iThemes Security Pro 8.4.2

-Bug Fix: Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
-Bug Fix: Fixed the link for a user in the logs page so that it properly works on sites that are inside a subdirectory.
-Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
-Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
-Bug Fix: Removed warning that could happen when updating a user without changing their password.
-Enhancement: Improved the logic for determing the requesting IP address to better handle situations where the site is behind a reverse proxy.
-Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
-Enhancement: All links in Security that have target="_blank" now have added rel attributes to protect against tabnapping.
-Misc: Updated remaining ip-lookup.net links to instead link to traceip.net in keeping with other links that were previously updated to traceip.net.

3.1.0
Bug Fix: Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
Bug Fix: Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
Bug Fix: Removed redundant entries in the HackRepair blacklist.
Bug Fix: Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting can block installation of a site in a subdirectory.
Bug Fix: Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
Bug Fix: Replaced static references to wp-includes with the WPINC define.
Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
Bug Fix: Added escaping to some translation strings.
Bug Fix: Removed unused files from the WordPress Tweaks module directory.
Bug Fix: Fixed the Daily Digest email reversing the user and host lockout counts.
Bug Fix: The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This will fix the mail being blocked by some mail servers due to a spoofed from address.
Enhancement: Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
Enhancement: Updated the database backup email to a new design.
Enhancement: Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is becasue the DELETE HTTP method is blocked when the setting is enabled.
New Feature: Added setting to block requests for PHP files in the plugins directory in System Tweaks.
New Feature: Added setting to block requests for PHP files in the themes directory in System Tweaks.

Bug Fix: Fixed issue that could prevent saving of File Change settings, resulting in an error messages of "A validation function for file-change received data that did not have the required entry for latest_changes."