iThemes Security 4.0.18

iThemes Security was updated to version 4.0.18, from version 4.0.12. Changelogs:


  • Make sure unset admin user field remains if the other setting has been fixed
  • Removed admin user from settings table of contents
  • Make sure array input is trimmed in file change module
  • Correct input type on file change settings sanitization
  • Use full URL on file change warning redirect to prevent invalid target
  • Reduce erroneous hide backend change warnings
  • When accessing htaccess or wpconfig make sure opening settings changes are 664 instead of 644 to reduce issues
  • Update’s Agents blacklist
  • Make sure global settings save button matches others
  • Fixed link in locout email
  • Email address settings retain end of line
  • Sanitize email addresses on save and not just use
  • Make sure whitelist is actually an array before trying to process
  • Make sure rewrite rules show on dashboard when file writing isnt allowed
  • Added extra information to dashboard server information to help troubleshooting


  • Fixed bug preventing file change scanning from advancing when chunked
  • Don’t autoload file list on non-multisite installations
  • Make sure away mode settings transfer from 3.x or disable away mode
  • Better descriptions on save buttons
  • Admin use “Fix it” Correctly goes to advanced page


  • Execute permanent ban on the correct lockout count, not the next one
  • Updated quick ban rules to match standard ban rules (will work with proxy)
  • Fixed an NGINX rule that didn’t actually block XMLRPC.php
  • Updated rule order on ban users
  • Fixed a bug that could prevent away from from turning off in certain time configurations (this resulted in the return to homepage on login)
  • Updated some function doc