=== NHR Secure – Login Security, Firewall, 2FA & Audit Log ===
Contributors: nhrrob
Tags: security, hide admin, login protection, debug log, 2fa
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.3.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A lightweight WordPress security plugin to protect your admin area with a custom login URL, hide debug logs, limit login attempts, and add 2FA.
== Description ==

Keep your WordPress site safe with minimal effort. NHR Secure helps you:

- Hide or protect your admin area from unauthorized access.
- Limit login attempts to prevent brute-force attacks.
- Hide debug logs to prevent sensitive information disclosure.
- Add 2FA to your WordPress site.
- Scan core files, plugins, and themes for known vulnerabilities.
- Monitor site health with one-click security recommendations.
- Protect against SQL injection, XSS, and LFI attacks.
- Block malicious IPs and entire countries.

### **Features at a glance:**

### 🔒 Limit Login Attempts
Stop brute-force attacks by temporarily blocking IPs after repeated failed login attempts.
- Configurable attempt limit (1-20, default: 5)
- Blocks based on IP + Username combination
- Auto-unblock after 2 hours

### 🔐 Custom Login Page
Hide wp-login.php and use a custom login URL.
- Default custom URL: `/hidden-access-52w`
- Blocks direct access to wp-login.php and wp-admin for guests

### 🛡️ Protect Debug Log File
Blocks direct access to `/wp-content/debug.log`
- Returns 403 Forbidden for all users

### ⚙️ Modern Settings Page
Configure everything from a beautiful React-powered interface.
- Located under **Tools → NHR Secure**
- **Dark Mode** support for comfortable viewing
- Enable/disable each feature

### 🔐 Two-Factor Authentication (2FA)
Enable two-factor authentication for users.
- Support for **Authenticator Apps** and **Email OTP**
- **Enforce 2FA** for specific user roles (e.g., Administrators)
- **Recovery Codes** for emergency access
- QR code setup for Authenticator Apps

### 🛡️ Vulnerability Checker
Automatically scan your installed plugins, themes, and WordPress core against a known vulnerability database.
- Daily automatic scans
- Alerts for critical security issues
- Check file integrity

### 🖥️ User Session Management
Monitor and control active user sessions to prevent unauthorized access.
- **View Active Sessions:** See IP, location, device, and login time for all logged-in users.
- **Remote Logout:** Instantly log out suspicious sessions or all other devices.
- **Idle Timeout:** Automatically log out inactive users after a set period.

### 🧱 Hardening & Firewall
Essential security hardening to lock down your WordPress site.
- **Disable XML-RPC:** Prevent remote attacks and brute-force attempts.
- **Disable File Editor:** Stop file modifications from the dashboard.
- **Hide WP Version:** Obscure your WordPress version from attackers.
- **Block User-Agents:** Prevent bad bots and scrapers from accessing your site.
- **Disable User Enumeration:** Stop attackers from harvesting usernames via REST API.

### 📝 Activity Audit Log
Keep a record of important security events on your site.
- Tracks logins, failed attempts, file changes, and settings updates.
- View user, IP, and event details.
- Configurable log retention policy.

### 🏥 Security Health Check & One-Click Secure
Get an instant overview of your site's security posture.
- **Security Score:** View your overall protection percentage and grade (A+ to F).
- **Health Dashboard:** See which security features are active and which need attention.
- **One-Click Secure:** Apply recommended security settings instantly.
- **11 Security Checks:** Comprehensive analysis of your security status.

### 🛡️ Advanced Firewall (IPS)
Proactive intrusion prevention system that blocks malicious requests in real-time.
- **SQL Injection Protection:** Detect and block SQLi attacks automatically.
- **XSS Prevention:** Stop cross-site scripting attempts.
- **LFI Protection:** Prevent local file inclusion attacks.
- **Pattern Matching:** Advanced regex-based detection for common attack vectors.
- **Automatic Blocking:** Suspicious requests are blocked before they reach WordPress.

### 🌍 IP & Country Management
Control access to your site with granular IP and geographic filtering.
- **IP Whitelist:** Allow trusted IPs to bypass all security filters.
- **IP Blacklist:** Block malicious IPs permanently from your site.
- **CIDR Support:** Use CIDR notation for blocking entire IP ranges (e.g., 192.168.1.0/24).
- **Country Blocking:** Block access from 90+ countries using GeoIP lookup.
- **Smart Caching:** GeoIP lookups are cached for 24 hours for optimal performance.
- **Private IP Detection:** Automatically skip local/private IPs.

