All-In-One Security 5.2.6 Release

By TeamUpdraft. Category: Company news. Topics: All-In-One-Security, Releases.

AIOS 5.2.6: Enhancements and security fixes


Audit log improvements: The audit log now records logout events, password resets and user removals and deletions, so administrators can see who was logged out and follow account lifecycle changes. This is useful for monitoring site security and reviewing user activity.

Customizable CAPTCHA theme: Added an option to set the theme of Cloudflare's Turnstile CAPTCHA widget, so administrators can match its appearance to their website's look and feel. This is a cosmetic setting: the theme changes how the widget looks, not how Turnstile challenges visitors, so bot resistance is unchanged.

Contact Form 7 CAPTCHA support: CAPTCHA can now be integrated into forms created with the Contact Form 7 plugin, adding an extra layer of security.

Streamlined menus: Several menus and items have been reduced, combined, or relocated to simplify navigation. Other minor UX improvements include converting dates and times to timestamps for timezone independence.

Nonce checks added: Implemented nonce checks for various list table actions to prevent cross-site request forgery (CSRF). Previously, an attacker who tricked a logged-in admin into opening a specially crafted link could cause unauthorized actions on 404 records, because the action was carried out on the strength of the admin's session alone. Special thanks to dhakal_anada for reporting this issue.
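As an added illustration (this is example code, not AIOS's own implementation), here is the shape of such a fix for a list-table row action: the "before" handler acts on a bare query string, the "after" handler requires a nonce bound to the action and record, plus a capability check. It assumes a WordPress admin context; the page slug aios-example-404, the function names and the table aiowps_example_404s are hypothetical.

```php
<?php
/*
 * Added example, not AIOS code. Runs inside WordPress admin; the page slug,
 * function names and the table name aiowps_example_404s are hypothetical.
 */

// Deletes one record from a hypothetical 404-event table.
function aios_example_delete_404_record( $record_id ) {
	global $wpdb;
	return $wpdb->delete( $wpdb->prefix . 'aiowps_example_404s', array( 'id' => $record_id ), array( '%d' ) );
}

// BEFORE: the action is taken straight from the query string. A page on any site
// that makes a logged-in admin load admin.php?page=aios-example-404&action=delete&id=42
// (an <img src="..."> is enough) deletes record 42 with the admin's session.
function aios_example_handle_404_action_unsafe() {
	if ( isset( $_GET['page'], $_GET['action'] ) && 'aios-example-404' === $_GET['page'] && 'delete' === $_GET['action'] ) {
		aios_example_delete_404_record( absint( $_GET['id'] ) );
	}
}

// AFTER, part 1: the row action link carries a nonce. The nonce action string
// includes the record id, so a nonce issued for one row cannot be replayed on another.
function aios_example_404_delete_link( $record_id ) {
	$record_id = absint( $record_id );
	$url       = add_query_arg(
		array( 'page' => 'aios-example-404', 'action' => 'delete', 'id' => $record_id ),
		admin_url( 'admin.php' )
	);
	return wp_nonce_url( $url, 'aios_example_delete_404_' . $record_id, '_aios_nonce' );
}

// AFTER, part 2: the handler checks capability and nonce before touching data.
function aios_example_handle_404_action() {
	if ( ! isset( $_GET['page'], $_GET['action'] ) || 'aios-example-404' !== $_GET['page'] || 'delete' !== $_GET['action'] ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to do that.', 403 );
	}
	$record_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
	// Dies with WordPress's "link has expired" page if the nonce is absent, was
	// issued for a different action/record, or belongs to another user, so a
	// forged cross-site link never reaches the delete call.
	check_admin_referer( 'aios_example_delete_404_' . $record_id, '_aios_nonce' );
	aios_example_delete_404_record( $record_id );
	wp_safe_redirect( remove_query_arg( array( 'action', 'id', '_aios_nonce' ) ) );
	exit;
}
add_action( 'admin_init', 'aios_example_handle_404_action' );
```

The nonce is what defeats CSRF: it is derived from the current user's session and the action string, so an attacker who cannot read the admin's page cannot construct a valid link. The capability check is separate and still required; a nonce proves the request came from a page WordPress served to this user, not that the user is allowed to perform the action.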

Cross-site scripting (XSS) vulnerability fix: Removed unnecessary uses of the tab query parameter on admin menu pages to close a reflected (non-persistent) cross-site scripting vulnerability, in which a crafted link to an AIOS admin page could inject script into the page rendered for the administrator who opened it. We appreciate Matthew Rollings for disclosing this vulnerability.
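The release fixed this by dropping the parameter where it was not needed. Where a tab parameter is needed, the general hardening is to validate it against a whitelist of known slugs and escape it at output. The following is an added example written for this page, not AIOS code; the tab slugs and function names are illustrative, and it runs under plain PHP (falling back to htmlspecialchars() when WordPress's escaping functions are not loaded).

```php
<?php
/*
 * Added example, not AIOS code. Plain PHP (runs from the CLI); the escaping
 * helpers use WordPress's esc_attr()/esc_html() when available and
 * htmlspecialchars() otherwise. The tab slugs are illustrative.
 */

const AIOS_EXAMPLE_TABS = array(
	'settings'      => 'Settings',
	'user-accounts' => 'User accounts',
	'salt'          => 'Salt',
);

function aios_example_esc_attr( string $s ): string {
	return function_exists( 'esc_attr' ) ? esc_attr( $s ) : htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

function aios_example_esc_html( string $s ): string {
	return function_exists( 'esc_html' ) ? esc_html( $s ) : htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// VULNERABLE: the raw tab parameter is written into markup. A link such as
// admin.php?page=aios&tab="><script>alert(1)</script> runs script for the admin who opens it.
function aios_example_render_tabs_unsafe( array $query ): string {
	$tab = isset( $query['tab'] ) ? $query['tab'] : 'settings';
	return '<a class="nav-tab nav-tab-active" href="?page=aios&tab=' . $tab . '">' . $tab . '</a>';
}

// Resolve the active tab: only a slug present in the whitelist is accepted;
// anything else falls back to the default, so attacker-controlled text never
// reaches the output stage at all.
function aios_example_resolve_tab( array $query, array $tabs, string $default ): string {
	$requested = isset( $query['tab'] ) && is_string( $query['tab'] ) ? $query['tab'] : '';
	return array_key_exists( $requested, $tabs ) ? $requested : $default;
}

// SAFE: the tab is validated against the whitelist, and every value is still
// escaped at output (defence in depth, in case the whitelist is edited later).
function aios_example_render_tabs( array $query ): string {
	$active = aios_example_resolve_tab( $query, AIOS_EXAMPLE_TABS, 'settings' );
	$html   = '';
	foreach ( AIOS_EXAMPLE_TABS as $slug => $label ) {
		$class = 'nav-tab' . ( $slug === $active ? ' nav-tab-active' : '' );
		$html .= sprintf(
			'<a class="%s" href="?page=aios&amp;tab=%s">%s</a>',
			aios_example_esc_attr( $class ),
			aios_example_esc_attr( $slug ),
			aios_example_esc_html( $label )
		);
	}
	return $html;
}

// Constructed malicious request, as an attacker's crafted link would produce it.
$attack = array( 'tab' => '"><script>alert(1)</script>' );
echo aios_example_render_tabs_unsafe( $attack ), PHP_EOL; // <script> lands in the page
echo aios_example_render_tabs( $attack ), PHP_EOL;        // renders the Settings tab instead
```

Running it prints the injected script element from the unsafe renderer and a clean tab bar from the safe one. Validation and output escaping are independent controls: the whitelist keeps unexpected values out of the page logic, and escaping ensures that whatever does reach the markup cannot break out of an attribute or text node.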

For a detailed list of all changes and improvements, please review the Changelog below.

  • SECURITY: Removed unnecessary use of the tab query parameter on various admin menu pages to prevent an XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect.
  • Feature: Added logout event to the audit logs
  • Feature: Added the ability to delete the default readme.html and wp-config-sample.php files
  • Fix: Correct some translation calls that were using the wrong text domain
  • Fix: PHP notice caused by the file scanner being unable to read its data file
  • Fix: Unlock request button was not showing and redirected to 127.0.0.1
  • Fix: Database errors for the aiowps_login_lockdown table during plugin installation
  • Tweak: Refactored the 6G UI
  • Tweak: Added an option to set the Cloudflare Turnstile CAPTCHA theme
  • Tweak: Added CSS styling for audit log details column
  • Tweak: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
  • Tweak: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
  • Tweak: Display the raw JSON string instead of null if json_decode fails for audit log details
  • Tweak: Event table existing datetime field converted to timestamp to be time zone independent
  • Tweak: Various tweaks to get codebase up to coding standards
  • Tweak: Various tweaks to ensure multiple sentences are not passed to a single translation function
  • Tweak: Fixed the broken UI for RSS and Atom firewall settings and added a more info box
  • Tweak: Fixed an issue with non-unique element IDs in the DOM
  • Tweak: Merge Username and Display Name tabs in User Security Settings
  • Tweak: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu
  • Tweak: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab
  • Tweak: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu
  • Tweak: Moved the ‘WP Rest API’ tab into the Firewall Menu
  • Tweak: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu
  • Tweak: Moved the ‘Salt’ tab into the User security menu
  • Tweak: Moved the ‘Blacklist Manager’ tab into the Firewall menu
  • Tweak: Password resets, removed and deleted users are now recorded in the audit log
  • Tweak: Stop an IP from being locked out again for 404 activity if there is already an active lock on that IP
  • Tweak: Unify date and time conversion with users time zone support
  • Tweak: Changed how empty data in ip lookup result is stored in the database
  • Tweak: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
  • Tweak: Added CAPTCHA support for Contact Form 7
  • Tweak: Added an AJAX save-settings function and a get-feature-details badge function as part of ongoing work to add AJAX support to the plugin settings
  • Tweak: Enhance reset password email by adding IP info
  • Tweak: Remove defunct imagetoolbar meta tag
  • Tweak: Login lockout tables existing datetime field converted to timestamp to be time zone independent
  • Tweak: Code improvements – utilizing WP_Error objects instead of arrays

About the author


TeamUpdraft

Our team consists of WordPress developers, marketers, and industry experts committed to providing you with the resources and skills you need to succeed online. Whether you’re just starting out or seeking advanced strategies, we’re here to enhance your WordPress journey and support you at every stage.
