Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) v9.5.9
readme.txt
1 === Really Simple Security - Simple and Performant Security (formerly Really Simple SSL) ===
2 Contributors: RogierLankhorst, markwolters, hesseldejong, vicocotea, marcelsanting, janwoostendorp, wimbraam
3 Donate link: https://www.paypal.me/reallysimplessl
4 Tags: security, https, 2fa, vulnerabilities, two factor
5 Requires at least: 6.6
6 License: GPL2
7 Tested up to: 6.9
8 Requires PHP: 7.4
9 Stable tag: 9.5.9
10
11 Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
12
13 == Description ==
14
15 === Really simple, Effective and Performant WordPress Security ===
16 Really Simple Security is the most lightweight and easy-to-use security plugin for WordPress. It secures your WordPress website with SSL certificate generation, including proper 301 https redirection and SSL enforcement, scanning for possible vulnerabilities, Login Protection and implementing essential WordPress hardening features.
17
18 We believe that security should have the absolute minimum effect on website performance, user experience and maintainability. Therefore, Really Simple Security is:
19
20 * **Lightweight:** Every security feature is developed with a modular approach and with performance in mind. Disabled features won't load any redundant code.
21 * **Easy-to-use:** 1-minute configuration with short onboarding setup.
22
23 === Security Features ===
24
25 = Easy SSL Migration =
26 Migrates your website to HTTPS and enforces SSL in just one click.
27
28 * 301 redirect via PHP or .htaccess
29 * Secure cookies
30 * Let's Encrypt: Install an SSL Certificate if your hosting provider supports manual installation.
31 * Server Health Check: Your server configuration is every bit as important for your website security.
32
33 = WordPress Hardening =
34 Tweak your configuration and keep WordPress fortified and safe by tackling potential weaknesses.
35
36 * Prevent code execution in the uploads folder
37 * Prevent login feedback and disable user enumeration
38 * Disable XML-RPC
39 * Disable directory browsing
40 * Username restrictions (block 'admin' and public names)
41 * and much more.
42
43 = Vulnerability Detection =
44 Get notified when plugins, themes or WP core contain vulnerabilities and need appropriate action.
45
46 = Login Protection =
47 Allow or enforce Two-Factor Authentication (2FA) for specific user roles. Users receive a two-factor code via Email.
48
49 === Improve Security with Really Simple Security Pro ===
50 [Protect your site with all essential security features by upgrading to Really Simple Security Pro.](https://really-simple-ssl.com/)
51
52 = Advanced SSL enforcement =
53 * Mixed Content Scan & Fixer. Detect files that are requested over HTTP and fix them to HTTPS, both Front- and Back-end.
54 * Enable HTTP Strict Transport Security and configure your site for the HSTS Preload list.
55
56 = Firewall =
57 Really Simple Security Pro includes a performant and efficient WordPress firewall, to stop bots, crawlers and bad actors with IP and username blocks.
58
59 * 404 blocking - Blocks crawlers as they trigger unusual numbers of 404 errors.
60 * Region blocking - Only allow/block access to your site from specific regions.
61 * Automated and customisable Firewall rules.
62 * IP blocklist and allowlist.
63
64 = Security Headers =
65 Security headers protect your site visitors against the risk of clickjacking, cross-site-forgery attacks, stealing login credentials and malware.
66
67 * Independent of your Server Configuration, works on Apache, LiteSpeed, NGINX, etc.
68 * Protect your website visitors with X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, a Referrer Policy and CORS headers.
69 * Automatically generate your WordPress-tailored Content Security Policy.
70
71 = Vulnerability Measures =
72 When a vulnerability is detected in a plugin, theme or WordPress core you will get notified accordingly. With Vulnerability Measures, you can configure simple but effective measures to make sure that a critical vulnerability won't remain unattended.
73
74 * Force update: An update process will be tried multiple times until it can be assumed development of a theme or plugin is abandoned. You will be notified during these steps.
75 * Quarantine: When a plugin or theme can't be updated to solve a vulnerability, Really Simple Security can quarantine the plugin.
