CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file, per the Keep a Changelog standard. Moving forward, this project will (more strictly) adhere to Semantic Versioning.

Unreleased - TBD

7.6.1 - 2025-10-29

Fixed

• Ensure field data is set properly before we use it. Resolves a fatal error with Elementor (props @ktorktor, Vishal Patel, fatjester, @dkotter, @peterwilsoncc via #371).

7.6.0 - 2025-10-27

Added

• New setting allowing you to hide the WordPress admin bar on the frontend for specific user roles (props @sanketio, @fabiankaegy, @jeffpaul, @dkotter via #362).
• New RSA_NETWORK_MODE constant to define default setting for network mode for multisite (props @sanketio, @claytoncollie, @dkotter via #363).
• More details on how caching may impact the plugin (props @peterwilsoncc, @jakemgold, @jeffpaul, @dkotter via GHSA-jfqv-gvp2-qq5f).

Fixed

• Ensure IP addresses can be saved properly at the network level (props @dkotter, @peterwilsoncc via #367).

Security

• Prevent caching of page content when using an IP allow list (props @peterwilsoncc, @fabiankaegy, @joemcgill, @jakemgold, @jeffpaul, @dkotter via GHSA-jfqv-gvp2-qq5f).
• Bump cross-spawn from 7.0.3 to 7.0.6, @wordpress/scripts from 29.0.0 to 30.16.0 and http-proxy-middleware from 2.0.6 to 2.0.9 (props @dependabot, @iamdharmesh via #355).
• Bump tar-fs from 3.0.8 to 3.0.9 (props @dependabot, @faisal-alvi via #359).
• Bump brace-expansion from 1.1.11 to 1.1.12, on-headers from 1.0.2 to 1.1.0 and compression from 1.7.4 to 1.8.1 (props @dependabot, @iamdharmesh via #361).

Developer

• Update screenshots to reflect current state of plugin (props @iamdharmesh, @rickalee, @jeffpaul via #358).
• Ensure all our GitHub Actions workflow files have proper permissions (props @jeffpaul, @dkotter via #360).
• Fix issue with attaching release assets during release deploy action (props @jeffpaul, @dkotter via #364).

7.5.3 - 2025-05-19

Note that this version bumps the WordPress minimum supported version from 6.5 to 6.6.

Changed

• Bump WordPress "tested up to" version 6.8 (props @kmgalanakis, @jeffpaul, @dkotter via #349, #352).
• Bump WordPress minimum from 6.5 to 6.6 (props @jeffpaul via #351, #352).

Fixed

• PHP Notice that the function _load_textdomain_just_in_time was called incorrectly (props @kmgalanakis, @dkotter via #350).

Security

• Bump axios from 1.7.4 to 1.8.3 (props @dependabot, @iamdharmesh via #346).

Developer

• Update the number of tags in our readme (props @jeffpaul via #353).
• Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props @jeffpaul, @dkotter via #347).

7.5.2 - 2025-02-05

Note that this version bumps the WordPress minimum supported version from 6.4 to 6.5.

Changed

• Bump WordPress "tested up to" version 6.7 (props @sudip-md, @jeffpaul, @mehidi258 via #335, #336).
• Bump WordPress minimum from 6.4 to 6.5 (props @sudip-md, @jeffpaul, @mehidi258 via #335, #336).

Fixed

• Add missing textdomain to a few strings (props @NekoJonez, @dkotter via #338).

Security

• Bump axios from 1.6.7 to 1.7.4 (props @dependabot, @faisal-alvi via #326).
• Bump webpack from 5.90.0 to 5.94.0 (props @dependabot, @faisal-alvi via #327).
• Bump ws from 7.5.10 to 8.18.0 and @wordpress/scripts from 27.1.0 to 29.0.0 (props @dependabot, @faisal-alvi via #328).
• Bump express from 4.19.2 to 4.21.2, send from 0.18.0 to 0.19.0 and serve-static from 1.15.0 to 1.16.2 (props @dependabot, @peterwilsoncc via #340).
• Bump @wordpress/e2e-test-utils-playwright from 1.7.0 to 1.16.0, nanoid from 3.3.7 to 3.3.8, mocha from 10.2.0 to 11.0.1 and removes cookie (props @dependabot, @peterwilsoncc via #341).

