* Fixed: An issue where TOTP codes starting with a 0 were not properly recognized.
* Fixed: Prevent using "Do Not Ask Again" for user roles where 2FA is required.
* Changed: Various improvements to authentication flow.
* Fixed: Resolved an issue where “Prevent login feedback” could show a ghost username on the login retry screen.
* Fixed: Prevented “Failed to send buffer of zlib output compression” notices when using the Mixed Content Fixer with zlib.output_compression enabled.
* Fixed: scenario where users were stuck after an expired 2FA grace period due to missing authentication methods.
* Fixed: Support for `wss://` URLs in CSP `connect-src`.
* Fixed: MemberPress login compatibility with Limit Login Attempts.
* Changed: event logging by generating messages dynamically instead of storing translated text.
* Changed: Email 2FA user experience by making Enter submit the verification code instead of resending it.
* Changed: Simplified service bootstrapping by removing the Provider layer and registering all services directly in the App container.
* Fixed: compromised password check compatibility with Thrive Architect
* Fixed: fatal error on multisite subsite profile pages with passkeys enabled
* Fixed: user role demotion issue on multisite
* Fixed: passkey settings appearing twice on profile page
* Fixed: 2FA users list not displaying all users
* Fixed: Cloudflare cache not clearing after SSL activation
* Fixed: passkey strings not translatable
* Fixed: uploads .htaccess using incorrect Apache syntax for some versions
* Changed: deferred header detection on activation to prevent timeouts
* Changed: improved deactivation process
* Changed: more robust firewall code generation
* Fixed: JavaScript error when using custom roles with 2FA
* Fixed: fatal error caused by hosts class being instantiated twice
* Fixed: Limit Login Attempts now blocks both username and email address
* Fixed: fatal error when upgrading from older plugin versions
* Fixed: security headers set outside the plugin now correctly appear disabled
* Fixed: text domain loaded too early warning when logging in with blocked username
* Fixed: reinstated reset_2fa [id] WP-CLI command
* Fixed: WP-CLI activate_ssl command now works correctly on first attempt
* Changed: removed two unused files from the plugin
* Changed: improved feedback when logging in with a passkey
* Changed: updated readme to align with standards
* Fix: an edge case where authentication validation could behave unexpectedly.
* Fix: an issue where an undefined array key 0 could occur on the login page if a user had 2FA enabled but no WordPress user roles
* Fix: prevent a potential fatal error by returning early when an empty wp-config.php path is detected
* Improvement: added the LOCK_EX flag to file_put_contents() operations for .htaccess and wp-config.php to prevent race conditions
* Improvement: the Limit Login Attempts lockout period now respects the original block duration and is no longer extended when logging in during the blocked period
* Improvement: when passkeys are enabled, logging in with a username/password now automatically triggers the correct passkey prompt
* Improvement: updated the .htaccess "No index" comment to a clearer "Disable directory indexing" comment
* Improvement: replaced site_url() with home_url() in the 404 resource check on the homepage
* Improvement: added additional checks to prevent certain functions from running during cron jobs and in cli environments
* Improvement: the final step of the Let’s Encrypt wizard now only displays an Activate SSL button instead of the entire onboarding
* Improvement: added a license.txt file
* Fix: Added a fix for WP_CLI commands
* Fix: blocking a username now blocks both lower- and uppercase variants
* Fix: readme now displays correctly in WordPress updates screen
* Fix: added a fallback for when an empty get_user_totp_key was empty
* Fix: removed an unused translation that could cause a textdomain loaded to early warning
* Fix: prevent an error when an IP address is undefined
* Fix: empty sections are now correctly cleared from the firewall
* Fix: deactivation modal now always displays
* Improvement: added a notice when using a custom login URL with plain permalinks
* Improvement: added a check if WPFC_SERVE_ONLY_VIA_CACHE is already defined before defining it
* Improvement: updated the mixed content notice text
* Improvement: refactored the onboarding code
* Fix: the 2FA reset fix now correctly calls the 2FA reset service