=== BBH Security Insight ===
Contributors: jahidshah
Donate link: https://www.buymeacoffee.com/jahidshah
Tags: security, security audit, security scan, wordpress security, site health
Requires at least: 6.7
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPL-2.0+
License URI: https://www.gnu.org/licenses/gpl-2.0.txt

Lightweight, read-only WordPress security audits with risk scoring, security checks, and actionable recommendations.

== Description ==

BBH Security Insight runs a lightweight, read-only security audit on your WordPress installation and generates a professional Security Risk Report with color-coded risk levels (Critical, Warning, Safe), an overall security score (0–100), and detailed remediation recommendations.

This plugin is **completely read-only** — it never modifies files, never changes settings, and never sends data to external servers. It simply inspects your WordPress configuration and reports findings.

= Audit Checks Include =

* **WordPress Version Exposure** — Detects if your WordPress version is exposed via readme.html or generator tags.
* **Database Table Prefix** — Checks if you are using the default `wp_` prefix.
* **XML-RPC Status** — Reports whether XML-RPC is enabled or disabled.
* **DISALLOW_FILE_EDIT** — Verifies if the built-in file editor is disabled.
* **WP_DEBUG Status** — Checks whether debug mode is active on production.
* **Directory Browsing** — Checks whether directory listing appears to be disabled.
* **readme.html Exposure** — Checks for the presence of the readme file.
* **install.php Exposure** — Checks if the installation script is accessible.
* **wp-config.php Permissions** — Verifies file permissions on this critical file.
* **wp-content Permissions** — Checks directory permissions on your content directory.
* **User Enumeration Exposure** — Checks for common user enumeration exposure patterns.
* **Security Headers** — Scans for CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options.
* **Uploads PHP Execution** — Checks if PHP execution is blocked in the uploads directory.
* **Admin Username** — Detects if an administrator uses the default "admin" username.
* **Malware Heuristics** — Performs lightweight checks for suspicious code patterns in active plugin and theme PHP files.

= Features =

* One-click "Run Security Audit" button on the admin dashboard.
* Professional, color-coded Security Risk Report with score (0–100).
* Human-readable explanations and remediation recommendations for every check.
* Dismissible admin reminder notice.
* Fully internationalized — ready for translation.
* Secure AJAX with nonce verification and capability checks.
* WordPress Coding Standards compliant.
* No external dependencies — no Composer, no third-party APIs.
* Read-only — never makes changes to your site.

= Additional Resources =

Looking for additional WordPress security guidance? Visit [jahidshah.com](https://jahidshah.com) for documentation, security resources, and professional assistance.

== Installation ==

1. Upload the `bbh-security-insight` folder to the `/wp-content/plugins/` directory, or install directly from the WordPress plugin directory.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Go to **Tools → Security Insight** in your WordPress admin menu.
4. Click the **"Run Security Audit"** button to generate your Security Risk Report.

== Frequently Asked Questions ==

= Does this plugin make any changes to my site? =

No. BBH Security Insight is completely read-only. It inspects your WordPress configuration, files, and settings but never modifies anything. It does not create files, change database records, or alter configurations.

= Does this plugin send data to external servers? =

No. All scanning is performed locally on your server. No data is sent to external services or third-party servers. The results are stored in your WordPress database and displayed only to logged-in administrators.

= How often should I run a security audit? =

We recommend running a security audit at least once a month, or after making significant changes to your site such as installing new plugins, updating themes, or modifying server configurations.

= Can this plugin fix the issues it finds? =

No. The plugin is designed as a diagnostic tool only. It provides detailed recommendations for each issue found, but you will need to implement the fixes yourself or consult with a WordPress security professional.

= What are the malware heuristics? =

The malware heuristics scan searches active plugin and theme PHP files for common code patterns that are often used in malicious scripts (e.g., base64_decode, eval, gzinflate). This scan has limitations — it can produce false positives from legitimate code, and it may miss sophisticated malware. This heuristic scan is informational only. It may produce false positives and cannot guarantee malware detection or site cleanliness.

== Screenshots ==

1. The BBH Security Insight dashboard with the Run Security Audit button and a completed Security Risk Report showing score, risk level, and detailed check results.

== Changelog ==

= 1.0.0 =
* Initial release.
* 15 read-only security audit checks.
* Professional Security Risk Report with color-coded risk levels.
* Security score (0–100) with overall risk assessment.
* AJAX-powered audit execution with nonce verification.
* Dismissible admin notices.
* Fully internationalized.
* WordPress Coding Standards compliant.

== Upgrade Notice ==

= 1.0.0 =
Initial release of BBH Security Insight. Run a security audit from Tools → Security Insight.

== Support & Contact ==

Need help or want to report an issue? Visit our support page or open a support ticket on the WordPress plugin repository.

* Website: https://jahidshah.com/
* Support: https://wordpress.org/support/plugin/bbh-security-insight/

== Other Plugins ==

* [BBH Custom Schema](https://wordpress.org/plugins/bbh-custom-schema/) - Add custom JSON-LD schema to your website
* [BBH SEO Toolkit](https://wordpress.org/plugins/bbh-seo-toolkit/) - Advanced SEO & Structured Data Engine
* [AJ FAQ Block](https://wordpress.org/plugins/aj-faq-block/) - Display FAQs with a beautiful block
* [AJ Card Element](https://wordpress.org/plugins/aj-card-element/) - Display content in beautiful cards
* [AJ Square Testimonial Slider](https://wordpress.org/plugins/aj-square-testimonial-slider/) - Showcase testimonials in a slider
* [AJ Category Posts](https://wordpress.org/plugins/aj-category-posts/) - Display posts by category
* [AJx Filter for WooCommerce](https://wordpress.org/plugins/ajx-filter-for-woo/) - Advanced product filtering for WooCommerce