and much more

= Vulnerability Detection =
Get notified when plugins, themes or WP core contain vulnerabilities and need appropriate action.

= Login Protection =
Allow or enforce Two-Factor Authentication (2FA) for specific user roles. Users receive a two-factor code via Email.

=== Improve Security with Really Simple Security Pro ===
[Protect your site with all essential security features by upgrading to Really Simple Security Pro.](https://really-simple-ssl.com/)

= Advanced SSL enforcement =
* Mixed Content Scan & Fixer. Detect files that are requested over HTTP and fix them to HTTPS, both Front- and Back-end.
* Enable HTTP Strict Transport Security and configure your site for the HSTS Preload list.

= Firewall =
Really Simple Security Pro includes a performant and efficient WordPress firewall, to stop bots, crawlers and bad actors with IP and username blocks.

* 404 blocking - Blocks crawlers as they trigger unusual numbers of 404 errors.
* Region blocking - Only allow/block access to your site from specific regions.
* Automated and customisable Firewall rules.
* IP blocklist and allowlist.

= Security Headers =
Security headers protect your site visitors against the risk of clickjacking, cross-site-forgery attacks, stealing login credentials and malware.

* Independent of your Server Configuration, works on Apache, LiteSpeed, NGINX, etc.
* Protect your website visitors with X-XSS Protection, X-Content-Type-Options, X-Frame-Options, a Referrer Policy and CORS headers.
* Automatically generate your WordPress-tailored Content Security Policy.

= Vulnerability Measures =
When a vulnerability is detected in a plugin, theme or WordPress core you will get notified accordingly. With Vulnerability Measures, you can configure simple but effective measures to make sure that a critical vulnerability won't remain unattended.

* Force update: An update process will be tried multiple times until it can be assumed development of a theme or plugin is abandoned. You will be notified during these steps.
* Quarantine: When a plugin or theme can't be updated to solve a vulnerability, Really Simple Security can quarantine the plugin.

= Advanced Site Hardening =
* Choose a custom login URL
* Automated File Permissions check and fixer
* Rename and randomize your database prefix
* Change the debug.log file location to a non-public folder
* Disable application passwords
* Control admin creation
* Disable HTTP methods, reducing HTTP requests

= Login Protection =
Secure your website's login process and user accounts with powerful security measures.

* Two-Step verification (Email login)
* 2FA (two-factor authentication) with TOTP
* Passwordless login with passkey login
* Enforce strong passwords and frequent password change
* Limit Login Attempts

With Limit Login Attempts you can configure a threshold to temporarily or permanently block IP addresses or (non-existing) usernames. You can also throw a CAPTCHA after a failed login (hCaptcha or Google reCAPTCHA).

= Access Control =
* Restrict access to your site for specific regions.
* Add specific IP addresses or IP ranges to the Blocklist or Allowlist.

== Useful Links ==
* [Documentation](https://really-simple-ssl.com/knowledge-base-overview/)
* [Security Definitions](https://really-simple-ssl.com/definitions/)
* [Translate Really Simple Security](https://translate.wordpress.org/projects/wp-plugins/really-simple-ssl)
* [Issues & pull requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/issues)
* [Feature requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/labels/feature%20request)

== Love Really Simple Security? ==
If you want to support the continuing development of this plugin, please consider buying [Really Simple Security Pro](https://www.really-simple-ssl.com/pro/), which includes some excellent security features and premium support.

== About Really Simple Plugins ==
Our mission is to make complex WordPress requirements really easy. Really Simple Security is developed by [Really Simple Plugins](https://www.really-simple-ssl.com/about-us).

For generating SSL certificates, Really Simple Security uses the [le acme2 PHP](https://github.com/fbett/le-acme2-php/) Let's Encrypt client library, thanks to 'fbett' for providing it. Vulnerability Detection uses WP Vulnerability, an open-source initiative by Javier Casares. Want to join as a collaborator? We're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl) as well!

