=== Ultimate Security – Login Protection, 2FA, Anti-Spam CAPTCHA, Brute-Force & Security Tools ===
Contributors: wpultimatesecurity
Donate link: https://www.wpultimatesecurity.com
Tags: security, login security, two factor authentication, brute force, captcha
Requires at least: 5.8
Tested up to: 6.9.4
Requires PHP: 8.1
Stable tag: 1.0.20
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block hackers, bots and brute-force attacks with 2FA, CAPTCHA, login protection, session controls, security tools and more.

== Description ==

#### WORDPRESS SECURITY PLUGIN — PROTECTION WITHOUT THE COMPLEXITY

Automated bots probe WordPress logins and forms around the clock. Ultimate Security shuts that down — with two-factor authentication, brute-force lockouts, anti-spam CAPTCHA, a hidden login URL, session controls, and security maintenance tools — all from a clean dashboard you do not need to be a security expert to run.

🛡️ **Lightweight. Privacy-first. No bloat.**

= Why Ultimate Security? =

* **It just works.** Sensible defaults out of the box — turn it on, you are safer in minutes.
* **Built for real attacks.** Stops the automated login, brute-force and spam traffic that actually hits WordPress sites.
* **Zero learning curve.** Plain-English settings, a Test Mode to preview rules before they go live.
* **Privacy-respecting.** No tracking, no data collection. Pro features are clearly labelled.

= 🔐 Login & Two-Factor Authentication =

* **Two-Factor Authentication (2FA)** — Email one-time codes **and** authenticator apps via TOTP/HOTP.
* **Per-user 2FA with role-based configuration options** — Let users enable 2FA and configure which roles should use email or app-based 2FA.
* **Brute-force login lockout** — Limit failed attempts, auto-lock offenders, auto-reset retries, block specific users, and keep a recovery URL for emergencies.
* **Custom login URL** — Hide `wp-admin` / `wp-login.php` behind a secret address so bots cannot find it.
* **Strong password policies** — Enforce length, complexity, expiry and password history.
* **Session control** — Limit concurrent logins per user and harden auth cookies.

= 🤖 Bot & Brute-Force Protection =

* **Anti-spam CAPTCHA** — Google reCAPTCHA v2/v3 **and** Cloudflare Turnstile.
* **Form coverage** — Protect WordPress login, registration and lost-password forms; Turnstile also supports comment forms; WooCommerce login/register forms are supported when enabled.
* **No-conflict mode** — Plays nicely alongside other CAPTCHA setups.

= 🧱 Security Maintenance & Controls =

* Rotate WordPress security keys / salts on demand.
* Use the Update Manager to control WordPress core, plugin and theme update behavior.
* Connect Cloudflare and deploy configurable WAF rule groups from the dashboard.
* Review a basic Security Score with prioritized security checks.
* Advanced hardening toggles, API privacy filtering and scheduled salt rotation are available in Pro.

= 📊 Monitoring & Tools =

* **Login Activity snapshot** — Review recent successful and failed login activity from the dashboard.
* **Basic Security Score** — See a scored security posture based on enabled protections.
* **Site Health snapshot** — WordPress/PHP versions, memory, active plugins and theme at a glance.
* **Test Mode** — Simulate security rules and review what *would* have been blocked before enforcing.
* **Settings backup & restore** — Export/import your configuration as JSON for migrations or disaster recovery.

👉 **[Check Out »](https://www.wpultimatesecurity.com)**

== Installation ==

**Requirements:** WordPress 5.8+ and PHP 8.1+. HTTPS is strongly recommended for 2FA and secure sessions.

1. In WordPress, go to **Plugins → Add New** and search for "WPUltimateSecurity".
2. Click **Install Now**, then **Activate**.
3. Open the **Ultimate Security** menu and follow the setup flow.

= Quick Start: recommended first 5 minutes =

1. Enable **2FA** for all administrator accounts.
2. Set **login attempt limits** and a lockout duration.
3. Add **CAPTCHA** (reCAPTCHA or Cloudflare Turnstile) to the login, registration and comment forms.
4. Set a **custom login URL** and save it somewhere safe.
5. Review the **Security Score**, **Site Health** and **Test Mode** before enabling stricter rules.

== Frequently Asked Questions ==

= Will this slow down my site? =
It is built to stay lightweight — security checks run on login and form submission, not on every page view.

= Do I need any technical or coding knowledge? =
No. Defaults are safe out of the box and every setting is in plain English with a guided setup flow.

= I enabled 2FA / a custom login URL and locked myself out. How do I get back in? =
Disable the plugin to restore default login: via FTP/SFTP rename the folder `/wp-content/plugins/ultimate-security`, or over SSH/WP-CLI run `wp plugin deactivate ultimate-security`. Then log in and reconfigure.

= Does it work with WooCommerce? =
CAPTCHA and login protection cover WooCommerce login and registration forms where enabled. Checkout CAPTCHA is not currently part of the verified free feature set.

= Does it work on WordPress Multisite? =
Yes, it runs on Multisite. Network-wide behaviour depends on how you configure it per site.

= Does the custom login URL work with caching / CDNs? =
Yes. Exclude the login path from full-page caching (most caching plugins do this for login/admin automatically) so the secret URL is never served from cache.

= Will it conflict with other security or CAPTCHA plugins? =
It can if two plugins do the same job. Pick one plugin per function (one 2FA, one CAPTCHA, one login limiter) and disable the overlapping feature in the other.

= Is my data private? Does the plugin track me or phone home? =
No telemetry, no tracking, no usage data collection. It only contacts third-party services you explicitly enable (see External Services below).

= Is it GDPR-friendly? =
Yes. The plugin is self-hosted and stores its data in your own database. The only outbound calls are the optional services you turn on (reCAPTCHA, Turnstile, WordPress.org salt API).

= What happens to my data when I uninstall? =
You control whether plugin data is removed on uninstall via the plugin's settings.

= What is the difference between Free and Pro? =
Free covers core protection: Email/App 2FA, brute-force lockout, CAPTCHA, custom login URL, password policies, session limits, manual salt rotation, update controls, basic Security Score, Cloudflare WAF rules, Site Health, Test Mode and backup/restore. Pro will add more advanced security features once it is released.

= How do I get support? =
Use the plugin support forum on WordPress.org, or visit https://www.wpultimatesecurity.com.


== External Services ==

This plugin connects to the following third-party services, and only when you explicitly enable the related feature:

= Google reCAPTCHA =
* When: reCAPTCHA CAPTCHA protection is enabled.
* Data sent: the visitor's reCAPTCHA response token and your site secret key.
* Endpoint: https://www.google.com/recaptcha/api/siteverify
* Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

= Cloudflare Turnstile =
* When: Cloudflare Turnstile CAPTCHA protection is enabled.
* Data sent: the visitor's Turnstile response token and your site secret key.
* Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify
* Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/
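
The two siteverify exchanges above, as an added example (not the plugin's own code): the site posts the visitor's response token and its secret key, the service answers with JSON, and the site must treat anything other than an explicit `success: true` for its own hostname as a rejection. Function names are hypothetical, the secret is a placeholder, and the HTTP transport is injected so the check runs offline against a constructed response; a real plugin would pass `wp_remote_post()` or equivalent.

```php
<?php
// Added example of server-side CAPTCHA token verification (hypothetical names).
// The transport is injected so the decision logic can be exercised offline.
declare(strict_types=1);

const RECAPTCHA_VERIFY = 'https://www.google.com/recaptcha/api/siteverify';
const TURNSTILE_VERIFY = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

/**
 * Verify a visitor's response token. Returns [ok (bool), reason (string)].
 * Fails closed: transport errors, malformed JSON, success !== true and a
 * hostname that is not ours are all rejections.
 */
function verify_captcha_token(string $endpoint, string $secret, string $token,
                              string $expectedHost, callable $post): array
{
    if ($token === '' || strlen($token) > 2048) {
        return [false, 'missing-or-oversized-token'];
    }
    // Both services accept the same two form fields: secret and response.
    $raw = $post($endpoint, ['secret' => $secret, 'response' => $token]);
    if (!is_string($raw)) {
        return [false, 'transport-error'];
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !array_key_exists('success', $data)) {
        return [false, 'malformed-response'];
    }
    if ($data['success'] !== true) {
        return [false, implode(',', $data['error-codes'] ?? ['unknown'])];
    }
    // Both services echo the hostname the widget was solved on; pin it so a
    // token solved on someone else's site cannot be replayed against ours.
    if (($data['hostname'] ?? '') !== $expectedHost) {
        return [false, 'hostname-mismatch'];
    }
    return [true, 'ok'];
}

// Constructed transport standing in for wp_remote_post(): returns canned JSON.
$fakePost = fn(string $url, array $body): ?string =>
    $body['response'] === 'good-token'
        ? json_encode(['success' => true, 'hostname' => 'example.com'])
        : json_encode(['success' => false, 'error-codes' => ['invalid-input-response']]);

foreach (['good-token', 'bad-token'] as $token) {
    [$ok, $why] = verify_captcha_token(TURNSTILE_VERIFY, 'SECRET_PLACEHOLDER',
                                       $token, 'example.com', $fakePost);
    echo $token, ': ', $ok ? 'accepted' : "rejected ($why)", PHP_EOL;
}
```

Run with `php verify.php`; swapping `$fakePost` for a real POST to either endpoint is the only change needed for live verification.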

= WordPress.org Secret-Key (Salt) API =
* When: you request rotation of WordPress security keys/salts.
* Data sent: a request for randomly generated salt strings (no site or user data).
* Endpoint: https://api.wordpress.org/secret-key/1.1/salt/
* Privacy: https://wordpress.org/about/privacy/

= WordPress.org Core Version Check =
* When: the Update Manager checks for available WordPress core updates.
* Data sent: a standard WordPress core version-check request (no user data).
* Endpoint: https://api.wordpress.org/core/version-check/1.7/
* Privacy: https://wordpress.org/about/privacy/

= Cloudflare API =
* When: you connect Cloudflare or deploy/view WAF rules.
* Data sent: Cloudflare credentials/token, selected zone/rule data, and Cloudflare API requests needed for verification, deployment and analytics.
* Endpoint: https://api.cloudflare.com/client/v4/
* Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/

== Changelog ==

= 1.0.20 =
* New: Improved Session Management settings including concurrent login limits, session cookie hardening and more.
* New: Cloudflare Turnstile and reCAPTCHA CAPTCHA verification when applying their respective keys.
* Improvement: Cloudflare WAF rules function improvement.
* Improvement: Code optimization and performance improvements.

= 1.0.19 =
* Fix: 2FA User role was not working properly.
* Fix: Login activity dashboard modal was showing wrong agent.
* Improvement: More user-friendly Server Protection card design.
* Improvement: Code cleanup and optimization.

= 1.0.18 =
* New: One-click Cloudflare WAF rules apply
* New: New Modal for Login activity with detailed information.
* Improvement: Code cleanup and optimization
* Fix: Login redirect URL was showing the existing login for password reset.

= 1.0.17 =
* Fix: Minor bug fixes and stability improvements
* Improvement: Code cleanup and optimization

= 1.0.16 =
* Improvement: Code improvements to the overall plugin, making it snappier.

= 1.0.15 =
* Improvement: Conflict management between applied settings.
* Improvement: UI improvements to existing settings pages. Making it more intuitive to use.
* Fix: Multiple bug fixes to dashboard. You should get more accurate results now.
* Fix: New deactivation URL was not saving after deactivating and reactivating the plugin.

= 1.0.14 =
* Fix: Email 2FA codes were not being sent properly
* Fix: 2FA code page flickering effect after login

= 1.0.13 =
* New: Completely redesigned user interface for better usability

= 1.0.12 =
* New: Security Score meter to track your site's security level
* Improvement: Enhanced modal design for better UI/UX

= 1.0.11 =
* Fix: Minor UI bug fixes

= 1.0.10 =
* Security: Removed unauthenticated AJAX actions
* Security: REST routes now require admin permission

= 1.0.9 =
* Fix: Dashboard emergency deactivation URL display issue

= 1.0.8 =
* Improvement: Human-readable values in activity log
* Improvement: Reduced plugin size with optimized code
* Fix: 2FA reset issue for users
* Fix: Password policy not applying to new users

= 1.0.7 =
* New: Activity Log feature
* New: Improved dashboard design
* Fix: Nonce validation issues
* Fix: Turnstile not showing on comment forms

= 1.0.6 =
* Fix: Custom login setup issues
* Fix: Email 2FA asking for OTP twice
* Fix: Feedback form email delivery
* Improvement: Reorganized menu navigation
* Improvement: Performance optimizations

= 1.0.5 =
* Fix: Request logs page display issue
* Fix: URL Guard SQL query display
* Improvement: Performance optimizations

= 1.0.4 =
* Redesigned settings page interface
