Vigilant — Full changelog

For each release, see the entries below. The latest version is always at the top.
The current release notes also live in readme.txt under "== Changelog ==".

= 2.3.0 =
* New: Bulk selection in File Integrity scan results. Each table (Suspicious, Extra, Modified, Ignored) now has a checkbox column with native WordPress "select all" header, plus an "Ignore selected" / "Stop ignoring selected" action button per table. No more clicking Ignore one row at a time after a plugin update bumps a checksum and a hundred files appear.
* New: Developer filter `vigilante_skip_rate_limit` for modules that need to opt visitors out of firewall rate limiting (used internally by Under Attack mode for verified visitors).
* Improved: Firewall → IP Whitelist and IP Blacklist now document the supported formats inline. The descriptions and placeholders show that exact IPs, CIDR ranges (IPv4 only) and wildcards with `*` are accepted — the matcher already supported all three, but it wasn't visible in the UI.
* Fix: Under Attack mode no longer leaves visitors stuck on the JavaScript challenge page until rate limiting kicks in. Verified visitors (those who already passed the challenge) now bypass the aggressive 30 req/min cap that the mode applies — previously, loading a normal page with many WordPress-served images/scripts could burn the cap and produce a "Rate limit exceeded" message that looked like the challenge had failed.
* Fix: Refreshing the JS challenge page no longer invalidates an in-flight challenge nonce. The transient is now reused if still valid, breaking the loop where a user pressing F5 would post a stale nonce and bounce back to a new challenge endlessly. Nonce TTL also raised to 15 minutes (was 5) to tolerate slow Proof-of-Work on weak CPUs.

= 2.2.0 =
* New: Two opt-in protections for `wp-cron.php` abuse, both off by default and clearly labeled as "only enable if your host has real server-side cron":
* New: **Protect wp-cron.php** (Firewall → File Protection) — adds an `.htaccess` rule (`<Files wp-cron.php> Require all denied </Files>`) that blocks direct external HTTP access. This is the actual protection against cron-spam DoS abuse.
* New: **Disable WP Cron** (WP Hardening → wp-config.php Security) — writes `define('DISABLE_WP_CRON', true)` to wp-config.php, stopping WordPress from auto-spawning cron from page views. Pairs with the .htaccess block for full coverage.
* Improved: wp-cron.php Security Check now reads both Vigilant settings plus the `DISABLE_WP_CRON` constant and gives accurate, scenario-specific messages instead of the previous generic "consider disabling WordPress cron" advice. PASS when the URL is blocked (with extra confirmation when both Vigilant toggles are also active). When the URL is still reachable, the message tells you exactly which protection is missing — and never tells you to "disable WP cron" if you already have. Clicking "Go to setting" now jumps straight to the Vigilant toggle that fixes it.

= 2.1.1 =
* Fix: `?author=N` author enumeration was still leaking the username even with "Block author scanning" enabled. The protection's hook ran at the same priority as WordPress core's canonical redirect, which executed first and exposed the login. Hook now runs at priority 1 so the username never reaches the response.
* Improved: Security Check distinguishes three scenarios when a probe still detects a leak — sub-toggle on but master module off (explicit FAIL pointing to the master switch), both toggles on but probe still leaks (WARN suggesting cache/CDN purge), or both off (clean FAIL). Applied to both `?author=N` and REST API user enumeration checks.
* Improved: "Excellent" quality tag is now reserved for a perfect 100/100 score. A single missing point drops to "Good" so the label stays meaningful.
* Improved: Warning color in the Security Check widget now uses the same amber (#ff9800) as the Configuration Score warnings — less alarming than the previous deep-orange and consistent across the plugin.
* Improved: Trend card now requires at least 3 scans before drawing a sparkline, adds a delta chip showing the score change vs. the previous scan, and a clearer "Score trend (last N scans)" label. Shows a friendly placeholder when fewer than 3 scans exist.
* Improved: Security Score card content centered (was floating left with empty space) and the Scan now button icon and text now align correctly.
* Changed: Informational categories (Reputation/DNSBL) now show an explicit "All clear" (green check) or "N findings" (amber warning) status instead of the confusing "Not scored" placeholder. Listed-on-blacklist results now register visually as warnings without deducting from the score.
* Changed: User-visible English strings now consistently use "Vigilant" (matching the plugin's published name) instead of "Vigilante" in detail messages, email subjects, and the analyzer User-Agent. Internal identifiers (text domain, class names) remain unchanged.
* Internal: Plugin Check report cleaned up — added missing `translators:` comments for two header detail strings, fixed `_n()` singular without placeholder, scoped the `meta_key` slow-query and `fclose` (TLS stream socket, not filesystem) sniffer ignores precisely.