== Installation ==
To install this plugin:

1. Make a backup! See [our recommendations](https://really-simple-ssl.com/knowledge-base/backing-up-your-site/).
2. Download the plugin.
3. Upload the plugin to the /wp-content/plugins/ directory.
4. Go to "Plugins" in your WordPress admin, then click "Activate".
5. You will now see the Really Simple Security onboarding process, to quickly help you through the configuration process.

== Frequently Asked Questions ==
= Knowledge Base =
For more detailed explanations and documentation on all Really Simple Security features, please search the [Knowledge Base](https://www.really-simple-ssl.com/knowledge-base/).

= What happened with Really Simple SSL? =
All features that made Really Simple SSL the most powerful and easy-to-use SSL generation and redirect plugin are still part of Really Simple Security. The plugin is developed with a modular approach: if you don't want to use the full set of security features, the unused code will not be loaded and won't have any effect on your site's performance.

= Why Really Simple Security? =
In our experience, security solutions for WordPress are often hard to configure, trigger many false positives and have a significant impact on site performance. We have been receiving requests from our users to simplify WordPress security for years, so that has become our mission!

= I want to share my feedback or contribute to Really Simple Security =
You couldn't make us happier! Really Simple Security is GPL licensed and co-created by the WordPress community. All feedback is highly appreciated and has always helped us to better understand users' needs. For code contributions or suggestions, we're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl). For suggestions, please [open a support ticket](https://wordpress.org/support/plugin/really-simple-ssl/). You can also express your appreciation by [leaving a review](https://wordpress.org/support/plugin/really-simple-ssl/reviews/).

= What are Mixed Content issues? =
Most mixed content issues are caused by URLs in CSS or JS files. For detailed instructions on how to find mixed content, read this [article](https://really-simple-ssl.com/knowledge-base/how-to-track-down-mixed-content-or-insecure-content/).

= Generating a Let's Encrypt SSL Certificate =
We added the possibility to generate a Free SSL Certificate with Let's Encrypt in our Really Simple Security Wizard. We have an updated list available for all possible integrations [here](https://really-simple-ssl.com/install-ssl-certificate/). Please leave feedback if you would like another integration, spot incorrect information, or need help.

= How do I fix a redirect loop? =
If you are experiencing redirect loops on your site, try these [instructions](https://really-simple-ssl.com/knowledge-base/my-website-is-in-a-redirect-loop/). This can sometimes happen during the migration to HTTPS or due to conflicting redirect rules.

= Is the plugin multisite compatible? =
Yes. There is a dedicated network settings page where you can control settings for your entire network at once.

= How do I enforce strong passwords? =
Under Login Protection, you can configure minimum strength settings and require users to change their passwords after a defined interval. Disabling weak password usage is a best practice.

= How can I change my login URL? =
You can set a custom login URL under Advanced Site Hardening, which helps prevent brute force login attacks and bots targeting wp-login.php.

= Does this plugin redirect HTTP to HTTPS? =
Yes. The plugin enforces HTTPS and handles all necessary redirects, optionally using .htaccess or PHP.

= Can I use Really Simple Security alongside Wordfence? =
Really Simple Security and Wordfence greatly overlap in terms of functionality. If you would like to use specific features from both plugins, we strongly recommend not enabling similar features twice. The benefit of Really Simple Security is that disabled features don't load any code, so they won't have an impact on site performance.

== Changelog ==
= 9.5.10.1 - 2026-04-29 =
* Fixed: Undefined variable during cron.
* Changed: Updated 2FA login flow to address inconsistent verification behavior.

= 9.5.10 - 2026-04-21 =
* Fixed: Some styling (CSS) issues to improve compatibility with WordPress 7.0.
* Changed: Removed an unused AJAX callback.
* Changed: Tested up to WordPress 7.0.

= 9.5.9 - 2026-03-31 =
* Changed: Reworked vulnerability detection and measures logic.

= 9.5.8 - 2026-02-26 =
* Fixed: Prevent using "Do Not Ask Again" for user roles where 2FA is required.
* Fixed: Resolved an issue where "Prevent login feedback" could show a ghost username on the login retry screen.
* Fixed: Prevented "Failed to send buffer of zlib output compression" notices when using the Mixed Content Fixer with zlib.output_compression enabled.
* Changed: Updated review notice text.

