Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) v9.5.11
really-simple-ssl / readme.txt
1 === Really Simple Security - Simple and Performant Security (formerly Really Simple SSL) ===
2 Contributors: RogierLankhorst, markwolters, hesseldejong, vicocotea, marcelsanting, janwoostendorp, wimbraam
3 Donate link: https://www.paypal.me/reallysimplessl
4 Tags: security, https, 2fa, vulnerabilities, two factor
5 Requires at least: 6.6
6 License: GPL2
7 Tested up to: 7.0
8 Requires PHP: 7.4
9 Stable tag: 9.5.11
10
11 Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
12
13 == Description ==
14
15 === Really simple, Effective and Performant WordPress Security ===
16 Really Simple Security is the most lightweight and easy-to-use security plugin for WordPress. It secures your WordPress website with SSL certificate generation, including proper 301 https redirection and SSL enforcement, scanning for possible vulnerabilities, Login Protection and implementing essential WordPress hardening features.
17
18 We believe that security should have the absolute minimum effect on website performance, user experience and maintainability. Therefore, Really Simple Security is:
19
20 * **Lightweight:** Every security feature is developed with a modular approach and with performance in mind. Disabled features won't load any redundant code.
21 * **Easy-to-use:** 1-minute configuration with short onboarding setup.
22
23 === Security Features ===
24
25 = Easy SSL Migration =
26 Migrates your website to HTTPS and enforces SSL in just one click.
27
28 * 301 redirect via PHP or .htaccess
29 * Secure cookies
30 * Let's Encrypt: Install an SSL Certificate if your hosting provider supports manual installation.
31 * Server Health Check: Your server configuration is every bit as important for your website security.
32
33 = WordPress Hardening =
34 Tweak your configuration and keep WordPress fortified and safe by tackling potential weaknesses.
35
36 * Prevent code execution in the uploads folder
37 * Prevent login feedback and disable user enumeration
38 * Disable XML-RPC
39 * Disable directory browsing
40 * Username restrictions (block 'admin' and public names)
41 * and much more...
42
43 = Vulnerability Detection =
44 Get notified when plugins, themes or WP core contain vulnerabilities and need appropriate action.
45
46 = Login Protection =
47 Allow or enforce Two-Factor Authentication (2FA) for specific user roles. Users receive a two-factor code via Email.
48
49 === Improve Security with Really Simple Security Pro ===
50 [Protect your site with all essential security features by upgrading to Really Simple Security Pro.](https://really-simple-ssl.com/)
51
52 = Advanced SSL enforcement =
53 * Mixed Content Scan & Fixer. Detect files that are requested over HTTP and fix them to HTTPS, both Front- and Back-end.
54 * Enable HTTP Strict Transport Security and configure your site for the HSTS Preload list.
55
56 = Firewall =
57 Really Simple Security Pro includes a performant and efficient WordPress firewall, to stop bots, crawlers and bad actors with IP and username blocks.
58
59 * 404 blocking - Blocks crawlers as they trigger unusual numbers of 404 errors.
60 * Region blocking - Only allow/block access to your site from specific regions.
61 * Automated and customisable Firewall rules.
62 * IP blocklist and allowlist.
63
64 = Security Headers =
65 Security headers protect your site visitors against the risk of clickjacking, cross-site-forgery attacks, stealing login credentials and malware.
66
67 * Independent of your Server Configuration, works on Apache, LiteSpeed, NGINX, etc.
68 * Protect your website visitors with X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, a Referrer Policy and CORS headers.
69 * Automatically generate your WordPress-tailored Content Security Policy.
70
71 = Vulnerability Measures =
72 When a vulnerability is detected in a plugin, theme or WordPress core you will get notified accordingly. With Vulnerability Measures, you can configure simple but effective measures to make sure that a critical vulnerability won't remain unattended.
73
74 * Force update: An update process will be tried multiple times until it can be assumed development of a theme or plugin is abandoned. You will be notified during these steps.
75 * Quarantine: When a plugin or theme can't be updated to solve a vulnerability, Really Simple Security can quarantine the plugin.
