Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) v9.5.10
really-simple-ssl / readme.txt
1 === Really Simple Security - Simple and Performant Security (formerly Really Simple SSL) ===
2 Contributors: RogierLankhorst, markwolters, hesseldejong, vicocotea, marcelsanting, janwoostendorp, wimbraam
3 Donate link: https://www.paypal.me/reallysimplessl
4 Tags: security, https, 2fa, vulnerabilities, two factor
5 Requires at least: 6.6
6 License: GPL2
7 Tested up to: 7.0
8 Requires PHP: 7.4
9 Stable tag: 9.5.10
10
11 Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
12
13 == Description ==
14
15 === Really simple, Effective and Performant WordPress Security ===
16 Really Simple Security is the most lightweight and easy-to-use security plugin for WordPress. It secures your WordPress website with SSL certificate generation, including proper 301 https redirection and SSL enforcement, scanning for possible vulnerabilities, Login Protection and implementing essential WordPress hardening features.
17
18 We believe that security should have the absolute minimum effect on website performance, user experience and maintainability. Therefore, Really Simple Security is:
19
20 * **Lightweight:** Every security feature is developed with a modular approach and with performance in mind. Disabled features won't load any redundant code.
21 * **Easy-to-use:** 1-minute configuration with short onboarding setup.
22
23 === Security Features ===
24
25 = Easy SSL Migration =
26 Migrates your website to HTTPS and enforces SSL in just one click.
27
28 * 301 redirect via PHP or .htaccess
29 * Secure cookies
30 * Let's Encrypt: Install an SSL Certificate if your hosting provider supports manual installation.
31 * Server Health Check: Your server configuration is every bit as important for your website security.
32
33 = WordPress Hardening =
34 Tweak your configuration and keep WordPress fortified and safe by tackling potential weaknesses.
35
36 * Prevent code execution in the uploads folder
37 * Prevent login feedback and disable user enumeration
38 * Disable XML-RPC
39 * Disable directory browsing
40 * Username restrictions (block 'admin' and public names)
41 * and much more.
42
43 = Vulnerability Detection =
44 Get notified when plugins, themes or WP core contain vulnerabilities and need appropriate action.
45
46 = Login Protection =
47 Allow or enforce Two-Factor Authentication (2FA) for specific user roles. Users receive a two-factor code via Email.
48
49 === Improve Security with Really Simple Security Pro ===
50 [Protect your site with all essential security features by upgrading to Really Simple Security Pro.](https://really-simple-ssl.com/)
51
52 = Advanced SSL enforcement =
53 * Mixed Content Scan & Fixer. Detect files that are requested over HTTP and fix them to HTTPS, both Front- and Back-end.
54 * Enable HTTP Strict Transport Security and configure your site for the HSTS Preload list.
55
56 = Firewall =
57 Really Simple Security Pro includes a performant and efficient WordPress firewall, to stop bots, crawlers and bad actors with IP and username blocks.
58
59 * 404 blocking - Blocks crawlers as they trigger unusual numbers of 404 errors.
60 * Region blocking - Only allow/block access to your site from specific regions.
61 * Automated and customisable Firewall rules.
62 * IP blocklist and allowlist.
63
64 = Security Headers =
65 Security headers protect your site visitors against the risk of clickjacking, cross-site-forgery attacks, stealing login credentials and malware.
66
67 * Independent of your Server Configuration, works on Apache, LiteSpeed, NGINX, etc.
68 * Protect your website visitors with X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, a Referrer Policy and CORS headers.
69 * Automatically generate your WordPress-tailored Content Security Policy.
70
71 = Vulnerability Measures =
72 When a vulnerability is detected in a plugin, theme or WordPress core you will get notified accordingly. With Vulnerability Measures, you can configure simple but effective measures to make sure that a critical vulnerability won't remain unattended.
73
74 * Force update: An update process will be tried multiple times until it can be assumed development of a theme or plugin is abandoned. You will be notified during these steps.
75 * Quarantine: When a plugin or theme can't be updated to solve a vulnerability, Really Simple Security can quarantine the plugin.
