=== SiteFort Security - Malware Scanner, Firewall, Login Security & Hardening ===
Contributors: securewpteam
Tags: security, malware scanner, firewall, 2fa, vulnerability
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.7.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Prevention-first WordPress security. Hardening closes weak points, firewall and 2FA lock down logins, malware scanning stays off your server.

== Description ==

Most WordPress hacks start with a door someone left open. An unpatched plugin, an exposed backup, a weak admin password. SiteFort works prevention-first. It closes these weak points before attackers find them, then backs that with a firewall and cloud malware scanning. An attack cannot exploit a door that is no longer open.

Malware analysis runs in the SiteFort cloud, not on your hosting, so full scans stay fast even on shared servers. The free plugin is real protection, not a trial; the protections most sites need are included without a paywall.

**[Try the Live Demo](https://demo.securewp.net/)** | [Features](https://securewp.net/wordpress-security-plugin/) | [Free Remote Scan](https://securewp.net/security-checker/)

### Comprehensive WordPress Protection

* **Cloud Malware Scanner:** Detects backdoors, web shells, injected code, and SEO spam, with the heavy analysis running in the cloud instead of on your server.
* **Verified Hardening:** Locks down XML-RPC, user enumeration, sensitive files, and PHP execution, then checks each rule is actually enforced, not just switched on.
* **Firewall & Bot Filter:** Country blocking, rate limits, a community IP blocklist, and bot filtering that never blocks real search engines.
* **Login Security & 2FA:** Custom login URL, CAPTCHA, brute-force lockouts, breached-password blocking, and role-based 2FA enforcement. No separate login plugin needed.
* **Backdoor Admin & Account Audit:** Finds admin accounts hidden from the WordPress users list, plus weak, breached, and suspicious accounts.
* **Vulnerability Checks:** Scans core, plugins, and themes against CVE intelligence and shows affected versions, severity, and fix guidance.
* **Repair & Quarantine:** Quarantine suspicious files (restorable if something breaks) or repair infected files from clean sources in one click.
* **Cloudflare Edge Sync:** Push IP, country, and bot rules to Cloudflare so attacks are blocked before they ever reach WordPress.

### WordPress Security Scanner

A single scan checks far more than files.

* **Malware Detection:** Known files clear instantly by local hash; only unknown or suspicious files go to deep cloud analysis for backdoors, web shells, injected code, SEO spam, and malicious redirects.
* **File Integrity Checks:** Catches tampered core, plugin, and theme files, and flags files that shouldn't exist on the site at all.
* **User Account Security:** Flags breached passwords, risky roles, suspicious user data, and administrator accounts that need review.
* **Ghost Administrator Detection:** Catches backdoor admin accounts, including ones hidden from the WordPress users list or created outside normal site workflows.
* **Content & Database Safety:** Checks WordPress data locally for injected content, suspicious options, unsafe URLs, spam injections, and malicious redirect indicators.
* **Domain & IP Reputation:** Checks your domain and server IP against blocklists and abuse feeds, so you learn about a listing before your visitors or your email deliverability do.
* **Sensitive File Exposure:** Finds exposed backups, logs, config files, debug files, and other files attackers commonly target.
* **Vulnerability Scanner:** Checks WordPress core, plugins, and themes for known vulnerabilities, affected versions, severity, and CVE references where available.
* **Server State Checks:** Reviews public paths, security headers, file exposure, and server settings that make a compromise easier.

*Cloud-assisted file scanning reduces server load. Content and database checks run on the site. Database content never leaves.*

### WordPress Security Hardening

SiteFort closes the exposure points attackers check first, then verifies each protection is actually enforced on the server, not just enabled in the dashboard.

* **XML-RPC Controls:** Disable XML-RPC, restrict authentication, or block pingback abuse.
* **User Enumeration Blocking:** Reduces username leaks from author archives, REST endpoints, and common discovery paths.
* **Sensitive File Protection:** Blocks public access to `.env`, backups, logs, debug files, `.git` metadata, lock files, sample configs, and server fragments.
* **PHP Execution Protection:** Blocks PHP execution in uploads and direct PHP access inside plugin and theme folders where supported.
* **Directory Listing Protection:** Reduces exposure from browsable upload, plugin, theme, or backup directories.
* **File Editor Protection:** Disables the built-in theme and plugin file editor to limit damage from compromised admin accounts.
* **REST & Application Password Controls:** Restricts risky REST access and application password behavior based on site needs.
* **Version & Metadata Cleanup:** Hides WordPress version output and reduces exposed generator and header signals.
* **Security Headers:** Analyze and manage CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and disclosure headers.
* **Verified Hardening:** SiteFort checks whether supported hardening rules are actually enforced; items that require manual hosting or server configuration are flagged separately.