Developer

• Support for the WordPress.org plugin preview (props @Sidsector9, @jeffpaul, @dkotter via #330).
• Fix typo in the changelog URL (props @chandrapatel, @jeffpaul via #333).
• Disable linting on external libraries (props @Sidsector9, @dkotter via #323).
• Add plugin banner image to README and update badges (props @jeffpaul, @dkotter via #329, #332).

7.5.1 - 2024-07-09

Note that this version bumps the WordPress minimum supported version from 5.7 to 6.4.

Changed

• Bump WordPress "tested up to" version 6.6 (props @sudip-md, @jeffpaul, @dkotter via #313, #318).
• Bump WordPress minimum from 5.7 to 6.4 (props @sudip-md, @jeffpaul, @dkotter via #313, #318).

Security

• Bump tj-actions/changed-files from 32 to 41 (props @dependabot, @iamdharmesh via #297).
• Bump express from 4.18.2 to 4.19.2 (props @dependabot, @Sidsector9 via #312).
• Bump follow-redirects from 1.15.5 to 1.15.6 (props @dependabot, @Sidsector9 via #312).
• Bump webpack-dev-middleware from 5.3.3 to 5.3.4 (props @dependabot, @Sidsector9 via #312).
• Bump braces from 3.0.2 to 3.0.3 (props @dependabot, @iamdharmesh via #319).
• Bump pac-resolver from 7.0.0 to 7.0.1 (props @dependabot, @iamdharmesh via #319).
• Bump socks from 2.7.1 to 2.8.3 (props @dependabot, @iamdharmesh via #319).
• Bump ws from 7.5.9 to 7.5.10 (props @dependabot, @iamdharmesh via #319).

Developer

• Clean up NPM dependencies and update node to v20 (props @Sidsector9, @dkotter via #303).
• Update CODEOWNERS (props @jeffpaul, @dkotter via #300).
• Disabled auto sync pull requests with target branch (props @iamdharmesh, @jeffpaul via #307).
• Upgrade download-artifact from v3 to v4 (props @iamdharmesh, @jeffpaul via #309).
• Replaced lee-dohm/no-response with actions/stale to help with closing no-response/stale issues (props @jeffpaul, @dkotter via #310).
• Added a "Testing" section in the CONTRIBUTING.md file (props @kmgalanakis, @jeffpaul via #314).
• Removed ip dependency (props @dependabot, @Sidsector9, @iamdharmesh via #312, #319).

7.5.0 - 2023-12-14

Note: this release changes the default behavior for new installs in regards to IP detection. This shouldn't impact existing installs but there are two filters that can be used to change this behavior. See the readme for full details.

Fixed

• Update code snippet in the readme (props @dkotter, @jeffpaul via #291).

Security

• For new installs, ensure we only trust the REMOTE_ADDR HTTP header by default. Existing installs will still utilize the old list of approved headers but can modify this (and are recommended to) by using the rsa_trusted_headers filter (props @dkotter, @peterwilsoncc, @dustinrue, @mikhail-net, Darius Sveikauskas via #290).
• Bump axios from 0.25.0 to 1.6.2 and @wordpress/scripts from 23.7.2 to 26.19.0 (props @dependabot, @dkotter via #293).

7.4.1 - 2023-11-14

Added

• GitHub Action summary report for Cypress end-to-end tests (props @jayedul, @Sidsector9 via #258).
• Restricted_Site_Access::append_ips() method to add IP addresses programatically (props @Sidsector9, @faisal-alvi via #267).
• Repository Automator GitHub Action (props @iamdharmesh, @Sidsector9 via #273).

Changed

• Bumped WordPress "tested up to" version 6.4 (props @kirtangajjar, @Sidsector9, @qasumitbagthariya, @jeffpaul via #271, #288).
• WordPress compatibility validation library namespace (props @Sidsector9, @dkotter via #278).
• Documentation to clarify what the restricted site access & discourage search engine options do (props @lkraav, @jeffpaul, @helen, @dinhtungdu, @bmarshall511, @Sidsector9 via #262).
• Updates the Dependency Review GitHub Action to check for GPL-compatible licenses (props @jeffpaul, @Sidsector9 via #261).

