Plugin / 6Scan Security

Changelog

1.0.1

• Initial alpha release.

1.0.2

• Error reporting form added.
• If install fails, user now sees better error description.
• Fixed a bug that could occur when installing the plugin on servers with an empty or outdated root CA list.

1.0.3

• Bugfix, regarding access to 6Scan’s SSL server.

1.0.4

• Gate script now works correctly with servers, that have DOCUMENT_ROOT different from the real document root (like 000webhost).
• More sanity checks before installing (checking for openssl_* functions, required php.ini flags, and more).
• Added helpful links to errors that might occur while installing.
• Now verification file resides on server as long as 6Scan Security is installed.

1.0.5

• 6Scan Security Plugin has an easier to use activation feature
• Support submenu added
• Htaccess rules have been changed to tighten the security even more
• Fixed few bugs, which could occur under Windows server environment

1.0.6

• Now supports curl transport, if fopen() fails
• Improved communication with 6Scan server

1.0.7

• Installation process improved.
• Added settings menu
• Added support for more security scanning servers

1.0.8

• Security tightened even more
• Small bugfixes

1.0.9

• Adjusted signature update protocol for new API

1.0.10

• Site verification process improved

2.0.1

• Smoother install process
• Displays vulnerability count
• Added patch to work with very slow servers

2.1.1

• Added WAF security settings
• Added manual fix instructions for security vulnerabilities
• New dashboard design
• Added new feature: login security. Login security can optionally lock out users who attempt a brute-force or dictionary attack on your blog’s login form.

2.1.2

• In addition to website security, we have introduced a backup feature, allowing users to automatically create backups of their database and files. The backups are securely uploaded to our cloud datacenter and are only accessible by the site owner.
• Changed the UI of the ticket submission form.
• UI minor bugfix: on site verification failure, the message to user was double escaped.
• Some servers had security settings that denied long GET requests. A fix was introduced to avoid this condition.

2.1.3

• Added another security check to CSRF on POST check. Now empty referrers are considered safe, because some user agents do not pass the referrer at all (for security or privacy reasons).
• Changed server communication protocol when performing backups for more reliability.
• Error messages have been rewritten to be more clear.
• Can now connect to MySQL database through socket.
• Added support for non-legacy tar implementations.
• Fixed: login security could sometimes lock-out users that were using XML-RPC to make posts.
• Storage upload engine was completely rewritten.
• Backup feature now makes sure that no old backups are left in the WordPress directory (otherwise they could stack and inflate the backup size).

2.1.4

• Fixed a bug in a gatekeeper script, where a special configuration would cause scripts to get the wrong value from the PHP_SELF variable.
• Older versions of WordPress would sometimes not update security signatures. Fixed that condition.
• Fixed a bug where WAF security options would sometimes not act as intended.

2.1.5

• If a security vulnerability has been discovered, it is now shown on the WordPress administrator panel.
• Fixed: under certain configurations, server firewalls could mistake a backup request for a security threat and block it.
• Fixed a bug where some servers would add their html code to scripts’ output and confuse the 6Scan plugin.

2.2

• Worked around a problem with WP_Filesystem that many users saw during installation. This problem could pop up if the file ownership on some of your files is not as WordPress requires. 6Scan Security now installs and functions correctly even if WP_Filesystem does not, although correct file permissions are still required.
• Fixed minor UI discrepancies.
• Optimizations to secure automatic backup feature.

2.2.1

• We have added a pure PHP implemented fallback for openssl_verify function, so that if your webhosting does not have openssl package, you can still use 6Scan without compromising on traffic security.

2.2.3

• We have added a full support for WP_Filesystem. If wordpress is running without permissions to access filesystem, user is required to enter the FTP credentials (Based entirely on WordPress filesystem implementation)
• Added a 6Scan Security dashboard widget
• We also make sure to set a correct permissions mode on our verification file (There are some servers, that create it without runnable permissions by default)

2.2.5

• Now running pure PHP code, when performing database backup. Now database backup has much less prerequisites

2.2.7

• Solved permission issues, while changing .htaccess. There could be an error, of wp_filesystem was initialized to other than ‘direct’.

2.2.8

• Changed path references. Now the are referenced as $wp_filesystem->abspath() and alike (The ABSPATH define is only used in several ‘direct’ access parts)

2.3.0

• Fixed a bug during install with wp_filesystem()
• When user clicks “Activation” he sees a local page with terms, textbox for his email address and an “Install” button. Registration data (user’s email and url) will be passed to 6Scan server only after user clicks Install
• 6Scan Security now supports WordPress 3.5

2.3.1

• Minor bugfixes during installation. A failed install could’ve caused the login credentials to be lost during page reload

2.3.2

• A minor UI change. During plugin’s reactivation user could see a “register” while already logged into his secure dashboard

3.0.1

• 6Scan Security now allows users to access their security dashboard of all registered websites. To allow that, newly registered users now have to enter a password (while activating the plugin)

3.0.3

• Few minor bugs fixed

3.0.4

• Improved backup processes

3.0.5

• New WordPress version + one more scan server added

3.0.6

• Improved attacks detection and blocking