76
77 = Advanced Site Hardening =
78 * Choose a custom login URL
79 * Automated File Permissions check and fixer
80 * Rename and randomize your database prefix
81 * Change the debug.log file location to a non-public folder
82 * Disable application passwords
83 * Control admin creation
84 * Disable HTTP methods, reducing HTTP requests
85
86 = Login Protection =
87 Secure your website's login process and user accounts with powerful security measures.
88
89 * Two-Step verification (Email login)
90 * 2FA (two factor authentication) with TOTP
91 * Passwordless login with passkey login
92 * Enforce strong passwords and frequent password change
93 * Limit Login Attempts
94
95 With Limit Login Attempts you can configure a threshold to temporarily or permanently block IP addresses or (non-existing) usernames. You can also present a CAPTCHA after a failed login (hCaptcha or Google reCAPTCHA).
96
97 = Access Control =
98 * Restrict access to your site for specific regions.
99 * Add specific IP addresses or IP ranges to the Blocklist or Allowlist.
100
101 == Useful Links ==
102 * [Documentation](https://really-simple-ssl.com/knowledge-base-overview/)
103 * [Security Definitions](https://really-simple-ssl.com/definitions/)
104 * [Translate Really Simple Security](https://translate.wordpress.org/projects/wp-plugins/really-simple-ssl)
105 * [Issues & pull requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/issues)
106 * [Feature requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/labels/feature%20request)
107
108 == Love Really Simple Security? ==
109 If you want to support the continuing development of this plugin, please consider buying [Really Simple Security Pro](https://www.really-simple-ssl.com/pro/), which includes some excellent security features and premium support.
110
111 == About Really Simple Plugins ==
112 Our mission is to make complex WordPress requirements really easy. Really Simple Security is developed by [Really Simple Plugins](https://www.really-simple-ssl.com/about-us).
113
114 For generating SSL certificates, Really Simple Security uses the [le acme2 PHP](https://github.com/fbett/le-acme2-php/) Let's Encrypt client library, thanks to 'fbett' for providing it. Vulnerability Detection uses WP Vulnerability, an open-source initiative by Javier Casares. Want to join as a collaborator? We're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl) as well!
115
116 == Installation ==
117 To install this plugin:
118
119 1. Make a backup! See [our recommendations](https://really-simple-ssl.com/knowledge-base/backing-up-your-site/).
120 2. Download the plugin.
121 3. Upload the plugin to the /wp-content/plugins/ directory.
122 4. Go to "Plugins" in your WordPress admin, then click "Activate".
123 5. You will now see the Really Simple Security onboarding process, to quickly help you through the configuration process.
124
125 == Frequently Asked Questions ==
126 = Knowledge Base =
127 For more detailed explanations and documentation on all Really Simple Security features, please search the [Knowledge Base](https://www.really-simple-ssl.com/knowledge-base/).
128
129 = What happened with Really Simple SSL? =
130 All features that made Really Simple SSL the most powerful and easy-to-use SSL generation and redirect plugin are still part of Really Simple Security. The plugin is developed with a modular approach: if you don't want to use the full set of security features, the unused code will not be loaded and won't have any effect on your site's performance.
131
132 = Why Really Simple Security? =
133 In our experience, security solutions for WordPress are often hard to configure, trigger many false positives and have a significant impact on site performance. We have been receiving requests from our users to simplify WordPress security for years, so that has become our mission!
134
135 = I want to share my feedback or contribute to Really Simple Security =
136 You couldn't make us happier! Really Simple Security is GPL licensed and co-created by the WordPress community. All feedback is highly appreciated and has always helped us to better understand users' needs. For code contributions or suggestions, we're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl). For suggestions, please [open a support ticket](https://wordpress.org/support/plugin/really-simple-ssl/). You can also express your appreciation by [leaving a review](https://wordpress.org/support/plugin/really-simple-ssl/reviews/).
137
138 = What are Mixed Content issues? =
139 Most mixed content issues are caused by URLs in CSS or JS files. For detailed instructions on how to find mixed content, read this [article](https://really-simple-ssl.com/knowledge-base/how-to-track-down-mixed-content-or-insecure-content/).
140
141 = Generating a Let's Encrypt SSL Certificate =
142 We added the possibility to generate a Free SSL Certificate with Let's Encrypt in our Really Simple Security Wizard. We have an updated list available for all possible integrations [here](https://really-simple-ssl.com/install-ssl-certificate/). Please leave feedback if you would like another integration, find incorrect information, or need help.