Fixed

• Issue with autovivification (props @mae829, @Sidsector9 via #281, @turtlepod via #281).

Security

• Add PHP environment compatibility checker (props @vikrampm1, @Sidsector9 via #268).
• Bump word-wrap from 1.2.3 to 1.2.4 (props @Sidsector9 via #266).
• Bump semver from 5.7.1 to 5.7.2 (props @Sidsector9 via #264).
• Bump tough-cookie from 4.1.2 to 4.1.3 (props @Sidsector9 via #270).
• Bump @cypress/request from 2.88.10 to 2.88.12 (props @Sidsector9 via #270).
• Bump postcss from 8.4.18 to 8.4.31 (props @Sidsector9 via #279).
• Bump @babel/traverse from 7.20.0 to 7.23.2 (props @Sidsector9 via #279).
• Bump Cypress version from 10.3.0 to 13.2.0 (props @iamdharmesh, @Sidsector9 via #276).
• Bump @10up/cypress-wp-utils version to 0.2.0 (props @iamdharmesh, @Sidsector9 via #276).
• Bump @wordpress/env version from 5.4.0 to 8.7.0 (props @iamdharmesh, @Sidsector9 via #276).
• Bump @babel/traverse from 7.20.0 to 7.23.2 (props @dependabot, @Sidsector9 via #282).

7.4.0 - 2023-04-18

Added

• Support for application passwords (props @kirtangajjar, @peterwilsoncc, @Sidsector9 via #247).
• Support for custom header based allow-listing (props @mikelking, @ravinderk, @dkotter, @jeffpaul via #242).

Changed

• Support Level from Active to Stable (props @jeffpaul, @Sidsector9 via #244).
• Bump WordPress "tested up to" version 6.2 (props @jayedul, @Sidsector9 via 251).
• Improve Github actions workflow (props @Sidsector9, @dkotter via #227, #253).

Fixed

• Plugin settings header UX (props @barryceelen, @Sidsector9 via #236).
• Issue that caused redirect loop (props @mikegibbons4, @Sidsector9, @cadic, @peterwilsoncc) via #221.

Security

• Run E2E tests on the final ZIP build (props @iamdharmesh, @jayedul via #249).
• Bump json5 from 1.0.1 to 1.0.2 (props @Sidsector9 via #241).
• Bump simple-git from 3.15.0 to 3.16.0 (props @Sidsector9 via #243).
• Bump http-cache-semantics from 4.1.0 to 4.1.1 (props @Sidsector9 via #245).
• Bump @sideway/formula from 3.0.0 to 3.0.1 (props @Sidsector9 via #246).
• Bump webpack from 5.74.0 to 5.76.1 (props @Sidsector9 via #248).

7.3.5 - 2022-12-14

Added

• Show an admin notice if our autoloader doesn't exist (props @dkotter, @pablojmarti, @shahzaib10up, @peterwilsoncc via #231).

Fixed

• Ensure we load our autoloader from the root of our plugin directory (props @dkotter, @pablojmarti, @shahzaib10up, @peterwilsoncc via #231).

Changed

• Improved performance of our E2E tests (props @Sidsector9, @iamdharmesh via #218).
• Release instructions and release ZIP building via GitHub Action (props @dkotter, @faisal-alvi via #232).

Security

• Bump loader-utils from 2.0.3 to 2.0.4 (props @dependabot via #226).
• Bump simple-git from 3.6.0 to 3.15.0 (props @dependabot via #230).

7.3.4 - 2022-11-01

Fixed

• Fatal error due to missing vendor directory.

7.3.3 - 2022-10-31

Added

• Support for IPv6 addresses (props @jeffpaul, @Sidsector9, @cadic via #217).
• Support for subnet range and pattern formats for IPv4 and IPv6 addresses (props @jeffpaul, @Sidsector9, @cadic via #217).
• WP VIP Coding Standards (props @peterwilsoncc, @faisal-alvi, @eflorea via #212).

