Skip to content


April 11th 2024

  • Version 2.2.12
  • Added: error info if WP CLI activation fails.
  • Updated: a few documentation hyperlinks.
  • Updated: WordPress tested up to value.
  • Fixed: AJAX plugin activation error.
  • Fixed: potential fatal error during plugin activation.
  • Fixed: missing ) in text.
  • Fixed: reset API keys under certain conditions.

March 8th 2024

  • Version 2.2.11
  • Fixed: potential issue where uploading logs to our API would not work properly.

March 6th 2024

  • Version 2.2.10
  • Added: notice that plugin setting management will be removed in plugin on May 1st 2024.
  • Removed: cookie notice feature.
  • Removed: logs viewing through the plugin, must view through the App now.
  • Changed: initial landing page for API key activation.
  • Changed: post and comment activity logging activities is now opt-in.
  • Fixed: unnecessary software fetching call if plugin is not connected.
  • Fixed: logs will forcefully upload in batches of 100 now.

February 28th 2024

  • Version 2.2.9
  • Fixed: software upload gets called too often if un-activated state.
  • Fixed: force software upload if WP CLI.
  • Fixed: PHP warning on 8.1+.

January 30th 2024

  • Version 2.2.8
  • Added: command to unban all banned IP addresses from the firewall.
  • Changed: WP CLI command to accept both key-id formats.
  • Fixed: WP CLI command should load all options after activation.
  • Updated: GeoIP database.

January 17th 2024

  • Version 2.2.7
  • Changed: textual changes.

January 11th 2024

  • Version 2.2.6
  • Fixed: issue where an activation loop would occur when a certain variable is set internally.
  • Fixed: issue where some data remains after license is expired.
  • Fixed: do not run firewall during cronjob call.
  • Fixed: add no caching headers to login page rename, and change priority of execution.
  • Fixed: bug with the firewall engine that could throw a PHP error.
  • Changed: moved mu-plugin from patchstack.php to _patchstack.php for higher priority.
  • Changed: made all hardening features available to paid community users.

November 27th 2023

  • Version 2.2.5
  • Fixed: issue on license page where manage options would show to community users.
  • Fixed: issue where data is not logged properly under certain circumstances.
  • Fixed: issue where custom whitelist rules (legacy) were not working properly.

November 20th 2023

  • Version 2.2.4
  • Fixed: issue with the firewall engine processor that could result in a false positive.

November 13th 2023

  • Version 2.2.3
  • Changed: make sure the table creation migrations define a primary key.
  • Fixed: fatal error if a custom (legacy) rule with IP address matching was defined.

November 10th 2023

  • Version 2.2.2
  • Fixed: fatal error if a custom (legacy) whitelist was defined.

November 9th 2023

  • Version 2.2.1
  • Fixed: fatal error on multisite Patchstack settings page.
  • Fixed: styling issue on multisite Patchstack settings page.

November 8th 2023

  • Version 2.2.0
  • Added: a brand new firewall engine
  • Changed: many performance optimizations
  • Fixed: minor bugs regarding the UI

June 29th 2023

  • Version 2.1.25
  • Added: patchstack activate command to activate through WP CLI.
  • Fixed: Selectize library not loading.
  • Fixed: Fatal error due to wp-config.php salts not present on some environments.
  • Fixed: Execution order of country blocking feature.
  • Fixed: PHP version truncated in software sync.

May 2nd 2023

  • Version 2.1.24
  • Added: license check delayed message.
  • Added: implementation of new plan.
  • Added: ability to re-run migrations on multisite environments.
  • Added: support for new license key format.
  • Changed: UI of license activation/change page.
  • Changed: error code of login throttle limitation.
  • Changed: updated GEO2IP database.
  • Changed: "tested up to" value.

November 3rd 2022

  • Version 2.1.23
  • Added: no caching constant to avoid many caching plugins from caching our forbidden pages.
  • Added: encryption/decryption to the core.
  • Changed: bumped WordPress tested up-to value.
  • Fixed: not being able to change license key to a different value.

October 4th 2022

  • Version 2.1.22
  • Fixed: several multi-site related errors.
  • Fixed: incorrect block of wp-json endpoint.
  • Fixed: incorrect 2FA secret key generation.
  • Removed: broken code from activation process.