= 2.1.0 =
* New: Security Check analyzer — on-demand audit with a 0-100 Security Score and A-E grade, 43 checks across 6 categories (SSL/TLS, HTTP headers, WP exposure, auth/access, sensitive files, internal exclusives). Lives in the Dashboard with a compact widget and a full expandable report.
* New: 13 internal-exclusive checks impossible from external scanners: PHP EOL, WP core/plugins/themes updates, inactive plugins, file permissions, default salts, `wp_` table prefix, `admin` username, admins without 2FA, Vigilant modules off, recent activity log errors, file integrity status.
* New: Every failed check links directly to the relevant Vigilant setting with a visual pulse on arrival, so you know exactly what to change.
* New: Weekly automatic scan with optional email alert when the score drops 10+ points or new critical checks fail. SVG sparkline of the last 30 scans shows score evolution over time.
* New: Two separate metrics clarified — "Configuration Score" (how well you configured Vigilant) vs "Security Score" (how secure the site really is right now), displayed side by side on the Dashboard.
* Improved: Two-phase scan (fast checks first, then slow HTTP checks) so the report paints progressively instead of waiting 15s for a single response.

= 2.0.0 =
* New: Instant settings search — a search field inline on every tab title. Client-side matching against translated labels with English fallback. Results grouped by tab with direct links to the exact section.
* Improved: "Server Protection" section moved from the Firewall tab to the Security Headers tab, where it fits better. Existing settings are migrated automatically.
* Improved: Database backup table selector now shows the total size next to the table count. When you deselect tables, the counter switches to "X tables selected" with the size recalculated live.
* Improved: Cleaner "View" popup in Security Audit — removed the non-actionable "Extra Data" JSON dump and fixed the double line that appeared below the "Message" row.
* New: Whitelist/blacklist state in the Security Audit "View" popup — IPs and User-Agents already in a firewall list now show a disabled "In whitelist" / "In blacklist" button inline, without extra clicks.
* Changed: Version history moved to a dedicated changelog.txt file served from the plugin's public SVN, keeping readme.txt focused on the current release.

= 1.14.1 =
* Improved: Typo changes for consistency

= 1.14.0 =
* New: Critical config file baseline monitoring — detects unauthorized modifications to wp-config.php and .htaccess using stored hash comparison. Closes the gap left by WordPress.org checksums, which don't cover these files
* New: Line-level diff view showing added and removed lines with line numbers, making injected code immediately visible
* New: Per-file approve workflow — review the diff and approve legitimate changes individually, recorded in Security Audit
* New: Scan Scope checkbox for critical config files (enabled by default)
* New: Vigilant's own modifications to wp-config.php and .htaccess automatically update the baseline to prevent false positives
* New: Dedicated email section for critical config changes with SECURITY ALERT subject
* Improved: Instant Alert now also fires on modified and critical config files (previously only suspicious and additional)
* Improved: "Suspicious only" notification level now includes critical config changes, since they represent the same severity tier

= 1.13.1 =
* Improved: Activity log entries are now trimmed immediately when retention limits are changed, instead of waiting for the next daily cron run.
* Improved: Lowered minimum and step for max entries setting from 1000/10000 to 100/100 for finer control.

= 1.13.0 =
* New: Progressive rate limiting — block duration doubles on each repeat offense (5 min → 10 min → 20 min, etc.) with configurable maximum cap from 1 hour to 7 days. Enabled by default in Maximum Security preset.
* New: Currently blocked IPs section in Firewall tab showing active rate limit blocks with IP, duration, strike count, and manual unblock button.
* Improved: "Events to Log" note clarifying that firewall, security and settings events are always logged is now displayed as a visible notice box instead of a small description text.

= 1.12.2 =
* Fix: rate limit logging now records only once per block instead of every repeated request
* Fix: file integrity scan compatibility with WordPress.org checksums API nested response format

= 1.12.1 =
* Fix: WooCommerce payment gateway IPN callbacks blocked by bot protection htaccess rules

= 1.12.0 =
* New: WordPress option change tracking now uses a curated whitelist of ~30 security-relevant core options instead of an unreliable blacklist. No more false positives from cache plugins, management tools, or hit counters.
* New: "Additional options to track" field in Security Audit settings — monitor options from WooCommerce, SEOPress, or any plugin using exact names or prefix matching (e.g. "woocommerce_").
* Fix: REST API protected endpoints caused PHP warnings due to regex patterns being corrupted by input sanitization. Endpoint matching now uses simple prefix comparison, eliminating the issue entirely.

