=== WebKernelAI Security ===
Contributors: aamirsahil
Tags: security, wordpress security, csp, malware scanner, technical seo
Requires at least: 6.2
Tested up to: 7.1
Requires PHP: 7.4
Stable tag: 1.0.5
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Plugin URI: https://webkernelai.com/plugins/security/
Author: WebKernelAI
Author URI: https://webkernelai.com

A secure WordPress connector to remotely manage, audit, and harden your site from the WebKernelAI dashboard with cryptographic signature verification.

== Description ==

[WebKernelAI](https://webkernelai.com) is a Technical SEO and Website Security platform. The WebKernelAI Security plugin is a **highly secure connector** that links WordPress to the WebKernelAI dashboard for centralized security policy management, malware scanning, plugin auditing, user account management, file integrity monitoring, Web Application Firewall (WAF), and advanced site controls.

**This plugin is a read/execute connector only.** It does not store or expose sensitive credentials. All communication is cryptographically signed using HMAC-SHA256 + Ed25519 asymmetric keys. Every request must pass multi-layer signature verification before any action is executed. There is no way for any third party to hijack the site token or impersonate the dashboard.

Official Website:
https://webkernelai.com

Security Plugin:
https://webkernelai.com/plugins/security/

Documentation:
https://webkernelai.com/docs/security/

WebKernelAI helps developers, businesses, and production websites improve:

* Technical SEO
* Website Security
* Web Application Firewall (WAF) rule filters
* Crawl Intelligence
* JavaScript Vulnerability Detection
* Website Malware Detection
* Security Header Analysis
* SEO Metadata Management
* Content Security Policy (CSP) Management
* Remote Plugin Update Management
* WordPress User Account Auditing

== Why This Plugin Is Highly Secure ==

WebKernelAI Security is engineered from the ground up with a **zero-trust security model**. Every REST API request received by this plugin must pass all of the following layers before any action is taken:

1. **HMAC-SHA256 request signature** — Each request is signed with a shared secret derived from the site pairing token. Any tampered or unsigned request is immediately rejected with 403 Forbidden.
2. **Ed25519 asymmetric cryptography** — Critical operations (like agent revocation) are additionally signed with Ed25519 asymmetric keys for cryptographic non-repudiation.
3. **Nonce replay protection** — Every signed request includes a one-time nonce. Replayed or reused nonces are rejected even if the signature is valid.
4. **Timestamp freshness validation** — Requests older than a configurable time window are rejected to prevent delayed replay attacks.
5. **Trusted-origin enforcement** — REST API calls are validated against known dashboard origins.
6. **Pairing token architecture** — The 64-character site pairing token is generated locally in WordPress and never leaves the site in plaintext. The WebKernelAI dashboard holds only its HMAC derivative.
7. **Emergency revocation** — The WebKernelAI dashboard can remotely revoke or suspend the plugin agent instantly using a cryptographically signed one-time token.
8. **Permission-level callbacks** — Every REST endpoint is individually gated by a strict `permission_callback` that verifies the signed token before the handler ever runs.

**There is no possible way for any third party, attacker, or man-in-the-middle to hijack or impersonate the WebKernelAI dashboard connection without holding both the HMAC secret and a valid Ed25519 private key simultaneously.**

== Core Features ==

* Secure token-authenticated REST API endpoints
* Signed request validation using HMAC-SHA256 and Ed25519 asymmetric cryptography
* WAF Rule Engine for SQL Injection (SQLi), Cross-Site Scripting (XSS), and Local File Inclusion (LFI)
* Dynamic security telemetry monitoring & database event logs
* Brute force login lockout protections with auto-reset on successful auth
* Custom login URL slug masking with hybrid cookie & query parameter bypass
* Anonymous user enumeration blocks on user REST endpoints (403 Forbidden)
* File integrity inventory generation with weighted overview security scoring (0–100)
* Codebase Security Intelligence — SHA-256 file hashing with false-positive whitelisting for trusted plugin files
* Remote plugin self-update trigger — WebKernelAI dashboard can push plugin updates without WordPress admin access
* WordPress User Account Auditor — remotely list, audit, and delete WordPress user accounts from the dashboard
* First-user and last-user deletion protection — primary admin and the only remaining user can never be deleted remotely
* Plugin Ecosystem Auditor — detects outdated, vulnerable, official, and third-party plugins with real WordPress.org transient data
* Centralized SEO metadata synchronization
* Canonical URL synchronization
* OpenGraph metadata synchronization
* Robots.txt management and subdirectory-safe dynamic XML sitemap generation
* llms.txt controls
* Advanced Content Security Policy (CSP) management
* Security header management
* Production lock profile support
* Security policy rollback history
* Read-only security overview endpoint
* Integration with WebKernelAI Technical SEO Audit and security analysis tools
* Emergency agent revocation endpoint with Ed25519 + OTP verification

