Changelog

Release history for the VistoShield platform — WordPress plugin, cloud dashboard, Linux daemon, and control panel integrations.

2026 — Production Release

Version 2.0.3 Latest

Released: April 19, 2026

Bug fixes and settings reliability improvements.

WordPress Plugin

  • Fix: All 13 module settings pages now correctly load saved boolean values
  • Fix: Duplicate events eliminated (traffic, login alerts, scanner)
  • Fix: Active modules count now shows 14/14 (was miscounting sub-settings)

Cloud API

  • Fix: Event and traffic deduplication in push endpoints
  • Fix: Login lockout fires once per threshold crossing

Version 2.0.2

Released: April 7, 2026

Critical WAF compatibility fix and security hardening.

WordPress Plugin

  • Fix: WAF no longer blocks Elementor, Divi, WPBakery, Beaver Builder, Bricks, Oxygen, and other page builders when saving pages
  • Fix: WAF now skips all logged-in users (admins, editors, shop managers) and the entire WordPress REST API
  • Fix: WAF whitelists 30+ AJAX actions for WooCommerce checkout/cart, contact form plugins (CF7, WPForms, Gravity Forms, Ninja, Formidable, Fluent), and cache plugins (WP Rocket, LiteSpeed, W3TC, WP Super Cache)
  • Fix: XSS, SQLi, and RCE rules narrowed to query strings only — no more false positives on legitimate POST body content
  • Fix: Bot detection no longer blocks WP Rocket, LiteSpeed, Stripe webhooks, Zapier, and backup services
  • Fix: php://input scan limit increased from 8KB to 64KB for large Elementor pages
  • Fix: Plugin sync endpoint now rate-limited (10 req/min per IP) against brute force
  • Fix: Site connection state can no longer become inconsistent

Cloud Dashboard

  • Fix: Iframe session expiry — re-authenticates via postMessage instead of redirecting to login page
  • Fix: Auto-refresh interval restarts when switching between sites (no more stale data from previous site)
  • Fix: Concurrent 401 requests now share a single token refresh (prevents race conditions)

Cloud API

  • Security: 7 SQL injection vulnerabilities fixed (LIMIT/OFFSET parameterized in admin endpoints)
  • Security: Admin actions now logged with audit trail (assign, flag, force-complete, refund)
  • Security: Admin role moved from environment variable to database column
  • Security: Site secret stripped from all API responses except creation
  • Fix: 5 Rescue service bugs (notification methods, enum values, rate limit logic)
  • Fix: Error responses no longer leak internal database details
  • New: Health endpoint returns DB and Redis latency metrics
  • New: X-Request-ID header on all responses for debugging

Version 2.0.1

Released: April 6, 2026

Bug fixes and reliability improvements across the platform.

WordPress Plugin

  • Fix: HMAC authentication now tries both site_secret and site_key for backward compatibility with pre-2.0 installations
  • Fix: Heartbeat reliability — cloud ping cron now reaches all active sites regardless of last heartbeat time
  • Improved: Cloud-to-agent sync stability and error handling

Cloud Dashboard

  • Fix: Security score now consistent between sites list cards and site overview page

Cloud API

  • Fix: Agent authentication middleware accepts both site_secret and site_key signatures for seamless backward compatibility
  • Fix: Cron ping-sites now pings all active sites, not only those with recent heartbeats
  • Fix: Rescue service controller endpoint corrections
  • Fix: Rescue monitoring endpoint 500 error resolved

Version 2.0.0

Released: March 29, 2026

Cloud Dashboard & Architecture

  • Launched the EU-hosted VistoShield cloud dashboard at app.vistoshield.com
  • Single lightweight WordPress plugin (~150 KB) connects to the cloud dashboard via API key
  • All 14 security modules built into one plugin, managed from the cloud dashboard
  • Multi-site management — control all connected WordPress sites from one place
  • Centralized licensing system with Free, Pro, and Max plans

