=== PureGuard — Bot Protection & Performance ===
Contributors: chanmyayaung
Tags: bot detection, security, firewall, traffic quality, waf
Requires at least: 5.6
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 6.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Five security modes, branded challenge and block pages, a VPN-friendly filter, and a live Security/Performance dashboard for your WordPress site.

== Description ==

PureGuard is a simple, safe bot-protection plugin for WordPress. You pick **one** of five security modes — the plugin configures everything else for you. No confusing combinations, no accidental blocking.

Every visitor is sorted into one of three groups:

* **Humans** — proven real visitors (always allowed).
* **Suspicious** — not clearly a bot, but not clearly human either.
* **Bots** — confirmed bots.

**The five modes**

* **Off (Monitor only)** — Nothing is ever blocked or challenged, and no API call is made per visit. Use this when your traffic is already filtered upstream.
* **Medium (recommended)** — Confirmed bots are blocked. Humans and Suspicious visitors both pass freely. No challenge page.
* **High** — Confirmed bots are blocked and Suspicious visitors must pass a quick JavaScript browser check.
* **Strict (Humans only)** — Only proven humans get in. Bots AND suspicious visitors are blocked.
* **Lockdown** — Emergency mode: everyone sees the block page. Logged-in users and search engines are always excepted, so you never lock yourself out.

**Censorship-friendly VPN filter**

If your real audience browses through VPNs or proxies to escape censorship, turn on the censorship-friendly filter: a visitor flagged ONLY for VPN / proxy / hosting-network signals is never hard-blocked. In High mode they get the quick browser check instead (humans pass it, bots cannot). Visitors with real bot evidence are still blocked.

**Branded challenge and block pages**

Add your own logo, brand name, accent color, and dark or light theme. Customize the block-page heading and message, show blocked visitors their IP and an incident ID, and let real people report a mistake with one click ("I am human"). Preview both pages from the settings with one click before anything goes live.

**PureGuard Live dashboard**

A full statistics page with two views:

* **Security** — hourly traffic chart, visitor mix, top blocked IPs, top countries, top block reasons, visitor reports, and a live feed of the latest decisions.
* **Performance** — API latency (average and p95), cache efficiency, checks per hour, and the bot page-loads your server never had to render.

Data comes from a local, self-pruning event log in your own database (last 30 days). Nothing extra is sent anywhere.

**Multilingual challenge page**

The challenge page auto-detects the visitor's browser language. English, Thai, Bahasa Indonesia, Vietnamese, and Burmese (Myanmar) are built in, and every line is editable from the settings page.

**Engagement intelligence**

Optionally measures anonymous time-on-page and scroll signals so PureGuard can score traffic quality per site. No personal data is collected.

== Frequently Asked Questions ==

= Will this block my real visitors? =

In Off mode, never. In Medium mode, only confirmed bots. In High mode, uncertain visitors may briefly see a JavaScript challenge. In Strict mode, suspicious visitors are blocked too — use it only when you want humans-only traffic. Lockdown blocks everyone except logged-in users and search engines.

= My readers use VPNs. Will they be blocked? =

Turn on the censorship-friendly filter (Security Mode tab). Visitors flagged only for VPN/proxy usage are never hard-blocked — at most they see a quick automatic browser check that real people pass in seconds.

= Do I need a PureGuard account? =

Yes. Add your PureGuard API key under Settings → PureGuard. Get one at https://pureguard.io.

= Does it slow down my site? =

Verdicts are cached per visitor (default 1 hour), so the API is called at most once per visitor per cache window. Logged-in users and search engines are skipped. The Performance view of the Live dashboard shows you the exact latency and cache-hit numbers.

= Where is the traffic data stored? =

In a small table in your own WordPress database, pruned automatically to the last 30 days. You can turn the local log off in Settings → General.

== Screenshots ==

1. PureGuard Live dashboard — Security view
2. PureGuard Live dashboard — Performance view
3. Security mode selector (five modes)
4. Design & Pages — branding and block-page customization
5. The branded challenge page
6. The branded block page with incident details

== Changelog ==

= 6.0.0 =
* NEW: Two more security modes — Strict (Humans only) and Lockdown (block everyone, admins and search engines excepted).
* NEW: Censorship-friendly VPN filter — visitors flagged only for VPN/proxy/hosting signals are challenged instead of hard-blocked, for audiences that browse via VPN to escape censorship.
* NEW: PureGuard Live — a full statistics dashboard with Security and Performance views: hourly charts, visitor mix, top blocked IPs/countries/reasons, live feed, API latency and cache efficiency. Powered by a local, self-pruning 30-day event log.
* NEW: Branded gate pages — custom logo (Media Library picker), brand name, accent color, dark/light theme on both the challenge and block pages, with one-click admin previews.
* NEW: Customizable block page — heading, message, visitor IP + incident ID + time display, and an "I am human" report button; reports appear on the Live dashboard.
* NEW: Custom success message and optional redirect after a passed browser check.
* CHANGED: Each site now reports to PureGuard intelligence under its own domain as the traffic source (previously a shared "WORDPRESS" source), so your site gets its own reputation.
* FIX: Internal version constant and readme stable tag aligned.

= 5.0.7 =
* IMPROVED: Off mode now returns before any API call — zero added latency when monitoring is all you want.

= 5.0.4 =
* NEW: "Allow AI training crawlers" toggle (off by default). Search engines and social crawlers are always allowed.
* CHANGED: "Allow VPN" now applies to VPNs only — open / datacenter / TOR proxies stay blocked.
* IMPROVED: Plain-language labels (Humans / Suspicious / Bots) throughout.

= 5.0.3 =
* IMPROVED: The plugin forwards the visitor's browser headers (Sec-Fetch, client-hints, language) to the detection API for accurate trust scoring.

= 5.0.2 =
* NEW: "Allow VPN / proxy visitors" toggle.

= 5.0.1 =
* NEW: Burmese (Myanmar) challenge language. Default trust threshold aligned to 5.5.

= 5.0.0 =
* NEW: One security mode selector (Off / Medium / High) replacing the v4 multi-dropdown setup, per-site zone identity, multilingual challenge page, stats tab, fail-open API behavior.

= 4.0.1 =
* Compliance: challenge CSS/JS moved into enqueued assets per WordPress.org review.

= 4.0.0 =
* BREAKING: prefixes renamed to `pgperf_`. JS challenge with SHA-256 proof-of-work and browser integrity checks.

= 3.0.0 =
* Three-tier traffic classification.

= 2.0.0 =
* WAF security layer via the PureGuard detection engine.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 6.0.0 =
Big upgrade: five security modes (new Strict and Lockdown), censorship-friendly VPN filter, branded challenge/block pages with logo and previews, and the new PureGuard Live dashboard. Your existing settings are kept; review Settings → PureGuard after updating.