143
144 = How do I fix a redirect loop? =
145 If you are experiencing redirect loops on your site, try these [instructions](https://really-simple-ssl.com/knowledge-base/my-website-is-in-a-redirect-loop/). This can sometimes happen during the migration to HTTPS or due to conflicting redirect rules.
146
147 = Is the plugin multisite compatible? =
148 Yes. There is a dedicated network settings page where you can control settings for your entire network, at once.
149
150 = How do I enforce strong passwords? =
151 Under Login Protection, you can configure minimum strength settings and require users to change their passwords after a defined interval. Disabling weak password usage is a best practice.
152
153 = How can I change my login URL? =
154 You can set a custom login URL under Advanced Site Hardening, which helps prevent brute force login attacks and bots targeting wp-login.php.
155
156 = Does this plugin redirect HTTP to HTTPS? =
157 Yes. The plugin enforces HTTPS and handles all necessary redirects, optionally using .htaccess or PHP.
158
159 = Can I use Really Simple Security alongside WordFence? =
160 Really Simple Security and WordFence greatly overlap in terms of functionality. If you would like to use specific features from both plugins, we strongly recommend not enabling similar features twice. The benefit of Really Simple Security is that disabled features don't load any code, so they won't have an impact on site performance.
161
162 == Changelog ==
163 = 9.5.11 - 2026-05-05 =
164 * Fixed: fatal error that could occur when a plugin uses admin_enqueue_scripts incorrectly.
165 * Fixed: a bug where the wrong settings value could be saved.
166
167 = 9.5.10.1 - 2026-04-29 =
168 * Fixed: Undefined variable during cron.
169 * Changed: Updated 2FA login flow to address inconsistent verification behavior.
170
171 = 9.5.10 - 2026-04-21 =
172 * Fixed: Some styling (CSS) issues to improve compatibility with WordPress 7.0.
173 * Changed: Removed an unused AJAX callback.
174 * Changed: Tested up to WordPress 7.0.
175
176 = 9.5.9 - 2026-03-31 =
177 * Changed: Reworked vulnerability detection and measures logic.
178
179 = 9.5.8 - 2026-02-26 =
180 * Fixed: Prevent using "Do Not Ask Again" for user roles where 2FA is required.
181 * Fixed: Resolved an issue where "Prevent login feedback" could show a ghost username on the login retry screen.
182 * Fixed: Prevented "Failed to send buffer of zlib output compression" notices when using the Mixed Content Fixer with zlib.output_compression enabled.
183 * Changed: Updated review notice text.
184
185 = 9.5.7 - 2026-02-10 =
186 * Fixed: scenario where users were stuck after an expired 2FA grace period due to missing authentication methods.
187 * Changed: Email 2FA user experience by making Enter submit the verification code instead of resending it.
188 * Changed: Simplified service bootstrapping by removing the Provider layer and registering all services directly in the App container.
189
190 = 9.5.6 - 2025-01-20 =
191 * Fixed: 2FA users list not displaying all users
192 * Fixed: Cloudflare cache not clearing after SSL activation
193 * Changed: improved deactivation process
194
195 = 9.5.6 - 2025-12-16 =
196 * Fixed: JavaScript error when using custom roles with 2FA
197 * Fixed: fatal error caused by hosts class being instantiated twice
198 * Fixed: fatal error when upgrading from older plugin versions
199 * Fixed: WP-CLI activate_ssl command now works correctly on first attempt
200 * Changed: removed two unused files from the plugin
201 * Changed: updated readme to align with standards
202
203 = 9.5.4 - 2025-11-18 =
204 * Fixed: 2FA login error when user has no assigned roles
205 * Fixed: fatal error when wp-config.php path is empty
206 * Changed: added file locking to .htaccess and wp-config.php to prevent race conditions
207 * Changed: clarified .htaccess directory indexing comment
208 * Changed: replaced site_url() with home_url() in the 404 resource check on the homepage
209 * Changed: security functions now skip cron jobs and CLI environments
210 * Changed: Let's Encrypt wizard final step now shows only SSL activation button