76
77 = Advanced Site Hardening =
78 * Choose a custom login URL
79 * Automated File Permissions check and fixer
80 * Rename and randomize your database prefix
81 * Change the debug.log file location to a non-public folder
82 * Disable application passwords
83 * Control admin creation
84 * Disable HTTP methods, reducing HTTP requests
85
86 = Login Protection =
87 Secure your website's login process and user accounts with powerful security measures.
88
89 * Two-Step verification (Email login)
90 * 2FA (two factor authentication) with TOTP
91 * Passwordless login with passkey login
92 * Enforce strong passwords and frequent password change
93 * Limit Login Attempts
94
95 With Limit Login Attempts you can configure a threshold to temporarily or permanently block IP addresses or (non-existing) usernames. You can also present a CAPTCHA after a failed login (hCaptcha or Google reCAPTCHA).
96
97 = Access Control =
98 * Restrict access to your site for specific regions.
99 * Add specific IP addresses or IP ranges to the Blocklist or Allowlist.
100
101 == Useful Links ==
102 * [Documentation](https://really-simple-ssl.com/knowledge-base-overview/)
103 * [Security Definitions](https://really-simple-ssl.com/definitions/)
104 * [Translate Really Simple Security](https://translate.wordpress.org/projects/wp-plugins/really-simple-ssl)
105 * [Issues & pull requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/issues)
106 * [Feature requests](https://github.com/Really-Simple-Plugins/really-simple-ssl/labels/feature%20request)
107
108 == Love Really Simple Security? ==
109 If you want to support the continuing development of this plugin, please consider buying [Really Simple Security Pro](https://www.really-simple-ssl.com/pro/), which includes some excellent security features and premium support.
110
111 == About Really Simple Plugins ==
112 Our mission is to make complex WordPress requirements really easy. Really Simple Security is developed by [Really Simple Plugins](https://www.really-simple-ssl.com/about-us).
113
114 For generating SSL certificates, Really Simple Security uses the [le acme2 PHP](https://github.com/fbett/le-acme2-php/) Let's Encrypt client library, thanks to 'fbett' for providing it. Vulnerability Detection uses WP Vulnerability, an open-source initiative by Javier Casares. Want to join as a collaborator? We're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl) as well!
115
116 == Installation ==
117 To install this plugin:
118
119 1. Make a backup! See [our recommendations](https://really-simple-ssl.com/knowledge-base/backing-up-your-site/).
120 2. Download the plugin.
121 3. Upload the plugin to the /wp-content/plugins/ directory.
122 4. Go to "Plugins" in your WordPress admin, then click "Activate".
123 5. You will now see the Really Simple Security onboarding process, to quickly help you through the configuration process.
124
125 == Frequently Asked Questions ==
126 = Knowledge Base =
127 For more detailed explanations and documentation on all Really Simple Security features, please search the [Knowledge Base](https://www.really-simple-ssl.com/knowledge-base/)
128
129 = What happened with Really Simple SSL? =
130 All features that made Really Simple SSL the most powerful and easy-to-use SSL generation and redirect plugin are still part of Really Simple Security. The plugin is developed with a modular approach: if you don't want to use the full set of security features, the unused code will not be loaded and won't have any effect on your site's performance.
131
132 = Why Really Simple Security? =
133 In our experience, security solutions for WordPress are often hard to configure, trigger many false positives and have a significant impact on site performance. We have been receiving requests from our users to simplify WordPress security for years, so that has become our mission!
134
135 = I want to share my feedback or contribute to Really Simple Security =
136 You couldn't make us happier! Really Simple Security is GPL licensed and co-created by the WordPress community. All feedback is highly appreciated and has always helped us to better understand users' needs. For code contributions or suggestions, we're on [GitHub](https://github.com/really-simple-plugins/really-simple-ssl). For suggestions, please [open a support ticket](https://wordpress.org/support/plugin/really-simple-ssl/). You can also express your appreciation by [leaving a review](https://wordpress.org/support/plugin/really-simple-ssl/reviews/).
137
138 = What are Mixed Content issues? =
139 Most mixed content issues are caused by URLs in CSS or JS files. For detailed instructions on how to find mixed content read this [article](https://really-simple-ssl.com/knowledge-base/how-to-track-down-mixed-content-or-insecure-content/).
