AIOS 5.0 is the first major release of ‘All-in-One Security’ since the popular WordPress plugin was acquired by UpdraftPlus in August 2021.

Joe Miles, Director at UpdraftPlus said:

“We’re thrilled to build on the good work already done with All-In-One Security (AIOS), the only five-star rated WordPress security plugin with more than 1 million active installs. Release 5.0 brings significant new features, tweaks and fixes to our loyal customer base.”

AIOS 5.0 includes the launch of a new PHP firewall. 

Previous versions used .htaccess files to provide firewall rules. Because the new firewall runs in PHP, this release extends AIOS server compatibility beyond Apache-based servers.

AIOS 5.0 also adds Two-Factor Authentication (TFA). TFA supports the TOTP and HOTP protocols, so it works with Google Authenticator, Authy and various other authentication tools.

The UpdraftPlus team is also working on an AIOS Premium product, which will bring active scanning for downtime and malware as well as response time monitoring, advanced two-factor authentication, country blocking, smart 404 blocking and premium support at a competitive price point.

Looking to install the all-new AIOS? Visit: https://en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall/

The full change log for AIOS 5.0 is included below:

  • FEATURE: Two-Factor Authentication (TFA) functionality & related settings.
  • FEATURE: Set up a mechanism to load the firewall PHP file early.
  • FEATURE: PHP firewall rule engine.
  • FEATURE: Add WHOIS lookup functionality.
  • FEATURE: Implement 6G firewall rules in the new PHP-based firewall.
  • FEATURE: Disable WordPress application passwords.
  • FEATURE: Remove the plugin’s tables and options when uninstalling the plugin according to configuration settings.
  • FEATURE: Trash spam comments after n number of days as per configuration set in Admin Dashboard > WP Security > SPAM Prevention > the “Comment SPAM” tab > the “Comment Processing” section > the “Trash Comments After” settings.
  • FEATURE: Brute force Cookie-based Firewall Protection based on the PHP code instead of htaccess rules so that it also works with Nginx, IIS, etc. servers.
  • FEATURE: Allow multiple email addresses for the User Login > Notify By Email setting.
  • FEATURE: IPv6 range support in CIDR Format enabled.
  • FIX: The WooCommerce customer was redirected to the wp-login page after payment with an external payment gateway if forced logout was configured after a specific number of minutes.
  • FIX: If the WordPress language was set to something other than English, then auto-update core, plugin, and theme emails were sent in English instead of the configured language.
  • FIX: Database error for multisite when creating a new site solved.
  • FIX: Captcha options should not be autoloaded.
  • FIX: Database error for multisite cronjob column name.
  • FIX: The plugin clogs up the database with lots of rows. Delete old data after 90 days.
  • FIX: Rename Login issue with wp plugin list command solved.
  • FIX: Rename Login breaks logout functionality if WP_HOME is set to a different URL than the WordPress core files URL.
  • FIX: PHP Fatal error:  Uncaught Error: Class ‘AIOWPSecurity_Admin_Init’ not found in html/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php:366.
  • FIX: The Spam comment blocked IP address remains blocked even after spammed comments are approved.
  • FIX: Admin Dashboard > WP Security > Security Points Breakdown Section piechart tooltips flickering.
  • FIX: The “Time Length of 404 Lockout” option doesn’t do anything.
  • FIX: Search did not work for the 404 Event Logs list table.
  • FIX: Search did not work for Failed Logins list table.
  • FIX: Search did not work for the Account Activity list table.
  • FIX: Bulk deletions did not work for the Account Activity list table.
  • FIX: Warning when bots make malformed requests.
  • FIX: When the user had pressed the bottom bulk action button of the list table, the bulk action was confirmed by two confirm alerts.
  • FIX: Unblock link in 404 Event Logs list table redirected to wrong tab.
  • FIX: Temp Block, Blacklist IP and Delete links in 404 Event Logs list table didn’t work.
  • FIX: Rename login page and Cookie based brute force login prevention configurations didn’t work simultaneously.
  • FIX: Fatal error when activating using older PHP versions.
  • FIX: If auto_prepend_file is already pointed to the firewall bootstrap file from php.ini manually, the bootstrap file tries to include itself.
  • FIX: The custom logo wasn’t displayed on the login lockdown unlock request form.
  • TWEAK: Allow taking database backups via the UpdraftPlus backup plugin.
  • TWEAK: Make lockout reasons more specific.
  • TWEAK: Update notice class.
  • TWEAK: If the user has not performed the cookie test, the brute force attack prevention configuration fields remain disabled in the Admin Dashboard > WP Security > Brute Force > Cookie Based Brute Force Prevention.
  • TWEAK: Display locked IP addresses lockout date and release date in WordPress settings format.
  • TWEAK: Improve success or messages when performing bulk actions on the table list.
  • TWEAK: 404 events date is displayed in WordPress settings format.
  • TWEAK: Account activity login date and logout date are displayed in WordPress settings format.
  • TWEAK: Add a label for each setting field.
  • TWEAK: JQMIGRATE: jQuery.fn.click() event shorthand is deprecated.
  • TWEAK: Fix typos at Admin Dashboard > WP Security > Firewall > Basic Firewall Rules > Block Access to Debug Log File. 
