Released on: Tuesday, 25 September 2018 04:33
Third public beta. This is the third beta release of Admin Tools for WordPress. Beta releases have undergone initial quality assurance but may still contain bugs. This release fixes known issues found in the earlier beta releases. Please report any issues you run into with this version.
The PHPShield feature now blocks additional PHP stream wrappers. This offers better protection for your site.
Check passwords against a leaked-passwords database. This can be optionally enabled and lets you check the passwords of users in specific Roles against a list of passwords known to have leaked in data breaches. This is done securely, without transmitting the actual password.
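The usual way to check a password against a leak corpus without ever sending the password is a hash-prefix (k-anonymity) lookup: hash the password, send only the first few hex characters of the hash, get back every known hash suffix in that bucket, and compare the remainder locally. The following is an added example, not Admin Tools code; the page does not say which service the plugin queries, so this assumes the scheme popularised by Have I Been Pwned's Pwned Passwords range API and uses a constructed, offline stand-in for the remote service. The role list in `password_allowed_for_role` is a hypothetical default.

```python
"""Leaked-password check that never transmits the password.

Added example; this is not Admin Tools code and the page does not say which
service the plugin queries. It assumes the hash-prefix (k-anonymity) scheme
popularised by Have I Been Pwned's Pwned Passwords range API: hash the password
with SHA-1, send only the first 5 hex characters, receive every known hash
suffix in that bucket, and compare the rest locally.
"""
import hashlib
from typing import Callable, Dict, Optional, Tuple

PREFIX_LEN = 5                 # characters of the hex digest that leave the server
SUFFIX_LEN = 40 - PREFIX_LEN   # SHA-1 hex digest is 40 characters

# Constructed stand-in for the remote service so the example runs offline.
# Key: hash prefix. Value: one "SUFFIX:COUNT" line per known hash, which is the
# HIBP range response format. The middle suffix is the real remainder of
# SHA-1("password"); the two other suffixes and all three counts are made up.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1D2B2C1C6F0A2B6E1C9C4B1F3D6E7A8B9C0:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F0E4B9A2C3D4E5F60718293A4B5C6D7E8F:1\r\n"
    ),
}


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines
    instead of treating a garbled response as either 'leaked' or 'clean'."""
    bucket: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        count = count.strip()
        if not sep or len(suffix) != SUFFIX_LEN or not count.isdigit():
            continue
        bucket[suffix] = int(count)
    return bucket


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher backed by the constructed table above."""
    return FAKE_RANGE_RESPONSES.get(prefix.upper(), "")


def fetch_range_hibp(prefix: str) -> str:
    """Live fetcher for the real HIBP range endpoint (not called in this example)."""
    import urllib.request
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def leaked_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times the password appears in the leak corpus (0 = not found).
    Only `prefix` is handed to the fetcher; the password and its full hash stay local."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


def password_allowed_for_role(role: str, password: str,
                              checked_roles: Tuple[str, ...] = ("administrator", "editor"),
                              fetch_range: Callable[[str], str] = fetch_range_offline
                              ) -> Tuple[bool, Optional[int]]:
    """Per-role gate matching the release note: roles outside `checked_roles`
    (a hypothetical default) are never looked up, so nothing is transmitted
    for them. Returns (allowed, leak count or None when the role is not checked)."""
    if role not in checked_roles:
        return True, None
    count = leaked_count(password, fetch_range)
    return count == 0, count


if __name__ == "__main__":
    for role, pw in (("administrator", "password"), ("subscriber", "password")):
        print(role, repr(pw), password_allowed_for_role(role, pw))
```

The point to check in any implementation of this feature is the split in `leaked_count`: the only value that crosses the network is the five-character prefix, which is shared by hundreds of unrelated hashes, so the remote side cannot learn which password was tested.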
Make all Admin Tools strings compatible with WordPress' translation feature. This is a first step towards being able to use translations.
Remove the IP workarounds "recommended setting" notice due to its high rate of false detections. Our recommendation has been, and continues to be, to keep this option disabled unless you have confirmed that every security exception, no matter who triggered it, is logged and/or blocked with one and the same IP address (a sign that your site sits behind a proxy or CDN and the plugin is seeing its address instead of the visitor's).
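The reason the workaround should stay off by default is that the header it relies on is set by whoever sends the request. The following added example (not Admin Tools code) assumes that "IP workarounds" means honouring X-Forwarded-For, the header proxies and CDNs set, and that requests are available as a WSGI-style environ dict with REMOTE_ADDR and HTTP_X_FORWARDED_FOR. It shows the naive version beside a version that only trusts the header when the TCP peer is a known proxy, plus the check from the note above over constructed log data. The trusted-proxy list and all addresses are made up.

```python
"""Client-IP resolution behind a reverse proxy, and the check from the note.

Added example, not Admin Tools code. It assumes that "IP workarounds" means
honouring X-Forwarded-For (the header proxies and CDNs set) instead of the TCP
peer address, and that requests arrive as a WSGI-style environ dict with
REMOTE_ADDR and HTTP_X_FORWARDED_FOR. The trusted-proxy list is hypothetical.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable


def client_ip_naive(environ: Dict[str, str]) -> str:
    """The unsafe workaround: trust X-Forwarded-For from anyone. A client talking
    to the server directly can set this header, so an attacker chooses which
    address the security log records and which address gets auto-blocked."""
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if xff.strip():
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def _is_trusted(addr: str, nets: list) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip_trusted(environ: Dict[str, str], trusted_proxies: Iterable[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our own proxies,
    then walk the chain right-to-left past trusted hops; the first untrusted
    hop is the client. Anything unparseable means fall back to REMOTE_ADDR."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    peer = environ["REMOTE_ADDR"]
    if not _is_trusted(peer, nets):
        return peer                      # direct connection: header is untrusted
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if _is_trusted(hop, nets):
            continue                     # our own proxy appended this hop
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # forged or garbled header: trust none of it
        return hop
    return peer


def same_ip_for_everyone(logged_ips: Iterable[str]) -> bool:
    """The condition the release note gives for switching the workaround on:
    every security exception, whoever caused it, was logged with one IP."""
    counts = Counter(logged_ips)
    return len(counts) == 1 and sum(counts.values()) >= 2


# Constructed data. A site behind one proxy at 203.0.113.10 logs that address for
# every exception; a site served directly logs the real, differing clients.
PROXIED_LOG_IPS = ["203.0.113.10"] * 5
DIRECT_LOG_IPS = ["198.51.100.7", "198.51.100.8", "203.0.113.10"]
TRUSTED_PROXIES = ["203.0.113.10/32"]

# Attacker connects directly and forges the header to frame 192.0.2.1.
FORGED_DIRECT = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "192.0.2.1"}
# Same forgery, but the request really went through the proxy, which appended
# the true client address after the forged one.
FORGED_VIA_PROXY = {"REMOTE_ADDR": "203.0.113.10",
                    "HTTP_X_FORWARDED_FOR": "192.0.2.1, 198.51.100.7"}

if __name__ == "__main__":
    print("naive, direct forgery :", client_ip_naive(FORGED_DIRECT))
    print("trusted, direct forgery:", client_ip_trusted(FORGED_DIRECT, TRUSTED_PROXIES))
    print("trusted, via proxy     :", client_ip_trusted(FORGED_VIA_PROXY, TRUSTED_PROXIES))
    print("proxied log looks proxied:", same_ip_for_everyone(PROXIED_LOG_IPS))
    print("direct log looks proxied :", same_ip_for_everyone(DIRECT_LOG_IPS))
```

If `same_ip_for_everyone` is true for your exceptions log, the site is almost certainly behind a proxy and the workaround is worth enabling; if it is false, enabling it lets any visitor pick the address that gets blocked.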
Fixed: database issues. Admin Tools would fail to work on some servers because of the way it handled the database connection provided by WordPress.
Fixed: fatal error using the Quick Setup wizard on IIS. Admin Tools assumed you were always running an Apache server, which is not the case for every site.
Fixed: Optimize WAF was shown on unsupported servers. Since this feature requires .htaccess file support it only works on Apache and LiteSpeed. Sites on other servers no longer see this feature.
Fixed: Malware Scanner progress did not appear in a modal. Apparently, we never told it to. Now it looks much better.
Fixed: missing error strings for the GeoIP database update. When the GeoIP database update failed you got gibberish instead of a human-readable message. The error messages are now in plain English and include tips for fixing the issue you are experiencing.
While our software should run on any WordPress version newer than 3.8 (with several features only working fully, or at all, on WordPress 4.4 and later) we VERY STRONGLY recommend using the latest version of WordPress only. Newer versions of WordPress address security issues which cannot be guarded against by a web application firewall / security plugin. Moreover, newer WordPress versions fix bugs and change behaviours which are not security issues by themselves but can be used to facilitate the compromise of a site. For example, support for the utf8mb4 character set may have been billed as “Emoji support” but in fact closes off a whole class of database attacks that hinge on the way MySQL's plain utf8 (three-byte) character set truncates data at four-byte characters, something a generic firewall cannot address.
In short: trying to have a secure site with old code that contains known vulnerabilities is an exercise in futility. Do the smart thing: update WordPress first, then use a security plugin to tighten your security.
We no longer provide support for PHP 4.3, 4.4, 5.0, 5.1, 5.2 or 5.3. These versions of PHP have been end of life for years; the most recent of them, PHP 5.3, reached end of life in August 2014 and is widely considered a security risk, unfit for production sites. Our software requires PHP 5.4 or later and is compatible with PHP 5.4, 5.5, 5.6, 7.0, 7.1 and 7.2. We strongly recommend using PHP 5.6 or 7.2.
HEADS UP! The next version family, Admin Tools for WordPress 1.1, will no longer support PHP 5.4 and 5.5.
Disclaimer: this is not a legal advisory. Please consult your lawyer if you are unsure.
On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) came into effect. We have been asked about how Admin Tools complies with it a few times. The following is our understanding of it but it does not constitute legal advice of any kind.
While stored IP addresses may be considered personally identifiable information, the GDPR makes an exception for IP information stored in the context of security. As such, in our understanding, Admin Tools' security exceptions log and the related IP whitelist, IP blacklist, automatic IP blocks and automatic IP block history fall outside the scope of personal data protection.
Text log files may, however, contain sensitive information, as they capture the entire request sent by the user to your site. We therefore recommend that you DISABLE the "Keep a debug log file" option in the Configure WAF page. Please also note that if your logs directory is under your web root and you have not used Admin Tools' features, such as the .htaccess Maker, to protect it, all your logs may be publicly accessible. For security reasons, we recommend that you always make your logs and temporary directories inaccessible from the web.
Furthermore, the GDPR calls for data minimization. To comply with this requirement we urge you to set the "Maximum security exceptions log entries" option in the Plugin Options page to a non-zero value. Typically, a value of 1000 to 10000 provides a good balance between data minimization and security.
The Project Honeypot and "Warn about use of well-known passwords" features do transmit information to third parties. However, this information is anonymous and should therefore fall outside the scope of the GDPR.