Platform Modules (All 14)

  • Firewall & WAF — 7 rule categories, learning and active modes, HTTP security headers
  • Security Scanner — Core integrity, malware scanning, vulnerability detection, quarantine
  • Bot Detector — 143+ signatures, behavioral scoring, rDNS verification
  • Login Guard — Brute force protection, TOTP two-factor, progressive lockouts
  • Activity Log — Full audit trail with alert rules and GDPR compliance
  • Password Policy — Role-based enforcement, breach detection, expiration rules
  • API Security — REST API lockdown, key management, rate limiting, CORS management
  • Vulnerability Patcher — Auto-detect and virtual-patch known vulnerabilities
  • Incident Response — Automated detection, 5 playbooks, notifications
  • CDN Connector — Cloudflare, Bunny CDN, Fastly, CloudFront, KeyCDN integration with edge blocking and cache management
  • DNS Monitor — DNS record change monitoring, SSL certificate tracking, and alerting
  • Live Traffic — Real-time HTTP request monitoring with bot/human classification
  • Uptime Monitor — Cloud-based HTTP, TCP, DNS, and ping monitoring with incident tracking and SMS alerts
  • Reputation Monitor — Domain blacklist checking against 12+ providers with remediation guidance

Linux Daemon & Control Panels

  • Unified dashboard spanning WordPress modules, Linux daemon, and control panel integrations
  • Pro plan extended to per-site pricing for all 14 modules
  • Max plan now includes all 14 Pro modules per site purchased with white-label branding

v1.1.0 — March 15, 2026

Compatibility update and UI improvements across the platform.

Platform Updates

  • WordPress 6.7 compatibility verified across all modules
  • Consistent admin UI styling and improved responsive layouts
  • Performance optimizations for database queries and AJAX handlers
  • Updated translation files for all supported locales

v1.0.2 — February 10, 2026

Bug fixes and performance improvements.

Security Scanner Module

  • Fixed false positives in core integrity checks on multisite installations
  • Improved scan performance for sites with large media libraries

Firewall & WAF Module

  • Resolved edge case where learning mode rules were not promoted correctly
  • Fixed HTTP header injection detection for non-standard headers

Bot Detector Module

  • Updated bot signature database (143+ patterns)
  • Fixed rDNS verification timeout on high-latency servers

Login Guard Module

  • Fixed TOTP secret generation on PHP 8.2+ strict mode
  • Improved progressive lockout reset timing

Activity Log Module

  • Fixed CSV export encoding for non-ASCII usernames
  • Reduced database write overhead for high-traffic sites

v1.0.0 — February 1, 2026 — New Modules

4 additional security modules added to the platform.

  • Password Policy module — Role-based password enforcement with configurable complexity rules per user role, password expiration with grace periods, breach detection via Have I Been Pwned (k-anonymity API), and password reuse prevention. Learn more →
  • API Security module — REST API lockdown with key management (create/revoke/rotate), per-key rate limiting, endpoint whitelist and blacklist, user enumeration prevention, XML-RPC protection, and CORS origin management. Learn more →
  • Vulnerability Patcher module — Detect plugin and theme vulnerabilities by syncing against public vulnerability databases. Apply virtual patches via WAF rules before official fixes are released. Smart auto-updates with pre-update backup and one-click rollback. Learn more →
  • Incident Response module — Automated incident detection from all VistoShield modules with 5 pre-built response playbooks. Plugin isolation, maintenance mode, IP blocking, email and Slack notifications, and post-incident reporting. Learn more →

v1.0.1 — January 20, 2026

Minor bug fixes across all modules.

  • Fixed activation hooks on servers running PHP 8.2 with JIT enabled
  • Resolved translation loading order issue on multisite
  • Corrected permission checks for non-admin roles with custom capabilities
  • Minor CSS fixes for WordPress admin dark mode

v1.0.0 — January 5, 2026

First stable release — Linux daemon, 5 WordPress security modules, and control panel integrations.

