Download Security Ninja Premium v5.284

List of improvements in Security Ninja Premium version 5.284

• = 5.284 =
• 2026-05-23
• FIX: Change Login URL (Pro) — Checkout and other frontend flows that use WordPress `admin-post.php` (for example FluentCart account creation during checkout) no longer show “Access Denied” for visitors. Legitimate public handlers registered with `admin_post_nopriv_*` are allowed; direct access to the rest of wp-admin stays blocked.
• IMPROVED: Rename Login (Pro) — Recognized temporary-login plugin links (Temporary Login Without Password, One Time Login, Magic Login, Login Links) are no longer blocked when accessing wp-admin before authentication completes. Extend via the `securityninja_rename_login_allow_autologin` filter.
• IMPROVED: AI Security Advisor now uses WordPress 7 structured AI responses for more reliable report output.
• IMPROVED: AI Security Advisor reports now include richer context from Security Tests, Vulnerability Scanner, Core Scanner, and recent security events.
• IMPROVED: Pro sites now include Malware Scanner findings in AI report context when available.
• NEW: WordPress 7 Abilities (optional, on by default): expose read-only security data to other WordPress AI clients—Security Test summary (passed/warning/failed), 7-day attack activity vs the previous week, and the latest saved AI Security Advisor report. Control exposure under Security Advisor → Settings; turning this off does not affect generating reports or follow-ups on the Security Advisor page.
• NEW: Added a dismissable “Re-evaluate with AI” reminder after tests, scans, and firewall setting changes (stays hidden after dismiss until a new security event occurs).
• = 5.283 =
• 2026-05-18
• FIX: Cloud Firewall (Pro) — Satellite ASN softening now works consistently across country blocking (including Starlink).
• FIX: 2FA setup during frontend login now shows the manual entry secret key again, matching the backend user profile setup flow.
• IMPROVED: Cloud Firewall (Pro) — IP Management shows your blacklist, whitelist, and temporary blocks in one searchable table, so you can see everything in one place.
• IMPROVED: Add, edit, and remove IP rules directly from the table; add several at once with one IP or range per line.
• IMPROVED: Copy your full blacklisted or whitelisted lists, or clear temporary blocks, from easy buttons below the table.
• = 5.282 =
• 2026-05-05
• FIX: Two-factor authentication (Pro) — When 2FA is enabled but required roles were missing or invalid, login could skip the 2FA step. Security Ninja now falls back to requiring **Administrator*so the code prompt always appears for protected accounts.
• FIX: Saving 2FA status would fail if firewall not enabled. Thank you Vassos.
• Added a new Tools-page Cleanup button. Securely removes any legacy options or data. Thank you Davina for the idea.
• FIX: Cloud Firewall (Pro) — Clearing **all*countries in country blocking and saving now actually turns country blocking off. Previously, choosing “none” could leave old selections in place because empty lists were not saved correctly.
• IMPROVED: Cloud Firewall — IP whitelist entries written as **ranges*(CIDR, one per line on IP Management) now apply the same way everywhere: visitor checks, secret recovery links, and automatic whitelist logic no longer treat ranges like plain single IPs only in some code paths.
• NEW: Cloud Firewall (Pro) — Option to soften country blocking for satellite ISPs like Starlink. Easily enable or adjust under Firewall → Settings for smoother access while keeping strong protection.
• IMPROVED: Cloud Firewall (Pro) — If a country or cloud block is skipped because the visitor is using a satellite ISP (satellite ASN softening), you’ll now see this clearly in the Events log.
• = 5.281 =
• 2026-04-22
• FIX: 2FA — Post-verification redirects now match WordPress core validation for relative and absolute `redirect_to` URLs ( Rename Login compatible ). AJAX responses always include a safe `redir_to` / `redirect_url` with `admin_url()` fallback so editors and other roles are not sent to the front page unexpectedly. Thank you Davina.
• IMPROVED: Security Tests — the “outdated plugins” check no longer saves full WordPress.org plugin metadata to the database. Thank you Davina.
• IMPROVED: AI Security Advisor — improved PII handling.
• FIX: Malware Scanner — “Revert Whitelist” now correctly persists file removal, so reverted files no longer reappear after page reload. Thank you Vassos.
• IMPROVED: Malware Scanner — respects the same ignore paths as the scanner library during filesystem traversal (e.g. `wp-admin/` and `wp-includes/`), so WordPress core files are no longer signature-scanned when already excluded—use Core Scanner for core integrity.
• IMPROVED: Malware Scanner — WordPress core JS bundles under `wp-includes/js/dist/` and `wp-admin/js/` are excluded from malware pattern matching by default (fewer false positives on minified/vendor scripts). Plugins, themes, and uploads are still scanned.
• = 5.280 =
• 2026-04-17
• Fix for display bug on Events -> Settings subtab. Thank you Aldin for spotting it.
• = 5.279 =
• 2026-04-15
• Improved AI Security Advisor interface and functionality Big improvements.
• FIX: Cloud Firewall — Failed login warning emails no longer cause a fatal error (“Class Wf_Sn_Security_Utils not found”) when `wp_login_failed` ran before the `init` hook (e.g. another plugin handling login during `plugins_loaded`).
• IMPROVED: Security Tests — long help text is no longer embedded on every plugin admin screen, so the dashboard stays lighter in memory and loads faster.
• Updated translation files
• = 5.277 =
• 2026-04-04
• FIX: Firewall redirect Blocked visitor redirect now supports external URLs as configured. We now use validated `wp_redirect()` for this setting (http/https only), preventing fallback to wp-admin when an external domain is set.
• IMPROVED: Cloud Firewall crawler validation now supports verified AI crawlers (OpenAI and Perplexity) using user-agent plus cached published IP ranges. Anthropic are not auto-whitelisted.
• = 5.276 =
• 2026-03-27
• Maintenance release Minor improvements and stability.
• FIX: Security Fixes — Saving the Fixes screen now applies wp-config changes only when toggles are ON: disable file editor, disable WP_DEBUG, and secure session cookies. Previously, always-present form keys made the “on” paths run even when options were OFF, which could append duplicate `define()` lines and trigger PHP notices (thanks Masahiro Kasahara for the report). `update_define` also skips appending a constant that is already defined (e.g. set from an included file).