76
77 = Advanced Site Hardening =
78 * Choose a custom login URL
79 * Automated File Permissions check and fixer
80 * Rename and randomize your database prefix
81 * Change the debug.log file location to a non-public folder
82 * Disable application passwords
83 * Control admin creation
84 * Disable HTTP methods, reducing HTTP requests
85
86 = Login Protection =
87 Secure your website's login process and user accounts with powerful security measures.
88
89 * Two-Step verification (Email login)
90 * 2FA (two factor authentication) with TOTP
91 * Passwordless login with passkey login
92 * Enforce strong passwords and frequent password change
93 * Limit Login Attempts
94
95 With Limit Login Attempts you can configure a threshold to temporarily or permanently block IP addresses or (non-existing) usernames. You can also show a CAPTCHA after a failed login (hCaptcha or Google reCAPTCHA).
96
97 = Access Control =
98 * Restrict access to your site for specific regions.
99 * Add specific IP addresses or IP ranges to the Blocklist or Allowlist.
100
101 == Useful Links ==
102 * [Documentation](https://really-simple-ssl.com/knowledge-base-overview/)
103 * [Security Definitions](https://really-simple-ssl.com/definitions/)
104 * [Translate Really Simple Security](https://translate.wordpress.org/projects/wp-plugins/really-simple-ssl)
105 * [Issues & pull requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/issues)
106 * [Feature requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/labels/feature%20request)
107
108 == Love Really Simple Security? ==
109 If you want to support the continuing development of this plugin, please consider buying [Really Simple Security Pro](https://www.really-simple-ssl.com/pro/), which includes some excellent security features and premium support.
110
111 == About Really Simple Plugins ==
112 Our mission is to make complex WordPress requirements really easy. Really Simple Security is developed by [Really Simple Plugins](https://www.really-simple-ssl.com/about-us).
113
114 For generating SSL certificates, Really Simple Security uses the [le acme2 PHP](https://github.com/fbett/le-acme2-php/) Let's Encrypt client library, thanks to 'fbett' for providing it. Vulnerability Detection uses WP Vulnerability, an open-source initiative by Javier Casares. Want to join as a collaborator? We're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl) as well!
115
116 == Installation ==
117 To install this plugin:
118
119 1. Make a backup! See [our recommendations](https://really-simple-ssl.com/knowledge-base/backing-up-your-site/).
120 2. Download the plugin.
121 3. Upload the plugin to the /wp-content/plugins/ directory.
122 4. Go to "Plugins" in your WordPress admin, then click "Activate".
123 5. You will now see the Really Simple Security onboarding process, to quickly help you through the configuration process.
124
125 == Frequently Asked Questions ==
126 = Knowledge Base =
127 For more detailed explanations and documentation on all Really Simple Security features, please search the [Knowledge Base](https://www.really-simple-ssl.com/knowledge-base/)
128
129 = What happened with Really Simple SSL? =
130 All features that made Really Simple SSL the most powerful and easy-to-use SSL generation and redirect plugin are still part of Really Simple Security. The plugin is developed with a modular approach: if you don't want to use the full set of security features, the unused code will not be loaded and won't have any effect on your site's performance.
131
132 = Why Really Simple Security? =
133 In our experience, security solutions for WordPress are often hard to configure, trigger many false positives and have a significant impact on site performance. We have been receiving requests from our users to simplify WordPress security for years, so that has become our mission!
134
135 = I want to share my feedback or contribute to Really Simple Security =
136 You couldn't make us happier! Really Simple Security is GPL licensed and co-created by the WordPress community. All feedback is highly appreciated and has always helped us to better understand users' needs. For code contributions or suggestions, we're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl). For suggestions, please [open a support ticket](https://wordpress.org/support/plugin/really-simple-ssl/). You can also express your appreciation by [leaving a review](https://wordpress.org/support/plugin/really-simple-ssl/reviews/).
137
138 = What are Mixed Content issues? =
139 Most mixed content issues are caused by URLs in CSS or JS files. For detailed instructions on how to find mixed content read this [article](https://really-simple-ssl.com/knowledge-base/how-to-track-down-mixed-content-or-insecure-content/).
