=== AuthDock — Login Security, 2FA, Social Login & Brute Force Protection ===
Contributors: rakibantor
Donate link: https://degird.com
Tags: login security, two-factor authentication, social login, brute force protection, access control
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

All-in-one WordPress authentication: social login, magic links, 2FA, brute force protection, session management & security hardening.

== Description ==

**AuthDock** is a professional-grade WordPress authentication and user access management plugin that replaces 5–7 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API, and zero bloat.

Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet — AuthDock gives you full control over how users log in, stay safe, and interact with your site.

= 🔑 Social Login =

Let users sign in with one click using their existing accounts. No more forgotten passwords.

* **Google OAuth 2.0** — Sign in with Google using OAuth 2.0 authorization
* **Facebook Login** — Authenticate via the Facebook Graph API
* **GitHub OAuth** — Developer-friendly sign in with GitHub
* **X (Twitter) OAuth 2.0** — Uses OAuth 2.0 with PKCE (S256) for maximum security
* **Button Style** — Choose between icon + text, icon only, or text only button styles
* **Button Layout** — Display buttons vertically or horizontally
* **Button Order** — Drag and drop to reorder provider buttons
* **Default Role** — Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)
* **Auto-Registration** — Automatically create WordPress accounts from social profiles
* **Domain Restriction** — Restrict social login to specific email domains (e.g., `company.com`, `university.edu`)
* **Avatar Integration** — Automatically set user profile pictures from social account avatars
* **Account Linking** — Users can link/unlink social accounts from their WordPress profile page
* **Shortcode** — Place social login buttons anywhere using `[authdock_social_login]`
* **Developer Filters** — `authdock_allow_social_account_linking` and `authdock_allow_social_registration` for custom control

= ✉️ Magic Link Login =

Passwordless authentication — users receive a one-time login link via email. No passwords to remember or leak.

* **Enable/Disable** — Master toggle for passwordless login
* **Link Expiry** — Set how long each magic link stays valid (default: 10 minutes)
* **Rate Limiting** — Max magic link requests per email per hour (default: 5/hour) to prevent abuse
* **Allowed Roles** — Restrict magic login to specific user roles (e.g., Subscribers, Editors)
* **Force Magic Login Mode** — Hide the standard WordPress password form and show only the magic link form
* **Custom Email Subject** — Personalize the magic link email subject line
* **Custom Email Body** — Customize using merge tags: `{user_name}`, `{magic_link}`, `{expiry_time}`, `{site_name}`, `{ip_address}`
* **One-Time Use** — Each magic link is cryptographically random and single-use
* **Token Invalidation** — Magic links are automatically invalidated when a user changes their password
* **Anti-Enumeration** — Generic success messages prevent attackers from discovering valid email addresses
* **Shortcode** — Display the form anywhere with `[authdock_magic_login]` and optional `redirect` attribute

= 🔐 Two-Factor Authentication (2FA) =

Add a second layer of security to every login. Supports TOTP authenticator apps and email-based verification codes.

* **Enable/Disable** — Master toggle for two-factor authentication
* **TOTP Method** — Time-based One-Time Passwords (RFC 6238) with QR code provisioning via Google Authenticator, Authy, Microsoft Authenticator, etc.
* **Email Method** — Receive a 6-digit numeric verification code via email
* **Enforced Roles** — Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA
* **Grace Period** — Give users configurable days to set up 2FA before enforcement kicks in (default: 3 days)
* **Trusted Devices** — Allow users to skip 2FA on recognized devices for configurable days (default: 30 days)
* **Backup Recovery Codes** — Generate 10 one-time-use backup codes for account recovery if the authenticator is lost
* **Brute-Force Protection** — Rate-limited to 5 verification attempts per session to prevent code guessing
* **Encrypted Secret Storage** — TOTP secrets encrypted with AES-256-CBC before storing in the database
* **Replay Protection** — Each TOTP code can only be used once per time window (RFC 6238 §5.2)
* **Clock Drift Tolerance** — Accepts codes from ±1 time step (30 seconds) to handle minor clock differences
* **Interstitial Challenge Screen** — Clean, WordPress-native verification screen after primary authentication
* **Admin Management** — Administrators can view and disable 2FA for any user from the profile page

= 🛡️ Brute Force Protection (Login Limiter) =

Stop brute-force attacks with intelligent lockout rules that escalate automatically.

