=== Login Armor ===
Contributors: wpformation
Donate link: https://wpformation.com
Tags: login security, hide login, brute force, limit login, activity log
Requires at least: 6.8
Tested up to: 6.9
Stable tag: 2.1.11
Requires PHP: 8.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Eight security modules in one lightweight plugin: hide login, brute force lockout, 2FA, audit log, hardening. No bloat, no upsells, GPL.

== Description ==

**Eight security layers. One lightweight plugin. Zero compromise.**

Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way.

Stop juggling Wordfence's bloat, Solid Security's upsells, and Limit Login Attempts' gaps. Login Armor delivers eight independent modules in under one megabyte, with the discipline of an enterprise plugin and the licensing of free software.

= Why Login Armor =

* **No upsells, ever.** No "premium" tier, no "Pro" buttons greyed out in your admin. Every feature is GPL.
* **No external services to sign up for.** No API keys, no remote dashboards, no third-party telemetry. Two optional integrations (Have I Been Pwned for breach detection, Slack/Discord/webhook for notifications) only fire when you explicitly enable them.
* **Built to be invisible.** Sub-megabyte ZIP, lazy-loaded modules, indexed queries. The plugin's footprint stays under 2 ms on a normal login flow.
* **Multisite-aware, PHP 8.1-native.** Network-activate on a fleet, configure per-site, manage from the shell with a complete WP-CLI command suite.
* **Production-grade defaults.** Every toggle ships with the value an experienced admin would pick anyway. Zero-config gets you 80 percent of the protection.

= Eight independent modules =

**1. Hide Login** - Replace `wp-login.php` with a custom slug. Anyone hitting the old URL gets a 404 from your theme - no leakage that WordPress is even installed. Compatible with multisite, password-protected posts, reverse proxies, and password recovery flows. The branded pre-activation modal lets you pick or generate the slug before flipping the switch, and emails it to you so you can't lock yourself out.

**2. Brute Force Protection** - Cascading lockouts after repeated failed logins. Locked attackers see a branded 429 landing page with a live countdown. Repeated lockouts escalate to a 24-hour ban. Lostpassword, register, XML-RPC and the REST users endpoint are all gated when an IP is locked, so attackers can't pivot. Subnet blocking handles distributed attacks. Trusted X-Forwarded-For for sites behind Cloudflare or a load balancer.

**3. Hardening** - Thirteen one-click toggles across surface reduction, credential hardening, and request filtering. Disable XML-RPC, the theme/plugin file editor, the WordPress version exposure (including `?ver=` on assets, even for WP 6.5+ ES modules), application passwords, author enumeration, and more. Block reserved usernames with Unicode-confusable detection. Add an invisible login honeypot. Block PHP execution in uploads and directory listing via atomic-write `.htaccess` rules.

**4. Two-Factor Authentication** - Enterprise-grade 2FA in three flavours: TOTP via any authenticator app (Google Authenticator, Authy, 1Password, Bitwarden), one-time codes by email, and printable backup codes. Trusted devices remembered for thirty days so you only verify once per browser. A recovery flow lets a user reset their second factor by email when the authenticator is lost, without a support ticket. Per-role enforcement, configurable grace period, and a session-aware logout.

**5. Detection and Incidents** - A real-time detection engine groups raw events into six attack patterns: brute force, credential stuffing, distributed scan, post-compromise activity, lockout cascade, and protocol abuse. Each incident has a drill-down view with timeline, source IPs, target users, severity, user-agent fingerprint, and one-click resolution actions (reset password, block subnet, mark resolved).

**6. Activity Log** - Compliance-ready audit trail of admin actions: plugin installs, settings changes, role updates, user creation, content publishing, theme switches, 2FA enrollment events. Filter, search and export to CSV with configurable retention. Seven logger domains, all togglable independently.

**7. Login Page Security Headers** - Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy and X-Content-Type-Options on `wp-login.php` and the lockout page. Two presets (standard and strict) with an optional CSP report-uri.

**8. Breach Check** - Detect users logging in with a password that appears in public data breach corpora, using privacy-preserving k-anonymity lookups against Have I Been Pwned. Only the first 5 hex characters of a SHA-1 prefix leave the server, the password and full hash never travel. Optional opt-in email lookup against XposedOrNot. Fail-soft: a HIBP outage never blocks login.

= Plus =

* **Notifications** by email, Slack, Discord, or generic webhook with built-in SSRF-safe URL validation, severity threshold and rate limiting.
* **WP-CLI command suite** - `wp login-armor reset-slug`, `unblock`, `whitelist`, `incidents resolve`, `purge-logs`, `2fa reset`, `2fa devices`, `hardening blacklist`. Full scripted operations and emergency recovery from the shell.
* **Dashboard widget** - at-a-glance protection status from any admin page, with a 14-day sparkline and the six headline metrics.