140
141 = Generating a Let's Encrypt SSL Certificate =
142 We added the possibility to generate a free SSL certificate with Let's Encrypt in our Really Simple Security Wizard. We have an updated list available for all possible integrations [here](https://really-simple-ssl.com/install-ssl-certificate/). Please leave feedback if you want to suggest another integration, have found incorrect information, or need help.
143
144 = How do I fix a redirect loop? =
145 If you are experiencing redirect loops on your site, try these [instructions](https://really-simple-ssl.com/knowledge-base/my-website-is-in-a-redirect-loop/). This can sometimes happen during the migration to HTTPS or due to conflicting redirect rules.
146
147 = Is the plugin multisite compatible? =
148 Yes. There is a dedicated network settings page where you can control settings for your entire network, at once.
149
150 = How do I enforce strong passwords? =
151 Under Login Protection, you can configure minimum strength settings and require users to change their passwords after a defined interval. Disabling weak password usage is a best practice.
152
153 = How can I change my login URL? =
154 You can set a custom login URL under Advanced Site Hardening, which helps prevent brute force login attacks and bots targeting wp-login.php.
155
156 = Does this plugin redirect HTTP to HTTPS? =
157 Yes. The plugin enforces HTTPS and handles all necessary redirects, optionally using .htaccess or PHP.
158
159 = Can I use Really Simple Security alongside WordFence? =
160 Really Simple Security and WordFence overlap greatly in terms of functionality. If you would like to use specific features from both plugins, we strongly recommend not enabling similar features twice. The benefit of Really Simple Security is that disabled features don't load any code, so they won't have an impact on site performance.
161
162 == Changelog ==
163 = 9.5.10 - 2026-04-21 =
164 * Fixed: Some styling (CSS) issues to improve compatibility with WordPress 7.0.
165 * Changed: Removed an unused AJAX callback.
166 * Changed: Tested up to WordPress 7.0.
167
168 = 9.5.9 - 2026-03-31 =
169 * Changed: Reworked vulnerability detection and measures logic.
170
171 = 9.5.8 - 2026-02-26 =
172 * Fixed: Prevent using "Do Not Ask Again" for user roles where 2FA is required.
173 * Fixed: Resolved an issue where "Prevent login feedback" could show a ghost username on the login retry screen.
174 * Fixed: Prevented "Failed to send buffer of zlib output compression" notices when using the Mixed Content Fixer with zlib.output_compression enabled.
175 * Changed: Updated review notice text.
176
177 = 9.5.7 - 2026-02-10 =
178 * Fixed: scenario where users were stuck after an expired 2FA grace period due to missing authentication methods.
179 * Changed: Email 2FA user experience by making Enter submit the verification code instead of resending it.
180 * Changed: Simplified service bootstrapping by removing the Provider layer and registering all services directly in the App container.
181
182 = 9.5.6 - 2025-01-20 =
183 * Fixed: 2FA users list not displaying all users
184 * Fixed: Cloudflare cache not clearing after SSL activation
185 * Changed: improved deactivation process
186
187 = 9.5.6 - 2025-12-16 =
188 * Fixed: JavaScript error when using custom roles with 2FA
189 * Fixed: fatal error caused by hosts class being instantiated twice
190 * Fixed: fatal error when upgrading from older plugin versions
191 * Fixed: WP-CLI activate_ssl command now works correctly on first attempt
192 * Changed: removed two unused files from the plugin
193 * Changed: updated readme to align with standards
194
195 = 9.5.4 - 2025-11-18 =
196 * Fixed: 2FA login error when user has no assigned roles
197 * Fixed: fatal error when wp-config.php path is empty
198 * Changed: added file locking to .htaccess and wp-config.php to prevent race conditions
199 * Changed: clarified .htaccess directory indexing comment
200 * Changed: replaced site_url() with home_url() in the 404 resource check on the homepage
201 * Changed: security functions now skip cron jobs and CLI environments