= 9.5.7 - 2026-02-10 =
* Fixed: scenario where users were stuck after an expired 2FA grace period due to missing authentication methods.
* Changed: Email 2FA user experience by making Enter submit the verification code instead of resending it.
* Changed: Simplified service bootstrapping by removing the Provider layer and registering all services directly in the App container.

= 9.5.6 - 2025-01-20 =
* Fixed: 2FA users list not displaying all users
* Fixed: Cloudflare cache not clearing after SSL activation
* Changed: improved deactivation process

= 9.5.6 - 2025-12-16 =
* Fixed: JavaScript error when using custom roles with 2FA
* Fixed: fatal error caused by hosts class being instantiated twice
* Fixed: fatal error when upgrading from older plugin versions
* Fixed: WP-CLI activate_ssl command now works correctly on first attempt
* Changed: removed two unused files from the plugin
* Changed: updated readme to align with standards

= 9.5.4 - 2025-11-18 =
* Fixed: 2FA login error when user has no assigned roles
* Fixed: fatal error when wp-config.php path is empty
* Changed: added file locking to .htaccess and wp-config.php to prevent race conditions
* Changed: clarified .htaccess directory indexing comment
* Changed: replaced site_url() with home_url() in the 404 resource check on the homepage
* Changed: security functions now skip cron jobs and CLI environments
* Changed: Let's Encrypt wizard final step now shows only SSL activation button
* Changed: added a license.txt file

= 9.5.3.1 =
* Fixed: WP-CLI commands not working correctly

= 9.5.3 =
* Fixed: text domain loaded too early warning from unused translation
* Fixed: deactivation modal now always displays
* Changed: refactored the onboarding code

= 9.5.2.3 =
* Fixed: 2FA reset now correctly calls the 2FA reset service

= 9.5.2.2 =
* Fixed: 2FA TypeError when updating from older plugin versions

= 9.5.2 =
* Fixed: all users will now appear in the 2FA list
* Fixed: tasks will now always display on multisite
* Changed: activate_ssl WP-CLI command supports --force to skip confirmation

= 9.5.1 =
* Fixed: missing getmyuid function check to prevent errors
* Fixed: Right-To-Left CSS now works correctly when SCRIPT_DEBUG is enabled
* Changed: standardized REST namespaces to really-simple-security

= 9.5.0.2 =
* Fixed: prevent empty content from being written into .htaccess

= 9.5.0.1 =
* Fixed: .htaccess protected from empty overwrites, auto-creation requires filter opt-in

= 9.5.0 =
* Fixed: whitelisted LiteSpeed Cache crawler in .htaccess to prevent redirect issues
* Fixed: 2FA grace period email logic to avoid reminders to users with active 2FA
* Fixed: updated hosting provider name from "XXL Hosting" to "Superspace"
* Changed: reworked .htaccess handling with insert_with_markers and WP Rocket integration
* Changed: SBOM added to plugin
* Changed: improved text consistency and updated geopolitical terminology

= 9.4.3 =
* Fixed: user ID could be empty in 2FA
* Fixed: learn more button in vulnerability email now links to correct page
* Fixed: rsssl_user_can_manage undefined error when downloading system status
* Changed: improved compatibility with plain permalinks
* Changed: updated links in the plugin

= 9.4.2 =
* Fixed: .htaccess redirect requirements for subfolder configurations
* Fixed: re-send email button on 2FA page now shows confirmation message
* Fixed: restored SCSS files
* Fixed: plugin kept redirecting to settings page after activation
* Changed: updated plugin installation via onboarding and dashboard page
* Changed: added notice with option to force verify email address
* Changed: updated minimum WordPress version to 6.6

= 9.4.1 =
* Fixed: text domain loaded too early warning

= 9.4.0 =
* Fixed: plugin initialization timing to prevent textdomain warning
* Fixed: feedback when email is resent during 2FA setup
* Fixed: Single Sign On link now supports custom login URLs
* Added: SimplyBook in onboarding and other plugins sections
* Changed: more detailed feedback when using CLI commands
* Changed: detect EXTENDIFY_PARTNER_ID and run activate_recommended_features
* Changed: standardized onboarding hoster list to brand names
* Changed: user enumeration now returns 401 instead of 404

