Security Ninja Premium 5.263

* Improved bandwidth usage getting vulnerabilities for all users.
* Improved: Vulnerability scanner now reads vulnerability feeds in a streaming, memory-efficient way to reduce peak memory usage.

* Fixed: 2FA - Changed key name format from "site_url (username):email" to "site_url:username" - Thank you Davina.
* Fixed: Compatibility warning with WordPress 6.7 regarding translation loading timing
* Fixed: Server security restriction warning when checking wp-config.php file location
* Fixed: Fixed critical bug where database prefix changer added an extra underscore when updating wp-config.php, causing WordPress to look for non-existent tables with double underscores (e.g., wp_12345__posts instead of wp_12345_posts). Thank you Tchai.
* Fixed: Database prefix changer to properly update option names and meta keys when changing from custom prefixes (not just "wp_").
* IMPROVED: Database prefix changer now works with any prefix, not just the default "wp_". Can now rename tables when changing from one custom prefix to another. All plugin tables are automatically included in the renaming process.

* NEW: Failed login email warnings - administrators receive email notifications when someone attempts to log in with their username and fails. Can be enabled in Login Form Protection settings.
* NEW: Admin IPs are automatically whitelisted on plugin activation and successful admin login to prevent administrators from being blocked. Thank you Val.
* FIX: Fixed country blocking to respect "only block backend" setting when enabled. Thank you Guru for the tip.
* IMPROVED: Secret access URL processing has been moved up in the request cycle to make sure IP whitelisting happens before any ban checks, so blocked visitors should be able to get back on the site more reliably.
* IMPROVED: wp-config.php backups are stored in encrypted format (AES-256-CBC) to ensure data security. Each backup uses a unique encryption key and initialization vector. This was introduced in a previous release, but was not added to the changelog.
* Update 3rd party libraries - Freemius SDK 2.13.0 among others.

* IMPROVED: Made the dashboard widget visible when white label mode is enabled. Previously the widget was hidden instead. Thank you for the suggestion, Dmitry.
* IMPROVED: Added count-based limit (5000 entries) to visitor log pruning to prevent database bloat on high-traffic sites.
* IMPROVED: Removed deprecated X-XSS-Protection header from REST API - modern browsers ignore this header and Content-Security-Policy is the recommended replacement. Thank you Dmitry for the suggestions.
* IMPROVED: More information on CSP in our knowledgebase.
* FIX: Fixed typo in Permissions-Policy description (explitly → explicitly).
* FIX: Updated Permissions-Policy documentation link from Feature-Policy to Permissions-Policy URL.
* FIX: Corrected Nginx example in Content-Security-Policy test descriptions (was showing X-Frame-Options instead of CSP).
* Preparing for plugin rewrite -> improving the free version and streamlining the premium and free feature set.

* NEW: Enhanced username enumeration protection - Now prevents username discovery via REST API /wp-json/wp/v2/users endpoint and oEmbed API, in addition to existing ?author=N scan protection. Thanks Allen.