= Built by =

Login Armor is built and maintained by [WPFormation](https://wpformation.com/login-armor/), a French WordPress agency obsessed with sites that are clean, fast, and audit-ready. We use this plugin on every site we ship.

* [Plugin overview and roadmap](https://wpformation.com/login-armor/)
* [WordPress security guides](https://wpformation.com/securite-wordpress/) on WPFormation

GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies.

---

**Huit couches de securite. Un seul plugin leger. Zero compromis.**

Login Armor est une stack complete de securite WordPress concue pour les agences, les freelances et les pros qui livrent des sites prets a passer un audit. Pas de version premium, pas de tableau de bord marketing integre, pas de telemetrie. Chaque module tourne en local, embarque des reglages par defaut securises, et reste discret.

Fini de jongler entre la lourdeur de Wordfence, les fenetres d'upsell de Solid Security et les angles morts de Limit Login Attempts. Login Armor regroupe huit modules independants en moins d'un mega-octet, avec la rigueur d'un plugin entreprise et la licence d'un logiciel libre.

= Pourquoi Login Armor =

* **Aucun upsell, jamais.** Pas de niveau "premium", pas de boutons "Pro" grises dans votre admin. Tout est en GPL.
* **Aucun service externe a activer.** Pas de cle API, pas de tableau distant, pas de telemetrie tierce. Les deux integrations optionnelles (Have I Been Pwned pour la detection de fuites, Slack ou Discord ou webhook pour les notifications) ne se declenchent que si vous les activez explicitement.
* **Concu pour etre invisible.** ZIP de moins d'un mega, modules charges a la demande, requetes indexees. L'empreinte sur un flux de connexion normal reste sous 2 ms.
* **Compatible multisite, natif PHP 8.1.** Activation reseau possible sur une flotte, configuration par site, pilotage depuis la ligne de commande via une suite WP-CLI complete.
* **Reglages par defaut prets pour la production.** Chaque bascule arrive avec la valeur qu'un admin experimente choisirait. Sans configuration, vous avez deja 80 % de la protection.

= Huit modules independants =

**1. Masquer la connexion** : remplace `wp-login.php` par une URL personnalisee. Toute tentative sur l'ancienne URL renvoie une 404 du theme, sans reveler la presence de WordPress. Compatible multisite, articles proteges par mot de passe, reverse proxies, et flux de recuperation de mot de passe. La modale de pre-activation vous laisse choisir ou generer le slug avant d'activer le module, et vous l'envoie par e-mail pour eviter tout verrouillage.

**2. Protection contre la force brute** : verrouillages en cascade apres plusieurs echecs. Les attaquants verrouilles voient une page 429 brandee avec un compte a rebours en direct. Les verrouillages repetes montent a un bannissement de 24 h. Les pages lostpassword, register, XML-RPC et l'endpoint REST users sont egalement bloques pour les IPs verrouillees, pour empecher le pivot. Blocage de sous-reseaux pour les attaques distribuees. Support de X-Forwarded-For pour les sites derriere Cloudflare ou un load balancer.

**3. Renforcement** : treize bascules en un clic, regroupees en reduction de surface, durcissement des identifiants et filtrage des requetes. Desactivation de XML-RPC, de l'editeur de fichiers theme/extension, de l'exposition de la version WordPress (y compris le `?ver=` sur les assets, meme les modules ES de WP 6.5+), des mots de passe applicatifs, de l'enumeration des auteurs. Blocage des identifiants reserves avec detection des homoglyphes Unicode. Pot de miel invisible sur le formulaire de connexion. Blocage de l'execution PHP dans `wp-content/uploads/` et desactivation du listing de repertoires via des regles `.htaccess` ecrites en mode atomique.

**4. Authentification a deux facteurs** : 2FA prete pour la production avec trois methodes : TOTP via n'importe quelle application authenticator (Google Authenticator, Authy, 1Password, Bitwarden), codes a usage unique par e-mail, codes de secours imprimables. Appareils de confiance memorises pendant trente jours, vous ne validez qu'une fois par navigateur. Une procedure de recuperation laisse l'utilisateur reinitialiser son second facteur par e-mail en cas de perte, sans ouvrir de ticket. Application par role, periode de grace configurable, et deconnexion qui ferme proprement les sessions actives.

**5. Detection et incidents** : un moteur en temps reel regroupe les evenements bruts en six patterns d'attaque : force brute, credential stuffing, scan distribue, activite post-compromission, cascade de verrouillages et abus protocolaires. Chaque incident dispose d'une vue detaillee : chronologie, IPs sources, comptes cibles, severite, empreinte user-agent et actions de resolution en un clic (reinitialisation de mot de passe, blocage de sous-reseau, marquage resolu).

