* Fixed: 2FA grace period reminder emails could be sent unexpectedly.
* Fixed: Content Security Policy now follows the setting toggle correctly.
* Fixed: PHP 8.4 deprecation warning.
* Fixed: DNS verification issue in the Let's Encrypt wizard.
* Changed: Vulnerability details now load only for the plugin or theme being activated.
* Changed: Improved rule writing with file locking to avoid race conditions.
* Changed: Uninstall cleanup now removes plugin options and transients more reliably.
* Changed: Added a login page notice for invalid login sessions.
* Changed: Improved 2FA user lookup performance on multisite.
* Changed: Improved license check reliability.
* Changed: Improved DirectAdmin Let's Encrypt certificate generation.
* Changed: Improved several interface texts.
* Changed: Event logs now support larger log tables.
* Changed: Added RSSSL_INFO_LOG for extra debugging details.
* Changed: Added more prerequisite checks before features can be enabled.
* Fixed: fatal error that could occur when a plugin uses admin_enqueue_scripts incorrectly.
* Fixed: a bug where the wrong settings value could be saved.
* Fixed: Undefined variable during cron.
* Changed: Updated 2FA login flow to address inconsistent verification behavior.
* Fixed: An issue that could cause a crash when activating alongside the Perfmatters plugin.
* Fixed: Some styling (CSS) issues to improve compatibility with WordPress 7.0.
* Changed: Removed an unused AJAX callback.
* Changed: Tested up to WordPress 7.0.
* Fixed: A fatal error that could occur when activating Pro in a multisite environment.
* Fixed: An issue where logging in with a username and password on multisite did not trigger a passkey prompt when using a standalone passkey.
* Fixed: Improved and future-proofed the plugin updater.
* Changed: Updated the event log cleanup cron hook.
* Changed: Reworked vulnerability detection and measures logic.
* Fixed: An issue where TOTP codes starting with a 0 were not properly recognized.
* Fixed: Prevent using "Do Not Ask Again" for user roles where 2FA is required.
* Changed: Various improvements to authentication flow.
* Fixed: Resolved an issue where “Prevent login feedback” could show a ghost username on the login retry screen.
* Fixed: Prevented “Failed to send buffer of zlib output compression” notices when using the Mixed Content Fixer with zlib.output_compression enabled.
* Fixed: scenario where users were stuck after an expired 2FA grace period due to missing authentication methods.
* Fixed: Support for `wss://` URLs in CSP `connect-src`.
* Fixed: MemberPress login compatibility with Limit Login Attempts.
* Changed: event logging by generating messages dynamically instead of storing translated text.
* Changed: Email 2FA user experience by making Enter submit the verification code instead of resending it.
* Changed: Simplified service bootstrapping by removing the Provider layer and registering all services directly in the App container.
* Fixed: compromised password check compatibility with Thrive Architect
* Fixed: fatal error on multisite subsite profile pages with passkeys enabled
* Fixed: user role demotion issue on multisite
* Fixed: passkey settings appearing twice on profile page
* Fixed: 2FA users list not displaying all users
* Fixed: Cloudflare cache not clearing after SSL activation
* Fixed: passkey strings not translatable
* Fixed: uploads .htaccess using incorrect Apache syntax for some versions
* Changed: deferred header detection on activation to prevent timeouts
* Changed: improved deactivation process
* Changed: more robust firewall code generation
* Fixed: JavaScript error when using custom roles with 2FA
* Fixed: fatal error caused by hosts class being instantiated twice
* Fixed: Limit Login Attempts now blocks both username and email address
* Fixed: fatal error when upgrading from older plugin versions
* Fixed: security headers set outside the plugin now correctly appear disabled
* Fixed: text domain loaded too early warning when logging in with blocked username
* Fixed: reinstated reset_2fa [id] WP-CLI command
* Fixed: WP-CLI activate_ssl command now works correctly on first attempt
* Changed: removed two unused files from the plugin
* Changed: improved feedback when logging in with a passkey
* Changed: updated readme to align with standards