Bug Fix: Fatal error when running on a site with an unprefixed version of Pimple or Psr/Container that was loaded before iThemes Security.

Important: iThemes Security now requires PHP 7.3 and WordPress 5.9 or later.

New: Introducing passkeys for Passwordless Login! Users can log into their site using biometrics like Face ID, Touch ID, or Windows Hello. Enable the new "Passkeys" module to add it as a Passwordless Login method.

Bug Fix: Preliminary PHP 8.1 compatibility.

Tweak: Add Security Alert when running a PHP version older than 7.3.0. Future versions of iThemes Security will require PHP 7.3.0.

Bug Fix: Don't attempt to Hide Backend when a Cron request is being processed.

Bug Fix: Prevent entering invalid date values when selecting a custom date range in the Security Dashboard.

Tweak: Require a Title when creating a new Dashboard.

Bug Fix: Don't attempt to send a Site Scan notification for Clean scans preventing a fatal error after scheduled site scans.

Bug Fix: Initialize Theme in Dashboard Widget rectifying the "An error occurred while rendering this card" message.

Bug Fix: Use Site Registration Authentication when performing a Site Scan on Multisite Subsites rectifying the "Request is missing verification credentials" message.

Tweak: Schedule the Automatic Updater to run 5 minutes after a Site Scan finds Vulnerable Software.

Bug Fix: Help styling on WordPress 5.9.

Bug Fix: Compatibility with plugins that expected a logged-in user during lockouts.

Bug Fix: Error when visiting the Notifications page after activating a module with notifications for the first time.

Bug Fix: Update deprecated withState usages to useState.

Bug Fix: Set a default value for the Notification User Roles control.

Important: iThemes Security now requires WordPress 5.8 or later.

New Feature: Introduce a new Import Export feature that allows for greater customization and flexibility.

Bug Fix: Scroll to top of window when navigating.

Bug Fix: Allow searching for Password Requirements.

Bug Fix: Login page would be blank when Passwordless Login was configured to use the "Username First" flow.

Bug Fix: Don't load WordPress and System Tweaks modules when the `ITSEC_DISABLE_MODULES` constant is enabled.

Bug Fix: Prevent incidentally loading the Two-Factor module when it is unregistered.

Bug Fix: Conditionally display the NGINX File Path setting.

Bug Fix: Allow saving Notifications when "default recipients must contain at least 1 item" error is present.

Enhancement: Reintroduce Feature Flags management UI.

Tweak: Reposition "Advanced" and "Tools" menu items to be more readable on lengthy screens.

Bug Fix: Sites that did not support HTTPS, but had the SSL module active, but not configured, on upgrade would get redirected to the HTTPS version of the site.

Bug Fix: When the Change Admin User tool is run, update any User Groups referencing the old user id.

Bug Fix: Unregister the iThemes Security Two-Factor module when the Two-Factor Feature Plugin is enabled.

Bug Fix: Add missing and correct erroneous textdomains.

Bug Fix: WordPress footer would appear in the middle of the logs page.

Tweak: Move "Have I Been Pwned" integration to the Core plugin.

Tweak: Reduce filename length and complexity for built CSS and JS files.

Bug Fix: Disable XML-RPC rules in server config files. Previously, XML-RPC was being disabled using the XML-RPC enabled filter.

Bug Fix: Fatal error on logs page when User Logging and Two-Factor are enabled and a user logs in using Two-Factor.

Bug Fix: Add missing constants to the debug page.

Bug Fix: Fatal error when sending the "Inactive Users" notification.

Bug Fix: Remove deleted recipients when saving notifications.

Bug Fix: Allow using reserved words as prefixes for the Hide Backend Login Slug.

Bug Fix: Enforce SSL would not redirect users from HTTP to HTTPS on the front-end of the website.

Bug Fix: Correct Site Scan statuses for scans with no issues.

• Prevent Password Requirements being re-enabled if they were disabled before upgrading to iThemes Security 7.0, but had a group selected for them.
• Arguments to the implode function were reversed, causing a Fatal Error on PHP 8.
• Allow installing on WordPress 5.7.0, not just 5.7.1+.
• Ensure values passed to the TextareaListControl is an array.
• Don't run the dashboard migration if unneeded.
• Labels for Disable PHP Execution in Plugins and Themes were reversed.
• Activate the Geolocation module if Trusted Devices provided Geolocation API keys.