202 * Changed: Let's Encrypt wizard final step now shows only SSL activation button
203 * Changed: added a license.txt file
204
205 = 9.5.3.1 =
206 * Fixed: WP-CLI commands not working correctly
207
208 = 9.5.3 =
209 * Fixed: text domain loaded too early warning from unused translation
210 * Fixed: deactivation modal now always displays
211 * Changed: refactored the onboarding code
212
213 = 9.5.2.3 =
214 * Fixed: 2FA reset now correctly calls the 2FA reset service
215
216 = 9.5.2.2 =
217 * Fixed: 2FA TypeError when updating from older plugin versions
218
219 = 9.5.2 =
220 * Fixed: all users will now appear in the 2FA list
221 * Fixed: tasks will now always display on multisite
222 * Changed: activate_ssl WP-CLI command supports --force to skip confirmation
223
224 = 9.5.1 =
225 * Fixed: missing getmyuid function check to prevent errors
226 * Fixed: Right-To-Left CSS now works correctly when SCRIPT_DEBUG is enabled
227 * Changed: standardized REST namespaces to really-simple-security
228
229 = 9.5.0.2 =
230 * Fixed: prevent empty content from being written into .htaccess
231
232 = 9.5.0.1 =
233 * Fixed: .htaccess protected from empty overwrites, auto-creation requires filter opt-in
234
235 = 9.5.0 =
236 * Fixed: whitelisted LiteSpeed Cache crawler in .htaccess to prevent redirect issues
237 * Fixed: 2FA grace period email logic to avoid reminders to users with active 2FA
238 * Fixed: updated hosting provider name from "XXL Hosting" to "Superspace"
239 * Changed: reworked .htaccess handling with insert_with_markers and WP Rocket integration
240 * Changed: SBOM added to plugin
241 * Changed: improved text consistency and updated geopolitical terminology
242
243 = 9.4.3 =
244 * Fixed: user ID could be empty in 2FA
245 * Fixed: learn more button in vulnerability email now links to correct page
246 * Fixed: rsssl_user_can_manage undefined error when downloading system status
247 * Changed: improved compatibility with plain permalinks
248 * Changed: updated links in the plugin
249
250 = 9.4.2 =
251 * Fixed: .htaccess redirect requirements for subfolder configurations
252 * Fixed: re-send email button on 2FA page now shows confirmation message
253 * Fixed: restored SCSS files
254 * Fixed: plugin kept redirecting to settings page after activation
255 * Changed: updated plugin installation via onboarding and dashboard page
256 * Changed: added notice with option to force verify email address
257 * Changed: updated minimum WordPress version to 6.6
258
259 = 9.4.1 =
260 * Fixed: text domain loaded too early warning
261
262 = 9.4.0 =
263 * Fixed: plugin initialization timing to prevent textdomain warning
264 * Fixed: feedback when email is resent during 2FA setup
265 * Fixed: Single Sign On link now supports custom login URLs
266 * Added: SimplyBook in onboarding and other plugins sections
267 * Changed: more detailed feedback when using CLI commands
268 * Changed: detect EXTENDIFY_PARTNER_ID and run activate_recommended_features
269 * Changed: standardized onboarding hoster list to brand names
270 * Changed: user enumeration now returns 401 instead of 404
271
272 = 9.3.5 - 2025-04-29 =
273 * Fixed: 2FA methods can now be set on profile page
274 * Changed: tested up to WordPress 6.8
275 * Changed: translation updates
276 * Changed: check for autoloader in cron
277
278 = 9.3.3 - 2025-04-02 =
279 * Changed: added multiple WP-CLI commands to align with recent plugin features
280 * Changed: added support for custom/multiple roles in Two Factor Authentication
281
282 = 9.3.2.1 - 2025-03-20 =
283 * Fixed: properly handle unknown plugins in upgrade requests
284
285 = 9.3.2 - 2025-03-05 =
286 * Fixed: removed default checkbox behavior from configuration settings
287 * Fixed: handle multiple tooltip reasons for disabled select fields
288 * Changed: added filters to customize Let's Encrypt Wizard behavior
289
290 = 9.3.1 - 2025-02-12 =
291 * Fixed: all instruction links are now correct
292 * Fixed: undefined array key "m" when showing vulnerability details
293 * Fixed: prevent errors when downgrading to free
294 * Fixed: 2FA compatibility with JetPack WordPress.com login