211 * Changed: added a license.txt file
212
213 = 9.5.3.1 =
214 * Fixed: WP-CLI commands not working correctly
215
216 = 9.5.3 =
217 * Fixed: text domain loaded too early warning from unused translation
218 * Fixed: deactivation modal now always displays
219 * Changed: refactored the onboarding code
220
221 = 9.5.2.3 =
222 * Fixed: 2FA reset now correctly calls the 2FA reset service
223
224 = 9.5.2.2 =
225 * Fixed: 2FA TypeError when updating from older plugin versions
226
227 = 9.5.2 =
228 * Fixed: all users will now appear in the 2FA list
229 * Fixed: tasks will now always display on multisite
230 * Changed: activate_ssl WP-CLI command supports --force to skip confirmation
231
232 = 9.5.1 =
233 * Fixed: missing getmyuid function check to prevent errors
234 * Fixed: Right-To-Left CSS now works correctly when SCRIPT_DEBUG is enabled
235 * Changed: standardized REST namespaces to really-simple-security
236
237 = 9.5.0.2 =
238 * Fixed: prevent empty content from being written into .htaccess
239
240 = 9.5.0.1 =
241 * Fixed: .htaccess protected from empty overwrites, auto-creation requires filter opt-in
242
243 = 9.5.0 =
244 * Fixed: whitelisted LiteSpeed Cache crawler in .htaccess to prevent redirect issues
245 * Fixed: 2FA grace period email logic to avoid reminders to users with active 2FA
246 * Fixed: updated hosting provider name from "XXL Hosting" to "Superspace"
247 * Changed: reworked .htaccess handling with insert_with_markers and WP Rocket integration
248 * Changed: SBOM added to plugin
249 * Changed: improved text consistency and updated geopolitical terminology
250
251 = 9.4.3 =
252 * Fixed: user ID could be empty in 2FA
253 * Fixed: learn more button in vulnerability email now links to correct page
254 * Fixed: rsssl_user_can_manage undefined error when downloading system status
255 * Changed: improved compatibility with plain permalinks
256 * Changed: updated links in the plugin
257
258 = 9.4.2 =
259 * Fixed: .htaccess redirect requirements for subfolder configurations
260 * Fixed: re-send email button on 2FA page now shows confirmation message
261 * Fixed: restored SCSS files
262 * Fixed: plugin kept redirecting to settings page after activation
263 * Changed: updated plugin installation via onboarding and dashboard page
264 * Changed: added notice with option to force verify email address
265 * Changed: updated minimum WordPress version to 6.6
266
267 = 9.4.1 =
268 * Fixed: text domain loaded too early warning
269
270 = 9.4.0 =
271 * Fixed: plugin initialization timing to prevent textdomain warning
272 * Fixed: feedback when email is resent during 2FA setup
273 * Fixed: Single Sign On link now supports custom login URLs
274 * Added: SimplyBook in onboarding and other plugins sections
275 * Changed: more detailed feedback when using CLI commands
276 * Changed: detect EXTENDIFY_PARTNER_ID and run activate_recommended_features
277 * Changed: standardized onboarding hoster list to brand names
278 * Changed: user enumeration now returns 401 instead of 404
279
280 = 9.3.5 - 2025-04-29 =
281 * Fixed: 2FA methods can now be set on profile page
282 * Changed: tested up to WordPress 6.8
283 * Changed: translation updates
284 * Changed: check for autoloader in cron
285
286 = 9.3.3 - 2025-04-02 =
287 * Changed: added multiple WP-CLI commands to align with recent plugin features
288 * Changed: added support for custom/multiple roles in Two Factor Authentication
289
290 = 9.3.2.1 - 2025-03-20 =
291 * Fixed: properly handle unknown plugins in upgrade requests
292
293 = 9.3.2 - 2025-03-05 =
294 * Fixed: removed default checkbox behavior from configuration settings
295 * Fixed: handle multiple tooltip reasons for disabled select fields
296 * Changed: added filters to customize Let's Encrypt Wizard behavior
297
298 = 9.3.1 - 2025-02-12 =
299 * Fixed: all instruction links are now correct
300 * Fixed: undefined array key "m" when showing vulnerability details
301 * Fixed: prevent errors when downgrading to free
302 * Fixed: 2FA compatibility with JetPack WordPress.com login
303 * Changed: email functions require verified email address