* **Enable/Disable** — Master toggle for login attempt limiting
* **Max Attempts** — Set the number of failed login attempts before lockout (default: 5)
* **Lockout Duration** — Initial lockout period in minutes (default: 15 minutes)
* **Progressive Lockout** — Lockouts escalate: 15 min → 1 hour → 24 hours for repeat offenders
* **Auto-Blacklist** — Permanently ban an IP after a configurable number of lockouts (e.g., after 5)
* **IP Whitelist** — Allow trusted IPs to bypass login limits (supports exact match, CIDR ranges like `192.168.1.0/24`, and wildcards like `10.0.0.*`)
* **IP Blacklist** — Permanently block specific IP addresses, CIDR ranges, or wildcard patterns
* **Notify Admin on Lockout** — Email alerts when an IP gets locked out
* **Notify Threshold** — Configure after how many lockouts the notification triggers (default: 1)
* **XML-RPC Integration** — Automatically block XML-RPC authentication from locked-out IPs
* **Login Page Warnings** — Display remaining attempt count and lockout timers on the login page
* **Log Retention** — Configure how long failed login data is retained (default: 30 days)
* **Trusted Proxies** — Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers

= 🔄 Dynamic Login & Logout Redirects =

Send users exactly where they need to go — based on their role, or if it is their first login.

* **Role-Based Login Redirects** — Set a custom URL per WordPress role after login (e.g., Editors → `/editorial-dashboard`, Subscribers → `/members-area`)
* **Role-Based Logout Redirects** — Set a custom URL per WordPress role after logout
* **First-Login Redirect** — Redirect new users to a welcome page, onboarding wizard, or setup screen on their first login
* **Relative & Absolute URLs** — Supports both relative paths (`/dashboard`) and full URLs (`https://example.com/welcome`)
* **Open Redirect Prevention** — Redirects validated via `wp_safe_redirect()` and `wp_validate_redirect()` to prevent open redirect attacks

= 📋 Audit Logging =

Keep a complete, searchable record of every authentication event happening on your site.

* **Enable/Disable** — Master toggle for audit logging
* **Tracked Events** — Login success/failure, logout, password reset/change, user registration, profile updates, social login/linking, magic link requests/usage, 2FA changes, session termination, access blocked, lockout events
* **Event Details** — Each entry records: user ID, event type, IP, user agent, JSON context, and timestamp
* **Retention Period** — Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited
* **Auto-Cleanup** — Daily WP-Cron job removes expired entries in batches of 1,000 to prevent database locks
* **Filter by Event Type** — View specific event categories (e.g., only failed logins)
* **Filter by Date Range** — Narrow results by `date_from` and `date_to`
* **Filter by User** — View all events for a specific user ID
* **Search by IP** — Find all events from a particular IP address
* **Full-Text Search** — Search across event types, IPs, and context data
* **CSV Export** — Download audit logs as a CSV file with formula injection protection
* **JSON Export** — Export logs in JSON format for integration with external tools
* **Purge All Logs** — One-click purge to clear all historical log data
* **Admin UI Viewer** — Built-in admin page with paginated table, filters, and export buttons
* **Custom Database Table** — Logs stored in a dedicated `authdock_audit_logs` table with proper indexes for fast queries

= 🏰 Security Hardening =

Close common WordPress security holes without installing another plugin.

**Custom Login URL**
* **Custom Slug** — Replace `wp-login.php` with your own secret URL (e.g., `/my-secure-login`)
* **Block Action** — Choose what happens when someone visits `wp-login.php`: return a 404 error or redirect to the homepage
* **Recovery Key** — Access the login page via a secret query parameter even when the custom URL is active

**XML-RPC Control**
* **Disable XML-RPC** — Completely disable XML-RPC to block remote brute-force attacks
* **Partial Disable** — Remove only authentication methods while keeping pingbacks functional

**REST API Restriction**
* **Restrict to Authenticated Users** — Block all REST API access for unauthenticated visitors
* **Namespace Whitelist** — Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain public