295 * Changed: email functions require verified email address
296
297 = 9.2.0 - 2025-01-20 =
298 * Fixed: added nonce check to certificate re-check button
299 * Fixed: review notice was not properly dismissible in some cases
300
301 = 9.1.4 =
302 * Fixed: shields in UI datatables no longer cut off
303 * Changed: do not track 404s for logged in users
304 * Changed: implemented rsssl_wpconfig_path filter in all wp-config functions
305 * Changed: faster onboarding completion after clicking Finish button
306
307 = 9.1.3 - 2024-11-28 =
308 * Fixed: remove duplicate site URL
309 * Fixed: rsssl_sanitize_uri_value() now always returns a string
310 * Fixed: multisite 2FA role enforcement for users with multiple roles
311 * Fixed: Skip Onboarding button undefined page with email method
312 * Fixed: translation loading updated for WordPress 6.7
313 * Changed: improved 2FA lockout notice
314 * Changed: catch use of short init in advanced-headers file
315 * Changed: string improvements and translator comments
316 * Changed: Bitnami support for rsssl_find_wordpress_base_path()
317 * Changed: integrate Site Health notifications with Solid Security
318 * Changed: enhanced random password generation in Rename Admin User
319 * Changed: always return string in wpconfig_path() function
320
321 = 9.1.2 =
322 * Security: authentication bypass fix
323
324 = 9.1.1.1 - 2024-11-05 =
325 * Fixed: 2FA grace period was kept active after a reset
326
327 = 9.1.1 - 2024-10-30 =
328 * Fixed: 2FA grace period kept active after reset
329 * Changed: safe-mode.lock file deactivates Firewall, 2FA and LLA for debugging
330 * Changed: update to system status
331 * Changed: textual changes
332 * Changed: updated instructions URLs
333 * Changed: site health notices changed from critical to recommended
334 * Changed: dropped obsolete react library
335
336 = 9.1.0 - 2024-10-22 =
337 * Fixed: prevent potential errors with login feedback
338 * Fixed: catch type error when $transients is not an array
339 * Changed: allow scanning for security headers via scan.really-simple-ssl.com
340 * Changed: remove unnecessary rsssl_update_option calls
341
342 = 9.0.2 =
343 * Fixed: issue with deactivating 2FA
344
345 = 9.0.0 - 2024-09-16 =
346 * Fixed: instructions URL in the Firewall settings
347 * Fixed: incorrect instructions URL
348 * Fixed: Let's Encrypt returning old certificate on auto-renewed certificates
349 * Changed: dropped X-Frame-Options header in favor of frame-ancestors
350 * Changed: save and continue in vulnerabilities overview not working correctly
351
352 = 8.3.0.1 =
353 * Fixed: issues with the decryption model
354
355 = 8.3.0 - 2024-08-12 =
356 * Fixed: some strings were not translatable
357 * Fixed: premium support link did not work
358 * Fixed: links in emails were sometimes incorrect
359 * Fixed: fatal error on permission detection
360 * Added: password security scan detects weak and compromised passwords
361 * Changed: disable cron schedules on deactivation
362 * Changed: custom license check header improves hosting compatibility
363 * Changed: added option to disable X-powered-by header
364 * Changed: new improved encryption method for some settings
365
366 = 8.1.5 - 2024-06-21 =
367 * Fixed: documentation links to website broken
368 * Changed: some text changes in helptexts
369 * Changed: new structure to upgrade database tables
370
371 = 8.1.4 - 2024-06-11 =
372 * Fixed: cookie expiration change not loading
373 * Fixed: Visual Composer compatibility with Enforce Strong Password
374 * Fixed: multiple CloudFlare detected notices in onboarding
375 * Fixed: checkbox position in onboarding
376 * Changed: dropdown in onboarding not entirely visible
377 * Changed: styling of locked XML RPC overview
378
379 = 8.1.3 - 2024-05-16 =
380 * Fixed: WP Rocket compatibility when advanced-headers.php does not exist
381
382 = 8.1.2 - 2024-05-16 =
383 * Fixed: advanced-headers.php now supports early inclusion
384
385 = 8.1.1 - 2024-05-14 =
386 * Fixed: upgrade from <6.0 to >8.0 causing fatal error
387 * Fixed: URL to details of detected vulnerabilities was incorrect
388 * Added: detection of non-recommended permissions on files