August 9th 2022

  • Version 2.1.21
  • Fixed: Bug where some settings could not be saved or retrieved.

August 5th 2022

  • Version 2.1.20
  • Fixed: Bug where the components did not properly synchronize under certain circumstances.
  • Changed: Documentation URL structure.

February 22nd 2022

  • Version 2.1.18
  • Fixed: Changed how the no caching headers are sent in the response headers to avoid certain caching configurations from caching the blocked request page.

February 3rd 2022

  • Version 2.1.17
  • Fixed: An undefined index PHP error that could show up on specific hosting environments.

January 27th 2022

  • Version 2.1.16
  • Changed: The WordPress tested up to value.

January 19th 2022

  • Version 2.1.15
  • Added: The ability to turn on/off the theme editor, changed the description.
  • Fixed: An inconsistency with the custom whitelist option.

December 29th 2021

  • Version 2.1.14
  • Fixed: An issue with the hide login functionality where only one IP address could be whitelisted at a time.

December 21th 2021

  • Version 2.1.13
  • Added: The login rename feature has been added back and adjusted so it works differently under the hood.
  • Added: Option for us to get some debug information from the site, when needed and requested.
  • Fixed: PHP error when the plugin would be activated through the CLI.
  • Fixed: Logs synchronization issue on some environments.
  • Fixed: A prefix has been added to all AJAX actions in order to avoid potential collision with other plugins with the same AJAX action name.
  • Fixed: Custom .htaccess rules should not be sanitized to avoid breaking the .htaccess file.
  • Fixed: The minimized JavaScript and CSS files of the plugin will now get served instead of the beautified/larger files.
  • Fixed: Upon fresh install of the Patchstack plugin, the last synchronization identifier should be reset.

November 9th 2021

  • Version 2.1.12
  • Fixed: Logs synchronization issue on some environments.

November 5th 2021

  • Version 2.1.11
  • Fixed: Remotely saving options that hold arrays.

November 4th 2021

  • Version 2.1.8 through 2.1.10
  • Added: Ability to change the API keys.
  • Fixed: Cronjobs would not be set properly if someone upgraded from our previous plugin.
  • Fixed: Certain settings would not be retrieved remotely properly.
  • Fixed: Several PHP errors on certain environments.

November 3rd 2021

  • Version 2.1.2 through 2.1.7
  • Fixed: PHP 8 related errors.
  • Changed: The token verifier of the listener.
  • Changed: Migration from old Patchstack plugin to new plugin.
  • Changed: Some hyperlinks and text.
  • Removed: Login page rename feature.

November 1st 2021

  • Version 2.1.0 and 2.1.1
  • Added: New interface for free users.
  • Fixed: Software synchronization issue.
  • Fixed: Issue regarding App communication.
  • Fixed: Path issue of the image of the cookie notice.

June 21st 2021

  • Version 2.0.20
  • Added: Ability to remotely unblock blocked login IP addresses.
  • Added: Ability to remotely view the blocked login IP addresses.
  • Fixed: Bug in regards to auto-blocking login and firewall requests when the defined threshold condition was met.
  • Changed: Updated the .pot translation file.

May 18th 2021

  • Version 2.0.19
  • Added: Ability to remotely force an upload of all firewall and activity logs.
  • Added: Ability to create firewall rules which can ignore the whitelist.
  • Changed: Some references from WebARX to Patchstack.
  • Changed: Removed unused logged data from blocked requests. This means less data will be logged in the WordPress database and that uploads to our API will be faster.

March 16th 2021

  • Version 2.0.18
  • Fixed: A bug in regards to the login page rename feature.

March 12th 2021

  • Version 2.0.17
  • Fixed: Fatal error on PHP 8 installations.
  • Updated: The WordPress "tested up to" value to 5.7.

March 10th 2021

  • Version 2.0.16
  • Fixed: User role whitelist issue on multisite environments.
  • Fixed: Remote setting saving issue.
  • Changed: Interface has been changed to match the new Patchstack colors.

August 7th 2020

  • Version 2.0.14
  • Fixed: Undefined variable error that might show up in certain scenarios.

July 6th 2020

  • Version 2.0.13
  • Changed: Made a small performance improvement to code that runs on all requests.
  • Fixed: Issue related to custom LOG and REDIRECT firewall rules.
  • Fixed: Issue where IP whitelisting/unblocking did not work on the login settings page.
  • Removed: Backup feature.
  • The GeoIP database has also been updated.