**6. Journal d'activite** : piste d'audit conforme des actions admin : installations d'extensions, modifications de reglages, changements de role, creations d'utilisateurs, publications de contenu, changements de theme, evenements 2FA. Filtrage, recherche et export CSV avec retention configurable. Sept domaines de loggers, activables independamment.

**7. En-tetes de securite de la page de connexion** : Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy et X-Content-Type-Options sur `wp-login.php` et la page de verrouillage. Deux presets (standard et strict) avec une option de CSP report-uri.

**8. Detection de fuites** : repere les utilisateurs qui se connectent avec un mot de passe present dans des fuites publiques, via des recherches preservant la vie privee (k-anonymat) sur Have I Been Pwned. Seuls les 5 premiers caracteres hexa d'un prefixe SHA-1 quittent votre serveur ; le mot de passe et le hachage complet ne sortent jamais. Verification e-mail optionnelle (opt-in, desactivee par defaut) via XposedOrNot. Fail-soft : une coupure de HIBP ne bloque jamais la connexion.

= En plus =

* **Notifications** par e-mail, Slack, Discord ou webhook generique, avec validation d'URL anti-SSRF integree, seuil de severite et rate limiting.
* **Suite WP-CLI** complete : `wp login-armor reset-slug`, `unblock`, `whitelist`, `incidents resolve`, `purge-logs`, `2fa reset`, `2fa devices`, `hardening blacklist`. Operations scriptees et recuperation d'urgence depuis la ligne de commande.
* **Widget Tableau de bord** : statut de protection en un coup d'oeil depuis n'importe quelle page admin, avec sparkline 14 jours et six metriques cles.

= Concu par =

Login Armor est concu et maintenu par [WPFormation](https://wpformation.com/login-armor/), une agence WordPress francaise obsedee par les sites propres, rapides et audit-ready. On utilise ce plugin sur chaque site qu'on livre.

* [Presentation et roadmap du plugin](https://wpformation.com/login-armor/)
* [Guides securite WordPress](https://wpformation.com/securite-wordpress/) sur WPFormation

GPL pour toujours. PHP 8.1+. WordPress 6.8+. Zero dependance.

== Installation ==

1. Upload the `login-armor` directory to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Go to LoginArmor in the admin menu to configure

For multisite: Network Activate the plugin to apply it across all sites.

= Setting up Hide Login =

1. Go to LoginArmor > Settings > Hide Login section
2. Enter your desired login slug (e.g., `my-login`)
3. Save settings
4. **Bookmark your new login URL**: you will need it to access your admin

= Recovering access =

If you forget your custom login URL:

* Use the recovery email feature (configurable in settings)
* Connect to your database and delete the `login_armor_hide_slug` row from the `wp_options` table
* Use WP-CLI: `wp option delete login_armor_hide_slug`

== Frequently Asked Questions ==

= Will it lock me out of my own site? =

No. Hide Login always sends a one-time recovery URL to the admin email. If you lose the slug, check your inbox. The plugin also honors `wp-cli` fallback so you can reset anything from SSH.

= Does it slow my site down? =

No. Everything is lazy-loaded and indexed. On a normal login flow the extra SQL cost is under 2 ms.

= Is it compatible with Cloudflare / reverse proxies? =

Yes. IP detection honors trusted `X-Forwarded-For` headers; you pick the header in Settings.

= Does it work with multisite? =

Yes, subdomain and subfolder. Each site has its own modules, logs, and thresholds.

= Can I use LoginArmor alongside Wordfence / iThemes Security / Solid Security? =

Yes, but disable overlapping modules on one side to avoid double lockouts.

= Where is the data stored? =

Three custom tables in your own database: events, incidents, activity. Nothing leaves your server.

= How do I migrate my configuration? =

Settings are plain WordPress options. Export/import via WP-CLI or any standard options-sync tool.

= Is there a pro version? =

Not currently. LoginArmor is fully free and open source. GPL forever.

= Where can I report bugs or request features? =

Support forum: [wordpress.org/support/plugin/login-armor/](https://wordpress.org/support/plugin/login-armor/).

== Screenshots ==

1. Quick tour of all eight modules - Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard.
2. Overview dashboard - health cards, security pulse, live event tail, threat banner that surfaces active attacks.
3. Incidents - real-time pattern detection grouped by attack class with severity and one-click resolution.
4. Incident drill-down - full timeline, user-agent fingerprint, suggested actions, escalation flag.
5. Events - complete login attempts log with filters and CSV export.
6. Activity Log - admin action audit trail across seven domains, filterable and exportable.
7. Settings - modular configuration with live security score and a sticky save bar.
8. Hide Login pre-activation modal - pick or generate the secret URL and email it to yourself before flipping the switch.
9. Hardening - thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering.
10. Two-factor authentication setup - QR code for any authenticator app, copy-paste fallback, and live verification.
11. Breach Check - fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default.

