Changelog

What’s new in PowerSEC

Security hardening, backups, AI improvements, and platform updates — shipped continuously.

  1. Jul 16, 2026
    securityv1.4.146
    Tamper-evident audit log

    Your security audit log is now tamper-evident. Every recorded event is cryptographically hash-chained to the entry before it, and the head of that chain is anchored at PowerSEC Central — off your server. If an entry is edited or removed directly in the database, or the log is truncated, the chain no longer verifies and PowerSEC flags it, so a security event you did not make cannot be quietly deleted. The plugin Audit Log page shows a live "Verified" status you can re-check anytime, and PowerSEC raises an alert if the chain changes unexpectedly (a database restore is a benign cause, and the alert says so).

  2. Jul 15, 2026
    fixv1.4.143
    Honest data across the board: Database Health scores, AI wording, and plan details

    A round of accuracy fixes so every number and label reflects reality:

    • Database Health never shows an impossible over-100% table overhead, and a perfect 100/100 score is no longer displayed while there are still recommended cleanups.
    • PowerSecAI describes scanner findings as candidates to review — it will not call them a confirmed infection or tell you to delete files without review. Its action links always stay inside your PowerSEC dashboard.
    • Backup guidance now reflects your most recent off-site copy, so it will not report cloud backups as healthy when the newest ones are still local-only.
    • Plan and pricing details are consistent: the plan comparison, add-on limits, trial billing, and Agency (5 sites, not per-site) all match; notification channels are listed accurately.
    • Accessibility improvements for form fields, switches, and icon buttons across the plugin and dashboard.
  3. Jul 15, 2026
    fixv1.4.144
    Accuracy & clarity fixes across the dashboard and plugin
    • The account overview assistant now uses your effective plan limits, including add-ons — a site with the Long-Term Retention add-on is no longer described as "exceeding" its restore-point limit.
    • Add-ons on the site page now show their friendly names (Hourly Backups, Long-Term Retention) instead of internal codes.
    • Security summaries no longer double-count the same flagged files as both "malware" and "webshells."
    • Per-site alert feeds now show only your own alerts (internal operations notes are no longer surfaced to site owners).
    • Plugin (v1.4.144): "time ago" labels in the WordPress admin now read as consistent English (e.g. "3 hours ago") on right-to-left (Persian/Arabic) admins, instead of a mixed, out-of-order label.
  4. Jul 14, 2026
    securityv1.4.142
    Uploads protection is now verified, not just applied

    When you enable uploads PHP execution protection, PowerSEC now actively checks that a PHP file genuinely cannot run in your uploads folder — instead of only confirming the protection file was written.

    • The status shows PROTECTED — verified only when execution is truly blocked.
    • On servers that ignore the rule file (for example, Nginx), PowerSEC now shows the exact server rule to add — so you are never left with a false sense of security.

    The uploads hardening status is now honest on every server.

  5. Jul 13, 2026
    featurevcentral-2026.07.13-scan
    Free WordPress scan now recognizes non-WordPress sites

    Our free security snapshot (powersec.io/free-wordpress-security-scan) now checks whether the address you enter is actually a WordPress site before it reports.

    • If it is not WordPress, you now see a clear notice and a basic transport & security-header check instead of a WordPress-specific report.
    • If your WordPress signals are hidden behind a firewall or CDN (for example Cloudflare), we tell you we could not confirm it and show partial results — we never wrongly claim your site is not WordPress.
    • The scan stays passive, external, and safe: it never logs in, exploits, or changes your site.

    This makes the snapshot more accurate and honest about what it can and cannot see from the outside.

  6. Jul 13, 2026
    featurev1.4.139
    Works behind Cloudflare and strict firewalls: detection, guidance, and pull mode

    Some sites sit behind Cloudflare or a strict firewall that can block PowerSEC's requests — the site stays online and keeps reporting in, but actions sent to it (scans, backup runs, list refreshes) could silently fail. This release fixes that end to end.

