All-In-One Security Release 5.2.6: AIOS adds more UX features and fixes 2 vulnerabilities to CSRF and XSS functionalities

In our latest update, we’ve made several enhancements to AIOS. These additions make AIOS easier to use, and give you more control over your WordPress site. Additionally, we addressed two potential security issues to make your site even safer than before.

We made some improvements to the audit log by allowing admins to see which users are logged out and to keep track of password resets and deleted users. This is a useful feature for anyone monitoring site security or analysing user activity.

We’ve also added a tweak that allows you to set Cloudflare’s Turnstile CAPTCHA theme. Administrators can now customize the CAPTCHA theme, adjusting design elements like colors to align with their website’s design. This not only ensures a consistent user experience but also enhances security by making it harder for automated bots to bypass the CAPTCHA challenge.

Additionally, we’ve added CAPTCHA support for the Contact Form 7 plugin. This allows users of the plugin to add our CAPTCHA to their forms.

We’ve made some UX improvements by reducing, combining and moving several menus and items. We’ve also made some other small UX improvements (like converting dates and times to timestamps to be timezone independent). This has streamlined AIOS and made it easier to use.

In the first security fix, we added nonce (number used once) checks to various table list actions to prevent a cross-site request forgery – a type of attack which includes unauthorised and malicious commands being issued from a user that is trusted by the site. If an attacker was able to persuade a logged in admin who visited a specially-crafted link, they would be able to perform actions on the 404 records, putting the site at risk. Thank you to dhakal_anada for disclosing this vulnerability.

The second key fix removed unnecessary uses of the ‘tab’ query parameter on various admin menu pages in order to prevent a non-persistent cross-site scripting vulnerability. Cross site scripting allows for malicious users to inject unwanted scripts into your website, in this case through the AIOS admin page. Thank you to Matthew Rollings for disclosing the vulnerability.

For the full list of changes, please review the Changelog below:



* SECURITY: Removed unnecessary use of the “tab” query parameter on various admin menu pages to prevent a XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect.

* FEATURE: Added logout event to the audit logs

* FEATURE: Add ability to delete the default readme.html file and wp-config-sample.php file

* FIX: Correct some translation calls that were using the wrong text domain

* FIX: PHP notice caused by the file scanner being unable to read its data file

* FIX: Unlock request button was not showing and redirects to

* FIX: Database errors for the aiowps_login_lockdown table during plugin installation

* TWEAK: Refactor the 6G UI

* TWEAK: Added an option to set the Cloudflare Turnstile CAPTCHA theme

* TWEAK: Added CSS styling for audit log details column

* TWEAK: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite

* TWEAK: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out

* TWEAK: Display json string instead of null if json_decode does not work for audit log details

* TWEAK: Event table existing datetime field converted to timestamp to be timezone independent

* TWEAK: Various tweaks to get codebase up to coding standards

* TWEAK: Various tweaks to ensure multiple sentences are not passed to a single translation function

* TWEAK: Fix the broken UI for RSS and Atom firewall settings and added a more info box

* TWEAK: Fix the issue of unique ID in DOM

* TWEAK: Merge Username and Display Name tabs in User Security Settings

* TWEAK: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu

* TWEAK: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab

* TWEAK: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu

* TWEAK: Moved the ‘WP Rest API’ tab into the Firewall Menu

* TWEAK: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu

* TWEAK: Moved the ‘Salt’ tab into the User security menu

* TWEAK: Moved ‘Blacklist Manager’ tab into the Firewall menu.

* TWEAK: Password resets, removed and deleted users are now recorded in the audit log

* TWEAK: Stop 404 IP from being locked if there’s a current lock on that IP

* TWEAK: Unify date and time conversion with users timezone support

* TWEAK: Changed how empty data in ip lookup result is stored in the database

* TWEAK: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules

* TWEAK: Add captcha support for Contact Form 7

* TWEAK: Added a AJAX save settings and get features details badge function as part of ongoing work to add AJAX support to the plugin settings

* TWEAK: Enhance reset password email by adding IP info

* TWEAK: Remove defunct imagetoolbar meta tag

* TWEAK: Login lockout tables existing datetime field converted to timestamp to be timezone independent

* TWEAK: Code improvements – utilising WP_Error objects instead of arrays


Get peace of mind, install AIOS premium

The hard work you’ve put into your website deserves the best protection. AIOS Premium monitors your site for trojan horses, adware, worms, spyware and other malicious code that could have devastating consequences for your WordPress investment.

AIOS Premium customers also benefit from personalised, ticketed support from a team of security experts. Advanced two-factor authentication, a country blocking tool and smart 404 error blocking give your website the protection it deserves. 

Get Premium


Share This Post

More To Explore...


WordPress security audit checklist

Ensuring your WordPress website’s security is vital for protecting sensitive data, keeping customer trust, and safeguarding your online business. A