### ⚡ Lightweight & Minimal
Designed to deliver maximum security with minimal code. No bloat, no complexity.
- Compatible with most WordPress themes and plugins.

== Installation ==

1. Upload the `nhrrob-secure` plugin folder to your `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Navigate to **Tools → NHR Secure** to configure settings.

== External Services ==

This plugin utilizes the [WPVulnerability](https://wpvulnerability.com/) API to check for vulnerabilities.
- **Service:** WPVulnerability
- **Data:** Only plugin slugs and versions are sent. No personal data is collected.

== Frequently Asked Questions ==

= How do I access the settings page? =
Navigate to **Tools → NHR Secure** in your WordPress admin dashboard.

= Does it limit login attempts? =
Yes. Repeated failed login attempts from the same IP will be temporarily blocked to prevent brute-force attacks. You can configure the limit (1-20 attempts) from the settings page.

= What is the default custom login URL? =
The default custom login URL is `/hidden-access-52w`. You can change this in the settings page under Tools → NHR Secure.

= How does 2FA work? =
2FA (Two-Factor Authentication) adds an extra layer of security to your WordPress site. When enabled, users must enter a code from their 2FA app (e.g., Google Authenticator, Authy) in addition to their username and password to log in.

= Can I disable specific features? =
Yes. You can enable or disable each feature from the settings page under Tools → NHR Secure.

== Screenshots ==

1. Failed login attempts are blocked.
2. Custom login page.
3. Debug log is hidden.
4. Modern React-powered settings page.
5. Modern React-powered settings page - part 2.
6. 2FA setup in user profile.
7. 2FA setup in user profile - Email OTP.
8. 2FA setup in user profile - Recovery codes.
9. Dark mode support.


== Changelog ==

= 1.3.2 - 09/05/2026 =
- WordPress tested up to version is updated to 7.0
- Few minor bug fixes & improvements

= 1.3.1 - 07/02/2026 =
- Fixed: Forced logout issue for 2FA users

= 1.3.0 - 28/01/2026 =
- Added: Security Health Check with scoring system (A+ to F grade)
- Added: One-Click Secure feature to apply recommended settings instantly
- Added: Advanced Firewall (IPS) with real-time protection against SQL Injection, XSS, and LFI attacks
- Added: IP Management with Whitelist and Blacklist (CIDR support)
- Added: Country Blocking for 90+ countries using GeoIP lookup with caching
- Improved: Dark mode styling for all components
- Improved: Overall security dashboard UI/UX

= 1.2.0 - 17/01/2026 =
- Added: User Session Management (View active sessions, remote logout, idle timeout)
- Added: Hardening & Firewall (Disable XML-RPC, File Editor, Version Hiding, User Enumeration)
- Added: User-Agent Blocking
- Added: Audit Logs for security events
- Fixed: Dark mode improvements
- Improved: UI enhancements

= 1.1.0 - 13/01/2026 =
- Added: Vulnerability Checker
- Added: File Scanner to check file integrity
- Improved: UI for scan results
- Few minor bug fixing & improvements

= 1.0.6 - 11/01/2026 =
- Fixed: Fatal error due to missing vendor files

= 1.0.5 - 11/01/2026 =
- Added: Email OTP feature
- Added: Recovery codes for 2FA
- Added: Enforce 2FA for specific roles
- Added: Dark mode support
- Few minor bug fixing & improvements

= 1.0.4 - 09/01/2026 =
- Added: Modern React-powered settings page under Tools → NHR Secure
- Added: Enable/disable all features from admin interface
- Added: Configurable login attempts limit (1-20)
- Added: Customizable login page URL from settings
- Added: Two-factor authentication (2FA) feature

= 1.0.3 - 05/01/2026 =
- Added: Custom login page.
- Added: Hide debug log.

= 1.0.2 - 04/12/2025 =
- Initial release. Cheers!!
- Added plugin assets (icons, banners & screenshot).
- Fixed fatal error related to function name.

= 1.0.1 - 30/11/2025 =
- Few minor bug fixing & improvements

= 1.0.0 - 23/10/2025 =
- Initial beta release. Cheers!


== Upgrade Notice ==

= 1.0.0 =
- This is the initial release. Feel free to share any feature request at the plugin support forum page.