May 1st 2020

  • Version 2.0.12
  • Added: Ping that will send a ping to our API every so often to determine the state of the plugin and firewall.
  • Added: Message indicating that the backup feature will be remove on June 1st, 2020.
  • Fixed: Some errors that would occur on older PHP versions.
  • Fixed: The cache-control header has been added to the firewall error page to make sure that caching plugins and servers do not cache the error page. (Cache-Control: no-store)
  • Fixed: Issue where disabling the firewall would not actually turn off the firewall.
  • The GeoIP database has also been updated.

March 11th 2020

  • Version 2.0.11
  • Added: Auto-update feature to automatically update WordPress core, plugins, themes or vulnerable software. The auto-update is executed next time WordPress searches for updates behind the scenes.
  • Fixed: Error in PHP 7.4
  • Fixed: Software data is synchronized more often with our API.
  • Fixed: 1 year cookie expiration was actually only a 1 month expiration.
  • Fixed: Many improvements to the upgrade handlers.

January 8th 2020

  • Version 2.0.10
  • Fixed: Prioritize the Cloudflare IP header and use it when it's available.
  • Fixed: Software information will be synchronized more often.
  • Fixed: The IP addresses on the custom IP block list will now be trimmed to get rid of any unexpected charaters.
  • Changed: Slightly optimized the performance of the firewall.

December 2nd 2019

  • Version 2.0.9
  • Fixed: The option to disable plugin/theme edit will no longer write to (or create) the wp-config.php file which could potentially cause fatal errors.
  • Fixed: Country blocking feature will no longer block Patchstack if USA is blocked as country.

November 19th 2019

  • Version 2.0.8
  • Fixed: Fatal error in plugin update checker library.
  • Version 2.0.7
  • Added: Country blocking functionality. You can find this on the firewall settings page. It also has an option to inverse block, which means the selected countries will only be able to visit your site.
  • Fixed: Minor optimization to the firewall engine.
  • Fixed: Rare condition in whitelist rules handling that would throw an error.
  • Fixed: Error with PHP 7.3 in the plugin update checker library.
  • Fixed: Changed the update checker library to run on any type of admin page so it will more often look for updates.
  • Fixed: Issue where turning "Disallow Theme Edit" off would not properly turn it off in the wp-config.php file.

October 17th 2019

  • Version 2.0.6
  • Fixed: Improved performance and reduced memory usage of the firewall.
  • Fixed: Added more exception handling to the backup code to prevent fatal errors from happening.

October 10th 2019

  • Version 2.0.5
  • Fixed: SQL error under a specific condition in the function that uploads activity logs.

October 8th 2019

  • Version 2.0.4
  • Fixed: Fatal error in backup function that (attempts to) delete old backup files.

October 7th 2019

  • Version 2.0.3
  • Fixed: Fatal SQL error in the activity logs synchronization function to the portal.

October 3rd 2019

  • Version 2.0.2
  • Fixed: Fatal error when you have custom firewall rules configured.
  • Version 2.0.1
  • Fixed: Fatal error when reCAPTCHA or 2FA is enabled.
  • Version 2.0.0
  • Added: Ability to turn off the readme.html deletion feature.
  • Added: Opt-in to log failed logins. The default will be turned off because usually it's of no value to you and us and it consumes 80-90% of the logs.
  • Added: Ability to view a list of banned IP addresses by the firewall and unban them remotely. (this feature will be added to the portal)
  • Added: Hardening feature to turn off the WP REST API (wp-json). This is disabled by default due to some people making use of it.
  • Added: The ability to specify patterns that will be checked against registration email addresses. If a match is found, the registration will be declined.
  • Added: Option to hide the Patchstack widget on the dashboard.
  • Fixed: Firewall block reason not showing properly in the firewall logs table.
  • Fixed: Issue where the login page rename feature didn't work in certain scenarios.
  • Fixed: Reduced the number of SQL queries executed when certain actions are executed in the plugin.
  • Fixed: Clicking the logon hours checkbox would check/uncheck a different checkbox.
  • Fixed: When you deactivate the plugin, it will no longer remove any settings or data. It will now only remove all settings and data when you uninstall the plugin.
  • Fixed: Fatal PHP error in software synchronization function when a theme is reporting invalid data.
  • Fixed: Several issues related to the .htaccess file writing: removed RewriteBase from our rules and added support for multisite.
  • Changed: Removed the need for writing to certain files in the data folder which also reduces the number of IO operations.
  • Changed: Refactored the entire plugin to better support multisite environments, optimize performance, fix several bugs and remove/fix redundant code.
  • Changed: Links to third-party sites in paragraphs of the Patchstack plugin will now open in a new tab.
  • Changed: Slightly optimized certain aspects of the backup functionality.
  • Removed: Several useless options that did not make a significant security impact on the site.
  • Removed: .htaccess backup/restore functionality.