389 * Added: configure region restrictions for your site
390 * Changed: textual change on premium overlay
391 * Changed: upgraded minimum required PHP version to 7.4
392 * Changed: compatibility with Bitnami
393 * Changed: compatibility of Limit Login Attempts with WooCommerce
394 * Changed: remove duplicate X-Really-Simple-SSL-Test from advanced-headers-test.php
395 * Changed: clear notice about .htaccess writable if do_not_edit_htaccess is enabled
396
397 = 8.1.0 =
398 * Fixed: show 'self' as default in Frame Ancestors
399 * Added: Limit Login Attempts Captcha integration
400 * Changed: some string corrections
401 * Changed: catch not existing rsssl_version_compare
402 * Changed: check for openSSL module existence
403 * Changed: set default empty array for options, for legacy upgrades
404 * Changed: disable custom login URL when plain permalinks are enabled
405 * Changed: drop renamed folder notice, not needed anymore
406 * Changed: enable advanced headers in onboarding
407 * Changed: is_object check in updater
408
409 = 8.0.1 =
410 * Fixed: enable 2FA during onboarding when not selected by user
411 * Fixed: upgrading to Pro preserves settings when clear on deactivation enabled
412 * Fixed: catch several array key not existing errors
413 * Changed: better CSP defaults
414
415 = 8.0.0 =
416 * Added: hide remember me checkbox
417 * Added: extend blocking of malicious admin creation to multisite
418 * Changed: drop prefetch-src from Content Security Policy
419 * Changed: disable two-fa when login protection is disabled
420
421 = 7.2.8 =
422 * Fixed: clear cron schedules on deactivation
423 * Changed: translations update
424 * Changed: info notice about automatic free and pro plugin merge
425
426 = 7.2.7 =
427 * Changed: added integration with FlyingPress and Fastest Cache
428 * Changed: fix exiting a filter, causing compatibility issue with BuddyPress
429
430 = 7.2.6 =
431 * Fixed: custom 404 pages with custom login URL
432 * Added: option to limit login cookie expiration time
433 * Changed: text changes
434 * Changed: CSS on login error message
435 * Changed: header detection improved by checking the last URL in redirect chain
436
437 = 7.2.5 =
438 * Fixed: IP detection header order
439 * Fixed: table creation on activation of LLA module
440
441 = 7.2.4 =
442 * Fixed: PHP warning in Password Security module
443 * Fixed: change login URL feature not working with password protected pages
444 * Changed: move database table creation to Limit Login Attempts module
445 * Changed: prevent PHP error caused by debug.log file hardening feature
446
447 = 7.2.3 =
448 * Fixed: CSP data not showing in datatable
449
450 = 7.2.2 =
451 * Changed: improved check for PharData class
452
453 = 7.2.1 =
454 * Fixed: config for CSP preventing Learning mode from completing
455 * Fixed: datatable styling
456 * Fixed: using deactivate_https with WP-CLI did not remove htaccess rules
457 * Changed: add query parameter to enforce email verification
458 * Changed: CSS for check certificate manually button
459
460 = 7.2.0 =
461 * Fixed: changed link to article
462 * Fixed: remove flags .js file which was added twice
463 * Fixed: typo in missing advanced-headers.php notice
464 * Changed: catch PHP warning when script src is empty when using hide WP version
465 * Changed: new save & continue feedback
466 * Changed: datatable styling
467 * Changed: new react based modal
468 * Changed: menu re-structured
469 * Changed: re-check vulnerability status after core update
470 * Changed: vulnerability notification emails now link to specific details
471
472 = 7.1.3 - 2023-10-11 =
473 * Fixed: React ErrorBoundary preventing Let's Encrypt generation to complete
474
475 = 7.1.2 - 2023-10-06 =
476 * Fixed: hook change in integrations loader causing modules not to load
477
478 = 7.1.1 - 2023-10-05 =
479 * Fixed: incorrect function usage
480
481 = 7.1.0 - 2023-10-04 =
482 * Changed: detection if advanced-headers.php file is running
483
484 = 7.0.9 - 2023-09-05 =
485 * Changed: typo update word
486 * Changed: translatability in several strings
487
488 = 7.0.8 - 2023-08-08 =
