=== Steel Security & Hardening – Site Audit Tools ===
Contributors: sweetwatermedia
Tags: security, hardening, audit, scanner
Requires at least: 6.4
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.0.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

High-signal WordPress security auditing and hardening with practical site audit tools for administrators.

== Description ==

Steel Security & Hardening – Site Audit Tools focuses on practical security hygiene for WordPress administrators.

The free plugin provides:

* on-demand security scans
* risk summaries grouped by severity and category
* checks for common WordPress hardening gaps
* checks for exposed root-level artifacts such as `.env`, SQL dumps, `phpinfo` files, and backup archives
* a quarantine vault for operator-reviewed file isolation
* uploads PHP execution blocking on supported server environments
* manual guidance when automatic server hardening is not safely supported

This plugin is positioned as an auditing and hardening tool. It helps surface risk and apply selected preventive controls, but it does not promise malware removal, incident response, or complete server protection.

= Included checks =

The scan currently looks for items such as:

* PHP error display exposure
* `WP_DEBUG` and `debug.log` exposure
* XML-RPC availability
* author and REST user enumeration exposure
* theme/plugin file editor availability
* WordPress generator meta output
* comments enabled by default
* uploads PHP execution hardening status
* root-level sensitive files and archives

= Server-aware behavior =

This plugin only auto-applies server config changes where it can do so in a scoped and reversible way.

* Apache and LiteSpeed: uploads PHP blocking is managed through a Steel Security-marked `.htaccess` block
* IIS: uploads PHP blocking is managed through a Steel Security-marked `web.config` section
* Nginx and unsupported environments: Steel Security provides manual guidance instead of claiming automatic protection
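What a scoped, reversible marked block of this kind can look like on Apache or LiteSpeed, as an added example that is not the plugin's own code; the marker name `Steel Security Uploads`, the rule set, and the use of WordPress core's `insert_with_markers()` are assumptions for illustration:

```php
<?php
// Added example, not the plugin's own code. It writes a "no PHP execution"
// rule set into wp-content/uploads/.htaccess using WordPress core's
// insert_with_markers(), which only ever touches the region between
// "# BEGIN <marker>" and "# END <marker>" and leaves other directives alone.
// Assumptions: the marker name, the rules, and the target path are illustrative.
require_once ABSPATH . 'wp-admin/includes/misc.php'; // defines insert_with_markers()

function steel_example_uploads_rules() {
    // Deny direct requests for PHP-like files under the uploads directory.
    // Apache 2.4 (mod_authz_core) and 2.2 syntax are both covered so the
    // block is valid on either; LiteSpeed honours the same directives.
    return array(
        '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">',
        '    <IfModule mod_authz_core.c>',
        '        Require all denied',
        '    </IfModule>',
        '    <IfModule !mod_authz_core.c>',
        '        Order deny,allow',
        '        Deny from all',
        '    </IfModule>',
        '</FilesMatch>',
    );
}

function steel_example_uploads_htaccess_path() {
    $upload_dir = wp_upload_dir(); // respects a custom UPLOADS basedir
    return trailingslashit( $upload_dir['basedir'] ) . '.htaccess';
}

// Apply: creates the file if needed, otherwise replaces only the marked region.
// Returns false when the file or its directory is not writable.
function steel_example_apply_uploads_block() {
    return insert_with_markers(
        steel_example_uploads_htaccess_path(),
        'Steel Security Uploads', // hypothetical marker name
        steel_example_uploads_rules()
    );
}

// Rollback: an empty rule set clears the marked region (the BEGIN/END
// comments remain) without touching directives placed there by the host
// or by other plugins.
function steel_example_rollback_uploads_block() {
    return insert_with_markers(
        steel_example_uploads_htaccess_path(),
        'Steel Security Uploads',
        array()
    );
}
```

On Nginx the `.htaccess` file is ignored, so the write succeeds without protecting anything; that is why the section above gives Nginx operators manual guidance rather than claiming automatic protection.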

= Pro companion =

This plugin can work with a separate Pro companion plugin that adds features such as scheduled scans, scan history, reports, and managed server-level controls such as directory listing protection and baseline security headers. The free plugin remains usable on its own.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/steel-security` directory, or install the plugin through the WordPress plugins screen.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Open `Steel Security` in wp-admin to review the dashboard, run a scan, and configure hardening controls.

== Frequently Asked Questions ==

= Does this plugin make remote calls? =

The free plugin does not rely on a third-party service for core scanning or hardening, and it does not require remote API calls for its free feature set.

= Does this plugin remove malware automatically? =

No. This plugin is designed to audit, surface risk, and help with selective hardening and operator-reviewed quarantine workflows. It should not be described as an automatic malware removal tool.

= Will this plugin edit my server configuration? =

Only for specific controls where the plugin can write a clearly delimited, reversible block on supported servers. Unsupported environments receive manual guidance instead.

= What happens on uninstall? =

The plugin removes its stored scan data, settings, and hardening rollback metadata. Quarantine payloads are intentionally preserved so operators can review and handle them manually.

== Screenshots ==

1. Dashboard with scan and hardening summary
2. Scan results grouped by severity and category
3. Hardening controls with apply and rollback actions
4. Quarantine vault for isolated file review

== Changelog ==

= 1.0.4 =

* refreshed the free plugin release package for the latest WordPress.org submission

= 1.0.3 =

* finalized the WordPress.org review follow-up fixes, removed dormant Pro-only local hardening code from Free, moved rollback metadata out of uploads, and refreshed the release package

= 1.0.2 =

* rebuilt the free plugin package after final WordPress.org review fixes and packaging updates

= 1.0.1 =

* clarified advisory-only handling for `DISALLOW_FILE_MODS` and excluded it from hardening posture scoring
* moved managed directory listing and baseline security headers fully into the Pro companion plugin
* replaced hardening-page Pro placeholders with a contextual upgrade section
* moved admin-page JavaScript to enqueued assets and tightened WordPress.org review compliance

= 1.0.0 =

* finalized WordPress.org-compliant free plugin naming and packaging
* aligned Pro package naming to Steel Security Pro for clearer installs
* refreshed the Steel Security logo asset in the admin header

= 0.1.2 =

* narrowed backup archive detection to avoid false positives from plugin files in backup-related paths
* improved first-scan dashboard messaging so new installs prompt for a scan instead of showing a misleading high-risk empty state
* improved action button labels and tooltips for quarantine workflows
* tightened uninstall cleanup for Free and Pro-owned data and rollback metadata

= 0.1.1 =

* refreshed release packaging
* improved dashboard and scan presentation

== Upgrade Notice ==

= 1.0.4 =

Recommended update for the latest WordPress.org submission package refresh.

= 1.0.3 =

Recommended update for the final WordPress.org review follow-up fixes and refreshed packaging.

= 1.0.2 =

Recommended update for final WordPress.org review fixes and refreshed packaging.

= 1.0.1 =

Recommended update for WordPress.org review compliance, clearer advisory-only hardening guidance, and stricter Pro feature separation.

= 1.0.0 =

Recommended update for naming consistency, cleaner packaging, and clearer release structure.

= 0.1.2 =

Recommended update for improved scan accuracy, clearer first-run UX, and cleaner uninstall behavior.
