Releases
adminbolt team4 min read

adminbolt 1.0.2 Released: WordPress UI, AI Hub, Security Hardening

adminbolt 1.0.2 Released: WordPress UI, AI Hub, Security Hardening

adminbolt 1.0.2 is now live. The release went out on May 14, 2026, and is available in the in-panel changelog as the current version. This post summarizes what's in it and which changes you should pay attention to.

Headline changes

Two product blocks are the main story:

  • WordPress - a new client-side management UI with single sign-on, async installer, plugins/themes/posts controls, conflict handling, shared WP-CLI helpers, and i18n. Walkthrough in the WordPress Management article.
  • AI Agent Hub - the AI Assistant widget on the client dashboard plus WhatsApp pairing. Walkthrough in the Manage Your Hosting via WhatsApp article.

The rest of the release is split across security hardening, platform services, UX cleanup, and refactors.

Security and hardening

The largest non-feature block in 1.0.2 is a sweep of security tightening across several subsystems.

  • phpMyAdmin - the deprecated admin endpoint has been removed. SSO into phpMyAdmin is now hardened with one-time tokens, hashing, POST-only validation, rate limits, and stricter checks on the request flow.
  • Command injection and shell safety - this is a multi-component fix. MLMMJ subscribe/unsubscribe and related paths now validate inputs. Cron entries go through stricter validation and safer command rebuild. Backup operations escape tar and mkdir arguments. The nmcli DNS inputs are validated and escaped. GoAccess paths are blocked from traversal. JetBackup SSO user, license key, and log reads are hardened. FTP paths are jailed and validated against directory traversal.
  • Databases - strict database-name rules with HTTP 422 returned for invalid names. Prevents a class of names that could collide with shell or query parsing.
  • Git - BoltGitService is aligned with the bolt-git tool: required Linux user, branches API, and safer cleanup semantics.

If you were running 1.0.1 in production, this is the section that justifies upgrading on its own.

Platform and services

  • Symlock - provisioning and health integration (AB-931). Symlock is the per-account symlink and ownership protection layer; the integration ties it into the agent health checks.
  • SSHD via Bolt Agent - SSH daemon provisioning and configuration is now handled through the Bolt Agent (bolt:manage-sshd, profiles command, service renamed to SSHD).
  • File manager - installer URL and version bump (0.0.7 mirror).

UX and admin

  • License page - the extra "license information" block was removed; the key UI is retained (AB-961). Cleaner page, same functionality.
  • Safari - Filament language switcher layout and z-index fixes. If you've seen the language dropdown render behind other elements in Safari, this is the fix.
  • Admin SSO CLI - generate now accepts an optional --expire duration (AB-452). Useful for handing out time-limited SSO access during support sessions.

Email and network

  • POP3 - added to the mail settings and defaults. POP3 and POP3S firewall ports are opened where appropriate (AB-514). The change reflects continued POP3 demand from legacy clients despite IMAP being the recommended default.

Cleanup and refactors

  • Removed Fail2BanBannedIpService - this service was not functional in the prior architecture and has been removed.
  • Removed the deprecated htaccess PHP-version rebuild job and path - domain updates now only rebuild the general .htaccess. Reduces unnecessary writes during routine domain changes.

Backwards compatibility

The 1.0.2 changes are backwards compatible with 1.0.1 panels in normal operation. Two items deserve attention during upgrade:

  • The phpMyAdmin SSO flow changed (one-time tokens, POST-only validation). If you have custom automation that uses the old SSO endpoint, it needs to be updated.
  • The removal of the deprecated htaccess PHP-version rebuild path means automation that triggered a PHP-version .htaccess rebuild explicitly will need to be adjusted. The general .htaccess rebuild handles the common case.

Upgrade

Production upgrades to 1.0.2 follow the standard adminbolt upgrade flow:

  • Backup before upgrading (the panel has built-in backup; if you have JetBackup, use that).
  • Run the upgrade from the admin panel or via the agent's bolt:upgrade command.
  • Expect under five minutes of panel service interruption on a typical VPS.

The detailed in-panel changelog is at /admin/change-log. The version selector lists all previous releases back to 0.4.x for reference.

What's next

The 1.0.2 release closes a large chunk of the "major product work" arc that began in late 2025: WordPress client management, AI Agent Hub, and the underlying SSO and pairing infrastructure. The next release cycle moves on to integrations on the public roadmap - Cloudflare, MailChannels, Upmind, HostBill are the named items.

Feedback on 1.0.2 is welcome on the Discord, the community forum, or via the contact form. Bug reports go to the same channels.

← Back to Blog