304
305 = 9.2.0 - 2025-01-20 =
306 * Fixed: added nonce check to certificate re-check button
307 * Fixed: review notice was not properly dismissible in some cases
308
309 = 9.1.4 =
310 * Fixed: shields in UI datatables no longer cut off
311 * Changed: do not track 404s for logged in users
312 * Changed: implemented rsssl_wpconfig_path filter in all wp-config functions
313 * Changed: faster onboarding completion after clicking Finish button
314
315 = 9.1.3 - 2024-11-28 =
316 * Fixed: remove duplicate site URL
317 * Fixed: rsssl_sanitize_uri_value() now always returns a string
318 * Fixed: multisite 2FA role enforcement for users with multiple roles
319 * Fixed: Skip Onboarding button undefined page with email method
320 * Fixed: translation loading updated for WordPress 6.7
321 * Changed: improved 2FA lockout notice
322 * Changed: catch use of short init in advanced-headers file
323 * Changed: string improvements and translator comments
324 * Changed: Bitnami support for rsssl_find_wordpress_base_path()
325 * Changed: integrate Site Health notifications with Solid Security
326 * Changed: enhanced random password generation in Rename Admin User
327 * Changed: always return string in wpconfig_path() function
328
329 = 9.1.2 =
330 * Security: authentication bypass fix
331
332 = 9.1.1.1 - 2024-11-05 =
333 * Fixed: 2FA grace period was kept active after a reset
334
335 = 9.1.1 - 2024-10-30 =
336 * Fixed: 2FA grace period kept active after reset
337 * Changed: safe-mode.lock file deactivates Firewall, 2FA and LLA for debugging
338 * Changed: update to system status
339 * Changed: textual changes
340 * Changed: updated instructions URLs
341 * Changed: site health notices changed from critical to recommended
342 * Changed: dropped obsolete react library
343
344 = 9.1.0 - 2024-10-22 =
345 * Fixed: prevent potential errors with login feedback
346 * Fixed: catch type error when $transients is not an array
347 * Changed: allow scanning for security headers via scan.really-simple-ssl.com
348 * Changed: remove unnecessary rsssl_update_option calls
349
350 = 9.0.2 =
351 * Fixed: issue with deactivating 2FA
352
353 = 9.0.0 - 2024-09-16 =
354 * Fixed: instructions URL in the Firewall settings
355 * Fixed: incorrect instructions URL
356 * Fixed: Let's Encrypt returning old certificate on auto-renewed certificates
357 * Changed: dropped X-Frame-Options header in favor of frame-ancestors
358 * Changed: save and continue in vulnerabilities overview not working correctly
359
360 = 8.3.0.1 =
361 * Fixed: issues with the decryption model
362
363 = 8.3.0 - 2024-08-12 =
364 * Fixed: some strings were not translatable
365 * Fixed: premium support link did not work
366 * Fixed: links in emails were sometimes incorrect
367 * Fixed: fatal error on permission detection
368 * Added: password security scan detects weak and compromised passwords
369 * Changed: disable cron schedules on deactivation
370 * Changed: custom license check header improves hosting compatibility
371 * Changed: added option to disable X-powered-by header
372 * Changed: new improved encryption method for some settings
373
374 = 8.1.5 - 2024-06-21 =
375 * Fixed: documentation links to website broken
376 * Changed: some text changes in helptexts
377 * Changed: new structure to upgrade database tables
378
379 = 8.1.4 - 2024-06-11 =
380 * Fixed: cookie expiration change not loading
381 * Fixed: Visual Composer compatibility with Enforce Strong Password
382 * Fixed: multiple CloudFlare detected notices in onboarding
383 * Fixed: checkbox position in onboarding
384 * Changed: dropdown in onboarding not entirely visible
385 * Changed: styling of locked XML RPC overview
386
387 = 8.1.3 - 2024-05-16 =
388 * Fixed: WP Rocket compatibility when advanced-headers.php does not exist
389
390 = 8.1.2 - 2024-05-16 =
391 * Fixed: advanced-headers.php now supports early inclusion
392
393 = 8.1.1 - 2024-05-14 =
394 * Fixed: upgrade from <6.0 to >8.0 causing fatal error
395 * Fixed: URL to details of detected vulnerabilities was incorrect
396 * Added: detection of non-recommended permissions on files