    • PowerSEC now detects when Cloudflare or a firewall is challenging its requests and tells you — on the site's page, the backup page, and your fleet list — exactly what is happening and how to allow PowerSEC through (one-minute fix, step-by-step guide included).
    • You get a single calm notification when it starts, and it resolves itself when the path clears.
    • New in the plugin (v1.4.139): pull mode. When direct delivery is blocked, your site now fetches pending actions from PowerSEC Cloud in the background and reports results back — so scans and backups keep working even behind a restrictive firewall, with at most a minute or two of extra delay.
    • PowerSEC's requests now identify themselves clearly (User-Agent PowerSEC-Central/1.0), which most firewalls can allow with a single rule.

    Nothing changes for sites without a restrictive edge — direct delivery remains instant.

  7. Jul 13, 2026
    featurevcentral-2026.07.13
    A new design: dark & light themes across PowerSEC

    PowerSEC has a new look. The whole product — website, dashboard, and admin — now follows one design system: calm navy surfaces, a single orange accent, and the Geist typeface, with green/amber/red reserved strictly for security state.

    • Dark mode by default, with a light mode switch in the top bar of every page — your choice is remembered.
    • Clearer hierarchy on data-heavy screens: flat cards, hairline borders, and monospace labels for paths, CVEs, and checksums.
    • Consistent buttons and forms everywhere, with larger touch targets on mobile and tablet.
    • Security meanings are unchanged: scores, statuses, and thresholds read exactly as before — only the visual language is new.
  8. Jul 8, 2026
    fixv1.4.137
    Faster, more reliable off-site backups

    Completed backups now reach PowerSEC Cloud sooner. When a backup finishes on your site, PowerSEC registers it and begins uploading the off-site cloud copy right away — instead of waiting until you next open the Backups page. A new background safety-net also reconciles each connected site's backups on its own, so a completed backup reaches cloud storage even if you never open the page. This is a reliability improvement only: no change to what is backed up, to restore, to retention, or to your plan limits.

  9. Jul 7, 2026
    securityv1.4.135
    Security hardening and clearer security dashboards

    We strengthened authentication and session security across your account — plugin install tokens are now strictly limited to connecting sites, resetting your password now signs out existing sessions, and support-access handling was tightened. We also made your security views clearer and more honest: malware-scan results distinguish files “flagged for review” from confirmed threats, the AI Advisory panel now explains its status on eligible plans, and the plugin’s admin screens are no longer cluttered by unrelated third-party notices. No action is needed on your part.

  10. Jul 6, 2026
    securityv1.4.132
    Setup-token enforcement for connecting sites

    Verifying a site's connection to PowerSEC Central now requires a short-lived setup token. Your site receives that token securely over its existing authenticated connection and presents it when a connection check runs, with clear guidance if a fresh token is needed. The token is stored only temporarily and is never shown or logged. This adds a layer of protection to how sites confirm their connection, and connection checks no longer return long-lived signing material. No change to your site's security scanning, firewall, or backups.

  11. Jul 6, 2026
    securityv2026.07.05-verify-hardening
    Stronger site connection verification

    We improved how PowerSEC verifies a site's connection to Central. Connection checks now return only connection status and non-secret identifiers — they no longer include long-lived signing material. This reduces the exposure of sensitive credentials and complements the signed key-rotation delivery introduced with plugin 1.4.131. No action is needed; your connected sites are unaffected.

  12. Jul 6, 2026
    securityv1.4.131
    Improved connection security and key rotation

    Improved connection security and key-rotation handling for the PowerSEC plugin. When a connected site's Central signing keys are rotated, the new keys are now delivered securely over the site's existing authenticated connection and cryptographically verified before they are adopted. Diagnostic logs no longer include connection secrets. No change to your site's security scanning, firewall, or backups.

  13. Jul 5, 2026
    securityv1.4.130
    Security & reliability hardening

    This update rolls out a round of security and reliability improvements across backups, billing, and the malware scanner: tighter access scoping on backup actions, clearer and more honest scan-status reporting (a failed or stalled scan now shows plainly instead of appearing complete), a new notification when a backup's off-site cloud copy needs attention while your local backup stays available, and a WordPress plugin update (v1.4.130) with additional hardening. No action is needed on your part.

  14. Jul 4, 2026
    fixv1.4.127
    Compatibility fix for restricted hosting

    PowerSEC now loads correctly on hosts that disable PHP's disk-space functions (common on some shared hosting). Previously the dashboard could show a PHP error and stop syncing to PowerSEC Central on those hosts. We also corrected a case where the dashboard could briefly show a 'WordPress update available' notice before your site's version had finished syncing.