140
141 = Generating a Let's Encrypt SSL Certificate =
142 We added the possibility to generate a Free SSL Certificate with Let's Encrypt in our Really Simple Security Wizard. We have an updated list available for all possible integrations [here](https://really-simple-ssl.com/install-ssl-certificate/). Please leave feedback about another integration or incorrect information, or if you need help.
143
144 = How do I fix a redirect loop? =
145 If you are experiencing redirect loops on your site, try these [instructions](https://really-simple-ssl.com/knowledge-base/my-website-is-in-a-redirect-loop/). This can sometimes happen during the migration to HTTPS or due to conflicting redirect rules.
146
147 = Is the plugin multisite compatible? =
148 Yes. There is a dedicated network settings page where you can control settings for your entire network, at once.
149
150 = How do I enforce strong passwords? =
151 Under Login Protection, you can configure minimum strength settings and require users to change their passwords after a defined interval. Disabling weak password usage is a best practice.
152
153 = How can I change my login URL? =
154 You can set a custom login URL under Advanced Site Hardening, which helps prevent brute force login attacks and bots targeting wp-login.php.
155
156 = Does this plugin redirect HTTP to HTTPS? =
157 Yes. The plugin enforces HTTPS and handles all necessary redirects, optionally using .htaccess or PHP.
158
159 = Can I use Really Simple Security alongside Wordfence? =
160 Really Simple Security and Wordfence greatly overlap in terms of functionality. If you would like to use specific features from both plugins, we strongly recommend not enabling similar features twice. The benefit of Really Simple Security is that disabled features don't load any code, so they won't have an impact on site performance.
161
162 == Changelog ==
163 = 9.5.9 - 2026-03-31 =
164 * Changed: Reworked vulnerability detection and measures logic.
165
166 = 9.5.8 - 2026-02-26 =
167 * Fixed: Prevent using "Do Not Ask Again" for user roles where 2FA is required.
168 * Fixed: Resolved an issue where "Prevent login feedback" could show a ghost username on the login retry screen.
169 * Fixed: Prevented "Failed to send buffer of zlib output compression" notices when using the Mixed Content Fixer with zlib.output_compression enabled.
170 * Changed: Updated review notice text.
171
172 = 9.5.7 - 2026-02-10 =
173 * Fixed: scenario where users were stuck after an expired 2FA grace period due to missing authentication methods.
174 * Changed: Email 2FA user experience by making Enter submit the verification code instead of resending it.
175 * Changed: Simplified service bootstrapping by removing the Provider layer and registering all services directly in the App container.
176
177 = 9.5.6 - 2025-01-20 =
178 * Fixed: 2FA users list not displaying all users
179 * Fixed: Cloudflare cache not clearing after SSL activation
180 * Changed: improved deactivation process
181
182 = 9.5.6 - 2025-12-16 =
183 * Fixed: JavaScript error when using custom roles with 2FA
184 * Fixed: fatal error caused by hosts class being instantiated twice
185 * Fixed: fatal error when upgrading from older plugin versions
186 * Fixed: WP-CLI activate_ssl command now works correctly on first attempt
187 * Changed: removed two unused files from the plugin
188 * Changed: updated readme to align with standards
189
190 = 9.5.4 - 2025-11-18 =
191 * Fixed: 2FA login error when user has no assigned roles
192 * Fixed: fatal error when wp-config.php path is empty
193 * Changed: added file locking to .htaccess and wp-config.php to prevent race conditions
194 * Changed: clarified .htaccess directory indexing comment
195 * Changed: replaced site_url() with home_url() in the 404 resource check on the homepage
196 * Changed: security functions now skip cron jobs and CLI environments
197 * Changed: Let's Encrypt wizard final step now shows only SSL activation button
198 * Changed: added a license.txt file
199
200 = 9.5.3.1 =
201 * Fixed: WP-CLI commands not working correctly
202