= 9.3.5 - 2025-04-29 =
* Fixed: 2FA methods can now be set on profile page
* Changed: tested up to WordPress 6.8
* Changed: translation updates
* Changed: check for autoloader in cron

= 9.3.3 - 2025-04-02 =
* Changed: added multiple WP-CLI commands to align with recent plugin features
* Changed: added support for custom/multiple roles in Two Factor Authentication

= 9.3.2.1 - 2025-03-20 =
* Fixed: properly handle unknown plugins in upgrade requests

= 9.3.2 - 2025-03-05 =
* Fixed: removed default checkbox behavior from configuration settings
* Fixed: handle multiple tooltip reasons for disabled select fields
* Changed: added filters to customize Let's Encrypt Wizard behavior

= 9.3.1 - 2025-02-12 =
* Fixed: all instruction links are now correct
* Fixed: undefined array key "m" when showing vulnerability details
* Fixed: prevent errors when downgrading to free
* Fixed: 2FA compatibility with JetPack WordPress.com login
* Changed: email functions require verified email address

= 9.2.0 - 2025-01-20 =
* Fixed: added nonce check to certificate re-check button
* Fixed: review notice was not properly dismissible in some cases

= 9.1.4 =
* Fixed: shields in UI datatables no longer cut off
* Changed: do not track 404s for logged in users
* Changed: implemented rsssl_wpconfig_path filter in all wp-config functions
* Changed: faster onboarding completion after clicking Finish button

= 9.1.3 - 2024-11-28 =
* Fixed: remove duplicate site URL
* Fixed: rsssl_sanitize_uri_value() now always returns a string
* Fixed: multisite 2FA role enforcement for users with multiple roles
* Fixed: Skip Onboarding button undefined page with email method
* Fixed: translation loading updated for WordPress 6.7
* Changed: improved 2FA lockout notice
* Changed: catch use of short init in advanced-headers file
* Changed: string improvements and translator comments
* Changed: Bitnami support for rsssl_find_wordpress_base_path()
* Changed: integrate Site Health notifications with Solid Security
* Changed: enhanced random password generation in Rename Admin User
* Changed: always return string in wpconfig_path() function

= 9.1.2 =
* Security: authentication bypass fix

= 9.1.1.1 - 2024-11-05 =
* Fixed: 2FA grace period was kept active after a reset

= 9.1.1 - 2024-10-30 =
* Fixed: 2FA grace period kept active after reset
* Changed: safe-mode.lock file deactivates Firewall, 2FA and LLA for debugging
* Changed: update to system status
* Changed: textual changes
* Changed: updated instructions URLs
* Changed: site health notices changed from critical to recommended
* Changed: dropped obsolete react library

= 9.1.0 - 2024-10-22 =
* Fixed: prevent potential errors with login feedback
* Fixed: catch type error when $transients is not an array
* Changed: allow scanning for security headers via scan.really-simple-ssl.com
* Changed: remove unnecessary rsssl_update_option calls

= 9.0.2 =
* Fixed: issue with deactivating 2FA

= 9.0.0 - 2024-09-16 =
* Fixed: instructions URL in the Firewall settings
* Fixed: incorrect instructions URL
* Fixed: Let's Encrypt returning old certificate on auto-renewed certificates
* Changed: dropped X-Frame-Options header in favor of frame-ancestors
* Changed: save and continue in vulnerabilities overview not working correctly

= 8.3.0.1 =
* Fixed: issues with the decryption model

= 8.3.0 - 2024-08-12 =
* Fixed: some strings were not translatable
* Fixed: premium support link did not work
* Fixed: links in emails were sometimes incorrect
* Fixed: fatal error on permission detection
* Added: password security scan detects weak and compromised passwords
* Changed: disable cron schedules on deactivation
* Changed: custom license check header improves hosting compatibility
* Changed: added option to disable X-powered-by header
* Changed: new improved encryption method for some settings

