* Fix: an issue where an undefined array key 0 could occur on the login page if a user had 2FA enabled but no WordPress user roles
* Fix: prevent a potential fatal error by returning early when an empty wp-config.php path is detected
* Improvement: added the LOCK_EX flag to file_put_contents() operations for .htaccess and wp-config.php to prevent race conditions
* Improvement: the Limit Login Attempts lockout period now respects the original block duration and is no longer extended when logging in during the blocked period
* Improvement: when passkeys are enabled, logging in with a username/password now automatically triggers the correct passkey prompt
* Improvement: updated the .htaccess "No index" comment to a clearer "Disable directory indexing" comment
* Improvement: replaced site_url() with home_url() in the 404 resource check on the homepage
* Improvement: added additional checks to prevent certain functions from running during cron jobs and in CLI environments
* Improvement: the final step of the Let’s Encrypt wizard now only displays an Activate SSL button instead of the entire onboarding
* Improvement: added a license.txt file
* Fix: blocking a username now blocks both lower- and uppercase variants
* Fix: readme now displays correctly in the WordPress updates screen
* Fix: added a fallback for when get_user_totp_key was empty
* Fix: removed an unused translation that could cause a "textdomain loaded too early" warning
* Fix: prevent an error when an IP address is undefined
* Fix: empty sections are now correctly cleared from the firewall
* Fix: deactivation modal now always displays
* Improvement: added a notice when using a custom login URL with plain permalinks
* Improvement: added a check if WPFC_SERVE_ONLY_VIA_CACHE is already defined before defining it
* Improvement: updated the mixed content notice text
* Improvement: refactored the onboarding code
* Fix: a TypeError in the 2FA query builder that could occur when updating from older plugin versions
* Fix: all users will now appear in the 2FA list
* Fix: paths for advanced-headers.php and firewall config are now correctly updated during site migration
* Fix: PHP 8.4 deprecation notices
* Fix: tasks will now always display on multisite
* Fix: skip/don't ask again is now hidden for users who already configured passkeys
* Improvement: the activate_ssl WP-CLI command can now be run with the --force argument to skip confirmation
* Improvement: passkeys can now be used as a stand-alone feature
* Improvement: standardized REST namespaces to really-simple-security
* Fix: activating the Pro and Multisite plugins at the same time will no longer throw a fatal error
* Fix: added a check for the getmyuid function to prevent errors in case this function was missing
* Fix: Right-To-Left CSS now works correctly when SCRIPT_DEBUG is enabled
* Fix: prevented .htaccess from being overwritten with an empty file; auto-creation now requires explicit filter opt-in
* Fix: removed unnecessary call to install() in firewall constructor
* Fix: header_length_ok() now uses options instead of transients for caching
* Fix: user agent and 404 detection are now excluded on cron requests
* Fix: added a check to prevent a TypeError when generating .htaccess rules