203 = 9.5.3 =
204 * Fixed: text domain loaded too early warning from unused translation
205 * Fixed: deactivation modal now always displays
206 * Changed: refactored the onboarding code
207
208 = 9.5.2.3 =
209 * Fixed: 2FA reset now correctly calls the 2FA reset service
210
211 = 9.5.2.2 =
212 * Fixed: 2FA TypeError when updating from older plugin versions
213
214 = 9.5.2 =
215 * Fixed: all users will now appear in the 2FA list
216 * Fixed: tasks will now always display on multisite
217 * Changed: activate_ssl WP-CLI command supports --force to skip confirmation
218
219 = 9.5.1 =
220 * Fixed: missing getmyuid function check to prevent errors
221 * Fixed: Right-To-Left CSS now works correctly when SCRIPT_DEBUG is enabled
222 * Changed: standardized REST namespaces to really-simple-security
223
224 = 9.5.0.2 =
225 * Fixed: prevent empty content from being written into .htaccess
226
227 = 9.5.0.1 =
228 * Fixed: .htaccess protected from empty overwrites, auto-creation requires filter opt-in
229
230 = 9.5.0 =
231 * Fixed: whitelisted LiteSpeed Cache crawler in .htaccess to prevent redirect issues
232 * Fixed: 2FA grace period email logic to avoid reminders to users with active 2FA
233 * Fixed: updated hosting provider name from "XXL Hosting" to "Superspace"
234 * Changed: reworked .htaccess handling with insert_with_markers and WP Rocket integration
235 * Changed: SBOM added to plugin
236 * Changed: improved text consistency and updated geopolitical terminology
237
238 = 9.4.3 =
239 * Fixed: user ID could be empty in 2FA
240 * Fixed: learn more button in vulnerability email now links to correct page
241 * Fixed: rsssl_user_can_manage undefined error when downloading system status
242 * Changed: improved compatibility with plain permalinks
243 * Changed: updated links in the plugin
244
245 = 9.4.2 =
246 * Fixed: .htaccess redirect requirements for subfolder configurations
247 * Fixed: re-send email button on 2FA page now shows confirmation message
248 * Fixed: restored SCSS files
249 * Fixed: plugin kept redirecting to settings page after activation
250 * Changed: updated plugin installation via onboarding and dashboard page
251 * Changed: added notice with option to force verify email address
252 * Changed: updated minimum WordPress version to 6.6
253
254 = 9.4.1 =
255 * Fixed: text domain loaded too early warning
256
257 = 9.4.0 =
258 * Fixed: plugin initialization timing to prevent textdomain warning
259 * Fixed: feedback when email is resent during 2FA setup
260 * Fixed: Single Sign On link now supports custom login URLs
261 * Added: SimplyBook in onboarding and other plugins sections
262 * Changed: more detailed feedback when using CLI commands
263 * Changed: detect EXTENDIFY_PARTNER_ID and run activate_recommended_features
264 * Changed: standardized onboarding hoster list to brand names
265 * Changed: user enumeration now returns 401 instead of 404
266
267 = 9.3.5 - 2025-04-29 =
268 * Fixed: 2FA methods can now be set on profile page
269 * Changed: tested up to WordPress 6.8
270 * Changed: translation updates
271 * Changed: check for autoloader in cron
272
273 = 9.3.3 - 2025-04-02 =
274 * Changed: added multiple WP-CLI commands to align with recent plugin features
275 * Changed: added support for custom/multiple roles in Two Factor Authentication
276
277 = 9.3.2.1 - 2025-03-20 =
278 * Fixed: properly handle unknown plugins in upgrade requests
279
280 = 9.3.2 - 2025-03-05 =
281 * Fixed: removed default checkbox behavior from configuration settings
282 * Fixed: handle multiple tooltip reasons for disabled select fields
283 * Changed: added filters to customize Let's Encrypt Wizard behavior
284
285 = 9.3.1 - 2025-02-12 =
286 * Fixed: all instruction links are now correct
287 * Fixed: undefined array key "m" when showing vulnerability details
288 * Fixed: prevent errors when downgrading to free
289 * Fixed: 2FA compatibility with JetPack WordPress.com login
290 * Changed: email functions require verified email address
291
292 = 9.2.0 - 2025-01-20 =
293 * Fixed: added nonce check to certificate re-check button