397 * Added: configure region restrictions for your site
398 * Changed: textual change on premium overlay
399 * Changed: upgraded minimum required PHP version to 7.4
400 * Changed: compatibility with Bitnami
401 * Changed: compatibility of Limit Login Attempts with WooCommerce
402 * Changed: remove duplicate X-Really-Simple-SSL-Test from advanced-headers-test.php
403 * Changed: clear notice about .htaccess writable if do_not_edit_htaccess is enabled
404
405 = 8.1.0 =
406 * Fixed: show 'self' as default in Frame Ancestors
407 * Added: Limit Login Attempts Captcha integration
408 * Changed: some string corrections
409 * Changed: catch not existing rsssl_version_compare
410 * Changed: check for openSSL module existence
411 * Changed: set default empty array for options, for legacy upgrades
412 * Changed: disable custom login URL when plain permalinks are enabled
413 * Changed: drop renamed folder notice, not needed anymore
414 * Changed: enable advanced headers in onboarding
415 * Changed: is_object check in updater
416
417 = 8.0.1 =
418 * Fixed: enable 2FA during onboarding when not selected by user
419 * Fixed: upgrading to Pro preserves settings when clear on deactivation enabled
420 * Fixed: catch several array key not existing errors
421 * Changed: better CSP defaults
422
423 = 8.0.0 =
424 * Added: hide remember me checkbox
425 * Added: extend blocking of malicious admin creation to multisite
426 * Changed: drop prefetch-src from Content Security Policy
427 * Changed: disable two-fa when login protection is disabled
428
429 = 7.2.8 =
430 * Fixed: clear cron schedules on deactivation
431 * Changed: translations update
432 * Changed: info notice about automatic free and pro plugin merge
433
434 = 7.2.7 =
435 * Changed: added integration with FlyingPress and Fastest Cache
436 * Changed: fix exiting a filter, causing compatibility issue with BuddyPress
437
438 = 7.2.6 =
439 * Fixed: custom 404 pages with custom login URL
440 * Added: option to limit login cookie expiration time
441 * Changed: text changes
442 * Changed: CSS on login error message
443 * Changed: header detection improved by checking the last URL in redirect chain
444
445 = 7.2.5 =
446 * Fixed: IP detection header order
447 * Fixed: table creation on activation of LLA module
448
449 = 7.2.4 =
450 * Fixed: PHP warning in Password Security module
451 * Fixed: change login URL feature not working with password protected pages
452 * Changed: move database table creation to Limit Login Attempts module
453 * Changed: prevent PHP error caused by debug.log file hardening feature
454
455 = 7.2.3 =
456 * Fixed: CSP data not showing in datatable
457
458 = 7.2.2 =
459 * Changed: improved check for PharData class
460
461 = 7.2.1 =
462 * Fixed: config for CSP preventing Learning mode from completing
463 * Fixed: datatable styling
464 * Fixed: using deactivate_https with WP-CLI did not remove htaccess rules
465 * Changed: add query parameter to enforce email verification
466 * Changed: CSS for check certificate manually button
467
468 = 7.2.0 =
469 * Fixed: changed link to article
470 * Fixed: remove flags .js file which was added twice
471 * Fixed: typo in missing advanced-headers.php notice
472 * Changed: catch PHP warning when script src is empty when using hide WP version
473 * Changed: new save & continue feedback
474 * Changed: datatable styling
475 * Changed: new react based modal
476 * Changed: menu re-structured
477 * Changed: re-check vulnerability status after core update
478 * Changed: vulnerability notification emails now link to specific details
479
480 = 7.1.3 - 2023-10-11 =
481 * Fixed: React ErrorBoundary preventing Let's Encrypt generation to complete
482
483 = 7.1.2 - 2023-10-06 =
484 * Fixed: hook change in integrations loader causing modules not to load
485
486 = 7.1.1 - 2023-10-05 =
487 * Fixed: incorrect function usage
488
489 = 7.1.0 - 2023-10-04 =
490 * Changed: detection if advanced-headers.php file is running
491
492 = 7.0.9 - 2023-09-05 =
493 * Changed: typo update word
494 * Changed: translatability in several strings
495
496 = 7.0.8 - 2023-08-08 =