Changed

• Improved adding IP user experience via settings (props @ankitguptaindia, @dhanendran, @Sidsector9, @dinhtungdu via #205).
• Replace Grunt with Webpack (props @cadic, @Sidsector9 via #202).

Fixed

• Missing textdomains to translatable strings (props @pedro-mendonca, @Sidsector9 via #214).

7.3.2 - 2022-08-29

Note: this release contains two new filters that we recommend using to further secure your site. See the readme for full details.

Added

• New filter - rsa_get_client_ip_address_filter_flags to modify the range of accepted IP addresses (props @dsXLII, @dinhtungdu, @Sidsector9 via #113).

Changed

• Avoid disjointed plugin settings (props @helen, @peterwilsoncc, @Sidsector9 via #200).
• Bump minimum WordPress version from 5.0 to 5.7 (props @vikrampm1, @Sidsector9, @faisal-alvi via #207).
• Bump minimum PHP version from 5.6 to 7.4 (props @vikrampm1, @Sidsector9, @faisal-alvi via #207).

Security

• New filters - rsa_trusted_proxies and rsa_trusted_headers have been added to help prevent IP spoofing attacks (props @dkotter, @peterwilsoncc, @marcS0H, @DanielRuf, @Sidsector9 via #198).

7.3.1 - 2022-06-30

Added

• PHP8 compatibility check GitHub Action (props @Sidsector9, dkotter via #183).
• Dependency security scanning GitHub Action (props @jeffpaul via #188).

Changed

• Admin settings HTML semantics for easier testing (props @Sidsector9, @faisal-alvi via #193).
• Bump WordPress "tested up to" version 6.0 (props @peterwilsoncc, @faisal-alvi, @cadic, @jeffpaul via #194, #196).
• Documentation, asset, and e2e test updates (props @Sidsector9, @iamdharmesh via #180, #201).

Fixed

• Check netmask range before IP is added (props @Sidsector9, @PypWalters via #178).

Security

• Bump minimist from 1.2.5 to 1.2.6 (props @dependabot via #185).
• Bump grunt from 1.4.1 to 1.5.3 (props @dependabot via #189, #199).
• Bump async from 2.6.3 to 2.6.4 (props @dependabot via #190).

7.3.0 - 2022-02-08

Added

• Ability to add, remove, and set IPs programatically (props @ivankruchkoff, @helen, @paulschreiber via #104).
• Cloudflare IP detection compatibility (props @eightam, @dinhtungdu via #110).
• WP-CLI option to modify and retrieve IP entry labels (props @Sidsector9, @dinhtungdu, @mikelking via #152).
• Acceptance and end-to-end tests (props @dinhtungdu, @helen, @jeffpaul, @Sidsector9, @cadic via #121, #132, #155, #169, #175).
• Issue management automation, JavaScript linting, and PHPUnit testing via GitHub Actions (props @jeffpaul, @Sidsector9, @dinhtungdu, @mitogh via #154, #161, #171, #177).

Changed

• Update WP-CLI code to use new API for add/remove/set IPs (props @paulschreiber, @dinhtungdu via #130).
• Bump WordPress "tested up to" version 5.9 (props @dinhtungdu, @jeffpaul, @ankitguptaindia, @BBerg10up, @sudip-10up via #120, #122, #141, #149).
• Improved Composer configuration and support (props @kopepasah, @dinhtungdu via #128).
• Improved documentation (props @jeffpaul, @dinhtungdu, @helen via #146).
• The default constant WP_TESTS_DOMAIN is replaced by a new constant PHP_UNIT_TESTS_ENV to allow testing correct redirections for restricted users by Cypress end-to-end tests (props @faisal-alvi, @Sidsector9, @dkotter via #159).