### Login Security & 2FA

Account takeover is one of the fastest ways to lose control of a WordPress site. SiteFort adds layered login protection without requiring separate plugins.

* **Custom Login URL:** Move your login page to a private address; anything hitting wp-login.php gets a redirect, a 403, or a 404, your choice.
* **Attack Prevention:** Brute-force lockouts, CAPTCHA, generic login errors, and XML-RPC/REST authentication controls.
* **Two-Factor Authentication:** Role-based 2FA enforcement with authenticator app codes, email codes, and recovery codes.
* **Password Policy:** Weak and breached password detection, role-based strength enforcement, and expiration rules.

### WordPress Firewall

SiteFort blocks unwanted traffic before it consumes server resources, with no custom rule syntax to learn.

* **IP & Country Rules:** Block or allow traffic by IP address, CIDR range, country, bot, crawler, or user agent.
* **Country Blocking:** Supports both block-selected and allow-only modes.
* **Sensitive File Protection:** Stops bots probing for `.env`, `.git`, `wp-config.php` backups, SQL dumps, debug logs, installer files, and other risky paths.
* **Cloudflare Sync:** Pushes supported IP, country, and user-agent rules to Cloudflare so high-volume blocks happen at the edge.
* **Temporary Edge Blocks:** Blocks repeat attackers at Cloudflare when Cloudflare Sync is configured.
* **Rate Limiting & 404 Controls:** Reduces abusive traffic spikes, repeated missing-page requests, and automated noise.
* **Community Threat Intelligence:** Blocks traffic from malicious IPs seen across the SiteFort network.
* **Vulnerability-Hunting Bot Protection:** Blocks bots probing for vulnerable plugins, themes, backup files, and configuration leaks.

### Bot Filter Policy

Not all bots are bad. Pick one of three protection levels; unwanted automation gets blocked while legitimate search crawlers always pass through safely, so bot filtering never puts your SEO at risk.

* **Basic:** Blocks known hacking tools and bots probing for vulnerable files.
* **Balanced:** Blocks hacking tools, scraping bots, and automated scripts. Recommended for most sites.
* **Maximum:** Blocks hacking tools, scrapers, automated scripts, and unrecognized bot traffic.
* **Block AI Training Crawlers:** Optional block for AI scrapers that harvest content for model training (GPTBot, ClaudeBot, CCBot, Bytespider). AI assistants and search crawlers stay allowed.

*Choose the level that fits the site, then adjust individual rules from the firewall dashboard.*

### Vulnerability Management

SiteFort checks installed WordPress core, plugin, and theme versions against vulnerability intelligence and shows affected assets, severity, CVE references where available, and the update that fixes each issue. While you apply updates, the firewall blocks the scanner bots that hunt for vulnerable components.

### One-Click Repair & Restore

**Pro:** Guided repair workflows let you act on scan findings without manually editing files over FTP or SSH.

* Repair or delete malicious files directly from scan results.
* Restore clean WordPress core, plugin, and theme files when a trusted clean source is available.
* Repair supported paid plugin and theme files when clean-source matching is available.
* Quarantine suspicious files safely, with one-click restore if something on the site breaks.

*For an active compromise, [Securewp expert cleanup](https://securewp.net/wordpress-malware-removal/) and managed security services are available when hands-on investigation, root-cause patching, blocklist help, or post-cleanup review is needed.*

### Audit Log & SiteFort Console

SiteFort keeps a security event history so you can quickly see what changed, what was blocked, and what needs attention.