August 28th 2019 & August 29th 2019

  • Version 1.4.7
  • Fixed: Issue on lower PHP versions where the firewall script would cause a memory exhaustion error.
  • Version 1.4.5 & 1.4.6
  • Fixed: Make sure that the Patchstack JavaScript files for the backend are only loaded on the Patchstack pages.
  • Version 1.4.4
  • Added: Option on firewall page to override which IP header to use from the $_SERVER array when we grab the IP address of the visitor.
  • Fixed: Firewall authentication check has been improved to reduce the number of false positives of when you are logged in but still blocked by the firewall.
  • Fixed: Text for 2FA not displaying on the user profile page.
  • Fixed: PHP error "Can't use function return value in write context" on lower PHP versions that we officially don't support.
  • Fixed: .htaccess file handler will no longer mess up any comments made by yourself or other plugins. Additionally it will now only alter the file if there's actually a change.
  • Fixed: Multisite sites overview table header being displayed under the table.
  • Fixed: The whitelist textarea option will no longer be deleted if you deactivate the plugin.
  • Fixed: Issue when activating sites on multisite environment.
  • Changed: Backup feature is now available on multisite. We still recommend to use a dedicated backup service by your host since they do not impact your sites performance and are much faster.
  • Changed: The scheduled task function to assign a unique time of the day to your site of when to run the Patchstack scheduled tasks. This will reduce load on both your site and our servers.
  • Changed: Blocked comment spam attempts are no longer stored on the portal, but will still show on the logs page of your site.
  • Removed: The need of mu-plugins folder and the firewall.php file inside this folder.

August 8th 2019

  • Version 1.4.3
  • Fixed: IP proxy issue on certain hosts.

August 5th 2019

  • Version 1.4.2
  • Added: Multisite network functionality.
  • Added: Strict-Transport-Security security security header.
  • Fixed: Issue related to the hardening tab on the portal.
  • Fixed: Several issues related to backups.
  • Fixed: Several PHP errors.
  • Removed: License expiring message.

May 27th 2019

  • Version 1.4.1
  • Added: Button to disable the backup feature.
  • Added: Textbox to specify maximum number of backup copies to keep in Google Drive.
  • Added: Better errors when a file cannot be written to.
  • Fixed: reCAPTCHA undefined variable error under certain conditions.
  • Fixed: Several backup related issues.
  • Fixed: Software synchronization between the WordPress site and our API has been optimized.
  • Fixed: The way the security headers are set in order to avoid certain PHP header errors.

April 29th 2019

  • Version 1.4.0
  • Added: Backup feature to backup your files and database to Google Drive. You can find this feature under the "Backup" tab on the Patchstack plugin settings on your site.

April 10th 2019

  • Version 1.3.9
  • Added: XML-RPC block option has been added and is enabled by default. If you would like to turn it back on, you can find the option on the "Hardening" tab.
  • Fixed: Bluehost IP address issue where the proxy IP address would get logged instead of the actual visitors IP address. This caused conflicts with the firewall banning feature.

April 5th 2019

  • Version 1.3.8
  • Fixed: Several PHP errors that would show up under certain conditions.

March 12th 2019

  • Version 1.3.7
  • Added: Functionality for old whitelisting structure has been re-added.
  • Fixed: Invisible reCAPTCHA error on login.
  • Fixed: Several errors related to the firewall regarding parsing the firewall rules.
  • Fixed: Issue where the session would be killed if you moderated or posted comments.
  • Removed: Referral input fields since it's no longer used.