= 8.1.5 - 2024-06-21 =
* Fixed: documentation links to website broken
* Changed: some text changes in helptexts
* Changed: new structure to upgrade database tables

= 8.1.4 - 2024-06-11 =
* Fixed: cookie expiration change not loading
* Fixed: Visual Composer compatibility with Enforce Strong Password
* Fixed: multiple CloudFlare detected notices in onboarding
* Fixed: checkbox position in onboarding
* Changed: dropdown in onboarding not entirely visible
* Changed: styling of locked XML RPC overview

= 8.1.3 - 2024-05-16 =
* Fixed: WP Rocket compatibility when advanced-headers.php does not exist

= 8.1.2 - 2024-05-16 =
* Fixed: advanced-headers.php now supports early inclusion

= 8.1.1 - 2024-05-14 =
* Fixed: upgrade from <6.0 to >8.0 causing fatal error
* Fixed: URL to details of detected vulnerabilities was incorrect
* Added: detection of non-recommended permissions on files
* Added: configure region restrictions for your site
* Changed: textual change on premium overlay
* Changed: upgraded minimum required PHP version to 7.4
* Changed: compatibility with Bitnami
* Changed: compatibility of Limit Login Attempts with WooCommerce
* Changed: remove duplicate X-Really-Simple-SSL-Test from advanced-headers-test.php
* Changed: clear notice about .htaccess writable if do_not_edit_htaccess is enabled

= 8.1.0 =
* Fixed: show 'self' as default in Frame Ancestors
* Added: Limit Login Attempts Captcha integration
* Changed: some string corrections
* Changed: catch not existing rsssl_version_compare
* Changed: check for openSSL module existence
* Changed: set default empty array for options, for legacy upgrades
* Changed: disable custom login URL when plain permalinks are enabled
* Changed: drop renamed folder notice, not needed anymore
* Changed: enable advanced headers in onboarding
* Changed: is_object check in updater

= 8.0.1 =
* Fixed: enable 2FA during onboarding when not selected by user
* Fixed: upgrading to Pro preserves settings when clear on deactivation enabled
* Fixed: catch several array key not existing errors
* Changed: better CSP defaults

= 8.0.0 =
* Added: hide remember me checkbox
* Added: extend blocking of malicious admin creation to multisite
* Changed: drop prefetch-src from Content Security Policy
* Changed: disable two-fa when login protection is disabled

= 7.2.8 =
* Fixed: clear cron schedules on deactivation
* Changed: translations update
* Changed: info notice about automatic free and pro plugin merge

= 7.2.7 =
* Changed: added integration with FlyingPress and Fastest Cache
* Changed: fix exiting a filter, causing compatibility issue with BuddyPress

= 7.2.6 =
* Fixed: custom 404 pages with custom login URL
* Added: option to limit login cookie expiration time
* Changed: text changes
* Changed: CSS on login error message
* Changed: header detection improved by checking the last URL in redirect chain

= 7.2.5 =
* Fixed: IP detection header order
* Fixed: table creation on activation of LLA module

= 7.2.4 =
* Fixed: PHP warning in Password Security module
* Fixed: change login URL feature not working with password protected pages
* Changed: move database table creation to Limit Login Attempts module
* Changed: prevent PHP error caused by debug.log file hardening feature

= 7.2.3 =
* Fixed: CSP data not showing in datatable

= 7.2.2 =
* Changed: improved check for PharData class

= 7.2.1 =
* Fixed: config for CSP preventing Learning mode from completing
* Fixed: datatable styling
* Fixed: using deactivate_https with WP-CLI did not remove htaccess rules
* Changed: add query parameter to enforce email verification
* Changed: CSS for check certificate manually button

= 7.2.0 =
* Fixed: changed link to article
* Fixed: remove flags .js file which was added twice
* Fixed: typo in missing advanced-headers.php notice
* Changed: catch PHP warning when script src is empty when using hide WP version
* Changed: new save & continue feedback
* Changed: datatable styling
* Changed: new react based modal
* Changed: menu re-structured
* Changed: re-check vulnerability status after core update
* Changed: vulnerability notification emails now link to specific details

