UDP
1.26.4 – 07/May/2026
Changes
- Fix: In version 1.26.2, a regression prevented the backup schedule, including the day name or number, as well as backup entity exclusion rules, from being saved.
- Tweak: Alert users who wrongly enter URLs instead of an actual hostname for SFTP and FTP remote storage.
- Tweak: Updated DreamObjects endpoints by removing the deprecated objects-us-west-1, marking objects-us-east-1.dream.io as unavailable (Nov. 12th, 2025), and adding admin notices to inform users of this change.
- Tweak: get_structured_data() now accepts params to avoid timeouts.
1.26.3 - 08/Apr/2026
Changes
- Feature: Added a new command to get installation info for given plugins.
- Fix: Fixed backup failures on tables with invisible columns and large data volumes.
- Fix: Unable to uncheck all categories on a post in the UDC dashboard
- Tweak: Ensure autobackup notice is always a string to prevent PHP 8.1+ deprecation in wp_kses()
- Tweak: Fix the JS errors that occur when deleting the last generated UDC keys.
- Tweak: Implemented adjustments for UI misalignment issues caused by the WordPress 7 visual design refresh across the admin dashboard. The plugin's interface now aligns correctly with the updated design standards.
- Tweak: Prevent broken settings pages in other plugins in multisite when UpdraftPlus is active due to modified menu URLs.
- Tweak: Update all links in the addons folder to use teamupdraft.com instead of updraftplus.com.
- Tweak: Replaced esc_html_e() with esc_html__() where string concatenation was silently discarding the colon separator in SFTP connection failure message and noscript JavaScript warning notice
- Tweak: Switched to the native phpseclib API/function for Dropbox token decryption, replacing mcrypt_decrypt, which was deprecated in PHP 7.1 and removed in PHP 7.2.
- Tweak: Implemented streaming extraction for large files during restoration to handle cases where file size exceeds the PHP memory limit.
- Tweak: Clear out PHP "Undefined offset" notice that occurred while restoring a backup of single site to multisite. It happened during the search-replace operation due to the absence of the users and usermeta tables.
- Tweak: Enhance the unzip file function to handle more folder inclusion/exclusion
- Tweak: Update all links in the methods folder to use teamupdraft.com instead of updraftplus.com.
- Tweak: Add post status and date fields to get_posts API response for UDC
1.26.2 - 03/Mar/2026
Changes
- Tweak: Added PHP 8.5 support to UpdraftClone
- Tweak: Fix deprecation warnings in PHP 8.4 for the Dropbox integration
- Tweak: Make abort backup warning icon responsive with percentage-based sizing
- Tweak: Prevent the suppressed PHP warnings from being output in the backup and restore log on PHP 8.0+
- Tweak: On a site where the site owner has restricted (super-)administrators (so that they can't restore backups), require a constant to first be set to use the HTTP debug tool for internal IP addresses.
- Tweak: Update all links in the settings folder to use teamupdraft.com instead of updraftplus.com.
- Tweak: When deleting backup sets created through a direct site-to-site migration, the 'Also delete from remote storage' checkbox is unnecessary.
1.26.1 - 19/Jan/2026
Changes
- Fix: Google Drive chunked uploads didn't resume from where they left off but started from the beginning, resulting in file duplicates
- Tweak: Add a WP-CLI command to register a product key (premium)
- Tweak: Add product registration link on the premium version
- Tweak: Fix JS error on UpdraftCentral Cloud connect modal.
- Tweak: Fix grammatical error in the low disk space admin notice.
- Tweak: Update links for better user experience
- Tweak: Update the premium links on the settings page
- Tweak: Update all links in the includes/notices/central folders to use teamupdraft.com instead of updraftplus.com.
- Tweak: Upgrade the common-libs tag version
1.25.9 - 12/Nov/2025
Changes
- Fix: A regression that resulted in the list of tables within the "Database size" tools not being displayed, due to code refactoring implemented in version 1.25.8.
- Tweak: Add function for returning Advanced Tools menu data in a structured format.
- Tweak: Resolve a regression in 1.25.2 which caused the admin notice "Not yet connected to licence" to link to teamupdraft.com instead of the UpdraftPlus Premium/Extensions tab.
- Tweak: Refactoring connection keys data function to deduplicate and read from a single source
- Tweak: Restored the missing backup confirmation pop-up icon for older WordPress versions.
- Tweak: Stripped unwanted HTML from the plain-text notice and added new lines after each sentence in the sale offer message.
- Tweak: Update Black Friday seasonal sale URL/link
- Tweak: Updated "Check our premium" and "Back up non-WP tables and external databases" URL links to avoid HTTP 404 (not found) errors.
- Tweak: Update database charset detection to support both CHARSET= and CHARACTER SET syntax in SQL dumps
- Tweak: Replaced deprecated (boolean) casting
1.25.8 - 07/Oct/2025
Changes
- Fix: A fatal error in UpdraftCentral when trying to manage posts when no posts exist.
- Fix: During a failure in the file copy process while restoring, a directory was created with the same name as the file, and the restoration process persisted when it ought to have been stopped
- Fix: PHP fatal error in WP CLI commands for listing or scanning existing backups on PHP 8.0+ after a rescan
- Tweak: Add UpdraftCentral support to import_settings function with return values
- Tweak: Add support for new Amazon AWS S3 regions
- Tweak: Added Burst Statistics to the family plugin list
- Tweak: Adjust the backup logic to recognize invisible columns, and when that occurs, use a query that explicitly specifies the required columns instead of relying on "SELECT *".
- Tweak: Ensure the restore process terminates with an error when file copying/moving fails
- Tweak: Improve the backup email report to better reflect the backup types and status.
- Tweak: New endpoint for getting locked settings data for UpdraftCentral
- Tweak: Perform a search and replace on __PHP_Incomplete_Class to make it work with unserialize() when object deserialization is not allowed.
- Tweak: Refactoring site info section to deduplicate and read from single source
- Tweak: Resolved a PHP warning triggered when uploading the plugin via the WP Plugins page — caused by translation functions (e.g. __()) being called too early.
- Tweak: Some text was left out of the translation POT file, which meant that certain translator plugins and libraries could not find the text, making it impossible to translate.
- Tweak: Update the db_size function to allow returning either data or html, depending on the argument that is passed in.
1.25.7 - 07/Aug/2025
Changes
- Fix: A regression for verifying the presence of old folders in the backup directory; old folders created during the restoration of the "Others" entity were not detected correctly.
- Fix: The per-backup lock entries were not removed, resulting in an accumulation of these entries in the database over time. (Includes clean-up of old entries).
- Tweak: Add IDrive e2 and MEGA to the S3-Compatible storage list
- Tweak: Internal function call to prevent a PHP 8.1 deprecation notice on fresh WP installs
- Tweak: Add wp-staging to the default uploads exclusion list
- Tweak: Add UpdraftCentral handler for site icon upload request.
- Tweak: Added support for the database view dashicon in WordPress versions prior to 5.5.
- Tweak: Include site icon information in the 'get_site_icon' response of the UpdraftCentral core module.
- Tweak: Resolve the empty list issue on the backup email reports created by the UpdraftPlus free version
- Tweak: The "Get every Feature of UpdraftPlus Premium" box shouldn't be displayed after purchases got claimed/activated
- Tweak: Remove seasonal (new year, summer, spring and plugin collection) sale notices
- Tweak: Handle unsupported character set defined for table fields during database pre-restoration.
- Tweak: Updated links in the Premium Extensions tab of the plugin’s admin menu page.
1.25.6 - 27/May/2025
Changes
- Fix: A regression that prevented the remote storage label from being updated
- Fix: A regression that could cause unintended behaviour when restoring special files
- Fix: A fatal error when executing a standalone php backup script with "do_action('updraft_backup_all')".
- Fix: Regression that caused certain features (e.g. PHP Info) to break due to a missing HTML attribute on the triggering element
- Fix: An issue that caused migration failure for sites using the Performance Lab plugin or other plugins implementing an object cache drop-in
- Tweak: Handle non-fatal file rename failure during restore
- Tweak: The automatic backup feature is now disabled by default on new installs
- Tweak: Return post status and formatted date from UDC post API
- Tweak: Replace a call to unserialize() in the Dropbox storage library
- Tweak: Validate the DreamObjects endpoint to ensure only expected DreamObjects endpoint formats can pass through.
- Tweak: Position the "includes all tables not listed below" option at the beginning of the first known table in the DB restoration widget.
- Tweak: Add a new default endpoint in DreamObjects along with UI to allow users to add custom endpoint in the format "s3.<region>.dream.io".
- Tweak: The Azure Storage Service add-on now requires PHP 5.6 or higher to support the mandatory use of TLS 1.2, which will be enforced starting August 31, 2025.
1.25.5 - 17/Apr/2025
Changes
- Fix: A bug that prevented the Rackspace "Create new API user and container" dialog from opening.
- Tweak: An HTTP header intended to terminate the browser's connection was incorrectly assigned a value that the header does not support.
- Tweak: Ability to automatically choose the proper checkout page when the user is about to buy TeamUpdraft products from within the plugin
- Tweak: Clear Divi theme CSS cache at the end of the restoration process
- Tweak: Resolve PHP warning in pCloud addon when upgrading from free to premium version.
- Tweak: Update error messages when the user fails to connect to their TeamUpdraft account on the 'Premium/Extensions' tab.
1.25.4 - 24/Mar/2025
Changes
- Fix: Regression in 1.25.3 - missing database encryption input field due to the use of the "wp_kses_post" function that doesn't allow "<input>" tag to be rendered
- Tweak: Add new fields to UpdraftCentral handler
1.25.3 - 21/Mar/2025
Changes
- Fix: An issue that prevented an UpdraftClone backup from sending when attempting to boot an UpdraftClone from WP_CLI
- Fix: An issue that prevented changing the default UpdraftClone region when attempting to boot an UpdraftClone from WP_CLI
- Tweak: The "x-amz-content-sha256" request header is now signed and included in the S3 signature version 4. Some S3-based providers mandate the signing of this header for accurate signature calculation.
- Tweak: Introduce a new constant named "UPDRAFTPLUS_S3_EXCLUDE_SIGV4_CONTENT_SHA256_HEADER". This constant allows for the exclusion of the "x-amz-content-sha256" headers from being signed if desired; it accepts a boolean value, defaulting to false.
- Tweak: Add 'noopener, noreferrer' window features to the JavaScript window.open() call to prevent the target page from changing the content of the original page
- Tweak: Favicon fetching feature for UpdraftCentral
- Tweak: Minor tweak to "updates" module to include icons to plugin and screenshot url to theme update items
- Tweak: New UpdraftCentral module for background fetching
- Tweak: Revise the wording found in the expert settings regarding the deletion of local backup files
- Tweak: Update seasonal notices
- Tweak: Enhance the notifications to signify the introduction of other plugins that belong to the same plugin family
- Tweak: To avoid CORS issues and ensure the UpdraftPlus plugin is functional and accessible via the UpdraftCentral dashboard, the hostname and/or domain origin is changed from updraftplus.com to teamupdraft.com.
- COMPATIBILITY: Resolved PHP deprecation warnings in lockadmin.php by eliminating the use of dynamic properties
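
The two 1.25.3 items on "x-amz-content-sha256" concern which headers enter the SigV4 SignedHeaders list. The following is an added example, not UpdraftPlus code: the function names, bucket host, secret, date and payload are constructed assumptions. It signs the same request with and without the header in SignedHeaders and shows that a provider which recomputes the signature with the header signed rejects the other variant.

```php
<?php
// Added illustration, not UpdraftPlus code. Host, secret, date and payload are constructed.

/**
 * Compute a SigV4 signature. $sign_content_sha256 selects whether the
 * x-amz-content-sha256 header is listed in SignedHeaders (it is sent either way).
 * $query must already be in canonical (sorted, URI-encoded) form.
 */
function demo_sigv4($method, $uri, $query, array $headers, $payload, $secret, $region, $amz_date, $sign_content_sha256 = true) {
    $payload_hash = hash('sha256', $payload);
    $headers['x-amz-content-sha256'] = $payload_hash;
    $headers['x-amz-date'] = $amz_date;

    // Canonical headers: lower-case names, trimmed values, sorted by name
    $canonical = array();
    foreach ($headers as $name => $value) {
        $name = strtolower($name);
        if ('x-amz-content-sha256' === $name && !$sign_content_sha256) continue;
        $canonical[$name] = preg_replace('/\s+/', ' ', trim($value));
    }
    ksort($canonical, SORT_STRING);
    $canonical_headers = '';
    foreach ($canonical as $name => $value) {
        $canonical_headers .= $name.':'.$value."\n";
    }
    $signed_headers = implode(';', array_keys($canonical));

    // The payload hash is always the last line of the canonical request
    $canonical_request = implode("\n", array($method, $uri, $query, $canonical_headers, $signed_headers, $payload_hash));

    $date = substr($amz_date, 0, 8);
    $scope = $date.'/'.$region.'/s3/aws4_request';
    $string_to_sign = "AWS4-HMAC-SHA256\n".$amz_date."\n".$scope."\n".hash('sha256', $canonical_request);

    // Derive the signing key: date -> region -> service -> terminator
    $key = hash_hmac('sha256', $date, 'AWS4'.$secret, true);
    $key = hash_hmac('sha256', $region, $key, true);
    $key = hash_hmac('sha256', 's3', $key, true);
    $key = hash_hmac('sha256', 'aws4_request', $key, true);

    return array(
        'signed_headers' => $signed_headers,
        'signature' => hash_hmac('sha256', $string_to_sign, $key),
    );
}

/** Model of a provider that requires the header to be signed: it recomputes the signature that way. */
function demo_strict_provider_accepts(array $client, $method, $uri, $query, array $headers, $payload, $secret, $region, $amz_date) {
    $expected = demo_sigv4($method, $uri, $query, $headers, $payload, $secret, $region, $amz_date, true);
    return in_array('x-amz-content-sha256', explode(';', $client['signed_headers']), true)
        && hash_equals($expected['signature'], $client['signature']);
}

// Constructed request
$method = 'PUT';
$uri = '/backup_2025-03-21-db.gz';
$query = '';
$headers = array('Host' => 'bucket.s3.example.invalid');
$payload = 'constructed backup bytes';
$secret = 'EXAMPLE-SECRET-KEY';
$region = 'us-east-1';
$amz_date = '20250321T120000Z';

$with = demo_sigv4($method, $uri, $query, $headers, $payload, $secret, $region, $amz_date, true);
$without = demo_sigv4($method, $uri, $query, $headers, $payload, $secret, $region, $amz_date, false);

foreach (array('header signed' => $with, 'header excluded' => $without) as $label => $client) {
    $ok = demo_strict_provider_accepts($client, $method, $uri, $query, $headers, $payload, $secret, $region, $amz_date);
    echo $label.': SignedHeaders='.$client['signed_headers'].' signature='.$client['signature'].' accepted='.($ok ? 'yes' : 'no')."\n";
}
```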
1.25.2 - 26/Feb/2025
Changes
- Feature: Added a "Cron events" tab in the Advanced Tools section to check for the presence of the UpdraftPlus cron job.
- Fix: Resolve the issue of uploads to pCloud failing after a folder name change by resetting the "folderid" whenever the folder name is updated.
- Tweak: Add site information for WooCommerce and HPOS support to the database backup header.
- Tweak: Create a log entry when a bot verification page appears during the file upload in the migration procedure.
- Tweak: Improve error message clarity for failed connection tests in migration.
- Tweak: Include details in the backup log file about the status and availability of the proxy configured in the system.
- Tweak: Update the Google library to support the WP_PROXY_HOST and WP_PROXY_PORT constants.
- Tweak: Update the link for OneDrive and Azure app creation
- COMPATIBILITY: Got rid of PHP 8.4 deprecation messages caused by the E_STRICT constant usage
1.25.1 - 11/Jan/2025
Changes
- SECURITY: Fix a non-persistent reflected XSS vulnerability due to a missing nonce combined with missing sanitisation. This could allow an attacker, who persuaded you to click a personally-crafted link to your site's dashboard whilst you were logged in, to once run JavaScript code in your dashboard. Thanks to Asaf Mozes for finding and responsibly disclosing this issue.
- Fix: Prevent the restoration from failing when there is a 'sync-xhr=()' permission policy on the response header.
- Fix: Improve the approach of acquiring a suggested region for Amazon AWS S3 if a failure arises during the getBucketLocation() call, particularly when the XML response fails to provide a field for the suggested region - this resolves issues with regions (e.g. us-east-2) which recently changed their response behaviour
- Tweak: Broaden the support to incorporate the "ap-southeast-4" region of Amazon AWS S3 and additional recently updated regions
- Tweak: A regression in the paid version update checker to version 4.13.2, resulting in non-appearance of notices concerning subscription status or WP version compatibility.
1.24.12 - 23/Dec/2024
Changes
- Fix: The pre-restoration stage failed to properly address the tables that were to be excluded, which caused a logical error that misread the checked "include all tables not listed" option as an instruction to restore every table
- Fix: Update the PHPSecLib library to version 2.0.48, which has the fixes for the "gmp_pow(): base and exponent overflow" error on certain PHP versions, which could cause backups to SFTP remote storage to fail
- Tweak: Complete the review and removal of calls to the unserialize() PHP function allowing class instantiation begun in 1.24.7. (The final removal involved a theoretical security defect, if your development site allowed an attacker to post content to it which you migrated to another site, and which contained customised code that could perform destructive actions which the attacker knew about, prior to you then cloning the site. The result of this removal is that some search-replaces, highly unlikely to be encountered in practice, will be skipped).
- Tweak: Drop search and replace feature for PHP 5.2 users (to fulfil the preceding item)
- Tweak: Tweak UpdraftCentral media module to add "has_image_editor" property to each media item
- Tweak: On the restoration screen in a multisite configuration, the dropdown labeled "which site to restore" was covering other HTML elements, which caused some buttons to be positioned at the bottom instead of at the top
- Tweak: Avoid deregistering jQuery-UI CSS if already printed by other plugins to prevent compatibility issues
- Tweak: In the context of database restoration, the execution of LOCK and/or ALTER SQL statements must be avoided for any tables that are part of the "skipped tables" list
- Tweak: openssl_free_key() is only needed on PHP < 8
- Tweak: Various coding style changes to comply with "Plugin Check" rules
1.24.11 - 15/Nov/2024
Changes
- Tweak: Do not request drive.readonly scope on Google Drive connections, due to Google's app permissions review (unannounced and requires us to create a YouTube video for their review process) - this means that (until the review completes) new connections to Google Drive can only access backups created by UpdraftPlus directly, and not backups which you manually upload to Google Drive. This restores the ability to make new connections to Google Drive.
- Tweak: Adjustment of the UpdraftPlus_S3_Compat class to preserve compatibility with the external UpdraftPlus AWS SDK plugin (https://github.com/DavidAnderson684/updraftplus-aws-sdk).
1.24.9 - 14/Nov/2024
Changes
- Fix: A regression in 1.24.8 when handling restoration of wp-config.php
- Tweak: The changes in handling of loading text domains in 1.24.8 did not cover most cases
- Tweak: Introduce the "updraftplus_use_builtin_wpcore_restoration" filter which can be used to restore WP-Core entity using a different WP-Core restoration mechanism especially in a case that the admin-ajax.php file couldn't be deleted during the restoration
1.24.8 - 13/Nov/2024
Changes
- Tweak: Add descriptions for the 'Clone Package' dropdown when creating a clone.
- Tweak: Move the "load_plugin_textdomain" call from being called through "plugins_loaded" action to being called via "init" action
- Tweak: Update the log message to specify that backup files are marked as "processed" when no remote storage is selected, and as "uploaded" when remote storage is selected.
- Tweak: Some code tidying in the restore class
1.24.7 - 04/Nov/2024
Changes
- Tweak: Include the .part file extension into the cleanup list, guaranteeing that files associated with this extension are regularly deleted from the backup directory
- Tweak: The update functionalities in the WordPress plugin information box (6.5 and later) have been adjusted to stop updates from taking place in the same window, ensuring that the "auto-backup before update" dialog appears as intended
- Tweak: Add customized "unserialized" method into the UpdraftPlus class which can handle the use of the "options" argument or its absence when running across different PHP versions
- Tweak: Add the UPDRAFTPLUS_SEND_UNWRITABLE_BACKUP_DIRECTORY_EMAIL constant to disable the sending of unwritable backup directory emails to users.
- Tweak: Clearer notifications to users regarding unconfigured remote storage settings and/or the selection of remote storage that are not part of their UpdraftPlus version
- Tweak: During the resumption of OneDrive’s chunk uploads, the authorisation header and bearer token should not be included as it may lead to an unauthenticated error due to a different upload URL.
- Tweak: Implement code to enable automatic activation of the UpdraftPlus plugin during the migration process from a multisite setup to a standalone site
- Tweak: In a multisite environment, ensure that users can access the UpdraftPlus plugin page even in the absence of the WP_ALLOW_MULTISITE constant
- Tweak: UpdraftClone now supports PHP 8.4
- Tweak: Prevent a potential PHP deprecation notice when zip creation fails
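
The 1.24.12 item on removing unserialize() calls that allow class instantiation, and the 1.24.7 item above on a wrapper that copes with the "options" argument being absent on older PHP, both come down to the behaviour below. This is an added example, not UpdraftPlus code: the class, the helper names, the pre-PHP 7 fallback and the payload are constructed assumptions. It shows magic methods firing under a plain unserialize(), not firing when classes are disallowed, and a search-replace pass skipping the resulting object node.

```php
<?php
// Added illustration, not UpdraftPlus code. The class and payload are constructed.

class Demo_Cleanup {
    public $path = '';
    public static $calls = array();
    // Magic methods run automatically when unserialize() is allowed to build the object
    public function __wakeup() { self::$calls[] = '__wakeup '.$this->path; }
    public function __destruct() { self::$calls[] = '__destruct '.$this->path; }
}

/** Hypothetical wrapper: never instantiate classes, whatever the PHP version. */
function demo_unserialize_no_classes($data) {
    if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
        return unserialize($data, array('allowed_classes' => false));
    }
    // PHP < 7.0 has no options argument. Assumed conservative fallback: refuse any
    // input containing an object token (this also refuses some harmless strings).
    if (preg_match('/(^|[;{}])[OC]:[+]?\d+:"/', $data)) return false;
    return unserialize($data);
}

/** Search-replace over unserialized data; object nodes are left untouched and counted. */
function demo_search_replace($node, $from, $to, &$skipped) {
    if ($node instanceof __PHP_Incomplete_Class || is_object($node)) {
        $skipped++;
        return $node;
    }
    if (is_array($node)) {
        foreach ($node as $k => $v) {
            $node[$k] = demo_search_replace($v, $from, $to, $skipped);
        }
        return $node;
    }
    return is_string($node) ? str_replace($from, $to, $node) : $node;
}

// Constructed option value: a URL string plus a serialized object
$payload = 'a:2:{s:4:"home";s:23:"https://dev.example.org";s:4:"hook";O:12:"Demo_Cleanup":1:{s:4:"path";s:11:"/tmp/target";}}';

// Plain unserialize(): the object is built, so __wakeup and later __destruct run
$value = unserialize($payload);
unset($value);
$calls_plain = Demo_Cleanup::$calls;
Demo_Cleanup::$calls = array();

// Classes disallowed: the object becomes an inert __PHP_Incomplete_Class
$value = demo_unserialize_no_classes($payload);
$skipped = 0;
$value = demo_search_replace($value, 'dev.example.org', 'www.example.org', $skipped);
$calls_safe = Demo_Cleanup::$calls;

$hook = (array) $value['hook'];
echo 'magic method calls, plain unserialize: '.count($calls_plain)."\n";
echo 'magic method calls, classes disallowed: '.count($calls_safe)."\n";
echo 'home after search-replace: '.$value['home']."\n";
echo 'object nodes skipped: '.$skipped.' (original class: '.$hook['__PHP_Incomplete_Class_Name'].")\n";
```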
1.24.6 - 25/Sep/2024
Changes
- Tweak: In 1.24.5, the browser title wrongly displayed as "UpdraftPlus" when accessing an unrelated plugin page using the main menu.
1.24.5 - 24/Sep/2024
Changes
- Fix: Incorrect regular expression for DigitalOcean Spaces endpoint
- Fix: CSS conflicts with the LearnDash LMS Instructor Role Add-on plugin which caused some UI elements to disappear
- Tweak: Reorganize UpdraftPlus in left-hand menu and rename it to "UpdraftPlus"; to disable it, follow this guide: https://updraftplus.com/new-location-of-updraftplus-in-the-wordpress-dashboard/
- Tweak: Add span wrapper to UpdraftCentral connection failed message
- Tweak: Add the "Go here to complete your settings" link into the appropriate admin notice that when clicked will jump to the UpdraftVault configuration if no settings are specified.
- Tweak: Adjust regex patterns that didn't match some temporary files, causing them to not be automatically removed
- Tweak: After a restoration, clicking "Delete old folders" will also remove the wp-config-pre-ud-restore-backup.php file
- Tweak: On the settings page/tab; prevent the floating "Save changes" button from getting clicked multiple times and/or sending multiple AJAX requests
- Tweak: Remove pCloud from the add-ons list on the "Premium / Extensions" tab (there is no change in its availability)
- Tweak: Renamed wp-config-backup.php to wp-config-pre-ud-restore-backup.php to clarify its purpose as a backup file created before restoring WordPress core entities, and it will only be generated if the user does not select the "Over-write wp-config.php" option during restoration, as the previous name was too generic and could cause confusion
- Tweak: The popup modal for automatic plugin updates fails to retain the backup checkbox selection when the "remember" option is enabled in a Multisite environment.
- Tweak: Updated autobackup selector to resolve issues caused by the missing "update-link" class in WPForms Pro plugin
1.24.4 - 2/Jul/2024
Changes
- Fix: Case-sensitive issue of bit field type names in a table.
- Fix: Resolved issue where backup files could not be deleted from remote storage when either the root directory was active or no directory was specified in the OneDrive configuration form.
- Fix: When users attempt to update a plugin using the "View Version x.x.x Details" link instead of choosing "Update Now," the plugin is successfully updated; however, the UI incorrectly displays an "Update Failed" message
- Fix: Conflict with the Gravity Forms plugin when there was an older version of jQuery UI presented on the "Installed Plugins" page.
- Tweak: Ensure compliance with Google Granular Consent and check for required permissions during storage access authorisation of Google Drive and Google Cloud
- Tweak: Prevent PHP warning and deprecation messages after completing access authorisation to Google Drive storage.
- Tweak: Prevent PHP warning when Dropbox remote storage has been authenticated and the page is refreshed.
- Tweak: Added filter updraftplus_working_dir_localpath to allow temporary unzip path to be modified by developers
- Tweak: Modify the displayed title of the plugin from "WordPress Backup & Migration Plugin" to "WP Backup & Migration Plugin" as required by the plugin directory team
- Tweak: Parse certain php events and log proper error messages
1.24.3 - 30/Apr/2024
Changes
- Fix: Regression in 1.23.16 (from the log improvements) that caused the incorrect_offset error reported by Dropbox not to be properly handled.
- Tweak: The UpdraftVault remote storage can handle Wasabi as well as Amazon S3 storage in the background.
- Tweak: Fix WP_Theme_JSON_Resolver::theme_has_support deprecation warning for UpdraftCentral
- Tweak: Prevent "PHP Warning: Undefined property: UpdraftPlus_BackupModule_pcloud::$description" during rescan remote storage.
- Tweak: Prevent PHP deprecation warnings during database backups when encountering null values in bit field types.
- Tweak: Show a warning message when the WP_ACCESSIBLE_HOSTS constant is defined and updraftplus.com is not permitted by its value
- Tweak: Update notices
- Tweak: Split multiple sentences into separate translation function calls.
- Tweak: Trim spaces from S3-Compatible (Generic) endpoint.
1.24.2 - 26/Mar/2024
Changes
- Fix: The "Continue restoration" and "Dismiss" buttons on the unfinished restoration dialog were not responsive to being pressed due to a recent regression
- Fix: Conflict with other plugins due to different version of third party library (Guzzle) and the composer autoload.php was called too early
- Fix: Undefined "NET_SCP_LOCAL_FILE" constant when SCP was in use for the SFTP/SCP remote storage
- Tweak: Add compatibility fields when returning plugins and themes to UpdraftCentral
- Tweak: Due to issues in some cURL versions 7.x in handling HTTP/2 connections, all HTTP connections to the OneDrive API are now forced to use HTTP/1.1 version, on cURL versions after 7.61 and before 8.0. Also, a constant named UPDRAFTPLUS_ONEDRIVE_CURL_HTTP_VERSION can be set in the wp-config.php file to change the default HTTP version to another preferred version
- Tweak: Adjust margin to fix broken UI for the 'View logs' button on backups.
- Tweak: Ensure all "SET SQL_MODE" statements in the database backup file are internally handled and are subjected only to a restoration outside UpdraftPlus plugin
- Tweak: Prevent PHP 8.2 coding style deprecation notices in the autobackup addon
- Tweak: In the context of OneDrive's chunk upload, authorisation header and bearer token should not be included during upload session as it may lead to 401 HTTP status due to different upload URL
- Tweak: Remove default value for updraftplus_https_to_http_additional_warning and updraftplus_http_to_https_additional_warning filters.
- Tweak: Set the SQL_MODE to 'NO_AUTO_VALUE_ON_ZERO' in the database backup file.
- Tweak: Seasonal notice content update for 2024
- Tweak: During the operations that require phpseclib, include the composer autoload.php only when the phpseclib is really needed
1.24.1 - 21/Feb/2024
Changes
- Feature: Implement Backblaze Object Lock support (Premium version)
- Fix: The email backup and basic report setting didn't work, so the notification email confirming backup status couldn't be delivered to the admin's email address (free version)
- Fix: Fix WP-Optimize premium discovery for UpdraftCentral
- Fix: Regression in 1.23.16 for correcting calls to translation functions which then caused some HTML attributes to be empty
- Fix: Restoring backup sets via the Migrate/Clone tab caused all associated backup entities to be downloaded immediately, ignoring user preferences about the entities they wanted to restore
- Fix: Third-party library conflict (phpseclib) with WP All Import Pro and AIO WP Migration plugins that caused failure in testing SFTP credentials and backing up to the SFTP remote storage
- Fix: Restore compatibility with WordPress multisite running on versions < 4.9 caused by use of function not present before then
- Tweak: Add new translation entries for UpdraftCentral
- Tweak: Got rid of PHP 8.2 deprecation messages caused by a null value being passed to the htmlspecialchars() function and creation of dynamic property
- Tweak: Got rid of PHP 8.3 deprecation messages caused by calling get_class() without arguments.
- Tweak: Refactor methods in UpdraftPlus_Database_Utility class
- Tweak: Send an email if the backup directory is not writable.
- Tweak: Add and set the `filename_only` parameter to reduce search times when looking for specific backup files in Dropbox.
- Tweak: Autoload PHP secure communication library (phpseclib) in a better way that would prevent already-loaded phpseclib classes (by other plugin) from being used in certain operations
- Tweak: Add updraftplus_backup_db_header_append filter to allow site owners to include arbitrary content in their database backup header
1.23.16 - 23/Dec/2023
Changes
- Tweak: Added demo link for the family plugin in advertisement
- Tweak: Removed https / http prefix from s3generic endpoints
- Tweak: Resolve PHP 8.0 compatibility with ob_implicit_flush function
- Tweak: Dropbox error logs improvement
- Tweak: As required by the wordpress.org plugin team, all UpdraftPlus news is forbidden to be displayed in the "WordPress News" section of the dashboard for users of the free plugin even if consent is first given.
- Tweak: Fix some incorrect calls to translation functions
1.23.14 - 30/Nov/2023
Changes
- Fix: Resolved Google Cloud remote storage authentication flow
- Tweak: Changed updraftvault links functionality to open in different tab
- Tweak: Clarify significance of warnings in report emails
- Tweak: Make the news-consent's layer fit with the confirmation text thus removing empty space that can reveal some of the UpdraftPlus news
- Tweak: Declare a shim "php_uname" function when it's found to be undefined to prevent a fatal error in the phpseclib library (which calls it)
1.23.13 - 22/Nov/2023
Changes
- Fix: An issue that prevented incremental backups from running via WP-CLI or Cron when the option to backup mu-plugins was enabled but no mu-plugins existed
- Fix: OneDrive remote storage authentication was giving the error "Invalid input."
- Fix: The option to back up additional, user-chosen files (i.e. the morefiles entity) was no longer present in the UI
- Tweak: Remove unused "migrator-lite.php" string during search and replace operations
- Tweak: Replace remaining hardcoded text domain with UPDRAFTCENTRAL_TEXT_DOMAIN placeholder within the central folder
- Tweak: LiteSpeed admin dashboard warning is now displayed upon completion of migration on the destination site, even after dismissing the message on the source site.
- Tweak: Do not show UpdraftPlus news in the WordPress events and news widget section without first gaining user consent
- Tweak: Change order of checks when seeing if cPanel is present/accessible for asking about disk quota in order to prevent an unwanted PHP notice when safe_mode is active
- Tweak: Prevent potential fatal error if something has modified an updates check's 'translation' property to be invalid before passing on to UpdraftPlus
- Tweak: Update bundled cacert.pem file
1.23.12 - 08/Nov/2023
Changes
- Fix: Issue that prevented some database restores from completing due to a change in wpdb in WordPress 6.4
- Tweak: Replace Javascript onchange event with oninput event to detect changes made for HTML <input> tags on the settings page, also to add <textarea> to the event handler so that unsaved changes can be detected
1.23.11 - 03/Nov/2023
Changes
- SECURITY: Fix a vulnerability which could, if you had Google Drive storage enabled, and if an attacker targeted a logged-in administrator on your site and persuaded them to access a specific URL that the attacker creates, add the attacker's own Google Drive account to the saved storage methods. Thanks to Nicolas Decayeux of Patrowl for finding and disclosing this issue.
- Feature: Add JSTree for Google Drive to select existing folder
- Feature: The "Must-use plugins" backup entity can be backed up and restored separately in a normal WordPress site
- Fix: OneDrive folder case sensitivity issue (successfully uploaded backup files to the remote storage but failed in pruning old backup files due to different letter capitalisation; also happened in manual deletions)
- Fix: When two instances of WebDav remote storage were sequentially added in the Premium version, filling some fields of the latest instance would break the WebDav URL of the previous instance
- Tweak: Update phpseclib library from version 1 to 2. As previously advised, this also means that these features (Database Encryption, Dropbox & SFTP/SCP remote storage, and UpdraftCentral key creations) will no longer be available and can cause a fatal error when running on PHP 5.2
- Tweak: Add a link to Trustpilot in the review prompt
- Tweak: Added a warning message when the WP_HTTP_BLOCK_EXTERNAL is defined and set to true
- Tweak: Added the "Copy to clipboard" button under the self-hosted central option
- Tweak: File size is shown when pressing on the backup entity
- Tweak: Fix the restore dialog to not display "plugins" checkbox when there is only a "mu-plugins" entity
- Tweak: Fixed PHP 8.2 deprecation messages caused by a null value being passed to the rtrim() function
- Tweak: Resolve PHP deprecations for the dynamic property access by declaring the variables in the class
- Tweak: Includes the plugin.php file path if "get_mu_plugins" function does not exist.
- Tweak: Provide default options for function UpdraftPlus::backup_all()
- Tweak: Add and call the `litespeed_finish_request()` function to ensure the HTTP connection made from the browser gets closed immediately without having to wait for the process to complete, thus leaving it to run in the background
- Tweak: Ensure no PHP "Class not found" is showing up during credentials testing
- Tweak: Add type checking in UpdraftPlus::handle_url_actions() to prevent plugin conflicts causing PHP errors on PHP 8+
1.23.10 - 05/Sep/2023
Changes
- Tweak: New S3 signature version setting is added to the S3-Compatible (Generic) configuration form, giving an opportunity for the user to choose which signature version to use (SigV2 or SigV4)
- Tweak: Enable PHP 8.3 (see: https://stitcher.io/blog/new-in-php-83) support in UpdraftClone
- Tweak: Adjust fread() sizes for better performance when uploading an archive via the widget
1.23.9 - 14/Aug/2023
Changes
- Fix: Fatal error of Uncaught ArgumentCountError when the UpdraftPlus settings page is browsed from an IP-addressed site (i.e. no hostname) on PHP 7.1+
- Fix: Incorrect caching mechanism such that when multiple Google Drive storage back-ends were in use (Premium Feature), uploading to a storage would fail due to unmatched folder ID taken from a different storage instance
- Tweak: Define class properties in UpdraftPlus_Addons_Migrator class for PHP 8.2 compatibility
1.23.8 - 08/Aug/2023
Changes
- Feature: Given the basic migration Feature in the free plugin
- Fix: Content-MD5 and any V2-related headers were always included in the S3's V4 SignedHeaders even though the headers were not present in an HTTP request
- Fix: Generating URL-encoded queries for a canonical request should have used a method/mechanism which encoded query values according to RFC 3986 (for consistency and for not breaking the code)
- Fix: Search / replace database not working on Admin dashboard > Settings > UpdraftPlus Backups > Advanced Tools > Search / replace database on PHP 8.2 due to stricter type checking
- Fix: A newly added subsite that was restored from a normal site to the multisite was not listed in the site list in the multisite
- Fix: Manual deletion of backup sets appeared to skip some files when multiple instance and/or remote storage were in use
- Fix: The SFTP remote storage stopped working in the UpdraftPlus 2.23.6 release. Reverted the change "Tweak: Validate SFTP key field on credential test and before save"
- Tweak: Add a warning in the log file if AWS connection fails and a TLSv1.2 connection test fails
- Tweak: Add warning for user if only PclZip available
- Tweak: Fix unable to switch tab when a plugin (wrongly) loads certain CSS onto UD's settings page
- Tweak: Remove the word 'apparently' in the backup success message
- Tweak: Update to latest phpseclib 1.0.X version (prevents deprecation notice on PHP 8.1+)
- Tweak: Change "s3" property to "public" in UpdraftPlus_AWSRequest class for PHP 8.2 deprecation compatibility
- Tweak: Fixed missing/broken links for the pCloud image in addons tab
- Tweak: Buying UpdraftClone tokens through inline checkout
- Tweak: Fixed Spelling errors in updraftplus repo
- Tweak: Added save button at the top of setting tab content
- Tweak: UpdraftCentral module now, by default, overwrites the same existing theme installed on the remote sites (if any), regardless of what version is currently installed or what version is being uploaded and installed
- Tweak: Define class properties in Updraft_Checkout_Embed class for PHP 8.2 deprecation compatibility
- Tweak: Update the composer package yahnis-elsts/plugin-update-checker for PHP 8.2 compatibility
- Tweak: Added username and email details for authenticated dropbox account in updraftplus settings
- TRANSLATIONS: Split sentences to make one sentence in any translation functions
1.23.7 - 04/Jul/2023
Changes
- Fix: When Dropbox returns an error, this error was not always correctly passed up to the logging layer
- Fix: Search / replace database not working on Admin dashboard > Settings > UpdraftPlus Backups > Advanced Tools > Search / replace database on PHP 8.2 due to stricter type checking
- Fix: The SFTP remote storage stopped working in the UpdraftPlus 2.23.6 release. Reverted the change "Tweak: Validate SFTP key field on credential test and before save"
- Tweak: Fixed missing/broken links for the pCloud image in addons tab
- Tweak: Buying UpdraftClone tokens through inline checkout
- Tweak: Prevent PHP warning during some migrations when no table list provided
1.23.6 - 19/Jun/2023
Changes
- Fix: Search / replace database not working on Admin dashboard > Settings > UpdraftPlus Backups > Advanced Tools > Search / replace database on PHP 8.2 due to stricter type checking
- Tweak: Remove the incremental dropdown on incremental backup restore when the user selects only the database to restore
- Tweak: Validate SFTP key field on credential test and before save
- Tweak: Remove the unused UpdraftPlus_S3::getHttpUploadPostParams() method
- Tweak: Attempt to workaround some web hosts' opcode cache producing incorrect error upon upgrade
- COMPATIBILITY: Fix pCloud deprecated warning in PHP 8.2
- COMPATIBILITY: Fix Google Cloud deprecated warning in PHP 8.2
- COMPATIBILITY: Fix Google Drive deprecated warning in PHP 8.2
- Tweak: Fixed issue with cron jobs not clearing after wiping settings
- Tweak: Added link to WP-Optimize in the database size tab in the advanced tools
1.23.4 - 16/May/2023
Changes
- SECURITY: Fixed a missing nonce combined with a URL sanitisation failure, which could lead to a targeted XSS opportunity (if an attacker persuades a logged-in administrator to both re-authorise their connection to a remote storage (e.g. Dropbox) and then to follow a link personally crafted for their site before re-authorising whilst logged in, the attacker can then store a fixed JavaScript payload in the WP admin area (they would need a further route to use that ability to cause any damage)). Because of the need for the administrator to co-operate in multiple steps, this attack is very unlikely (but you should of course still update).
- Fix: DigitalOcean S3-compatible storage does not work with disabled SSL entirely where possible settings.
- Fix: If there was an error or network connectivity issue on first attempt of uploading a plugin/theme file, then the second attempt of uploading the same file would make the file become corrupted thus resulting in installation failure.
- COMPATIBILITY: Suppress htmlspecialchars deprecation warnings on PHP 8.1
- COMPATIBILITY: Suppress some PHP 8.2 deprecation notices from use of ${} style variables, and others from use of dynamic properties
- Tweak: Handle web hosting company setup that disabled pclose() but not popen()
- Tweak: All HTTP requests to the Google Drive API are now, by default, forced to use HTTP/1.1. Also, a constant named UPDRAFTPLUS_GDRIVE_CURL_HTTP_VERSION can be set in the wp-config.php file to change the default HTTP version to another preferred version
- Tweak: Improve 'move' and 'copy' filesystem functions in restoring directories containing files to a different mount point/partition than where they reside
- Tweak: Improve files pruning mechanism, by not repeating already-done ones when resuming deletions
- Tweak: Improve the Handlebars templates of the Google Drive, Dropbox and UpdraftVault remote storage modules by taking PHP code out of them
- Tweak: Improve widget layout when decrypting a backup
- Tweak: Remove Bootstrap CSS in Restore Wizard and replace with Flexbox CSS
- Tweak: Add multisite subsites header information to the database backup file that will be used for converting a network subsite to a standalone normal WordPress site
- Tweak: Add the UpdraftPlus plugin slug header to the database backup file
- Tweak: Include next-level-up directory path along with deleted folder's name when deleting a folder
- Tweak: Update seasonal notices
- Tweak: Make common logic for getting backup history from the database
- Tweak: Remove usage of the file_get_contents() function from WebDAV remote storage without chunking upload
- Tweak: Pass through some previously unhandled Dropbox error codes
- Tweak: Added the "non-core" word to the WordPress database tables excluded warning.
- Tweak: Remove WordPress core tables from the non-core WordPress database tables excluded list in restoration step 2
- Tweak: When migrating the www site, the search replace will be performed in database tables on the non-www domain too, and vice versa
1.23.3 - 16/Mar/2023
Changes
- SECURITY: This release fixes an important security defect - please update. Full details: https://updraftplus.com/updraftplus-1-23-3-2-23-3-important-security-release/. Sites are affected if there are WordPress users (i.e. people who can login) who can reach the back-end (i.e. wp-admin) dashboard (but we recommend everyone updates in any case).
1.23.2 - 15/Mar/2023
Changes
- Fix: Automatic backups before updating a plugin, theme, or WP core were not working (regression in 1.23.1)
- Fix: A database backup couldn't be taken from WP-Optimize and All-In-One Security (AIOS) (regression)
- Tweak: Add a user capabilities check when downloading a backup (this is not believed to have any security implications, as the download operation already requires knowledge of a further nonce that there is no mechanism for a non-administrator to obtain).
- Tweak: Improve the Handlebars template of the UpdraftVault remote storage by taking PHP code out of it
- Tweak: Prevent making a nonce available to logged-in users who could not manage UpdraftPlus (this did not give access to any unauthorised actions)
- Tweak: Improve the Handlebars template of the pCloud remote storage by taking PHP code out of it
1.23.1 - 08/Mar/2023
Changes
- Feature: Support Cloudflare R2 as a generic S3 storage provider (always use v4 signature)
- Feature: Added the ability to get an accurate row count for all tables in the advanced tools
- Feature: Expose an option in the UI to disable chunked uploading when using WebDAV remote storage (previously required a constant)
- Feature: Add the ability to anonymize WooCommerce order data when cloning a site
- Fix: An over-ride enforcing use of V4 signatures on Aliyuncs S3 storage was no longer working
- Fix: pCloud error handling in chunked uploading did not pass the error message up to the logging layer
- Fix: Backups started under WP-CLI could not backup the database only without any files
- Fix: Couldn't add any file/directory inclusion for "Other" entity because access to one directory up from the current one (ABSPATH) isn't permitted
- Fix: Atomic restore is not renaming a few tables when not restoring specific tables by using the filter `updraftplus_restore_this_table`.
- Fix: Sometimes the "delete old directories" notice displayed even though the actual `-old` directory didn't exist
- Fix: The restore point date time was incorrect in the restore screen when restoring the incremental backup, and the WordPress site has a non-GMT timezone set.
- Tweak: Improve manual rescanning and deletion of backup sets by setting up a time limit to a value defined in UPDRAFTPLUS_SET_TIME_LIMIT constant to minimise chances of getting fatal error (maximum execution time exceeded)
- Tweak: Add a filter updraftplus_mysqldump_arguments to allow changing of arguments passed to the mysqldump binary when that is being used
- Tweak: Include PHP version in default S3 user agent to aid debugging
- Tweak: Disable Gravatar on UpdraftClone
- Tweak: Cleanup .list.tmp files when a cloud backup completes
- Tweak: Use the function that lists our own cron schedules to simplify the way backup intervals are prepared and to avoid schedules mismatch
- Tweak: Improve manual deletion of backup sets by setting up a time limit to a value defined in UPDRAFTPLUS_SET_TIME_LIMIT constant to minimise chances of getting fatal error (maximum execution time exceeded)
- Tweak: Improve the Handlebars template of the S3-Compatible (Generic) remote storage by taking PHP code out of it
- Tweak: Increase max_recursion value to 20 in class-search-replace.php
- Tweak: Add a new function that lists our own cron schedules so that it can later be used for sorting schedules and also as the main source from which our schedules list originates
- Tweak: Display Google drive email address along with account holder name
- Tweak: Fixed WebDAV PHP 8.1+ deprecated warnings
- Tweak: Updated text message displayed on Web Server - Localhost UC Dashboard Key Creation.
- Tweak: Use nonce in every part of a restoration process to prevent direct access that allows an unwanted log file to be begun. On sites running on end-of-lifed PHP versions (<8.0) it was possible to read the beginning of the log file, causing an unintended information disclosure about the server environment, e.g. Apache version, PHP version and available memory (but current PHP versions are not vulnerable).
- Tweak: Use nonce when starting a new restoration and strengthen the continuation process to prevent direct access that has the potential for file and/or log abuse
- Tweak: Improve the WebDAV storage module API in regard to the way it handles uploading and writing files
- Tweak: Replace the word "Directory" with "Folder" in UI notices
- Tweak: UpdraftVault: select storage class intelligently
1.22.25 - 16/Dec/2022
Changes
- Fix: Resolves a fatal error that occurred if a user had one specific add-on and not another (i.e. paid versions only)
1.22.24 - 14/Dec/2022
Changes
- Feature: Support PHP 8.2 in UpdraftClone
- Feature: pCloud protocol support (Premium)
- Fix: Add missing support for custom Dropbox app refresh tokens
- Fix: After sending email report, other emails that follow would contain leftover data from the previous email report
- Fix: Javascript hook that is used to show "Automatic backup before update" dialog box when pressing "Install Update Now" button on the WP Plugins page had made the same button on WP Updates page not respond to a press
- Fix: Potentially not storing the size of new files in the backup history
- Fix: Pressing "Rescan remote storage" using WebDAV can show an error message
- Fix: Prevent a fatal error when logging PHP events using the exported "central" folder on the remote site
- Fix: Prevent an error that occurs on WordPress 6.1 when managing and creating post/page from UpdraftCentral
- Fix: Prevent fatal error when rescanning if internal directory was unusable
- Tweak: Ability to permanently dismiss Litespeed warning
- Tweak: Add admin notice to inform the user to upgrade their PHP to version 5.3 or higher due to changes in phpseclib requirements in future releases
- Tweak: Add "#[\ReturnTypeWillChange]" attribute to Google Drive API for suppressing PHP 8.1 deprecation notices
- Tweak: Add the ability to anonymize personal data in the database backup when using migrator
- Tweak: Advise users if files in the plugin are missing
- Tweak: Discourage page caches from caching UpdraftClone intermediate pages
- Tweak: "Dismiss from main dashboard" button sometimes doesn't work
- Tweak: Fix missing FTP admin notices when clicking on other remote storage method
- Tweak: Hive off the AWS S3 SDK into a separate plugin (UpdraftPlus now always uses its own, more lightweight, SDK) - https://github.com/DavidAnderson684/updraftplus-aws-sdk
- Tweak: Improve the Handlebars template of the Amazon S3 remote storage by taking PHP code out of it
- Tweak: Improve the Handlebars template of the DreamObjects remote storage by taking PHP code out of it
- Tweak: Improve wording in plugin by removing ambiguous wordings
- Tweak: Increase the Google Cloud (Premium) downloading minimum chunk size for faster downloads
- Tweak: In Premium / Extensions tab add notices for AIOS and Easy Updates Manager
- Tweak: Log the list of blocks that failed to re-assemble in Microsoft Azure.
- Tweak: Make the Google Drive downloading algorithms adapt to available memory - cut the total download time by 2/3 in testing
- Tweak: Prevent a PHP notice upon UpdraftClone startup
- Tweak: Prevent deprecation notice on PHP 8+ if opening a zero-size zip file
- Tweak: Replace the use of $_SERVER['SERVER_NAME'] variable with network_site_url() function because the array key is not defined in WP-CLI and might not be defined on some server-side cron tasks, resulting in a PHP log message
- Tweak: Set a global context for $wp_file_descriptions context so that it gets assigned to correctly, preventing a subtle visual change in the theme editor
- Tweak: Use built-in logging for WebDAV
- Tweak: WP Rocket - disable CDN upon migration completion for multisite since key will be invalid
1.22.23 - 29/Sep/2022
Changes
- Fix: Fix "More Files" tracking on resumption
- Fix: Parse error when loading plugins and themes in UpdraftCentral. Error occurs when UpdraftPlus is installed in a system with PHP 5.6 or older.
- Fix: BinZip did not handle out-of-tree directory symlinks. These are now backed up as expected.
- Fix: When expired tokens occur during Vault uploads, reschedule and resume, to avoid incomplete pruning of backup history
- Fix: Inconsistent WebDAV host field behaviour where there are multiple WebDAV storage locations
- Fix: The Exclusion rule link text was broken when "uploads" and "wp-content" exclusion settings were initially in an unchecked state
- Tweak: Create IAM call methods in UpdraftPlus_S3
- Tweak: Add a select all / deselect all selector to the table list when restoring
- Tweak: Do not write `SET @@GLOBAL.GTID_PURGED` statements
- Tweak: Improve the upload after create status reporting in the progress widget
- Tweak: If a symlink pointed to an inaccessible location, this was silently skipped when using ZipArchive; it now generates a warning.
- Tweak: Cast the service list to an array in upload_button() to avoid a potential PHP error with PHP 8
- Tweak: Quadruple size of buffer when reading from files for S3 chunks
1.22.22 - 16/Sep/2022
Changes
- Fix: Restrict the CSS scope for our jQuery to prevent conflicts
- Fix: UI bug when unable to download a database for restoration and then retrying before refreshing the page
- Tweak: Add basic design to confirmation window when adding a site to UpdraftCentral
- Tweak: Prevent a PHP coding deprecation warning on PHP 8.1
- Tweak: Feedburner URLs now are case-sensitive
- Tweak: Improve the Handlebars template of the Rackspace Cloud Files remote storage by taking PHP code out of it
- Tweak: WP Rocket - disable CDN upon migration completion since key will be invalid.
- Tweak: Improve the UpdraftClone user-visible feedback and logging on delay or failure conditions
- Tweak: WebDAV refactor part 2: Eliminate the stream-wrapper layer
1.22.21 - 09/Sep/2022
Changes
- Fix: Infinite recursions/loops appeared to happen in restoration during the search-replace operation especially when some tables had a circular reference in their serialised data
- Fix: Prevent PclZip from restoring empty/corrupt archives
- Fix: Zip file sizes had ceased to be recorded in the backup history
- Fix: Fix fatal error when loading the "Advanced Tools" section for UpdraftCentral
- Tweak: Log intermediate unzip errors before proceeding with different method
1.22.20 - 05/Sep/2022
Changes
- Feature: Restore the "upload immediately after creation" Feature that was turned off whilst misbehaviour was investigated; fixes have been applied.
- Fix: Prevent premature removal of zip manifest files
- Tweak: Improve the Handlebars template of the OpenStack (Swift) remote storage by taking PHP code out of it
- Tweak: Do not run out-of-place "SET @@GLOBAL.GTID_PURGED" statements upon restore
1.22.19 - 29/Aug/2022
Changes
- Tweak: The "upload immediately after creation" Feature has been disabled whilst reports of incorrect behaviour are investigated
- Tweak: Replace require_once to include_once and use the UpdraftCentral path constant when loading the UpdraftCentral host class.
- Tweak: Modify the "overdue crons" message for greater clarity
1.22.18 - 26/Aug/2022
Changes
- Tweak: Suppress pre-loading of phpseclib libraries, which has exposed fatal-error inducing bugs in a handful of unmaintained third-party plugins and themes
- Tweak: Increase the number of conditions for which attempts to access an S3 bucket will result in more logging
1.22.17 - 23/Aug/2022
Changes
- Fix: Ensure jobdata is saved before attempting a partial cloud upload, preventing potential omission of an archive
- Feature: Restore the "upload immediately after creation" Feature that was turned off in 1.22.16 whilst misbehaviour was investigated
- Tweak: Add log information as to why DB stored routines couldn't be included in the backup if that should be so
- Tweak: Declare some implicitly-declared class variables to avoid warnings in PHP 8.2
1.22.15 - 22/Aug/2022
Changes
- Feature: Each archive created will now be uploaded immediately directly after creation, to save disk space (prior behaviour was to first create all archives)
- Fix: Improve parsing of HTTP response code header with generic S3 providers to avoid incorrectly interpreting status code
- Fix: When an S3 service returns a RequestTimeTooSkewed error, make sure this is passed up to the user and not lost
- Fix: Do not prematurely trigger upload_complete message when performing immediate file upload during clone operation
- Fix: Database views don't get restored or are not restored correctly when in atomic mode
- Fix: After sending email reports, other emails that follow used the same From address/name taken from the previous email
- Fix: Database views don't get included in the backup
- Tweak: Improve the Handlebars template of the Microsoft Azure remote storage by taking PHP code out of it (Premium)
- Tweak: Update WebDAV library used for WebDAV remote storage (Premium) - N.B. This now requires PHP 5.5+.
- Tweak: Improve the Handlebars template of the Google Cloud remote storage by taking PHP code out of it (Premium)
- Tweak: Improve the Handlebars template of the Microsoft OneDrive remote storage by taking PHP code out of it (Premium)
- Tweak: Detect and break absurdly-future locks
- Tweak: Restrict the CSS scope for our jQuery to prevent conflicts
- Tweak: Work around consequences of a backup history save failure
- Tweak: Add a twice-daily cron to clear temporary files so that they are cleared even in the absence of new backups beginning and prior backup completion failure
- Tweak: Tweak UpdraftCentral abstraction classes
- Tweak: Separate custom font rules when retrieving styles from remote sites
- Tweak: Prevent PHP deprecation notice when using Google libraries on PHP 8.1+
- Tweak: Simplify Dropbox SDK by removing unused "response format" code
1.22.14 - 07/Jul/2022
Changes
- Fix: Selective table restore
- Fix: Fix restore button JS issue when importing single site to multisite
- Tweak: Allow charset to be set during a WP_CLI restore
- Tweak: Use similar charset if one is not set and not supported during a WP_CLI restore
- Tweak: Add bulk process handler for UpdraftCentral's plugin and theme modules
- Tweak: Return previous plugin and theme states before installation or activation
- Tweak: Improve the Handlebars template of the Backblaze remote storage by taking PHP code out of it (Premium)
- Tweak: Improve the Handlebars template of the WebDAV remote storage by taking PHP code out of it (Premium)
- Tweak: Improve the Handlebars template of the SFTP/SCP remote storage by taking PHP code out of it (Premium)
- Tweak: Avoid using 'phpmailer_init' action when setting up sender name and sender email address, as some SMTP plugins override the 'wp_mail()' function and they don't bother to call the 'phpmailer_init' action
- Tweak: Prevent increments being added to backups from other sites
1.22.13 - 25/May/2022
Changes
- Feature: Added the ability to create a clone from WP-CLI (Premium)
- Tweak: Free version – Improve the Handlebars template of Azure, OneDrive, WebDAV, SFTP/SCP, Backblaze, and Google Cloud remote storage by taking PHP code out of them
- Tweak: Update notice class
- Tweak: Escape URL used in remote storage connection modal
- Tweak: A Label being incorrectly displayed when creating a clone
- Tweak: Update class-udrpc
- Tweak: Don't show database selective restore UI if no tables are found in the database scan
- Tweak: Allow drag-dropping of backup anywhere, not just on target area
- Tweak: Add "echo" to display the premium link properly in some templates
- Tweak: Update the posts class to support theme.json config file for theme styles and block settings
- Tweak: Extract from plugin's data rather than relying on its key when retrieving the plugin slug
- Tweak: Increase likelihood of using experimental upload-sooner Feature from 1% to 5%
1.22.12 - 29/Apr/2022
Changes
- Feature: Added the ability to select which themes and plugins to Restore
- Feature: Allow existing local backups to be sent to a remote site when migrating
- Tweak: Tweak to allow the Amazon S3 setup wizard to run if the internal S3 library is active
- Tweak: The WordPress sidebar menu overlaps the popover tour box
- Tweak: Attempt to upload a zip file after it's been created to save on storage space
- Tweak: Add MySQL maximum packet size to Advanced Tools -> Site Information
- Tweak: Only output the expected table rows when starting to process the table
- Tweak: Fix get_users parameter that has been deprecated on WP 5.9 in UpdraftCentral posts controller.
- Tweak: Do not call escapeshellarg() for SCP if we know it is unnecessary (prevents problems on hosts lacking the function for trivial use cases)
- Tweak: Detect change of run-time environment on first resumption and re-set previously detected resumption interval if likely to be helpful
- Tweak: Improve the FTP Handlebars template by taking PHP code out of it
- Tweak: Convert HTTP error codes to their meanings
- Tweak: Some plugins load their own incomplete mcrypt_* functions; try to detect this and recover
- Tweak: Ensure the local backup file is cleaned up if an earlier failed remote storage upload later succeeds
- Tweak: Include plugin version when getting details from UpdraftPlus Vault to allow features that depend upon a sufficiently up-to-date version
1.22.11 - 15/Mar/2022
Changes
- Fix: Internal S3 library did not correctly construct canonical query string with v4 signatures if there were multiple parameters, leading to wrong signatures and failed authorisation
- Fix: Fix a recent regression that caused DNS hostnames to not be preferred when using Amazon S3
- Tweak: Prevent deprecation notice on PHP 8.1 if opening a zero-size zip file
- Tweak: Introduce filter updraftplus_dropbox_fetch_curl_options for easier debugging/experimentation
1.22.10 - 11/Mar/2022
Changes
- Fix: Fix a regression in the 1.22.9 adjustment to the internal S3 library's evaluation of when to use a Host: header
- Fix: Fix a long-standing issue whereby if S3-related credentials were being tested via the front-end UI, and multiple back-end instances were present, then the wrong settings could be used in making decisions on Host: headers
1.22.9 - 10/Mar/2022
Changes
- SECURITY: Fixed a failure to sanitise printed URLs properly, leading to a targeted XSS opportunity (if an attacker persuades a logged-in admin to follow a link personally crafted for their site, he may be able to run JavaScript inside the browser - but in our testing, this ability is limited due to the sanitisation that was there - we have not been able to confirm that a payload causing damage is possible). Reported by Taurus Omar - https://taurusomar.com.
- Tweak: Adjust internal S3 library's evaluation of when to use a Host: header (improves compatibility with buckets with minimal access rules)
- Tweak: Adjust algorithm concerning likelihood of switching S3 libraries to accelerate deployment
- Tweak: Prevent PHP notice when using S3 with particular bucket naming and SSL
1.22.8 - 03/Mar/2022
Changes
- Fix: Do not attempt to use S3 DNS-style bucket naming in alternative library if SSL validation will fail due to AWS certificate wildcard policies or other bucket naming-related reasons
- Tweak: Add version number to alternative S3 library requests
1.22.7 - 01/Mar/2022
Changes
- Fix: Internal S3 library was missing a method for using session tokens together with Vault
- Fix: Various UI issues with the S3 IAM Wizard
- Tweak: Use AWS SDK/Guzzle for S3 operations if Curl is not available
- Tweak: Prevent coding deprecation notice during S3 upload on PHP 8.1
1.22.6 - 26/Feb/2022
Changes
- Fix: Internal S3 library had regressed in its ability to detect bucket location on AWS when using v4 signatures
- Tweak: When using S3 APIs, log the class used for easier debugging
- Tweak: Change S3 SDK selection algorithm
1.22.5 - 24/Feb/2022
Changes
- Fix: An issue that prevented being able to browse the contents of an already downloaded backup zip file
- Fix: Add previously unbundled AWS SDK file for IAM service description which prevented S3 wizard in the Premium version working correctly
- Fix: Prevent a fatal error when handling some S3 errors, caused by a format change
- Tweak: When loading AWS SDK at upload time, apply some work-arounds for plugins with buggy or old versions of related libraries
- Tweak: Update to latest AWS SDK toolkit, fixing an error with error-reporting in some situations in the previous version
- Tweak: Remove vendor/aws/aws-crt-php/run_tests.bat from build (apparently one user's hosting does not allow .bat files), plus other unnecessary files from that package
- Tweak: Enable PHP 8.1 in UpdraftClone (N.B. not yet officially supported by WordPress, so, made available for testing/development purposes)
- Tweak: Prevent error emitted on the browser console when 'Images' filter is selected on UpdraftCentral's media module
1.22.4 - 17/Feb/2022
Changes
- Tweak: Prevent a couple of possible fatal errors when printing autobackup options on PHP 8
- Tweak: Work around a bug in the JetPack autoloader that was triggered when projects using that also used Guzzle in a different namespace
1.22.3 - 15/Feb/2022
Changes
- SECURITY: Thanks to Marc-Alexandre Montpas of Automattic for this report (CVE: CVE-2022-23303). All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups. If your site does not have non-admin users, or if your non-admin users are all trusted (and your site does not allow users to sign up themselves), then you are not vulnerable (but we always recommend updating to the latest version in any case). Please see https://updraftplus.com/updraftplus-security-release-1-22-3-2-22-3/ for more details.
- Fix: Unexpected 'Backup History' array structure during the rescanning of the new backup sets that changed the type of the database associative keys from string to array format
- Fix: Failure in excluding and wiping out jobdata during backup and restore causing the same backup to repeat under certain circumstances
- REFACTOR: Upgrade AWS SDK from version 2.8 to 3
- Tweak: Improve how log file and backup file attachments are handled through mail-related functions, so they don't get omitted by some 3rd party SMTP plugins
- Tweak: Overcome PHP 8 'Only the first byte will be assigned to the string offset' warning when rescanning local folder and/or remote storage for new backup sets
- Tweak: On Windows, when the mysqldump.exe binary was in use for backing up the database, it failed to exclude updraft_jobdata_* entries because the 'escapeshellarg' function replaces the % character with white space
- Tweak: Switch to official jstree release now that our patch is included
- Tweak: Update updater library in paid version to current release
- Tweak: In the multisite add-on, store the last log message separately to perform better with binary logging together with large backups
- Tweak: Add Google branding to the Google Drive authentication link
- Tweak: Change complex formatting string to avoid translator errors resulting in PHP errors
1.22.1 - 14/Jan/2022
Changes
- Tweak: New versioning scheme; the second part of the version number was previously not used very meaningfully/systematically; together with the third, it now indicates the year of release and number within that year
- Tweak: Adjust run-time performance check, removing one test that was no longer appropriate
- Tweak: Adjust next resumption display message if there isn't one
- Tweak: Cache the UpdraftVault quota to reduce the amount of network calls made during long backups
1.16.69 - 27/Dec/2021
Changes
- Fix: A bug that prevented a final resumption from attempting to split the zip to make progress
- Fix: Handle LOCK TABLES statements produced by some mysqldump versions properly in case of atomic restores
- SECURITY: Fix a non-persistent XSS error allowing an attacker to once run JavaScript in your web browser if you clicked on a link crafted personally for you whilst logged into your site (very similar to that fixed in 1.16.65/6). A packaging error meant that this was not properly fixed in the 1.16.67-68 releases.
- Tweak: Search and replace ABSPATH if it's changed, non-trivial and stored in the DB by a bad plugin/theme
- Tweak: Make whole label for "UpdraftPlus temporary clone user login settings" clickable
- Tweak: Change wording for an advanced tool for clarity
- Tweak: Include UD in user agent for S3 calls when using the AWS SDKs
- Tweak: Make sure WP_Error is passed up during specific plugin update failure case
1.16.66 - 29/Nov/2021
Changes
- SECURITY: The fix made in 1.16.65 was faulty; this release corrects it.
1.16.65 - 25/Nov/2021
Changes
- SECURITY: Fix a non-persistent XSS error allowing an attacker to once run JavaScript in your web browser if you clicked on a link crafted personally for your site whilst logged into it. Discovered by Krzysztof Zając.
- Tweak: Premium - add review link at bottom of admin
1.16.64 - 24/Nov/2021
Changes
- Fix: Do not create a zip manifest file if the zip is still potentially incomplete
- Tweak: Improve Dropbox downloading performance by reducing round-trips, by eliminating unnecessary chunking
- Tweak: Update certificate store to current list
- Tweak: Increase precision of previous check-in record in log
1.16.63 - 25/Oct/2021
Changes
- Fix: Use correct zip file name when creating manifest
- Tweak: Tweak the response data of UpdraftCentral's plugin and theme handlers to add additional error information
- Tweak: Moved the raw backup history command so it can be accessed via UpdraftCentral
- Tweak: Optimise away unnecessary file open/read/close cycle on null gzip files when writing the final database dump (should help on enormous sites with thousands of tables)
- Tweak: Cleanup .list.tmp files when a local backup completes
- Tweak: Refactor WebDAV addon code for future improvements
1.16.62 - 30/Sep/2021
Changes
- Fix: Fix UpdraftCentral error when installing plugin or theme on a slow connection
- Tweak: Support wildcard (asterisk char) exclusions not just for the first/top-level directory but also for the 2nd level directories and below
- Tweak: Fix deprecation warning on UpdraftCentral's comment settings
- Tweak: Algorithm improvement with small tables with individually large rows not triggering the existing over-sized rows algorithm, to reduce fetch size quicker
- Tweak: Implement the newly abstracted host plugin usage/process within the UpdraftCentral client code
- Tweak: Improve backtrace logging
- Tweak: Add admin and log warning messages regarding the planned shutdown of Microsoft Azure and OneDrive Germany
- Tweak: Output UpdraftVault quota recount link if needed
- Tweak: Introduce constant: UPDRAFTPLUS_LOG_BACKUP_SELECTS: Defining this to true will cause the SQL SELECT commands used when fetching data for a database table backup to be logged in the UpdraftPlus backup log
- Tweak: Don't change SQL modes if a null value is returned
- Tweak: Existing backups paging logic to avoid a confusing rescan user experience
- Tweak: Refactor the search and replace engine
1.16.61 - 28/Aug/2021
Changes
- Fix: If MySQL performance was very fast on large tables, and if fallback fetch mode was being used (which should not occur on any WordPress core table, but can be triggered on recent Oracle MySQL 8.0 versions), then when increasing rows fetched on large tables, some rows could be unintentionally skipped.
- Tweak: Oracle MySQL 8.0 from somewhere after 8.0.17 has removed the display width from the response to SHOW CREATE TABLE, resulting in failure (prior to this tweak) to detect a primary key type that can be used with faster fetching
- Tweak: Use 'wp_mail_failed' action hook to improve logging of email delivery failures caused by a PHPMailer exception
- Tweak: Add additional log information to themes and plugins modules
1.16.60 - 23/Aug/2021
Changes
- Fix: An issue that prevented the more files restore UI appearing if it was part of an incremental backup
- Fix: Add an extra check to prevent incremental backups from being run after a migration, if incremental backups are not enabled.
- Tweak: Add method to check whether an image editor is available for UpdraftCentral's image media editing feature.
- Tweak: In the reporting add-on, accept URLs; if the address is a URL then, instead of emailing it, POST it to that URL using the format used by Slack
- Tweak: Add a link to the create clone UI to explain the various clone package sizes
- Tweak: Record ABSPATH in the summary
- Tweak: Prevent a couple of unwanted logging notices on PHP 8
- Tweak: Catch and deal with various WebDAV exceptions
- Tweak: Create a zip file manifest and read from it if available
1.16.59 - 16/Jul/2021
Changes
- Feature: (Paid versions) New WP-CLI command (connect) to connect plugin with the user's associated account/licence on updraftplus.com
- Fix: Each time the 'Upload Backup' dialog is opened, '(already uploaded)' text is appended one more time for the same remote storage resulting in it being nearly impossible to have the two buttons shown at the bottom
- Tweak: Enhanced over-sized row-detection to include any table with a primary key and a LONGTEXT
- Tweak: Log file now includes max packet size
- Tweak: Properly handle port numbers included in DB_HOST when using mysqldump
- Tweak: Handle UNIX socket paths included in DB_HOST when using mysqldump
- Tweak: Increase default mysqldump maximum packet size
- Tweak: Change WebDAV request library to HTTP_Request2
- Tweak: Add custom category sorting on post module using uasort due to deprecation warning emitted on UpdraftCentral
- Tweak: Added an icon within the top-right of the log widget allowing user to toggle that part between its current size and full-screen of the restoration log section
- Tweak: Prevent an error in the phpinfo advanced tool when handling non-string constants
- Tweak: Escape remote storage IDs in output templates
- Tweak: Suppress unwanted error logging related to Gravity Forms
- Tweak: Clear Elementor cache at the end of restoration process (if possible) giving an opportunity for Elementor to regenerate CSS files on the next page load request
- Tweak: Clear Avada/Fusion-related CSS cache at the end of restoration process (if relevant)
- Tweak: Catch and recover from errors and exceptions when clearing third-party caches
- Tweak: Prevent a PHP logging notice when an SCP server is scanned for files
- Tweak: Remove unused CloudFront methods from S3 library
- Tweak: Added missing anonymisation.png graphic and detail of Anonymisation addon in the addons list table
- Tweak: Added Update URI header field to avoid accidentally being overwritten with an update of a plugin of a similar name from the WordPress.org Plugin Directory.
- Tweak: Improvements in finding a working mysqldump binary during a backup operation
- Tweak: Start on larger chunk sizes when fetching *meta table contents, and scale up chunk sizes on all tables dynamically (less SQL queries; but testing shows it makes little difference to overall speed)
- Tweak: Adjust Google Drive to retry once after a UDP_Google_IO_Exception, as was done in Google Cloud - intended to help with intermittently buggy Curl versions
- Tweak: Show a notice when attempting to download a backup from email remote storage explaining nothing can be downloaded
- Tweak: Update shop links and upgrade prompts
1.16.58 - 27/May/2021
Changes
- Fix: UpdraftVault storage settings saving issue on multisite
- Fix: Translation undefined index issue while running updates on UpdraftCentral
- Fix: Do not retain SFTP/SCP connection object between upload and prune stages, fixing a multi-instance bug that could cause deleting of obsolete archives to be skipped when backing up the same backup to multiple SCP servers
- Tweak: When a link points to an unreadable file, include information in the log about the original reference
- Tweak: Do not compress and recompress intermediate table files when stitching together the final database dump (increases speed and reduces resource usage)
1.16.57 - 08/May/2021
Changes
- Fix: Backblaze infinite loop when listing on buckets with huge numbers of objects
- Tweak: Minor improvements to the organisation of the S3-provider classes (abstract per-backend logic more cleanly)
- Tweak: Add --no-tablespaces switch to mysqldump invocation (required on MySQL 8.0+)
1.16.56 - 29/Apr/2021
Changes
- Fix: Revert changing of Amazon S3 authentication error handling in 1.16.55, which broke support of S3-compatible providers
- Tweak: Remove some unnecessary methods from the UpdraftPlus_S3 class
1.16.55 - 28/Apr/2021
Changes
- Fix: Wrong prefix being used on non WP tables during an atomic restore
- Fix: Issue that prevented generic (non-UpdraftPlus) SQL databases being restored
- Tweak: JSTree file selector: list folders first, and list entities in alphabetical order
- Tweak: Increase efficiency when listing Backblaze files during multi-delete operation
- Tweak: Integrate UpdraftVault storage with the scheduled destination backups feature
- Tweak: Added bucket access style field to S3-Compatible (Generic) to allow user to choose preferred access style (Path or Virtual-host)
- Tweak: Improve handling of Amazon S3 authentication error messages to avoid misunderstanding concerning "wrong bucket region" that occurs after trying further methods
- Tweak: Make modal dialogs resizable
- Tweak: During the database scan, if the number of tables found exceeds the PHP max input vars limit, then truncate the list, to prevent restore options being lost
- Tweak: Update seasonal notices
- Tweak: Track the number of restore options being sent and warn the user if this exceeds the PHP max_input_vars limit
1.16.54 - 05/Apr/2021
Changes
- Fix: Undetected build system error on free version omitted jstree library
- Tweak: Reduce plugin size by removing 9 languages that are now fully available from the wordpress.org on-demand system
1.16.53 - 03/Apr/2021
Changes
- Fix: Incorrect final table name being used during an atomic restore when restoring using a different table prefix
- Fix: Fix variable re-use issue in Backblaze multi-delete code which halted deletion
- Tweak: Prevent unnecessary logging when testing data for serialization on PHP 8.0 during migration
- Tweak: Update jsTree library to version 3.3.12-rc0 to work around deprecated jQuery functions
- Tweak: Add an extra check for whether it looks reasonable to reduce the resumption time, increasing efficiency
- Tweak: On the posts table, detect over-sized rows in advance, and fetch them one at a time.
1.16.51 - 01/Apr/2021
Changes
- Fix: Backup before updating dialog was not working on the inline informational pop-up on the Plugins page
- Tweak: Refactor how translatable texts are being handled and displayed within the UpdraftCentral client code
- Tweak: Fix parameter passing for UpdraftCentral multiplexed request
- Tweak: Exclude/skip very large files from the backup operation if the first and second attempt at backing them up didn't succeed
- Tweak: Backblaze multi-deletion code did not properly handle files that were already deleted (could abort deletion of others)
- Tweak: Replace the table prefix in the constraint name if it is found
- Tweak: Don't perform an atomic restore on tables with constraints
- Tweak: Add atomic restore support for non-WordPress tables
1.16.50 - 16/Mar/2021
Changes
- Fix: An issue with refreshing Dropbox access tokens
- Tweak: Reduce and log memory usage in Google upload methods
- Tweak: Catch Dropbox HTTP 401 errors and refresh the access token
1.16.49 - 10/Mar/2021
Changes
- Fix: Don't perform an atomic restore for non-WP-prefix tables backed up (Premium feature) - fixes a bug that resulted in the final table being dropped
- Tweak: Dates/times shown in the "next scheduled backup(s)" are now translated into the user's locale
1.16.48 - 09/Mar/2021
Changes
- Feature: If needed database permissions are available then perform an atomic restore to improve chances of successfully restoring the database
- Feature: Added the ability to manually complete authentication with Google Drive (Avoids issues where security modules/plugins break the authentication flow)
- Feature: Added the ability to manually complete authentication with OneDrive (Avoids issues where security modules/plugins break the authentication flow)
- Feature: Google Drive and Google Cloud now allow boosting chunk size for faster transfers
- Fix: Files/Directories Exclusion not saving correctly when adding numeric directory/file names into the exclusion list
- Fix: Different PHP versions generate different suffix lengths in the temporary ZIP filename, resulting in a chance of overlapping runs
- Fix: An issue with mysqldump password character escaping
- Tweak: Avoid unnecessary database writes caused by redundant jobdata updating during backup of files
- Tweak: Add "anywhere in their names" syntax option to the exclusion UI
- Tweak: Bump the requirement for the S3 enhanced module, and for using the official AWS SDK, up to PHP 5.5 (in preparation for updating the SDK version later)
- Tweak: Fix a bug of report emails for incremental backups displaying incorrectly in many email apps
- Tweak: Update Select2 library to version 4.1.0-rc.0 to work around deprecated jQuery isFunction
- Tweak: Update jQuery-serializeJSON library to version 3.2.0 to work around deprecated jQuery isArray
- Tweak: Handle hosts that have disabled some of the PHP functions thus causing a fatal error on PHP 8
- Tweak: Correct under-calculation of used memory in verify_free_memory()
- Tweak: Fix (inconsequential to this point) double-use of identifier for SQL statement type
- Tweak: Remove some compatibility code in Dropbox downloading pertaining to a folder selection bug eliminated ~8 years ago.
- Tweak: Remove unneeded sub-site tables when performing a restoration/migration (Multisite)
- Tweak: Improve the exclusion UI by adding new "wildcards" option thus allowing the user to add a set of patterns for excluding files/directories
- Tweak: Integration of the new files that were previously added for abstracting UpdraftCentral's client code
- Tweak: Excluded items (Files or Folders) that are not readable should not trigger a warning about being unreadable
- Tweak: Fix some RTL CSS issues
- Tweak: OneDrive 4xx error reporting
- Tweak: Update the Dropbox SDK to use refresh tokens (long lived token support ends September 2021)
- Tweak: Implement a multi-delete capability when deleting from Backblaze
- Tweak: On UpdraftClone display the image ID in the advanced tools tab for easier debugging
- Tweak: Make it more clear in the restore log that we are starting an AJAX restore
- Tweak: The download backup HTML so that there is only one download button per archive type
1.16.47 - 25/Jan/2021
Changes
- Feature: Added the ability to anonymise personal data in database backups from the "Backup Now" dialog (Premium / add-on)
- Feature: Add page management module for UpdraftCentral
- Fix: 1.16.42 introduced a regression (truncation) when listing files from Dropbox when there were multiple pages of results
- Tweak: Force host-style bucket access when backing up via S3 generic to Alibabacloud
- Tweak: Remove unneeded Google SDK files from our fork of the SDK taking the size from 6MB to 800KB
- Tweak: Incorrect jQuery UI dialog extended filename
- Tweak: Change some class names to improve compatibility with other plugins using the Google SDK and auto-loading their version unconditionally
- Tweak: Update the delete file Dropbox API call to version 2
- Tweak: Change the S3 test settings form names to match the saved setting names
- Tweak: Check the Content-Type on the response from an S3-compatible provider slightly less strictly, improving compatibility with at least one otherwise-working implementation
- Tweak: Update the Dropbox SDK to use scopes
- Tweak: Handle hosts that have removed disk_free_space() (now that on PHP 8 disabling functions removes them)
1.16.46 - 05/Jan/2021
Changes
- Fix: Prevent some deprecation-related errors when backing up to some remote storage locations in PHP 8
- Fix: Adding new remote storage instance (Premium) doesn't bring up the UI
- Tweak: Fix some modal dialog alignment/resizing issues
1.16.45 - 04/Jan/2021
Changes
- Fix: Prevent some fatal errors due to language behaviour changes when running under PHP 8
- Tweak: Replace deprecated calls to jQuery fn.focus(), fn.ready(), fn.submit(), fn.click() and fn.blur() methods in internal libraries
- Tweak: Replace deprecated calls to jQuery (:first) and (:eq) pseudo-classes in internal libraries
- Tweak: Prevent several PHP deprecation log notices on PHP 8
- Tweak: Rename some further classes in our fork of the Google SDK to prevent conflicts
- Tweak: When running under cron, do not combine schedules when there are no schedules
- Tweak: Revert a jQuery change in 1.16.44 which made notices on the 'updates' page appear multiple times.
1.16.43 - 17/Dec/2020
Changes
- Tweak: Replace deprecated calls to jQuery.trim(), jQuery.fn.change(), jQuery.fn.bind(), jQuery.fn.unbind(), jQuery.fn.keyup(), jQuery.fn.removeAttr() and jQuery.fn.removeProp() in internal libraries
- Tweak: Reduce excessive vertical margin above the header within Autobackup dialog box
- Tweak: Improve user experience in the case of some rare UpdraftVault conditions
- Tweak: Fix the exclude fields, which were unable to switch their mode from read-only to edit mode
- Tweak: Added new files needed for abstracting UpdraftCentral's client code
- Tweak: Update the review notice
- Tweak: When attempting to delete a Backblaze file and discovering it does not exist, do not log that as an error (presumably already deleted)
- Tweak: Fetch history log data in the popup using AJAX, instead of using embedded data attributes.
- Tweak: Be less quick to switch to PclZip when BinZip has not completed the job
1.16.42 - 10/Dec/2020
Changes
- Feature: Added the ability to manually complete authentication with Dropbox (Avoids issues where security modules/plugins break the authentication flow)
- Tweak: Replace BlockUI's deprecated jQuery functions and/or shorthand events with the appropriate method accordingly
- Tweak: Replace /2/files/search Dropbox API calls with /2/files/search_v2
- Tweak: Replace Labelauty's deprecated jQuery functions and/or shorthand events with the appropriate method accordingly
- Tweak: Fix broken multiple range selection's highlighters due to the absence of jquery-migrate in the WordPress core on version 5.5
- Tweak: Add the latest jQuery UI CSS framework for compatibility with WordPress 5.6 and all ongoing versions of WordPress
- Tweak: Add support for PHP 8.0 in UpdraftClone
- Tweak: Prevent a couple of PHP coding notices on PHP 8.0
- Tweak: Tweak in the backing up of tables to reduce PHP memory use when working with very long row contents
- Tweak: Prevent a PHP warning when starting a backup
- Tweak: Fix a UI issue in the "send backup to remote site" options
1.16.41 - 27/Nov/2020
Changes
- Tweak: Don't repeat sending the 'upload_complete' command to a remotesend destination after it succeeded the first time
- Tweak: Update the udrpc library
- Tweak: In UpdraftClone, delay the temporary_clone_ready_for_restore signal until the browser connection is closed (preventing a loss of response)
1.16.40 - 25/Nov/2020
Changes
- Tweak: Cycle Dropbox API client ID (old one has been cycled and no longer works)
1.16.37 - 23/Nov/2020
Changes
- Fix: Scheduled backups to remote storage not being correctly sent in 1.16.35/36 in the absence of the "More Storage" add-on
- Tweak: Wording tweak to clarify the effect of the conditional logic settings
- Tweak: Add a warning to the restore page to inform the user if JavaScript is broken and as a result the restore won't start
- Tweak: Replace intval() with casting to (int)
- Tweak: If the first fetch from a table failed, then the algorithm to fetch fewer rows failed to reduce the fetch size more than once
1.16.36 - 20/Nov/2020
Changes
- Tweak: During a restore or migration, detect if the backup was affected by the key issue fixed in 1.16.35, and automatically unselect by default such tables from the list of those to be restored. On a migration advise the user to take a fresh backup on the source site with a current version.
1.16.35 - 19/Nov/2020
Changes
- Feature: Backup destinations with conditional logic rules for scheduled backups (Premium)
- Fix: A regression in 1.16.30 meant that the term_relationships table could have rows missing in the backup if mysqldump was not present/used; this meant that items with multiple terms were only having one relationship backed up (e.g. multiple tags being assigned to one post)
- Tweak: Adding remote block assets support when editing post from UpdraftCentral
- Tweak: Rename UpdraftCentral's main and listener classes
- Tweak: Improve the error message when an encrypted key is given by the user for the SFTP/SCP remote storage method
- Tweak: Enhance the algorithm when dumping large tables via PHP, by also consulting the size of the current uncompressed data and passed time and resumption state
- Tweak: When there are no backups in existence, display some help text explaining how to upload one for restoration
- Tweak: Prevent composer 2 run-time platform checks
- Tweak: Update bundled cacert.pem file
- Tweak: When fetching fewer rows due to previous failures, make this persist across resumptions when on the same table
- Tweak: Raise the default for UPDRAFTPLUS_MAXBATCHFILES
- Tweak: Improve handling of the situation when the source database has no table prefix (which is officially unsupported by WordPress, but people have them)
- Tweak: When fetching the site name from the database, process it via wp_specialchars_decode() to remove HTML encodings that WP applied before storage
- Tweak: Replace uses of the php_uname() function with the PHP_OS constant when the server that PHP is running on disables the function for security reasons
- Tweak: When the definition of a VIEW cannot be fetched, report this nicely, do not let it be flagged as a fatal error, and log it in the backup file and log
- Tweak: Integrate UpdraftPlus and WordPress 5.5 core's automatic update settings
- Tweak: When a backup resumed, the last successful resumption was incorrectly set as the last successful resumption when an 'alive' event was recorded, rather than a 'useful' one; this deferred some mitigations when there was insufficient progress
- Tweak: Add another tweak to paid versions' update checking time algorithm
- Tweak: Add "Select all" and "Deselect all" link texts for bulk selecting/deselecting tables from the database table list on the manual backup dialog
- Tweak: Ensure all code paths use internal ud_parse_json function for decoding JSON in JavaScript
- Tweak: When using UpdraftVault, only cache results of a vault_getconfig call conditionally (retry on potentially transient errors)
- Tweak: Prevent a PHP coding notice if running an UpdraftVault backup on the CLI
- Tweak: Reduce the on-disk logging of entity base directories containing vast numbers of entries
- Tweak: When we first save the backup schedule set the scheduled time randomly between 9PM and 7AM
- Tweak: During a remote storage rescan correctly update the backup file sizes to prevent incorrect 'may have changed' warnings
1.16.34 - 30/Oct/2020
Changes
- Tweak: On sites with enormous numbers of tables (e.g. very large multisites), counting the already-backed-up tables when resuming took unnecessarily long since 1.16.30
- Tweak: Update jQuery document ready style to the one not deprecated in jQuery 3.0
- Tweak: While using the file tree browser return an error if we are unable to open a directory
1.16.33 - 20/Oct/2020
Changes
- Fix: Fatal error when doing a backup with no storage in the short-lived 1.16.32 (free version)
- Tweak: Cookie policy changes in the Chrome family of browsers broke the embedded checkout; hence, this is now disabled (goes directly to updraftplus.com instead).
- Tweak: Exclude All In One WP Migration-related archive files when backing up plugins and/or others from the UpdraftPlus backup process
- Tweak: Add downloadable backup links in the Backup Report email (Reporting Addon)
- Tweak: Rename some classes in our fork of the Google SDK to prevent conflicts
- Tweak: Improve automatic backups output when 'UPDRAFTPLUS_NOAUTOBACKUPS' constant is defined.
- Tweak: Remove the now-redundant concept of inner loops from the database table backup routine
1.16.31 - 20/Oct/2020
Changes
- Fix: A regression in 1.16.30 meant that tables with integer primary keys which used signed integers omitted the first row of the table from the backups. This is not common (e.g. it does not affect any core WP tables; most plugins adding tables follow WP core in using unsigned integers for primary keys).
1.16.30 - 15/Oct/2020
Changes
- PERFORMANCE: Where a table has a numerical primary key, extract its data using that index. This results in a substantial performance increase when fetching large tables using PHP. (The filter updraftplus_can_use_primary_key_default can be used to de-activate this behaviour).
- Fix: Remove incorrect decodeURIComponent() parsing when importing settings, which could prevent import of settings containing some special characters
- Fix: An issue where database tables that were not selected to be backed up in a "Backup Now" backup would get added to the backup during a resumption (i.e. if it did not finish in a single run)
- Tweak: Catch errors from Google Cloud when the bucket is not found
- Tweak: Fix undefined variables instead of expected values in message prior to settings import
- Tweak: Strip the redundant WHERE for the --where parameter to mysqldump (which modern versions strip out, but a version was found that didn't)
- Tweak: Handle hosts that have disabled the session_id() function
- Tweak: Provide SQL mode information in the 'Site Information' section under the 'Advanced Tools' tab and in the database backup's header
- Tweak: Show a notification of UpdraftPlus plugin updates even if the associated user account is not connected to the UpdraftPlus website
- Tweak: Add mechanism to detect what hosting provider is being used and use it to make UpdraftPlus comply with Kinsta's backup limit policies (thus removing it from the list of disallowed plugins)
- Tweak: When booting a clone if it's claimed from the clone queue then update the token being used
- Tweak: Tweaked downwards the minimum time in the future for rescheduling a resumption
1.16.29 - 08/Sep/2020
Changes
- Fix: Added Africa (Cape Town), Asia Pacific (Hong Kong) & Asia Pacific (Osaka-Local) to AWS
- Fix: Fix bug where incorrect function call prevented backup file downloads from the WP dashboard
- Tweak: Removed LinkedIn and Google+ links
- Tweak: Choosing email remote storage method in the free version will automatically tick the "Email" field setting, making the UI meaning clearer
- Tweak: Work around the invalid file paths if found in some key-value pairs in the PHP user.ini file or Apache .htaccess file when restoring
1.16.28 - 02/Sep/2020
Changes
- Feature: Support backing up and restoring MySQL/MariaDB routines (stored procedures and functions)
- Feature: Added the ability to search and replace the database via WP-CLI
- Fix: Bit fields in a table don't necessarily get backed up correctly due to the difference in the output of mysql_query() and mysqli_query() for the bit-field type
- Fix: Allow single multisite sub-sites to be restored when there is a http/https mismatch between the site and database backup
- Tweak: Update plugin updates checker dependency (in paid versions) to the 4.10 series, improving compatibility with WP 5.5+'s updates management
- Tweak: Suppress message about how to upgrade an already-installed plugin when on WP 5.5+ (where it is no longer relevant)
- Tweak: Internal refactoring to allow more flexibility when creating database backups
- Tweak: Force the turning off of ANSI_QUOTES in the active SQL mode when creating a backup, for better compatibility
- Tweak: Add the ability to configure the 'max_allowed_packet' option in the binary mysqldump command via the 'UPDRAFTPLUS_MYSQLDUMP_MAX_ALLOWED_PACKET' constant
- Tweak: The Google Drive options exist condition to prevent a false positive saved settings error
- Tweak: Improve the UpdraftPlus get_outgoing_ip_address method in finding user webserver's IPv6 address
- Tweak: Removed MetaSlider notice in the notices collection
1.16.27 - 23/Jun/2020
Changes
- Fix: In the free version configured remote storage locations were not selected by default in the backup now modal
- Fix: On newer versions of Curl, uploads to Dropbox can fail with a bad request; we now retry with a better request
- Feature: Improve support for enormous tables when outputting via PHP via batching of the dump
- Tweak: Add site_url to load_plugins and load_themes requests
- Tweak: Catch PHP fatal errors when executing UpdraftCentral commands
- Tweak: Tweak the version that gets added to CSS and JS filenames to work with addons
- Tweak: Prevent an internal UpdraftVault message displaying in the UI when Vault is not in use
- Tweak: Stop displaying the 'licence expires soon' warning if an active subscription is detected on the account
- Tweak: Catch Google_IO_Exception during upload to Google Cloud to prevent further unwanted errors
- Tweak: Date/time indicator in the UI now gets updated via the WP heartbeat API
- Tweak: On large databases the database file scan can time-out; an option has been added to allow the restore operation to include tables that are missing from the list
- Tweak: Use the administration email address (if possible) as the email sender address when sending a backup report email
- Tweak: Catch new OneDrive access token has expired message during a backup
- Tweak: Cleanup failed OneDrive uploads to prevent repeated failures that will never succeed
- Tweak: Add a warning alert when the remote scan button is pressed to explain this feature to prevent support requests
- Tweak: On large databases the amount of database tables can exceed the php_max_input_vars value; an option has been added to allow the restore operation to include tables that are missing from the list
- NOTE: The free version 1.16.27 was released as 1.16.26; i.e. if you are confused about where 1.16.26 went, the answer is that they are the same thing.
1.16.25 - 23/May/2020
Changes
- Fix: Dropbox since 1.16.24 was only deleting one backup files archive out of the set. i.e. Excess archives remained on Dropbox. These have to be deleted manually.
- Tweak: Add version to CSS and JS within filenames to prevent old versions being served after update on sites which have customisations to remove the query string
- Feature: Added the ability to create UpdraftCentral keys from WP-CLI
1.16.24 - 15/May/2020
Changes
- Feature: Support migration between different "generate columns" syntaxes of MySQL and MariaDB
- Feature: Added the ability to choose the remote storage locations you want to send your backup to in the "Backup Now" modal
- Fix: If non-WordPress tables are selected in the advanced 'Backup Now' options, then back them up (even if the saved setting to back them up is off). i.e. "Backup Now" over-ride options should have been taking priority.
- Fix: Failure to restore database 'view' in some rare circumstances due to the nonexistent DEFINER account and lack of privileges
- Tweak: Handle binary data during backup
- Tweak: Add strack_st to the lists of large logging tables and tables not requiring search/replace
- Tweak: Make search and replace case insensitive when operating on URLs
- Tweak: The incremental backup notice logic
- Tweak: Update bundled updater class (YahnisElsts/plugin-update-checker) (paid versions) to version 4.9
- Tweak: Add another tweak to paid versions' update checking time algorithm
- Tweak: Add the options_exist() method to backup modules that did not have it
- Tweak: During manual backup uploads, check if the last 4 bytes are string "null" (caused by an error in uploading to Dropbox) and if so remove them. Prevents an unnecessary message about unexpected data.
- Tweak: Show the backup label (if specified) in the UI backup progress indicator
- Tweak: Added the facility to clear the list of existing migration sites
- Tweak: Create default instance labels
- Tweak: Bring list of debugging plugins up to date
- Tweak: Add support for the AWS Milan and Cape Town endpoints (and correct a couple of existing endpoints that had wrong references)
1.16.23 - 01/Apr/2020
Changes
- Feature: Post module handler for UpdraftCentral
- Feature: Added the ability to select which database tables you want to restore
- Fix: An apparent change in Dropbox API behaviour at a recent date was causing uploads to Dropbox to be corrupted in some circumstances in versions 1.16.21-22.
- Tweak: The "Backup now" options were all unselected after trying to take a manual incremental backup with no possible entities for increments
- Tweak: When importing a single site into a multisite remove UpdraftPlus options and cron to prevent unwanted backups
- Tweak: Auto select clone package based on size of the selected backup
- Tweak: Prevent PHP notice when logging a Google Drive account full condition
- Tweak: Prevent a PHP notice when Azure is deleting files on PHP 7.4
- Tweak: Prevent potential PHP notice if returned OneDrive quota is zero
- Tweak: When restoring a single site that is part of a multisite only put that single site in maintenance mode not the entire network
- Tweak: Remove filesize warning from the log if we successfully added the file to the zip to prevent user concern
- Tweak: Add page_visit_history table to list of those with low-priority data and search/replace unnecessary
- Tweak: Add a warning message when restoring/migrating from an older PHP version to a newer version
- Tweak: Set 'NO_AUTO_VALUE_ON_ZERO' sql mode on restorations, for better compatibility with MySQL 8
- Tweak: Add WordFence logging tables to list of optional tables
- Tweak: If the Google Cloud revoke call fails try again once
- Tweak: Catch file closed errors during uploads to Dropbox to prevent unwanted errors in the backup log and prevent user concern
- Tweak: Get list of supported UpdraftClone regions from updraftplus.com
- Tweak: Logging in backup modules will now correctly pass on arguments to main log function
- Tweak: Change OneDrive 'account full, expected to fail' error message to a recoverable warning
- Tweak: Detect non-homepage 404s and provide FAQ link after a restore
- Tweak: Add paging to the existing backups table to prevent long loading times for sites with a large amount of backups
- Tweak: Remove unwanted padding on some buttons
1.16.22 - 17/Feb/2020
Changes
- Fix: Fix a regression with some S3-compatible providers caused by a previous switch to virtual-hosted style bucket referencing
- Tweak: Integrate input credentials from UpdraftCentral's zip install feature
- Tweak: Add information to the log file about what type of addresses (sub-domain/sub-folder) the multisite is configured to use
- Tweak: Fix potential race condition affecting settings page notifications on very fast or very slow sites
- Tweak: Some PHP notices that could be output during a restore
- Tweak: Automatically resume a timed-out restore operation during the uploads stage
- Tweak: If the database connection dies during a restore operation, try to reopen it
- Tweak: Adjust the UpdraftClone dashboard notice text
- Tweak: If the Google Drive revoke call fails try again once
- Tweak: The incremental backups label showed the incorrect time for different timezones
- Tweak: Update the WP-Optimize notice
- Tweak: Extend the auto resume restore to themes, others and more file backups
1.16.21 - 10/Dec/2019
Changes
- Fix: Correctly search and replace database views when importing on a site with a different table prefix
- Fix: A bug that prevented the restore modal opening on the migrate/clone tab
- Fix: Dropbox cURL issues on connection are resolved for PHP 7.4
- Tweak: Change the way the "Disabled Cron" warning appears on the administrative settings page
- Tweak: Improvements to error messages return for UpdraftCentral's plugin and theme installation process
- Tweak: Updates to credentials validation for UpdraftCentral's plugin and theme modules
- Tweak: Add media request handler for UpdraftCentral media module
- Tweak: On paid versions, again possibly adjust the daily update check time to further favour overnight hours
- Tweak: Mask classified information in WebDav URL settings
- Tweak: Add multiple range selection on certain backup using ctrl and shift buttons
- Tweak: Hide incremental backup link if the backup directory is not writable
- Tweak: Make Updraft_Restorer_Skin compatible with WP 5.3
- Tweak: Added Linode object storage link to list of supported S3 providers and updated existing links
- Tweak: Ensure some variables are defined to prevent unwanted warnings
1.16.20 - 04/Nov/2019
Changes
- Feature: Add support for PHP 7.4 in UpdraftClone
- Feature: Added the ability to restore "more files" backups
- Feature: Add OneDrive Germany compatibility
- Fix: Failure to send existing translation version with update checks (on paid versions) resulted in redundant translation updates
- Fix: Deal with a BackBlaze "first chunk too small" error correctly when doing chunked uploading
- Tweak: Block any updates from occurring during a restore
- Tweak: Force the predecessor Amazon S3 SDK to use virtual-hosted style bucket identification instead of path style
- Tweak: Refactor the remote storage logging code in Addon base v2
- Tweak: Removed the Keyy notice (Keyy now has a new owner)
- Tweak: Add WP 5.3 support in UpdraftClone
- Tweak: On paid versions, possibly adjust the daily update check time to favour overnight hours
- Tweak: Get UpdraftClone supported WordPress versions during authentication
- Tweak: Added the ability to use backups stored in remote storage for UpdraftClone
- Tweak: Small PHP 7.4 deprecation tweaks in the Google and legacy AWS SDKs
- Fix: Prevent trying to download files that have no remote storage and don't exist locally
1.16.19 - 04/Oct/2019
Changes
- Fix: GoogleDrive and WebDAV remote storage methods now correctly report if remote files failed to be deleted
- Fix: Issue in cloudfiles-enhanced addon that breaks translations when the user language is different from the site language
- Fix: Regression: add missing restore options
- Tweak: Improve restoration modal on mobile devices
- Tweak: Support the new Amazon S3 Middle East (Bahrain) region when removing a backup set
- Tweak: Improvements to the dashboard to allow for better screen-reader access
- Tweak: Ensure phpseclib Crypt_Blowfish is loaded over PEAR's version
- Tweak: Add time zone and expiries in to the UpdraftClone scheduled removal time
- Tweak: Add a multi-delete capability for OneDrive to prevent PHP timeouts during deletes
1.16.18 - 20/Sep/2019
Changes
- Fix: Select2 instance visibility in restoration modal when selecting blog on multisite
- Fix: Remove unsupported WordPress versions (3.6 and older) from the UpdraftClone selection list
- Feature: Ability to resume interrupted database restores
- Tweak: Add filesystem error data when FTP input validation fails in UpdraftCentral
- Tweak: Enable appropriate SQL mode to ensure the database restoration compatibility
- Tweak: Add a link to the Backblaze configuration guide
1.16.17 - 12/Sep/2019
Changes
- Feature: Added the ability to use UpdraftClone with sub-folder based multisites
- Feature: Catch duplicate entries in a corrupt DB upon restoration and handle/fix them automatically
- Fix: Some more complicated triggers (seen in CiviCRM) that were not previously handled correctly now are; and the SQL backup format for triggers is now mutually compatible with mysqldump/mysql binaries
- Fix: Reset internal state upon beginning backup_resume(), in case WP cron called us multiple times in the same process
- Fix: Provide compatibility functions on WP < 3.7 for mbstring_binary_safe_encoding() and reset_mbstring_encoding()
- Fix: Correct the Azure China storage endpoint in options
- Tweak: Re-designed restore process
- Tweak: Prevent cosmetic error if WP_Filesystem call fails when deleting old folders
- Tweak: Fix escaping that caused a problem in some translations with a dismissal notice
- Tweak: Update bundled cacert.pem file
- Tweak: Include a DROP command for any triggers about to be created in the backup
- Tweak: The BackBlaze module (Premium feature) can now cope with BackBlaze losing uploaded chunks
- Tweak: Cast file IDs in Backblaze to strings to prevent possible API error
- Tweak: Do not attempt to perform search/replaces in tables of ARCHIVE type
- Tweak: Introduce the constant UPDRAFTPLUS_SQLEXEC_MAXIMUM_ERRORS to aid debugging
- Tweak: Log message when checking which files need uploading on an incremental backup job
- Tweak: Don't send external DB backups to UpdraftClone
- Tweak: Reset the UpdraftClone UI if the clone is not created before it expires
- Tweak: Automatically detect a stalled restore and offer a resumption on the restore page
- Tweak: Remove some unused restore code
- Tweak: Prevent a PHP deprecation log notice with WebDAV on PHP 7.3
- Tweak: Catch exceptions and errors during recursive search/replace and recover from them
- Tweak: CSS tweak to prevent other plugins from breaking the style of pop-up close buttons
- Tweak: Ensure the error is logged on the final remote send complete call if it fails
- Tweak: BackBlaze terminology updated to match their changes
- Tweak: Update seasonal notices for next year
1.16.16 - 23/Jul/2019
Changes
- Tweak: Adding support for installing plugin and theme through zip files in UpdraftCentral
- Feature: Added the ability to launch a blank WordPress clone
- Feature: Add --collate= parameter to WP-CLI (Premium) to allow substitution of locally unknown collations when restoring
- Fix: Switched to wp_insert_site() from insert_blog() and install_blog() method when importing single-site into a multisite network on WP 5.1+. Fixes 'Already Installed' error when importing on newer WP versions
- Fix: Issue where (rare) foreign key constraints aren't updated upon restore when table prefix changes
- Fix: Improve parsing of backed-up triggers when restoring preventing possible unnecessary errors
- Fix: If an upload to Google Drive starts to fail due to an OAuth token refresh error, the backup will re-bootstrap the Drive client and try again
- Fix: JSON-reparser to prevent unwanted RINFO data being output to screen
- Fix: Triggers were still included in a backup for tables that were excluded because of lack of WP prefix
- Fix: Resuming restores could resume at an unnecessarily early stage
- Fix: Issue with Dropbox account information call that could make it fail
- Tweak: In cases where there were duplicate Google Drive folders (which is possible if there are multiple network communications failures when looking up the folder), these are now detected and merged automatically
- Tweak: Add option to start 250GB Vault subscription as in-app purchase
- Tweak: Regression: backup checksums were not being recorded in the backup log file
- Tweak: Remove UpdraftClone when the backup is cancelled by the user
- Tweak: Send the backup log during the creation of UpdraftClone for easier support when a clone fails to receive the backup
- Tweak: Detect OneDrive Graph token expiries and initiate swift resumption
- Tweak: Reduce the permissions requested for the UpdraftPlus Google Drive app (this now means that backups manually uploaded to Google Drive can not be deleted through the UpdraftPlus UI)
1.16.15 - 31/May/2019
Changes
- Feature: Added the ability to use already existing local backups with UpdraftClone
- Fix: Prevent PHP fatal error (regression) when WP_Filesystem credentials were needed and wrong ones were supplied
- Fix: Issue where you could not delete old directories from the restore progress page
- Fix: Issue where restore would not run over AJAX if wrong credentials were entered when WordPress requested filesystem credentials
- Fix: Fix incorrect refusal to accept valid email addresses in the UpdraftCentral wizard
- TRANSLATION: The Italian translation is now complete and supplied from wordpress.org, so can be removed from the free plugin zip (saves 424KB disk space - if your mother tongue is not English and you want to improve UpdraftPlus, take a look at: https://translate.wordpress.org/projects/wp-plugins/updraftplus).
- Tweak: Update UpdraftCentral theme module handler to support themes without a name header
- Tweak: Prevent PHP log notice when fetching available theme updates via UpdraftCentral
- Tweak: Add more scheduling options to the built-in list (you can still further add whatever other arbitrary options you like: https://updraftplus.com/faqs/how-can-i-add-any-new-scheduling-interval-to-updraftplus/)
- Tweak: Abstract the code for handling maintenance mode to allow future improvements
- Tweak: Fix a potential wrong file path in an error message
- Tweak: If there is more than one Google Drive folder of the same name, now the selection is deterministic: the oldest one is always used
- Tweak: Infer phpseclib class path from the class name, instead of hard-coding it
- Tweak: Some lines that were meant to include HTML bold in the browser output had lost that effect
- Tweak: Add what entity caused the automatic backup to the logfile
- Tweak: Upon restoration, a couple of known plugin cache directories will be emptied to prevent serving up an intermediate page
- Tweak: Fix a bug in the "fail on resume" error-trapping logic which could cause it to resume too many times
- Tweak: Prevent a bogus error message being logged at the end of a successful direct site-to-site transfer
- Tweak: Add backup size information when hovering at the backup data buttons (excluding database button)
- Tweak: Allow the plugin to connect to account and activate Premium licence if no more UpdraftCentral Cloud licences remain and the user enables the 'Add this website to UpdraftCentral' option in the Premium/Extensions tab
- Tweak: During a restore send structured data to the front end. This is preparing the way for future UX improvements.
1.16.14 - 30/Apr/2019
Changes
- Tweak: Make UpdraftVault trial more discoverable
- Tweak: Fix stray JavaScript in the short-lived version 1.16.13
- Tweak: Add support to translation updates
- Tweak: Add WP 5.2 support in UpdraftClone
- Tweak: Prevent PHP notice in remotesend method
- Tweak: Restorations are now started over AJAX instead of in-page. This is preparing the way for future UX improvements.
- Tweak: Upgraded the 'site-to-site' remote sending code to use the more recent UDRPC message format
- Tweak: Make the UpdraftClone suggestion sentences dismissible
- Tweak: Improve JSON-reparser to cope with even more exotic junk from some setups with problems elsewhere in their stack
1.16.12 - 16/Apr/2019
Changes
- Fix: Regression which caused PclZip unzips to be very slow
- Tweak: Add stream_meta to the list of log tables and tables not requiring search/replace
1.16.11 - 08/Apr/2019
Changes
- Fix: Issue which prevented the downloader UI being removed during a manual entity download (regression)
- Fix: Regression in 1.16.10 whereby restore resumptions did not correctly resume because the jobdata had not been loaded
- Tweak: Update UpdraftCentral description and internationalize strings
- Tweak: Handle HTTP/2 responses from Dropbox on some operations
- Tweak: Add a timeout on Dropbox quota look-up operations during backup, in response to cases of faulty outgoing HTTP proxies
- Tweak: The backup_finish() method should not have been private; could cause a harmless PHP abort when manually stopping a backup
- Tweak: Wrong variable context could cause failure of SFTP progress recording
1.16.10 - 23/Mar/2019
Changes
- Feature: Added support for backing up and restoring SQL triggers
- Fix: Prevent the downloader UI being removed before it's complete in the case of multi-archive sets (regression)
- Tweak: Refactor the restore code and use jobdata to save information about the restore rather than using $_POST data
- Tweak: Automatically show the UpdraftClone admin UI for UpdraftClone developers for easier debugging
- Tweak: Prevent a PHP notice with certain exclusion settings
- Tweak: Add a mention of UpdraftClone in WP's PHP version notice and WooCommerce's "untested extensions" notice
- Tweak: Add 5.1 to the built-in list of available UpdraftClone WP versions
1.16.8 - 13/Mar/2019
Changes
- Fix: If requesting clone credentials that were not ready, the loop could rapidly repeat instead of waiting the intended time
- Tweak: Some background updates checks (paid versions) that were intended to be suppressed, weren't being.
1.16.7 - 11/Mar/2019
Changes
- Feature: Add support for bucket-specific application keys in Backblaze
- Feature: Added the ability to take incremental backups via UpdraftCentral
- Fix: Dropbox authorisation setting getting lost after saving UpdraftPlus settings in the free version
- Fix: Issue where an error wasn't thrown if you tried to restore a backup with no valid components
- TRANSLATION: Norwegian (Bokmål) and Polish translations are now complete and supplied from wordpress.org, so can be removed from the free plugin zip (saves 900KB disk space - if your mother tongue is not English and you want to improve UpdraftPlus, take a look at: https://translate.wordpress.org/projects/wp-plugins/updraftplus).
- Tweak: Ride a polling status check on the regular heartbeat check, thereby reducing the need for stand-alone polls
- Tweak: If FTP settings were removed and an attempt was made to download a backup, then a zero-sized file would be created and then an unclear error shown, instead of just showing a clear error.
- Tweak: For premium users: Added the option to connect to UpdraftCentral Cloud at point of connecting a license to a site
- Tweak: If on PHP 5.3 or later, then register our Google SPL auto-loader with the 'prepend' flag, so that we can avoid loading incompatible Google SDKs registered (but not yet used) by other components
- Tweak: Clear settings visuals after wipe settings
- Tweak: Improve UpdraftPlus news layout on dashboard
- Tweak: Handle a case seen where the updates checker failed to load
- Tweak: Prevent a possible PHP notice when requesting a rating
- Tweak: Update to the current series (4.5) of yahnis-elsts/plugin-update-checker (paid versions)
- Tweak: The "follow this link to refresh your (licensing) connection)" (paid versions) link was not functioning
- Tweak: Alert the user in the UI if they have activated a storage destination without any settings
- Tweak: Refactor the remote storage logging code in the S3, Email, Remote send, Backblaze, WebDAV, UpdraftVault, FTP, Google Cloud and Azure modules
- Feature: Ability to purchase UpdraftVault subscriptions, including a new 5GB 1 month trial, directly from the UpdraftVault settings
- Tweak: If a directory is not found during a restore but the parent directory is then, where relevant, UpdraftPlus will automatically try to create the missing directory
- Tweak: Use the correct nonce name when requesting filesystem credentials if needing the WP_Filesystem API to delete old directories
- Tweak: Regression in 1.16.6 - certain types of final errors stopped being shown in the final report and had to be read from the log file
- Tweak: Refactor the remote storage logging code in all remote storage modules
- Tweak: Prevent the download entities UI becoming uglified from multiple button presses
1.16.6 - 14/Feb/2019
Changes
- Feature: Added new S3 intelligent tiering class
- Feature: Ability for user to buy Premium without leaving the plugin's settings pages
- Feature: UpdraftPlus can now catch backups that don't complete because of errors that kill PHP and make sure a report is still sent about them
- Fix: If a very large UpdraftVault upload took more than an hour, then the token could expire without being refreshed (fix in version 1.16.0 was incomplete)
- PERFORMANCE: Modify a condition in the zip-batching algorithm so that greater acceleration in the zip-batching algorithm is allowed on setups allowing very long PHP run times on the initial (zero-eth) resumption
- PERFORMANCE: UpdraftClone now sends larger chunks over the network, leading to faster sending of data
- PERFORMANCE: Force UpdraftClone to use a 100MB split size for better performance (previously intended, but not always working)
- Tweak: Upon restoration, WP's cache directory will be emptied (by default it is not included in backups, so in theory this is a no-op, but the occasional case has been seen where it got populated during the restore process)
- Tweak: Add support for the new Europe (Stockholm) (eu-north-1) AWS region in Amazon S3
- Tweak: Advise the user if they changed the plugin's slug (and so won't be able to get updates) (paid versions)
- Tweak: Make use of wp_get_themes rather than relying solely on get_themes, which is already deprecated
- Tweak: Regression: When a user aborted, a fatal error occurred before all clean-up actions were complete
1.16.5 - 28/Jan/2019
Changes
- Feature: If a restoration is interrupted (e.g. PHP timeout), then the "Continue" feature can now resume not just at the most recent zip file, but within the zip file at the point it had reached (https://updraftplus.com/auto-resuming-interrupted-restores-part-2/)
- Feature: Added command in WP-CLI which gives a list of incremental backups restore points.
- Fix: Regression: When a Dropbox upload failed to complete, UpdraftPlus would log this but fail to retry
- Fix: Again update phpseclib to the latest version which should now fix the 'SSH2 Server Host Key Algorithm Mismatch' on all installs
- Tweak: Correct a wrong variable reference in an error message
- Tweak: Only add the JavaScript for the incremental schedule selection on the UD settings page
- Tweak: Replace incidental use of ipinfo.io now that it requires a paid API key
- Tweak: The print_delete_old_dirs_form method should have been public to allow painting if the user clicked through the previous message
1.16.4 - 17/Jan/2019
Changes
- Fix: Regression: Properly mark backups picked up via "Rescan remote storage" as non-native (preventing unwelcome side-effects such as being pruned by another site)
- Fix: Correctly update the OneDrive refresh token to prevent expiry
- Fix: Again work around an issue with 'SSH2 Server Host Key Algorithm Mismatch' occurring with the current phpseclib release by temporarily reverting to an earlier one as it still does not work on all installs
- Fix: When restoring an incremental backup set via WP-CLI, the selected restore point was ignored
- Fix: If the remote storage settings were for multiple instances of a single backend-type (e.g. two Dropbox accounts), and if the entire backup and send operation completed in a single PHP process, then the local copy of the files would not be deleted
- Tweak: Show the error message if mbstring.func_overload is turned on in php.ini while creating migration key
- Tweak: Added Azure China endpoint
- Tweak: Resolve "dashicons" CSS conflict
- Tweak: Add 'blogmeta' to the list of core tables (in readiness for WP 5.1)
- Tweak: Remove unnecessary deprecated (in PHP 7.3) parameter to define() in WebDAV HTTP library
- Tweak: Prevent a potential PHP notice in UpdraftPlus Premium when installed without network access
- Tweak: Enhance the updraftplus_exclude_file and updraftplus_exclude_directory filters to also pass the stored names
- Tweak: Add a new constant UPDRAFTPLUS_ZIP_BATCH_CEILING that can tweak internals of the zip backup engine
1.16.3 - 10/Jan/2019
Changes
- Fix: Prevent extraction regression (in 1.16.1) when using PclZip (N.B. php-zip is always preferred if installed) on zero-sized files
- Fix: Prevent the incremental backup cron from being incorrectly scheduled
1.16.2 - 07/Jan/2019
Changes
- Fix: wp_doing_cron() was used when unzipping, but requires WP 4.8+ (regression in 1.16.1, which was never released on wordpress.org)
- Tweak: Updated phpseclib to the latest version after the previous workaround to fix the 'SSH2 Server Host Key Algorithm Mismatch' issue
- Tweak: Check-in with the clone during the backup process to make sure it is not prematurely purged
1.16.1 - 01/Jan/2019
Changes
- Fix: If a very large UpdraftVault upload took more than an hour, then the token could expire without being refreshed
- Fix: Version 2.16.0 could write invalid or incomplete JSON when creating the manifest file on an incremental backup under certain circumstances
- Fix: When restoring an incremental backup set via WP-CLI, the restore order could be wrong
- Tweak: Accept and parse the invalid JSON when restoring an incremental archive created on 2.16.0
- Tweak: When running an incremental backup, the backup report would report the time taken to run the backup wrongly
- Tweak: Make the logging on the state of zip extraction more fine-grained (at least every 100MB, 1000 files or 15 seconds)
- Tweak: Re-factoring of zip extraction code to allow for future improvements
- Tweak: Re-factoring of the restore routines to share more code between different entry points, and allow future improvements
- Tweak: Differentiate between failures to JSON-decode an incremental backup manifest file and other types of failures
1.16.0 - 19/Dec/2018
Changes
- Feature: Added the ability to create and restore Incremental Backups (Premium version)
- Fix: Work around an issue with 'SSH2 Server Host Key Algorithm Mismatch' occurring with the current phpseclib release by temporarily reverting to an earlier one
- Tweak: Improve performance by aggregating separate SQL SELECT queries (previously one for each backup) when loading the settings page
- Tweak: internal backup extradata parameter to prevent unwanted PHP notices
- Tweak: Fork a method UpdraftPlus_Filesystem_Functions::unzip_file() to allow for future enhancements
- Tweak: Periodic purging of obsolete job data that didn't get cleaned when expected was not happening on multisite
- Tweak: Improve logging when the initial call to jobdata_set_multi fails
- Tweak: Any stored backup/restore progress log files will now be deleted after 40 days. (Since they are attached to email reports, you can keep and retrieve them from those if needed). Over-ride this with the filter updraftplus_log_delete_age if desired.
1.15.7 - 06/Dec/2018
Changes
- Fix: a method call on an incorrect class which caused a fatal error
1.15.6 - 06/Dec/2018
Changes
- Feature: Added WordPress 5.0 support to UpdraftClone
- Feature: Added the ability to choose the UpdraftClone server location
- Feature: Cut a step from the activation procedure on paid versions, improving reliability on some installs that did not detect available updates
- Tweak: The UpdraftClone video is inserted after clicking a link (prevent unwanted call to the video server)
- Tweak: Replace a 'continue' with a 'break' to prevent a PHP notice on PHP 7.3
- Tweak: (Paid versions) Simplify the constants involved in defining a custom/over-ride licensing server; and show in the 'Extensions' tab if an over-ride applies.
- Tweak: (Paid versions) Remove a library versioning assumption in the processing of results from a licensing claim
- Tweak: (Paid versions) A regression had caused the current UD install version to be sent in an updates check
- Tweak: Re-factoring of scheduling methods into their own class
- Tweak: Tweak the scheduling engine to separate the next resumption time from the maximum run time in the case of overlapping runs, in order to prevent unnecessary large gaps between resumptions in cases where the server allows very long run times
1.15.5 - 19/Nov/2018
Changes
- Tweak: Include the backup set ID in clone ready state file
- Tweak: For Premium users with grand-fathered lifetime updates (i.e. purchased before August 2013), a regression had caused support entitlement expiries to no longer be notified
- Tweak: For Premium users who have downgraded from unlimited licences to another package, a licence expiry message could show when in fact the real situation was that they just needed to specifically allocate a licence to the site. The relevant message has been adjusted to improve this.
- Tweak: Track "more files" incremental backup locations
- Tweak: Don't show individual add-ons that have not been bought in the account add-ons page if the user has Premium.
- Tweak: Include the raw updates check response information in the internal/advanced dump
- Tweak: Added the UpdraftClone video
- Tweak: Ability for user to buy Premium without leaving the plugin's settings pages
1.15.3 - 29/Oct/2018
Changes
- Feature: UpdraftPlus now has an option to auto-update
- Feature: Azure for Government endpoint support (Premium)
- Fix: SSL verification settings were not allowing verification to be turned off for generic S3 storage
- Fix: In some situations in which a user had defined UTF8 as their character set but WordPress was using UTF8MB4, UpdraftPlus was not detecting this
- Fix: Prevent a particular SQL text pattern from wrongly triggering detection of database features when it is within content
- Tweak: Marked as supporting WordPress 5.0
- Tweak: Automatically re-scan for presence of database backup after restoring it, to prevent confusion over its status
- Tweak: Change logic that controls whether the minified or full JavaScript is used
- Tweak: Improve Settings tab UI on mobile
- Tweak: Improve UpdraftClone UI
- Tweak: Improve UpdraftClone temporary page UI
- Tweak: Change method used to record the MySQL version to deal with how MariaDB can report when using a non-MariaDB client library (see: https://github.com/joomla/joomla-cms/issues/9062)
- Tweak: Replace Base64 encoded logo by image file
- Tweak: Hide guided tour on UpdraftClone
- Tweak: Fixed broken automatic backup modal layout
- Tweak: Auto rescan after restoring the remote database
- Tweak: Explicitly set the backup history option to not autoload, as it can get non-trivial in size
- Tweak: Improve UI of excluding things from the backup
- Tweak: Prevent a possible PHP debug notice in methods/backup-module.php
- Tweak: Show progress in browser view port instead of modal dialog when we delete the backup(s).
- Tweak: Added a --db-dummy-restore option to WP-CLI which will run a dummy restore of the database (under an unused prefix) and then drop the tables after it finishes. This option can be useful for testing.
- Tweak: Update the UpdraftClone UI when site information becomes available
- Tweak: Curl errors when interacting with Backblaze B2 will now be passed up for easier debugging
- Tweak: Re-factor add-on remote storage credential testing to make passing debugging information easier
- Tweak: Implement non-default SSL options with Backblaze B2 (previously the defaults were always used)
- Tweak: UpdraftClone: redirect to admin page after using the auto login link
- Tweak: Improve internal more files backup location tracking
- Tweak: Send a single request to download a backup set, rather than one for each file entity
- Tweak: Fix a DOM element whereby multiple nonces had the same id
- Tweak: Automatically build the more files backup location tracking on local rescan
- Tweak: Refactor the remote storage logging code in Onedrive module
1.15.2 - 19/Sep/2018
Changes
- Fix: Asking the tour to cancel on the plugins page did not work
- Fix: an issue where some jobdata did not get set which resulted in the backup email not being sent
- Fix: a regression whereby network-activated plugins could get deactivated on multisites when restoring
- Fix: When database encryption was active, UpdraftClone would fail
- Tweak: There is now a 'Rescan remote storage - log results to console' link in 'Advanced Tools' to aid with debugging
- Tweak: Fixes Migrate / clone tab contents showing on the Advanced tools tab
- Tweak: Attempt to catch, work-around and log when the backup history cannot be saved due to too long a history relative to the MySQL server's maximum packet size
- Tweak: Re-factor and introduce the UpdraftPlus_Storage_Methods_Interface class
- Tweak: Introduce the UPDRAFTPLUS_ENABLE_TOUR constant for power users; set it to false as part of your automated WP installation process (or manually) if you wish to disable all tour functionality.
1.15.0 - 12/Sep/2018
Changes
- Feature: Introducing UpdraftClone. Create a live copy of your site with a button press. Great for testing changes, testing updates (e.g. WordPress core, plugins, PHP versions) and anything else you can think of. More information: https://updraftplus.com/updraftclone/
- Fix: Fix the logic for claiming and activating licences/add-ons.
- Fix: Fixed OneDrive for Business Germany authentication tenant issue
- Tweak: WP-CLI - use dash (-) instead of underscore (_) to separate words, in order to match WP-CLI standards.
- Tweak: Adds close_browser_connection capability for servers using phpfpm
- Tweak: Change multiple backups selection and actions UI
- Tweak: Prevent PHP debug message on backup from UpdraftCentral when processing the service list
- Tweak: Improves manual backup feedback
- Tweak: Fix an out-of-date 'lost password' link
- Tweak: Add filter updraftplus_disk_space_check to allow over-riding disk space check result
- Tweak: Re-factor some of the restore code to enable future enhancements
- Tweak: In the case of an 'always keep' backup, it was possible for the wrong log message to be logged concerning the reason for it being kept
- Tweak: Add log warning and WP Admin notice regarding DreamObjects objects-us-west-1.dream.io endpoint shutting down
- Tweak: Refactor the remote storage logging code
- Tweak: Clean up some confusing UI when dealing with remote send backups
1.14.13 - 15/Aug/2018
Changes
- Feature: WP-CLI - add a 'get_latest_full_backup' command
- Fix: An issue when deleting multiple backups could result in a backup set not found error
- Fix: Polling during a backup when called from outside UpdraftPlus
- Fix: Plugin activation check was running at the wrong point in the restore process
- Fix: The WP-CLI "restore" command returned an unnecessary error if the incremental shim was not present
- Tweak: Multisite tweaks for UpdraftCentral's plugin and theme module handlers
- Tweak: Prevent potential PHP notice on page load when no backup storage is selected
- Tweak: Add scoping to some CSS rules that were too general.
- Tweak: A new "Backup / Restore" tab, which consists of the backup status and existing backups, getting rid of the "Current Status" tab and the "Existing Backups" tab
- Tweak: Remove the possibility of a false-positive warning of a migration-rather-than-restoration if the WordPress home_url setting has legitimate oddities
- Tweak: Improve UI of more database delete button (Premium)
- Tweak: Removed Gold column and redesigned Premium page
- Tweak: Improve UC factoring and introduce a UPDRAFTCENTRAL_COMMAND constant to allow context detection
- Tweak: Tweaked downwards the minimum time in the future for rescheduling a resumption
- Tweak: Deal with a possible issue in automatic collation selection in restoration when all character sets are supported and a collation is not supported
- Tweak: Replace absolute URLs in place of relative URLs in anchor links
- Tweak: Update error code URL for binary zip errors
- Feature: Added OneDrive for Business Germany compatibility
1.14.12 - 17/Jul/2018
Changes
- Feature: Added Plugin guided tour for new users
- Feature: Added UpdraftCentral's theme management module handler
- Feature: User can mark any backup as "do not delete", and it will then not be deleted even when retention limits are hit
- Feature: WP-CLI - add a 'restore' command
- Feature: WP-CLI - Add an option 'delete-during-restore' in the 'restore' command
- Feature: Add optional 'fingerprint' configuration for sftp/scp remote storage, allowing the connection to be halted if the server's fingerprint does not match what was entered
- Feature: Added the ability to take an incremental backup via WP-CLI (note: incremental backups are still considered an experimental/work-in-progress feature)
- Fix: If a user gave the wrong key to decrypt an encrypted database, the "Decryption failed" message did not display
- Fix: Migration was not automatically replacing an unsupported database table engine with the MyISAM engine
- Fix: Issue with the Dropbox account API call on some installs
- Fix: The web server disk space refresh link in the existing backups section was not working
- Fix: The UpdraftPlus news could not be displayed the first time, when the news cache had not yet been created
- Fix: Activating the "all addons" licence did not remove the corresponding 'activate on this account' link in the "Premium / Extensions" tab
- Fix: When the character set in a SET NAMES query was not supported by the current MySQL server, the restoration process was not giving the option to replace the character set
- Tweak: Updated the plugin.php handler for UpdraftCentral's new plugin management module
- Tweak: Update posts handler to fix and update pagination in UpdraftCentral
- Tweak: Refresh UpdraftCentral keys upon successful login or registration using the UpdraftCentral Cloud wizard
- Tweak: Correct admin page URL in WP-CLI 'restore' command when on multisite without multisite add-on
- Tweak: Prevent PHP notice when checking non-existent files in relation to an extraneous whitespace warning
- Tweak: Prevent PHP notices in add-ons with non-present settings
- Tweak: Add the "Migrate / Clone" tab in place of the "Migrate / Clone" dialog
- Tweak: Prevent a call to the deprecated wp_get_sites() function on WP 4.6 and newer
- Tweak: Prevent a potential PHP debugging notice when displaying the 'Connect with your UpdraftPlus.com' form
- Tweak: Do not show the confusing JetPack 'backup' notice on the 'Updates' page
- Tweak: Added clone notices and commands for when UpdraftPlus is running on a UpdraftClone
- Tweak: Move 'Log all messages to syslog (only server admins are likely to want this)' into the 'expert' settings section
- Tweak: Replace a missing class constant in the Dropbox SDK (only relevant to people upgrading from Dropbox API v1 tokens - indicates upgrading UpdraftPlus from a very old version that previously used Dropbox APIv1 but never v2)
- Tweak: It's "backup", not "back up"
- Tweak: Prevent potential PHP debugging notices in restoration step 2
- Tweak: Allow non-Super Admins to access UpdraftPlus Premium if they have 'manage_network_plugins' capability and the updraft_user_can_manage filter is used
- Tweak: Improved code in a way that prevents continuous polling in the themes page, the plugins page and the updates page
1.14.11 - 25/May/2018
Changes
- Fix: Revert a change in 1.14.9 that could cause backups to not be sent to remote storage (the fix in 1.14.10 was not 100% complete, but worked for almost everyone)
1.14.9 - 24/May/2018
Changes
- Feature: Make it more seamless to sign up to UpdraftCentral Cloud
- Feature: Microsoft Azure storage (Premium) compatibility with Azure Germany
- Feature: Added the ability to create migration keys from WP-CLI (Premium)
- Fix: A backup icon/storage shows for a storage type even if all instances were disabled
- Fix: The WP CLI updraftplus command was not running on a few environments, such as the Windows command line
- Fix: A PHP fatal error was occurring when a user tried to restore an encrypted DB when defining the "UPDRAFTPLUS_DECRYPTION_ENGINE" constant
- Tweak: Added the ability to schedule incremental backups (Note you can not yet take incremental backups)
- REFACTOR: Completed factoring for tabs of the settings page.
- Tweak: Some re-factoring and tidying of the restoration code for easier maintenance
- Tweak: Add a longer timeout on SFTP logins to cope with a 'long delay, but then worked' situation seen in the wild
- Tweak: An "Incremental backups" extension was displayed in the Premium / Extensions tab, causing confusion since it is not yet finished/launched
- Tweak: Displays a Byte Order Mark (BOM) warning by giving the file names along with the path in the "Existing Backups" tab, if a BOM is detected at the start of common files that people tend to edit
- Tweak: A WP CLI Existing backup command didn't display a date time in the "job_identifier" column
- Tweak: Add links to the relevant app privacy policies within the settings sections for storage methods using OAuth authorization apps
- Tweak: Log the user and group IDs of the process and of the file/folder when permission for an operation is denied
- Tweak: Prevent a potential PHP debugging notice when showing the 'Upload' button
- Tweak: Update an out-of-date "wrong password" link
- Tweak: Added the "Web-server disk space in use by UpdraftPlus" information to "Site information" section in the "Advanced Tools" tab; it won't show in the 'Existing Backups' tab if you are using less than 100MB.
- Tweak: When a Google Cloud token was invalid, a PHP Fatal could result instead of catching the error and informing/logging nicely
- Tweak: If php-xml (SimpleXMLElement) is not installed, then show an appropriate warning in the Azure configuration section
- Tweak: If the user tries to install another version of UpdraftPlus, then tweak the default error message that they are shown by WP, which is too obscure/cryptic for many users
- Tweak: If a fatal error occurred during uploading a backup, try to recover it and process the upload further
1.14.8 - 12/May/2018
Changes
- Fix: Resuming of a partially uploaded backup archive in the new 'OneDrive for Business' module was not working
- Tweak: When testing SFTP settings, if debug is activated, activate debug logging and pass the results back in the event of test failure (previous attempt was incomplete)
- Tweak: OneDrive SDK cleaned up to remove the obsolete Live 5.0 API
1.14.7 - 25/Apr/2018
Changes
- Fix: Fix incompatibility with loading the dashboard on WP 4.6 and older. If you have this problem, then you cannot visit /wp-admin/ - you will need to update via another tool (e.g. if you have a multiple site management tool), or via FTP (download the https://downloads.wordpress.org/plugin/updraftplus.1.14.7.zip , unzip it on your PC, log in to your site via FTP into the folder wp-content/plugins, remove the existing folder 'updraftplus' and then upload the unzipped 'updraftplus' folder). Many apologies!
1.14.6 - 25/Apr/2018
Changes
- Feature: Added the option to upload locally-available backups to remote storage
- Feature: Add post management module for UpdraftCentral (client-side; UC-side still pending)
- Feature: Added a WP-CLI "rescan-storage" subcommand to the WP-CLI add-on, to rescan either remote storage or local storage
- Feature: Compatibility of the (paid) OneDrive module with 'OneDrive for Business'
- Fix: Multisite restoration did not display single site restoration option when URLs were different but clearly the same site (http/https difference)
- Fix: WebDAV uploads could fail if the user defined the constant UPDRAFTPLUS_WEBDAV_NEVER_CHUNK
- Fix: If UpdraftVault remote had failed, UpdraftVault couldn't recover without settings wipe
- Tweak: Handle a DreamObjects server that was not sending an application/xml content-type header
- Tweak: Handle a case where the root cause of an error from DreamObjects was not being clearly shown
- Tweak: Alert the user of their mistake if they try to enter a URL instead of a folder path in the OneDrive settings folder field
- Tweak: Adjust the PclZip log message to clarify the implications of using PclZip (i.e.: it's significantly slower)
- Tweak: Add support for the upcoming objects-us-east-1.dream.io DreamObjects endpoint
- Tweak: Prevent potential PHP notice in WP-CLI subcommand for existing backups
- Tweak: Add UpdraftPlus news in admin dashboard "WordPress Events & News" widget
1.14.5 - 3/Apr/2018
Changes
- Feature: Add a "Database only" option to the UpdraftPlus email backup options
- Feature: An UpdraftPlus add-on (paid) to run the backup process through WP CLI
- Fix: Restoration did not display the decryption passphrase input (but always used the saved one)
- Fix: Browse content download file was not working in Windows hosting
- Fix: The wrong default for the 'Delete local backup' setting was applied if you had never saved your settings
- Tweak: Prevent a PHP notice showing when testing S3 storage
- Tweak: Prevent a PHP notice when downloading from Dropbox
- Tweak: Improved the migrate UI
- Tweak: Update the bundled cacert bundle to the latest (2018-01-17) release
- Tweak: Add support for the new AWS Paris region (eu-west-3)
- Tweak: Handle short filesystem reads when sending data to Google Drive
- Tweak: Improve handling of PHP errors and exceptions during back-end calls
- Tweak: Update internal OneDrive SDK for compatibility with 'OneDrive for Business' (not yet fully supported)
- Tweak: Internal refactoring and improvements to the UpdraftPlus.com form
- Tweak: Job ID is now separate from the file nonce
- Tweak: Show increments in the UI
- Tweak: Add visibility controls to functions of a stream wrapper class for WebDAV access
- Tweak: Handle errors when getting folder ID from Google Drive more patiently
- Tweak: Display a more descriptive error when a Google Drive authentication error occurs
1.14.4 - 19/Feb/2018
Changes
- Feature: Now supports AWS v4 signatures (allowing use of new AWS regions) with old S3 SDK (which is used on PHP 5.2)
- Fix: WebDAV options filter was not correctly saving any human-chosen description
- Fix: Regression: Rackspace 'new user' wizard was not functioning
- Fix: For chunked storage APIs that require a method to finally re-assemble chunks, if the first attempt failed, then a subsequent failed attempt could be incorrectly marked as having succeeded
- Fix: First instance of each remote storage object was not using its internal default options
- Tweak: Added the ability to restore incremental backup sets (N.B. currently you cannot create incremental backup sets; this is part of our development of that feature)
- Tweak: Edit welcome banner
- Tweak: If 'lock admin' functionality (Premium) has been disabled by the site administrator, then include a line to that effect in the relevant section.
- Tweak: Allow UpdraftCentral classes to have boiler-plate pre and post-call methods
- Tweak: Do a bit more logging for Backblaze B2 uploads
- Tweak: Add a sanity check to prevent some PHP debug notices being logged in an upgrade situation
- Tweak: Resolved unwanted WebDAV remote storage JavaScript console message
1.14.3 - 24/Jan/2018
Changes
- Feature: OneDrive and Google Cloud deauthorise link provided after authentication
- Feature: Added the ability to label remote storage instances (Premium)
- Tweak: Handle a combined error/timing condition seen on DigitalOcean Spaces that could lead to UD thinking that an upload that actually succeeded, did not
- Tweak: Add functions to pull backup status and log for UpdraftCentral
- Tweak: Add command multiplexer function for UpdraftCentral
- Tweak: Audit and regularise use of slash-handling code in AJAX layer
- Tweak: A couple of remote storage error paths were not returning the error information to the upper level correctly
- Tweak: Prevent phpseclib from throwing a fatal upon autoload if mbstring.func_overload is set (see: https://github.com/phpseclib/phpseclib/issues/762); instead, log, or handle in some other way appropriate to the context
- Tweak: Some minor code-styling and linting ignore tweaks
- Tweak: (Regression) After filling the UpdraftVault connect form, pressing Enter was no longer triggering submission
- Tweak: If counting up the total "More files" data when none are configured to be backed up, show "None configured" instead of "Error"
- Tweak: Improve UI of notice when claiming an add-on
- Tweak: Standardise the way OAuth remote storage methods authorise/deauthorise settings
- Tweak: "Wipe Settings" button click event was not asking for confirmation
- Tweak: Add Server Side Encryption (SSE) support to old S3 SDK
- Tweak: Dropbox now uses the internal chunked download API
1.14.2 - 22/Dec/2017
Changes
- Fix: Email backups not sending correctly
- Fix: Buttons in the 'Migrate' dialog box stopped working after you switched tabs (until you reload the page)
- Fix: Unable to delete multi-storage S3 instances
- Tweak: Remove duplicate DOM id for nonce fields
- Tweak: Correct name of PutObjectAclVersion permission when requesting it in S3 wizard
- Tweak: Improve S3 log message to make clear which back-end a message is coming from
- Tweak: Improved migration warning message if migrator addon is available and restoration site url is slightly different than current site url
- Tweak: New non-existent Backblaze B2 buckets are now created automatically
- Tweak: Suppress expected (but confusing to some users) "404 not found" message in the log when WebDAV backup file is at 0% uploaded
1.14.1 - 12/Dec/2017
Changes
- Feature: Backup to multiple remote storage accounts of the same type
- Tweak: Remove all the lines "X is a great choice, because it supports chunked uploading..." from the UI. Almost everything did support it, but not everything mentioned it, which could cause confusion.
- Tweak: Prevent a PHP log notice in some settings savings scenarios
- Tweak: Add missing filter for processing changes to Google Cloud, OneDrive and Azure settings (Premium storage option) on multisite
- Tweak: Minor internal re-factoring: move hard-coded storage back-end names out of options and multisite addon classes.
- Tweak: Prevent a PHP log notice during backup on PHP 7.2
1.13.16 - 07/Dec/2017
Changes
- Tweak: Remove Ukrainian translation files from wordpress.org zip (translation now complete, will download from wordpress.org separately)
- Tweak: Adding V4 Signature properties and methods to old S3 SDK
- Tweak: Migrator add-on: keep a log of tables as they are created
- Tweak: Tweak wording on the 'Premium/Extensions' tab
- Tweak: Change the order of classes in methods/cloudfiles.php to work around a PHP install bug seen in one instance
- Tweak: Be less aggressive about logging a usually unnecessary internal message about settings
- Tweak: Improve UI of migration notice in free version
- Tweak: Resolve PSR4 autoloading conflict with older version of Composer
- Tweak: Pruning will now prune backups from multiple storage destinations of the same type (not yet a user-visible feature)
- Tweak: Update the 'ifeq' handlebars helper to resolve a conflict with MainWP
1.13.15 - 28/Nov/2017
Changes
- Fix: Updated OneDrive SDK to allow for PHP 7.2 (due for release soon) compatibility
- Fix: When multiple remote backup destinations existed, pruning of old backup sets was not removing from all destinations (recent regression)
- Fix: When re-scanning a Rackspace Cloud Files remote location, only the first 100 files were processed
- Fix: Backups being downloaded twice from Dropbox during a restore which could cause unexpected results upon a site migration
- Fix: The 'SCP' and 'Server-side encryption' checkboxes in the settings were always ticked in the browser upon reload, regardless of the saved setting (regression in 1.13.14)
- Tweak: Improve export settings file name by appending site name to export download file
- Tweak: Perform escaping of table names in SQL calls without using esc_sql()
- Tweak: Site option is deleted before updating it in multisite
- Tweak: Improve WebDAV remote method upload speed
- Tweak: Improve WebDAV remote method download speed
1.13.14 - 21/Nov/2017
Changes
- Fix: Search/replace checkbox was not appearing when migrating a multisite setup
- Fix: WordPress 4.8.3 introduced a breaking internal change in the WordPress database API, which broke the search/replace of strings including percent signs. Updated Migrator code to handle this.
- Fix: WebDAV remote storage settings not being loaded onto the settings page properly
- Fix: Rewrite of the legacy (PHP 5.2) S3 SDK class to fix pruning of old backup sets when multiple storage back-ends that are all based on S3 are in use.
- Tweak: Improve formatting of restoration warnings
- Tweak: Add css classes to backup templates
- Tweak: Standardise the way storage classes are internally stored/retrieved
- Tweak: Remote storage modules configuration templates transition using handlebars.js
- Tweak: Adjust message mentioning mcrypt which is not needed if php-openssl is installed
- Tweak: Add UPDRAFTPLUS_USE_WPDB constant
1.13.13 - 02/Nov/2017
Changes
- Fix: Google Drive Custom App authorisation and de-authorisation was not working
- Fix: Rackspace new user creation had stopped filling the new credential fields automatically after successful creation of a new user
- Tweak: When migrating, the detected search/replace terms now make sure that http and https variants are both included as search terms
- Tweak: Make the internal error code with OneDrive auth failures more accurate
- Tweak: Remote storage modules configuration templates transition using xamin/handlebars.php libraries
- Tweak: Changed the Dropbox authentication flow to not send a GET request on large URLs
- Tweak: Improve error message when invalid bucket name given by user for Backblaze remote storage method
1.13.12 - 25/Oct/2017
Changes
- Tweak: Showing search/replace checkbox option only when needed.
- Feature: Warn the user if their .htaccess seems to contain a redirect (or any other reference) to the old site after migration.
- Feature: When importing a database, warn the user if the current MySQL server does not support a used collation, and offer to replace it
- Fix: Saving of S3 settings had taken a dislike to buckets beginning with a capital 'B'
- Fix: UpdraftCentral users' module was failing to handle loading a very large number of users
- Tweak: Allows the installation and/or activation of the WP-Optimize plugin from UpdraftCentral
- Tweak: Add multisite attribute to the error response object for the create user, delete user and edit user actions.
- Tweak: All remote storage methods are ported over to using configuration templates internally
- Tweak: Include a method to add a manifest file inside each backup archive
- Tweak: All code relating to the now-dead Dropbox APIv1 removed (N.B. If you've not updated UpdraftPlus since November 2016 and were using Dropbox, it won't be working - https://blogs.dropbox.com/developers/2017/09/api-v1-shutdown-details/)
- Tweak: Prevent a PHP log notice upon database backup restore when using Google Drive without a client ID
- Tweak: Prevent the final 'Restore' button being pressed a second time
- Tweak: Improvements to the UpdraftCentral wizard
- Tweak: Update to trunk version of plugin updater (paid versions), restoring the ability to work on older WP versions (3.8 and before)
- Tweak: Add lbakut_activity_log to the list of large log tables
- Tweak: Updater in paid versions now requests JSON as response format for responses when claiming entitlements
- Tweak: Resolve: Backup labels could end up with extraneous slashes in output
- Tweak: Updater in paid versions can now receive and process update information in response to an entitlement claim - one less HTTP round-trip
- Tweak: Improve the Google Cloud authentication success message for when the bucket name is not defined
- Tweak: UpdraftVault commands now pass an instance identifier
- Feature: Backups can now be uploaded to multiple instances of the same remote storage, but it is not yet possible to add multiple instances
1.13.11 - 27/Sep/2017
Changes
- Fix: Fix a failure (regression in 1.13.8+) to download some backup sets which pre-date the existence of instances
- Fix: Fix a failure to backup in the short-lived 1.13.10 (many apologies)
- Tweak: When logging an Exception or Error, include a backtrace (WP 3.4+)
- Tweak: Prevent a PHP warning during a save of the backup history
- Tweak: Added a MetaSlider notice in the notices collection
- Tweak: Put a try/catch block that will catch PHP exceptions/fatals (PHP 7.0+) during encryption phase, so that any issues can be logged
1.13.9 - 25/Sep/2017
Changes
- Feature: Backblaze B2 (https://www.backblaze.com/b2/) support in UpdraftPlus Premium
- Tweak: Port job data used by Azure, Google Cloud and OneDrive storage to being instance-local (now believed to all be ported)
- Tweak: The automatic correcting of wrongly-input S3 and FTP settings had regressed in a recent version
- Tweak: Various small fixes to the standards compliance of the HTML output in the remote storage settings area
- Tweak: When deleting backups with multiple remote storage instances of the same type, order the attempts
1.13.8 - 21/Sep/2017
Changes
- Feature: When importing a database, warn the user if the current MySQL server does not support a used character set, and offer to replace it (with a link explaining the risks)
- Feature: Generic S3 storage module can now use non-default ports (specify by appending :(port number) to the host name)
- Fix: Re-scanning of remote storage would fail to detect a file manually uploaded to a secondary remote storage location if not also present locally. Various other (unlikely) corner-case rescanning scenarios also tested and fixed.
- Tweak: Some enhancements to the S3 internals, to make the "S3 Generic" module behave better (it already worked) with the forthcoming DigitalOcean Spaces (object storage) (see: https://updraftplus.com/use-updraftplus-digital-ocean-spaces/)
- Tweak: UpdraftCentral will no longer show updates which WordPress core lists which appear to be of the same version number
- Tweak: Handle trying to download a zero-sized file through the browser more elegantly
- Tweak: When pressing 'Delete', the "also delete remote backup" checkbox was showing even for backups without remote storage
- Tweak: Abstract history handling into a separate class, UpdraftPlus_Backup_History, for easier maintenance
- Tweak: Remove a use of count() on a string to prevent a new PHP notice on PHP 7.2+
- Tweak: Some changes to the UpdraftCentral connection tool to make it more user-friendly
- Tweak: Clarified and documented the re-scanning code, and made it compatible with the increased flexibility needed for incremental backups in future
- Tweak: Tweaked UpdraftCentral GA handler to support Tracking ID editing and disconnection.
- Tweak: In the free version, if the only difference between backup and site URLs is http/https, then show a different message to make the situation clearer
- Tweak: Make the UPDRAFTPLUS_IPV4_ONLY constant take effect more widely
- Tweak: Do not duplicate remote instance ID records in the backup history when re-scanning
- Tweak: Keep the remote instance ID list consistent with the remote service list when re-scanning
- Tweak: Prevent a PHP notice that could appear for locally stored backups in UpdraftPlus::get_storage_objects_and_ids()
1.13.7 - 06/Sep/2017
Changes
- Fix: UpdraftCentral connectivity for various operations restored (regression in 1.13.6)
- Fix: No error message was being shown when a backup to local storage was missing upon restore
- COMPATIBILITY: Replace uses of the deprecated (PHP 7.2+) each() function
- TRANSLATION: Portuguese (Portugal) and Romanian translations are now complete and supplied from wordpress.org, so can be removed from the free plugin zip
- Tweak: Fix some wrongly-called translation functions, and pull more known strings into the Premium version
- Tweak: Remove the legacy parameter for setting storage upload job status data (only useful for version downgrades of more than 1 release during in-progress backups)
- Tweak: Exclude some unnecessary build and unused files from the release zip (reduce disk space and download size)
1.13.6 - 05/Sep/2017
Changes
- Feature: Google Drive authorisation now goes via an officially registered app for easier connections to Google Drive.
- Feature: Include commands for UpdraftCentral's (https://updraftcentral.com) Google Analytics management facility (check the changelog.txt for the release)
- Fix: Correct handling of OneDrive folder names featuring spaces (possibly a regression/change in the handling at OneDrive's end)
- Tweak: Prevent messy layout when the last log message is very long
- Tweak: Log catchable fatal errors and exceptions during backup in PHP 7
- Tweak: Log catchable fatal errors and exceptions during restore in PHP 7
- Tweak: Log catchable fatal errors and exceptions during backup download in PHP 7
- Tweak: Reduce amount of database logging during existing zip analysis, database backup and pruning stages
- Tweak: In AJAX/JSON responses, automatically detect and handle corrupted output (e.g. setups where PHP debugging notices are configured to come to the browser)
- Tweak: Catches and more elegantly handles errors when a settings import file cannot be JSON-parsed
- Tweak: Request list of available add-ons (paid versions) from the mothership in current format
- Tweak: Added custom backup message parameter backupnow_message in function updraft_backupnow_inpage_go()
- Tweak: General code tidy-up, making older code conform to our current standards
- Tweak: Add the possibility of passing back associated data with test results, and log it in the browser console
- Tweak: When carrying out a remote storage test, pass the state of the 'debug' setting
- Tweak: When testing SFTP settings, if debug is activated, activate debug logging and pass the results back in the event of test failure
- Tweak: Optimise away a database query in the case of no UpdraftCentral keys existing
- Tweak: Removed "Reduced Redundancy" storage class from Amazon S3 remote storage options, because Amazon are deprecating it (and it now costs more, for inferior redundancy - https://updraftplus.com/forums/topic/amazon-is-phasing-out-reduced-redundancy-storage/)
- Tweak: Backup files missing error message corrected
- Tweak: Add the handlebars-js and xamin/handlebars.php libraries
- Tweak: The FTP storage module has been ported to outputting its configuration via a template
- Tweak: Introduce internal API and port all job data saved in storage modules to be instance-local
1.13.5 - 08/Aug/2017
Changes
- Tweak: Manage phpseclib through composer
- Tweak: Do less logging to database when resuming and noticing already-processed tables (saves resources)
- Tweak: Returns comment status when updating comments from UpdraftCentral
- Tweak: Update plugin-updates-checker library to current (4.2), and manage via composer, replacing bundled copy in the build source
- Tweak: Replace uses of create_function(), which is deprecated on PHP 7.2
- Tweak: Replace deprecated constructors (PHP 7+) in webdav module
- Tweak: Documentation showing plugin developers how easy it is to add in-page backups to their plugin: https://updraftplus.com/add-take-backup-functionality-plugin/
- Tweak: Make the UpdraftCentral updates checking able to cope with a wider range of third-party schemes
- Tweak: General code tidy-up, making older code conform to our current standards
- Tweak: Minor version updates of some bundled libraries
- Tweak: Produce and use minified resources (CSS/JS) where available
- Tweak: Update class-udrpc to latest (1.4.14) which removes a conflict with other code that may interact with CORS OPTIONS requests
- Tweak: Escape log lines when sending for display (theoretically an XSS security issue, but to achieve a successful attack, someone would have to first get something malicious into the log file, which is difficult as there are not many places where foreign input can end up in the log file - e.g. hack into Dropbox and cause Dropbox to send you back malicious HTML in an error message - and then be able to persuade you to both take a backup triggering the problem and then view the log file in your WP dashboard)
- Tweak: Update Google Cloud bucket locations
1.13.4 - 08/Jun/2017
Changes
- Fix: Import function had a regression and was not coping with all formats
- Tweak: When the import function failed, the error was not shown to the user
1.13.3 - 07/Jun/2017
Changes
- Fix: Revert Dropbox authentication change in 1.13.2, which was not working on all sites
1.13.2 - 07/Jun/2017
Changes
- Tweak: Marked as tested and compatible on WordPress 4.8
- Tweak: Dropbox authentication flow can now use POST for the final step, side-stepping (arbitrary) parameter length restrictions on some Apache mod_security setups
- Tweak: Prevent a possible PHP notice when curl is not present
- Tweak: Point Clef users towards Keyy
- Tweak: Do not open an alert box when the user changes their site ID in 'Advanced Tools'
- Tweak: Fix parameters to updraft_check_overduecrons() JS function
1.13.1 - 09/May/2017
Changes
- REFACTOR: Completed re-factoring of the remote storage modules, so that now all remote storage code has completed this current stage of re-factoring (more to come in future - laying the foundation for a significant new feature)
- Fix: Added a nonce to the Dropbox deauth link. This is a minor security issue - someone personally targeting you, who knew that you were logged in to your WordPress admin, and who could persuade you to visit a personally-crafted web page, could cause the connection between UpdraftPlus and your Dropbox to be broken. The only impact of this is that the sending of your next backup to Dropbox would fail, and you would be alerted about the need to re-connect.
- Fix: Import settings now handle the new remote storage options format
- Fix: The zip file browser was not working in free versions
- Tweak: Added a version check when saving settings to prevent errors or lost settings
- Tweak: 'Existing Backups' table now shows an icon for each remote destination that the backup was sent to
- Tweak: Update SSL CA certificates file
- Tweak: If, when uploading to S3, a file is not found, handle it slightly more elegantly
- Tweak: Work with some WebDAV servers that previously sent empty responses to OPTIONS requests
1.12.40 - 01/Apr/2017
Changes
- Tweak: The in-page log file display had stopped continuously updating in 1.12.32
- Fix: In some circumstances, settings for the storage modules refactored in 1.12.37 could fail to show
- Fix: The free version of 1.12.37/38 in some circumstances could fail to complete Dropbox authentication
1.12.38 - 31/Mar/2017
Changes
- Tweak: Dropbox API v2 call to de-authorise a token was failing
- Fix: Prevent a fatal error when attempting to use a backup method with no options set
1.12.37 - 31/Mar/2017
Changes
- Feature: Browse the contents of a backup from within your WordPress dashboard, and (with Premium) download individual files from it
- Fix: Fix an issue that could occasionally cause corruption of interrupted Dropbox backups. All Dropbox users are recommended to update asap.
- Tweak: Remove debugging statement inadvertently left in 1.12.36
- Tweak: Re-factored remote storage handlers via add-ons so that there was a cleaner and more consistent class hierarchy (preparation for future improvements). N.B. If you subsequently downgrade to an older version of UpdraftPlus, you will need to re-enter the settings for some remote storage options.
- Tweak: List of checksum algorithms run over backups and logged now includes SHA256, and is filterable (SHA1 now considered deprecated)
- Tweak: Allow chunked database encryption to try and resume in the event of an error
- Tweak: Improve the premium/extension tab content
- Tweak: Fix an issue whereby the UpdraftVault settings section could show a bogus problem with checking quota immediately after initial setup
- Tweak: When requesting a download, work around buggy browser/server that continued after Connection: close
- Tweak: Improve the UI experience when downloading a log file for display fails
- Tweak: Prevent PHP notice if another plugin cancels a cron event
- Tweak: Tweak semaphore handling and enhance logging
AIOS
5.4.7 – 27/Apr/2026
Changes
- Feature: Added a dashboard widget for the top 5 failed login attempts by IP & username and a chart for the number of failed logins over the last 7 days.
- Fix: WordPress 7.0 admin UI compatibility issues resolved.
- Fix: Blacklist IP and User Agent firewalls could still be active when turned off.
- Fix: Table sorting indicators not being shown on WordPress version 6.3 and above.
- Fix: “Set up IP address detection settings” button not working in setup notice.
- Fix: Bulk actions and filter missing from tables on mobile resolutions.
- Fix: Resolved an issue where HTML tags were appearing in the “Rename Login Page” description.
- Fix: 404 events no longer logged for genuine search bots (e.g. Google/Bing/Yahoo).
- Fix: Used esc_url_raw() instead of sanitize_url() to resolve the deprecation notice in WordPress 5.0.
- Fix: Fixed “ReflectionMethod::setAccessible is deprecated as of PHP 8.5” notice.
- Fix: PHP Notice on WP < 5.5.0 when installing from zip. Undefined property: Plugin_Upgrader::$new_plugin_data
- Fix: Resolved PHP warning – WPCF7_TagGenerator::add(): Use of tag generator instances older than version 2 is deprecated.
- Tweak: Improved password strength tool readability by using zxcvbn library included in WordPress.
- Tweak: Various text improvements/updates for better clarity and explanation of features.
- Tweak: Updated the Googlebot IP range API URL.
- Tweak: Updated the UI for the security points breakdown widget
- Tweak: Hash HTTP Authentication password.
- Tweak: Add a notice for PHP 7.3 and below end of support.
5.4.6 - 27/Jan/2026
Changes
- Fix: PHP Fatal error: Uncaught Error: Call to a member function get_user_otp_algorithm() on null.
- Fix: Prevent redirection to settings when AIOS is installed through the onboarding wizard of another plugin.
5.4.5 - 05/Jan/2026
Changes
- Feature: Added onboarding wizard on activation of the plugin.
- Feature: Added reports function for UDC.
- Feature: Added additional commands for interoperability with UDC
- Fix: Logged in users table not correctly tracking multiple sessions.
- Fix: Removed scrolling from the PHP Rules tab so that Internet Bot settings, WP REST API, and other options are visible.
- Fix: Exempt UDC commands from brute force prevention.
- Fix: Login lockout save command for UDC.
- Fix: Update needed in spam protection command for UDC.
- Fix: Resolved an issue where some privileges were incorrectly displayed in the debugging report for database information.
- Tweak: Updated the rename login page URL parser to prevent a deprecated error caused by passing null to the rtrim() function.
- Tweak: Update scanner command to output last scan time at end of scan for UDC.
5.4.4 - 5/Nov/2025
Changes
- Feature: Added new and improved existing modules for UpdraftCentral.
- Fix: The theme's custom 404 page does not parse and instead displays the shortcodes for wp-login.php, due to the login page having been renamed.
- Fix: 404 detection was not working when using a custom 404 template page.
- Fix: PHP Strict Standards warning for AIOWPSecurity_Base_Tasks::run_for_a_site()
- Fix: Changed slider control class name from `slider` to `aiowps_slider` and updated CSS to prevent conflict with other plugins.
- Fix: Resolved deprecated error in fputcsv() by providing the required $escape parameter when exporting CSV files.
5.4.3 - 8/Sep/2025
Changes
- Feature: Added a feature to enforce the use of strong passwords by users
- Fix: Bypass Cookie based brute force prevention using AJAX request.
- Fix: PHP notice - the translation load text domain was called incorrectly.
- Fix: Resolved call to undefined function disk_total_space in wp-security-debug.php when the hosting provider has disabled this PHP function.
- Fix: Fatal error when accessing an array query parameter when the login page has been renamed.
- Fix: Chrome console error where the maths captcha <label> referenced a missing input 'id', causing autofill and accessibility issues.
- Fix: The AIOS translation .pot file does not include TFA labels.
- Fix: When a user profile is updated, HIBP's 'Enforce on profile update' setting incorrectly triggers an error if the password has not been changed.
- Tweak: Added 'aios_blocked_request_redirect_url' filter to allow permanently blocked IPs to be redirected to a custom URL rather than 127.0.0.1.
- Tweak: Create new AIOS tables and update current AIOS tables to use the InnoDB engine.
- Tweak: Moved the '6G firewall rules' feature to the PHP rules tab
- Tweak: Moved the 'Internet bots' tab into the PHP rules tab
- Tweak: Resolved issue where IP detection status was always off for Debugging tab.
- Tweak: The Manually approve registered users list should display the error message "You cannot block your own IP address".
5.4.2 - 15/Jul/2025
Changes
- Feature: Ability to enforce checking passwords against the HIBP API when updating user profiles and resetting passwords.
- Feature: Add ability to upgrade all unsafe http calls on the site.
- Fix: Disabled application password link doesn't go back to the correct place.
- Fix: Fatal in the firewall's message store.
- Fix: Malformed URLs in User accounts tab.
- Fix: Users are logged out on Contact Form 7 submit if salt postfix enabled
- Fix: The 'Set Password' page does not load for the user when cookie-based brute-force protection is enabled.
- Fix: Disallow unauthorized REST request is enabled, but the /wp-json/ shows the rest routes and rest api details
- Tweak: Add AJAX message store helper
- Tweak: Disable user enumeration error; aios_user_lists_forbidden should return a 403 response code instead of a 500.
- Tweak: Rename the WP Admin menu item from 'WP Security' to 'AIOS' and update the icon to current version.
- Tweak: Show AJAX table action response in popup modal
- Tweak: Make the plugin more PCP compliant
- Tweak: Add a notice for PHP 5.6 end of support.
- Tweak: Change url from twitter.com to x.com
- Tweak: Made changes to the advert links in the thank you dashboard notice.
5.4.1 - 21/May/2025
Changes
- Fix: Call to undefined function AIOWPS\Firewall\sanitize_text_field() fatal error solved.
- Fix: Resolved an issue where some information in the debugging report email was inconsistent with the information shown at Dashboard > Debugging
- Fix: Fixed a “call to undefined function wp_strip_tags” error in wp-security-user-login.php
- Fix: Resolved an issue where raw HTML was displaying in the info box under User Security > User Accounts > User Display Name
- Fix: Renamed the login page when it was exposed via auth_redirect by other plugins (e.g., Gravity Forms preview)
- Fix: Fixed an issue where the password reset functionality did not work with the renamed login page feature
- Fix: Resolved missing translations on the login page after enabling the “Rename login page” feature
- Fix: Updated the custom login page layout to match the new default WordPress login page design
- Fix: Fixed the redirection issue occurring after plugin reactivation when the cookie brute force options are saved in the database
- Fix: Fixed the undefined variable $error in wp-security-user-security-commands.php
- Fix: Fixed the login lockout request issue
- Fix: Bulk "Delete selected" action in the Audit Log list was not working
- Fix: Corrected AIOWSPEC prefixes to AIOWPSEC
- Fix: The 5G Firewall switch is behaving inversely, enabling it removes .htaccess rules, while disabling adds them.
- Fix: Fixed the HTML code shown incorrectly on the .htaccess tab
- Tweak: Updated links to point to our new website
5.4.0 - 27/Mar/2025
Changes
- Fix: Replaced firewall URI parsers with non-WordPress methods
- Fix: Resolved PHP 5.6 compatibility issue caused by the ?? operator in 5.3.10
5.3.10 - 26/Mar/2025
Changes
- Feature: Added commenting capability to IP whitelists
- Feature: Added diagnostics reporting
- Feature: Added a whitelist and user role-based access limit to the REST API firewall
- Fix: "Undefined index: path" error when front-end HTTP Authentication is enabled.
- Fix: Resolved dashboard translation issue where text lacked whitespace and was not properly translated
- Tweak: Remove uses of unserialize without restriction of allowed_classes
- Tweak: Refactored IP commands class to use response helper
- Tweak: Removed WP REST API tab
- Tweak: Switched "Critical Feature Status" toggle buttons on the dashboard to a status light system
- Tweak: Updated the security strength meter on the dashboard
- Tweak: Improved the dashboard widget to display a chart showing the number of logins over the last 7 days
- Tweak: Enhanced the maintenance mode switch on the dashboard for consistency with the rest of the plugin
- Tweak: Converted Brute Force menu actions to use AJAX
- Tweak: Updated seasonal notices
5.3.8 - 16/Dec/2024
Changes
- Fix: Updated the plugin notices to fix translation-related fatal errors.
5.3.7 - 5/Dec/2024
Changes
- Tweak: Change response code for blocked unauthorized REST requests to 403.
- Tweak: Temporarily removed firewall logging
5.3.6 - 3/Dec/2024
Changes
- Fix: Resolved an issue with the AIOS_Firewall_Resource class
5.3.5 - 24/Nov/2024
Changes
- Fix: Custom .htaccess rules are now properly escaped, with backslashes removed.
- Fix: Import settings failed when visitor lockout messages had text alignment or other formatting applied
- Fix: The audit log filter for event type now works correctly, even when the event type is translated into languages other than English
- Fix: Resolved text overflow in the blue box on the Settings > WP Version Info page
- Fix: Some user meta keys were not being removed after uninstalling the plugin
- Fix: Subsites no longer incorrectly detect the Database Prefix feature as active
- Fix: Prevented fatal errors from missing firewall resources, replacing them with debug log entries
- Fix: WordPress database error: BLOB, TEXT, GEOMETRY, or JSON columns cannot have a default value set
- Fix: The load_plugin_textdomain function is called during the init action, and translations are applied afterward
- Fix: Renamed login page is now using the WordPress translations
- Tweak: Added a filter for PHP firewall rules templates
- Tweak: Updated the country code field for audit logs to be based on the IP address (Premium)
- Tweak: Improved the text in the 404 detection tab
- Tweak: Moved the allowlist into the blacklist tab, and renamed it to "Block & Allow Lists"
- Tweak: Moved the WP REST API feature to the PHP rules tab
- Tweak: Refactored multiple command classes to use the new AJAX response helper method: Tools, File scan, Files, Settings, and Log commands classes
- Tweak: Updated the UI for the .htaccess rules, Captcha settings and file protection tabs
- Tweak: Added a note in Settings > Delete plugin settings tab
- Tweak: Early calls to get_plugin_data() no longer require translations
- Tweak: Refactored the firewall command class to use the response helper method
- Tweak: Added a constant AIOS_DISABLE_HTTP_AUTHENTICATION. Define this in your wp-config.php to disable HTTP authentication
5.3.4 - 21/Oct/2024
Changes
- Feature: Added an HTTP authentication feature that allows protecting the site with a username/password login.
- Fix: Added a new method to reset the firewall rules under general settings
- Fix: Resolved the issue with post cache which caused an issue with comment spam prevention
- Tweak: Added a helper class for API requests
- Tweak: Removed whitespaces at end of sentences
5.3.3 - 16/Sep/2024
Changes
- Feature: Added captcha option for WooCommerce classic guest checkout page.
- Fix: Fixed responsive layout issues with dashboard notice logo on mobile devices.
- Fix: Turnstile captcha widget showing multiple times
- Fix: Solved memory issue for reading larger host system log file
- Fix: Removed .htaccess options from the Settings menu on Nginx, IIS and unsupported web servers
- Fix: Resolved UX popup issue and firewall allowlist sanitization
- Fix: Resolved an issue where bulk table actions were still executed even if the confirmation dialog was canceled.
- Fix: Added a null check to prevent PHP warnings in firewall rules
- Tweak: Ajaxified the actions in the settings, filesystem security, spam prevention and user security menu
- Tweak: Added Ajax support to list tables and the audit log
- Tweak: Added CAPTCHA field to MemberPress forgot password and registration forms
- Tweak: Excluded .htaccess tabs from settings if the server is not supported
- Tweak: Updated the firewall rules UI and malware scanner description
- Tweak: Tweaked the htaccess backup method to generate the random filename
- Tweak: Removed 'prevent access to default WP files' from .htaccess and added 'license.txt' to deletion list.
5.3.2 - 06/Aug/2024
Changes
- Fix: Bug that allowed subsite admins to delete audit logs of other subsites
- Fix: Disabled blacklisting on subsites because the PHP-based firewall currently applies to the entire multisite
- Fix: An issue with getting the google bot ip ranges
- Tweak: Added extra protections in place before modifying the .htaccess file
- Tweak: Actions in the tools, firewall and scanner menu are now processed via AJAX
- Tweak: Trimmed leading and trailing whitespace from inputs in the WHOIS lookup tab
- Tweak: Added a confirmation pop-up when users clear records in the Debug Logs table
- Tweak: Added captcha support for the MemberPress plugin
- Tweak: Improved the UX of the WP REST API options
- Tweak: Internal code improvements to improve maintainability
- Tweak: Updated the feature manager to improve performance
- Tweak: Fixed the issue of blank tables on mobile view
5.3.1 - 26/Jun/2024
Changes
- Feature: Added CAPTCHA to password protected pages/posts
- Fix: Captcha not showing on the BuddyPress registration page
- Fix: WooCommerce logout issue when the renamed login page and login whitelist features are both enabled
- Fix: Missing CAPTCHAs when multiple WooCommerce login and register forms are on the same page
- Fix: Fixed an issue with the 404 detection actions
- Fix: A UI issue with the 2FA QR code image
- Tweak: Added the attribute data-cfasync="false" to the default captcha url to allow loading on Cloudflare Rocket Loader
- Tweak: Purge login lockdown table records after 90 days to restrict size. The AIOS_PURGE_LOGIN_LOCKOUT_RECORDS_AFTER_DAYS constant has been added to change the default.
- Tweak: Updated the malware scanner frequency text from daily to weekly
- Tweak: Updated the password strength meter UI for the password tool
- Tweak: Add a 'Lock IP' and 'Blacklist IP' link to the IP column of the audit log.
- Tweak: Enhance fake Googlebot detection. In the case where gethostbyaddr fails, the firewall will fallback to checking against known Googlebot IP ranges
- Tweak: Updated the column header for the "Permanent Blocked IP Addresses" table to be consistent with other tables
- Tweak: Prevent warning when DISALLOW_FILE_EDIT has already been defined
- Tweak: Fix instances of one translation function being used for multiple sentences
- Tweak: Improved the UX during AJAX calls
- Tweak: Removed Trash spam comments duplicated description
5.3.0 - 01/May/2024
Changes
- Feature: Added bulk force logout features for logged in users
- Fix: An issue with the WooCommerce my account page logout function when the cookie based brute force feature is turned on
- Fix: Warning undefined array key SCRIPT_FILENAME
- Fix: Custom redirection after login not working if url contains the redirect_to parameter
- Fix: List of administrator accounts not showing on the user security page
- Fix: Issue with cookie based bruteforce prevention solved if salt postfix feature is on.
- Fix: Fixed country field not showing in the 404 event logs (Premium)
- Fix: Fixed country field not showing in the smart 404 blocked IP log (Premium)
- Tweak: Fixed an issue where translations followed the site settings instead of the admin user's set language
- Tweak: Firewall upgrade changes are applied without access to the admin interface
- Tweak: Change the labels for the switches to a more appropriate wording
- Tweak: In the file scanner results show the file sizes in a human readable format
- Tweak: Updated the default message for attempts to access wp-admin
- Tweak: Internal refactor of the update code to improve code clarity.
- Tweak: Port the 'Block fake Googlebots' feature to the PHP-based firewall
- Tweak: Remove requirement for at least one IP for 'Blacklist', 'Login whitelist' and 'Login lockout IP whitelist' to be enabled.
- Tweak: Added error message when a user tries to block their own IP on registration approval
- Tweak: Added method to update badge on AJAX call
- Tweak: internal refactor of the AIOWPSecurity_Utility_File class to improve code clarity
- Tweak: Seasonal notice content update for 2024
5.2.9 - 06/Mar/2024
Changes
- Fix: Remove call to update_event_table_column_to_timestamp in update routine
- Fix: Remove call to wp_timezone() which is only available in WP 5.3+
5.2.8 - 05/Mar/2024
Changes
- Fix: The user check that affects the Duo authentication plugin
- Fix: Database update routine is now run without needing to visit the admin interface or each individual site in a multisite
- Fix: Some settings in the firewall menu not resetting after deactivating and reactivating the plugin.
- Tweak: Audit log and 404 events CSV export file date time column is now in a human readable format not unix timestamp
- Tweak: Debug log table existing datetime field converted to timestamp to be timezone independent
- Tweak: Global meta table existing datetime field converted to timestamp to be timezone independent
- Tweak: Permanent block table existing datetime field converted to timestamp to be timezone independent
- Tweak: Refactor list item actions to further improve code clarity
- Tweak: Removed blacklist admin menu as previously announced
- Tweak: Removed miscellaneous admin menu as previously announced
- Tweak: Removed various admin menu tabs as previously announced
- Tweak: Store IP lookup result for other types of entries in the login lockdown table
- Tweak: Update the footer review prompt
- Tweak: Max file upload size limit to 250 MB by aiowps_max_allowed_upload_config filter removed
- Tweak: Improve comment spam detection to not interfere with other forms
5.2.7 - 06/Feb/2024
Changes
- SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.
5.2.6 - 06/Feb/2024
Changes
- SECURITY: Removed unnecessary use of the "tab" query parameter on various admin menu pages to prevent a non-persistent XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect. (This would allow an attacker who deliberately targets you whilst logged in as an administrator and persuades you to visit a link he controls to inject unwanted scripts on a single visit to your AIOS admin page).
- Feature: Added logout event to the audit logs
- Feature: Add ability to delete the default readme.html file and wp-config-sample.php file
- Fix: Correct some translation calls that were using the wrong text domain
- Fix: PHP notice caused by the file scanner being unable to read its data file
- Fix: Unlock request button was not showing and redirects to 127.0.0.1
- Fix: Database errors for the aiowps_login_lockdown table during plugin installation
- Tweak: Refactor the 6G UI
- Tweak: Added an option to set the Cloudflare Turnstile CAPTCHA theme
- Tweak: Added CSS styling for audit log details column
- Tweak: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
- Tweak: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
- Tweak: Display json string instead of null if json_decode does not work for audit log details
- Tweak: Event table existing datetime field converted to timestamp to be timezone independent
- Tweak: Various tweaks to get codebase up to coding standards
- Tweak: Various tweaks to ensure multiple sentences are not passed to a single translation function
- Tweak: Fix the broken UI for RSS and Atom firewall settings and added a more info box
- Tweak: Fix the issue of unique ID in DOM
- Tweak: Merge Username and Display Name tabs in User Security Settings
- Tweak: Moved the '404 detection' tab to the 'Brute force' admin menu
- Tweak: Moved the 'PHP file editing' tab into 'File Protection' tab
- Tweak: Moved the 'User enumeration' tab into the 'User accounts' tab in the User Security Menu
- Tweak: Moved the 'WP Rest API' tab into the Firewall Menu
- Tweak: Moved the 'Copy protection' and 'Frames' tab into the Filesystem security menu
- Tweak: Moved the 'Salt' tab into the User security menu
- Tweak: Moved 'Blacklist Manager' tab into the Firewall menu.
- Tweak: Password resets, removed and deleted users are now recorded in the audit log
- Tweak: Stop 404 IP from being locked if there's a current lock on that IP
- Tweak: Unify date and time conversion with users timezone support
- Tweak: Changed how empty data in ip lookup result is stored in the database
- Tweak: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
- Tweak: Add captcha support for Contact Form 7
- Tweak: Added an AJAX save settings and get features details badge function as part of ongoing work to add AJAX support to the plugin settings
- Tweak: Enhance reset password email by adding IP info
- Tweak: Remove defunct imagetoolbar meta tag
- Tweak: Login lockout tables existing datetime field converted to timestamp to be timezone independent
- Tweak: Code improvements - utilising WP_Error objects instead of arrays
5.2.5 - 25/Oct/2023
Changes
- SECURITY: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
- Feature: Block POST requests that have a blank user-agent and referer
- Feature: Added reverse IP Lookup data to the login lockdown notification email
- Fix: Prevent a fatal error when setting up the firewall if the host has disabled the function parse_ini_file
- Fix: Prevent the firewall message store from filling up with unused entries
- Fix: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
- Fix: An issue that prevented MainWP updates from being performed correctly
- Fix: Prevent user enumeration via the REST API and oEmbed protocol
- Fix: User agent blacklist not matching all strings correctly
- Fix: Logged in user table not showing the correct information
- Tweak: Improve comment spam detection by using hidden fields and cookies
- Tweak: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
- Tweak: The menu actions in the dashboard admin menu are now processed via AJAX
- Tweak: Converted checkboxes in the admin menu pages to switches
- Tweak: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
- Tweak: Combined various user admin menus into a new 'User Security' admin menu
- Tweak: Export configuration filename now reflects the local timezone.
- Tweak: Improve the UI/UX of the file scanner making way for future improvements
- Tweak: Redesign the Feature manager badges
- Tweak: Removed various admin menu tabs as previously announced
- Tweak: Add features that depend on other plugins to the Feature manager conditionally
- Tweak: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
- Tweak: Audit log date and time are now displayed in the site's timezone
- Tweak: PHP warning undefined array key REQUEST_METHOD in rule-proxy-comment-posting.php
- Tweak: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the "rename login page" setting is on.
5.2.4 - 16/Aug/2023
Changes
- Fix: Ported firewall settings from disabling on upgrade
5.2.3 - 09/Aug/2023
Changes
- Fix: Fatal error "set_value() on null" when the firewall config is missing
- Fix: PHP notices when running under cron
- Fix: Revert change that caused the Brute force login whitelist to show the server IPs and not the users
- Tweak: Add communication mechanism so that firewall can send data to WordPress
- Tweak: Remove incorrect mentions of the .htaccess file on PHP Firewall rules
5.2.2 - 04/Aug/2023
Changes
- Feature: An allow list of IP addresses which bypass the firewall rules
- Fix: Fix get_class() on null fatal error when updating via ManageWP
- Fix: No such file or directory notice generated by the firewall's config file
- Fix: Only send the upgrade email if one or more of the ported rules had been enabled
- Fix: Fake Google bots are now blocked if bot server IP address does not resolve to a hostname
- Fix: Google reCaptcha now appears correctly on the WooCommerce checkout page
- Fix: Prevent WooCommerce auto login if manual registration approval is turned on
- Fix: Premium upgrade tab UI overlapping issue.
- Fix: Allow maintenance mode to be controlled via WP-CLI (Premium)
- Fix: Use the correct site id for login success events added to audit log table on Multisite
- Fix: Added missing features to the Feature manager list
- Fix: A warning when using the update all command via WP-CLI
- Tweak: AIOS settings based IP address is now used instead of the REMOTE_ADDR server variable for multiple wrong 2FA code notification
- Tweak: Added 'aios_audit_log_record_event' filter to allow events to not be recorded
- Tweak: Improve the Feature item manager code structure making way for future improvements
- Tweak: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist.
- Tweak: Move the 'Custom rules' tab from the 'Firewall' section to its own tab in the 'Tools' section
- Tweak: Move the 'Prevent hotlinking' tab to the 'File protection' tab in the 'Filesystem Security' menu
- Tweak: Moved all CAPTCHA settings to the 'CAPTCHA settings' tab in the 'Brute Force' menu
- Tweak: Moved the 'Password tool' tab to the 'Tools' admin menu
- Tweak: Moved the 'Visitor lockout' tab to the 'Tools' admin menu
- Tweak: Moved the 'User registration honeypot' tab to the 'Brute force' admin menu
- Tweak: Remove 'Account activity table' as these entries are also recorded in the audit log
- Tweak: Removed the 'Failed login records' tab as previously announced, these are now recorded in the audit log
- Tweak: Improve list table code performance
- Tweak: Removed use of $_GET, $_POST, $_REQUEST from all template files making way for future improvements
5.2.1 - 12/Jul/2023
Changes
- Fix: Include helper class file from loader
- Tweak: Conditionally load TFA block JavaScript
5.2.0 - 10/Jul/2023
Changes
- SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 to 5.2.0 (which purges the existing data), to know what site users' passwords are. This information has limited value (an admin can already reset anyone's password) except insofar as the passwords may be re-used by users on other sites. In that "hostile admin" scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog has been expanded in response to incorrect reports which suggested a wider problem (for example, they did not mention that the attacker needs to already be logged in as an admin to read the log, or that upgrading to 5.2.0 deletes the affected data).
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
- Fix: After editing a file reset permissions back to the original permissions
- Fix: Corrected some broken links in the plugin
- Fix: Fatal error: cannot declare class
- Fix: Normalise all arguments in the stacktrace
- Fix: Wrong login entries added to login activity table on multisite when user logs into subsite they don't belong to.
- Fix: Too many redirects error for forced logout users solved
- Tweak: Do not use external services for user IP addresses when running under cron or WP-CLI, or when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined. Silenced the "api.ipify.org request failed" warning.
- Tweak: Reset password page missing translation and generate password button added for renamed login page
- Tweak: Added 'aios_audit_log_event_user_ip' filter to allow filtering of IP addresses in the audit log
- Tweak: Added action hook "aios_reset_all_settings" for reset all settings.
- Tweak: Renamed login page to have language change dropdown and other tweaks as per the WordPress 6.2
5.1.9 - 09/May/2023
Changes
- Feature: IP addresses - Blacklist manager functionality based on PHP instead of .htaccess rules. Added AIOS_DISABLE_BLACKLIST_IP_MANAGER constant, Define it in your wp-config.php to disable IP Blacklist manager.
- Feature: Detect spambots posting comments and discard it completely or mark as spam.
- Feature: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)
- Feature: Added a "Delete all" and "Delete filtered" bulk action to the audit log table
- Fix: Prevent Cloudflare Turnstile being added to login forms when no credentials were set
- Fix: Change where the audit log event handler is loaded to prevent an error on plugin deletion
- Fix: Fix context class checks to support cli
- Tweak: Multisite super admin can access the subsite dashboard without login again if salt postfix enabled
- Tweak: Captcha JavaScript file is unnecessarily loaded on some site pages if comment captcha or custom login captcha enabled
- Tweak: Change some nonce checks to use our internal function to check user capability and nonces
- Tweak: User registrations and successful logins are now recorded in the audit log
- Tweak: Added a commands class and refactored AJAX handlers
- Tweak: Captcha verification to prevent conflicts with some plugins that recall the WordPress authentication code
- Tweak: Improve database table prefix Feature UI.
- Tweak: WordPress core updates are now recorded in the audit log
- Tweak: Translation updates are now recorded in the audit log
- Tweak: Add an entity changed event to the audit log when upgrader information is not available
- Tweak: Automated emails sent by AIOS that failed to send due to from address
5.1.8 - 11/April/2023
Changes
- Fix: 404 detection - Individual record blacklisting, delete, temp block actions stopped working in 5.1.7
- Fix: Uncaught fatal error on null 'set_value'
- Fix: Remove audit log event handler actions on plugin deletion to prevent an error
- Fix: Remove some audit log event handler on plugin deletion to prevent an error
- Fix: Get correct wp-config path when installed in a subdirectory
- Tweak: AIOS_Helper::request_remote timed out exception ignored.
- Tweak: Requests_IPv6 class name deprecated in WordPress 6.2.
- Tweak: Failed login attempts are now recorded in the audit log
5.1.7 - 24/March/2023
Changes
- Fix: Prevent fatal error when calling get_server_detected_user_ip_address() when the firewall is not setup
- Tweak: Clarify dashboard notice title and change image.
5.1.6 - 21/March/2023
Changes
- Feature: Added an audit log
- Feature: Add salt postfix option to improve your site's security
- Feature: Shared library that can be used from the firewall.
- Fix: Rename login slug used like wp-login-RANDOM_SUFFIX showing 404 page issue solved and code clean up for multisite activation.
- Fix: Divi child theme conflict - Call to undefined function et_builder_get_fonts() in functions.php on line 208 solved.
- Fix: Captcha settings tab in multisite installation for subsites not showing
- Fix: Cron reschedule event error for hook aios_15_minutes_cron_event if plugin deactivated or uninstalled
- Tweak: Stop user enumeration now shows 403 forbidden error code instead of 500 server error
- Tweak: PHP 8.1 warning rawurldecode passing null instead type string is deprecated for block request string 6g rule
- Tweak: Code clean up for disable cookie based brute force constant as rule moved to firewall
- Tweak: Comment spam IP monitoring page UI
- Tweak: Updated seasonal notices
- Tweak: Improve internal code structure making way for future improvements
- Tweak: Remove mention of the 6g firewall rules being .htaccess based as they are now php based
- Tweak: Added new internal function to check user capability and nonces
- Tweak: Improve config code with inline saving.
- Tweak: Allow audit log to be filtered and exported to CSV
5.1.5 - 13/February/2023
Changes
- Feature: Added Cloudflare Turnstile CAPTCHA support
- Fix: Notices about undefined array key HTTP_USER_AGENT solved.
- Fix: New v5 features not saved in export file and not properly reset after uninstallation.
- Fix: File permission change being applied to the last record not selected one. Also, no longer change permissions when they are already tighter than the suggested.
- Fix: Fatal error 'Call to a member function contains_contents() on null'
- Tweak: Removed wrong information about login whitelist being implemented via htaccess.
- Tweak: Refactoring settings tasks for WP CLI AIOS premium commands.
- Tweak: Page load performance issue due to incompatible tfa premium plugin active check improved.
- Tweak: Make sure translation domain is registered before attempting to use it
- Tweak: Replaced click with press in text because users could be on mobile etc and not using a mouse.
- Tweak: Registration, comment, Buddypress and bbPress admin pages to show notice enable the captcha settings.
- Tweak: Improve the UI/UX for the 404 detection tab
- Tweak: Improve internal code structure making way for future improvements
- Tweak: PHP 8.2 deprecation warning for dynamic properties
- Tweak: Remove the unintended ability for directory traversal and lack of escaping when outputting files with the "view system log" feature. This facility is only available to an administrator (who can of course already do anything on the site, so this has no security implications) and allows them to view (the last 50 lines of) any file or list any directory on the system where the web server has read access.
- Tweak: Firewall gets constants from a single source.
5.1.4 - 14/December/2022
Changes
- Feature: Add option to disable RSS and ATOM feeds.
- Fix: The IP address blacklist manager wasn't working.
5.1.3 - 09/December/2022
Changes
- SECURITY: No longer save settings import files in a publicly accessible folder where they can be potentially indexed by search engines if the administrator does not actually import the settings (which deletes the import file)
- Feature: Implement firewall events system
- Fix: Protect subsites when firewall is loaded via plugins_hook
- Tweak: Improve the UX for uploading import files
- Tweak: Add a default CAPTCHA option making way for new CAPTCHAs in the future
5.1.2 - 07/December/2022
Changes
- Feature: User Agent - Blacklist manager functionality should be based on PHP instead of .htaccess rules.
- Fix: Sorting by 'status' on the comment spam table
- Fix: Copy protection Feature not working on iPhone
- Fix: Cookie based brute force prevention locks out if plugin deactivated and activated again.
- Fix: The notice to reapply .htaccess rules after reactivating the plugin is displayed on subsites.
- Fix: Various WordPress command line notices about undefined $_SERVER indexes
- Fix: Deactivate and reactivate plugin firewall settings file sync issue solved.
- Tweak: 2FA setting page to show premium options for AIOS premium.
- Tweak: Remove characters that should not have been on the scanner page
- Tweak: Organise firewall rules into subdirectories
- Tweak: Added GDPR question answer to the AIOS WP org plugin's FAQ section.
- Tweak: Allow AIOS management permission to be filtered via `aios_management_permission` filter
- Tweak: Make use of is_main_site() function.
- Tweak: Copy IP to clipboard when clicking on it at WP Security -> Brute Force -> Login whitelist.
- Tweak: Better context detection for the firewall
5.1.1 - 16/November/2022
Changes
- SECURITY: Fixed a failure to check bulk action nonces, leading to a CSRF vulnerability. Exploitation would require an attacker to craft a link specifically for your site, and persuade you to click it whilst logged in; if you did so, this could result in bulk actions being carried out on AIOS list tables (e.g. delete entries from blocked IP address lists), with the attacker being restricted to deleting entries by database ID numbers that he cannot know directly (e.g. 15, 16, 17) and not IP address (e.g. 100.101.102.103).
- Feature: Cookie-based brute force prevention implemented with the new PHP based firewall system.
- Fix: AIOWPSecurity_WP_Loaded_Tasks::site_lockout_tasks() method visibility
- Fix: Prevent the dismiss notice button removing all notices from page including notices that contained important information
- Fix: Brute Force > Login Whitelist issue access password protected pages by user solved.
- Fix: Force logout link not working in the currently logged-in users list.
- Fix: Google reCAPTCHA site key and secret key are not verified immediately.
- Tweak: Code style changes for scanner related pages and future item manager class.
- Tweak: Capitalisation style reapply for firewall menu tabs.
- Tweak: Use the term "login lockout" instead of "login lockdown" in the UI and mail content. Changed constant AIOWPS_DISABLE_LOGIN_LOCKDOWN to AIOWPS_DISABLE_LOGIN_LOCKOUT.
- Tweak: Update tabs, links to match capitalisation style of other UpdraftPlus plugins.
- Tweak: Added the filter `aios_server_type` to override the `AIOWPSecurity_Utility::get_server_type()` method's return value.
- Tweak: Notice - Account activity logs, 404 event logs older than 90 days cleared automatically to show.
- Tweak: Premium upgrade page FAQs linked to correct URL.
- Tweak: IP address lookup called only once in same page request. Visitor blocking called when user is not logged in. User online information updated on login only.
- Tweak: User login lockout - minimum lockout time length should be less than maximum lockout time length validated.
- Tweak: Take a backup of wp-config before inserting firewall contents.
- Tweak: Ability to downgrade the firewall's protection which allows users to reverse the changes from setting up the firewall.
- Tweak: Set a global context for $wp_file_descriptions context so that it gets assigned to correctly, preventing a subtle visual change in the theme editor
- Tweak: Black Friday notice
- Tweak: Update readme.txt file
5.1.0 - 12/October/2022
Changes
- Fix: The login loader is visible infinitely on the login screen and administrators can't log in if the user has enabled maintenance mode and 2FA authentication simultaneously.
- Fix: Pressing the "Disable Firewall" button didn't clear new 6G firewall rules.
- Fix: The application password was disabled by default on the activation of the AIOS plugin.
- Fix: The error occurred with the error message: Uncaught TypeError: fclose(): Argument #1 ($stream) must be of type resource, bool given in all-in-one-wp-security-and-firewall/classes/wp-security-utility-htaccess.php:164 in the server where the root folder is not writable.
- Tweak: IP address lookup service whatismyipaddress removed, API for bot.whatismyipaddress.com is no longer available.
- Tweak: The simple math captcha box was shown when the user was filling in the 2FA code at login time.
- Tweak: Firewall max upload limit default value increased from 10MB to 100MB.
- Tweak: Google reCaptcha multilingual implemented to show in local language messages instead of English only.
- Tweak: Update headings, labels and buttons to match capitalisation style of other plugins.
- Tweak: Add premium upgrade tab.
5.0.9 - 06/October/2022
Changes
- Fix: PHP Notice: Only variables should be passed by reference in /wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-notices.php on line 202.
- Tweak: Auto disable the login whitelisting on upgrade for all server types and shown related notice.
- Tweak: 2FA - Warning: Deprecated: Call get_controller('totp'), not get_totp_controller() in /includes/simba-tfa/simba-tfa.php on line 713.
5.0.8 - 29/September/2022
Changes
- SECURITY/Feature: Fix IP address detection, add IP address detection settings in the Admin Dashboard > WP Security > Settings > Advanced Settings, provide user guidance on how to use them, and notify the user if any problem is apparent. Versions from 5.0.0 to 5.0.7 had a defect allowing an attacker to spoof their IP address, helping them avoid detection or lock out legitimate users. Thanks to Calvin Alkan for the responsible disclosure.
- Fix: The 403 forbidden error was shown on the wp login screen if the login url contains the redirect_to parameter and the deny bad query strings firewall Feature is enabled on localhost.
- Fix: The PUT request method was blocked when the user enabled the 6G firewall.
- Fix: The login whitelisting didn't work on servers not supporting .htaccess files, without this information being displayed in the user interface. The Feature is now ported to PHP so that it works on all servers. Thanks to Calvin Alkan for identifying this issue.
- Tweak: Add index keys to the login lockdown, failed_logins and the permanent block tables to prevent poor database reading performance in the event of vast numbers of rows being stored in these tables (see the "SECURITY" item above, since the defect described there can allow this). Thanks to Calvin Alkan for identifying this issue.
- Tweak: Resolve a PHP-firewall 'Unable to locate workspace' log message.
- Tweak: Added a constant AIOS_DISABLE_GET_EXTERNAL_IP. Define this in your wp-config.php to disable getting the IP address via an external API when the IP retrieval method fails to get a valid IP address.
- Tweak: Replace deprecated jQuery(document).ready() calls.
- Tweak: Disable cookie access via JS and HTTP for cookie-based brute force prevention.
- Tweak: Enhanced cookie storage mechanism for cookie-based brute force prevention. Thanks to Calvin Alkan for identifying this improvement.
- Tweak: Display notice alerting the user that the block spam comment doesn't work on non-apache servers in the block spam comment section. Thanks to Calvin Alkan for identifying this omission.
- Tweak: Added a constant AIOS_DISABLE_LOGIN_WHITELIST. Define this in your wp-config.php to disable login IP whitelist.
5.0.7 - 08/September/2022
Changes
- Fix: The Login URL was prefixed with the site URL instead of the home URL when the home URL is different than the site URL.
- Fix: Rename login and cookie-based brute force protection couldn't work simultaneously when the permalink was set to plain.
- Fix: Disabling the 5G Firewall Protection didn't remove the 5G rules from the .htaccess file.
- Tweak: Add a 'Dismiss' button to the firewall setup notice.
5.0.6 - 07/September/2022
Changes
- Fix: Stopped host cron job working in a specific situation.
- Fix: A few setting options like enabling the honeypot Feature for registration page, disabling the application password, enabling move spam comments to trash after specified days, moving spam comments to trash after days, enabling remove database tables upon uninstalling, and enabling remove all plugin settings upon uninstalling the plugin were overridden on upgrading the plugin.
- Tweak: Add a 'safe message' comment to the firewall's settings file.
5.0.5 - 05/September/2022
Changes
- Fix: Cookie based brute force etc rules to be removed from .htaccess if set in older version 4.4.12.
- Fix: The IP lock notification mail was sent out for the 404 lockdown event.
- Tweak: Resolve a PHP-firewall 'Unable to locate workspace' log message.
5.0.4 - 03/September/2022
Changes
- Fix: PHP coding warning in latest PHP version when handling email address parameter.
- Tweak: Added a constant, AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION. Define this in your wp-config.php to disable cookie based brute force login prevention.
5.0.3 - 02/September/2022
Changes
- Fix: An empty IP lock notification mail could be sent out after upgrading to the 5.0.0 version.
- Fix: The PHP file couldn't be loaded via commandline if the rename login page is enabled.
- Fix: When running WordPress from the command line, the warning Undefined index: REQUEST_METHOD was logged.
- Tweak: Import latest TFA module, loading JS less aggressively to avoid potential for conflicts.
5.0.2 - 02/September/2022
Changes
- Fix: The user can't login if the user set forced logout and the site's timezone is different than UTC.
- Fix: Avoid an incompatibility with Wordfence Login Security by not loading our TFA module if that plugin is active
5.0.0 - 01/September/2022
Changes
- Feature: Two-Factor Authentication (2FA) functionality & related settings.
- Feature: Set up a mechanism to load the firewall PHP file early.
- Feature: PHP firewall rule engine.
- Feature: Add WHOIS lookup functionality.
- Feature: Implement 6G firewall rules in the new PHP-based firewall.
- Feature: Disable WordPress application passwords.
- Feature: Remove the plugin's tables and options when uninstalling the plugin according to configuration settings.
- Feature: Trash spam comments after n number of days as per configuration set in Admin Dashboard > WP Security > SPAM Prevention > the "Comment SPAM" tab > the "Comment Processing" section > the "Trash Comments After" settings.
- Feature: Brute force Cookie-based Firewall Protection based on the PHP code instead of htaccess rules so that it also works with Nginx, IIS etc servers.
- Feature: Allow multiple email addresses for the User Login > Notify By Email setting.
- Feature: IPv6 range support in CIDR Format enabled.
- Fix: The WooCommerce customer was redirected to the wp-login page after payment with an external payment gateway if forced logout configured after a specific number of minutes.
- Fix: If the WordPress language was set to something other than English, then auto-update core, plugin, and theme emails sent in English instead of the configured language.
- Fix: Database error for multisite when creating a new site solved.
- Fix: Captcha options should not be autoloaded.
- Fix: Database error for multisite cronjob column name.
- Fix: The plugin clogs up the database with lots of rows. Delete old data after 90 days.
- Fix: Rename Login issue with wp plugin list command solved.
- Fix: Rename Login breaks logout functionality if WP_HOME is set to a different URL than the WordPress core files URL.
- Fix: PHP Fatal error: Uncaught Error: Class 'AIOWPSecurity_Admin_Init' not found in html/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php:366.
- Fix: The Spam comment blocked IP address remains blocked even after spammed comments are approved.
- Fix: Admin Dashboard > WP Security > Security Points Breakdown Section piechart tooltips flickering.
- Fix: The "Time Length of 404 Lockout" option doesn't do anything.
- Fix: Search did not work for the 404 Event Logs list table.
- Fix: Search did not work for Failed Logins list table.
- Fix: Search did not work for the Account Activity list table.
- Fix: Bulk deletions did not work for the Account Activity list table.
- Fix: Warning when bots make malformed requests.
- Fix: When the user had pressed the bottom bulk action button of the list table, the bulk action was confirmed by two confirm alerts.
- Fix: Unblock link in 404 Event Logs list table redirected to wrong tab.
- Fix: Temp Block, Blacklist IP and Delete links in 404 Event Logs list table didn't work.
- Fix: Rename login page and Cookie based brute force login prevention configurations didn't work simultaneously.
- Fix: Fatal error when activating using older PHP versions
- Fix: If auto_prepend_file is already pointed to the firewall bootstrap file from php.ini manually, the bootstrap file tries to include itself.
- Fix: The custom logo wasn't displayed on the login lockdown unlock request form.
- Tweak: Allow taking database backups via the UpdraftPlus backup plugin.
- Tweak: Make lockout reasons more specific.
- Tweak: Update notice class.
- Tweak: If the user has not performed the cookie test, the brute force attack prevention configuration fields remain disabled in the Admin Dashboard > WP Security > Brute Force > Cookie Based Brute Force Prevention.
- Tweak: Display locked IP addresses lockout date and release date in WordPress settings format.
- Tweak: Improve success or messages when performing bulk actions on the table list.
- Tweak: 404 events date is displayed in WordPress settings format.
- Tweak: Account activity login date and logout date are displayed in WordPress settings format.
- Tweak: Add a label for each setting field.
- Tweak: JQMIGRATE: jQuery.fn.click() event shorthand is deprecated.
- Tweak: Fix typos at Admin Dashboard > WP Security > Firewall > Basic Firewall Rules > Block Access to Debug Log File.
4.4.12 - 22/April/2022
Changes
- Feature: Disable the login lockdown feature when the AIOWPS_DISABLE_LOGIN_LOCKDOWN constant is defined with a true value.
- Feature: Implement lockout time multiplied on each lockout up to the maximum lockout time configured.
- Fix: For multisite giving fatal error on settings and dashboard page Call to a member function on null.
- Fix: Scores not updating correctly if a Feature activated and "Remove wp generator meta info" activated shows 5/5 for all.
- Fix: Change hard-coded references of wp-content to WP_CONTENT_DIR constant.
- Fix: The AIOS plugin should not be site-wide activated in a multisite WordPress setup.
- Tweak: Get user IP Address using an external service in local server setup.
- Tweak: Filter name changed to "aiowps_pre_add_to_permanent_block" from "pre_add_to_permanent_block".
- Tweak: Filter name changed to "aiowps_filter_event_logger_data" from "filter_event_logger_data".
- Tweak: Disables the "Secret Word" and "Re-direct URL" input fields when the "Enable Brute Force Attack Prevention" option is unchecked.
- Tweak: Show nice error on activation if site php version is lower than 5.6.
4.4.11 - 29/March/2022
Changes
- Feature: Reset all settings by clicking on the "Reset Settings" button on the Settings Page.
- Feature: Verify the Google reCaptcha Site key before rendering and disable it if the Google reCaptcha site key is invalid.
- Fix: PHP Fatal error: Cannot redeclare wp_install_maybe_enable_pretty_permalinks() in specific server.
- Fix: Database error thrown when creating the debug log table on a specific MySQL server.
- Fix: Compatibility issue with WPML plugin for login and logout functionality.
- Fix: Update email sent in English instead of setting language.
- Fix: The Simple Math Captcha can't be validated when a third-party plugin clears transients more frequently.
- Fix: The login lockdown unlock request was not working in a few specific server environments.
- Fix: The warning headers already sent was displayed in a few specific server environments.
- Fix: Handle invalid tabs appropriately in setting pages.
- Fix: A Fatal error occurred when WooCommerce was activated, but it was disabled on the frontend by the Asset Cleanup Pro plugin.
- Fix: Fix login lockout issue with different timezone.
- Tweak: Add review notice.
- Tweak: Improve the functionality that prevents fake Google bots from accessing the site.
- Tweak: Remove IP address retrieval setting and detect IP address automatically.
- Tweak: Verify Google reCaptcha site key before rendering the reCaptcha.
- Tweak: Remove force logout checking from REST API Call.
- Tweak: Made Admin Dashboard > WP Security > Settings tabs extensible.
- Tweak: Add G2 review message in the admin footer.
- Tweak: Format failed login date time according to WordPress general settings.
- Tweak: Remove unused codes from AIOWPSecurity_Config.
- Tweak: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > "Display Name" tab > "Modify Accounts With Identical Login Name & Display Name" section.
- Tweak: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP's "Site Health" tool)
- Tweak: The "Allow Login Lockout Request" checkbox is ticked by default.
4.4.10 - 21/Jan/2022
Changes
- Feature: Send site login lockout emails by batch processing instead of sending them instantly.
- Feature: Auto-purge failed login records after 90 days.
- Feature: Change the debug log so it's stored in the database and not a file
- Fix: Missing Plugin header fields are added.
- Fix: PHP Warning Notice for finding IP Address appears when a dual proxy used.
- Fix: Logout date-time shows 1000-10-10 10:00:00 for non-logged out user.
- Fix: The notification for re-inserting the security rules in your .htaccess file appears after deactivating and activating the plugin to non-admin users.
- Tweak: Replace obsolete variable reference style
- Tweak: Sanitize $_REQUEST parameters in redirect function
- Tweak: View debug logs from within the UI
- Fix: Compatibility issues with PHP 8.1.
- Tweak: Advertise All in One WP Security Premium Plugin instead of Addons.
4.4.9
Changes
- Added Polish language translation file to the plugin. Thanks to Dariusz for submitting the language files.
- Fixed a typo in the help text.
- Allow the "redirect_to" parameter to be used on renamed login page when logged in. Thanks to @tvartom.
- Fixed a typo in the help text located in the "Custom Rules tab".
- Added a new filter hook (aiowps_execute_backup_set_memory_limit) to allow overriding of the PHP memory limit setting when executing a backup.
- WordPress 5.8
4.4.8
Changes
- Fixed an issue with the rename login page feature on WordPress v5.7.
4.4.7
Changes
- Updated the renamed login page code to reflect the latest WordPress wp-login.php code.
- Cleaned up/improved repeated code.
- Translation string fix in the rename login feature.
- Added action hook "aiowps_site_lockout_settings_saved" that is triggered after the site lockout configuration is saved.
- Updated some queries to use $wpdb->prepare() or esc_sql() wherever possible.
4.4.6
Changes
- Fixed potential vulnerability with the Banned User Agents feature (in the blacklist menu). Thanks to WonTae Jang.
4.4.5
Changes
- Fixed default DateTime to prevent DB error.
- Added Korean language translation files. Thanks to Jonghyun Cho.
- Reworked the code for the "Generate New DB Table Prefix" feature to make it more robust. Thanks to @baddiedev.
- Added translation ability to some strings.
4.4.4
Changes
- Fixed bugs and improved functionality related to "logged in users" functionality.
- Google recaptcha checks for WooCommerce product reviews
- Replaced use of deprecated hook "wpmu_new_blog" with "wp_insert_site"
- Fixed a potential XSS issue in the settings menu of the plugin for IE11 or older browsers.
4.4.3
Changes
- Improved file change detection feature to address DB backups failing silently in some cases due to very large serialized data stored in a single row.
- Added new action hook (aiowps_rename_login_load) just before renamed login page is loaded.
- Added a check to ensure that woocommerce captcha settings are displayed only if woocommerce plugin is installed/active.
- Fixed recaptcha bugs.
- Added configurable item for max file upload size in basic firewall rules.
4.4.2
Changes
- Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)
4.4.1
Changes
- Fixed bug where Apache directives were not being re-added into the .htaccess file after plugin re-activation.
- Fixed bug related to account activity logout date not being set.
4.4.0
Changes
- Added robustness to login lockdown feature by replacing the strtotime function with DateTime/DateInterval.
- Fixed bugs related to captcha features.
- Fixed and improved "Logged In Users" functionality for multisite.
- Always set valid dates, to avoid errors when strict mode is enabled on mysql. Thanks to Davide.
4.3.9.4
Changes
- Removed whois feature because it adds relatively little value and the third-party library used is not being maintained regularly.
- Fixed "headers already sent" error when bulk action performed using aiowps list table.
4.3.9.3
Changes
- Fixed another captcha bug related to comment form.
4.3.9.2
Changes
- Fixed various captcha bugs: woocommerce lost password page, custom login form page, etc
4.3.9.1
Changes
- Fixed rename login page feature bug introduced after WP core change in version 5.2.
4.3.9
Changes
- Fixed captcha bug.
- Fixed PHP_EOL issue where some IPv6 and v4 addresses saved in settings were incorrectly deemed invalid.
- Tightened file permission for wp-config.php to "640"
- Fixed DB prefix change bug for cases where DB had tables of type "view".
- Fixed some translation string issues.
- Minor style fix for wp list table pagination nav buttons.
4.3.8.3
Changes
- Trying again - Fixed login captcha authentication bug.
4.3.8.2
Changes
- Fixed login captcha authentication bug.
4.3.8.1
Changes
- Minor bug fix - added missing check to enqueue recaptcha script only if that feature is enabled.
4.3.8
Changes
- Added ability to hide secret rename login page link when sending emails to people asking for personal data export.
- Fixed Google reCaptcha not showing on comment page.
- Fixed activation handler and creation of DB tables to handle multi-site activations more robustly.
- Improved reCaptcha code to prevent the occasional occurrence of "Uncaught Error: reCAPTCHA placeholder element must be an element or id" error.
- Added extra check for PHP_OS value to prevent Apple "DARWIN" being interpreted as windows server.
- Corrected some minor translation issues on rename login page.
- Increased priority of authenticate hook for captcha check.
- Updated the Dutch Language file.
4.3.7.2
Changes
- More "get_home_path" fatal error preventions.
4.3.7.1
Changes
- Fixed fatal error regarding "get_home_path" function.
4.3.7
Changes
- Added Google reCaptcha feature for login forms.
- Improved code which checks if site is main for multi-site installations.
- Removed the text domain string from the translation functions in the wp-security-rename-login-feature.php file.
- Changed .htaccess path location to use get_home_path().
- Fixed minor woocommerce captcha bug
4.3.6
Changes
- Added new tab called "WP REST API" in the Miscellaneous menu and created separate feature which disables unauthorized REST access for non-logged in users independent of the users enumeration feature.
- Improved dashboard page widget area display.
- Small translation string fix in the rename login page feature.
4.3.5
Changes
- Fix - Error: Call to undefined function the_privacy_policy_link() in older versions of WordPress.
- Added a check to disable file change detection feature and prevent fatal errors when FilesystemIterator is not available due to old versions of PHP.
- Improved get_login_fail_count method in the AIOWPSecurity_User_Login class which will fix cases where login lockdown
4.3.4
Changes
- Modified rename login page to handle GDPR Export/Erase Personal Data request.
- Fixed woocommerce registration page captcha bug.
- Improved users enumeration so that authenticated requests to the REST API are allowed but others are blocked.
- Improved logic in Renamed Login Page settings such that unnecessary call of AIOWPSecurity_Utility_Htaccess::write_to_htaccess() function is avoided.
4.3.3.1
Changes
- Fixed a typo with the newly added action hook - aiowps_before_wp_die_renamed_login
4.3.3
Changes
- Fixed bug - aiowps will now allow access to admin-post.php from front-end when rename login feature is active.
- Modified login lockdown feature so that the exact IP address is locked down and not the IP range.
- Added new filter (aiowps_ip_blocked_output_page) which allows user to filter the complete output when someone's IP has been locked out.
- Added new action hook (aiopws_before_wp_die_renamed_login) for the renamed login feature which fires just before the wp_die event which produces the "Not available" behaviour.
- Removed unused code.
- Modified get_user_ip_address to get the first IP address in cases where there are multiple comma separated addresses provided - example X-Forwarded-For.
4.3.2
Changes
- Added new IP address settings page which gives the user the ability to configure which $_SERVER global the IP address will be retrieved from. (New setting found in WP Security >> Settings >> Advanced Settings)
- Fixed bug in .htaccess rules caused when 6G and IP blacklist firewall rules were simultaneously enabled.
- Fixed bug where captcha answer was being ignored on woocommerce login page.
- Added support for unlock requests made from woocommerce account login page when rename login feature is active.
- Added useful debug code for troubleshooting in the fake googlebot function.
- Some general code cleanup and improvement.
- Added code to prevent direct access data leaks.
- Added captcha settings for BBPress new topic form.
- Fixed minor bug in dashboard page when checking if htaccess rules applied.
- Added a check for Windows server installation in File Permissions feature - this feature is not applicable for Windows servers.
- Added check to display comment captcha only when user not logged in.
4.3.1
Changes
- Improved white list directives to cater for Apache 2.4 and earlier versions.
- Added 3 filters for the manual account registration approval email: aiowps_register_approval_email_subject, aiowps_register_approval_email_msg, aiowps_register_approval_email_from_name
- Added configuration option to allow custom firewall rules to be applied at beginning of all rules applied by aiowps.
- Changed record insertions to DB table aiowps_failed_logins to store the full IP address instead of IP range.
4.3.0
Changes
- Updated wp-security-rename-login-feature.php to include latest WordPress core changes.
- Added captcha for woocommerce login and registration forms.
- Fixed "mixed line endings" warnings for whois library.
- Moved DB cleanup task cron job from daily to hourly.
- Updated the reapply htaccess function so it doesn't create the header already sent error.
4.2.9
Changes
- Changed the parameter in current_user_can function to use an administrator capability instead of the "administrator" role name.
- Added some new hooks to the AIOWPSecurity_WP_Loaded_Tasks called aiowps_wp_loaded_tasks_start and aiowps_wp_loaded_tasks_end.
- Improved get_locked_ips() function and added $wpdb->prepare statement.
- Added more missing translation domain parameters for translatable strings in the rename login page.
- Deleted local copy of the Persian and Italian language files. These translations are available on translate.wordpress.org.
- Domain path and text domain added to plugin header.
- Changed the get_user_ip_address functions so that $_SERVER['REMOTE_ADDR'] is the primary method used to obtain IP address.
- Added enumeration block via REST API (wp >= 4.7)
4.2.8
Changes
- Improved "User Registration" feature to bypass the pending approval status for new users created in admin side.
- Fixed bug in whois library.
- Added translation domain parameter for translatable strings in the rename login page.
- Updated the Chinese language file.
4.2.7
Changes
- The PHPWhois library updated to their latest version to include a security patch.
4.2.6
Changes
- Added new Login Lockdown whitelist feature which allows immunity for IP address or ranges from being locked by the lockdown feature.
- Fixed bug - Replaced date_i18n with current_time to prevent cases where some localizations produce foreign characters in date stamp output.
- Added a new feature to add a honeypot to the WordPress user registration form (this can help reduce registration attempts by robots).
- Added "Export to CSV" buttons for 404 Event Logs, Account Activity Logs and Failed Login Records.
- Minor update to 6G rules.
- Minor spelling and wording fixes and changes.
4.2.5
Changes
- Fixed bug - added code which caters for mysql view definitions when DB prefix is changed.
- Fixed a typo in the user login security menu.
- Fixed storage of time stamp in lockdown table to match the local WordPress server time and be consistent with the timestamp stored in the failed logins table.
- Prevent direct access to wp-security-core.php
- Updated the POT file.
4.2.4
Changes
- Fix error on block_ip_if_locked(), doesn't exit with a wp_user. This is needed for other plugins that create the $user (aka ldap auth plugins).
- Fix login error message for users with pending account approval.
- WordPress 4.7 compatibility.
4.2.3
Changes
- Fixed bug when math captcha was displayed on Woocommerce registration page.
- Fixed login page bug for cases where email address and captcha are used to submit login form (thanks to @chesio for fix).
- Logs directory now contains a .htaccess file with proper deny directives.
- Small UX improvement: add for attribute to captcha label.
- Added check for IIS server in get_server_type function.
4.2.2
Changes
- Debug logger class improvements.
- Added a message in the debug settings area to state that the log files are reset on every plugin update.
- Always return an array from scan_dir_sort_date() to prevent PHP notices.
- Improvements for Automated DB backups filling up space - old backup file will be deleted first.
- Thanks to RIPS Analyzer for sending us the vulnerability report.
4.2.1
Changes
- Improve output of .htaccess to include <IfModule mod_rewrite.c> checks and RewriteEngine On directives.
- Fall back to default DB backup interval in case of invalid value.
- The aiowps_delete_backup_files() function will produce a debug log message on every call (to help with troubleshooting when needed).
4.2.0
Changes
- WPML plugin compatibility fix for the renamed admin login page feature.
- Fixed a few potential XSS vulnerabilities.
4.1.9
Changes
- Small improvement to the new "immediate blocking of specific usernames" feature.
4.1.8
Changes
- New feature to allow immediate blocking of specific usernames.
- Only activate copy (right-click) protection for non-admin users.
- Fixed bug where logout link in admin bar does not get updated after the $_POST submit to reflect the new rename login setting.
- Fixed small bug in return_regularized_url function.
- Improvement/bug fix: When currently logged in user attempts to access renamed login page, redirect them to dashboard.
- Removed Spanish language files so they can be automatically pulled from WordPress.org.
- Drop unnecessary WHERE clause in some backend listings.
- Improvement: do not schedule a cronjob, if it is already scheduled.
4.1.7
Changes
- Added sanitisation for log file data in textarea.
- Disabled autocomplete for Captcha field.
4.1.6
Changes
- Added cleanup code for captcha string info transients.
- Minor change to the username label in the renamed login page to keep it inline with the standard WordPress login page.
- Fixed a potential vulnerability when viewing AIOWPS log files in the Dashboard menu. Thanks to Manuel LLOP for pointing this out.
4.1.5
Changes
- Fixed bug where username is an email and captcha was being ignored.
- Reduce memory footprint of database backup.
- Improvements: Make hard-coded strings localizable.
- Partial Apache 2.3 compatibility.
- Improved: Hide WP version number by replacing it with a hash. This way, WordPress version number is not exposed, but browser caching is not obscured by missing version numbers.
4.1.4
Changes
- Improved and tweaked the login captcha feature to avoid some issues people had with the last modification.
- Deleted reference to ini_get('safe_mode') to avoid fatal errors for newer versions of PHP where that setting has been totally removed.
4.1.3
Changes
- Added new checkbox for XMLRPC to disable only pingback methods but leave other XMLRPC functionality accessible. This will be useful for people who use Jetpack or WordPress iOS or other apps.
- Updated the French language file.
- Fix: decbin doesn't add leading zero. Comparing empty strings return bad results.
- Fix: bugfix in the login captcha. Thanks to Sipke Mellema for pointing it out.
4.1.2
Changes
- Fixed bug introduced by last file change scanner code changes.
- Fixed bug in SPAM comment blocking functionality.
- Fixed fatal error case when Divi theme and front end lockout is enabled.
4.1.1
Changes
- Fixed Fatal error conflict between Rename Login feature and Yoast SEO and some themes when attempting to access wp-admin page directly.
- Added "Pending Approval" message when manual registration approval feature is enabled and a user registers.
- Fix (minor): No need to use strcmp to compare integer values.
- Updated and simplified wp-security-stop-users-enumeration.php for bug (thanks to @davidegiunchidiennea)
- Minor code cleanup (Thanks to @chesio for the following changes).
- File scanner codebase cleanup.
- Fix: properly report invalid email addresses in file scanner configuration.
- Code clean-up in AIOWPSecurity_Scan::do_file_change_scan() method.
- Tweak: Compare file scan data faster.
4.1.0
Changes
- Fixed bug in Maintenance menu page when trying to attach a media file to the message text box.
- Added a new filter (called "aiowps_ip_blocked_error_msg") which allows the modification of the error message displayed on the login page when an IP address has been blocked by the login lockdown feature.
- Updated French language translation. Thanks to Claude Ribaux for providing the translation files.
- Thanks to @chesio for making the following two changes.
- Replaced deprecated call to get_currentuserinfo() function.
- Minor code fixes in the backup class file.
- Fix: display correct (error) message when write_to_htaccess() fails.
- Tweak: database backup filename is more human-readable.
4.0.9
Changes
- Made file change scanner code more robust for cases when open_basedir restriction is in effect. (Thanks to Manuel Jeanne for pointing this out).
- Added code which will remove WordPress version info during CSS and JS script loading if you have the "Remove WP Generator Meta Info" option checked. (Thanks to aldemarcalazans for pointing this out).
- Fixed some potential SQL injection vulnerabilities. (Thanks to Julio Potier for pointing these out).
- Changed the feature category of blacklist manager from "Intermediate" to "Advanced".
- Tweak: Remove "@" from list of characters blocked by advanced character string filter. (Because it is often used in retina-ready images).
- Fix: Use home URL instead of site URL in lock notification email subject. Thanks to @chesio for fixing this.
4.0.8
Changes
- Added ability to identify IP addresses during user registration and option to block selected IPs.
- Added login form captcha functionality for sub-sites in a multi-site installation. (see the Brute Force menu)
- Fixed multi-site bug related to manual user-chosen DB prefix change.
- Added extra XSS protection inside admin menu pages for the "tab" query parameter.
- Added a note to the features that have the potential to lock you out if they don't work correctly on your site.
- Updated Brazil-Portuguese language file.
- Fixed issue with firewall custom rules being corrupted by magic quotes. Thanks to @chesio for fixing this.
4.0.7
Changes
- Added a new action hook "aiopws_before_set_404" which triggers just before the AIOWPS sets a 404. (handy for cases when rename login page is used which affects some themes when accessing "wp-admin" directly)
- Fixed some potential SQL injection vulnerabilities.
- Thanks to @chesio for submitting the following changes and applying the fixes.
- Sub-directory install fixes.
- Improve behavior of WP File Access tab.
- Fix invalid nesting of HTML elements.
- Do not block HTTP requests that contain "tag=" in query string.
- Option to enable the 6G firewall.
4.0.6
Changes
- Removed the viewing of contents of wp-config.php and .htaccess files in order to protect sensitive info.
- Fixed more potential XSS vulnerabilities in some other settings pages. (Once again many thanks to Erin Germ for pointing these out)
4.0.5
Changes
- Fixed some potential XSS vulnerabilities in the blacklist, file system and file change detection settings pages. (Many thanks to Erin Germ for pointing these out)
4.0.4
Changes
- Added new feature: Auto Block Spammer IPs. This feature will automatically and permanently block IP addresses which are linked to comment SPAM. (see SPAM Prevention -> Comment SPAM IP Monitoring tab)
- Added compatibility fix for the qTranslate-X plugin in the rename login page feature.
- Added ability to send to more than one email address for file change detection feature notification.
- Fixed bug in whois library when searching ARIN registry.
- Fixed the handling of display of longer IPV6 strings in dashboard summary table.
- Added hook for WooCommerce login form to display unlock button.
- Added Dutch language translation. Thanks to Jeroen van der Linde for providing the translation files.
- Typo fix in the "stop users enumeration" feature.
4.0.3
Changes
- Added urlencode to query strings in URLs to prevent unexpected behaviour. Thanks to @chesio for spotting the issue.
- Added new feature to stop users enumeration. Thanks to Davide Giunchi @davidegiunchidiennea for adding this.
- Added more robust code for check_user_exists function. Thanks to Christian Carey.
- Added cron cleanup of the global meta table.
- Added a title in each of the admin interface menus.
4.0.2
Changes
- Added ability to enable/disable debug from the settings menu.
- Fixed bug related to using IP ranges in the whitelist settings.
- Added IPv6 support for the whitelist feature.
- Added check in file permissions feature for cases where wp-config.php may be located outside of root.
- Added wp cron DB cleanup events for various tables which may grow large over time.
- Changed firewall rule for proxy comment prevention to reflect suggestion made by Thomas O. in forum (https://wordpress.org/support/topic/high-server-cpu-with-proxy-login)
- Fixed CSS styling issue in admin pages for WordPress 4.4
4.0.1
Changes
- Renamed the language files to match the new textdomain slug to fix the language translation bug.
- Fixed bug related to the rename login feature and force logout or logout expiry events.
- Applied fix for log being generated by events table DB insert.
- Corrected a function call to static version of display error msg.
4.0.0
Changes
- Updated text domain to match expected value for translate.wordpress.org translation system.
- Fixed bug related to multi-site user_roles not being updated for child sites.
- Fixed minor bug in rename login feature.
- Updated the Italian language file.
3.9.9
Changes
- Fixed an issue with the rename login page feature for WordPress 4.3
- Added esc_attr() sanitization to some of the relevant parameters
- Added the necessary changes to allow activation via wp-cli
3.9.8
Changes
- Added guard against possible XSS in the unlock request feature.
3.9.7
Changes
- Added new feature which allows custom .htaccess rules. (See "Custom Rules" tab in Firewall menu). You can now use this to add custom rules to block access to various resources on your site.
- Added a new feature to block access to the wp-content/debug.log file (WordPress creates this file if you enabled debug logging option in the config file).
- Removed the "v" from version number of the plugin.
- Completed testing with WordPress 4.3.
3.9.6
Changes
- Added Rename Login page feature from the "Brute Force" menu to multisite sub-sites.
- Removed invalid "length" attribute from input element in captcha code.
- Fixed reset password feature whereby the URL which is sent out in the email for cases when rename login feature is enabled was not decoded properly.
- Corrected the check for boolean false if returned from wpdb query result.
- Added media button for wp editor in maintenance settings page.
3.9.5
Changes
- Fixed minor bug - IP addresses blocked due to '404' were not being listed in the display table.
- Updated the Russian language translation file.
- The automatic database table prefix generation value will use a-z characters only.
- Added esc_url sanitization to the add_query_arg/remove_query_arg function instances to prevent possible XSS.
3.9.4
Changes
- The sort order and orderby parameters now use a whitelisting approach for sanitization.
3.9.3
Changes
- Fixed the sort order not working in the 404 error logging and account activity page.
3.9.2
Changes
- Added a check for registration captcha feature to prevent errors when using another captcha plugin.
- Improved a few SQL statements.
3.9.1
Changes
- Added new "Force Logout" feature which will instantly force a certain user to be logged out of their session. (See the "Logged In Users" tab in User Login menu)
- Added more security protection for aiowps log files by creating .htaccess file and rules. AIOWPS log files can now only be viewed via dashboard menu, in new tab called "AIOWPS Logs". (NOTE: This security currently applies only for Apache or similar servers)
- Added backticks to SQL statement for DB prefix change to help prevent errors.
- Added protection against possible SQL injection attacks.
3.9.0
Changes
- Added some robustness to the file-scan code.
- Added extra security to all relevant list table instances to prevent unlikely malicious deletion commands.
- Fixed the user agent part of the blacklist settings code to allow user-agents to be cleared upon saving.
3.8.9
Changes
- Fixed bug in the new feature which allows permanent blocking of IP addresses that create 404 events.
- Fixed minor bug for all instances where wpdb "prepare" was being used with order/orderby parameters.
- Fixed a possible open redirect vulnerability. Thanks to Sucuri for pointing it out.
3.8.8
Changes
- Added extra robustness and security for wp list table db commands by using wpdb "prepare" command.
- Fixed minor bug with undeclared variable in rename login feature page.
3.8.7
Changes
- Added an improvement for login lockdown feature - locked IP addresses will no longer be allowed to register.
- Added a "view" link for each account in the pending registration approval table list.
- Fixed 404 logging/lockout bug.
- Added ability to permanently block IP addresses from the 404 event list for both bulk and single cases.
- Added ability to do bulk temp blocking for IP addresses in 404 list.
- Fixed a minor bug with validate_ip_list function.
3.8.6
Changes
- DB cleanup cron event bug fixed.
- Added Swedish language translation. The translation was submitted by Tor-Björn Fjellner.
- Updated the Russian language translation file. Update submitted by Tor-Björn Fjellner.
- The events table will automatically be cleaned up so it only keeps the last 5000 entries. You can override it using a filter (if you wanted to).
3.8.5
Changes
- Added functionality to prevent the aiowps_events table from getting too large.
- Added file change scan summary inside the alert email.
- Fixed the unlock feature so that it works correctly when the Rename Login Page feature is active.
- Added a check in the list logged in users file to prevent error when get_transient returns false.
3.8.4
Changes
- Updated POT language file.
- Tweaked the function which retrieves the IP address to handle cases where traffic is coming from Cloudflare.
- The MySQL database will not be forced anymore at the time of creating the table. It also reads the characters set value from the system first.
- Applied fixes to prevent remotely exploitable vulnerabilities.
3.8.3
Changes
- Modified "Pingback Protection" .htaccess rules to prevent xmlrpc login attacks and to be compatible with more servers.
- Made improvements to ensure that the rename login and white list features can be used together.
- Added a check to force user to enter alphanumeric string for renamed login slug.
- Improved the turn_off_all_firewall_rules() and turn_off_all_security_features() functions so that they also handle the updating of the htaccess file.
- Added an alternative way to import settings via a text box (Thanks to Dave McHale). This is for people who might have issues using the config settings file uploader.
- Added fix to properly update options tables when changing DB prefix in multisite system.
- Greatly improved the Renamed Login Page feature by removing various potential vulnerabilities.
- Added an if statement check to fix bug with rename login page feature - special case where user had non permalink structure was not working correctly in some rare scenarios.
- Updated the Italian language file.
- Fixed bug regarding wp_mail malformed header when "From" string was empty due to "site title" not being set.
- Fixed bug in IP list validation function for blacklist feature.
- Removed strict filtering of IP addresses so as to allow internal IP address ranges.
- Added stripping of orderby and order query parameters in the plugin.
- Added search capability by IP address, URL or referer for the 404 events list table.
3.8.2
Changes
- Fixed a CSS issue with the honeypot feature.
- Fixed a call to the login action handler static function.
3.8.1
Changes
- Minor bug fix for the honeypot feature - loading of css style sheet was not occurring when main login page rendered.
3.8.0
Changes
- Improved deactivation and re-activation tasks - AIOWPS will now gracefully clean up the .htaccess rules when the plugin is deactivated.
- Tweaked code so that all login pages including custom ones will correctly load the CSS style sheet file needed for honeypot feature.
- Updated the Portuguese language translation.
- Fixed the copy protection feature so it doesn't interfere with iframes and shortcodes.
- The plugin will now work fine even if your wp-config.php file is outside the WordPress root folder.
3.7.9.2
Changes
- Copy protection feature JS code improvement.
3.7.9.1
Changes
- Added captcha functionality for custom login form which is produced by the WP function: wp_login_form()
- Fixed a minor bug with the copy protection feature's JavaScript code.
- Tweaked file change scan algorithm to help prevent getMTime fatal runtime errors.
- Added a link to the github repository in the readme.txt file for developers.
3.7.9
Changes
- Fixed a small bug related to the cookie test in the Cookie Based Brute Force feature.
3.7.8
Changes
- Added new feature called Login Honeypot which will help reduce brute force login attempts by robots. (This can be found in the Brute Force menu)
- Added new feature to prevent other sites from displaying your content via a frame or iframe. (This can be found in the Miscellaneous menu)
- Added captcha feature for BuddyPress registration form.
- Added a new filter for the site lockout message so it can be customized.
- Added a new filter for template include of the site lockout feature.
- Temporarily deactivated the "DB Scan" feature.
3.7.7
Changes
- Improved DB prefix change code to make it more robust.
- Fixed a minor bug for the Rename Login page feature.
- Added check when processing rename login page to see if maintenance (lockout) mode enabled. Plugin will now display lockout message instead of 404 page if site lockout enabled.
- Made the Cookie Based Brute Force Prevention feature more secure by introducing a 10 digit random suffix to the test cookie name.
3.7.6
Changes
- Added ability to insert captcha in WordPress Multi Site registration form.
- Added a condition around the management permission constant. This will allow users to define a custom capability for this plugin's admin side via the wp-config file. This was submitted by Samuel Aguilera.
- Fixed a bug with the hidden login page Feature.
- Fixed a small settings bug with the "block fake google bot" Feature.
3.7.5
Changes
- Added a new DB scan Feature. Go to the "Scanner" menu to use this new Feature.
- Added new settings import/export Feature.
- Modified user accounts Feature to alert administrator if one or both "admin" or "Admin" usernames are being used.
- Added Persian language translation. The translation was submitted by Amir Mousavi Pour (me@ameer.ir).
- Small change to get_mysql_tables function to prevent fatal error when mysqli query is unsuccessful.
- Added Italian language translation. The translation was submitted by Marco Guglielmetti.
3.7.4
Changes
- Added a new Feature to add copy protection for your front-end. You can find this Feature under the "Miscellaneous" menu.
- Fixed comment captcha bug for multi-site. Now this Feature can be activated/deactivated for subsites of a multisite installation.
- Added Hungarian language translation. The translation was submitted by Daniel Kocsis.
- Moved the custom login page Feature's handling code to wp-loaded hook so other plugins that modify the login page can do their task before our one is triggered. This change was suggested by Mark Hudnall.
- Added German language translation. The translation was submitted by Manuel Fritsch.
- Updated the Brazilian language translation file.
3.7.3
Changes
- Added Brazilian language translation. The translation was submitted by Sergio Siqueira.
- Added two new action hooks for plugin activation and deactivation time.
- Improved the get_user_ip_address() function so it handles cases when multiple addresses are returned due to proxy.
- Fixed the misalignment of the login page, which was broken by WP3.9 when the rename login Feature is used.
- WordPress 3.9 compatibility
3.7.2
Changes
- Added a PHP Info section in the system info interface to show some important PHP details of the server.
- Added a filter to allow the user to have a custom translation in a place (which will be loaded instead of the default one from the plugin). This change was submitted by Samuel Aguilera.
- Replaced mysqli fetch_all method with fetch_assoc to cover cases where some servers do not have the correct mysql drivers.
- Added a new filter to allow manipulation of the htaccess rules from your custom code. The name of the filter is 'aiowps_htaccess_rules_before_writing'.
- Added a "Delete All 404 Event Logs" button to purge all 404 logs from DB
- Added code to automatically send an email to the registrant when an account has been manually "Approved" from the User Registration menu.
3.7.1
Changes
- Fixed a minor bug: dashboard link was pointing to the wrong tab for the "Logged In Users" tab.
- Fix a bug with the login page captcha. The captcha wasn't shown if the rename login page Feature was enabled at the same time.
Changes
- Added new Feature - 404 detection. This allows you to log 404 events and block selected IPs. This Feature can be found in the Firewall menu.
- Added new dashboard info box to display number of blocked IP addresses in the lockout table.
- Fixed bug where user could not access login page when maintenance mode and rename login page features were both active.
- Tweaked the hotlinking .htaccess directives to cover both http and https.
- Fixed code to prevent mysql errors due to some variables not having default value in failed login and lockdown tables
- Replaced deprecated PHP function mysql_query with mysqli.
- Added language file for Spanish language. The Spanish translation was done by Samuel Montoya.
- Added code to hide the "DB Prefix" menu for the non-main sites in multi-site installation
Changes
- Added a new Feature to prevent image hot-linking. (See the "Prevent Hotlinks" tab in the firewall menu)
- Added a check in the Rename Login Page Feature to prevent people from setting the slug to "wp-admin"
- Fixed a small bug with Login Lockdown Feature.
3.5.1
Changes
- Fixed a bug where the cookie-based brute force directives were not being deleted from the .htaccess file when the Rename Login Page Feature was being activated.
Changes
- Added new Feature which will Block Fake Googlebots from crawling your site. Check the Firewall menu for this new Feature.
- Added code to prevent users from having both the Rename Login Page and Cookie-Based Brute Force features active at the same time.
- Added some useful info boxes in the dashboard: 1) to inform the user if the cookie based brute force or rename login page features are active, 2) last 5 logins to your site.
- Fixed minor bug with .htaccess backup Feature.
- Updated the from email address value used for sending backups and file change notification. Thanks to @TheAssurer for the tip.
- Updated the warning message for the disable index view Feature.
Changes
- Consolidated "Brute Force" features by moving all such features to the "Brute Force" menu.
- Improved the file change detection scan Feature: Introduced a button allowing admin to view the file change results from the last scan and fixed small bug whereby the change detected flag was not being cleared for applicable cases.
- Fixed a small bug with "rename login page" (hide admin login) Feature.
- Made wp-config.php and .htaccess file backups more secure. Thanks to @TheAssurer for the tip.
- Made the login code more robust by catering for cases where the "wp_login" action was not passing 2 parameters.
Changes
- Added a brand new brute force prevention Feature - Rename Login Page. This Feature can be found in the new menu item called "Brute Force".
- Modified the new unlock request Feature so that the locked out user will only have to enter email address when they submit an unlock request.
- Replaced the deprecated PHP function "mysql_list_tables" with alternative code.
- Added warning message regarding WordPress iOS app when pingback protection Feature in the firewall settings is active.
- Added Malware scan tab and information.
- Some minor html form and CSS corrections.
Changes
- Added new Feature which allows users to generate an automated unlock request link via email when they get locked out because of the login lockdown Feature.
- Added a check to ensure that user cannot enter 0 minutes in the Force Logout Feature.
- Fixed translations so that various previously omitted strings can now be translated.
- Added a new filter before locking down a user's IP address - aiowps_before_lockdown.
- Generated a new translation (POT) file.
Changes
- Added a new Feature that will allow you to add a captcha to the lost password form (useful if you are allowing user registration on your site).
- Added ability to specify a system log file in the "Host System Logs" tab of the "File System Security" menu
- Fixed a tab link bug. One link was going to the wrong menu tab.
- Updated the POT file of the plugin.
Changes
- Added a new Feature which allows you to add captcha to the WordPress user registration page.
- Added some more helpful comments and link to video tutorial in the brute force and white list features settings pages.
Changes
- Added new Feature which automatically sets the status of newly registered WordPress user accounts to "pending" and allows manual approval by an administrator.
- Improved robustness of file change detection iteration code.
- WordPress 3.7 compatibility
2.8.1
Changes
- Improved the login captcha implementation
- Changed the management permission to manage_options
Changes
- Added a Feature to insert a simple math captcha to the WordPress comment form (to reduce comment spam). Check the spam prevention menu for this new Feature.
- Fixed a minor bug with bulk unlock/delete in user login menu
- Fixed a minor bug with math captcha logic.
Changes
- Added a simple math captcha functionality for the WP login page. This is another easy yet effective way to combat Brute Force Login Attacks. You can enable this new Feature from the user login security menu.
Changes
- Added a new Login Whitelist Feature. This Feature enables you to specify one or more IP addresses in a special whitelist which will have access to your WP login page.
- The IP address will also be included in the email that gets sent to the admin for the ip address lockout notification.
- Language file loading Fix for Chinese language.
- Tweaked the code which creates a .htaccess file in the backup directory to ensure it gets run even if the directory already existed.
- Made DB backups more secure.
- Added more useful debug logs for .htaccess file manipulation failure scenarios.
Changes
- Added a new Feature which will list the currently logged in users who have been active within the last 15 minutes.
- Added a new Feature in settings menu which will disable all firewall rules and clear all applicable directives in the .htaccess file.
- Improved the way the wp-config.php file is handled when it contains an ending PHP tag "?>" (older sites that were using PHP4 earlier).
Changes
- Added new Feature/checkbox which will instantly lockout IP address ranges which attempt to login with an invalid username.
- Fixed a bug in the Comment SPAM IP Monitoring page where trying to block one or more IPs was failing.
- Removed the word "config" from the list of bad query strings check (to add compatibility with a few more plugins)
- Added a notice in the dashboard menu to show you if there are any recent file changes that the plugin detected.
- Fixed bug with php File Editing Feature. Code now also handles older style wp-config.php files which have the php end tag "?>"
- Fixed bug with "Disable All Security Features" button functionality. When clicked, this will now also make the appropriate changes to the .htaccess and wp-config.php files if necessary.
- Changed the storage of backup files from the plugin's directory to the uploads directory. Also added a .htaccess file for security.
- Fixed the way user-agent strings were written to the .htaccess file from the Blacklist Feature. The code now will correctly identify and represent spaces and escaped chars.
- Fixed a bug related to sending backup to correct email address.
Changes
- Added new menu called Scanner with a new Feature called File Change Detection. This Feature will alert you if any files have been changed, added or removed from your system.
- Fixed "Deny Bad Query Strings" rules to not break the ability to drag components in the WordPress "Appearance->Menus" page
- Fixed an activation time warning (on sites with WP_DEBUG option enabled)
- Re-implemented the wp-config.php file content backup Feature. It now directly downloads the contents of the file to your computer.
- Multi-site enhancements: Suppressed access to configuration settings for features which are not allowed to be configured from subsites of multi-site installations.
- Fixed a bug with login lockdown Feature.
Changes
- Added a new Feature which will block some spambots from submitting comments.
- Moved Comment SPAM IP monitoring interface to the new "SPAM Prevention" menu.
- Fixed a bug with login lockdown Feature for both multi and single site.
- Improved firewall Feature for multi-site by making the "Firewall" menu available only for the main site and not the sub-sites.
- Added random prefix to backup file names.
- Fixed a bug for WP multi-site install where DB tables do not get created when new blogs are created in the network.
2.1.1
Changes
- Fixed a version tagging issue.
Changes
- Fixed an issue with install time error on some sites for WordPress 3.6
- Fixed some WP Debug related errors for WordPress 3.6
- Replaced the deprecated $wpdb->escape() function calls with esc_sql() calls
Changes
- Fixed a bug for general DB backup functionality.
- Fixed multi-site DB backup - the plugin will now backup only the tables relevant for the sub-site in question.
- Added blank index.html files in various folders inside the plugin.
- Disabled the wp-config.php file backup Feature until we find a more secure method of doing the backup.
Changes
- Added new WordPress PingBack Vulnerability Protection Feature. This allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality.
- Added a configuration item in the brute force login prevention Feature to allow ajax functionality to work properly when this Feature is enabled.
- Added a POT file for language translations.
- Made the DB Prefix Feature more robust by adding a check to ensure that plugin can write to the wp-config.php file. This will prevent user from losing access to their site in cases where the system changed the prefix but not the entry in the wp-config.php file.
- Tightened the data validation for the cookie based brute force login Feature to ensure that the user must enter a secret word which consists of alphanumeric characters.
- Added edit links to the user account list in the "User Accounts" menu.
Changes
- Moved the front end site lockout Feature to a new menu called "Maintenance".
- Added a Feature in the front-end lockout Feature to allow people to specify their own message which will be displayed on the front-end to visitors who try to access the site when it is in lock out state.
- Fixed a bug in the front-end lockout Feature by adding some checks which ensure that the admin will not get locked if the Feature is still active and their login session expires or they log out.
- Added a widget in the dashboard menu to show the status of the "maintenance mode" Feature.
Changes
- Added a new Feature which is a password strength tool which calculates how easy it is for your chosen password to be cracked using a desktop PC and the appropriate SW. This tool should help you create strong passwords.
- Added a front-end general visitor lockout Feature. This Feature allows you to temporarily lock down the front end of your site while you do security investigation, site upgrades, tweaks etc.
Changes
- Added a new option in the cookie-based Brute Force Login Attack prevention Feature to allow users to use this Feature together with the WordPress's post/page password protection Feature.
- Fixed a bug in the 5G firewall rules so that the printed rules include the correct number of '\' characters.
- Fixed a minor bug in the "restore from backed up htaccess file" Feature.
- Enhanced the "Save current wp-config.php file" Feature so it will continue to work with all of the firewall rules active on the site.
- Added extra checks to account for some error scenarios caused on some servers when recursive file search is done.
Changes
- Added new Feature - Cookie-based Brute Force Login Attack Prevention. Check under the "Firewall" menu for this new Feature.
- Fixed bug related to setting of default configuration for first-time plugin activation.
Changes
- Tweaked the "Deny Bad Query Strings" firewall rules so that plugin deletion and update operations from the WordPress plugins menu are not affected.
- Fixed a minor bug related to scheduled database backups.
- Added some extra default settings to be applied to the plugin's configuration pages upon activation for the first time.
- Plugin will now display a recommendation message if user sets scheduled backup frequency to less than 24 hours.
Changes
- Added a new Feature to remove the WordPress Generator Meta information from the HTML source of your site.
- Tweaked the "Advanced Character String Filter" to Fix issue which was affecting plugins such as "Admin Management Xtended" and also pages with keywords such as "password" in the URL.
- Updated one rule in the "Advanced Character String Filter" Feature to make it compatible with W3 Total Cache Plugin's minify Feature.
- Added a "Delete All Failed Login Records" option in the "Failed Login Records" tab. This will delete all entries in the failed logins table and will make it less tedious for users who get a lot of brute force attacks on their site.
Changes
- Moved the rules which disable index views from the "basic firewall" rules to the "additional rules" section. This will prevent any site breakage for
Changes
- Added the following new Feature:
- Prevent people from accessing the readme.html, license.txt and wp-config-sample.php files.
Changes
- First commit to the WP repository.
WPO
4.5.3 – 29/Apr/2026
Changes
- SECURITY: Prevented path traversal security risk. Thanks to Wordfence for the responsible disclosure.
4.4.0 - 12/Dec/2025
Changes
- Feature: Added Onboarding Wizard
- Fix: Ensured old cache purging cron job is scheduled successfully
- Fix: Fixed a potential fatal error in the WPO_Page_Optimizer class
- Tweak: Fixed the ability to disable caching menu in admin bar
- Tweak: Updated file permissions for wpo-plugins-tables-list.json
4.3.1 - 14/Nov/2025
Changes
- Fix: Prevent PHP fatal error occurring when cache is enabled and the "Aelia Currency Switcher for WooCommerce" plugin is active
- Fix: Cache – Fixed compatibility issue
- Fix: Database - Table Usage - Fixed the issue with incorrect table name detection in certain cases
- Fix: Fixed UI Issue - Content cut off in "Review Actions" modal under WP-Optimize > Database
- Fix: Fixed _load_textdomain_just_in_time being triggered too early
- Fix: Premium - Unused images - Fixed an issue with clearing the cache of unused images
- Fix: Smush - Compressing an image larger than the reSmush.it service limit freezes the popup in the Media Library
- Fix: Smush - Fixed issue with multiple images compression action
- Fix: Undefined property: stdClass::$plugin_status bug fixed
- REFACTOR: Database - Table Usage - enhanced variable names
- REFACTOR: Using strict comparison throughout the codebase
- Tweak: Improve detection of Cloudflare handling browser cache
- Tweak: Added validation for AJAX commands in the Premium version
- Tweak: Convert already compressed images to webp format when possible
- Tweak: Fix the compatibility issue with ALTCHA when using the ASE Pro Plugin
- Tweak: Improve browser caching by adding max-age option
- Tweak: Premium - Cache - Do not process the cache when the user cannot be identified
- Tweak: Premium - Database - Tables usage report shows data only for active plugins
- Tweak: Premium - Unused Images - Enhanced detection for Revolution Slider
- Tweak: Premium - Unused Images - Improved detection of unused images in Oxygen Builder
- Tweak: Premium - Unused Images - Recognize Oxygen 6 images
- Tweak: Premium - Prevent PHP warnings from Table Usage Feature
- Tweak: Remove unused jQuery 1.12.4 dependency
- Tweak: Run database table optimization last
- Tweak: Updated links
- Tweak: Various tweaks and improvements to code
4.3.0 - 22/Sep/2025
Changes
- Feature: Premium - Cache - Cache REST API requests
- Feature: Premium - Further reduce CSS files sizes by removing unused CSS rules
- Fix: Added backward compatibility for timezone and datetime functions and improved status report support for older WordPress versions like 4.9.
- Fix: PHP Warning file_exists(): open_basedir restriction in effect
- Fix: Prevented buffer initialization during wp-cron when HTML DOM is unavailable.
- REFACTOR: Database - Table Usage - Refactored execute_query_analysis() function
- Tweak: Added new UpdraftCentral endpoints
- Tweak: Enhanced multisite support: added performance widget to Network Dashboard and fixed sub-site widgets to show only site-specific 404 request counts.
- Tweak: Fix external loading of Gtag analytics script
- Tweak: Moved the tooltip tag outside the <label> tag
- Tweak: Performance - 404 Detector (Not Found Requests) added a button to clear all logs.
- Tweak: Publishing a post or custom post type (CPT) no longer clears the cache of all posts of the same type.
- Tweak: Removed return statements from constructors and added checks at the point of class instantiation.
- Tweak: Smush - Enhanced compatibility and performance with EWWW Image Optimizer installed
- Tweak: Premium - Added cache support for Nelio A/B Testing plugin
- Tweak: Added a hook to trigger custom code when a page is not cached
4.2.4 - 30/Jul/2025
Changes
- Fix: Potential PHP fatal error when no site is selected during database optimization in multisite
- Fix: Issue where the database optimization spinner remained indefinitely active
- Fix: PHP 8.4 compatibility warnings
- Fix: Minify default exclusions fatal error
- Fix: Premium - Potential PHP fatal error - type hinting error in the database table usage Feature
- Fix: Premium - Page cache and lazy load meta boxes no longer display on post edit screen when their respective options are disabled
- Fix: Only purge relevant files when a published post is saved; also purge the author archive cache upon post save
- Fix: Premium - Fixed compatibility of Table usage with WordPress versions earlier than 5.3
- REFACTOR: Premium - Database - Table Usage - added missed translation functions
- Tweak: Purged content will preload only when cache is enabled, and the user-agent has been updated to a modern browser and OS version
- Tweak: Update seasonal advert banner logos, texts and links
- Tweak: Update plugin readme text and links
- Tweak: Premium - Cache - Add UI element to ignore query variables
- Tweak: Premium - Database - Table Usage - replaced loading state with native modal
- Tweak: Removed seasonal discount ads except Black Friday
4.2.3 - 15/Jul/2025
Changes
- Fix: Cache - Resolved PHP warning caused by excessively long cache file names
- Fix: Corrected typo from `meta data` to `metadata`
- Fix: Cron reschedule event error for hook `wpo_prune_404_log` when `is_minimum_requirement_met` is `false`
- Fix: Premium - Fixed a rare PHP warning that could occur when saving a post
- Fix: Unused image - incorrect image filtering in multisite
- Fix: WP Remote sync conflict caused in v4.2.1 and v4.2.2 by replacing wp_salt with core PHP functions
- Fix: YouTube lazy-load – Thumbnail image now falls back to JPG if browser doesn't support WebP
- Fix: WebP images were not being served in Firefox on certain environments
- Tweak: Fixed 404 detector log URLs going out of the viewport on mobile screens.
- Tweak: CSS Improvements, better font size handling, remove duplication, and SASS instead of import
- Tweak: Delay YouTube preview image cache purging
- Tweak: Display notice when server does not allow database optimizations
- Tweak: Enhanced database optimization compatibility with jQuery 4
- Tweak: Fixed incorrect transients count in database optimizations UI
- Tweak: Improved sanitization of incoming data in `Updraft_Smush_Manager_Commands`
- Tweak: Minify - Improved compatibility with Divi theme's dynamically generated assets
- Tweak: Multisite corrected site count in database optimizations UI.
- Tweak: Preserve EXIF data is set to false by default in all places at codebase level.
- Tweak: Update URLs of links and images to point to https://teamupdraft.com
4.2.2 - 02/June/2025
Changes
- Fix: Cache - Resolved unwanted output in WP-CLI and fatal error related to WooCommerce's country-specific files, introduced in v4.2.0
- Tweak: Premium - Cache - Compatibility with WordPress 6.8
4.2.1 - 05/May/2025
Changes
- Fix: Cache - Compatibility issue with other plugins due to late start of output buffering
- Tweak: Improved array handling in `get_active_plugins()`, potentially avoiding edge-case fatal error
4.2.0 - 01/May/2025
Changes
- SECURITY: On multisite installs (only), a logged-in site administrator could use an unsanitised parameter to inject unwanted content into SQL queries. Thanks to Marc Montpas for the responsible disclosure.
- Feature: Premium - Replace YouTube Iframes with preview images to improve page speed
- Fix: Fix conflict with the WPML plugin
- Fix: Smush - Fixed PHP warning on the Media Library page
- Fix: Smush - Fixed issue where the Smush popup would freeze
- Fix: WebP images not served after WP-Optimize reactivation
- REFACTOR: Smush option removed from media upload modal
- Tweak: Update advert banner logos, texts and links
- Tweak: Add missing separator between compression items in media library
- Tweak: Avoid PHP warning thrown by Page Speed Ninja plugin
- Tweak: Cache - Start caching after plugins loaded
- Tweak: Fix PHP deprecation warning in PHPSQLParser for PHP 8.4
- Tweak: Fix deprecation warning in Updraft_Logger class for PHP 8.4
- Tweak: Fixes absence of checkbox to remove all transients
- Tweak: Premium - Support and feedback links in Help tab now point to getwpo.com
4.1.1 - 05/Mar/2025
Changes
- Fix: Page builders not working with Delay JS option enabled
4.1.0 - 03/Mar/2025
Changes
- Feature: Premium - Improve performance by caching Gravatar images locally.
- Fix: Premium - Unused images - Fixed warnings when moving non existing image to trash
4.0.1 - 17/Feb/2025
Changes
- Fix: File system usage issue
4.0.0 - 10/Feb/2025
Changes
- Feature: Delay JavaScript execution
- Fix: Cache - Fixed PHP warning "Cannot modify header information"
- Fix: Minify - Unusual behavior occurs when the "Disable Google Fonts processing" option is enabled
- Fix: Smush - Fixed image compression actions in Media Library
- REFACTOR: Replacing jQuery Tablesorter with 'sortable-tablesort' package
- Tweak: Cache - Enhance ActivityPub compatibility
- Tweak: Fix PHP notice caused by subscriben plugin advert
- Tweak: Minimum requirements were updated to PHP version 7.2 and WordPress version 4.9
- Tweak: Remove uses of `unserialize` without restriction of allowed_classes
- Tweak: Recognise Independent Analytics Pro plugin tables in database optimization
3.8.0 - 09/Dec/2024
Changes
- Feature: Added a system status page
- Feature: Logs frequent and highly recurrent 404 requests; introduces a new Performance tab.
- Fix: Cache - Legacy Widgets visibility issue with WP-Optimize Cache enabled
- Fix: Cache - UI issue: Preload "Cancel" option is gone after reloading the WPO settings page instantly
- Fix: Database - optimizing any item also changes the status of other items
- REFACTOR: Minify - Removal of the WPO_MINIFY_PHP_VERSION_MET constant
- Tweak: Add a warning message before deleting post metadata or orphaned relationship data.
- Tweak: Bailout early if the minimum PHP version is not met
- Tweak: Introduced logging for cache purge operations, available under `uploads/wpo/logs/cache-*.log`
- Tweak: Open CRON overdue guide in new tab
- Tweak: Persist Analytics Tab when minification is disabled
- Tweak: Premium - Unused Images - Improved detection of images not present in the Media Library, marking them as used
- Tweak: UI improvements in Analytics section
- Tweak: Wrapped checkboxes inside `label` tags in the confirmation popup that appears when clicking the "Remove" button on the Database > Tables tab.
3.7.1 - 20/Nov/2024
Changes
- Tweak: Resolved a PHP notice caused by translation loading too early when caching is enabled, introduced in WordPress 6.7
3.7.0 - 21/Oct/2024
Changes
- Feature: Added an option to automatically preload URLs immediately after cache content is purged
- Feature: Premium - Gather data about table usage by filtering `query` event
- Fix: Cache - Scheduled preloading wasn't working
- Fix: Inconsistency in `smush_manager_send_command` function
- REFACTOR: Smush - Popup styles, remove unused code
- Tweak: Fix fatal implode error when updating to v3.5.0
- Tweak: Image compression - Issue with cancelling smush image compression
- Tweak: Improve module minification logic
- Tweak: Premium - Unused images - Fixed popup when moving images to or restoring images from the trash
- Tweak: Premium - Unused images - Placeholder images in unused images section
- Tweak: Added `security.md` file with information to report security issues
3.6.0 - 12/Sep/2024
Changes
- Feature: Premium - Auto-detect images lacking dimension attributes and add them to improve CLS
- Fix: Fixed the issue that disabled WebP conversion due to checking all shell commands for WebP compression
- Fix: Premium - Unused Images - The unused image size deletion functionality does not work when images are not in the /yyyy/mm/ folder
- REFACTOR: Removed unnecessary static methods in WebP class
- Tweak: Image compression - Rolled back to using popup error notices as in versions prior to 3.4.0
- Tweak: Added a more descriptive error with resolution proposals for failed gzip compression and browser cache tests
- Tweak: Fix broken unused image list thumbnails and download as csv link in Multisite
- Tweak: Fix the singleton pattern in Heartbeat class
- Tweak: Image compression functionality added to the Media Library page
- Tweak: Premium - Cache - Added support for Aelia Currency Switcher plugin
- Tweak: Premium - Unused images - improve clarity in UI for images in post revisions
- Tweak: Added additional checks to the `implode()` function to mitigate the risk of fatal errors on certain instances
3.5.0 - 14/Aug/2024
Changes
- Feature: Premium - Host Google and minimal analytics scripts locally
- Fix: Premium - Cache - Single page cache purge/preload Feature isn't working
- Tweak: Add logging for the WebP Feature
- Tweak: Allow minification of script modules
- Tweak: Cache - Purge the cache when the site is migrated
- Tweak: Improvements to asset minification cache logic
- Tweak: Improvements to reSmushIt curl error message
- Tweak: Minify - Added an option to disable Google Fonts processing when it causes conflicts with other plugins
- Tweak: Move all WPO files from the `uploads` folder to `uploads/wpo`
- Tweak: Style improvement of the loading modals
3.4.2 - 03/Jul/2024
Changes
- Fix: Removes unnecessary heartbeat calls for retrieving information about images
3.4.1 - 26/Jun/2024
Changes
- Fix: Issue with bulk editing on the posts and pages edit screen
3.4.0 - 25/Jun/2024
Changes
- Feature: Premium - Smush - Bulk compress / restore from media library
- Fix: Deactivate the form for minifying JS/CSS settings when the corresponding option is disabled
- REFACTOR: The functionality for the 'Unused Images' Feature in ACF has been moved to a separate class
- Tweak: Add UpdraftCentral commands for the latest WP-Optimize features
- Tweak: Adjusted the scheduled preload time for improved performance
- Tweak: Auto-update advanced-cache.php settings during site migration
- Tweak: Cache - Human-readable file names for the cache directory
- Tweak: Caching related cron jobs are activated even though cache is disabled
- Tweak: Image compression - Updated message for restoring images action
- Tweak: Implement Heartbeat API for image compression progress updates
- Tweak: Improving vendor autoload
- Tweak: Introduces a hook (`wpo_force_webp_serve_using_altered_html`) for changing WebP serving method
- Tweak: Minify - Exclude .min files from minification
- Tweak: Minify - Improve list of processed files UI
- Tweak: Optimization of the get_uncompressed_image query
- Tweak: Persist script loading strategy when minifying JS files
- Tweak: Premium - Compatibility with Curcy WooCommerce multi currency plugin
- Tweak: Premium - Unused Images - Added an option to delete original images when scaled versions exist
3.3.2 - 16/Apr/2024
Changes
- Fix: Ensure the admin bar is not cached when caching is enabled for both logged-in and guest users
- REFACTOR: Remove unused code
- Tweak: Cache - Prevent sitemaps being cached
- Tweak: Display a notice when static browser cache is enabled but not working
- Tweak: Premium - Added "Lost your password?" link on plugin's page
- Tweak: Premium - Unused images - Detect Elementor's 'Video' widget's image
- Tweak: Recognise Rank Math plugin tables as used in database optimization
- Tweak: Reduce .htaccess file write operations when WebP is enabled
- Tweak: Seasonal notice content update for 2024
- Tweak: Unused Images - Unused tab displays multiple images for compressed images with WebP Conversion
- Tweak: Prevent multiple AJAX requests being generated by repeated clicks on the "Purge Cache" button
- Tweak: Call the `litespeed_finish_request()` function when attempting to close browser connection on LiteSpeed servers
3.3.1 - 06/Mar/2024
Changes
- Fix: Cache - Compatibility issue with Jetpack's infinity scroll feature
- Fix: Cache - Don't cache activity stream (ActivityPub plugin compatibility)
- Fix: Cache - Page not cached comment is added to `robots.txt`
- Tweak: Fix PHP warnings when server variables are not available
- Tweak: Fix Unexpected response alert and PHP warning when cache preloading is triggered manually
- Tweak: Migrate from setInterval to WP heartbeat API to refresh information about backend tasks
- Tweak: Optimization of the WebP Implementation
- Tweak: Update dashboard notice to include all of our plugins
- Tweak: Update the footer review prompt
3.3.0 - 31/Jan/2024
Changes
- Feature: Premium - Ability to preload and purge caches from individual post/page
- Fix: Premium - Unused Images - Recognise Elementor's Container, and Section widget background images
- Fix: Avoid having repeated minified scripts in the same bundle, as it breaks the code in some specific cases
- Fix: Cache - TranslatePress compatibility - Post updates purges cache for all related translated languages
- Fix: Only try to parse canonical URLs if there is a path or querystring, needed for WPML with multi-domain compatibility
- Tweak: Add cron de-scheduling of all wpo_* events during plugin uninstall
- Tweak: Cache - Always add source code comment about page not being cached, but only add details when WP_DEBUG is ON
- Tweak: Cache - Fix issue with excluding encoded (non-latin) URLs
- Tweak: Do not attempt to close browser connection when the context is not an AJAX action
- Tweak: Minify - Logging more information about why minify static assets cache gets invalidated and regenerated
- Tweak: Revert to the original `matthiasmullie/minify` repository after confirming resolution of previous issues
- Tweak: Setup Cron job to clear failed smush tasks from DB
- Tweak: Using clear text user agent strings instead of regular expressions to identify web browsers for improved clarity
- Tweak: Updater library in the Premium version updated to the current release series
3.2.22 - 23/Nov/2023
Changes
- Tweak: Cache - Show a notice in the admin if the config file is missing and caching is enabled
- Tweak: Added support for new emoji styles related hooks introduced in WordPress 6.4
- Tweak: Database - Fix "Optimize database tables" stuck loading state
- Tweak: Premium - Cache - Style improvement for the select2 box from advanced cache settings
- Tweak: Premium - Images - Fix issues with AVIF images in the unused images feature
- REFACTOR: Wrapping most of the external links in the WPO settings pages with the appropriate function
- REFACTOR: Remove unused code
3.2.21 - 18/Oct/2023
Changes
- Fix: Prevent PHP fatal error when updating from older versions of WP-Optimize
3.2.20 - 16/Oct/2023
Changes
- Fix: WebP - Performance issue because of possible infinite loop
- Fix: Cache purging occurred prior to the cache lifespan expiration
- Fix: Premium - Smush - Do not consider images in trashed posts as unused
- Tweak: Remove extra slash from plugin asset URLs and paths
- Tweak: Image - Add a tooltip next to the restore button on the edit media screen
- Tweak: Premium - Prevent PHP deprecated warning when generating variations from attributes for new WooCommerce variable products
- Tweak: Premium - Purge cache when the `Variation Swatches for WooCommerce` plugin settings get updated
- Tweak: Premium - Settings - Style improvement for the `Purge cache permissions` select2 box
- Tweak: Recognise LearnDash plugin tables in database optimization
- Tweak: Remove empty `uploads/.htaccess` file and remaining cron events
- Tweak: Smush - Disable server info in smush logs by default
- Tweak: Smush - Resolve double log entries when compressing a single image from the media library metabox
- Tweak: Prevent unwanted PHP notice upon update
3.2.19 - 15/Sep/2023
Changes
- Fix: Cache - Relevant caches are now purged upon updating homepage display settings and posts per page settings
- Fix: Minify - Multiline content inside textareas break after exporting and importing settings
- Fix: Smush - Images are not compressed with default (image quality = 100) settings
- Fix: Premium - Cache - Caching stops working when WordPress salt keys contain backslash (\) character
- Fix: Premium - User per role cache not working when tables do not have `wp` prefix
- Fix: Premium - When lazy loading is enabled, the picture tag in initial viewport is not visible
- Tweak: Fixed date format and timezone in the cache last modification comment according to the site configuration
- Tweak: Fixed spelling errors in the repository
- Tweak: Minify - The process of purging cache for 3rd party caching solutions now works properly when multiple other solutions are present
- Tweak: Premium - Lazy load - Added Jetpack, Optimole, Rocket Lazy Load, and Smush (WPMU Dev) plugins to the incompatibility notice
- Tweak: Prevent PHP warning upon installing themes from the WordPress repository
- Tweak: Update the composer package yahnis-elsts/plugin-update-checker for PHP 8.2 compatibility
3.2.18 - 11/Aug/2023
Changes
- Fix: A bug in the v3.2.17 release that caused certain database optimization buttons to be disabled has been fixed
- Tweak: Reset WebP serving method upon updating to version 3.2.18
3.2.17 - 08/Aug/2023
Changes
- Fix: The "Automatically compress newly-added images" feature now works on multisite when the attachment ID is the same in both sites
- Fix: Minify - No separate try-catch blocks for same handle
- Fix: Premium - Unused Images - Recognise Elementor Carousel, Slides, Flip Box, and Site logo widget images
- Fix: Premium - Prevent memory exhausted PHP fatal error when using the unused images feature with Elementor
- Tweak: External links will open in new tab/window
- Tweak: Remove `htaccess-capability-tester` dependency
- Tweak: Remove residue folders in `uploads/wpo`
3.2.16 - 06/Jul/2023
Changes
- Fix: HTML minify should not remove `title` tag added by AIOSEO
- Fix: Premium - Fetching unused images data is incorrect when previous task queue is not properly unlocked
- Fix: Premium - Unused Images - Recognise Elementor background images
- Tweak: Premium - Prevent conflicts between the minify feature and the `YITH Point of Sale for WooCommerce` plugin
- Tweak: Premium - Compatibility issue with Smart Slider 3
- Tweak: Suppress PHP warnings caused by WebP converter
- Tweak: Database optimization - Prevent duplicate AJAX requests, minor code improvements
- Tweak: Smush - Add a cron job to run pending image compressions, ensuring completion of the process even if bulk image compression encounters interruptions or failures
- Tweak: Clean up files on uninstall
- Tweak: Added compatibility for `Custom Permalinks` plugin
- Tweak: If minifying is enabled, then check that the purge cron event exists (not only upon plugin activation)
- REFACTOR: Premium - Unused Images - Separate classes for Beaver Builder, Estatik, and Yoast SEO plugins
- Fix: Premium - WP CLI commands permission issues solved
3.2.15 - 09/May/2023
Changes
- Feature: Premium - Cache - Added compatibility with the "WooCommerce Multilingual & Multicurrency" plugin's multi-currency feature
- Fix: Premium - Above-the-fold elements should not be loaded lazily
- Fix: Prevents minify cache invalidation when asset version is changed but content is same
- Fix: Prevent PHP 8 uncaught exception `TypeError` when using CloudFlare
- Fix: Add logging destination UI
- Fix: Premium - Cache - Prevents a PHP fatal error that occurs when user cache is enabled on sites running on MariaDB with a version prefix of '5.5.5-' and PHP versions prior to 8.0
- Fix: Serving WebP images only to supported browsers wasn't working properly when page caching is enabled
- Fix: Minify - `inherit` Google fonts method is not working
- Tweak: Prevent PHP deprecation notice when purging minify cache
- Tweak: Cache - Prevent PHP warning when deleting cache
- Tweak: Suppress PHP notice when cannot write to .htaccess file
- Tweak: Add user capability check for smush task manager ajax handling method
- Tweak: Minify - Do not send cache control and last modified headers if already present
- Tweak: Smush - clean up log entries
- Tweak: Correctly handle XX and T1 country codes in Cloudflare's IP country header
- REFACTOR: Separate classes for activation, deactivation and uninstall actions
3.2.14 - 30/Mar/2023
Changes
- Fix: Compatibility with WordPress 6.2 when using PHP 8.x
- Fix: Divi builder's edit mode when WebP serving is using the "alter HTML" method
- Fix: Premium - Unused images feature - improve compatibility with Beaver Builder and its addons
- Fix: Cache - Page caching wasn't working on the IIS webserver
- Tweak: Update seasonal notices
- Tweak: Prevent deprecation notices in PHP 8.2+
3.2.13 - 13/Mar/2023
Changes
- Feature: WebP - Ability to convert to WebP format from media library
- Fix: Prevent PHP warning when minify-log files are missing or corrupted, also added appropriate error message
- Fix: Delete WebP files and uncompressed file when media is deleted
- Fix: Polylang compatibility - now upon updating any post, caches for all translated languages are cleared
- Fix: Prevent adding unsupported media types to the smush task list
- Fix: WebP - Unsupported formats throw a fatal error
- Fix: Compress image UI for WebP images
- Fix: Premium - WebP Images are marked as unused images
- Fix: Resolved an issue where Beaver Builder's edit mode was not functioning properly when WebP conversion was enabled
- Fix: Prevent creating multiple cache directories for URLs that contain non-English characters
- Tweak: Preload allowed time difference is set to be the same as max execution time
- Tweak: Premium - Unused images feature - Add compatibility with Yoast SEO social images
- Tweak: Prevent jQuery deprecation notices
- SECURITY: Fixed a non-persistent XSS vulnerability that could occur on certain servers when the WebP conversion option was enabled. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser by tricking them into clicking on a specially crafted link. Thanks to Paolo Elia for reporting this.
3.2.12 - 06/Feb/2023
Changes
- SECURITY: Today's 3.2.11 release (free version only - there was no 3.2.11 Premium release) checked nonces incorrectly, opening up the possibility of an attacker tricking an admin into clicking links crafted to perform unauthorised actions on the WP-Optimize configuration on his site.
3.2.11 - 06/Feb/2023
Changes
- Fix: Empty query string updates cache
- Fix: Cache - Purge cache after string translation update in WPML
- Fix: Cache - Preload stuck and fails to complete
- Fix: Prevent PHP warning when `.htaccess` files don't have write permission
- Fix: Premium – Fixed compatibility issue with WP Hide plugin
- Fix: Minify - Less than 20KB stylesheets loading order
- Tweak: Add cron event only if clear backup images is enabled
- Tweak: Cache - Use WordPress GMT offset for cache comment
- Tweak: Only allow image types that can be compressed
- Tweak: Cached page is not served for sites that have own directory for WordPress files