=== Lunexia .htaccess Shield ===
Contributors: lunexiait
Tags: security, hardening, htaccess, protection, firewall
Requires at least: 5.0
Tested up to: 7.0
Stable tag: 3.0.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Professional website security hardening by applying proven .htaccess security rules automatically and safely.

== Description ==

Lunexia .htaccess Shield is a comprehensive security plugin that helps harden your website by automatically applying proven .htaccess security rules. The latest release includes a modern WordPress 7.0-ready admin interface, a polished dashboard, and premium workflow improvements for Firewall and Malware Scan access.

**Key Features:**

* **Redesigned Security Dashboard**: Four separate protection score widgets for rule coverage, module coverage, malware scanning, and threat monitoring.
* **Premium Admin Tabs**: The Firewall and Malware Scan tabs now display premium badges, like the Advanced Settings tab.
* **Plugin Layout Centering**: Admin screens are centered at 80% width for a clean, modern WordPress 7.0 experience.
* **Enterprise Protection Status Cards**: View active/inactive protection modules such as bot protection, rate limiting, live traffic monitoring, and quarantine system status.
* **Security Statistics Panel**: Track successful logins, failed logins, blocked IPs, pending approvals, and firewall protection status in one place.
* **One-Click Security Rules**: Enable or disable security rules with a simple toggle interface.
* **Security Score**: Visual protection score meter for instant status awareness.
* **Automatic .htaccess Management**: Safely apply rules without manual editing.
* **Backup & Restore**: Create backups before changes and restore if needed.
* **Admin Approval Workflow**: Require admin approval for new Administrator/Editor accounts before login.
* **OTP Login Protection**: Add one-time password verification for selected user roles.
* **Backend Access Protection**: Restrict access to `wp-admin` and `wp-login.php` for blocked IPs.
* **Feature Preview**: Preview recommended premium hardening features before enabling them.
* **System Status**: Monitor your server's security readiness.
* **Malware Scanner and Quarantine Manager**: Premium scanner with quarantine controls, findings refresh, and scan actions.
* **WordPress 7.0 Compatible**: Designed to look great in the new Modern admin theme.

**Security Rules Included:**

* Disable directory browsing
* Protect wp-config.php and .htaccess files
* Block access to sensitive files
* Disable XML-RPC for improved security
* Prevent PHP execution in uploads folder
* Malicious query string protection
* Security headers (XSS, CSRF, HSTS, etc.)

**Safe & Reliable:**

* Uses core functions for .htaccess manipulation
* Creates automatic backups before changes
* Checks file permissions before applying rules
* Non-destructive - rules are wrapped in markers for easy removal
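
An illustration of what the rule categories listed above can look like inside a marker-wrapped block. This is an added example, not the rules this plugin generates: it assumes Apache 2.4 syntax, a WordPress install in the same directory as the `.htaccess` file, and the `# BEGIN` / `# END` comment convention used by WordPress core's `insert_with_markers()`; the marker name and the file-extension list are hypothetical.

```apache
# BEGIN Example Hardening
# (hypothetical marker name, not the plugin's own)

# Disable directory browsing
Options -Indexes

# Protect wp-config.php and .htaccess/.htpasswd
<FilesMatch "^(wp-config\.php|\.ht.*)$">
    Require all denied
</FilesMatch>

# Block access to sensitive files (constructed extension list; adjust per site)
<FilesMatch "\.(log|sql|bak|ini|swp)$">
    Require all denied
</FilesMatch>

# Disable XML-RPC
<Files "xmlrpc.php">
    Require all denied
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Prevent PHP execution in the uploads folder
    RewriteRule ^wp-content/uploads/.+\.(php\d?|phtml|phar)$ - [F,NC]

    # Malicious query string protection (a few widely used patterns)
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} \.\./ [OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST)(=|\[) [NC]
    RewriteRule ^ - [F]
</IfModule>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS: enable only when the whole site is served over HTTPS
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>

# END Example Hardening
```

Because everything sits between the two marker lines, deleting that span restores the file to its previous behavior.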

== Installation ==

1. Upload the `lunexia-htaccess-shield` folder to the `/wp-content/plugins/` directory
2. Activate the plugin through the 'Plugins' menu
3. Navigate to 'Lunexia .htaccess Shield' in the admin menu
4. Review and enable desired security rules
5. Click "Save & Apply Rules" to harden your site

== Frequently Asked Questions ==

= Is this plugin safe to use? =

Yes, Lunexia .htaccess Shield is designed with safety in mind. It:

- Creates backups before making changes
- Uses core functions for file operations
- Checks file permissions before applying rules
- Wraps all rules in identifiable markers

= What if something goes wrong? =

If you encounter issues:

1. Use the restore function to revert to a backup
2. Manually edit your .htaccess file to remove Lunexia .htaccess Shield rules
3. Deactivate the plugin if needed

= Does this replace my security plugins? =

No, Lunexia .htaccess Shield complements other security plugins by focusing specifically on .htaccess hardening. It works well alongside plugins like Wordfence, Sucuri, or iThemes Security.

= Will this slow down my site? =

The .htaccess rules are lightweight and optimized for performance. Most rules have minimal impact on site speed.

== External Services ==

This plugin connects to external services as follows:

**Google Sheets API Service**
This plugin uses the Google Sheets API (via Google Apps Script) to validate license keys when users activate a license. This is an optional feature and is only used when a user voluntarily attempts to activate a license key.

- **Purpose**: Validates license key authenticity and domain binding
- **When it's used**: Only when users click "Activate License" in the plugin settings
- **What data is sent**: License key and website domain name
- **Service provider**: Google (Google Sheets / Google Apps Script)
- **Terms of Service**: https://policies.google.com/terms
- **Privacy Policy**: https://policies.google.com/privacy
- **Data retention**: License validation data is stored only on the user's Google Sheet, which they control

== Screenshots ==

1. Main dashboard showing security score and available rules
2. Rules management interface with toggle switches
3. Backup and restore functionality
4. System status information

== Changelog ==

= 3.0.0 =
* Redesigned dashboard with four separate protection score widgets and modern admin visuals.
* Added premium badges to Firewall, Malware Scan, and Advanced Settings navigation tabs.
* Centered plugin layout with an 80% width wrapper for a cleaner WordPress 7.0 admin experience.
* Improved dashboard spacing, card alignment, and responsive behavior for the new WP 7 Modern theme.
* Updated compatibility metadata for WordPress 7.0 and PHP 7.4+.

= 1.2.1 =
* Added admin approval workflow for pending Administrator and Editor accounts
* Added OTP login protection for selected user roles
* Added backend access protection for blocked IPs on `wp-admin` and `wp-login.php`
* Added recommended feature preview modal for premium hardening features
* Fixed invalid .htaccess rule generation that could cause server errors
* Ensured blocked IP rules use modern rewrite-based access control
* Preserved activity logging for failed logins and blocked IP events
* Improved compatibility with Apache/LiteSpeed and PHP error handling

== Upgrade Notice ==

= 3.0.0 =
Upgrade to 3.0.0 for a refreshed WordPress 7.0-compatible dashboard, improved premium workflow, and updated plugin metadata.

= 1.2.1 =
Update to 1.2.1 to resolve plugin activation issues caused by malformed .htaccess rules and improve failed login blocking visibility.

== Support ==

For support, please visit the plugin forum or check the documentation.

== License ==

This plugin is licensed under the GPLv2 or later.

== Credits ==

Developed with security best practices in mind.