All-In-One Security (AIOS) 5.2.5 Release

UI enhancements: The latest release of AIOS introduces significant improvements to the user interface, resulting in a smoother and more intuitive experience. Key updates include:

Redesigned scanner page: A complete overhaul of the scanner page for enhanced functionality and ease of use.

New UI widgets: Several new widgets have been added to streamline user interactions.

Consolidated Admin menus: Multiple admin menus have been merged into a single, organized user security menu for easier navigation.

Acknowledgements and Fixes

We would like to extend our gratitude to Naveen Muthusamy for identifying a critical defect. This issue could have allowed potential hackers to access websites through hidden login pages on multisite installations. The defect has been resolved in this release.

For a detailed list of all changes and improvements, please refer to the full changelog below.

• SECURITY: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
• Feature: Block POST requests that have a blank user-agent and referer
• FEATURE: Added reverse IP Lookup data to the login lockdown notification email
• Fix: Prevent a fatal error when setting up the firewall if the host has disabled the function parse_ini_file
• Fix: Prevent the firewall message store from filling up with unused entries
• Fix: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
• Fix: An issue that prevented MainWP updates from being performed correctly
• Fix: Prevent user enumeration via the REST API and oEmbed protocol
• Fix: User agent blacklist not matching all strings correctly
• Fix: Logged in user table not showing the correct information
• Tweak: Improve comment spam detection by using hidden fields and cookies
• Tweak: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
• Tweak: The menu actions in the dashboard admin menu are now processed via AJAX
• Tweak: Converted checkboxes in the admin menu pages to switches
• Tweak: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
• Tweak: Combined various user admin menus into a new ‘User Security’ admin menu
• Tweak: Export configuration filename now reflects the local time zone.
• Tweak: Improve the UI/UX of the file scanner making way for future improvements
• Tweak: Redesign the feature manager badges
• Tweak: Removed various admin menu tabs as previously announced
• Tweak: Add features that depend on other plugins to the feature manager conditionally
• Tweak: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
• Tweak: Audit log date and time are now displayed in the sites time zone
• Tweak: PHP warning undefined array key REQUEST_METHOD in rule-proxy-comment-posting.php
• Tweak: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the ‘Rename login page’ setting is on