* **Login Activity:** Successful logins, failed attempts, lockouts, 2FA events, and account-related actions.
* **User & Site Changes:** User updates, plugin and theme changes, settings changes, and sensitive admin actions.
* **Firewall Activity:** Blocked IPs, country rules, bot blocks, rate-limit events, and suspicious request activity.
* **Scanner Results:** Malware findings, vulnerability findings, reputation checks, hardening issues, and scan history.
* **Hardening Changes:** Applied rules, failed rules, verified protections, and items needing manual review.

Site-level security features are available from the WordPress dashboard. SiteFort Console is optional for teams that need centralized visibility across multiple sites.

* Multi-site status for connected websites.
* Downloadable reports for clients or internal review.
* Team roles and support workflows.

### Hosting Compatibility

SiteFort is built for real WordPress environments including shared hosting, managed hosting, VPS, and Cloudflare-proxied sites.

* Works with Apache, Nginx, and LiteSpeed.
* Compatible with shared hosting, managed WordPress hosting, VPS, and dedicated servers.
* Cloudflare-friendly: supports proxied sites and optional Cloudflare rule sync.
* Cloud-assisted scanning reduces heavy scan work on lower-resource hosting plans.
* Verified hardening confirms whether key rules are actually enforced, not just toggled on.

### Free vs Pro

**Free includes** the firewall, bot filter, login security and 2FA, verified hardening, vulnerability checks, audit log, quarantine, and cloud malware scanning with 3,000 scan credits every month.

**Pro adds:**
* Unlimited cloud scanning with deep threat analysis
* Scheduled scans and automated vulnerability alerts
* One-click malware repair with clean-file restore for core, plugins, and themes
* Uptime and SSL expiry monitoring
* Slack, Discord, email, and webhook alerts
* Remote scan history, advanced reports, and white-label options for agencies
* Expert cleanup discounts

**Managed** adds hands-on monitoring, response workflows, and expert cleanup coverage by the Securewp team.

Looking for a market comparison? See the [WordPress Security Plugin Comparison](https://securewp.net/wordpress-security-plugin-comparison/).

== Installation ==

1. Install SiteFort from the WordPress plugin directory, or upload the plugin ZIP file.
2. For manual installation, upload the unzipped `sitefort` folder to `/wp-content/plugins/`.
3. Activate the plugin from the **Plugins** screen and open **SiteFort** in wp-admin.
4. Complete the setup wizard, or open **SiteFort > Settings > License and Plan**.
5. Activate with your email address or license key.
6. Review scanner, firewall, country blocking, bot policy, login security, 2FA, and hardening settings.
7. Connect Cloudflare from **Settings > Integrations** if you want edge-level firewall enforcement.
8. Run your first security scan and review malware, account, database, reputation, vulnerability, and hardening findings.

*Note: SiteFort requires outbound HTTPS for license activation, cloud malware analysis, vulnerability intelligence, firewall intelligence, community blocklist updates, reputation checks, clean-file repair, and optional Console sync.*

== Frequently Asked Questions ==

= Can I try SiteFort before installing it? =
Yes. You can explore the full SiteFort security dashboard in a live, disposable WordPress demo with no signup or install required. Launch it at https://demo.securewp.net/. The demo opens a private WordPress site with SiteFort preinstalled, drops you straight into wp-admin to try the scanner, firewall, login security, and hardening, and resets automatically when the session ends.

= How does SiteFort help secure my website? =
SiteFort adds practical protection layers for WordPress: firewall rules, bad-bot blocking, country controls, login security, 2FA, CAPTCHA, password protection, vulnerability checks, security hardening, audit logs, and cloud-assisted malware scanning.

The approach is prevention-first: close the weak points attackers look for, block the automated traffic that probes for them, and scan for anything that got through, all from your WordPress dashboard.

= What security risks can SiteFort find? =
SiteFort checks for malware, backdoors, web shells, malicious PHP scripts, injected scripts, SEO spam, suspicious redirects, exposed sensitive files, backdoor admin accounts, weak or breached passwords, vulnerable plugins and themes, reputation issues, unsafe database/content indicators, and weak hardening rules.

= How does SiteFort keep scans lightweight? =
SiteFort uses hash-first file checks so known files can be resolved quickly. Only unknown or suspicious files may be sent for deeper cloud analysis when needed. Database and content checks run on your own website, and scan results are cached where possible so unchanged files do not need the same work again.