**User Enumeration Prevention**
* **Block Author Archives** — Redirect `?author=N` enumeration queries to the homepage
* **Restrict User REST Endpoint** — Block `/wp-json/wp/v2/users` for non-logged-in users
* **Generic Login Errors** — Replace "username not found" or "wrong password" messages with a generic error

**Password Strength Enforcement**
* **Force Strong Passwords** — Master toggle for password policy enforcement
* **Minimum Length** — Set the minimum password length (default: 8 characters)
* **Require Uppercase** — Mandate at least one uppercase letter
* **Require Lowercase** — Mandate at least one lowercase letter
* **Require Number** — Mandate at least one numeric digit
* **Require Special Character** — Mandate at least one special character (e.g., `!@#$%`)
* **Enforced Roles** — Apply password rules only to specific roles

**Security HTTP Headers**
* **X-Content-Type-Options** — Prevents MIME-type sniffing (`nosniff`)
* **X-Frame-Options** — Blocks clickjacking by restricting iframe embedding (`SAMEORIGIN`)
* **X-XSS-Protection** — Legacy XSS filter for older browsers (`1; mode=block`)
* **Referrer-Policy** — Controls referrer information sent with requests (`strict-origin-when-cross-origin`)
* **Strict-Transport-Security (HSTS)** — Enforces HTTPS connections for 1 year (`max-age=31536000; includeSubDomains`)
* **Permissions-Policy** — Restricts access to camera, microphone, and geolocation APIs

**Role-Based Session Duration**
* **Per-Role Cookie Lifetime** — Set different authentication cookie durations per WordPress role (in hours)

= 📧 Email Notifications =

Stay informed about critical security events with real-time email alerts — for admins and users.

**Admin Notifications**
* **Multiple Failed Logins** — Alert every N failed attempts from the same IP (default: every 3)
* **IP Lockout** — Alert when an IP gets locked out
* **Admin Login Alert** — Notify when an administrator account logs in
* **New User Registration** — Alert on every new user registration
* **User Promoted to Admin** — Alert when any user is promoted to the Administrator role
* **Admin Password Changed** — Alert when an administrator's password is changed or reset
* **2FA Disabled** — Alert when any user disables two-factor authentication
* **Login from New IP** — Alert when a user logs in from a previously unseen IP address

**User Self-Notifications**
* **Password Changed** — Notify the user when their password is changed
* **Email Changed** — Notify at the OLD email address when a user's email is updated (security measure)
* **2FA Status Changed** — Notify the user when 2FA is enabled or disabled on their account
* **Social Account Linked** — Notify when a social provider is connected to their account
* **New Device Login** — Notify the user when a login is detected from a new IP address
* **Account Locked** — Notify the user when their account is locked due to failed attempts

**Notification Settings**
* **Custom Recipients** — Set custom email addresses for admin notifications (defaults to site admin email)
* **Throttle Period** — Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)
* **Digest Mode** — Option to batch notifications instead of sending them individually
* **Test Email** — Send a test notification to verify email configuration is working

= 🚪 wp-admin Access Control =

Restrict who can access the WordPress dashboard — by role, by IP, or both.

* **Enable/Disable** — Master toggle for access control
* **Blocked Roles** — Select which roles are blocked from accessing `/wp-admin` (e.g., Subscriber, Customer)
* **IP Restriction Mode** — Enable IP-based restrictions so only whitelisted IPs can access wp-admin
* **IP Whitelist** — Specify allowed IP addresses and CIDR ranges (e.g., `203.0.113.5`, `192.168.1.0/24`)
* **Hide Admin Bar** — Remove the WordPress admin bar from the frontend for blocked roles
* **Redirect Action** — Choose what happens when access is denied: redirect to homepage, custom URL, or show a 403 Forbidden page
* **Custom Redirect URL** — Set a specific URL for the access-denied redirect
* **Emergency Bypass Key** — Secret query parameter (`?authdock_bypass=YOUR_KEY`) to regain access if locked out
* **Smart Exceptions** — AJAX requests, WP-Cron, and `admin-post.php` always allowed through
* **Administrator Immunity** — Administrators are never blocked, regardless of settings

= ⏱️ Session Management =

Take control of user sessions — limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.