== External Services ==

= Webhook Notifications (optional) =

When explicitly enabled and configured by the administrator in LoginArmor > Settings > Notifications, the plugin sends incident data to third-party services via webhooks.

Data sent: incident type, severity level, IP address, target username, event count, and site URL.

No data is sent unless the administrator actively enables and configures a notification channel.

* **Slack** - [Terms of Service](https://slack.com/terms-of-service) | [Privacy Policy](https://slack.com/privacy-policy)
* **Discord** - [Terms of Service](https://discord.com/terms) | [Privacy Policy](https://discord.com/privacy)
* **Custom Webhook URL** - User-configured endpoint (administrator's responsibility)

= Gravatar (Automattic) =

The Activity Log tab uses WordPress core's `get_avatar()` function to display user avatars. WordPress may send a hashed email address to [Gravatar](https://gravatar.com/) servers to retrieve avatar images. This is controlled by Settings > Discussion > Avatars.

* **Gravatar** - [Automattic Terms of Service](https://automattic.com/tos/) | [Privacy Policy](https://automattic.com/privacy/)

= Breach Check - Have I Been Pwned (optional) =

When the administrator explicitly enables the **Breach Check** module (LoginArmor > Settings > Breach Check), LoginArmor queries the public Have I Been Pwned Pwned Passwords API on each successful login and on password changes to detect user passwords that appear in public data breach corpora.

Data sent: the **first 5 hex characters** of a SHA-1 hash of the password (k-anonymity lookup). The full password and its full hash never leave the server. The API cannot determine which password is being checked - it only sees a 5-character prefix that is mathematically shared with ~500-900 other candidate hashes.

No API key or account is required. The endpoint is free and public.

* **Have I Been Pwned** - [Pwned Passwords privacy statement](https://haveibeenpwned.com/Privacy) | [Acceptable Use Policy](https://haveibeenpwned.com/AcceptableUse)

= Breach Check - XposedOrNot (optional email sub-toggle) =

When the administrator additionally enables the **Email check** sub-toggle inside the Breach Check module (off by default), LoginArmor queries the public XposedOrNot check-email API on new user creation and on email change to detect email addresses that appear in publicly disclosed data breaches.

Data sent: the user's email address (URL-encoded) and a plugin-identifying User-Agent string. This is unavoidable for the lookup - there is no k-anonymity variant for email breach checks. Because this call transmits an email address to a third party, it is opt-in and off by default.

No API key or account is required. The endpoint is free and public.

* **XposedOrNot** - [xposedornot.com](https://xposedornot.com/) | [Privacy Policy](https://xposedornot.com/privacy.html)

== Changelog ==

= 2.1.11 =

Bug fix release. Fixes a V2.1.9 regression on multisite + domain mapping setups (where sub-sites are mapped to external domains via WP MU Domain Mapping or native WP 4.5+).

* Fix - `HideLogin::build_login_url()` is now host-aware: chooses between `home_url()` and `site_url()` based on the request's `HTTP_HOST` header, instead of always returning `site_url()` (V2.1.9/V2.1.10 default). Resolves the case where a subsite mapped on an external domain would redirect immediately to `/wp-admin/` (404) when typing the slug, because `site_url()` pointed to the original network path while the request arrived on the mapped domain. Reported on the WP.org support forum by @graphandco. Standard installs (`siteurl == home`) and multisite headless setups (where the request arrives on the siteurl host) continue to work as in V2.1.9/V2.1.10.
* Fix - Slug detection in `intercept_request()` now matches against BOTH `home_url($slug, 'relative')` AND `site_url($slug, 'relative')` (instead of just one). Same dual-base matching extended to the `wp-login.php` and `wp-register.php` traps. No security change: relative paths only, no new hostnames accepted.
* Internal - Filter `login_armor_login_url_base` (introduced in V2.1.9) is unchanged and continues to wrap the final URL for advanced overrides (third-host scenarios, custom subdomain mapping plugins).

= 2.1.10 =

Cosmetic fix release. The 404 page served when an anonymous visitor hits `/wp-admin/` with Hide Login enabled now renders as a proper WordPress 404 instead of a half-bootstrapped theme page with a duplicated header.

* Fix - `block_access()` now routes through `serve_404_template()` so the response carries the proper `WP_Query::set_404()` state. Visible effect: body class `error404` is set, Yoast (or any SEO plugin) emits `<meta name="robots" content="noindex">`, the theme renders its real 404 template instead of a default page layout, and themes with sticky headers (Astra Pro, many FSE themes) no longer show a duplicated header. No security change, no functional change for the actual 404 status header (still 404).
* Internal - 30 lines of duplicated 404 rendering code removed from `block_access()`; both code paths now share `serve_404_template()`.

