BulletProof Security Blog

• ARQ Core|ARQ Fire Improvement: Flow & Processing Sequences|Performance & Resource Optimizations|Additional FailSafe Conditions: 
Flow|Sequences: WP Core, Plugins & Themes: Shiny, Manual, Bulk & Automatic Updates & Installations

• Plugin & Theme Shiny, Manual, Bulk & Automatic Updates & Installations: Install or Update button click > ABT FailSafe Function > AJAX Action Function Triggered – ARQ Turned Off > upgrader_pre_install Filter Triggered – ARQ Turned Off FailSafe > upgrader_post_install Filter Triggered – ARQ File Backup > AFS Cron FailSafe – ARQ Turned On.

• Plugin & Theme Automatic Update: upgrader_pre_install Filter Triggered – ARQ Turned Off > upgrader_post_install Filter Triggered – ARQ File Backup > AFS Cron FailSafe – ARQ Turned On.

• WP Core Manual Update|Re-install: Update or Re-install button click > ABT FailSafe Function > AJAX Action Function Triggered – ARQ Turned Off > ABT Function > ARQ File Backup & ARQ Turned On > AFS Cron FailSafe check.

• WP Core Automatic Update: ARQ Fire Function > WP AutoUpdate Function – ARQ Turned Off & ARQ File Backup > AFS Cron FailSafe check.

• ARQ Cron|AFS Cron Improvements: The AFS Cron now turns on the ARQ Cron for: Shiny, Manual, Bulk & Automatic Updates. The BPS Pro Dashboard Status Display for ARQ will display Pending until the AFS Cron turns ARQ back On. Min: 15 seconds|Max: 60 seconds. Notes: If normal/standard WP Cron Jobs are being overridden by “direct” crons then the ARQ Pending status will be displayed until the “direct” cron job has been run.

• BugFix: ARQ Fire logic flaw was causing redundant file backup processing.
• BugFix: AutoRestore Automation FailSafe Error message displayed when performing Plugin or Theme Bulk updates on the WordPress Updates page.
• Dev Note: AJAX post_var variable unique value names created for install vs update plugin or theme actions.
• Dev Note: When Plugin or Theme updates or installations are performed, language translation files are installed “after the fact”. Solution: AFS Cron /languages/ folder backup performed before turning ARQ back On.
• Dev Note: Security Log Alerts and the BPS Pro Dashboard Status Display are no longer displayed on the WP Updates or the WP About page.

• Change: Total # of Security Log Entries by Type: WP Core, Plugin & Theme: Shiny, Manual, Bulk & Automatic Updates & Installations: ARQ Cron Turned Off, Backup performed and ARQ Cron Turned On general Log Entry Types. Note: There are a total of 14 new unique log entry types depending on the specific type of WP Core, Plugin or Theme update or installation. Current Total number Security Log entries by Type: 38.

• Feature Change|Improvement: JTC Anti-Spam|Anti-Hacker stand-alone function created. JTC Anti-Spam|Anti-Hacker is no longer dependent on whether or not Login Security & Monitoring is turned On and can be used independently.

• New Option: Enable Login Security for WooCommerce: Check this checkbox if you have the WooCommerce plugin installed if you would like to use BPS Login Security on the WooCommerce custom login page. BPS Login Security will still continue to work normally on the standard WordPress Login page when you check this checkbox. This checkbox option setting is not for turning Login Security On or Off if you are using WooCommerce. Use the Login Security Turn On|Turn Off option to turn Login Security On or Off.

• New Option: Enable JTC for WooCommerce: Check this checkbox if you have the WooCommerce plugin installed if you would like to use BPS JTC on the WooCommerce custom login page. BPS JTC will still continue to work normally on the standard WordPress Forms: Login, Register, Lost Password, Comment, BuddyPress Register and BuddyPress Sidebar Login Forms when you check this checkbox. This checkbox option setting is not for turning JTC On or Off if you are using WooCommerce. Use the JTC Enable|Disable JTC For These Forms option checkboxes to enable or disable JTC on each of your Forms.

• Dev Note: LSM & JTC protect the Standard WordPress Forms: Login, Register, Lost Password, Comment, BuddyPress Register Form and BuddyPress Sidebar Login Forms and the WooCommerce custom Login page/Form. If WooCommerce is deactivated or WooCommerce is not installed and the Enable Login Security for WooCommerce and/or the Enable JTC for WooCommerce checkbox options are checked then LSM & JTC will still work normally on the Standard WordPress Forms. M&A Core: LSM, JTC, SW, SWNO, XTF, BUF.

• New Dismiss Notice: BPS Pro WooCommerce Options Notice: Enable Login Security for WooCommerce & Enable JTC for WooCommerce: BPS Pro Login Security & Monitoring (LSM) & JTC Anti-Spam|Anti-Hacker (JTC) can be enabled/disabled for the WooCommerce custom login page by checking or unchecking the Enable Login Security for WooCommerce & Enable JTC for WooCommerce checkbox option settings. The LSM and JTC WooCommerce options are automatically enabled during the BPS Pro upgrade if you already had WooCommerce installed before upgrading BPS Pro. If you just installed WooCommerce you can either run the Setup Wizard to enable the LSM and JTC WooCommerce options or you can enable these options manually by going to the BPS Pro LSM and JTC plugin pages if you want to enable LSM and/or JTC for WooCommerce.

• XTF Form Update: New DB options added for Enable Login Security for WooCommerce and Enable JTC for WooCommerce.

• New System Info Checks: WP Temp Dir, PHP Temp Dir, PHP Upload Temp Dir, Session Save Path and WP_TEMP_DIR constant value check. The new System Info checks display either: [the directory path if it exists and is writable] or [Not set/defined or directory is not writable]. Useful for checking Temp directory, upload Temp directory and Session Save Path issues/problems.

• Change|Compatibility: Security Logging templates: Changed negative offset -1 to 0 for POST Request Body capture for PHP7.1.x compatibility. Fixes PHP error: PHP Warning: file_get_contents(): Failed to seek to position -1 in the stream. Templates affected: 403.php, 404.php & 405.php.

• Change|Improvement: AutoRestore|Quarantine Alert message text wording improvement.

• Change|Improvement: Login Security email alert text changes:
Old: A User Account Has Been Locked. New: A User Account has been locked on website: example.com
Old: A User Has Logged in. New: A User has logged in on website: example.com
Old: An Administrator Has Logged in. New: An Administrator has logged in on website: example.com

• BugFix: Custom User Roles: Pre-save and correct Custom User Roles db option values during BPS upgrade. Fixes problem with ISL and ACE not allowing users with a Custom User Role to login if ISL or ACE is turned On.

• Procedural: Suppress PHP Notice error: Undefined variable: source in /bulletproof-security/includes/arq-cron.php on line 659.

• Change|Improvement: Various CSS and HTML changes for Form elements & jQuery UI Accordion widget.

• Dev Note: All urls pointing to ait-pro.com sites changed from http to https urls.

• Bonus Custom Code: New Bonus Custom Code has been created to block the WP REST API JSON Requests to the /users and /comments Routes, which prevents your author name/username and User ID from being publicly displayed. https://forum.ait-pro.com/forums/topic/wp-rest-api-block-json-requests-to-users-comments-routes/.