= Does SiteFort send my database content to the cloud? =
No. Database and content safety checks run on your own website. Your database content never leaves your site. For file scanning, SiteFort sends file hashes first. Only files that cannot be verified by hash alone may be uploaded for deeper malware analysis. If `wp-config.php` requires analysis, sensitive configuration values are removed before upload.

= Does SiteFort include firewall protection? =
Yes. SiteFort includes firewall rules for IP addresses, CIDR ranges, countries, bots, crawlers, user agents, rate limits, suspicious requests, and bots looking for exposed files or weak points. SiteFort also supports community threat intelligence and optional Cloudflare Sync for supported firewall rules.

= Does SiteFort support country blocking and Cloudflare? =
Yes. Country blocking supports both block-selected and allow-only modes. Country detection can use Cloudflare country data for proxied sites, Cloudflare integration when configured in SiteFort, or a local MaxMind GeoLite2 database when a free MaxMind license is configured. SiteFort can also sync supported IP, country, and user-agent firewall rules to Cloudflare when the domain is proxied through Cloudflare and a scoped API token is configured.

= Will bot protection block Google or search engines? =
SiteFort’s bot filter policy blocks unwanted automation while allowing trusted search engines, social previews, and major crawlers. You can choose Basic, Balanced, or Maximum protection depending on how aggressively you want to filter bots, scraping tools, automated scripts, and traffic looking for vulnerable files. Google and Bing crawlers are confirmed by reverse DNS, so genuine search bots are always allowed while requests that fake their identity can be blocked.

= Can SiteFort block AI bots and AI training crawlers? =
Yes. SiteFort includes an optional control to block AI training crawlers that collect site content for model training, such as GPTBot, ClaudeBot, CCBot, and Bytespider. AI assistants that fetch a page on a visitor's request, and AI search crawlers that can send referral traffic, stay allowed, so you keep useful AI visibility while limiting bulk content scraping.

= Does SiteFort protect WordPress logins? =
Yes. SiteFort includes login security controls such as role-based 2FA, authenticator app codes, email codes, recovery codes, brute-force lockouts, CAPTCHA, custom login URL, generic login errors, weak-password detection, role-based strong-password enforcement, breached-password checks, and password expiration policies.

= What hardening protections are included? =
SiteFort reduces common WordPress exposure by protecting sensitive files, blocking PHP execution in risky locations, disabling directory listing, controlling XML-RPC, blocking user enumeration, hiding version output, restricting REST access where appropriate, disabling application passwords, disabling the theme/plugin file editor, and managing security headers. Where possible, SiteFort also checks whether hardening rules are actually enforced, not just enabled in the dashboard.

= How does SiteFort handle vulnerable plugins and themes? =
SiteFort checks installed WordPress core, plugin, and theme versions against known vulnerability intelligence. It shows affected assets, severity, CVE references where available, and recommended actions. SiteFort does not claim to virtually patch vulnerable code. It identifies vulnerable components and reduces automated discovery attempts while you update, replace, or remove affected software.

= Can SiteFort help after a site is already hacked? =
Yes. SiteFort can scan for malware, suspicious users, injected content, reputation issues, exposed files, vulnerable components, and weak hardening rules. Supported plans add one-click malware repair/restore. Expert cleanup and managed security services are also available when hands-on response is needed.

= What features require a paid plan? =
Paid plans add unlimited cloud deep threat analysis, scheduled scans, automated vulnerability alerts, one-click malware repair/restore, supported clean-file restoration, uptime/SSL monitoring, Slack/Discord/email/webhook alerts, advanced reports, white-label options, expert cleanup discounts, and managed security options.

= Do I need SiteFort Console? =
No. Site-level security features are available from your WordPress dashboard. SiteFort Console is optional for users who want centralized visibility, multi-site management, remote workflows, reports, alert routing, uptime/SSL monitoring, team access, and support workflows.

= Is SiteFort suitable for shared or managed hosting? =
Yes. SiteFort is designed for shared hosting, managed WordPress hosting, VPS setups, Apache, Nginx, LiteSpeed, and Cloudflare-proxied sites. Hash-first file checks, selective cloud analysis, on-site database checks, bot blocking, rate limits, and Cloudflare Sync keep server work low on lower-resource hosting.