497 * Fixed: handling of legacy options in PHP 8.1
498 * Fixed: count remaining tasks
499 * Changed: WordPress tested up to 6.3
500 * Changed: improve file existence check json
501
502 = 7.0.7 - 2023-07-25 =
503 * Fixed: handling of legacy options in PHP 8.1
504 * Fixed: prevent issues with CloudFlare when submitting support form
505 * Fixed: translations singular/plural for Japanese translations
506 * Changed: modal icon placement in wizard on smaller screens
507 * Changed: expire cached detected headers five minutes after saving settings
508
509 = 7.0.6 - 2023-07-04 =
510 * Fixed: translations not loading for chunked react components
511 * Changed: support custom wp-content directory in advanced-headers.php
512 * Changed: prevent usage of subdirectories in custom login URL
513 * Changed: added manual vulnerability recheck parameter
514
515 = 7.0.5 =
516 * Fixed: reverted redirect method to fix non-www site login issues
517
518 = 7.0.4 - 2023-06-14 =
519 * Fixed: feedback on hardening features enable action not showing as enabled
520 * Changed: notice informing about the new free vulnerability detection feature
521 * Changed: improved the PHP redirect method
522 * Changed: make the wp-config.php not writable notice dismissable
523
524 = 7.0.3 =
525 * Fixed: fix false positives on some plugins
526 * Changed: vulnerability notifications in site health, if notifications are enabled
527
528 = 7.0.2 =
529 * Changed: improve matching precision on plugins with vulnerabilities
530
531 = 7.0.1 =
532 * Fixed: REST API ajax fallback now works correctly
533
534 = 7.0.0 =
535 * Added: Vulnerability Detection (Beta)
536 * Changed: move onboarding rest api to do_action rest_route
537 * Changed: catch several edge situations in SSL Labs api
538 * Changed: SSL Labs block responsiveness
539 * Changed: more robust handling of wp-config.php detection
540
541 = 6.3.0 =
542 * Changed: added support for the new Let's Encrypt staging environment
543
544 = 6.2.5 =
545 * Fixed: capability mismatch in multisite
546 * Changed: add warning alert option
547
548 = 6.2.4 =
549 * Fixed: catch non array value from notices array
550 * Fixed: typo in documentation link
551 * Changed: optionally enable notification emails in onboarding wizard
552 * Changed: onboarding styling
553
554 = 6.2.3 =
555 * Changed: back-end react to functional components
556 * Changed: multisite notice should link to network admin page
557 * Changed: detect existing CAA records to check Let's Encrypt compatibility
558 * Changed: tested up to WP 6.2
559 * Changed: UX improvement learning mode
560
561 = 6.2.2 =
562 * Fixed: capability mismatch for non-administrator in multisite admin
563
564 = 6.2.1 =
565 * Fixed: race condition when activating SSL through WP-CLI
566 * Fixed: missing disabled state in textarea and checkboxes
567 * Fixed: some strings not translatable
568 * Fixed: Let's Encrypt renewal with add on
569 * Changed: permissions check re-structuring
570 * Changed: notice on subsite within multisite environment about wildcard updated
571
572 = 6.2.0 =
573 * Added: optional email notifications on advanced settings
574 * Changed: added tooltips
575 * Changed: added warnings for .htaccess redirect
576 * Changed: don't send user email change on renaming admin user
577 * Changed: use BASEPATH only for wp-load.php, symlinked folders load based on ABSPATH
578 * Changed: improved support for environments where Rest API is blocked
579
580 = 6.1.1 =
581 * Fixed: WP-CLI SSL activation fix when site not visited before
582 * Changed: prevent 'undefined' status showing up in api calls on settings page
583 * Changed: notice for incompatible Let's Encrypt shell add-on versions
584
585 = 6.1.0 =
586 * Fixed: empty menu item visible in Let's Encrypt menu
587 * Changed: some UX changes
588 * Changed: limit number of notices in the dashboard
589 * Changed: load rest api request URL over https if website is loaded over https
590
591 = 6.0.14 =
592 * Fixed: settings page when using plain permalinks
593
594 = 6.0.13 =
595 * Fixed: CSS for blue labels in progress dashboard below 1080px
596 * Fixed: WP-CLI SSL activation not working due to capability checks