* **Enable/Disable** — Master toggle for session management
* **Concurrent Session Limit** — Maximum simultaneous sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded
* **Idle Session Timeout** — Auto-logout after configurable inactivity period (in minutes, 0 = disabled)
* **Per-Role Session Duration** — Different session lifetimes for each WordPress role (in hours)
* **Admin Session Viewer** — View all active sessions via the REST API, including user details and last activity timestamps
* **Remote Session Termination** — Administrators can terminate all sessions for any user via a single API call
* **Throttled Activity Tracking** — Last-activity timestamps updated at most once per 5 minutes to minimize database writes

= ⚡ Performance & Infrastructure =

AuthDock is built for speed and follows WordPress best practices from top to bottom.

* **Conditional Asset Loading** — CSS and JavaScript files load only on pages where they are needed
* **Indexed Database Tables** — Custom tables use proper indexes for fast lookups
* **WP-Cron Maintenance** — Audit log cleanup runs via non-blocking WP-Cron
* **Transient-Based Tracking** — Brute force tracking uses transients (no additional DB queries per login attempt)
* **REST API Powered** — All admin data operations go through the `authdock/v1` namespace with 15+ endpoints
* **Hook-Based Architecture** — Centralized Loader class registers all hooks for clean dependency management
* **Custom Capabilities** — `authdock_manage_settings`, `authdock_view_audit_logs`, `authdock_export_audit_logs`, `authdock_manage_sessions`, `authdock_manage_lockouts`
* **Clean Activation** — Creates database tables, sets defaults, registers capabilities, and schedules cron
* **Clean Deactivation** — Clears cron events but preserves all settings for reactivation
* **Full Uninstall** — Removes everything: options, user meta, database tables, capabilities, and transients
* **Full i18n** — All user-facing strings use WordPress internationalization functions with the `authdock` text domain

= 🤔 Why Choose AuthDock? =

* **Replace 5–7 plugins** — Social login + magic links + 2FA + brute force + audit logs + session management + access control — all in one
* **WordPress-native UI** — Looks and feels like core WordPress, not a foreign dashboard
* **REST API powered** — Modern, secure data handling for all admin operations
* **Lightweight & fast** — Conditional loading, object caching, zero external frameworks in admin
* **Developer-friendly** — Extensive hooks, filters, and custom capabilities for extensibility
* **WordPress.org compliant** — No tracking, no encoded code, no forced upsells, full GPL-2.0+

= 🔗 Shortcodes =

* `[authdock_social_login]` — Display social login buttons (attributes: `layout`, `style`)
* `[authdock_magic_login]` — Display magic link login form (attributes: `redirect`)
* `[authdock_login_form]` — Display login form with 2FA support

== External services ==

* **Google OAuth** — [Terms](https://policies.google.com/terms) | [Privacy](https://policies.google.com/privacy)
* **Facebook Login** — [Terms](https://www.facebook.com/legal/terms) | [Privacy](https://www.facebook.com/privacy/policy/)
* **GitHub OAuth** — [Terms](https://docs.github.com/en/site-policy/github-terms/github-terms-of-service) | [Privacy](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement)
* **X (Twitter) OAuth** — [Terms](https://x.com/en/tos) | [Privacy](https://x.com/en/privacy)

== Installation ==

1. Upload the `authdock` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Go to **AuthDock** in the admin menu to configure settings
4. Enable the features you want to use

Or install directly from the WordPress plugin repository:

1. Go to **Plugins → Add New** in your WordPress admin
2. Search for "AuthDock"
3. Click **Install Now**, then **Activate**

== Frequently Asked Questions ==

= Does AuthDock work with WooCommerce? =

Yes. Social login buttons appear on WooCommerce login and checkout pages when WooCommerce is active. Role-based redirects also work with WooCommerce customer roles.

= Is AuthDock multisite compatible? =

Yes. Each subsite in a WordPress multisite network has independent settings and its own audit log table.