  15. Jul 2, 2026
    fixv2026.07.02-legacy-restore
    Honest restore-readiness for older-format backups

    Backups created in our original backup format no longer show a "Needs new full backup" notice when nothing is actually wrong with them. Restore-readiness now recognises this older format directly: these backups are marked as needing attention only for real, evidence-based issues, and restore points that PowerSEC cannot assess from its records are shown as "Not evaluated" instead of raising a warning. Restores themselves are unchanged — every restore still runs its own integrity checks before anything is modified.

  16. Jul 2, 2026
    fixv2026.07.02-backup-status
    More accurate backup restore-readiness status

    We fixed an issue where the backups page could show a "Needs new full backup" notice and a "Needs attention" indicator on restore points that had simply not been evaluated yet. Restore points that have not been checked now show a neutral "Not evaluated" status instead of a warning, and warnings only appear when a real issue with a restore point has actually been identified. No backups were affected — this was a display issue only.

  17. Jul 2, 2026
    featurev1.4.121
    See how many files your malware scan reviewed

    Malware scan results now report scanner-reviewed file counts. Your dashboard's Findings → Malware scan-coverage box shows "Files reviewed in last malware scan" — the number of PHP and executable files the scanner reviewed during the last scan, whether pattern-inspected or checksum-verified against known-good baselines. The count is honest by design: user exclusions and large-file sampling may affect coverage (and are reported alongside it), and the number appears only after your site's next scan on plugin v1.4.121 or later. Counting only — nothing changed in what the scanner detects, how files are scanned, or your security score.

  18. Jul 2, 2026
    securityv2026.07.01-api-hardening
    Tighter API responses across the dashboard

    We hardened the PowerSEC platform's API responses to strict field allowlists. Site payloads returned to the dashboard and admin tooling now include only the fields each view actually needs — internal operational telemetry and internal signing credentials are never included in these responses. This was a proactive hardening pass verified across all customer and admin endpoints; no action is needed on your part.

  19. Jul 1, 2026
    fixv1.4.120
    More reliable backups on large sites

    We fixed an issue where a backup on a large site could get stuck and keep retrying without ever finishing. Behind the scenes, the plugin was keeping a growing per-backup file list inside your site's WordPress options table, which could make the database export run out of memory on hosts with a tighter PHP memory limit. Those file lists now live in small compressed files on disk instead, existing ones are moved out automatically when the plugin updates, and the database export now reads data in memory-bounded batches. The result: backups complete reliably within your host's limits, and a previously stuck backup is cleared cleanly so a fresh one can run. Your existing backups and restore points are untouched, and restore, checksum verification, and cloud upload work exactly as before.

  20. Jul 1, 2026
    securityv1.4.119
    Scanner scope expansion and webshell detection hardening

    PowerSEC v1.4.119 is a major scanner hardening release.

    This update expands file visibility across the full WordPress tree and promotes new webshell-family detection rules after staged canary validation.

    What changed:

    • The malware scanner and File Integrity Monitor now cover the full WordPress tree by default.
    • Uploads, cache, backup, security-plugin log folders, upgrade, languages, and custom WordPress directories are no longer skipped by default.
    • Existing user-defined exclusions are still honored.
    • File Integrity Monitoring now uses versioned baseline widening to avoid alert storms when newly visible files are first added to the baseline.
    • New webshell-family detection rules are now active for dynamic function dispatch, obfuscated function names, reverse-shell shapes, header-fed eval/assert patterns, tainted callbacks, decrypt/eval chains, dynamic superglobal construction, and raw superglobal extraction.
    • The rules were staged through log-only telemetry first, narrowed after a real false-positive candidate, and then promoted after fleet validation.
    • PowerSEC does not automatically delete, quarantine, or remediate files from this update. Findings are detection-only and remain reviewable.

    Security impact:

    This closes a scanner blind spot where PHP files placed in writable or non-standard WordPress directories could previously be missed by file-change monitoring. It also improves detection of modern PHP webshell families that use obfuscation, variable-function dispatch, HTTP-header payloads, or reverse-shell patterns.

    Compatibility:

    No billing, package, eligibility, or AI Advisory behavior changed in this release.