= 1.11.1 =
* Fix: Additional notification recipients were saved without line breaks, causing only the admin email to receive notifications. Recipients are now stored as an array internally.
* Fix: Disabling "Send to admin email" now works correctly — the fallback no longer overrides the user's explicit choice.
* Fix: Creating a new user no longer generates a duplicate "role changed" log entry.
* Fix: Comment approvals and rejections are now logged (previously only creation, spam, trash, and deletion were tracked).
* Fix: Noisy options from management plugins (ManageWP, MainWP, InfiniteWP) and hit counters are filtered from option change logging.
* Improved: Events to Log checkboxes displayed in two-column grid layout.
* Improved: Exclusion fields include descriptive helper text.
* Improved: Settings change log entries show readable names instead of internal slugs.
* Improved: Instant alert description clarified in File Integrity settings.
* Improved: Existing corrupted email recipient data is automatically repaired on update.

= 1.11.0 =
* Fix: Security Audit logging was silently disabled after saving settings due to an internal flag being incorrectly reset. This was the root cause of inconsistent or missing log entries across sites.
* Fix: Per-category toggles (login, user changes, file changes) now actually control logging. Previously, external modules logged events regardless of user preferences.
* Fix: Extra data in log entries no longer duplicates object fields already stored in dedicated columns.
* Fix: Exclusion lists (users, IPs) and cleanup settings now use fresh values instead of stale cached data.
* Fix: Removed dead code in AJAX trait (unused sanitizer, preset handler calling non-existent method).
* New: Content edits without status change (e.g. editing a published post) are now logged as "edited" events.
* New: Plugin and theme installations are now logged (previously only activations, updates, and deletions were tracked).
* New: Theme updates are now logged via the upgrader.
* New: "Security" event type added for Under Attack mode events, with proper label and filter support.
* New: Complete settings form for Security Audit — all toggles are now visible and functional: failed logins, comments, media, file integrity, WordPress option changes, max entries, excluded users, and excluded IPs.
* New: Media uploads and deletions are now logged (previously broken due to missing default).
* Improved: WordPress option change logging now uses a blacklist approach instead of a 10-item whitelist, covering settings from WordPress core, WooCommerce, and other plugins.
* Improved: Refresh button shows visual feedback (spinner) during loading and displays errors when requests fail.
* Improved: Database migration automatically repairs sites where logging was silently disabled by previous versions.

= 1.10.1 =
* Improved: Notification table status column now adjusts to text width to prevent wrapping

= 1.10.0 =
* New: Centralized notification recipients - configure who receives all administrative emails from a single location in Settings & Tools
* New: Additional recipients field - add maintenance professionals or security contacts alongside the WordPress admin email
* New: Notification summary table - view all active notifications at a glance with direct links to configure each one
* New: File integrity instant alert - receive an immediate email when suspicious or additional files are detected, regardless of periodic report settings
* New: Developer filter `vigilante_notification_recipients` to programmatically modify admin email recipients
* Improved: Tools tab renamed to "Settings & Tools" with notification settings at the top
* Improved: Each notification section now shows a link to the centralized recipient settings
* Fix: Admin monitoring section no longer displays a misleading reference to a non-existent "Login Security > Notification Email" field
* Fix: File integrity scan "Total Scanned" now correctly sums OK + modified + suspicious + extra + ignored files instead of using an incomplete internal counter

= 1.9.0 =
* Removed: Performance settings section from WP Hardening (post revisions, autosave interval, trash days, memory limit, auto updates). These are outside the scope of a security plugin and could cause conflicts with hosting configurations.
* Removed: CONCATENATE_SCRIPTS, WP_POST_REVISIONS, AUTOSAVE_INTERVAL, EMPTY_TRASH_DAYS, WP_MEMORY_LIMIT, WP_MAX_MEMORY_LIMIT, and WP_AUTO_UPDATE_CORE from wp-config.php managed constants. Vigilant no longer comments out or overwrites these constants.
* Fix: wp-config.php constants with multiple occurrences (e.g. duplicate WP_DEBUG defines) are now all properly commented. Previously only the first occurrence was handled, leaving duplicates active and causing conflicts.
* Fix: WP_DEBUG is now explicitly set to false in wp-config.php when debug mode is disabled, instead of relying on WordPress implicit defaults.
* Improved: Updated promotional banner with latest plugin and service catalog.
* Tested up to WordPress 7.0

