=== Check Login Lite ===
Contributors: dynamokh
Tags: email, discord, slack, chatwork, security
Requires at least: 5.0  
Tested up to: 6.9  
Requires PHP: 7.4  
Stable tag: 1.0.2  
License: GPLv2 or later  
License URI: https://www.gnu.org/licenses/gpl-2.0.html  

A powerful security plugin to monitor login attempts, restrict access by IP or country, and receive alerts via email or Discord.

== Description ==

Check Login Lite enhances your WordPress login security with multiple protective features:

- ✅ **IP whitelist / blacklist management**
- 🌍 **Country-based access restrictions (up to 5 countries allowed)**
- ✉️ **Email alerts when unfamiliar IP logs in**
- 💬 **Discord webhook notification support**
- 🔐 **Pseudo Basic Authentication system** for emergency lockdown
- 🧠 **Automatic country list update**
- 📜 **Login history log**

No need for advanced setup. Simple UI inside WordPress admin dashboard.

== External Services ==

This plugin uses third-party services only to provide the features you configure.

= 1. countriesnow.space (country list generation) =

- Service URL: `https://countriesnow.space/api/v0.1/countries`
- Used for: Building and refreshing the selectable country list used in admin settings.
- Data sent: No personal data is intentionally sent by the plugin for this request.
- When sent: On activation and when refreshing the country list file.
- Terms: `https://github.com/MartinsOnuoha/countriesNowAPI/blob/master/LICENSE`
- Privacy: A dedicated privacy policy URL is not publicly provided by this service provider as of March 23, 2026.
- Additional references: `https://countriesnow.space/` / `https://documenter.getpostman.com/view/1134062/T1LJjU52?version=latest`

= 2. freeipapi.com (IP geolocation) =

- Service URL pattern: `https://free.freeipapi.com/api/json/{IP}`
- Used for: Determining country from IP for admin access restriction and login alert context.
- Data sent: The IP address being checked (current request IP).
- When sent: During admin access checks, settings page rendering, and login alert evaluation.
- Terms: `https://freeipapi.com/terms`
- Privacy: `https://freeipapi.com/privacy`

= 3. Notification providers (optional, admin-configured) =

- Services: Discord Webhook, Slack Webhook, Chatwork API
- Used for: Sending security alert messages and emergency authentication credentials.
- Data sent: Site URL, username, login IP/country, emergency token/URL, and configured message body.
- When sent: Only when an alert/security event occurs and the corresponding provider is configured.
- Discord Terms/Privacy: `https://discord.com/terms` / `https://discord.com/privacy`
- Slack Terms/Privacy: `https://slack.com/terms-of-service` / `https://slack.com/privacy-policy`
- Chatwork Terms/Privacy: `https://go.chatwork.com/en/terms.html` / `https://go.chatwork.com/en/privacy.html`

This plugin does not include behavioral tracking or analytics for end users by default. Notification delivery is administrator-configured and event-driven.

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/check-login-lite`  
2. Activate the plugin through the 'Plugins' menu in WordPress  
3. Go to **Settings > Check Login Lite** in the admin panel  
4. Configure IP whitelist/blacklist, country restrictions, and alert destinations.

== Frequently Asked Questions ==

= Will this block me from logging in if I make a mistake? =  
No. The plugin always allows access from IPs in your whitelist, regardless of country settings.

= What if I forget my Basic Auth credentials? =  
The pseudo Basic Auth expires automatically in 24 hours or after successful login.

= Does it work on multisite? =
Currently, this plugin is tested only in single-site installations.

= Does this plugin support Slack or Chatwork notifications? =
Yes. In addition to email and Discord, you can configure Slack Webhook and Chatwork API to receive login alerts and emergency authentication credentials.

= What is the Pseudo Basic Authentication feature? =
It is an emergency lockdown feature that adds a login form in front of wp-login.php and wp-admin when triggered. All users are forcefully logged out and a temporary token/password is sent via your configured notification channels. It expires automatically after 24 hours or upon successful login.

== Changelog ==

= 1.0.2 =
* Improve email subject encoding and UTF-8 handling when mbstring is unavailable.

= 1.0.1 =
* Avoid fatal errors when WP_Filesystem initialization fails.
* Show an admin warning notice when country list initialization cannot be completed on activation.

= 1.0.0 =
* Initial release

== Upgrade Notice ==

= 1.0.2 =
Improves notification email encoding compatibility on environments without mbstring.

= 1.0.1 =
Fixes WP_Filesystem initialization failure handling to avoid fatal errors and adds an admin warning notice.

= 1.0.0 =
Initial stable version.