= 7.1.3 - 2023-10-11 =
* Fixed: React ErrorBoundary preventing Let's Encrypt generation to complete

= 7.1.2 - 2023-10-06 =
* Fixed: hook change in integrations loader causing modules not to load

= 7.1.1 - 2023-10-05 =
* Fixed: incorrect function usage

= 7.1.0 - 2023-10-04 =
* Changed: detection if advanced-headers.php file is running

= 7.0.9 - 2023-09-05 =
* Changed: typo update word
* Changed: translatability in several strings

= 7.0.8 - 2023-08-08 =
* Fixed: handling of legacy options in PHP 8.1
* Fixed: count remaining tasks
* Changed: WordPress tested up to 6.3
* Changed: improve file existence check json

= 7.0.7 - 2023-07-25 =
* Fixed: handling of legacy options in PHP 8.1
* Fixed: prevent issues with CloudFlare when submitting support form
* Fixed: translations singular/plural for Japanese translations
* Changed: modal icon placement in wizard on smaller screens
* Changed: expire cached detected headers five minutes after saving settings

= 7.0.6 - 2023-07-04 =
* Fixed: translations not loading for chunked react components
* Changed: support custom wp-content directory in advanced-headers.php
* Changed: prevent usage of subdirectories in custom login URL
* Changed: added manual vulnerability recheck parameter

= 7.0.5 =
* Fixed: reverted redirect method to fix non-www site login issues

= 7.0.4 - 2023-06-14 =
* Fixed: feedback on hardening features enable action not showing as enabled
* Changed: notice informing about the new free vulnerability detection feature
* Changed: improved the PHP redirect method
* Changed: make the wp-config.php not writable notice dismissable

= 7.0.3 =
* Fixed: fix false positives on some plugins
* Changed: vulnerability notifications in site health, if notifications are enabled

= 7.0.2 =
* Changed: improve matching precision on plugins with vulnerabilities

= 7.0.1 =
* Fixed: REST API ajax fallback now works correctly

= 7.0.0 =
* Added: Vulnerability Detection (Beta)
* Changed: move onboarding rest api to do_action rest_route
* Changed: catch several edge situations in SSL Labs api
* Changed: SSL Labs block responsiveness
* Changed: more robust handling of wp-config.php detection

= 6.3.0 =
* Changed: added support for the new Let's Encrypt staging environment

= 6.2.5 =
* Fixed: capability mismatch in multisite
* Changed: add warning alert option

= 6.2.4 =
* Fixed: catch non array value from notices array
* Fixed: typo in documentation link
* Changed: optionally enable notification emails in onboarding wizard
* Changed: onboarding styling

= 6.2.3 =
* Changed: back-end react to functional components
* Changed: multisite notice should link to network admin page
* Changed: detect existing CAA records to check Let's Encrypt compatibility
* Changed: tested up to WP 6.2
* Changed: UX improvement learning mode

= 6.2.2 =
* Fixed: capability mismatch for non-administrator in multisite admin

= 6.2.1 =
* Fixed: race condition when activating SSL through WP-CLI
* Fixed: missing disabled state in textarea and checkboxes
* Fixed: some strings not translatable
* Fixed: Let's Encrypt renewal with add on
* Changed: permissions check re-structuring
* Changed: notice on subsite within multisite environment about wildcard updated

= 6.2.0 =
* Added: optional email notifications on advanced settings
* Changed: added tooltips
* Changed: added warnings for .htaccess redirect
* Changed: don't send user email change on renaming admin user
* Changed: use BASEPATH only for wp-load.php, symlinked folders load based on ABSPATH
* Changed: improved support for environments where Rest API is blocked

= 6.1.1 =
* Fixed: WP-CLI SSL activation fix when site not visited before
* Changed: prevent 'undefined' status showing up in api calls on settings page
* Changed: notice for incompatible Let's Encrypt shell add-on versions

= 6.1.0 =
* Fixed: empty menu item visible in Let's Encrypt menu
* Changed: some UX changes
* Changed: limit number of notices in the dashboard
* Changed: load rest api request URL over https if website is loaded over https