= 1.8.0 =
* New: Force password reset by role: select one or more roles to reset all their users at once, ideal for security incidents
* New: Informative login message when a user tries to log in after a forced password reset

= 1.7.2 =
* Improved: Dashboard recommendations now include a direct link to the relevant settings tab
* Improved: Your current IP address is displayed in the firewall IP management section
* Improved: wp-config.php settings now visually separated into Security and Performance sections
* Improved: File integrity scan summary stats are now centered for better visual consistency
* Improved: Firewall description includes a compatibility note about full page caching systems (Varnish, LiteSpeed Cache, NGINX FastCGI, Cloudflare APO)
* Improved: Activity Log renamed to Security Audit across the entire admin interface (internal slugs unchanged)
* Fixed: File integrity scan totals now include an Ignored count so the summary numbers add up correctly

= 1.7.1 =
* Fixed: Under Attack mode now correctly auto-deactivates when the timer expires
* Fixed: JavaScript challenge no longer loops indefinitely - visitors pass through and get redirected properly
* Fixed: Challenge page assets externalized to CSS/JS files for Content Security Policy compatibility
* Fixed: Cache bypass on activation now works correctly with SiteGround (NGINX + Memcached + file-based cache), LiteSpeed, WP Rocket, WP Super Cache, W3 Total Cache, and other major caching solutions
* Fixed: Admin countdown timer now updates immediately on page load
* Improved: Added .htaccess cache-busting rules during Under Attack mode (auto-removed on deactivation)
* Improved: Added NGINX and CDN no-cache headers (X-Accel-Expires, Surrogate-Control) for reverse proxy environments

= 1.7.0 =
* New: Activity log search — find entries by IP, user agent, username, message, or any text. Minimum 3 characters, 400ms debounce. Works combined with existing type, severity, and method filters. Export respects active search and filters.
* New: Activity log type and severity columns now display translated labels instead of raw database values.
* Fix: Insecure username detection (admin, root, test, etc.) now checks all user roles, not just administrators. Consistent with username creation blocking which already prevents these names regardless of role.
* Fix: Insecure username warning now always active, independent of the "block insecure usernames" setting. Previously, disabling the setting also silenced the warning.
* Fix: Security score now penalizes installations with accounts using insecure usernames (-3 points).
* Fix: Insecure usernames now appear in dashboard security recommendations with high priority.
* Fix: Plugin name in browser tab titles is now translatable instead of hardcoded.
* Fix: Activity log table no longer crushes the Message column on narrow screens. Uses auto layout with horizontal scroll instead of fixed layout.

= 1.6.1 =
* New: Legacy WordPress core file detection in root scanner (wp-feed.php, wp-pass.php, etc.) - marked as additional instead of suspicious
* New: Browser tab title now shows plugin name and active tab (e.g. "Vigilant > Firewall")
* Improved: Search engine verification files (BingSiteAuth.xml, LiveSearchSiteAuth.xml) and php.ini excluded from root directory scan

= 1.6.0 =
* New: Root directory scanning in file integrity - detects non-core PHP files in WordPress root (common attack vector)
* New: phpinfo() detection pattern in file integrity scanner
* New: WP_DEBUG active warning in security dashboard with score penalty
* New: Display name protection - prevents saving display name matching login username (User Security)
* New: Dashboard recommendation when users have display name equal to login
* New: Smart .htaccess classification in uploads - dangerous rules flagged as suspicious, protective rules as additional with content summary
* Fix: readme.html and license.txt were never deleted due to mismatched setting keys
* Fix: Sensitive file cleanup now runs daily (WordPress core updates recreate these files)
* Fix: Added licencia.txt (Spanish locale) to sensitive file deletion, firewall blocking, and htaccess protection

= 1.5.5 =
* Fix: Submenu links (Activity Log, File Integrity) showing blank page on some hosting environments

= 1.5.4 =
* Fix: Close old comments setting no longer blocks WooCommerce product reviews
* Fix: Email header plugin name was not translatable due to wrong text domain
* Improved: Close old comments disabled by default (only active in Maximum preset)
* Improved: Database tables list in backup tool now has scroll, zebra striping, and better layout

