Force login to make the site private - Gozer — Full changelog

For each release, see the entries below. The latest version is always at the top.
The current release notes also live in readme.txt under "== Changelog ==".

= 2.0.0 =
* New: Minimum access level — require a minimum role for logged-in users on the front-end; lower roles get a 403 instead of the content. Independent from dashboard capabilities.
* New: Customizable 403 block screen (title + basic-HTML message) without editing the theme; a theme 403.php still wins.
* Improved: Page cache hardening — DONOTCACHEPAGE and no-cache headers on all block paths (login, custom URL, 403); public exceptions stay cacheable; known page caches purged on plugin (de)activation and when private mode or settings change.
* Improved: REST API, XML-RPC and AJAX exceptions now actually block logged-out visitors (previously they had no effect); /wp-json/ stops leaking content when off and XML-RPC is blocked by default. Logged-in users and IP/user-agent/token exceptions are respected.
* Fix: An "Allowed paths" entry of "/" opened the whole site instead of only the homepage; it now matches the homepage alone, also on subdirectory installs.
* Fix: Subdirectory installs doubled the site path in the post-login return URL (/site/site/), landing visitors on a 404 after signing in.
* Fix: The virtual robots.txt (served as /?robots=1 on "plain" permalinks) was blocked even with the robots exception on; both virtual and physical robots.txt are now recognized.
* Fix: "Allowed paths" were ignored on subdirectory installs; rules now also match with the install base prefixed, so "/contact/" matches "/site/contact/".
* Fix: IP whitelist wildcards (e.g. 192.168.*) matched no real IPv4 address; a trailing * now covers the rest of the address as the docs promise.
* Fix: "Redirect to custom URL" sent external addresses to wp-admin (wp_safe_redirect host allowlist); the configured host is now allowed so external redirects work.

= 1.0.4 =
* Fix: Security hardening of the access-control exceptions. Appending a query string such as `?x=wp-admin` or `?x=sitemap` to a protected URL could bypass the login requirement and expose the page to logged-out visitors. Login-page and sitemap detection now matches the parsed URL path only, never the raw request URI. Updating is strongly recommended for any site relying on Gozer to keep content private.

= 1.0.3 =
* Fix: Fixed promotional banner button alignment on WordPress 7.0 due to core CSS specificity changes
* Tested up to WordPress 7.0

= 1.0.2 =
* Improved: Better name to make it easier to find the plugin

= 1.0.1 =
* Improved: Tokens table layout for better responsiveness on smaller screens
* Improved: Copy tokens button moved to Actions column for a better user experience
* Improved: The recommendations banner now displays plugins and services randomly

= 1.0.0 =
* Initial release
* Force login functionality with configurable exceptions
* Admin bar indicator with quick toggle switch
* System exceptions (REST API, WP-Cron, WP-CLI, AJAX, XML-RPC)
* SEO exceptions (sitemaps, robots.txt, feeds, search bots)
* Technical exceptions (HEAD requests, static files)
* Custom exceptions (paths, IPs with CIDR/wildcards, user agents)
* Temporary bypass tokens with expiration
* Redirect options (login, 403, custom URL)
* Two-column settings layout