Linux Daemon

  • Dual firewall backend support (nftables and iptables) with automatic detection
  • Full IPv4 and IPv6 dual-stack protection
  • Per-IP rate limiting with configurable thresholds and burst allowance
  • Login Failure Detection (LFD) for SSH, FTP, IMAP, POP3, SMTP, DirectAdmin, cPanel, Webmin, and ModSecurity
  • Bot detection with User-Agent signature matching (143+ patterns) and rDNS verification
  • Connection tracking with per-IP limits
  • SYN flood and per-port flood (PORTFLOOD) protection
  • Country-based blocking via GeoIP
  • Allow and deny list management with CIDR support
  • Testing mode with automatic block clearing for safe deployment
  • CLI management tool with full command set
  • Email alert notifications
  • Automatic log rotation

WordPress Modules

  • Security Scanner — Core integrity checks, malware scanning, vulnerability detection, quarantine, and baseline snapshots
  • Firewall & WAF — 7 rule categories (SQLi, XSS, LFI, RFI, RCE, scanner detection, comment spam), security hardening checklist, HTTP security headers, learning and active modes
  • Bot Detector — 143+ signatures, behavioral scoring engine (0–100), rDNS verification, inline action switching (block/challenge/monitor/allow)
  • Login Guard — Brute force protection with progressive lockouts, TOTP two-factor authentication, hidden honeypot, login attempt logging with CSV export
  • Activity Log — Authentication, content, plugin/theme, settings, and system event tracking. Alert rules with email, Slack, and webhook channels. GDPR-compliant with configurable retention.

Control Panel Integrations

  • DirectAdmin — Admin and user-level plugin with dashboard, configuration editor, blocked IP management, allow/deny lists, bot signatures, log viewer, exec wrapper, and DirectAdmin hooks
  • Webmin — Full module with config editor (comment-preserving), daemon control, blocked IP management, allow/deny lists, bot signature management, and color-coded log viewer

Installation

  • One-line installer with OS and panel auto-detection
  • Support for Ubuntu 22.04/24.04, Debian 12, AlmaLinux 8/9, CentOS Stream 9
  • Automatic web server configuration (Nginx and Apache)
  • Dry-run mode for previewing changes before installation

2025 — Public Beta & WordPress.org Submission

v1.0.0-rc2 — November 20, 2025

Bug fixes and hardening from beta tester feedback.

  • Fixed WAF false positives on WooCommerce checkout and REST-based page builders
  • Resolved TOTP QR code rendering issue on Safari and iOS browsers
  • Improved installer compatibility with CloudLinux and LiteSpeed Enterprise
  • Fixed Activity Log database migration failing on MySQL 5.7 strict mode
  • Hardened nonce verification across all AJAX endpoints

v1.0.0-rc1 — October 8, 2025

Release candidate — security audit completed, final stabilization.

  • Passed independent security audit by a third-party penetration testing firm
  • All SQL queries converted to parameterized $wpdb->prepare() calls
  • CSRF protection verified on every admin action across all modules
  • Performance profiling completed — all admin pages load under 200ms
  • Full WordPress coding standards compliance (PHPCS with WordPress-Extra ruleset)

v0.9.9 — August 15, 2025

WordPress.org plugin submission preparation.

  • Refactored all modules to meet WordPress.org plugin directory guidelines
  • Added complete readme.txt with FAQ, screenshots, and changelog
  • Removed all external CDN dependencies — all assets bundled locally
  • Implemented uninstall hooks for clean removal of all database tables and options

v0.9.8 — May 22, 2025

Webmin integration and cPanel preparation.

  • Released Webmin module with config editor, daemon control, blocked IP management, and log viewer
  • Began cPanel/WHM plugin development with UAPI integration
  • Added color-coded log viewer with severity filtering to Webmin and DirectAdmin
  • Improved daemon restart reliability on systemd-based distributions

v0.9.5 — February 10, 2025

Public beta release and DirectAdmin panel integration.