== Official WebKernelAI Platform ==

WebKernelAI provides integrated Technical SEO and Website Security tools for WordPress websites and modern web applications.

Platform capabilities include:

* Technical SEO Audit
* Web Application Firewall (WAF)
* Crawl Intelligence
* JavaScript Vulnerability Scanner
* Website Malware Scanner
* Security Header Analysis
* SEO Metadata Synchronization
* Content Security Policy Management
* Website Security Monitoring
* Plugin Manager & Remote Updater
* WordPress User Account Auditing

Official platform:
https://webkernelai.com

== Security Architecture ==

WebKernelAI Security includes multiple protection layers:

* HMAC-SHA256 and Ed25519 asymmetric request signature verification
* WAF engine with customizable security rule drops
* Login custom slug protection with 404 response blocks
* Brute force lockout thresholds
* REST API endpoint restrictions (anonymous user list blocks)
* Nonce replay protection
* Timestamp freshness validation
* Trusted-origin enforcement
* Endpoint-level permission controls
* Rate limiting protections
* Production lock profile
* Rollback-safe policy management
* Emergency remote revocation with cryptographic verification
* False-positive whitelisting in codebase integrity engine

The plugin is designed for secure production environments and centralized security operations.

== Remote Plugin Update Security ==

In version 1.0.5, the plugin supports secure remote self-updates triggered from the WebKernelAI dashboard.

The update process:
1. The WebKernelAI dashboard computes the latest version from the official WordPress.org Plugins API.
2. If an update is available, the dashboard sends a signed POST request to the plugin's `/plugin/update` REST endpoint.
3. The plugin verifies the full HMAC-SHA256 signature before proceeding.
4. WordPress's native `Plugin_Upgrader` is used with `Automatic_Upgrader_Skin` to perform the update silently.
5. The plugin is temporarily deactivated during the file swap to prevent file lock conflicts, then automatically reactivated upon success.

The download URL is passed as a signed parameter and validated with `esc_url_raw()` before use.

== File Integrity Monitoring ==

The plugin supports secure integrity inventory generation for supported scan modes.

Supported integrity metadata includes:

* File path
* SHA-256/MD5 hash
* File size
* Modification timestamp
* Computed security score indicators (0–100)

Own plugin files are automatically whitelisted to prevent false-positives in the malware scanner regardless of the scan directory (including `wp-content/upgrade/` temporary update folders).

Raw file contents are not transmitted during standard integrity operations.

== User Account Auditing ==

The plugin exposes a secure `/users` REST endpoint for the WebKernelAI dashboard to:

* List all registered WordPress users, including their roles and registration dates
* Delete a specific user account remotely

Deletion is protected by the following safety rules:
* The first registered user (primary site administrator/creator) can never be deleted.
* The last remaining user on the site can never be deleted.
* Self-deletion of the current API context user is blocked.

All deletion requests must pass the standard HMAC-SHA256 signature verification before any action is taken.

== SEO & Technical Controls ==

The plugin supports centralized Technical SEO management from the WebKernelAI dashboard.

Supported controls include:

* Meta title synchronization
* Meta description synchronization
* Canonical URL synchronization
* OpenGraph metadata synchronization
* Robots directives
* Robots.txt management
* llms.txt management
* Dynamic XML sitemap generation
* Archive indexing controls

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/`
2. Activate the plugin through WordPress admin
3. Open **Settings → WebKernelAI Security**
4. Generate a secure site token
5. Connect your website with the WebKernelAI dashboard

== Frequently Asked Questions ==

= Does the plugin send file contents to WebKernelAI? =

No. The plugin sends integrity metadata and hashes only for supported scan modes.