294 * Fixed: review notice was not properly dismissible in some cases
295
296 = 9.1.4 =
297 * Fixed: shields in UI datatables no longer cut off
298 * Changed: do not track 404s for logged in users
299 * Changed: implemented rsssl_wpconfig_path filter in all wp-config functions
300 * Changed: faster onboarding completion after clicking Finish button
301
302 = 9.1.3 - 2024-11-28 =
303 * Fixed: remove duplicate site URL
304 * Fixed: rsssl_sanitize_uri_value() now always returns a string
305 * Fixed: multisite 2FA role enforcement for users with multiple roles
306 * Fixed: Skip Onboarding button undefined page with email method
307 * Fixed: translation loading updated for WordPress 6.7
308 * Changed: improved 2FA lockout notice
309 * Changed: catch use of short init in advanced-headers file
310 * Changed: string improvements and translator comments
311 * Changed: Bitnami support for rsssl_find_wordpress_base_path()
312 * Changed: integrate Site Health notifications with Solid Security
313 * Changed: enhanced random password generation in Rename Admin User
314 * Changed: always return string in wpconfig_path() function
315
316 = 9.1.2 =
317 * Security: authentication bypass fix
318
319 = 9.1.1.1 - 2024-11-05 =
320 * Fixed: 2FA grace period was kept active after a reset
321
322 = 9.1.1 - 2024-10-30 =
323 * Fixed: 2FA grace period kept active after reset
324 * Changed: safe-mode.lock file deactivates Firewall, 2FA and LLA for debugging
325 * Changed: update to system status
326 * Changed: textual changes
327 * Changed: updated instructions URLs
328 * Changed: site health notices changed from critical to recommended
329 * Changed: dropped obsolete react library
330
331 = 9.1.0 - 2024-10-22 =
332 * Fixed: prevent potential errors with login feedback
333 * Fixed: catch type error when $transients is not an array
334 * Changed: allow scanning for security headers via scan.really-simple-ssl.com
335 * Changed: remove unnecessary rsssl_update_option calls
336
337 = 9.0.2 =
338 * Fixed: issue with deactivating 2FA
339
340 = 9.0.0 - 2024-09-16 =
341 * Fixed: instructions URL in the Firewall settings
342 * Fixed: incorrect instructions URL
343 * Fixed: Let's Encrypt returning old certificate on auto-renewed certificates
344 * Changed: dropped X-Frame-Options header in favor of frame-ancestors
345 * Changed: save and continue in vulnerabilities overview not working correctly
346
347 = 8.3.0.1 =
348 * Fixed: issues with the decryption model
349
350 = 8.3.0 - 2024-08-12 =
351 * Fixed: some strings were not translatable
352 * Fixed: premium support link did not work
353 * Fixed: links in emails were sometimes incorrect
354 * Fixed: fatal error on permission detection
355 * Added: password security scan detects weak and compromised passwords
356 * Changed: disable cron schedules on deactivation
357 * Changed: custom license check header improves hosting compatibility
358 * Changed: added option to disable X-powered-by header
359 * Changed: new improved encryption method for some settings
360
361 = 8.1.5 - 2024-06-21 =
362 * Fixed: documentation links to website broken
363 * Changed: some text changes in helptexts
364 * Changed: new structure to upgrade database tables
365
366 = 8.1.4 - 2024-06-11 =
367 * Fixed: cookie expiration change not loading
368 * Fixed: Visual Composer compatibility with Enforce Strong Password
369 * Fixed: multiple CloudFlare detected notices in onboarding
370 * Fixed: checkbox position in onboarding
371 * Changed: dropdown in onboarding not entirely visible
372 * Changed: styling of locked XML RPC overview
373
374 = 8.1.3 - 2024-05-16 =
375 * Fixed: WP Rocket compatibility when advanced-headers.php does not exist
376
377 = 8.1.2 - 2024-05-16 =
378 * Fixed: advanced-headers.php now supports early inclusion
379
380 = 8.1.1 - 2024-05-14 =
381 * Fixed: upgrade from <6.0 to >8.0 causing fatal error
382 * Fixed: URL to details of detected vulnerabilities was incorrect
383 * Added: detection of non-recommended permissions on files
384 * Added: configure region restrictions for your site
385 * Changed: textual change on premium overlay