= Will AuthDock slow down my site? =

No. AuthDock uses conditional asset loading — CSS and JavaScript load only where needed. Database queries use proper indexing, and brute force tracking uses lightweight transients instead of database writes.

= What happens when I deactivate the plugin? =

Cron events are cleaned up, but your settings, database tables, and user data are preserved so you can reactivate later without losing configuration.

= What happens when I delete the plugin? =

All plugin data is completely removed: options, user meta (social IDs, 2FA secrets, trusted devices), custom database tables, capabilities, and transients.

= Can I use social login and 2FA together? =

Yes. When a user logs in via social login, they must still complete the 2FA challenge if enabled for their account or role. AuthDock ensures 2FA cannot be bypassed regardless of login method.

= What authenticator apps work with AuthDock 2FA? =

Any TOTP-compatible app works, including Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and FreeOTP.

= What if I get locked out by the custom login URL? =

AuthDock includes a recovery key parameter. Access your login page via `?authdock_recover=YOUR_KEY` to bypass the custom login URL block. The recovery key is set in your security settings.

= Does brute force protection work with Cloudflare or reverse proxies? =

Yes. Configure trusted proxy IPs in the login limiter settings, and AuthDock will correctly read the real client IP from `X-Forwarded-For` headers.

= Can I export my audit logs? =

Yes. Audit logs can be exported in CSV and JSON formats via the REST API or admin UI. CSV exports include formula injection protection for safe spreadsheet use.

== Screenshots ==

1. **Dashboard** — Overview of authentication activity with live stats and quick feature toggles.
2. **Social Login Settings** — Configure Google, Facebook, GitHub, and X OAuth providers with button style options.
3. **Magic Link Settings** — Configure link expiry, rate limiting, allowed roles, and force-magic mode.
4. **Two-Factor Authentication** — TOTP and email-based 2FA setup with QR code provisioning and backup codes.
5. **Login Protection** — Brute force settings with progressive lockout, IP whitelist/blacklist, and notification options.
6. **Dynamic Redirects** — Role-based login and logout redirect rules with first-login redirect.
7. **Audit Logs** — Searchable, filterable log of all authentication events with CSV/JSON export.
8. **Security Hardening** — Custom login URL, XML-RPC control, security headers, password policies, and user enumeration prevention.
9. **Email Notifications** — Admin and user notification settings with throttle control and test email.
10. **Access Control** — wp-admin restriction by role and IP with emergency bypass and admin bar hiding.
11. **Session Management** — Concurrent limits, idle timeout, per-role session duration, and remote termination.
12. **Social Login Buttons** — Clean social login buttons on the WordPress login page.

== Changelog ==

= 1.0.0 =
* Initial release
* Social Login with Google, Facebook, GitHub, and X (Twitter) via OAuth 2.0
* Magic Link passwordless login with configurable expiry, rate limiting, and force-magic mode
* Two-Factor Authentication — TOTP (RFC 6238) and email-based 2FA with encrypted secret storage, backup codes, trusted devices, and per-role enforcement
* Brute force protection with configurable attempts, progressive lockout escalation, IP whitelist/blacklist with CIDR and wildcard support, and auto-blacklist
* Dynamic login/logout redirects with per-role configuration and first-login redirect
* Comprehensive audit logging to custom database table with retention, filters, CSV/JSON export, and auto-cleanup
* Security hardening — custom login URL with recovery key, XML-RPC control, REST API restriction, user enumeration prevention, password strength enforcement, and 6 security HTTP headers
* wp-admin access control with role-based and IP-based restrictions, admin bar hiding, emergency bypass key, and smart AJAX/cron exceptions
* Session management — concurrent session limiting, idle timeout, per-role session duration, admin session viewer, and remote termination
* Email notification system with 8 admin triggers, 6 user self-notification triggers, configurable throttling, custom recipients, and test email
* REST API namespace `authdock/v1` with 15+ endpoints for all data operations
* 5 custom capabilities for granular permission control
* Full i18n support with `.pot` file
* WordPress.org compliance — GPL-2.0+, no tracking, no encoded code, third-party service disclosure

== Upgrade Notice ==

= 1.0.0 =
Initial release of AuthDock. Install to replace multiple security plugins with a single, comprehensive authentication solution.