= Can someone hijack my site token? =

No. Every REST request requires a valid HMAC-SHA256 signature derived from the shared pairing token plus Ed25519 asymmetric signature verification for critical operations. Without the private key, it is cryptographically impossible to forge a valid request.

= Can I disable CSP or security headers? =

Yes. Security headers and CSP policies can be managed through the WebKernelAI dashboard.

= Can I manually customize CSP rules? =

Yes. Advanced CSP editing and enforcement controls are supported.

= Does the plugin support replay attack protection? =

Yes. Signed requests include nonce replay protection and timestamp freshness validation.

= Can I roll back security policy changes? =

Yes. Security policy versioning supports rollback to previous configurations.

= Does the plugin support Technical SEO workflows? =

Yes. The plugin integrates directly with WebKernelAI Technical SEO Audit and metadata synchronization systems.

= Can WebKernelAI update the plugin remotely? =

Yes. Version 1.0.5 adds a secure signed remote update endpoint that allows the WebKernelAI dashboard to push plugin updates using WordPress's native upgrader, without requiring manual admin access.

= Can WebKernelAI delete admin users from my site? =

The plugin allows the dashboard to delete non-primary users. The first registered user (primary administrator) and the last remaining user on the site are permanently protected from remote deletion by server-side safety rules.

== External Services ==

This plugin connects to WebKernelAI cloud services.

Official platform:
https://webkernelai.com

Data may be transmitted to:

* https://webkernelai.com
* your configured WebKernelAI dashboard/backend endpoint

Data transmitted may include:

* Authenticated API requests
* Integrity inventory metadata
* SEO synchronization payloads
* Security policy payloads
* Selected configuration settings

Data is transmitted:

* When connecting a website to WebKernelAI
* When administrators trigger dashboard operations
* During scan, synchronization, or policy deployment operations

Terms of Service:
https://webkernelai.com/terms

Privacy Policy:
https://webkernelai.com/privacy

== Changelog ==

= 1.0.5 =

* Added secure remote plugin self-update endpoint (`POST /webkernelai/v1/plugin/update`) using WordPress native `Plugin_Upgrader` with `Automatic_Upgrader_Skin`
* Added WordPress User Account Auditor with `GET /webkernelai/v1/users` and `DELETE /webkernelai/v1/users` REST endpoints
* Added first-user and last-user deletion protection guards — primary site admin can never be deleted remotely
* Added Plugin Ecosystem Auditor — detects outdated, vulnerable, official (WordPress.org transient), and third-party plugins
* Added `author` and `plugin_uri` fields to the plugin overview payload in the security overview endpoint
* Added `is_official` flag detection using WordPress.org update transients in `get_security_overview()`
* Added false-positive whitelist for WebKernelAI Security files in the Codebase Integrity Engine (including `wp-content/upgrade/` temp folders)
* Fixed custom silent upgrader skin fatal error by switching to WordPress core `Automatic_Upgrader_Skin`
* Restored all REST routes including `/security-scan-v2`, `/infections`, `/users`, `/plugin/update`, and `/revoke`
* Improved `get_security_overview()` to include per-plugin `author`, `plugin_uri`, and `is_official` fields

= 1.0.4 =

* Added Web Application Firewall (WAF) filter rules (XSS, SQLi, LFI)
* Added Ed25519 cryptographic signature verification
* Added Custom Login URL Slug redirect & hybrid cookie/query bypass
* Added dynamic XML sitemaps (images, video, news) with subdirectory-safe routing
* Added Redirects Manager (regex, wildcards, 410) & Robots visual compiler
* Added Schema JSON-LD builder injection engine
* Added anonymous /wp/v2/users REST API block (403 Forbidden)
* Added brute-force lockout automatic transient reset on successful login
* Added integrity scanning overview security scoring (0-100)

= 1.0.3 =

* Added REST route `GET /webkernelai/v1/security-overview`
* Added improved active theme update detection compatibility

= 1.0.2 =

* Added advanced security mode with HMAC request validation
* Added nonce replay protection
* Added trusted-origin validation
* Added endpoint rate limiting
* Added production lock profile support
* Added policy rollback history
* Added advanced CSP management support

= 1.0.1 =

* Added WordPress.org compliance improvements
* Added unique option keys
* Added legacy option migration support

= 1.0.0 =

* Initial public release