= 2.1.9 =

Bug fix release. Hide Login now uses `site_url()` instead of `home_url()` to build the rewritten login URL, matching what WordPress core does inside `wp_login_url()`.

* Fix - Hide Login URL base switched from `home_url()` to `site_url()` (14 callsites migrated to a new public static helper `HideLogin::build_login_url()`). Inherited from the WPS Hide Login fork, the previous `home_url()` base was invisible on the ~99 percent of installs where `siteurl == home`, but broke silently on multisite headless (siteurl on `admin.example.com`, home on `example.com`), WordPress installed in a subdirectory (`/wp/`), and reverse-proxy installs with `WP_HOME` not equal to `WP_SITEURL`. Reported on the WP.org support forum by @graphandco.
* Feature - New filter `login_armor_login_url_base` for exotic setups where neither `home_url()` nor `site_url()` matches the hostname that actually serves the login slug (third hostname behind a reverse-proxy, subdomain mapping plugin rewriting the admin URL, etc.). Receives `$url`, `$path`, `$scheme`, `$slug`.
* Internal - Strictly neutral on the standard install where `siteurl == home`. Fresh-install, multisite-headless and WP-in-subdir validation suite passed before tag.

= 2.1.8 =

Hygiene release issued from a full V2.1.7 audit. Three findings, all LOW severity, batched in a single update.

* Fix - `admin/views/tabs/settings.php` queries the V2.1.1 webhook queue table without an existence guard. On a fresh install where the Activity Log module was never enabled (table not created) or after `wp plugin install --force` (which doesn't re-fire activation), every Settings tab load emitted three DB warnings in `debug.log` (`Table 'X.wp_login_armor_webhook_queue' doesn't exist`). Non-fatal but log-polluting. Now wraps the SELECT in a `SHOW TABLES LIKE` guard and returns zero counts when the table is absent.
* Fix - `uninstall.php` cleanup list was missing the `login_armor_lockout_window` option (default 24h, used by `LimitLogin::trigger_lockout()` for escalation tracking). Plugin deletion previously left this single option behind. Now: zero residue.
* i18n - Five untranslated strings surfaced by `wp i18n make-pot` regen: the V2.1.1 Activity Log integrity badge `BROKEN`, the legacy-rows-not-covered amber notice (singular form), the Breach Check password-found message (singular), the Breach Check email-breach message (singular), and the plugin description meta. All translated to French in `languages/login-armor-fr_FR.po`, no em dash. `.mo` recompiled. `.pot` regenerated against the full source tree (1010 strings vs 990 in 2.1.7) to capture 20 strings that had been added to the code (V2.1.1 webhook + integrity UI) but never made it into the translation template.

= 2.1.7 =

Preventive release on the Email 2FA enrollment flow. Closes a self-lockout pattern reported by a user whose hosting silently dropped outgoing mail.

* Fix - Email 2FA enrollment no longer half-commits when `wp_mail()` fails. The `login_armor_2fa_method = email` user meta was previously written before the verification email was attempted, leaving a partially configured state behind on hosts where SMTP is broken (Wanadoo, mutualised hosts without SMTP relay, etc.). The order is now: send first, persist only on success.
* Feature - New pre-activation modal on the user profile page when a user clicks "Set up Email" 2FA. Forces a real `wp_mail()` round-trip with a Send-test-email button and a safety-net checkbox ("I have a second admin tab open") before the Enable button unlocks. Both gates must pass, eliminating the most common cause of admin-locked-out support tickets.
* Internal - New AJAX endpoint `login_armor_2fa_email_test` (nonce-protected) sends a one-shot test message without consuming the OTP cooldown.

= 2.1.6 =

Preventive release bundling V2.1.5 + post-tag cleanup findings. No bug observed in production — eliminates a latent V2.1.3-style fatal risk in the TwoFactor module and finishes the uninstall.php cleanup audit.

* Preventive - TwoFactor module now follows the always-require pattern (same as Activity Log V2.1.4 and BreachCheck). Class files are loaded unconditionally so any future hook callback that statically references TwoFactor classes survives fresh installs. Constructor and `register()` still gated by the enable option — zero-overhead contract preserved.
* Cleanup - `uninstall.php` now drops the V2.1.1 webhook queue table, deletes 14 leftover options (HSTS, login headers preset, activity auto-verify daily, V2.1.1 chain init flag + show-notice, 5 webhook), generalizes the transient SQL DELETE to `login_armor_*` (covering chain_verify_last and any future transient), and clears 3 V2.1.1 cron hooks (webhook dispatch + chain repair + chain auto-verify). Plugin deletion now leaves zero residual data.
* UX - Activity Log Integrity panel now surfaces "X rows before the integrity chain are not covered by Verify" when legacy or pre-init rows exist. The verify-chain coverage scope is now explicit rather than implicit.

