=== PureGuard — Bot Protection & Performance ===
Contributors: chanmyayaung
Tags: bot detection, security, firewall, traffic quality, waf
Requires at least: 5.6
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 6.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Five security modes, branded challenge and block pages, a VPN-friendly filter, and a live Security/Performance dashboard for your WordPress site.

== Description ==

PureGuard is a simple, safe bot-protection plugin for WordPress. You pick **one** of five security modes — the plugin configures everything else for you. No confusing combinations, no accidental blocking.

Every visitor is sorted into one of three groups:

* **Humans** — proven real visitors (always allowed).
* **Suspicious** — not clearly a bot, but not clearly human either.
* **Bots** — confirmed bots.

**The five modes**

* **Off (Monitor only)** — Nothing is ever blocked or challenged, and no API call is made per visit. Use this when your traffic is already filtered upstream.
* **Medium (recommended)** — Confirmed bots are blocked. Humans and Suspicious visitors both pass freely. No challenge page.
* **High** — Confirmed bots are blocked and Suspicious visitors must pass a quick JavaScript browser check.
* **Strict (Humans only)** — Only proven humans get in. Bots AND suspicious visitors are blocked.
* **Lockdown** — Emergency mode: everyone sees the block page. Logged-in users and search engines are always excepted, so you never lock yourself out.

**Censorship-friendly VPN filter**

If your real audience browses through VPNs or proxies to escape censorship, turn on the censorship-friendly filter: a visitor flagged ONLY for VPN / proxy / hosting-network signals is never hard-blocked. In High mode they get the quick browser check instead (humans pass it, bots cannot). Visitors with real bot evidence are still blocked.

**Branded challenge and block pages**

Add your own logo, brand name, accent color, and dark or light theme. Customize the block-page heading and message, show blocked visitors their IP and an incident ID, and let real people report a mistake with one click ("I am human"). Preview both pages from the settings with one click before anything goes live.

**PureGuard Live dashboard**

A full statistics page with two views:

* **Security** — hourly traffic chart, visitor mix, top blocked IPs, top countries, top block reasons, visitor reports, and a live feed of the latest decisions.
* **Performance** — API latency (average and p95), cache efficiency, checks per hour, and the bot page-loads your server never had to render.

Data comes from a local, self-pruning event log in your own database (last 30 days). Nothing extra is sent anywhere.

**Multilingual challenge page**

The challenge page auto-detects the visitor's browser language. English, Thai, Bahasa Indonesia, Vietnamese, and Burmese (Myanmar) are built in, and every line is editable from the settings page.

**Engagement intelligence**

Optionally measures anonymous time-on-page and scroll signals so PureGuard can score traffic quality per site. No personal data is collected.

== Frequently Asked Questions ==

= Will this block my real visitors? =

In Off mode, never. In Medium mode, only confirmed bots. In High mode, uncertain visitors may briefly see a JavaScript challenge. In Strict mode, suspicious visitors are blocked too — use it only when you want humans-only traffic. Lockdown blocks everyone except logged-in users and search engines.

= My readers use VPNs. Will they be blocked? =

Turn on the censorship-friendly filter (Security Mode tab). Visitors flagged only for VPN/proxy usage are never hard-blocked — at most they see a quick automatic browser check that real people pass in seconds.

= Do I need a PureGuard account? =

Yes. Add your PureGuard API key under Settings → PureGuard. Get one at https://pureguard.io.

= Does it slow down my site? =

Verdicts are cached per visitor (default 1 hour), so the API is called at most once per visitor per cache window. Logged-in users and search engines are skipped. The Performance view of the Live dashboard shows you the exact latency and cache-hit numbers.

= Where is the traffic data stored? =

In a small table in your own WordPress database, pruned automatically to the last 30 days. You can turn the local log off in Settings → General.

== Screenshots ==

1. PureGuard Live dashboard — Security view
2. PureGuard Live dashboard — Performance view
3. Security mode selector (five modes)
4. Design & Pages — branding and block-page customization
5. The branded challenge page
6. The branded block page with incident details

== Changelog ==

= 6.0.1 =
* NEW: PureGuard Live now has two scopes — "This site" (visitors this plugin checked at your WordPress site) and "My PureGuard account" (every visitor across all your sites and traffic connectors). The account scope shows the same numbers as your pureguard.io/live dashboard, so the two never disagree.
* IMPROVED: Clear labels explain which checkpoint each number comes from.

= 6.0.0 =
* NEW: Two more security modes — Strict (Humans only) and Lockdown (block everyone, admins and search engines excepted).
* NEW: Censorship-friendly VPN filter — visitors flagged only for VPN/proxy/hosting signals are challenged instead of hard-blocked, for audiences that browse via VPN to escape censorship.
* NEW: PureGuard Live — a full statistics dashboard with Security and Performance views: hourly charts, visitor mix, top blocked IPs/countries/reasons, live feed, API latency and cache efficiency. Powered by a local, self-pruning 30-day event log.
* NEW: Branded gate pages — custom logo (Media Library picker), brand name, accent color, dark/light theme on both the challenge and block pages, with one-click admin previews.
* NEW: Customizable block page — heading, message, visitor IP + incident ID + time display, and an "I am human" report button; reports appear on the Live dashboard.
* NEW: Custom success message and optional redirect after a passed browser check.
* CHANGED: Each site now reports to PureGuard intelligence under its own domain as the traffic source (previously a shared "WORDPRESS" source), so your site gets its own reputation.
* FIX: Internal version constant and readme stable tag aligned.

= 5.0.7 =
* IMPROVED: Off mode now returns before any API call — zero added latency when monitoring is all you want.

= 5.0.4 =
* NEW: "Allow AI training crawlers" toggle (off by default). Search engines and social crawlers are always allowed.
* CHANGED: "Allow VPN" now applies to VPNs only — open / datacenter / TOR proxies stay blocked.
* IMPROVED: Plain-language labels (Humans / Suspicious / Bots) throughout.

= 5.0.3 =
* IMPROVED: The plugin forwards the visitor's browser headers (Sec-Fetch, client-hints, language) to the detection API for accurate trust scoring.

= 5.0.2 =
* NEW: "Allow VPN / proxy visitors" toggle.

= 5.0.1 =
* NEW: Burmese (Myanmar) challenge language. Default trust threshold aligned to 5.5.

= 5.0.0 =
* NEW: One security mode selector (Off / Medium / High) replacing the v4 multi-dropdown setup, per-site zone identity, multilingual challenge page, stats tab, fail-open API behavior.

= 4.0.1 =
* Compliance: challenge CSS/JS moved into enqueued assets per WordPress.org review.

= 4.0.0 =
* BREAKING: prefixes renamed to `pgperf_`. JS challenge with SHA-256 proof-of-work and browser integrity checks.

= 3.0.0 =
* Three-tier traffic classification.

= 2.0.0 =
* WAF security layer via the PureGuard detection engine.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 6.0.0 =
Big upgrade: five security modes (new Strict and Lockdown), censorship-friendly VPN filter, branded challenge/block pages with logo and previews, and the new PureGuard Live dashboard. Your existing settings are kept; review Settings → PureGuard after updating.
