full change log for this version on link
https://wpsecurityninja.com/changelog/
* FIX: 2FA login redirect – After completing 2FA, users (including admins) are now redirected to the dashboard or requested URL instead of the front page. Redirect logic now matches WordPress core: uses wp_validate_redirect() and the login_redirect filter.
* FIX: 404 Guard – IPs whose monitoring window has expired are no longer shown in "Being Monitored". Expired count transients are excluded from the list and deleted to avoid DB bloat, so stale entries no longer appear.
* IMPROVED: 404 Guard – First 404 from an IP is no longer logged; logging starts from the 2nd 404 onward to reduce log noise. Approaching-threshold, final-warning, and block events are unchanged.
* IMPROVED: Visitor Log – Country flag is now shown next to the IP when country is known, matching Event Log behavior. A geolocation fallback is used for older entries where country was not stored.
* FIX: Visitor Log – Fixed undefined variable ($allowed_html) when formatting log row details (wp_kses).
* NEW: MainWP – Remote "force create database tables" action for incomplete installations.
* FIX: Resolved fatal error when Security Ninja and AR for WooCommerce (or other plugins using chillerlan/php-settings-container) were active together; our copy is now loaded early and aliased in admin to prevent duplicate class declaration.
* FIX: Secure cookies fix now writes ini_set lines before any closing PHP tag in wp-config.php, preventing "headers already sent" and cookie/login issues. Thanks to Olga for the detailed report that made this fix possible.
* NEW: Core Scanner – You can now open a printable report when the scan finds issues. Use "Print / Download report" to open the report in a new window and print or save as PDF for your records or support.
* IMPROVED: Core Scanner – The report button is always visible; when no issues are detected it shows a short notice so you know the option is available after the next scan with findings.
* IMPROVED: Core Scanner – Original WordPress core files are cached for one day when restoring or comparing, so repeat operations are faster and put less load on external servers.
* IMPROVED: Core Scanner – "View differences" now opens in the same unified File Viewer layout as "View File", with consistent styling, file metadata, and shared security validation instead of a separate standalone page.
* FIX: Firewall enable modal – "Send email" (activate and send unblock link) now works. The unblock-email AJAX action was not registered and the handler expected the email in GET; the action is now registered and all unblock-email requests use POST only.
* TECH: All internal script and style references now use non-minified JS and CSS only; minified copies have been removed to simplify the codebase.
* FIX: Fixed PHP 8.1 deprecation notice "Implicit conversion from float to int loses precision" in Cloud Firewall IPv6 CIDR matching. Thanks to Lesford for the report.
* NEW: Added compatibility with temporary login plugins ("Temporary Login Without Password", "One Time Login", "Magic Login", "Login Links"). Temporary login links are now automatically whitelisted from suspicious query detection when the corresponding plugin is active. Detection is logged for audit purposes. Other plugins can extend this compatibility using the `securityninja_temporary_login_params` and `securityninja_is_temporary_login_link` filters - more info on website.
* FIX: Fixed fatal error "Object of class WP_Error could not be converted to string" in Overview tab when displaying event details containing WP_Error objects. The code now properly checks for WP_Error objects before passing them to esc_html() and displays the error message instead.
* FIX: Fixed fatal error preventing WooCommerce logins via public forms when SN_Geolocation class was not loaded. Code now checks for class existence before use.
* IMPROVED: Litespeed servers - Added documentation and in-app notices for all security headers (CSP, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, Permissions-Policy). LiteSpeed users can add headers directly to .htaccess using the examples in each test description. Thank you Tom for the feedback.
* FIX: Events Logger, Overview, and Visitor Log – Country flags now correctly show the event/visitor IP's country instead of the logged-in admin's IP when the site is behind Cloudflare or similar proxies.
* Improved: Core Scanner - Interface loads faster with tabs lazy-loading content in different tabs.
* IMPROVED: Firewall – When "Block IP Network" is enabled, known social and link-preview crawlers (e.g. Facebook, LinkedIn, Twitter) are no longer blocked by default. Link previews when you share your site on social networks now work without having to whitelist IPs.
full change log for this version on link https://wpsecurityninja.com/changelog/
* FIX: Fixed wpdb:😛repare() error during plugin uninstallation when dropping database tables.
* FIX: Vulnerability scanner no longer blocks wp-admin after deactivating and reactivating the plugin. If the vulnerability data files are missing or unreadable (e.g. after reactivation or server changes), the plugin now recovers automatically: it shows the vulnerability count as zero until the data is restored in the background, and the dashboard continues to load normally.
* IMPROVED: Vulnerability module now recreates and re-downloads its data files when they are missing, so you no longer need to reinstall the plugin to fix a "JSONL file not readable" error.
* FIX: Hardened vulnerability JSONL file handling: guard fclose() on stream and catch all errors when counting records, so missing or unreadable files never cause a fatal in wp-admin.
* FIX: Login Protection - "Failed login warnings" toggle now correctly saves when disabled (was reverting to enabled because unchecked checkbox is omitted from form POST).
* FIX: 2FA – Disabling 2FA in settings now persists correctly; toggle uses a hidden input so unchecked state is saved.
full change log for this version on link
https://wpsecurityninja.com/changelog/
* Fixed: 2FA - Changed key name format from "site_url (username):email" to "site_url:username" - Thank you Davina.
* Fixed: Compatibility warning with WordPress 6.7 regarding translation loading timing
* Fixed: Server security restriction warning when checking wp-config.php file location
* Fixed: Fixed critical bug where database prefix changer added an extra underscore when updating wp-config.php, causing WordPress to look for non-existent tables with double underscores (e.g., wp_12345__posts instead of wp_12345_posts). Thank you Tchai.
* Fixed: Database prefix changer to properly update option names and meta keys when changing from custom prefixes (not just "wp_").
* IMPROVED: Database prefix changer now works with any prefix, not just the default "wp_". Can now rename tables when changing from one custom prefix to another. All plugin tables are automatically included in the renaming process.
* NEW: Failed login email warnings - administrators receive email notifications when someone attempts to log in with their username and fails. Can be enabled in Login Form Protection settings.
* NEW: Admin IPs are automatically whitelisted on plugin activation and successful admin login to prevent administrators from being blocked. Thank you Val.
* FIX: Fixed country blocking to respect "only block backend" setting when enabled. Thank you Guru for the tip.
* IMPROVED: Secret access URL processing has been moved up in the request cycle to make sure IP whitelisting happens before any ban checks, so blocked visitors should be able to get back on the site more reliably.
* IMPROVED: wp-config.php backups are stored in encrypted format (AES-256-CBC) to ensure data security. Each backup uses a unique encryption key and initialization vector. This was introduced in a previous release, but was not added to the changelog.
* Update 3rd party libraries - Freemius SDK 2.13.0 among others.