= 2.1.4 =

Critical hotfix.

* Fix - Fatal error `Class "LoginArmor\ActivityLog\ActivityLog" not found` on every fresh install. The class file was loaded only when the Activity Log module was enabled, but the V2.1.1 chain initializer hooked at `init` priority 5 references the class unconditionally. On a fresh install (Activity Log option not yet set), every request to `wp-login.php` and the front end crashed with a 500. Existing sites that already had Activity Log enabled were unaffected. Fixed by always loading the class file (constructor still gated — zero-overhead contract preserved) and adding a defensive `class_exists` guard at the top of `maybe_initialize_activity_chain()`.

= 2.1.3 =

Critical hotfix.

* Fix - Hardening "Hide WordPress version" toggle was stripping the `?ver=` cache-buster from LoginArmor's own admin assets (admin.css, admin.js), in addition to WP core and 3rd-party plugin files. Combined with hosting providers that run a server-side static cache (LiteSpeed LSADC on o2switch PowerBoost, Cloudflare full-page cache, hosting CDNs) keyed on the canonical URL, every LoginArmor update past 2.1.0 was invisible to admins for up to a year of cache TTL — the browser kept fetching the old admin.css from the server-side cache because `admin.css` (no query) and `admin.css?ver=2.1.2` are different cache keys. Filter now whitelists `/plugins/login-armor/` paths so our own assets always carry their version-derived hash, while WP core and 3rd-party version disclosure are still stripped.
* Fix - Defense-in-depth `width="18" height="18"` HTML attributes on the Activity Log Integrity bar's shield SVG icon. Without these, if admin.css fails to reach the browser for any reason (CDN edge stale cache, content-blocker, proxy stripping CSS), the icon defaults to its intrinsic 300x150px and dominates the page layout. The CSS rule is still authoritative; HTML attrs are belt-and-suspenders.

= 2.1.2 =

Critical hotfix + UX polish.

* Fix - Settings tab fatal error on fresh installs that have not yet enabled the Activity Log module. The class `LoginArmor\ActivityLog\WebhookDispatcher` was referenced in the Settings tab without an explicit `require_once`, and the file is only loaded when Activity Log is on. Visiting the Settings tab on a default install crashed with `Class "LoginArmor\ActivityLog\WebhookDispatcher" not found`. Fixed by loading the file unconditionally before its first use.
* Fix - Save-confirmation toast (`Settings saved.`) was anchored top-right and overlapped the LoginArmor admin tabs nav, making the message unreadable behind the dark Réglages tab. Moved to bottom-right (Gutenberg snackbar convention), bumped z-index above sticky elements, and re-tuned the entrance animation to slide up from the bottom edge.

= 2.1.1 =

* Feature - Activity Log integrity: every row is HMAC-SHA256 signed and chained to the previous one. Detects any direct-SQL tampering, deletion or insertion. First-in-market for WP audit-log plugins.
* Feature - Signed webhook forwarding: optional async POST of every activity event to your SIEM, Slack, Datadog, Discord or any HTTPS receiver. `X-LoginArmor-Signature` HMAC header, adaptive retry policy, max 5 attempts.
* Feature - WP-CLI command `wp login-armor activity verify-chain` for scheduled audits and orphan repair (`--from`, `--to`, `--repair-orphans`, `--format`, `--verbose`).
* Feature - Admin UI: new compact "Activity Log Integrity" status bar in Activity tab + full Webhook configuration panel in Settings (URL, secret regenerate, send test event, queue stats).
* Feature - Login Page Security Headers (CSP + X-Frame + Referrer-Policy) now ON by default on fresh installs; REST public-namespace allowlist filterable via `login_armor_rest_public_namespaces`; auto-detection of 6 conflicting Hide Login plugins (Rename wp-login.php, WPS Hide Login, Defender, Solid Security, Wordfence, AIOS).
* Fix - Hardening: `mask_login_errors` no longer leaks remaining-attempt hint through LimitLogin filter (S-9), Honeypot switched to `<input type="hidden">` to survive theme stripping (S-22), User-Agent truncation cap reduced 500 -> 256 chars (S-19).