386 * Changed: upgraded minimum required PHP version to 7.4
387 * Changed: compatibility with Bitnami
388 * Changed: compatibility of Limit Login Attempts with WooCommerce
389 * Changed: remove duplicate X-Really-Simple-SSL-Test from advanced-headers-test.php
390 * Changed: clear notice about .htaccess writable if do_not_edit_htaccess is enabled
391
392 = 8.1.0 =
393 * Fixed: show 'self' as default in Frame Ancestors
394 * Added: Limit Login Attempts Captcha integration
395 * Changed: some string corrections
396 * Changed: catch not existing rsssl_version_compare
397 * Changed: check for openSSL module existence
398 * Changed: set default empty array for options, for legacy upgrades
399 * Changed: disable custom login URL when plain permalinks are enabled
400 * Changed: drop renamed folder notice, not needed anymore
401 * Changed: enable advanced headers in onboarding
402 * Changed: is_object check in updater
403
404 = 8.0.1 =
405 * Fixed: enable 2FA during onboarding when not selected by user
406 * Fixed: upgrading to Pro preserves settings when clear on deactivation enabled
407 * Fixed: catch several array key not existing errors
408 * Changed: better CSP defaults
409
410 = 8.0.0 =
411 * Added: hide remember me checkbox
412 * Added: extend blocking of malicious admin creation to multisite
413 * Changed: drop prefetch-src from Content Security Policy
414 * Changed: disable two-fa when login protection is disabled
415
416 = 7.2.8 =
417 * Fixed: clear cron schedules on deactivation
418 * Changed: translations update
419 * Changed: info notice about automatic free and pro plugin merge
420
421 = 7.2.7 =
422 * Changed: added integration with FlyingPress and Fastest Cache
423 * Changed: fix exiting a filter, causing compatibility issue with BuddyPress
424
425 = 7.2.6 =
426 * Fixed: custom 404 pages with custom login URL
427 * Added: option to limit login cookie expiration time
428 * Changed: text changes
429 * Changed: CSS on login error message
430 * Changed: header detection improved by checking the last URL in redirect chain
431
432 = 7.2.5 =
433 * Fixed: IP detection header order
434 * Fixed: table creation on activation of LLA module
435
436 = 7.2.4 =
437 * Fixed: PHP warning in Password Security module
438 * Fixed: change login URL feature not working with password protected pages
439 * Changed: move database table creation to Limit Login Attempts module
440 * Changed: prevent PHP error caused by debug.log file hardening feature
441
442 = 7.2.3 =
443 * Fixed: CSP data not showing in datatable
444
445 = 7.2.2 =
446 * Changed: improved check for PharData class
447
448 = 7.2.1 =
449 * Fixed: config for CSP preventing Learning mode from completing
450 * Fixed: datatable styling
451 * Fixed: using deactivate_https with WP-CLI did not remove htaccess rules
452 * Changed: add query parameter to enforce email verification
453 * Changed: CSS for check certificate manually button
454
455 = 7.2.0 =
456 * Fixed: changed link to article
457 * Fixed: remove flags .js file which was added twice
458 * Fixed: typo in missing advanced-headers.php notice
459 * Changed: catch PHP warning when script src is empty when using hide WP version
460 * Changed: new save & continue feedback
461 * Changed: datatable styling
462 * Changed: new react based modal
463 * Changed: menu re-structured
464 * Changed: re-check vulnerability status after core update
465 * Changed: vulnerability notification emails now link to specific details
466
467 = 7.1.3 - 2023-10-11 =
468 * Fixed: React ErrorBoundary preventing Let's Encrypt generation to complete
469
470 = 7.1.2 - 2023-10-06 =
471 * Fixed: hook change in integrations loader causing modules not to load
472
473 = 7.1.1 - 2023-10-05 =
474 * Fixed: incorrect function usage
475
476 = 7.1.0 - 2023-10-04 =
477 * Changed: detection if advanced-headers.php file is running
478
479 = 7.0.9 - 2023-09-05 =
480 * Changed: typo update word
481 * Changed: translatability in several strings
482
483 = 7.0.8 - 2023-08-08 =
484 * Fixed: handling of legacy options in PHP 8.1
485 * Fixed: count remaining tasks