Fixed

• Issue with allowed IPs and associated comments being offset (props @adamsilverstein, @helen, @ivankruchkoff via #106).
• Prevents new users from getting WordPress setup email, new user flow in multisite installations now work as expected (props @dinhtungdu, @wkw, @jeffpaul, @ivanlopez via #116).
• Ensure assets are enqueued on correct screen only (props @kopepasah, @dinhtungdu, @paulschreiber, @n8dnx via #123, #131).
• Use correct variable for screen reader text (props @dinhtungdu, @lkraav via #126).
• Set the correct filter option value to site_public if RSA_FORBID_RESTRICTION is defined (props @pabamato, @dinhtungdu via #139).
• Prevent redirect loops when Redirect URL set on the same domain with or without Redirect to same path enabled (props @Sidsector9, @faisal-alvi, @cadic via #158).
• Undefined key "url" warning (props @Sidsector9 via #163).
• Redirect to same path setting screen-reader-text (props @pedro-mendonca via #168).
• No loading of JS admin scripts on the network admin page (props @Sidsector9, @dinhtungdu via #175).

Security

• Bump websocket-extensions from 0.1.3 to 0.1.4 (props @dependabot via #129, #166).
• Bump lodash from 4.17.15 to 4.17.21 (props @dependabot via #133, #145, #165).
• Bump rmccue/requests from 1.7.0 to 1.8.0 (props @dependabot via #143).
• Bump grunt from 1.0.4 to 1.3.0 (props @dependabot via #144).
• Bump path-parse from 1.0.6 to 1.0.7 (props @dependabot via #151).

7.2.0 - 2019-11-27

Added

• Warn and confirm before network disabling the plugin (props @pereirinha, @adamsilverstein via #29).
• WP Acceptance integration tests (props @dkotter, @adamsilverstein via #86).

Fixed

• Ensure comments associated with IPs stay associated correctly (props @adamsilverstein, @ivankruchkoff, @helen via #106).
• Don't show escaped HTML in page caching notice (props @adamsilverstein, @aaemnnosttv via #99).
• Multisite: Avoid a redirect loop when logging in as user with no role (props @JayWood, @adamsilverstein, @roytanck, @helen, @rmccue via #98).

Changed

• GitHub Actions workflow files to YAML format (props @helen via #100).
• Header and icon images (props @jenniferbourn via #91).
• Bump WordPress "tested up to" version (props @adamsilverstein via #84).

7.1.0 - 2019-04-11

Added

• IP whitelist: Add a Comment field next to each IP address to help identify IP addresses added to the whitelist.
• Add constants to force enable/disable restrictions. Set RSA_FORCE_RESTRICTION to true to force restriction or RSA_FORBID_RESTRICTION to disable restriction. RSA_FORCE_RESTRICTION will override RSA_FORBID_RESTRICTION if both are set.
• Unit tests accross plugin. Note that when the WP_TESTS_DOMAIN constant is set, plugin redirects are disabled. Only set this constant when running the tests.
• Deploy plugin from GitHub to WordPress.org using GitHub Actions.
• Various GitHub community files.

Fixed

• Disable individual site settings when network enforced mode is on to avoid confusion about why your settings are not being respected.
• Correctly load admin JS.
• Improve coding standards across plugin and introduce continuous integration linting against the WordPress coding standards. Update code to VIP Go coding standards.

7.0.1 - 2018-09-06

Fixed

• Avoid redirect loop when the unrestricted page is set to be the static front page.
• Fall back to the login screen if the unrestricted page is no longer published.

7.0.0 - 2018-08-30

Added

• WP-CLI support! 🎉 Try wp rsa to get started.
• Whitelist IPs via the RSA_IP_WHITELIST constant.
• Use WordPress.org-provided language packs instead of bundled translations.

Fixed

• Restrict "virtual pages" and allow them to be used as the unrestricted page, such as with BuddyPress.
• Hide settings properly when no published pages exist.
• Avoid double slashes in asset URLs that can lead to 404 errors.

6.2.1 - 2018-05-21

Fixed

• Don't redirect logged-in users viewing the site in a single site install.

6.2.0 - 2018-05-18

Added

• Alter or restore previous user permission checking with the restricted_site_access_user_can_access filter.

Changed

• Functionality change: Check user's role on a site in multisite before granting permission.

Fixed

• Avoid a fatal due to differing parameter counts for the restricted_site_access_is_restricted filter.