= How do I activate SiteFort Pro? =
Open **SiteFort > Settings > License and Plan** in your WordPress dashboard. You can activate with the email address used at checkout or a license key. If you already have a free license under the same email, the site can upgrade to Pro from the License and Plan screen.

== Screenshots ==

1. **Security Scanner:** Staged scan progress across files, malware, accounts, database/content safety, reputation, vulnerabilities, severity, detection type, and remediation actions.
2. **Firewall Controls:** Easy bot/crawler policy, rate limits, community blocklist, and Cloudflare Sync.
3. **Firewall Rule Builder:** IP rules, country blocking, and bot/crawler firewall rules.
4. **Login Security:** Custom login URL, lockouts, CAPTCHA protection, and password controls.
5. **2FA:** Role enforcement, authenticator app setup, email codes, recovery codes.
6. **Server Hardening:** Sensitive file protection, PHP execution controls, XML-RPC and security headers.
7. **WordPress Hardening:** REST API, user enumeration, file editor protection.
8. **Vulnerability Scanner:** Affected plugins, themes, WordPress core, CVE references, severity, and fix guidance.
9. **Security Headers:** Security header analyzer and configuration.
10. **Audit Log:** Searchable security events, user activity, firewall actions, scan results, and sensitive changes.
11. **SiteFort Console:** Multi-site status, scans, alerts, reports, uptime, SSL, team workflows, and support options.

== External services ==

SiteFort connects to external services only when needed for license activation, cloud-assisted malware analysis, vulnerability intelligence, firewall intelligence, optional Console sync, optional CAPTCHA, optional GeoIP, Cloudflare sync, and administrator-enabled notifications.

Optional integrations are not contacted unless they are configured or used.

= SiteFort Cloud =

* **Servers:** securewp.net, intel.securewp.net, console.securewp.net
* **Used for:** License activation, service metadata, cloud malware analysis, vulnerability intelligence, firewall intelligence, reputation checks, community blocklist sync, clean-file repair, and optional Console sync.
* **Data sent:** Email address, license key/token, site URL, WordPress/plugin versions, installed plugin/theme names and versions, file hashes, scan results, vulnerability findings, reputation status, firewall metadata, blocked IPs, and security configuration metadata.
* **Malware scanning:** File hashes are sent first. Only unknown or suspicious files may be uploaded for deeper analysis and are deleted after processing. Database and content checks run on your website. SiteFort does not upload your database or database-stored content to the cloud. If wp-config.php requires analysis, sensitive configuration values are removed before upload.
* **Temporary storage:** SiteFort Cloud may return temporary upload/download URLs on *.amazonaws.com for scan uploads or clean-file repair downloads.
* **Privacy:** https://securewp.net/privacy-policy/
* **Terms:** https://securewp.net/terms-and-conditions/
* **Storage provider policies:** AWS privacy https://aws.amazon.com/privacy/ and terms https://aws.amazon.com/service-terms/; Cloudflare privacy https://www.cloudflare.com/privacypolicy/ and terms https://www.cloudflare.com/website-terms/

= Optional integrations =

* **MaxMind GeoLite2** (download.maxmind.com) is used only when an administrator downloads or updates the local GeoIP database. It sends the configured MaxMind account ID and license key. Visitor IPs are resolved locally and are not sent to MaxMind during normal requests. Privacy: https://www.maxmind.com/en/privacy-policy Terms: https://www.maxmind.com/en/geolite2/eula
* **Have I Been Pwned Passwords** (api.pwnedpasswords.com) is used for breached-password checks when enabled. SiteFort sends only the first 5 characters of the SHA-1 password hash. Full passwords and full hashes are never sent. Privacy: https://haveibeenpwned.com/Privacy Terms: https://haveibeenpwned.com/TermsOfUse
* **Google reCAPTCHA** (www.google.com) and **Cloudflare Turnstile** (challenges.cloudflare.com) are used only when selected and configured for CAPTCHA protection. They receive the challenge token, site key, and visitor/browser data required by the selected provider. Policies: https://policies.google.com/privacy https://policies.google.com/terms https://www.cloudflare.com/turnstile-privacy-policy/ https://www.cloudflare.com/website-terms/
* **Cloudflare API** (api.cloudflare.com) is used only when Cloudflare Sync is enabled. It sends Zone ID, API token/credentials, zone details, blocked IPs, country rules, selected user-agent rules, and firewall rule data. Privacy: https://www.cloudflare.com/privacypolicy/ Terms: https://www.cloudflare.com/website-terms/
* **Notification webhooks** may send security alerts to Slack (hooks.slack.com), Discord (discord.com, discordapp.com), or a custom HTTPS webhook entered by the administrator. Webhook payloads may include site name, site URL, event type, severity, scan counts, vulnerability names, CVE identifiers, firewall counts, usernames, IP addresses, browser names, action URLs, timestamps, and event details. Slack policies: https://slack.com/trust/privacy/privacy-policy https://slack.com/terms-of-service/user Discord policies: https://discord.com/privacy https://discord.com/terms