486 * Changed: WordPress tested up to 6.3
487 * Changed: improve file existence check json
488
489 = 7.0.7 - 2023-07-25 =
490 * Fixed: handling of legacy options in PHP 8.1
491 * Fixed: prevent issues with CloudFlare when submitting support form
492 * Fixed: translations singular/plural for Japanese translations
493 * Changed: modal icon placement in wizard on smaller screens
494 * Changed: expire cached detected headers five minutes after saving settings
495
496 = 7.0.6 - 2023-07-04 =
497 * Fixed: translations not loading for chunked react components
498 * Changed: support custom wp-content directory in advanced-headers.php
499 * Changed: prevent usage of subdirectories in custom login URL
500 * Changed: added manual vulnerability recheck parameter
501
502 = 7.0.5 =
503 * Fixed: reverted redirect method to fix non-www site login issues
504
505 = 7.0.4 - 2023-06-14 =
506 * Fixed: feedback on hardening features enable action not showing as enabled
507 * Changed: notice informing about the new free vulnerability detection feature
508 * Changed: improved the PHP redirect method
509 * Changed: make the wp-config.php not writable notice dismissable
510
511 = 7.0.3 =
512 * Fixed: fix false positives on some plugins
513 * Changed: vulnerability notifications in site health, if notifications are enabled
514
515 = 7.0.2 =
516 * Changed: improve matching precision on plugins with vulnerabilities
517
518 = 7.0.1 =
519 * Fixed: REST API ajax fallback now works correctly
520
521 = 7.0.0 =
522 * Added: Vulnerability Detection (Beta)
523 * Changed: move onboarding rest api to do_action rest_route
524 * Changed: catch several edge situations in SSL Labs api
525 * Changed: SSL Labs block responsiveness
526 * Changed: more robust handling of wp-config.php detection
527
528 = 6.3.0 =
529 * Changed: added support for the new Let's Encrypt staging environment
530
531 = 6.2.5 =
532 * Fixed: capability mismatch in multisite
533 * Changed: add warning alert option
534
535 = 6.2.4 =
536 * Fixed: catch non array value from notices array
537 * Fixed: typo in documentation link
538 * Changed: optionally enable notification emails in onboarding wizard
539 * Changed: onboarding styling
540
541 = 6.2.3 =
542 * Changed: back-end react to functional components
543 * Changed: multisite notice should link to network admin page
544 * Changed: detect existing CAA records to check Let's Encrypt compatibility
545 * Changed: tested up to WP 6.2
546 * Changed: UX improvement learning mode
547
548 = 6.2.2 =
549 * Fixed: capability mismatch for non-administrator in multisite admin
550
551 = 6.2.1 =
552 * Fixed: race condition when activating SSL through WP-CLI
553 * Fixed: missing disabled state in textarea and checkboxes
554 * Fixed: some strings not translatable
555 * Fixed: Let's Encrypt renewal with add on
556 * Changed: permissions check re-structuring
557 * Changed: notice on subsite within multisite environment about wildcard updated
558
559 = 6.2.0 =
560 * Added: optional email notifications on advanced settings
561 * Changed: added tooltips
562 * Changed: added warnings for .htaccess redirect
563 * Changed: don't send user email change on renaming admin user
564 * Changed: use BASEPATH only for wp-load.php, symlinked folders load based on ABSPATH
565 * Changed: improved support for environments where Rest API is blocked
566
567 = 6.1.1 =
568 * Fixed: WP-CLI SSL activation fix when site not visited before
569 * Changed: prevent 'undefined' status showing up in api calls on settings page
570 * Changed: notice for incompatible Let's Encrypt shell add-on versions
571
572 = 6.1.0 =
573 * Fixed: empty menu item visible in Let's Encrypt menu
574 * Changed: some UX changes
575 * Changed: limit number of notices in the dashboard
576 * Changed: load rest api request URL over https if website is loaded over https
577
578 = 6.0.14 =
579 * Fixed: settings page when using plain permalinks
580
581 = 6.0.13 =
582 * Fixed: CSS for blue labels in progress dashboard below 1080px
583 * Fixed: WP-CLI SSL activation not working due to capability checks