489 * Fixed: handling of legacy options in PHP 8.1
490 * Fixed: count remaining tasks
491 * Changed: WordPress tested up to 6.3
492 * Changed: improve file existence check json
493
494 = 7.0.7 - 2023-07-25 =
495 * Fixed: handling of legacy options in PHP 8.1
496 * Fixed: prevent issues with CloudFlare when submitting support form
497 * Fixed: translations singular/plural for Japanese translations
498 * Changed: modal icon placement in wizard on smaller screens
499 * Changed: expire cached detected headers five minutes after saving settings
500
501 = 7.0.6 - 2023-07-04 =
502 * Fixed: translations not loading for chunked react components
503 * Changed: support custom wp-content directory in advanced-headers.php
504 * Changed: prevent usage of subdirectories in custom login URL
505 * Changed: added manual vulnerability recheck parameter
506
507 = 7.0.5 =
508 * Fixed: reverted redirect method to fix non-www site login issues
509
510 = 7.0.4 - 2023-06-14 =
511 * Fixed: feedback on hardening features enable action not showing as enabled
512 * Changed: notice informing about the new free vulnerability detection feature
513 * Changed: improved the PHP redirect method
514 * Changed: make the wp-config.php not writable notice dismissable
515
516 = 7.0.3 =
517 * Fixed: fix false positives on some plugins
518 * Changed: vulnerability notifications in site health, if notifications are enabled
519
520 = 7.0.2 =
521 * Changed: improve matching precision on plugins with vulnerabilities
522
523 = 7.0.1 =
524 * Fixed: REST API ajax fallback now works correctly
525
526 = 7.0.0 =
527 * Added: Vulnerability Detection (Beta)
528 * Changed: move onboarding rest api to do_action rest_route
529 * Changed: catch several edge situations in SSL Labs api
530 * Changed: SSL Labs block responsiveness
531 * Changed: more robust handling of wp-config.php detection
532
533 = 6.3.0 =
534 * Changed: added support for the new Let's Encrypt staging environment
535
536 = 6.2.5 =
537 * Fixed: capability mismatch in multisite
538 * Changed: add warning alert option
539
540 = 6.2.4 =
541 * Fixed: catch non array value from notices array
542 * Fixed: typo in documentation link
543 * Changed: optionally enable notification emails in onboarding wizard
544 * Changed: onboarding styling
545
546 = 6.2.3 =
547 * Changed: back-end react to functional components
548 * Changed: multisite notice should link to network admin page
549 * Changed: detect existing CAA records to check Let's Encrypt compatibility
550 * Changed: tested up to WP 6.2
551 * Changed: UX improvement learning mode
552
553 = 6.2.2 =
554 * Fixed: capability mismatch for non-administrator in multisite admin
555
556 = 6.2.1 =
557 * Fixed: race condition when activating SSL through WP-CLI
558 * Fixed: missing disabled state in textarea and checkboxes
559 * Fixed: some strings not translatable
560 * Fixed: Let's Encrypt renewal with add on
561 * Changed: permissions check re-structuring
562 * Changed: notice on subsite within multisite environment about wildcard updated
563
564 = 6.2.0 =
565 * Added: optional email notifications on advanced settings
566 * Changed: added tooltips
567 * Changed: added warnings for .htaccess redirect
568 * Changed: don't send user email change on renaming admin user
569 * Changed: use BASEPATH only for wp-load.php, symlinked folders load based on ABSPATH
570 * Changed: improved support for environments where Rest API is blocked
571
572 = 6.1.1 =
573 * Fixed: WP-CLI SSL activation fix when site not visited before
574 * Changed: prevent 'undefined' status showing up in api calls on settings page
575 * Changed: notice for incompatible Let's Encrypt shell add-on versions
576
577 = 6.1.0 =
578 * Fixed: empty menu item visible in Let's Encrypt menu
579 * Changed: some UX changes
580 * Changed: limit number of notices in the dashboard
581 * Changed: load rest api request URL over https if website is loaded over https
582
583 = 6.0.14 =
584 * Fixed: settings page when using plain permalinks
585
586 = 6.0.13 =
587 * Fixed: CSS for blue labels in progress dashboard below 1080px
588 * Fixed: WP-CLI SSL activation not working due to capability checks
