Released on: Monday, 07 January 2019 15:54
Official support for ClassicPress 1.x. We now officially support ClassicPress on top of WordPress. Both CMS are supported by the same plugin. Detection is automatic.
Show update status in Admin Tools' Control Panel page. This is on top of the update showing in WordPress' Plugins and Updates pages. This should serve as a secondary reminder. Moreover, you can forcibly reload the update information with a button on that page.
Option to disable XML-RPC services. We added a feature in Web Application Firewall, Hardening options to disable the XML-RPC service. Please note that if you activate this option the xmlrpc.php file on your site will still be accessible. However, it will always report error 405 no matter what you try to do with it. This is enough to protect against security issues affecting the XML-RPC API.
Mark All as Safe button in the Malware Scanner report viewer. This is useful when running the Malware Scanner immediately after updating WordPress or its plugins.
Language polishing. We improved the language strings for some features to remove confusion and typos.
Easier manual deactivation of the WAF using FTP or the hosting File Manager when you need to unblock yourself.. You just need to rename one file, not three. This prevents a lot of confusion and makes it easier to regain control of your site if you're accidentally locked out.
Bug fixes. We have addressed some known issues with our software. Please consult the CHANGELOG.
While our software should run on any WordPress version newer than 3.8 (with several features only working fully or at all on WordPress 4.4 and later) we VERY STRONGLY recommend using the latest version of WordPress only. Newer versions of WordPress address security issues which can not be guarded against through a web application firewall / security plugin. Moreover, newer WordPress versions address bugs and features which by themselves are not security issues but can be used to facilitate the compromise of a site. For example, support for the UTF8MB4 character code may have been billed as “Emoji support” but, in fact, addresses a whole class of very sinister database attacks, hinging on the way MySQL quashes extended characters in plain UTF8 mode, which are impossible to address in a generic firewall.
In short: trying to have a secure site with old code that contains known vulnerabilities is an exercise in futility. Do the smart thing, update WordPress first, then use a security plugin to tighten your security.
We only officially support using our software with PHP 5.6, 7.0, 7.1, 7.2 or 7.3. We strongly advise you to run the latest available version of PHP on a branch currently maintained by the PHP project for security reasons. Older versions of PHP have known major security issues which are being actively exploited to hack sites and they have stopped receiving security updates, leaving you exposed to these issues.
Our software should still run on PHP 5.4 and 5.5. However, we do not test with these versions and we no longer treat breaking support for these obsolete PHP versions of PHP as a bug.
HEADS UP! We will completely remove support for older PHP versions in the coming months.
Disclaimer: this is not a legal advisory. Please consult your lawyer if you are unsure.
On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) came into effect. We have been asked about how Admin Tools complies with it a few times. The following is our understanding of it but it does not constitute legal advice of any kind.
While storing IP information may be considered personally identifiable information, the GDPR makes an exception for IP information stored in the context of security. As such the Admin Tools' security exceptions log and related IP whitelist, IP blacklist, automatic IP blocks and automatic IP blocks history is outside the scope of personal data protection.
Text log files may, however, contain privileged information as they capture the entirety of the request sent by the user to your site. We therefore recommend that you DISABLE the "Keep a debug log file" option in the Configure WAF page. Please note that by default the logs directory is under your web root but made inaccessible over the web using a .htaccess file. If you are not using the Apache web server or your host has disabled .htaccess files you should not use this feature except when debugging your site and you should delete the logs afterwards.
Furthermore, the GDPR calls for data minimization. To comply with this requirement we urge you to set the "Maximum security exceptions log entries" option to a non-zero value in the Plugin Options page. Typically, a value of 1000 to 10000 provides a good balance between data minimization and security.
The Project Honeypot and "Warn about use of well-known passwords" features do transmit information to third parties. However, this information is anonymous and should, therefore, fall outside the scope of the GDPR.