584 * Fixed: catch invalid account error in Let's Encrypt generation
585 * Fixed: do not block user enumeration for gutenberg
586 * Changed: improve method of dropping empty menu items in settings dashboard
587 * Changed: dynamic links in auto installer
588 * Changed: change rest_api method to core wp apiFetch()
589 * Changed: scroll highlighted setting into view after clicking "fix" on a task
590 * Changed: HTTP method tests run in batches to prevent CURL timeouts
591 * Changed: clean up code-execution.php file after test
592 * Changed: notification when DISABLE_FILE_EDITING is set to false
593 * Changed: drop some unnecessary translations
594 * Changed: WP version test uses options for better persistence
595
596 = 6.0.12 =
597 * Fixed: multisite admin username test uses correct database prefix
598 * Changed: allow submenu in back-end react application
599 * Changed: skip value update when no change has been made
600 * Changed: no redirect on dismiss of admin notice
601 * Changed: remove obsolete warning
602 * Changed: qtranslate support on settings page
603
604 = 6.0.11 =
605 * Fixed: login check works when HTTP_X_WP_NONCE unavailable
606 * Fixed: admin notices now dismiss immediately
607
608 = 6.0.10 =
609 * Fixed: Apache 2.4 compatibility for upload directory code blocking
610 * Fixed: Varnish cache compatibility for REST API requests
611 * Fixed: manage_security capability added for upgraded users
612 * Fixed: allow for custom rest api prefixes
613 * Fixed: Let's Encrypt DNS verification save and action issues
614 * Fixed: REST API error handling prevents blank settings page
615 * Changed: simplify user enumeration test
616 * Changed: catch unexpected response in SSL Labs object
617 * Changed: z-index on onboarding modal on smaller screen sizes
618 * Changed: hide username field if no admin username is present
619
620 = 6.0.9 =
621 * Fixed: incorrectly disabled email field in Let's Encrypt wizard
622 * Changed: on rename admin user, catch existing username, and strange characters
623 * Changed: catch openBaseDir restriction in cpanel detection function
624 * Changed: removed 6.0 update notices from subsites
625
626 = 6.0.8 =
627 * Changed: Let's Encrypt wizard CSS styling
628 * Changed: re-add link to article about Let's Encrypt
629 * Changed: let user choose a new username when selecting "rename admin user"
630
631 = 6.0.7 =
632 * Fixed: restricted .htaccess rewrite to prevent plugin conflicts
633
634 = 6.0.6 =
635 * Fixed: drop upgrade of .htaccess file in upgrade script
636
637 = 6.0.5 =
638 * Fixed: .htaccess race condition with simultaneous updates
639
640 = 6.0.4 =
641 * Fixed: .htaccess redirect compatibility with upload code blocking
642 * Fixed: deactivation now fully removes wp-config.php changes
643
644 = 6.0.3 =
645 * Fixed: Rest Optimizer no longer deactivates other plugins
646
647 = 6.0.2 =
648 * Fixed: do not show WP_DEBUG_DISPLAY notice if WP_DEBUG is false
649 * Fixed: empty cron schedule
650 * Fixed: auto installer used function not defined yet
651 * Fixed: rest api optimizer causing an error in some cases
652 * Changed: several typos and string improvements
653
654 = 6.0.1 =
655 * Fixed: translations not loading for scripts
656
657 = 6.0.0 =
658 * Added: Server Health Check - powered by SSLLabs
659 * Added: WordPress Hardening Features
660 * Changed: User Interface
661 * Changed: Tested up to WordPress 6.1.0
662
663 == Upgrade notice ==
664 On settings page load, the .htaccess file is now rewritten. If you have made .htaccess customizations to the RSSSL block and have not blocked the plugin from editing it, do so before upgrading.
665 Always back up before any upgrade, especially .htaccess, wp-config.php and the plugin folder. This way you can easily roll back.
666
667 == Screenshots ==
668 1. The Really Simple Security Dashboard provides a quick security overview.
669 2. Enable or enforce 2FA per user role.
670 3. Stay ahead of plugin, theme and WP core vulnerabilities.
671 4. Harden your site’s security with Basic Hardening features.
672 5. 1-minute configuration with the short security onboarding.