Security: Don't disclose the login URL when using Hide Backend on a site with comments enabled and comment registration required. Thanks to Naveen Muthusamy for disclosing this issue.
Hardening: Check for the promote_user capability when using Privilege Escalation in addition to edit_user.
Tweak: Remove the "iThemes Security is now Solid Security" banner from admin-facing email notifications.
Bug Fix: Prevent the User Security page from crashing when "Show Avatars" is disabled in the WordPress discussion settings.
Bug Fix: Fix some filters on the User Security page not working as expected.
Bug Fix: Fix spacing on the Two-Factor form when backup methods are enabled.
Update: The lib/updater library has been updated to 1.8.1.
Enhancement: Add a `wp ithemes-licensing set-licensed-url` WP-CLI command.
Bug Fix: Fix fatal error when there is an error retrieving Patchstack license information.
Bug Fix: Styling issues on WordPress 6.4.
Enhancement: Add pagination to the Firewall logs table.
Tweak: Various UI improvements.
Bug Fix: On sites with no logo, a broken image appeared in some emails.
Bug Fix: In some email clients, the Solid Security logo would stretch too wide.
News: iThemes Security is becoming Solid Security soon. Learn More: https://go.solidwp.com/security-wpadmin-ithemes-becoming-solidwp
Bug Fix: Username First login compatibility with WordPress 6.3.
Tweak: Start enabling encryption for existing iThemes Security sites. Read more: https://ithemes.com/?p=84653
Bug Fix: Fall back to the homepage when Enforce SSL encounters a non-safelisted redirect destination.
Bug Fix: IP Detection on sites behind Load Balancers that appended their IP address to X-Forwarded-For and did not provide a Real IP header.
Security Hardening: Prevent open redirect attacks against the Enforce SSL module. This attack requires spoofing the Host header, which requires additional conditions to exploit. Thanks to nlpro for reporting the issue.
New Feature: Add support for Cloudflare Turnstile and hCaptcha. Learn More: https://ithemes.com/?p=82867
Enhancement: Add support for logging in with Discoverable Passkeys.
Bug Fix: Update Password Strength library to the latest version. This fixes discrepancies between the realtime password strength estimation and the enforced password strength.
Bug Fix: Upgrade the iThemes Updater to 1.7.2 to fix PHP 8 issues.
Note: Remove Grade Report.
Tweak: Add "All" tab to the Features page.
Tweak: Don't show Passkeys onboarding flow during front-end Passwordless Login attempts.
Bug Fix: Properly render the Passwordless Login block when not using a Full Site Editing theme.
Bug Fix: Prevent a redirect loop when logging in on sites that take more than 5 seconds to load the Dashboard.
New: Passwordless Login can now be set up from the frontend of your website. Use the new iThemes Security block in the Block Editor or the `[itsec_passwordless_login_settings]` shortcode.
Tweak: Don't show "Ban" buttons in Security Dashboard if the user won't be able to create a ban.
Bug Fix: Prevent Headers Already Sent warning when a lockout occurs during a WP Cron request on some server setups.
Bug Fix: Manually load Sodium Polyfill for servers that have an older version of libsodium installed.
Bug Fix: Error when saving the File Change settings when the "notify_admin" setting was set.