= 1.5.3 =
* Fix: Plugin name in email header was not translatable
* Fix: Overly broad bot detection patterns in PHP firewall that could block legitimate HTTP requests from plugins and external services

= 1.5.2 =
* New: Admin option to allow/disallow "Remember this device" checkbox on 2FA verification (disabled by default)
* New: Password expiry email reminder - sends notification when warning period starts
* Improved: File integrity scanner skips known false positives (version.php, readme files)
* Improved: Default email notification level changed to "Suspicious only" for file integrity
* Improved: Custom login URL placeholder is now translatable
* Improved: Explanatory text for password expiry email reminder setting
* Fix: Password expiry email reminder setting had no functional implementation

= 1.5.1 =
* Improved: Plugin rebranded to "Vigilant" for better international naming
* Improved: New brand icon and banners

= 1.5.0 =
* New: Authenticator app (TOTP) two-factor authentication - RFC 6238 compliant
* New: Method selector - choose between email codes or authenticator app per site
* New: QR code setup in user profile with verification step
* New: Backup codes for TOTP - 10 emergency codes generated on setup
* New: Grace period for TOTP setup (configurable 0-30 days)
* New: Admin TOTP reset tool - search and reset users who lost authenticator access
* New: Grace period dashboard notice reminding users to set up their authenticator app
* New: Dedicated TOTP database table with encrypted secrets (AES-256-CBC)
* New: HTML styled emails for verification codes and activation notifications
* New: Admin password change alert in user security monitoring
* New: Login URL change notification with auto-send and manual button
* New: 2FA settings UI with visual method selector cards

* Fix: Admin login notification now fires for all administrator logins
* Fix: Plugin deactivation email was never sent
* Improved: File integrity scan patterns stored externally for better hosting compatibility

= 1.4.2 =
* Improved: Pagination for activity log (server-side, 20 items per page with AJAX navigation)
* Improved: Pagination for file integrity scan results (suspicious, extra, and modified files)
* Improved: Pagination for ignored files, blocked IPs, and active sessions lists
* Improved: All paginated tables show item count and range indicator, with navigation arrows when needed
* Improved: Pagination updates dynamically when items are removed (ignore file, unblock IP, revoke session)

= 1.4.1 =
* Improved: All firewall block messages are now fully translatable (46 strings added to translation system)
* Improved: Session limits default behavior changed to "Close oldest session" (recommended) instead of "Block new login"
* Improved: Default WordPress memory limit increased to 1024 MB
* Added: 2048 MB option for WordPress memory limit

= 1.4.0 =
* New: Email notification levels - choose between all issues, suspicious only, or disabled
* New: Excluded file extensions setting to reduce false positives (e.g., .log, .pot, .po, .mo)
* New: Excluded paths UI - configure which directories to skip during scans
* New: Ignore list - dismiss individual files from scan results and email notifications
* New: Extra file detection in plugins and themes (PHP files not in official WordPress.org packages)
* New: Plugins and themes without checksums are now scanned for suspicious code patterns
* New: Two-level detection system - strict mode for plugins (obfuscation combos only), standard mode for uploads (broad pattern matching)
* New: Extra files with suspicious code automatically escalate to the Suspicious category
* New: String concatenation obfuscation detection (e.g., building dangerous function names from split strings)
* New: Double extension detection in uploads directory (e.g., file.php.jpg)
* New: .htaccess detection in uploads directory
* New: HTML formatted email notifications with severity sections and summary stats
* New: Enhanced suspicious code pattern detection (hex2bin, create_function, hex-encoded strings, chr() obfuscation, eval+decode combos)
* Fix: Missing Scan Themes checkbox in settings UI
* Fix: Plugins without available checksums were completely skipped, including suspicious file detection
* Improved: Scan results tables now include Ignore buttons for each file
* Improved: Scan scope checkboxes grouped in a single fieldset for clarity

= 1.3.2 =
* Fixed: File integrity email notifications failing with "No recipient forward path" error when notification email field was empty

= 1.3.1 =
* Fix: All admin JavaScript strings are now fully translatable (activity log popup, scan results, password reset, session management, user approval, preset badges, and more)
* Fix: File integrity email notifications now work for both manual and scheduled scans
* Fix: Duplicate scheduled file integrity scans removed (respects configured frequency)
* Improved: Email notification on file changes is now enabled by default