February 19th 2019

  • Version 1.3.6
  • Added: Ability to match firewall rules against IP addresses.
  • Version 1.3.5
  • Added: Implementation of new enhanced firewall logic (which can be managed in the portal)
  • Changed: Patchstack is no longer shown as a menu option but now shown under the "Settings" menu as "Security".
  • Fixed: Bug that killed your session if you managed comments through wp-admin.
  • Fixed: Cookie notice would show briefly on the site with certain caching plugins.
  • Fixed: build_log_db PHP error.
  • Fixed: Undefined variable error.
  • Fixed: Security headers issue with the X-XSS-Protection header.

January 16th 2019

  • Version 1.3.4
  • Added: Functionality so the plugin settings can be remotely adjusted through the portal.
  • Fixed: Version 1.3.3 skipped due to minor bug that had to be fixed.

October 18th 2018

  • Version 1.3.2
  • Changed: Frequency of some scheduled tasks to reduce server load on both your site and our API.
  • Changed: Refactoring of some code.
  • Fixed: Force synchronization with the portal when the plugin is activated under certain conditions.

September 26th 2018

  • Version 1.3.1
  • Fixed: DISALLOW_FILE_EDIT PHP notice error.
  • Fixed: Blocked requests will now properly return a 403 forbidden error.
  • Fixed: Unauthenticated users doing actions on posts will not be logged.
  • Fixed: Cookie notice will no longer be affected by caching plugins.
  • Fixed: Show error on wp-login.php if login rename feature is enabled.
  • Fixed: If IP address header contains multiple IP addresses, use the first IP in the list.
  • Fixed: Fatal PHP error: nesting level too deep.
  • Fixed: Removed policy word from the cookie notice.
  • Fixed: Load reCAPTCHA script only if it is actually enabled.
  • Fixed: Fatal error when the plugin is activated on the multisite environment.

August 29th 2018

  • Version 1.3.0
  • Added: Activity logs.
  • Added: Ability to specify logon hours. For example 09:00-19:00 or 18:00-06:00 (uses server time).
  • Added: User-based 2FA (works with Authy and Google Authenticator)
  • Added: Option to make use of invisible reCAPTCHA.
  • Added: Ability to see which IP addresses are currently blocked from logging in.
  • Added: Ability to unblock blocked IP addresses from logging in and whitelist ability.
  • Added: Finetune when to block an IP addresses when firewall blocks a request.
  • Added: Finetune when to block an IP address when a login request failed.
  • Added: Comment form reCAPTCHA option.
  • Added: Ability to select which user roles are excluded from the firewall.
  • Changed: Re-designed the plugin to match the portal design
  • Changed: Ability to block IP addresses by range, CIDR notation, wildcard and single IP.
  • Changed: Refactored a bunch of code.
  • Removed: Old user login logs.
  • Removed: Old code that was no longer used.
  • Fixed: Several issues regarding plugin/license activation.
  • Fixed: Login brute force blocking not working properly.
  • Fixed: Permission error message.
  • Fixed: Patchstack styling overrides styling of other plugins.
  • Fixed: When you request a rescan of the site, it will block Patchstack and log it.

August 3rd 2018

  • Version 1.2.1
  • Added: The ability to control when to block an IP address depending on the number of failed login attempts and time span.
  • Fixed: Security headers checkbox not working properly.
  • Fixed: Prefixed cookie notice CSS class/id attributes so it doesn't collide with the theme or other plugins.

August 2nd 2018

  • Version: 1.2
  • Added: Added section separators to the settings page.
  • Added: Ability to tell Patchstack where to inject custom .htaccess code.
  • Added: Ability to tell Patchstack to never modify the .htaccess file again.
  • Fixed: Rewrote .htaccess related code to fix issues in certain environments.
  • Fixed: Removed and adjusted some CSS so it doesn't override CSS of other plugins.
  • Fixed: WP_Error on some environments when trying to login.
  • Fixed: Small adjustment made to reCAPTCHA processor to fix the issue on some environments.
  • Fixed: Patchstack icon on vertical menu's.
  • Fixed: Rename login page not working on certain environments.

July 28th 2018

  • Added: The Patchstack logo and text in the cookie notice can now contain your referral link.
  • Fixed: The firewall/user logs pagination styling has been improved.
  • Fixed: Firewall will not execute if the whitelist is non-existent to prevent false positives.
  • Fixed: In rare scenarios the plugin activation process would cause an infinite redirect loop, this has been fixed.