HTProtect
Changelog
What's new — short and clear.
Every notable change to HTProtect, newest first. Compact and free of jargon. The protection core stays rock-solid between versions — updates bring new detections, convenience and polish.
NewImprovedSecurityFixed
v2.4.142026-07-14Latest
- A gentle invitation to leave a review in the Joomla Extensions Directory — only once the shield has proven itself (all-green, after at least 7 days), never during an open warning, and dismissible anytime.
v2.4.132026-07-13
- Update-source guardian: if Joomla accidentally disables an extension's update source after a brief server hiccup, HTProtect switches it back on automatically — so you never silently miss update notices. Includes an exceptions dialog for sources you want left alone.
v2.4.122026-07-11
- Security: HTProtect's own update packages are now cryptographically signed and verified BEFORE installation — a tampered package is refused.
- New: a one-time welcome email after setup; recover backend password protection via a secure email link; optionally hold back big version jumps (major updates).
- Improved: attack signatures and the vulnerable-extensions list now refresh every 3 hours (was 6) — new attack waves are blocked faster.
- Gallery thumbnails work despite backend password protection; clearer texts and instructions.
v2.3.32026-06-22JED Edition
- Code cleanups for Joomla Extensions Directory conformance — no change to behaviour or protection.
Note: between the versions listed here there were sometimes quick internal iterations. What's shown is what matters to you as a user.
v2.2.542026-06-17
- Detects obfuscated JavaScript malware injected into legitimate files (e.g. the “jmtouch” campaign) — reliably and without false alarms.
v2.2.532026-06-17
- The malware scanner now also catches empty “probe” PHP files in /images and back-tick command shells; plus a few false-alarm refinements.
v2.2.522026-06-17
- No more “update available” after purely cosmetic changes; a discreet donation note on the Help page; the dashboard tile now appears reliably on all Joomla 5/6 setups; no false “password changed” alert on login.
v2.2.512026-06-17
- Detects PHP shells disguised as images; the “protection out of date” hint now only appears on real rule changes; a simpler one-button malware scan with honest progress.
v2.2.502026-06-16
- The PHP shield no longer wrongly flags non-existent .php paths; the malware scanner now runs in resumable chunks (no timeouts on huge sites) with delta re-scans and a progress bar.
v2.2.492026-06-16
- Recognises EasyCalcCheck Plus token protection as valid backend protection (status turns green).
v2.2.482026-06-16
- New rogue-admin check for the SP Page Builder campaign (planted Super Users); a new status tile on the Joomla home dashboard; fixed a rare save race condition.
v2.2.472026-06-16
- Blocks the SP Page Builder zero-day (unauthenticated icon upload → code execution) in real time — only guests are blocked, logged-in builders are unaffected.
v2.2.462026-06-15
- Added iCagenda < 4.0.8 (unauthenticated upload) to the warning list — existing installs see it via the live feed, no update required.
v2.2.452026-06-15
- Makes its .htaccess files read-only — blocking the common trick of malware rewriting them, without ever locking you out.
v2.2.442026-06-15
- Removed a redirect that could break AJAX calendars; the malware scanner finds PHP files disguised as images across the whole site.
v2.2.432026-06-15
- Akeeba Panopticon monitoring works out of the box on Joomla 3–6; the scanner reports .shtml includes and a known backdoor filename.
v2.2.422026-06-15
- Trusted paths now work across all protection layers; the rebuilt “URL test” checks a full URL against every layer and shows exactly what blocked it; a new entry-point integrity guard; many more malware detections (still false-alarm-free); new Super-User account monitoring; support for Joomla's public folder (5.1+).
v2.2.402026-06-13
- The deep malware scan is now an opt-in (button-only) feature under “Site Scan”; hacked JCE profiles can be removed with one click.
v2.2.392026-06-13
- A per-site whitelist (“mark as safe”) for the malware scanner; the Blogvault/MalCare connector folder is excluded from scans.
v2.2.382026-06-13
- A new deep scanner searches the whole webspace for malicious PHP — with a content preview and safe one-click removal.
v2.2.372026-06-13
- Reliable detection of the real malicious .htaccess artifact; the overview loads fast again.
v2.2.362026-06-13
- The malicious-.htaccess scan now runs recursively across the whole webspace, with one-click cleanup.
v2.2.352026-06-13
- Detects active traces of the JCE hack (a public upload profile) and the planted malicious .htaccess files, removable with a click.
v2.2.342026-06-13
- A safety net against redirect loops — automatically rolls back after a problematic rule.
v2.2.332026-06-13
- A calm “fully secured” success state on the overview instead of a permanent “secure now” button.
v2.2.322026-06-13
- After “secure now” it shows which of your custom .htaccess rules weren't carried over — with position-accurate one-click re-add; Joomla's SVG protection is preserved.
v2.2.312026-06-13
- Joomla 5/6: removed an empty toolbar bar; fixed umlauts in the page title.
v2.2.302026-06-13
- The Joomla up-to-date check now pulls the latest version live from the official Joomla API — always correct, no manual upkeep.
v2.2.292026-06-13
- Fixed the toolbar title display on Joomla 3–6 (short form on mobile).
v2.2.282026-06-13
- UI polish across Joomla 2.5–6 (light mode on old Joomla, dynamic on 5/6); fixed cramped fields on Joomla 3.
v2.2.272026-06-13
- Removed “paranoid mode”; the generic always-on protection signatures remain active.
v2.2.262026-06-13
- Real-time firewall greatly strengthened (also inspects POST data, multi-layer decoding, ReDoS-safe); exploit signatures are cryptographically signed; bilingual definitions in the live feed; anti-spam notifications.
v2.2.25
- Baseline of this changelog — the last previously released version.
HTProtect — server shield for Joomla. 100% free