= 1.3.0 =
* New: User-Agent whitelist - exclude services like ManageWP, MainWP, UptimeRobot from firewall checks
* New: User-Agent blacklist - block requests by User-Agent string with partial matching
* New: HTTP request method column in activity log (GET, POST, PUT, DELETE, etc.)
* New: Request method filter in activity log
* New: Quick action buttons in log detail popup to add IPs or User-Agents to firewall lists
* New: IP lookup links to AbuseIPDB directly from log entries
* Improved: Log detail popup redesigned with grouped sections (Request, Client, Extra Data)
* Improved: CSV export now includes request method column

= 1.2.3 =
* Fix: IP whitelist and blacklist entries were merged into a single line after page reload, preventing exclusions from working correctly
* Fix: Automatic migration repairs previously corrupted IP lists on update

= 1.2.2 =
* Improved: New plugin suggestion added.

= 1.2.1 =
* Improved: wp-config.php constant insertion now correctly placed before "That's all, stop editing" comment, with support for translated wp-config files

= 1.2.0 =
* New: Database backup download tool with table selection (Tools tab)
* New: Database prefix change with random secure prefix generation (WP Hardening tab)

= 1.1.1 =
* Fix: HTTP method restriction no longer blocks PUT and DELETE, allowing REST API requests from plugins like SiteGround Optimizer to work correctly.

= 1.1.0 =
* New: Under Attack mode - Emergency JavaScript challenge protection with one-click activation
* New: Automatic browser verification with proof-of-work challenge for frontend visitors
* New: HMAC-signed verification cookies to prevent cookie forgery
* New: Aggressive rate limiting (30 req/min) and HTTP method restriction during attacks
* New: Auto-deactivation after 4 hours with email notifications
* New: REST API and XML-RPC lockdown during Under Attack mode
* New: Non-dismissible admin notice with link to dashboard while mode is active

= 1.0.4 =
* Fixed: File Integrity scan results are now fully translatable
* Fixed: File Integrity scanner now reliably detects suspicious files in uploads
* Improved: Uploads directory is now scanned first for faster malware detection
* Improved: Scan time limit increased from 25 to 60 seconds for thorough scanning
* Improved: File limit in uploads scan increased from 2,000 to 10,000 files

= 1.0.3 =
* Fixed: Security Headers test button and results are now fully translatable
* Improved: Custom plugin icon now displayed in settings page header
* Improved: Activation notice now includes shield dashicon

= 1.0.2 =
* Improved: Settings page now uses full available width for better tab display

= 1.0.1 =
* Fixed: REST API compatibility with plugins using PUT/DELETE methods
* Fixed: wp-config.php constant insertion now works correctly on non-English WordPress installations
* Fixed: WP Hardening options now properly apply when unchecking (disabling) settings
* Fixed: Corrupted UTF-8 characters in activity log messages and CSS
* Improved: Custom login URL now automatically enables wp-login.php redirect to 404
* Improved: Session limits no longer exclude administrators by default for better security
* Improved: Dashboard "Custom Configuration" badge now uses more visible orange color
* Improved: htaccess HTTP method restrictions now exclude REST API endpoints

= 1.0.0 =
* Initial release
* Two-factor authentication via email with trusted device support
* Role-based 2FA enforcement
* Advanced PHP-based firewall with SQL injection, XSS, and file inclusion protection
* Rate limiting with configurable thresholds
* IP whitelist and blacklist management
* Complete security headers implementation (CSP, HSTS, X-Frame-Options, Permissions Policy)
* Built-in security header testing tool
* HTTPS enforcer with mixed content detection
* Login security with brute force protection and progressive lockouts
* Custom login URL support
* XML-RPC and application passwords control
* User security with insecure username blocking
* Strong password enforcement with minimum length
* Password expiration with history tracking
* Force password reset for all users
* Session management and concurrent session limits
* Email verification for new registrations
* Registration approval workflow
* Admin account monitoring and alerts
* WordPress hardening (wp-config constants, comment security, head cleanup)
* Feed management and security
* REST API security with selective endpoint protection
* User enumeration prevention
* Activity log with configurable event tracking
* Log export to CSV and filtering
* File integrity monitoring against WordPress.org checksums
* Two-level suspicious code detection (strict for plugins, broad for uploads)
* Extra file and obfuscation detection in plugins and themes
* Scheduled scans with HTML email notifications and severity levels
* Settings export and import
* Manual backup creation tool
* Two configuration presets (Standard, Maximum Security)
* Automatic backup and restoration system
* Clean rollback on deactivation
* Full admin interface with tabbed settings
