Solid Security Improves Users’ Ability to Protect Sites from Malicious Activities

NEW update to Solid Security – Basic 9.3.2 and Pro 8.4.1

This release takes a much more forceful approach to helping users understand and avoid insecure configurations of the IP detection method used by Solid Security to protect sites from malicious activities.

David G. Johnson

Changes to IP Detection Methods

Beginning in October 2022 with the release of versions 7.2.2 (Pro) and 8.1.3 (Basic), Solid Security added an “Insecure” label to the legacy “Automatic” Proxy Detection option. This label was intended to help users avoid a configuration that would allow attackers to trivially bypass IP-based bans and lockouts by spoofing their IP addresses.

In this release, Solid Security removes the “Automatic (Insecure)” Proxy Detection option. Any sites that had previously used this configuration will, after upgrading to this release, reflect that the Proxy Detection method is “Unconfigured” instead. Site administrators will see a prominent warning indicating that key Solid Security modules are disabled until the IP Detection method is properly configured. Disabled modules include:

  • Ban Users
  • Local Brute Force
  • Network Brute Force

Other features, including the Firewall and CAPTCHA modules, will operate with reduced functionality until the IP Detection module is configured.

Why Disable Features or Reduce their Functionality?

All of the affected components of Solid Security rely upon accurately determining the IP addresses of site visitors. Sites that had been using the now-removed “Automatic (Insecure)” Proxy Detection method appeared to have been benefiting from those components, but for all but the least sophisticated attacks, this was security theater.

The latest changes now more accurately reflect the actual state of site security and will hopefully encourage the adoption of more secure configurations.
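The difference between the removed “Automatic” method and a properly configured one comes down to which request headers are believed. The following PHP is an added illustration written for this post, not Solid Security’s own code; it assumes a constructed trusted-proxy list (`TRUSTED_PROXIES`) and compares an automatic detector that honours any forwarded header with a configured detector that only honours the header when the connection actually comes from a known proxy.

```php
<?php
// Added illustration, not plugin code. Assumption: the site sits behind exactly
// the proxies listed here (constructed value; a real site takes it from config).
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * "Automatic" detection: believe whichever forwarded header is present.
 * Any client can send X-Forwarded-For, so a banned visitor can claim any IP
 * and the ban/lockout keyed on that IP never matches.
 */
function client_ip_automatic(array $server): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP'] as $h) {
        if (!empty($server[$h])) {
            $first = trim(explode(',', $server[$h])[0]);
            if (filter_var($first, FILTER_VALIDATE_IP)) {
                return $first;
            }
        }
    }
    return $server['REMOTE_ADDR'];
}

/**
 * Configured detection: only honour X-Forwarded-For when the TCP peer is a
 * trusted proxy, then take the right-most address that is not itself a proxy
 * (the address the last trusted hop actually observed).
 */
function client_ip_configured(array $server): string {
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // no trusted proxy in front of us: the header is attacker-controlled
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (!in_array($chain[$i], TRUSTED_PROXIES, true)) {
            return filter_var($chain[$i], FILTER_VALIDATE_IP) ? $chain[$i] : $peer;
        }
    }
    return $peer;
}

// Constructed request: a direct (non-proxied) client sending a forged header.
$forged  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
// Constructed request: the same client arriving through the trusted proxy.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'];

echo 'forged, automatic:  ', client_ip_automatic($forged), "\n";   // header is believed
echo 'forged, configured: ', client_ip_configured($forged), "\n";  // header is ignored
echo 'proxied, configured: ', client_ip_configured($proxied), "\n"; // proxy's peer is used
```

The configured detector also needs to be told about every proxy tier in front of the site; a missing entry causes it to fall back to the proxy’s own address, which is the “reduced functionality” state rather than the spoofable one.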

Onboarding Changes to Solid Security Basic

Users of Solid Security Basic will see some additional changes when installing the plugin for the first time on a given site. Explanations of relevant options have been updated for additional clarity, and the interface has been enhanced to hopefully make the choices easier to understand. If the user chooses not to enable Security Check Pro (the feature which automatically detects the correct IP detection method for the site’s hosting setup), a new question will appear which requires the user to make a decision regarding the site’s server setup.

The onboarding process for new installations of Solid Security Pro is unchanged in this release. This is due to the fact that Security Check Pro is enabled by default in Solid Security Pro installations.

Learn More About Changes to IP Detection Options

To learn more about these changes, check out Why Are Some Features Not Available? in Solid Security product documentation.

Other Enhancements & Bug Fixes

This release also incorporates visual enhancements, including tweaks to the alignment of some table headings, and an adjustment to the way the “Solid Security Pro” title image appears in certain email clients in messages sent after a site scan is complete.

This release also squashes a few bugs:

  • reCAPTCHA v3 can no longer be bypassed when responses from the Google reCAPTCHA API omit key parameters.
  • A fatal error will no longer be thrown when the plugin is unable to determine the charset of a database table under certain conditions.