6.1.0 - 2018-02-14

Changed

• Correct a PHP notice when running PHP >= 7.1.
• Refactor logic for checking ip address is in masked ip range.

6.0.2 - 2018-01-29

Added

• 'restrict_site_access_ip_match' action which fires when an ip match occurs. Enables adding session_start() to the IP check, ensuring Varnish type cache will not cache the request.

6.0.1 - 2017-06-13

Changed

• When plugin is network activated, don't touch individual blog visiblity settings.
• When plugin is network deactivated, set all individual blogs to default visibility.

6.0 - 2017-06-12

Added

• Use Grunt to manage assets.
• Network settings added for management of entire network visibility settings.
• Display warning if page caching is enabled.

5.1 - 2014-11-29

Changed

• Under the hood refactoring and clean up for performance and maintainability.
• Small visual refinements to the settings panel.

5.0.1 - 2013-01-27

Fixed

• Does not block user activation page in network mode

5.0 - 2012-11-02

Added

• WordPress 3.5 compatibility (3.5 eliminated the Privacy settings panel in favor of a refreshed Reading panel)

Changed

• Real validation (on the fly and on save) for IP address entries
• "Restriction message" now supports simple HTML and is edited using WordPress's simple HTML tag editor
• A bunch of visual refinements that conform better with WordPress 3.4 and newer (spacing, native "shake" effect on invalid entries just like the login form, etc.)
• A bunch of under the hood refinements (e.g. playing nicer with current screen Help API)

4.0 - 2011-07-16

Added

• New restriction option - show restricted visitor a specified page; use with custom page templates for great for website teasers!
• New filter hooks for other developers: 'restricted_site_access_is_restricted', 'restricted_site_access_approach', 'restricted_site_access_redirect_url', and 'restricted_site_access_head'
• Localization ready - rough Spanish translation included!
• Basic support for no JavaScript mode

Changed

• Major improvements to settings user interface, including hiding unused fields based on settings, easier selection of restriction type, and cleaner "remove" confirmation for IP address list
• Performance improvements - catches and blocks restricted visitors earlier in the loading process
• Optimized for PHP 5.2, per new WordPress 3.2 requirements (no longer supports PHP < 5.2.4)
• Assorted other improvements and optimizations to the code base

3.2.1 - 2011-03-25

Changed

• Restored PHP4 compatibility

3.2 - 2011-03-25

Changed

• More meaningful page title in "Display Message" mode (previously WordPress > Error)
• Code clean up, prevent rare warnings in debug mode

3.1.1 - 2010-07-17

Fixed

• PHP warning when debugging is enabled and redirect path is not checked

3.1 - 2010-07-11

Added

• Backwards compatibility with PHP < 5.1 (limited testing with earlier versions)

Changed

• Built in help on configuration page updated, clearer
• "IP already in list" indicator
• Optimizations to code that handles restriction behavior

Fixed

• Disappearing blocked access message text box on configuration page
• Login always redirects visitor back to correct page

3.0 - 2010-07-05

Added

• Indicates whether the site is blocked in the admin next to the site title (WordPress 3.0+ only)
• New action hook, restrict_site_access_handling, allowing developers to add their own restriction handling

Changed

• Integrates with Privacy settings page and site visibility option instead of adding a whole new page
• Simplified options: clearer instructions, removed unnecessary hiding / showing of some options, fewer lines
• Cleans up / removes settings when uninstalled
• Assorted under the hood improvements for best coding practices, sanitization of options, etc

2.1 - 2010-02-10

Changed

• Customize blocked visitor message
• Better display / handling of blocked visitor message

Security

• Stronger security (patched "search" hole)

2.0 - 2010-01-10

Added

• Support for IP ranges courtesy Eric Buth

Changed

• Major UI changes and improvements; major code improvements

1.0.2 - 2009-10-13

Fixed

• Login redirect to home; improve redirect handling to take advantage of wp_redirect function

1.0.1 - 2009-09-10

Changed

• Important fundamental change related to handling of what should be restricted

1.0 - 2009-08-17

Added

• Initial public release