=== Vegestic - Users Login Limit ===
Contributors: vegesticsolutions
Tags: login, sessions, security, concurrent login, user management
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Control concurrent login sessions per user — set limits, track login history, and force logout from your dashboard.

== Description ==

**Vegestic - Users Login Limit** helps you control how many devices or browsers a user can stay logged into at the same time. It is ideal for membership sites, subscription websites, online courses, and any WordPress site where you want to reduce account sharing.

= Features =

* Limit the number of simultaneous logins for each user.
* View user login activity.
* Record login IP addresses.
* Detect the approximate login location.
* Force logout active sessions.
* Customize the login limit message.
* Export login history as CSV.
* Supports unlimited users.
* Compatible with WordPress privacy tools.

= Installation =

1. Upload the `vegestic-users-login-limit` folder to the `/wp-content/plugins/` directory, or install it through the WordPress Plugins screen.
2. Activate the plugin.
3. Open **Vegestic - Users Login Limit** from the WordPress dashboard.
4. Configure your preferred login limits and settings.

== Privacy ==

This plugin stores login-related information such as login time, IP address, browser information, session details, and approximate location (if enabled).

For location detection, the plugin may connect to free public IP geolocation services. Only the user's IP address is used to retrieve an approximate location. Location data is cached to reduce external requests.

Users can remove their personal data using WordPress's built-in privacy tools.

== External Services ==

If location detection is enabled, the plugin may connect to the following free IP geolocation services:

* ipapi.co
* ipwho.is
* freeipapi.com
* ip-api.com

These services are used only to retrieve the approximate location of a user's IP address.

== Frequently Asked Questions ==

= Does this work with any WordPress theme? =
Yes. The plugin works at the authentication level and is entirely theme-independent.

= Will this log out users who are already logged in? =
No. Existing sessions are not affected when you add a user or lower their limit. Only new login attempts after the limit is set are blocked. Use the **Logout All** button to clear existing sessions manually.

= Can I disable location tracking? =
Yes. Add this to your theme's `functions.php` or a custom plugin:
`add_filter( 'wpll_geo_api_providers', '__return_empty_array' );`

= Is user data exported for GDPR requests? =
Yes. The plugin registers with WordPress's privacy tools. Administrators can export or erase a user's login data via **Tools → Export Personal Data** and **Tools → Erase Personal Data**.

= What happens if a user is at their limit and tries to log in? =
They see the custom block message on the login screen and their login is rejected. The blocked attempt is logged in their history.

= Can I change the session limit per user? =
Yes. Each user in the block list has their own configurable session limit. You can update it from the Block Users table or from the User Details page.

== Screenshots ==

1. Dashboard overview showing managed users and active sessions.
2. Block Users page — add users and set individual session limits.
3. User Details page — view sessions, login history, IP and location data.
4. Login Message editor — customize the error shown to blocked users.

== Changelog ==

= 1.0.1 =
* Security: Geo-location transients are now only created for valid, publicly routable IP addresses. Private, reserved, and localhost IP addresses are resolved as "Local Network" without writing a transient, preventing any transient-flooding vector via spoofed request headers.
* Improvement: Reduced geo-location transient lifetime from 24 hours to 12 hours, limiting stale cache exposure while preserving the lookup-reduction benefit.
* Compliance: Updated ipwho.is and freeipapi.com third-party legal URLs to their current canonical forms in the readme.

= 1.0.0 =
* Initial public release.
* Session limiting per user with configurable limit.
* Login history tracking (up to 50 records per user).
* IP address logging on each login event.
* Location detection via free public geo-IP APIs (ipapi.co, ipwho.is, freeipapi.com, ip-api.com).
* Active sessions view with force-logout option.
* Custom login block message editor.
* CSV export of login history.
* GDPR-compliant privacy data exporter and eraser.
* Full i18n support with translatable strings.

== Upgrade Notice ==

= 1.0.1 =
Security and privacy improvements for geo-location caching and protected-user login tracking.

= 1.0.0 =
Initial release.