589 * Fixed: catch invalid account error in Let's Encrypt generation
590 * Fixed: do not block user enumeration for gutenberg
591 * Changed: improve method of dropping empty menu items in settings dashboard
592 * Changed: dynamic links in auto installer
593 * Changed: change rest_api method to core wp apiFetch()
594 * Changed: scroll highlighted setting into view after clicking "fix" on a task
595 * Changed: HTTP method tests run in batches to prevent CURL timeouts
596 * Changed: clean up code-execution.php file after test
597 * Changed: notification when DISABLE_FILE_EDITING is set to false
598 * Changed: drop some unnecessary translations
599 * Changed: WP version test uses options for better persistence
600
601 = 6.0.12 =
602 * Fixed: multisite admin username test uses correct database prefix
603 * Changed: allow submenu in back-end react application
604 * Changed: skip value update when no change has been made
605 * Changed: no redirect on dismiss of admin notice
606 * Changed: remove obsolete warning
607 * Changed: qtranslate support on settings page
608
609 = 6.0.11 =
610 * Fixed: login check works when HTTP_X_WP_NONCE unavailable
611 * Fixed: admin notices now dismiss immediately
612
613 = 6.0.10 =
614 * Fixed: Apache 2.4 compatibility for upload directory code blocking
615 * Fixed: Varnish cache compatibility for REST API requests
616 * Fixed: manage_security capability added for upgraded users
617 * Fixed: allow for custom rest api prefixes
618 * Fixed: Let's Encrypt DNS verification save and action issues
619 * Fixed: REST API error handling prevents blank settings page
620 * Changed: simplify user enumeration test
621 * Changed: catch unexpected response in SSL Labs object
622 * Changed: z-index on onboarding modal on smaller screen sizes
623 * Changed: hide username field if no admin username is present
624
625 = 6.0.9 =
626 * Fixed: incorrectly disabled email field in Let's Encrypt wizard
627 * Changed: on rename admin user, catch existing username, and strange characters
628 * Changed: catch openBaseDir restriction in cpanel detection function
629 * Changed: removed 6.0 update notices from subsites
630
631 = 6.0.8 =
632 * Changed: Let's Encrypt wizard CSS styling
633 * Changed: re-add link to article about Let's Encrypt
634 * Changed: let user choose a new username when selecting "rename admin user"
635
636 = 6.0.7 =
637 * Fixed: restricted .htaccess rewrite to prevent plugin conflicts
638
639 = 6.0.6 =
640 * Fixed: drop upgrade of .htaccess file in upgrade script
641
642 = 6.0.5 =
643 * Fixed: .htaccess race condition with simultaneous updates
644
645 = 6.0.4 =
646 * Fixed: .htaccess redirect compatibility with upload code blocking
647 * Fixed: deactivation now fully removes wp-config.php changes
648
649 = 6.0.3 =
650 * Fixed: Rest Optimizer no longer deactivates other plugins
651
652 = 6.0.2 =
653 * Fixed: do not show WP_DEBUG_DISPLAY notice if WP_DEBUG is false
654 * Fixed: empty cron schedule
655 * Fixed: auto installer used function not defined yet
656 * Fixed: rest api optimizer causing an error in some cases
657 * Changed: several typos and string improvements
658
659 = 6.0.1 =
660 * Fixed: translations not loading for scripts
661
662 = 6.0.0 =
663 * Added: Server Health Check - powered by SSLLabs
664 * Added: WordPress Hardening Features
665 * Changed: User Interface
666 * Changed: Tested up to WordPress 6.1.0
667
668 == Upgrade notice ==
669 On settings page load, the .htaccess file is now rewritten. If you have made .htaccess customizations to the RSSSL block and have not blocked the plugin from editing it, do so before upgrading.
670 Always back up before any upgrade, especially .htaccess, wp-config.php and the plugin folder. This way you can easily roll back.
671
672 == Screenshots ==
673 1. The Really Simple Security Dashboard provides a quick security overview.
674 2. Enable or enforce 2FA per user role.
675 3. Stay ahead of plugin, theme and WP core vulnerabilities.
676 4. Harden your site’s security with Basic Hardening features.
677 5. 1-minute configuration with the short security onboarding.