= Local site checks =
Some requests are loopback checks against the protected site’s own public URL, such as security-header checks, public-file exposure checks, and homepage link collection. These contact the site being protected, not a third-party service.

== Changelog ==

= 1.7.1 =
* Moved verified search crawler and Cloudflare safe-network ranges to the SiteFort Intel feed with signed updates, bundled fallback data, and migration from the old crawler-range cache.
* Improved verified crawler handling so Google, Bing, and Cloudflare ranges never fall back to an empty set, while custom safe ranges can still be cleared from the feed.
* Added standby signing keys for safe-network feeds and scanner hash-cache proofs.
* Removed the unused firewall WHOIS/RDAP lookup endpoint so the plugin no longer makes direct RIPE or ARIN IP ownership lookups.

= 1.7.0 =
* Fixed scans appearing stuck on "Initializing" while checks were completing in the background; scan progress now shows as soon as the first check runs.
* SiteFort now detects when the host cannot run background scan processing, shows a notice explaining the reduced-speed mode and how to fix it with a server cron job, and stops sending wake-up requests that cannot succeed.
* Scans in reduced-speed mode now run several checks per status refresh instead of one, so they finish much sooner on affected hosts.
* Background worker dispatch failures are now logged with the failure reason instead of failing silently.
* Added the sitefort_scanner_worker_ack_timeout filter for slow hosts that need a longer worker dispatch timeout.

= 1.6.9 =
* Fixed Server-Level WAF updates on hosts with incompatible SiteFort data directory permissions.
* Improved Server-Level WAF errors and file-permission diagnostics for the SiteFort data directory.

= 1.6.8 =
* Updated search crawler IP verification to Google's new published range location and bundled the complete Google and Bing range lists, so genuine crawlers are recognized from the moment of installation.
* Fixed database table creation on hosts with a MyISAM default engine or legacy index size limits; installation now completes on all supported MySQL and MariaDB configurations.
* SiteFort tables now use the InnoDB engine where the server provides it, and existing installations are converted automatically.
* The Tools diagnostic now reports schema migration status, the last migration failure, and table engine details instead of a plain table count.

= 1.6.7 =
* Scan notices such as background task errors and skipped items no longer count as security findings or trigger scan alerts.
* Files too large to scan now appear as a low-severity finding with an option to delete the file.

= 1.6.6 =
* Added a configurable notification for custom login URL changes, delivered to your chosen email and webhook recipients.
* "Block AI training crawlers" now also adds Google-Extended and Applebot-Extended opt-out rules to robots.txt, covering Google and Apple AI training that cannot be blocked by user agent.
* SiteFort now registers your site over HTTPS when it is served over TLS, even if WordPress reports an http Site Address (for example behind a proxy or CDN).

= 1.6.5 =
* Improved search-engine crawler verification: Google and Bing crawlers are now also confirmed against their official published IP ranges, refreshed automatically, so genuine crawlers are recognized reliably even when a host's reverse DNS is slow or unavailable.
* Scan preflight now runs once per scan instead of repeating mid-scan, preventing needless scan-cache resets that slowed large first-time scans.

= 1.6.4 =
* Fixed ghost administrator detection being skipped during automated background scans, so hidden admin accounts are now caught on scheduled and remote scans, not just manual ones.

= 1.6.3 =
* Fixed quick scans dropping unknown and modified plugin or core file findings that a deep scan had detected; these integrity findings now persist across both scan types.
* Improved ghost administrator detection to catch admin accounts hidden from the WordPress Users list, and made suspicious admin username findings clearer.