= 2.1.0 =

* Security (HIGH) - 2FA pending-verification token no longer travels in the URL. After the password step, the partially-authenticated session is held in a HttpOnly + SameSite=Strict cookie scoped to the login slug, signed with HMAC-SHA256 over `wp_salt('auth')`. Closes a leak surface that exposed the token via browser history, server access logs and the `Referer` header.
* Security (defense-in-depth) - The transient that backs the pending session is now keyed on `sha256(token)` instead of the clear token. The clear token never appears in `wp_options.option_name` either - DB-read attacks no longer yield a replayable token.
* Compat - URL token is still accepted as a fallback for one minor (V2.1.0). V2.2.0 will remove the fallback. Browsers that reject SameSite=Strict cookies fall through gracefully.
* Internal - One-shot upgrade hook purges any leftover V2.0.x 2FA pending transients from `wp_options` on first load. Idempotent.

= 2.0.5 =

Security audit pass. Five fixes identified by an internal Phase 1 + Phase 2 audit against 2.0.4, each double-checked on production before patching. No functional regression.

* Fix (HIGH) - REST author-enumeration scope. The Hardening "Disable author enumeration" toggle now also gates `/wp-json/oembed/1.0/embed`, the `_embed=1` fanout on `/wp/v2/posts`, and `wp-sitemap-users-N.xml`. The lockout-side REST gate also denies oEmbed for locked IPs.
* Fix (HIGH) - Optional HSTS header for the Login Headers module. Off by default; opt-in 180-day or 1-year-with-subdomains modes. Only emitted on HTTPS requests.
* Fix (MED) - IPv6 subnet derivation. `subnet_of()` and `Detection\Classifier::compute_subnet()` now produce a re-parseable canonical /64 from compressed IPv6 (`2001:db8::1` → `2001:db8:0:0::/64`). Subnet block rules entered against IPv6 attackers now match.
* Fix (MED) - Self-DoS via `0.0.0.0` placeholder. `record_failed_attempt()` and `check_lockout()` skip the literal placeholder returned by `get_client_ip()` when the configured proxy header is misconfigured. Prevents site-wide lockout on the shared placeholder.
* Fix (MED) - "Block PHP in uploads" toggle off no longer wipes user-authored .htaccess rules. Only the LoginArmor block (recognized by `# BEGIN/END LoginArmor` markers, with a legacy fallback) is stripped.

= 2.0.4 =

Real fix for the lockout 429 page never appearing on hosts with a public page cache fronting the Hide Login slug.

* Fix - `LockoutPage::render_on_trigger` now performs a 302 redirect to `/[hide-slug]/?_la_locked=<timestamp>`. The unique query string defeats every public page cache (LiteSpeed Cache, WP Rocket, Cloudflare full-page, hosting reverse-proxy). Verified live with Playwright Firefox 150 + httpx HTTP/2.
* Fix - Branded lockout page logo now appears (path was referencing a file that did not ship).

= 2.0.3 =

Same-day hotfix on top of 2.0.2 for HTTP/2 stream termination.

* Fix - `LoginArmor::flush_response_and_exit()` now mirrors WordPress core's `_default_wp_die_handler` exactly (no `fastcgi_finish_request`). Under LiteSpeed/LSAPI, calling `fastcgi_finish_request()` after a 4xx with a custom body left HTTP/2 streams without END_STREAM, hanging Firefox/Chromium. HTTP/2 lockout response now arrives complete in 1.3 s.

= 2.0.2 =

Critical fix for the lockout 429 page.

* Fix - The branded 429 lockout page now actually reaches the browser when the lockout is triggered. Root cause: PHP's default output buffer (`output_buffering=4096` on most managed hosts) was capturing the body. `LoginArmor::flush_response_and_exit()` now discards every parent buffer before writing the response. Same helper is used by Hide Login's 404 renderer and Hardening's XML-RPC + access-denied responses, so all three paths inherit the fix.

= 2.0.1 =

Post-launch patch.

* Fix - Branded 429 lockout landing page is now rendered on the lockout-triggering attempt (#N), not the next one. New action `login_armor_lockout_triggered` fires after the lockout marker is committed; LockoutPage subscribes and renders inline.
* Feature - Two new "Reset" buttons in Settings: "Reset all events & incidents" wipes the events feed, brute-force counters, and incidents in one click; "Reset all activity entries" wipes the admin-action audit trail. Both are confirmation-gated.
* Assets - WordPress.org banner and icon replaced with the navy-blue / yellow-padlock variant matching the in-admin icon.

= 2.0.0 =

First WordPress.org public release of the V2 line. Bundles eight independent security modules in a single sub-megabyte plugin: Hide Login (custom URL slug + branded lockout page), Brute Force Protection (cascading lockouts, subnet blocking, X-Forwarded-For), Hardening (13 one-click toggles), Two-Factor Authentication (TOTP + Email OTP + backup codes + trusted devices + recovery flow), Detection and Incidents (6 attack patterns), Activity Log (compliance-ready audit trail), Login Page Security Headers (CSP / X-Frame-Options / Permissions-Policy presets), and Breach Check (HIBP k-anonymity + opt-in XposedOrNot).

