Really Simple Security Pro 9.5.10

* Fixed: compromised password check compatibility with Thrive Architect
* Fixed: fatal error on multisite subsite profile pages with passkeys enabled
* Fixed: user role demotion issue on multisite
* Fixed: passkey settings appearing twice on profile page
* Fixed: 2FA users list not displaying all users
* Fixed: Cloudflare cache not clearing after SSL activation
* Fixed: passkey strings not translatable
* Fixed: uploads .htaccess using incorrect Apache syntax for some versions
* Changed: deferred header detection on activation to prevent timeouts
* Changed: improved deactivation process
* Changed: more robust firewall code generation

* Fix: an edge case where authentication validation could behave unexpectedly.

* Fix: an issue where an undefined array key 0 could occur on the login page if a user had 2FA enabled but no WordPress user roles
* Fix: prevent a potential fatal error by returning early when an empty wp-config.php path is detected
* Improvement: added the LOCK_EX flag to file_put_contents() operations for .htaccess and wp-config.php to prevent race conditions
* Improvement: the Limit Login Attempts lockout period now respects the original block duration and is no longer extended when logging in during the blocked period
* Improvement: when passkeys are enabled, logging in with a username/password now automatically triggers the correct passkey prompt
* Improvement: updated the .htaccess "No index" comment to a clearer "Disable directory indexing" comment
* Improvement: replaced site_url() with home_url() in the 404 resource check on the homepage
* Improvement: added additional checks to prevent certain functions from running during cron jobs and in cli environments
* Improvement: the final step of the Let’s Encrypt wizard now only displays an Activate SSL button instead of the entire onboarding
* Improvement: added a license.txt file

* Fix: blocking a username now blocks both lower- and uppercase variants
* Fix: readme now displays correctly in WordPress updates screen
* Fix: added a fallback for when an empty get_user_totp_key was empty
* Fix: removed an unused translation that could cause a textdomain loaded to early warning
* Fix: prevent an error when an IP address is undefined
* Fix: empty sections are now correctly cleared from the firewall
* Fix: deactivation modal now always displays
* Improvement: added a notice when using a custom login URL with plain permalinks
* Improvement: added a check if WPFC_SERVE_ONLY_VIA_CACHE is already defined before defining it
* Improvement: updated the mixed content notice text
* Improvement: refactored the onboarding code

* Fix: the 2FA reset fix now correctly calls the 2FA reset service