= 1.6.2 =
* Scanner now shows clear maintenance notices and improved messaging when cloud deep-analysis limits are reached.
* Firewall traffic log now records the real user agent for pre-WordPress blocks instead of a placeholder.
* Improved CSV export formatting for audit and firewall logs, made firewall log processing more resilient to unusual entries, and refined content scanning and header checks for better reliability.
* Added an option to block AI training crawlers (GPTBot, ClaudeBot, and similar) while keeping AI assistants and AI search crawlers allowed.
* Search-engine crawlers (Google, Bing) are now confirmed by reverse DNS; requests that falsely claim to be them are blocked on the Balanced and Maximum policies, while genuine crawlers and transient DNS hiccups are always allowed through.

= 1.6.1 =
* Performance: greatly reduced the number of database queries on every page load by reading all settings in a single cached query, autoloading small status flags, and loading background and cloud work only where it is actually needed.
* Fixed a fatal error that could occur when the dashboard loaded its site health and reporting statistics.
* Hardened encryption of stored secrets with authenticated encryption bound to each storage slot, and made credential recovery safer so a temporary decryption error can no longer clear a valid connection.
* Tightened the file permissions of the plugin's encryption key.

= 1.6.0 =
* Sensitive-data scanner now reports exposed archives and backups only in the site root and wp-content, not inside uploads/plugins/themes.
* Exposed-file findings are scored by severity and confirmed more accurately to reduce false positives.
* Strong-password enforcement can now target specific user roles (defaults to Administrators); removed the rarely-used password-reuse and role-promotion options.
* Two-factor enforcement now defaults to Administrators, and the role pickers list the site's actual roles, including custom ones.
* REST API restriction now allows anonymous reads of public content for better theme and headless compatibility, while still blocking user enumeration.
* Bundled PHP libraries are now namespace-isolated to avoid conflicts with other plugins that ship the same dependencies.

= 1.5.3 =
* Fixed a fatal error when the hidden login 404 block rendered themes like Avada/WooCommerce.

= 1.5.2 =
* Improved scanner compatibility with refreshed WordPress.org file baselines.
* Improved activation validation for invalid email addresses and license keys.

= 1.5.1 =
* Added an admin compatibility notice for security plugins that may overlap with SiteFort server hardening.

= 1.5.0 =
* Improved scanner worker wakeup reliability on hosts that interrupt one-second loopback requests.
* Improved scanner cloud queue utilization and final scan log hydration on managed hosting.
* Added a secure tool to rename the default admin username with locking, transactions, multisite handling, and audit logging.

= 1.4.0 =
* Improved scanner cloud upload reliability with streamed S3 batch uploads and safer fallback handling.
* Prevented SiteFort runtime data files from delaying scan completion while preserving malicious hash detections.

= 1.3.0 =
* Improved cloud wakeup handling so completed cloud scan jobs can securely resume site polling without requiring the admin console.

= 1.2.0 =
* Fixed scan finding notification actions to open the scanner page instead of the dashboard.
* Added concise contextual copy to SiteFort notification emails before scan, firewall, vulnerability, digest, and fallback event details.
* Improved scanner findings empty states and vulnerability remediation card updates during active scans.

= 1.1.0 =
* Improved scanner worker recovery and server-load interruption messaging.
* Optimized setup wizard two-factor loading with a consolidated overview request.
* Hardened command queue and login lockout cleanup to prevent stale database growth.

= 1.0.2 =
* Bundled shared timestamp parsing into the admin shared asset to avoid a separate time chunk.

= 1.0.1 =
* Hardened automated scan scheduling with scanner-owned cron intervals, boot-time reconciliation, site-time run alignment, and stale schedule cleanup.
* Fixed audit log, dashboard, and firewall timestamps to use UTC event time consistently.
* Fixed dashboard and report daily totals to respect the WordPress site timezone instead of the server or database timezone.
* Added site-time display and CSV export fields for audit events while keeping UTC as the canonical timestamp.
* Updated file logs to write ISO-8601 UTC timestamps and retain legacy UTC log parsing.

= 1.0.0 =
* Initial release