Pre-release security audit:

* Security - Breach Check email lookup is opt-in by default (only the password lookup is enabled when the module is activated).
* Security - Reserved-username blacklist folds Unicode-to-ASCII before comparison, so homoglyphs collapse onto the same blacklist entry.
* Security - REST API gating for unauthenticated users now matches public namespaces by route prefix on the parsed REST path; substring-match query-string bypass closed.
* Security - "Hide WordPress version" also strips `?ver=X.Y.Z` from script and stylesheet URLs at `script_loader_src` priority 9999.
* Security - .htaccess writes (Block PHP in uploads, Disable directory listing) are atomic via temp file + rename, with admin notice on flush failure.

== Upgrade Notice ==

= 2.1.11 =
Bug fix release for multisite + domain mapping setups. Hide Login URL is now host-aware (picks home_url or site_url based on HTTP_HOST). Fixes a V2.1.9 regression where mapped subsites would redirect to /wp-admin/ (404) instead of serving the slug page. Standard installs and multisite headless continue to work.

= 2.1.10 =
Cosmetic fix. The 404 page served when an anonymous visitor hits `/wp-admin/` with Hide Login enabled now renders as a proper WordPress 404 (body class `error404`, SEO `noindex` meta, theme 404 template) instead of a half-bootstrapped page. No security or functional change.

= 2.1.9 =
Bug fix. Hide Login now builds the rewritten login URL from `site_url()` (matching `wp_login_url()` in WP core) instead of `home_url()`. Fixes silent breakage on multisite headless, WordPress in subdirectory, and reverse-proxy installs. Neutral on standard installs.

= 2.1.8 =
Hygiene release after a full V2.1.7 audit. Three LOW fixes batched: webhook stats query no longer warns on fresh installs, `lockout_window` option now cleaned on uninstall, five missing French translations added (Activity Log integrity badges, Breach Check messages). No code path change visible to end users.

= 2.1.7 =
Preventive: hardens the Email 2FA enrollment flow. Failed `wp_mail()` no longer leaves a half-committed 2FA state, and a new pre-activation modal forces a real test email + a safety-net check before the user can lock themselves out. Recommended for every install where Email-based 2FA is enabled.

= 2.1.6 =
Preventive release. Eliminates a latent V2.1.3-style fatal risk in the TwoFactor module. Finishes the uninstall.php cleanup (zero residual data). Surfaces Activity Log integrity coverage scope in admin UI. No new features, no DB migration.

= 2.1.4 =
Critical hotfix: 2.1.3 fatal-errored on every fresh install (Class "LoginArmor\ActivityLog\ActivityLog" not found). Sites with Activity Log already enabled were unaffected. Recommended for every install, urgent for new installs.

= 2.1.3 =
Critical hotfix: Hardening "Hide WP version" was stripping cache-buster from our own assets, so updates past 2.1.0 were invisible behind hosting CDNs (LiteSpeed LSADC, Cloudflare). Recommended for every install.

= 2.1.2 =
Critical hotfix: the Settings tab fatal-errored on every fresh install that had not yet enabled the Activity Log module (Class WebhookDispatcher not found). Recommended for every install.

= 2.1.1 =
Activity Log integrity: every row is HMAC-signed and chained, detects any tampering. Optional signed webhook forwarding (SIEM / Slack / Datadog / any HTTPS). New WP-CLI verify-chain. Bundles 6 hardening fixes. Migration automatic. Recommended for every install.

= 2.1.0 =
Security: 2FA pending token moved from URL query string to a signed HttpOnly + SameSite=Strict cookie. Closes URL-leak (browser history / Referer / access logs) and DB-leak (clear token no longer in wp_options). Recommended for every install with 2FA enabled.

= 2.0.5 =
Security audit pass: REST author-enum scope, optional HSTS, IPv6 subnet fix, 0.0.0.0 placeholder DoS skip, .htaccess admin-rules preservation. No regression. Recommended.

= 2.0.4 =
Real fix for the lockout 429 page on hosts with a public page cache (LiteSpeed Cache, WP Rocket, Cloudflare). Recommended after the 2.0.1-2.0.3 sequence.

= 2.0.3 =
Hotfix: HTTP/2 stream termination on LiteSpeed/LSAPI for the branded lockout page. Recommended.

= 2.0.2 =
Critical fix: 429 branded lockout page now reaches the browser. Recommended.

= 2.0.1 =
Branded 429 lockout page on the triggering attempt + Reset Stats UI + correct WP.org banner/icon. Recommended.

= 2.0.0 =
First WordPress.org release of the V2 line. Eight independent security modules. Recommended.