597 * Fixed: catch invalid account error in Let's Encrypt generation
598 * Fixed: do not block user enumeration for gutenberg
599 * Changed: improve method of dropping empty menu items in settings dashboard
600 * Changed: dynamic links in auto installer
601 * Changed: change rest_api method to core wp apiFetch()
602 * Changed: scroll highlighted setting into view after clicking "fix" on a task
603 * Changed: HTTP method tests run in batches to prevent CURL timeouts
604 * Changed: clean up code-execution.php file after test
605 * Changed: notification when DISABLE_FILE_EDITING is set to false
606 * Changed: drop some unnecessary translations
607 * Changed: WP version test uses options for better persistence
608
609 = 6.0.12 =
610 * Fixed: multisite admin username test uses correct database prefix
611 * Changed: allow submenu in back-end react application
612 * Changed: skip value update when no change has been made
613 * Changed: no redirect on dismiss of admin notice
614 * Changed: remove obsolete warning
615 * Changed: qtranslate support on settings page
616
617 = 6.0.11 =
618 * Fixed: login check works when HTTP_X_WP_NONCE unavailable
619 * Fixed: admin notices now dismiss immediately
620
621 = 6.0.10 =
622 * Fixed: Apache 2.4 compatibility for upload directory code blocking
623 * Fixed: Varnish cache compatibility for REST API requests
624 * Fixed: manage_security capability added for upgraded users
625 * Fixed: allow for custom rest api prefixes
626 * Fixed: Let's Encrypt DNS verification save and action issues
627 * Fixed: REST API error handling prevents blank settings page
628 * Changed: simplify user enumeration test
629 * Changed: catch unexpected response in SSL Labs object
630 * Changed: z-index on onboarding modal on smaller screen sizes
631 * Changed: hide username field if no admin username is present
632
633 = 6.0.9 =
634 * Fixed: incorrectly disabled email field in Let's Encrypt wizard
635 * Changed: on rename admin user, catch existing username, and strange characters
636 * Changed: catch openBaseDir restriction in cpanel detection function
637 * Changed: removed 6.0 update notices from subsites
638
639 = 6.0.8 =
640 * Changed: Let's Encrypt wizard CSS styling
641 * Changed: re-add link to article about Let's Encrypt
642 * Changed: let user choose a new username when selecting "rename admin user"
643
644 = 6.0.7 =
645 * Fixed: restricted .htaccess rewrite to prevent plugin conflicts
646
647 = 6.0.6 =
648 * Fixed: drop upgrade of .htaccess file in upgrade script
649
650 = 6.0.5 =
651 * Fixed: .htaccess race condition with simultaneous updates
652
653 = 6.0.4 =
654 * Fixed: .htaccess redirect compatibility with upload code blocking
655 * Fixed: deactivation now fully removes wp-config.php changes
656
657 = 6.0.3 =
658 * Fixed: Rest Optimizer no longer deactivates other plugins
659
660 = 6.0.2 =
661 * Fixed: do not show WP_DEBUG_DISPLAY notice if WP_DEBUG is false
662 * Fixed: empty cron schedule
663 * Fixed: auto installer used function not defined yet
664 * Fixed: rest api optimizer causing an error in some cases
665 * Changed: several typos and string improvements
666
667 = 6.0.1 =
668 * Fixed: translations not loading for scripts
669
670 = 6.0.0 =
671 * Added: Server Health Check - powered by SSLLabs
672 * Added: WordPress Hardening Features
673 * Changed: User Interface
674 * Changed: Tested up to WordPress 6.1.0
675
676 == Upgrade notice ==
677 On settings page load, the .htaccess file is no rewritten. If you have made .htaccess customizations to the RSSSL block and have not blocked the plugin from editing it, do so before upgrading.
678 Always back up before any upgrade, especially .htaccess, wp-config.php and the plugin folder. This way you can easily roll back.
679
680 == Screenshots ==
681 1. The Really Simple Security Dashboard provides a quick security overview.
682 2. Enable or enforce 2FA per user role.
683 3. Stay ahead of plugin, theme and WP core vulnerabilities.
684 4. Harden your site’s security with Basic Hardening features.
685 5. 1-minute configuration with the short security onboarding.