= 6.0.14 =
* Fixed: settings page when using plain permalinks

= 6.0.13 =
* Fixed: CSS for blue labels in progress dashboard below 1080px
* Fixed: WP-CLI SSL activation not working due to capability checks
* Fixed: catch invalid account error in Let's Encrypt generation
* Fixed: do not block user enumeration for gutenberg
* Changed: improve method of dropping empty menu items in settings dashboard
* Changed: dynamic links in auto installer
* Changed: change rest_api method to core wp apiFetch()
* Changed: scroll highlighted setting into view after clicking "fix" on a task
* Changed: HTTP method tests run in batches to prevent CURL timeouts
* Changed: clean up code-execution.php file after test
* Changed: notification when DISABLE_FILE_EDITING is set to false
* Changed: drop some unnecessary translations
* Changed: WP version test uses options for better persistence

= 6.0.12 =
* Fixed: multisite admin username test uses correct database prefix
* Changed: allow submenu in back-end react application
* Changed: skip value update when no change has been made
* Changed: no redirect on dismiss of admin notice
* Changed: remove obsolete warning
* Changed: qtranslate support on settings page

= 6.0.11 =
* Fixed: login check works when HTTP_X_WP_NONCE unavailable
* Fixed: admin notices now dismiss immediately

= 6.0.10 =
* Fixed: Apache 2.4 compatibility for upload directory code blocking
* Fixed: Varnish cache compatibility for REST API requests
* Fixed: manage_security capability added for upgraded users
* Fixed: allow for custom rest api prefixes
* Fixed: Let's Encrypt DNS verification save and action issues
* Fixed: REST API error handling prevents blank settings page
* Changed: simplify user enumeration test
* Changed: catch unexpected response in SSL Labs object
* Changed: z-index on onboarding modal on smaller screen sizes
* Changed: hide username field if no admin username is present

= 6.0.9 =
* Fixed: incorrectly disabled email field in Let's Encrypt wizard
* Changed: on rename admin user, catch existing username, and strange characters
* Changed: catch openBaseDir restriction in cpanel detection function
* Changed: removed 6.0 update notices from subsites

= 6.0.8 =
* Changed: Let's Encrypt wizard CSS styling
* Changed: re-add link to article about Let's Encrypt
* Changed: let user choose a new username when selecting "rename admin user"

= 6.0.7 =
* Fixed: restricted .htaccess rewrite to prevent plugin conflicts

= 6.0.6 =
* Fixed: drop upgrade of .htaccess file in upgrade script

= 6.0.5 =
* Fixed: .htaccess race condition with simultaneous updates

= 6.0.4 =
* Fixed: .htaccess redirect compatibility with upload code blocking
* Fixed: deactivation now fully removes wp-config.php changes

= 6.0.3 =
* Fixed: Rest Optimizer no longer deactivates other plugins

= 6.0.2 =
* Fixed: do not show WP_DEBUG_DISPLAY notice if WP_DEBUG is false
* Fixed: empty cron schedule
* Fixed: auto installer used function not defined yet
* Fixed: rest api optimizer causing an error in some cases
* Changed: several typos and string improvements

= 6.0.1 =
* Fixed: translations not loading for scripts

= 6.0.0 =
* Added: Server Health Check - powered by SSLLabs
* Added: WordPress Hardening Features
* Changed: User Interface
* Changed: Tested up to WordPress 6.1.0

== Upgrade notice ==
On settings page load, the .htaccess file is now rewritten. If you have made .htaccess customizations to the RSSSL block and have not blocked the plugin from editing it, do so before upgrading.
Always back up before any upgrade, especially .htaccess, wp-config.php and the plugin folder. This way you can easily roll back.

== Screenshots ==
1. The Really Simple Security Dashboard provides a quick security overview.
2. Enable or enforce 2FA per user role.
3. Stay ahead of plugin, theme and WP core vulnerabilities.
4. Harden your site’s security with Basic Hardening features.
5. 1-minute configuration with the short security onboarding.