=== Sitevorx ===
Contributors: inetcorp
Tags: optimization, security, smtp, cleanup, maintenance
Requires at least: 5.5
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

An all-in-one WordPress toolkit for site optimization, security hardening, SMTP configuration, disk cleanup, and maintenance monitoring.

== Description ==

**Sitevorx** is a lightweight, all-in-one WordPress plugin that helps you optimize performance, harden security, and manage your website from a single, modern dashboard. No bloat, no external dependencies — just the tools you need.

= Security Center (NEW in 1.1.0) =
* **Security Score Dashboard**: A single 0–100 score that summarizes the hardening state of your site, with prioritized recommendations.
* **Core Integrity Checker**: Compares every WordPress core file against the official `api.wordpress.org` MD5 checksums to detect modified, missing, or extra files.
* **HTTP Security Headers**: One-click enable `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, and `Permissions-Policy` on the frontend.
* **Login Honeypot**: Invisible bait field on `wp-login.php` that silently rejects spam bots without affecting real users.
* **User Enumeration Protection**: Blocks `?author=N` probing and the public REST `/wp/v2/users` endpoint for non-logged-in visitors.
* **Login Notification**: Emails the administrator whenever an account with `manage_options` logs in successfully (1-hour cooldown per IP).
* **Login Attempt Limiter**: Lock out IPs after repeated failed login attempts, with configurable threshold, lockout duration, and IP allowlist.
* **Secret Login URL**: Hide the default `wp-login.php` behind a custom keyword.
* **Google reCAPTCHA v2 / v3**: Protect the login form from bots, with a configurable v3 score threshold.
* **Disable XML-RPC** and **Disable File Editor**: Block DDoS / brute-force vectors and stop code editing from the dashboard.

= Speed Optimization =
* **Heartbeat Throttle**: Slows the Heartbeat API to 60 seconds instead of disabling it, preserving autosave and post-locking.
* **System Tweaks**: Lazy load images, limit post revisions, allow safe SVG uploads (with XXE-hardened sanitizer).
* **Database Cleanup**: Remove revisions, spam comments, and expired transients in one click.
* **Malware Scanner**: Scan your entire codebase and database for suspicious injections.

= SMTP Configuration =
* Send emails via **Gmail** (App Password) or a **custom SMTP server** (SSL/TLS).
* Built-in **Test Email** sender.
* Email delivery log with success/failure tracking.
* Force From Name and From Email to prevent address drift.

= Website Utilities =
* Inject tracking codes in **Header/Footer** (Google Analytics, Facebook Pixel, etc.).
* **Content Protection**: Disable right-click, text selection, and drag-and-drop.
* **Maintenance Mode**: Display a professional "under construction" page to visitors.
* **Custom Login Logo**: Replace the WordPress logo on the login screen with your own brand.

= Disk Space Manager =
* Recursively scan your hosting for large files (>50 MB).
* Auto-categorize files (backups, error logs, large media).
* Bulk delete to free up disk space instantly.

= Floating Contact Buttons =
* **Phone Hotline** button with animated icon.
* **Zalo** chat button (auto-opens Zalo app).
* **Messenger** chat button (m.me deep link).
* Fully responsive floating widget in the corner of your site.

= Import / Export Settings =
* **Export** all Sitevorx settings as a JSON file.
* **Import** settings from another site in one click.
* **Reset** all settings to factory defaults.

= Scheduled Cleanup (WP-Cron) =
* Automatic cleanup: daily, twice daily, or weekly.
* Clears temp files, auto-drafts, spam, and optimizes database tables.
* Activity log showing the last 20 cleanup runs.

= Maintenance & Update Monitor =
* Track plugins and themes that need updating.
* Check WordPress core, PHP version, SSL status, and WP_DEBUG.
* Maintenance health score with actionable recommendations.

= Server Info =
* View Web Server, PHP, MySQL, and WordPress versions at a glance.
* PHP limits: memory, execution time, input vars, upload size.
* List all loaded PHP extensions.
* Database size monitoring.

== External Services ==

= Google reCAPTCHA (v2 and v3) =
Sitevorx can optionally integrate with Google reCAPTCHA (v2 checkbox or v3 invisible / score-based) to protect the WordPress login form. This feature is disabled by default and only works when an administrator explicitly enables it, selects a version, and provides valid Google-issued API keys.

When enabled, the plugin loads the Google reCAPTCHA JavaScript on the login screen and sends the generated verification token to Google's verification endpoint (`https://www.google.com/recaptcha/api/siteverify`) during login validation. For v3, the configurable score threshold (filter `sitevorx_recaptcha_v3_score_threshold`, default `0.5`) is compared against Google's returned score.

This service is provided by Google:
* Service URL: https://www.google.com/recaptcha/
* Verification endpoint: https://www.google.com/recaptcha/api/siteverify
* Terms of Service: https://policies.google.com/terms
* Privacy Policy: https://policies.google.com/privacy

= WordPress.org Core Checksums API =
The **Security Center → Kiểm Tra Toàn Diện → WordPress Core Integrity** check (off by default; runs only when the admin clicks "Kiểm tra") fetches the official MD5 checksums for the installed WordPress version from WordPress.org so it can flag modified or missing core files.

* Verification endpoint: https://api.wordpress.org/core/checksums/1.0/
* Request payload: only the installed WordPress version string (e.g. `6.4.2`) and the locale `en_US`. No site URL, user data, or content is sent.
* Operated by: WordPress.org
* Terms of Service: https://wordpress.org/about/privacy/

== Highlights ==

* **All-in-one**: Replaces 5-7 single-purpose plugins (SMTP, Security, Optimization, Cleanup, Maintenance).
* **Modern UI**: Gradient banners, collapsible sidebar, toast notifications, fully responsive.
* **Secure by design**: Nonce verification, input sanitization, CSRF protection, prepared database queries.
* **Lightweight**: Modular architecture — only loads what you use. Zero frontend impact. No Composer or NPM required.
* **Localized**: Full Vietnamese (vi) translation included via .po/.mo files.

== Installation ==

1. Upload the `sitevorx` folder to `/wp-content/plugins/`, or install the ZIP file via **Plugins > Add New > Upload Plugin**.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Navigate to the **Sitevorx** menu item in your admin sidebar.

== Frequently Asked Questions ==

= Does this plugin conflict with WP Mail SMTP? =
Yes, both plugins hook into `phpmailer_init`. We recommend deactivating other SMTP plugins before using Sitevorx's built-in SMTP module.

= Does it detect real IPs behind Cloudflare? =
Yes. Sitevorx reads the `CF-Connecting-IP` header to identify the real visitor IP behind Cloudflare's proxy.

= I forgot my secret login URL. How do I get back in? =
Open phpMyAdmin (or any database tool), find the `wp_options` table, and delete the row where `option_name` is `sitevorx_sec_login_key`. Then access `/wp-login.php` as usual.

== Changelog ==

= 1.1.0 =
* New module: **Trung Tâm Bảo Mật** (Security Center): consolidates the existing security features and adds Security Score, Headers, Honeypot, User Enumeration Protection, Login Notification, and Core Integrity Checker.
* New: HTTP Security Headers (`X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`): applied on the frontend only.
* New: Login Honeypot: inserts a hidden bot-trap field into the login form; real users are not affected.
* New: User Enumeration Protection: blocks `?author=N` and the REST API `/wp/v2/users` for guests.
* New: Login Notification: emails the admin when a `manage_options` account logs in successfully (1h cooldown per IP).
* New: WordPress Core Integrity Checker: compares the MD5 hashes of core files against `api.wordpress.org/core/checksums/1.0/` to detect modified or missing files (runs on demand; disclosed under External Services).
* UI: the "Tối ưu & Bảo mật" page is renamed "Tối ưu Tốc Độ"; the sidebar menu and the dashboard get a new card for the Security Center.
* Compliance: security actions are recorded through the unified audit log (`sitevorx_audit_log`) instead of several parallel ring buffers.
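
The User Enumeration Protection entry above, shown as an added example written for this readme (not the plugin's own code; the `example_*` names are hypothetical). The `?author=N` probe is refused for logged-out visitors before WordPress's own canonical redirect (hooked on `template_redirect` at priority 10) could answer with a `/author/<slug>/` URL, and the public user routes are dropped from the REST index for anonymous requests.

```php
<?php
// Illustrative user-enumeration hardening for a WordPress plugin (hypothetical names).

/**
 * Refuse numeric ?author=N probes from logged-out visitors with a 403.
 * Priority 1 runs before redirect_canonical() (priority 10), which would
 * otherwise 301 to /author/<login-name>/ and disclose the account name.
 * Pretty /author/<slug>/ archives are not touched, so public archives still work.
 */
function example_block_author_probe() {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && is_numeric( wp_unslash( $_GET['author'] ) ) ) {
        wp_die( esc_html__( 'Forbidden', 'example' ), esc_html__( 'Forbidden', 'example' ), array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'example_block_author_probe', 1 );

/**
 * Remove the public users routes from the REST index for anonymous requests.
 * Cookie-authenticated callers (e.g. the block editor's author picker, which
 * sends a REST nonce) keep the routes; an unauthenticated GET gets rest_no_route.
 */
function example_hide_rest_users( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Route keys exactly as core registers them in WP_REST_Users_Controller.
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_rest_users' );
```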

= 1.0.11 =
* Dashboard: each health issue now has a "→" action link that jumps directly to the page where the admin can fix it (Bảo mật, SMTP, Bảo trì, Tiện ích).
* Dashboard: new detection — `DISALLOW_WP_CRON` set in wp-config.php. Warns the admin that internal WP-Cron is off and an external cron must be calling wp-cron.php, otherwise scheduled cleanup will not run.
* Dashboard: new detection — recent SMTP failures. If SMTP logging is on, the dashboard counts non-success entries in the last 24h and links straight to the log tab.
* Dashboard: new detection — active login lockouts. Shows how many IPs are currently locked, with a one-click jump to the Bảo Mật tab where they can be unlocked.
* Audit log: diff summary now ignores default-off toggles on first save — only flags fields whose normalized on/off state actually flipped, so the "Ngữ cảnh" column lists just what the admin changed.
* Hardening: lockout diagnostics SQL query now wraps the LIKE patterns with `$wpdb->prepare()` + `$wpdb->esc_like()` to satisfy Plugin Check, even though both patterns are hardcoded.

= 1.0.10 =
* Audit log: the "Ngữ cảnh" column now describes what changed instead of dumping the full toggle state. Saving the security tab now records entries like "Bật Khóa XML-RPC, Tắt reCAPTCHA đăng nhập, Đổi số lần sai tối đa" instead of `login_key=off | disable_editor=on | ...`.
* Audit log: split "Lưu cấu hình Tối ưu & Bảo mật" into two distinct events — "Lưu cấu hình Tăng tốc Website" (Tăng Tốc tab) and "Lưu cấu hình Bảo mật & Tường lửa" (Bảo Mật tab) — so the timeline is easier to read.
* Audit log: manual cleanup entries now say which cleanup categories were picked (e.g. "Dọn: bản nháp, bình luận rác — tổng 2 nhóm") instead of `revisions=1 | spam=0 | transients=1 | items=2`.
* Audit log: new public helper `sitevorx_audit_summarize_diff()` for any module that wants to produce a similar before/after change list.

= 1.0.9 =
* Login lockout: maximum failed attempts and lockout duration are now admin-configurable (3–50 attempts, 5 minutes to 7 days). Defaults preserve previous behavior (5 attempts, 24 hours).
* Login lockout: new IP allowlist (one IPv4/IPv6 per line) — listed IPs are never counted and never locked, so an administrator on a known IP cannot lock themselves out.
* Login lockout: "IP đang bị khóa" diagnostics panel under Tối ưu & Bảo mật → Bảo Mật & Tường Lửa shows currently locked entries (hash + attempt count + expiry timestamp) with a per-row Unlock button. Unlock action is gated by manage_options + nonce and writes a `login_unlock` event to the audit log.
* Audit log: lockouts now write a `login_lockout` event the moment the threshold is hit, with IP, attempt count, last submitted username, and configured lockout window.
* Hardening: aligned the audit log's IP capture with `sitevorx_get_client_ip()` so Cloudflare's CF-Connecting-IP is only trusted when the matching CF-Ray header is present (not spoofable from arbitrary clients).
* i18n: restored Vietnamese diacritics in the reCAPTCHA failure messages and the two reCAPTCHA tab comments that had been mojibake-encoded.
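
The CF-Connecting-IP rule described in the hardening entry above (and in the Cloudflare FAQ), as an added example that is not the plugin's `sitevorx_get_client_ip()`; the `example_*` names and the `203.0.113.0/24` proxy range are placeholders. It goes one step beyond the page: a client that can reach the origin directly can send both `CF-Connecting-IP` and `CF-Ray`, so when a list of trusted proxy ranges is supplied, the header is only honoured if the TCP peer (`REMOTE_ADDR`) is one of those proxies.

```php
<?php
// Illustrative client-IP resolution behind a reverse proxy (hypothetical names).

/** True when $ip lies inside $cidr (IPv4 or IPv6; a bare address means /32 or /128). */
function example_ip_in_cidr( $ip, $cidr ) {
    list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, null );
    $ip_bin  = filter_var( $ip, FILTER_VALIDATE_IP ) ? inet_pton( $ip ) : false;
    $net_bin = filter_var( $net, FILTER_VALIDATE_IP ) ? inet_pton( $net ) : false;
    if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false; // invalid address or mixed IPv4/IPv6
    }
    $bits = ( null === $bits ) ? strlen( $net_bin ) * 8 : (int) $bits;
    $full = intdiv( $bits, 8 );
    $rem  = $bits % 8;
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    if ( 0 === $rem ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF; // partial last byte
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

/**
 * Resolve the visitor IP from a $_SERVER-shaped array.
 * Rule from the page: CF-Connecting-IP is used only when CF-Ray is also present.
 * Added stricter rule: if $trusted_proxies is non-empty, REMOTE_ADDR must be in one
 * of those ranges, otherwise the headers are ignored and REMOTE_ADDR is returned.
 */
function example_client_ip( array $server, array $trusted_proxies = array() ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    $cf_ip  = isset( $server['HTTP_CF_CONNECTING_IP'] ) ? trim( $server['HTTP_CF_CONNECTING_IP'] ) : '';
    $cf_ray = isset( $server['HTTP_CF_RAY'] ) ? trim( $server['HTTP_CF_RAY'] ) : '';

    if ( '' === $cf_ip || '' === $cf_ray || ! filter_var( $cf_ip, FILTER_VALIDATE_IP ) ) {
        return $remote;
    }
    if ( empty( $trusted_proxies ) ) {
        return $cf_ip; // header-presence rule only
    }
    foreach ( $trusted_proxies as $cidr ) {
        if ( example_ip_in_cidr( $remote, $cidr ) ) {
            return $cf_ip;
        }
    }
    return $remote; // peer is not a known proxy: treat the headers as forged
}

// Constructed request: both headers present, but the peer is outside the placeholder proxy range.
$forged = array( 'REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.9', 'HTTP_CF_RAY' => 'placeholder' );
echo example_client_ip( $forged, array( '203.0.113.0/24' ) ), PHP_EOL; // 203.0.113.0/24 is a placeholder, not Cloudflare's list
```

In production the trusted list would be populated from Cloudflare's published IP ranges and refreshed periodically; the login limiter and audit log would then key on the returned value.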

= 1.0.8 =
* Compliance: SMTP log listing now uses `$wpdb->prepare()` for the LIMIT clause to satisfy automated SQL-injection scanners.
* Compliance: removed PHP `@` error suppression on the malware scanner's file read; the scanner now checks `is_readable()` first and still gracefully skips unreadable files.
* Compliance: clarified External Services disclosure in readme.txt to cover both reCAPTCHA v2 and v3, and to name the `api/siteverify` verification endpoint explicitly.
* New: Audit Log submenu (Sitevorx → Nhật ký Kiểm toán) recording sensitive admin actions (settings save/reset/import, SMTP test, malware scan, scheduled cleanup change, manual cleanup run, disk file delete, log clear). Ring buffer of the 200 most recent entries, stored in the `sitevorx_audit_log` option (no new database table).
* Hardening: factory reset now preserves the audit trail by skipping the audit-log option, so administrators can review what was reset after the fact. Uninstall still drops the option on full removal.
* Dashboard: health overview now reflects runtime state, not just saved options. New warnings: scheduled cleanup enabled but no next run on cron (silent failure), SMTP mailer selected but missing credentials, reCAPTCHA toggle on but Site/Secret key empty, Maintenance Mode active (visitors blocked), WP_DEBUG still on in production.
* Dashboard: SMTP and Cron status cards now show a red "Thiếu credential" / "Lỗi lịch" badge when the saved option does not match runtime readiness, and the health score stops counting a broken cron or credentials-less mailer as a passing check.

= 1.0.7 =
* Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.
* Updated the reCAPTCHA settings heading to match the available v2/v3 selector.

= 1.0.6 =
* Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer & Security hardening controls.
* Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.

= 1.0.5 =
* Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.
* Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.
* Improved: SMTP "Force From Email" now warns when the sender domain differs from the site domain (SPF/DKIM mismatch hint).
* Improved: Scheduled cleanup skips `OPTIMIZE TABLE` on tables larger than 500MB to avoid long table locks on shared hosting.
* New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter `sitevorx_recaptcha_v3_score_threshold` (default 0.5).
* Compliance: Added empty `index.php` files in `/assets`, `/includes`, `/languages` for directory listing protection.
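
An added example of the XXE-hardened SVG check described in the 1.0.5 entry above (written for this readme, not the plugin's sanitizer; `example_sanitize_svg` is a hypothetical name). It rejects the four declaration kinds the entry lists before parsing, parses with network access disabled and without entity substitution, and then strips script-bearing elements, `on*` handlers and dangerous URL schemes. The declaration regexes are deliberately conservative: a comment that merely contains `PUBLIC` is also rejected.

```php
<?php
// Illustrative SVG sanitizer (hypothetical name). Needs ext/dom, which ships with PHP.

function example_sanitize_svg( $svg ) {
    // 1. Refuse DOCTYPE / ENTITY / SYSTEM / PUBLIC declarations outright: every XXE
    //    variant needs a DTD, and an upload never legitimately needs one.
    if ( preg_match( '/<!DOCTYPE|<!ENTITY/i', $svg ) || preg_match( '/<![^>]*\b(SYSTEM|PUBLIC)\b/i', $svg ) ) {
        return false;
    }

    // 2. Parse offline. LIBXML_NONET blocks any fetch; LIBXML_NOENT is intentionally absent
    //    so entities are never expanded even if a declaration slipped past step 1.
    $dom = new DOMDocument();
    libxml_use_internal_errors( true );
    $loaded = $dom->loadXML( $svg, LIBXML_NONET | LIBXML_NOBLANKS );
    libxml_clear_errors();
    if ( ! $loaded || 'svg' !== strtolower( $dom->documentElement->localName ) ) {
        return false;
    }

    // 3. Strip active content. Iterate over a snapshot so removals do not skip nodes.
    $blocked = array( 'script', 'foreignobject', 'iframe', 'object', 'embed' );
    $xpath   = new DOMXPath( $dom );
    foreach ( iterator_to_array( $xpath->query( '//*' ) ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $blocked, true ) ) {
            $el->parentNode->removeChild( $el );
            continue;
        }
        foreach ( iterator_to_array( $el->attributes ) as $attr ) {
            $name  = strtolower( $attr->nodeName );
            $value = trim( $attr->nodeValue );
            $handler   = ( 0 === strpos( $name, 'on' ) );                       // onload, onclick, ...
            $is_href   = in_array( $name, array( 'href', 'xlink:href' ), true );
            $bad_uri   = preg_match( '/^(javascript|vbscript)\s*:/i', $value );
            // data: URIs are only tolerated as the source of an <image>, never on <a> or <use>.
            $bad_data  = preg_match( '/^data\s*:/i', $value ) && 'image' !== strtolower( $el->localName );
            if ( $handler || ( $is_href && ( $bad_uri || $bad_data ) ) ) {
                $el->removeAttributeNode( $attr );
            }
        }
    }
    return $dom->saveXML();
}

// Constructed input: a DTD with an external entity is rejected; a handler-bearing SVG is cleaned.
$xxe   = '<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>';
$dirty = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script><rect width="1" height="1"/></svg>';
var_dump( example_sanitize_svg( $xxe ) );
echo example_sanitize_svg( $dirty );
```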

= 1.0.4 =
* Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site/user locale is English.

= 1.0.3 =
* Added dashboard, support, and rating links to the WordPress Plugins screen.

= 1.0.2 =
* Second pass on WordPress Plugin Directory automated review feedback:
  * Header/footer script output now goes through `wp_kses()` with a strict allow-list (`sitevorx_kses_tracking_tags()`) that permits only tracking / verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through `wp_kses_bad_protocol()` which strips `javascript:`, `data:` and `vbscript:` URLs.
  * The "Clear error log" feature now targets the canonical `WP_CONTENT_DIR/debug.log` location and uses the WordPress `WP_Filesystem` API. The plugin no longer writes anywhere outside `wp-content/`.
  * Escaped the secret login URL preview with `esc_url( home_url( '/?' . $key ) )`.
  * Removed the runtime `.po` -> `.mo` translation compiler. The plugin previously regenerated `languages/sitevorx-en_US.mo` on demand; that wrote to the plugin folder, which is not allowed. The compiled `.mo` is now shipped pre-built with the plugin and WordPress loads it normally.
  * Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled `.mo` file is now the only source of English strings.
  * Wrapped every remaining dynamic CSS class / inline style ternary (e.g. `echo $active ? 'on' : 'off'`) with `esc_attr()` across the sidebar, dashboard overview, SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.

= 1.0.1 =
* Security hardening per WordPress Plugin Review feedback:
  * Added `sanitize_text_field()` wrapper around every nonce value passed to `wp_verify_nonce()`.
  * Sanitized `$_POST` raw script fields (header/footer injection) with a dedicated helper (`sitevorx_sanitize_raw_script`) before `update_option()`; save path remains gated by the `unfiltered_html` capability.
  * Replaced `esc_url_raw()` with `esc_url()` for inline CSS output in the custom login logo.
  * Escaped every translated/output string that previously used `__()` inside `echo`/`printf`/`sprintf`: now wrapped with `esc_html__()`, `esc_html( sprintf(...) )`, or the `sitevorx_kses_basic()` helper (allowlisted `<strong>`, `<a>`, `<br>`, `<code>`, ...).
  * Hardened the JSON import flow with explicit `wp_unslash()` + `wp_check_invalid_utf8()` before `json_decode()`; per-field sanitization was already enforced on every decoded value.
  * Escaped integer counters and dynamic CSS class/style values with `(int)`, `esc_attr()`, and `esc_html()` across all admin screens.
  * Sanitized the `heavy_files[]` array from the disk cleaner with `array_map( 'sanitize_text_field', wp_unslash(...) )`.

= 1.0.0 =
* Initial public release.
* Full security audit: nonce verification, capability checks, input sanitization on all forms.
* Malware scanner for files and database.
* System optimizer with scheduled WP-Cron cleanup.
* Maintenance & Update monitor module.
* Modern Flex/Grid responsive dashboard UI.
* Complete Vietnamese localization.
* Dashboard: complete UI redesign — hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.
* Dashboard: "Xem dung lượng chi tiết" links directly to Detailed Storage tab.
* Disk Space Manager: two-tab interface — "File Cỡ Lớn (>50 MB)" (scan & delete) and "Dung Lượng Chi Tiết" (WP Content breakdown by plugins/themes/uploads/other + top-10 DB tables + Refresh).
* Security: added validation — cannot enable "Đổi Đường Dẫn Đăng Nhập" or "Khóa Tự Động Đăng Nhập" without filling required fields; shows error instead of silently reverting.
* i18n: bundled language files included for English and Vietnamese.
* i18n: added new translation strings for all new UI elements.
