GD Security Toolbox Pro 2.0 is a major update to the plugin with several new addons included (total of 14 now), huge changes to some parts of the plugin, many more new features, updates and fixes.
This is a huge release that brings many new features and makes major changes to some of the existing features. The plugin celebrates its third birthday today.
Security Headers
This version brings major changes to the handling of HTTP security headers. Previous versions had two sets of settings: in Tweaks and in “.HTACCESS”. Now, we have two new addons: X-XSS Protection and Security Headers. As the name says, the X-XSS header is moved to its own addon with the added Report element and the reports panel (GD Security Toolbox Pro can now gather reports sent from browsers when an attempted XSS attack was prevented on the client side), and all other headers are moved to the Security Headers addon. Both addons have the option to enable “.HTACCESS” integration; if that is disabled, the headers are added to each page as it is built.
The CSP (Content Security Policy) addon has been updated, and a new panel of CSP reports is added. Both CSP and XSS header reports are stored in their own database tables (both added in this plugin version). This makes analysis of the reports easier and keeps them separate from the Events Log. CSP extras include support for Google Translate.
Malware Scanner
The plugin has a major new addon: Malware Scanner. This scanner uses plain text patterns and regular expressions to scan all PHP files on the website to find potential malware. I say potential because when you deal with patterns, false positives are always a possibility, so make sure to inspect files that are marked as malware. The plugin can’t clean up the malware, because that is not an easy task, and it would require manual changes to the website: reinstallation of WordPress, and reinstallation of plugins and/or themes where malware is found.
The plugin includes plain text files with the patterns and regular expressions used for scanning. These files can trigger false positive detections from antivirus software. If you are testing the plugin on a local machine, make sure to add these files to the antivirus exceptions.
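The following is an added example, not the plugin's code or its pattern files: a small plain-text-plus-regex scan of the kind described above, run over constructed sample files. The signatures, file paths and file contents are all assumptions made for illustration; the second sample only stores a signature as a string, yet it is flagged like the first, which is why flagged files need manual inspection.

```python
import re

# Constructed signatures for illustration only (not the plugin's pattern files).
PLAIN_PATTERNS = ["eval(base64_decode(", "eval(gzinflate("]
REGEX_PATTERNS = [
    # eval()/assert() called directly on request data
    re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
]

# Constructed sample files: path -> PHP source.
SAMPLE_FILES = {
    # Decodes and executes request data: a true positive.
    "wp-content/uploads/cache.php":
        "<?php\n$p = $_POST['d'];\neval(base64_decode($p));\n",
    # Only stores the signature as a string to filter input: a false positive.
    "wp-content/plugins/example-filter/rules.php":
        "<?php\n// Reject input containing this string:\n"
        "$blocked = 'eval(base64_decode(';\n",
    # Ordinary theme code: no match expected.
    "wp-content/themes/example/functions.php":
        "<?php\nadd_action('init', 'example_setup');\n",
}

def scan_source(source):
    """Return (line_number, signature) pairs for every pattern hit in one file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        for pattern in PLAIN_PATTERNS:
            if pattern in lowered:  # case-insensitive substring match
                hits.append((lineno, pattern))
        for regex in REGEX_PATTERNS:
            if regex.search(line):
                hits.append((lineno, regex.pattern))
    return hits

def scan_files(files):
    """Scan every .php entry; return path -> hits for flagged files only."""
    flagged = {}
    for path, source in files.items():
        if path.endswith(".php"):
            hits = scan_source(source)
            if hits:
                flagged[path] = hits
    return flagged

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, signature in hits:
            print(f"{path}:{lineno}: matches {signature!r} (inspect manually)")
```

A pattern match says only that the text is present in the file, not that it is executed, so both flagged files look identical in the results until someone reads them.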
Other Updates and Fixes
One important update is added to Integrity Scanner: it now uses the WordPress.org endpoint to get the hashes for all the WordPress.org plugins. Hashes for Dev4Press Pro plugins and WordPress.org themes still come from the Dev4Press API endpoint. The plugin has a new dashboard with an overview of the events, reports and banned IPs, with quick access links to various plugin panels and settings.
Logs cleanup tools are improved and expanded to clean the new reports database tables. There are a lot of changes in the plugin core and several bugs are fixed and overall.
If you notice any problems with the plugin, stop by the support forums to report them. Let me know what you think about the new version, and as always, suggestions are welcome.