=== MyFast Login Guard – Login Protection & Server Info ===
Contributors: myfastwebhosting
Tags: login protection, limit login attempts, brute force, server info, error log
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.3.6
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

MyFast Login Guard renames your login page, blocks brute-force attempts, and lets you inspect your full server environment — all from one lightweight plugin.

== Description ==

MyFast Login Guard provides two things hosting clients actually need:

**Login protection**

* Rename your login page to a custom URL — direct access to /wp-login.php returns a 404
* Limit login attempts — lock out an IP after a configurable number of failures
* Configurable lockout duration (default: 5 attempts, 30-minute lockout)
* IP whitelist — your own IPs are never locked out
* Optional email notification when a lockout is triggered
* Manual unlock from the Lockout Log page

**Server information and error log**

* Full PHP environment: version, memory, OPcache, extensions, disabled functions, error log path
* WordPress environment: version, debug flags, memory limits, active plugin count
* Server details: software, IP, document root, HTTPS status, OS
* Database: MySQL/MariaDB version, database size
* Disk usage: total, used, free
* Scheduled cron events with overdue detection
* Error log viewer: reads WordPress debug.log (or PHP error log), filterable by Fatal / Warning / Notice, with one-click clear

**Design principles**

* No external API calls
* No cronjobs
* No .htaccess rewriting
* No front-end database queries
* Assets load only on the plugin's own admin pages

== Installation ==

1. Upload the `myfast-login-guard` folder to `/wp-content/plugins/`
2. Activate the plugin through the Plugins screen in WordPress
3. Go to **MyFast Login Guard** in the admin menu to configure

== Frequently Asked Questions ==

= Will renaming my login page break anything? =

No. WordPress internal redirects (logout, password reset, registration) continue to work. Only direct access to /wp-login.php returns a 404 for logged-out visitors.

= What happens if I forget my custom login slug? =

You have two options:

1. Visit /wp-admin/ — WordPress will redirect you to the login page at the correct URL.
2. Add `define( 'MFLG_DISABLE_LOGIN_SLUG', true );` to your wp-config.php to temporarily restore /wp-login.php access without deactivating the plugin.

= What happens if I lock myself out? =

Add your IP address to the Whitelist IPs field in Settings. If you are already locked out, connect via FTP/SSH, open wp-config.php, and add:
`define( 'MFLG_DISABLE_LOGIN_SLUG', true );`
Then log in normally, unlock your IP from the Lockout Log page, and remove the constant.

= Does this replace a firewall or security plugin? =

No. It is a lightweight complement — it stops brute-force login attempts and gives you visibility into your server environment. It does not scan files, block requests at the firewall level, or monitor for malware.

= How are IP addresses detected? =

The plugin uses `REMOTE_ADDR` (the actual TCP connection IP) as the primary source. If the site is behind Cloudflare, the `CF-Connecting-IP` header is trusted only when the connection originates from a verified Cloudflare IP range. Forwarded headers such as `X-Forwarded-For` that can be spoofed by clients are intentionally ignored.
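
The trust rule described above, as an added example (not the plugin's own code). The function names, the constructed sample requests, and the three CIDR ranges (a subset of Cloudflare's published list) are assumptions.

```php
<?php
// Added example: function names and the sample requests are hypothetical.
// Subset of Cloudflare's published ranges; use the full current list in practice.
const EXAMPLE_CF_RANGES = array( '173.245.48.0/20', '104.16.0.0/13', '2400:cb00::/32' );

// True when $ip lies inside $cidr (IPv4 or IPv6).
function example_ip_in_cidr( string $ip, string $cidr ): bool {
	list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '' );
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) || ! filter_var( $net, FILTER_VALIDATE_IP ) || ! ctype_digit( $bits ) ) {
		return false;
	}
	$ip_bin  = inet_pton( $ip );
	$net_bin = inet_pton( $net );
	$bits    = (int) $bits;
	if ( strlen( $ip_bin ) !== strlen( $net_bin ) || $bits > 8 * strlen( $net_bin ) ) {
		return false; // Address-family mismatch or impossible prefix length.
	}
	$bytes = intdiv( $bits, 8 );
	$rem   = $bits % 8;
	if ( substr( $ip_bin, 0, $bytes ) !== substr( $net_bin, 0, $bytes ) ) {
		return false;
	}
	if ( 0 === $rem ) {
		return true;
	}
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return ( ord( $ip_bin[ $bytes ] ) & $mask ) === ( ord( $net_bin[ $bytes ] ) & $mask );
}

// Resolve the client IP from a $_SERVER-style array.
function example_client_ip( array $server ): string {
	$remote = (string) ( $server['REMOTE_ADDR'] ?? '' );
	if ( ! filter_var( $remote, FILTER_VALIDATE_IP ) ) {
		return '';
	}
	$cf = (string) ( $server['HTTP_CF_CONNECTING_IP'] ?? '' );
	if ( filter_var( $cf, FILTER_VALIDATE_IP ) ) {
		foreach ( EXAMPLE_CF_RANGES as $cidr ) {
			if ( example_ip_in_cidr( $remote, $cidr ) ) {
				return $cf; // Header accepted: the TCP peer is a Cloudflare edge.
			}
		}
	}
	return $remote; // X-Forwarded-For and X-Real-IP are never consulted.
}

// Constructed requests: a direct connection carrying forwarded headers, then one via a Cloudflare edge.
$direct = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_CONNECTING_IP' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1' );
$via_cf = array( 'REMOTE_ADDR' => '173.245.48.10', 'HTTP_CF_CONNECTING_IP' => '198.51.100.23' );
echo example_client_ip( $direct ), PHP_EOL, example_client_ip( $via_cf ), PHP_EOL;
```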

= Is the lockout data cleaned up on uninstall? =

Yes. Uninstalling the plugin removes all plugin settings and lockout records from `wp_options`.

== Screenshots ==

1. Settings page — login page rename and brute-force protection
2. Server info panel — PHP, WordPress, server, database, disk, cron events
3. Error log viewer — filterable by type with one-click clear

== Changelog ==

= 1.3.6 =
* Renamed: Plugin renamed to MyFast Login Guard & Server Info with new slug myfast-login-guard and mflg_ prefix throughout.
* Fixed: All CSS class names updated from lssi- to mflg- prefix for uniqueness compliance.
* Fixed: Inline <script> block removed from lockout log page — now uses enqueued lockouts.js.
* Fixed: Removed unused lockouts database table — lockout data stored cleanly in wp_options.
* Fixed: Activation/deactivation hooks converted from anonymous closures to named functions.
* Fixed: Transient cleanup queries now use $wpdb->prepare() for full PHPCS compliance.
* Fixed: Cloudflare cache purge hook removed entirely per WP.org reviewer requirement.
* Fixed: wp_cache_delete() added before wp_localize_script() to guarantee fresh settings on page load.
* Fixed: Login slug reserved-word validation added client-side with clear error message.
* Fixed: Emergency escape hatch constant renamed to MFLG_DISABLE_LOGIN_SLUG.
* Improved: Error log path detection now checks ini_get('error_log') as first candidate.
* Improved: Server info table stacks label above value on mobile instead of horizontal scroll.
* Improved: Export for Support button min-height corrected on mobile.

= 1.3.1 =
* Fixed: Text domain reverted to login-shield-server-info to match plugin folder name (Plugin Check compliance).
* Fixed: Removed discouraged load_plugin_textdomain() call (auto-loaded by WordPress.org since WP 4.6).
* Fixed: Replaced fopen/fclose with WP_Filesystem in error-log.php and server-info.php.
* Fixed: Replaced parse_url() with wp_parse_url() in login-protect.php.
* Fixed: Added wp_unslash() to all $_SERVER reads in server-info.php.
* Fixed: Unescaped output — $status_label now uses wp_kses(), $icon uses wp_kses(), min() wrapped in esc_attr().
* Fixed: Ordered placeholders (%1$d, %2$s) and added translators comments in server-info.php and login-protect.php.
* Fixed: Added phpcs:ignore with justification for third-party hook names, read-only GET params, and socket fclose.
* Fixed: uninstall.php table variable renamed with lssi_ prefix.
* Fixed: Upgrade notices trimmed to under 300 characters.

= 1.3.0 =
* Updated text domain from login-shield-server-info to fastshield-security to match the approved WordPress.org plugin slug.

= 1.2.9 =
* Fixed: Updated "Tested up to" to WordPress 6.9.

= 1.2.8 =
* Fixed: Removed duplicate Plugin URI (was identical to Author URI) per WordPress.org submission requirements.

= 1.2.7 =
* Renamed plugin to MyFast Login Guard – Login Protection & Server Info to comply with WordPress.org naming guidelines.

= 1.2.6 =
* Security: Validate error log tab parameter against known tab whitelist before use in URL output (was sanitize_key only).
* Code quality: Added phpcs ignore with full justification comment for shell_exec inode check — path escaped via escapeshellarg(), output parsed as integers only.

= 1.2.5 =
* Fixed: Missing return statements after wp_send_json_error() in AJAX handlers — code after the error response could execute.
* Fixed: Uninstall now also removes the lssi_lockouts option from wp_options (previously only the DB table was dropped).
* Fixed: Removed dead lssi_utilities_page() function — the page was unreachable with no menu entry.
* Fixed: Removed wp-components from script dependencies (only wp-element is actually used).

= 1.2.4 =
* Fixed: Removed the Utilities submenu page which was causing 404 errors on some hosts. The AJAX cache clear remains available in Settings. Any bookmarked lssi-utilities URLs now redirect cleanly to Settings.

= 1.2.3 =
* Security: Rewrote IP detection to use REMOTE_ADDR as ground truth; CF-Connecting-IP is now only trusted when REMOTE_ADDR is a verified Cloudflare edge IP. X-Forwarded-For and X-Real-IP removed to prevent spoofing.
* Code quality: Moved login-page CSS from inline output to enqueued assets/css/login.css per WordPress coding standards.
* Usability: Added MFLG_DISABLE_LOGIN_SLUG constant as an emergency escape hatch for locked-out administrators.
* Docs: Expanded readme.txt FAQ with lockout recovery instructions and IP detection explanation.

= 1.2.2 =
* Mobile: Lockout log table now stacks as labelled cards on small screens.
* Mobile: Custom login slug and lockout email inputs stack full-width on mobile.
* Error log: Tabs moved inside the log card for discoverability on both mobile and desktop.

= 1.2.1 =
* Fixed: wp_login_failed hook signature made compatible with WordPress < 5.4.
* Fixed: authenticate filter now only runs on POST submissions, not every page load.
* Added: Attempts-remaining counter shown on the login page after a failed attempt.

= 1.2.0 =
* Added brute-force lockout engine: tracks failed attempts per IP, locks out after configurable threshold, sends email notification, auto-expires lockouts.
* Added Unlock and Clear All buttons to Lockout Log page.

= 1.1.9 =
* Fixed asset paths, admin menu parent slug, activation hook, and lssi_get() signature.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.3.6 =
Renamed to MyFast Login Guard with new mflg_ prefix. Deactivate and delete the old plugin before installing this version.

= 1.3.1 =
Plugin Check compliance fixes: escaping, WP_Filesystem, wp_parse_url, translators comments, uninstall cleanup.

= 1.3.0 =
Text domain updated to match plugin folder slug.

= 1.2.9 =
Updated Tested up to WordPress 6.9.

= 1.2.8 =
Removed duplicate Plugin URI header.

= 1.2.3 =
Security: IP detection now uses REMOTE_ADDR as ground truth. Spoofable proxy headers removed.