  • Opened public beta program with invite-only access for hosting providers
  • Released DirectAdmin plugin with admin and user-level interfaces
  • Added DirectAdmin hooks for automatic IP blocking and event forwarding
  • Improved installer with automatic panel detection (DirectAdmin, Webmin, cPanel)
  • First public documentation site launched

2024 — Linux Daemon & WordPress Development

v0.9.0 — December 15, 2024

Activity Log module and nftables backend support.

  • Activity Log module added to the platform with full audit trail for authentication, content, plugins, themes, and settings
  • Added nftables backend as an alternative to iptables for modern kernel support
  • Implemented automatic backend detection (nftables preferred when available)
  • Added GDPR export and erasure hooks to the Activity Log module
  • Introduced Slack and webhook notification channels in Activity Log alert rules

v0.8.0 — October 1, 2024

Bot Detector and Login Guard modules added to the platform.

  • Bot Detector module added with 60+ initial bot signatures and behavioral scoring engine
  • Login Guard module added with brute force protection and TOTP two-factor authentication
  • Added rDNS verification for search engine crawler validation
  • Implemented JavaScript challenge page for suspicious traffic
  • Added honeypot CAPTCHA with HMAC-signed timestamps to Login Guard

v0.7.0 — August 5, 2024

Security Scanner module added to the platform.

  • Security Scanner module added with core integrity checks against WordPress.org checksums
  • Built offline malware signature database with 40+ initial patterns
  • Implemented quarantine manager with safe file isolation and one-click restore
  • Added WP-Cron based scheduled scans with email alerts

v0.6.0 — May 18, 2024

WordPress module architecture and Firewall module.

  • Designed shared module architecture for consistent admin UI, settings API, and inter-module communication
  • Firewall & WAF module added to the platform with 30+ initial rule patterns across 7 categories
  • Implemented learning mode for safe WAF deployment on production sites
  • Added HTTP security headers configurator (HSTS, CSP, X-Frame-Options, etc.)
  • Built rules exporter for nginx, Apache, and VistoShield server formats

v0.5.0 — February 20, 2024

Linux daemon with systemd integration.

  • Rewrote firewall engine as a standalone Linux daemon (vistoshieldd)
  • Added systemd service files with automatic restart and watchdog support
  • Built CLI management tool (vistoshield-cli) for all daemon operations
  • Implemented configuration file format with hot-reload support
  • Added email alert notifications for blocked IPs and security events

2023 — Project Foundation

v0.4.0 — December 8, 2023

IP reputation and blocklist integration.

  • Integrated IP reputation scoring using public blocklist feeds (Spamhaus, AbuseIPDB)
  • Added automatic blocklist sync with configurable update intervals
  • Implemented CIDR-based allow and deny list management
  • Added country-based blocking via MaxMind GeoLite2 database

v0.3.0 — October 12, 2023

Bot detection with signature matching.

  • Built User-Agent signature matching engine with plain-text signature format
  • Created initial signature database with 30+ known malicious bot patterns
  • Added per-IP connection tracking and rate limiting
  • Implemented SYN flood and port flood (PORTFLOOD) protection

v0.2.0 — July 20, 2023

Login failure detection (LFD) added to the daemon.

  • Added log-parsing LFD module for SSH, FTP, and IMAP/POP3 authentication failures
  • Implemented configurable failure thresholds and temporary ban durations
  • Added DirectAdmin and cPanel login failure pattern recognition
  • Built automatic log rotation for daemon logs

v0.1.0 — April 3, 2023

Internal alpha — basic firewall for DirectAdmin servers.

  • Initial iptables-based firewall script for Vistoweb hosting servers
  • Basic allow/deny list management via configuration file
  • Per-IP rate limiting with configurable thresholds
  • Manual installation via Bash script on Ubuntu 22.04