=== Performance & Security ===
Contributors: jmrcodes
Donate link: https://buymeacoffee.com/jmrcodes
Tags: performance, security, toolkit
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.1.0
License: GPL-3.0+
License URI: https://www.gnu.org/licenses/gpl-3.0.html

A site manager's toolkit. Settings to modify WordPress and improve performance and security.

== Description ==

A self-hosted site manager's toolkit: the security hardening, performance tuning, admin cleanup, content controls and email handling you'd otherwise install half a dozen micro-plugins for — as independent modules on a single settings page (Settings → Site Toolkit). Every module is off by default and registers no hooks while disabled, so the plugin changes nothing until you opt in.

🔐 **Security** — disable XML-RPC, hide the WordPress version, disable user enumeration (author scans, sitemaps, oEmbed, author archives), block the REST users endpoint, disable the file editors, block readme/license files, security headers (with optional HSTS), disable application passwords, session management, and an admin audit log.

🔓 **Login Page** — change the login URL, login rate limiting, hide detailed login errors, username-only sign-in, disable the language switcher, record each user's last login, and login screen branding (use your site identity automatically or a custom logo from the media library).

🚀 **Performance** — control autosave and post revisions, remove asset version query strings, throttle the Heartbeat API, remove wp_head bloat and generator tags, dequeue unused default assets (emoji, jQuery Migrate, Block Library CSS), disable self-pings, scheduled database maintenance, DNS prefetch/preconnect hints, and manage generated image sizes.

🛠️ **Admin / UX** — hide the front-end toolbar, change the WordPress greeting, replace the account menu with a logout button, dashboard widget manager, custom admin footer, maintenance mode, media library user isolation, environment indicator, suppress update notices on non-production, trim the WordPress toolbar menu, and an "All Settings" menu item.

📝 **Content & Editorial** — customize excerpts, disable the block editor per post type, disable trackbacks, targeted comment controls (media comments, plain-text links, minimum length), disable comments entirely, disable oEmbed, and restore the Links Manager.

📧 **Email & Notifications** — disable selected notification emails, and redirect or block all outgoing email on non-production environments.

***

If you have further suggestions, please contact us via the [plugin support page](https://wordpress.org/support/plugin/wp-performance-security).

If this plugin is useful for managing your WordPress settings, please [leave a review](https://wordpress.org/support/view/plugin-reviews/wp-performance-security).

Developed by [JMR.codes](https://jmr.codes).

== Installation ==

1. Unzip the plugin and copy the `wp-performance-security` folder to the `/wp-content/plugins/` directory
1. Activate the plugin through the 'Plugins' menu in WordPress


== Changelog ==

= 1.1.0 =

This is a major release. The plugin has been rebuilt around a modular framework: every feature is now an independent module on a single **Settings → Toolkit** page ("Performance & Security Toolkit"), and each module is off by default and adds no overhead until you switch it on. The old "Performance & Security" settings page has been retired, and your existing 1.0 settings are migrated to the equivalent modules automatically when you upgrade.

**Requirements**

* Now requires WordPress 6.2 or later (the audit log uses the `%i` SQL identifier placeholder added in WordPress 6.2).
* Now requires PHP 7.4 or later.

**New — 49 modules across six sections**

* Security: Disable XML-RPC; Hide WordPress version; Disable user enumeration (blocks author scans, with optional removal from XML sitemaps and oEmbed, author-archive redirect and author-link unlinking); Block REST API user endpoint; Disable theme/plugin file editor; Block access to readme/license files; Add security headers (duplicate detection, optional HSTS gated on HTTPS); Disable application passwords; Session management (log out other sessions on password change, optional session-lifetime cap); Admin audit log (Tools → Audit Log) with a daily retention purge.
* Login Page: Change login URL; Login rate limiting; Hide detailed login errors (with a custom message); Disable login via email address (username-only sign-in); Disable the login language switcher; Record user last login time (adds a sortable "Last Login" column to the Users screen); Customize login screen branding (use your site identity automatically, or set a custom logo from the media library, link and title).
* Performance: Disable autosave or increase the autosave interval; Limit post revisions; Remove version query strings from assets; Control the Heartbeat API; Remove additional wp_head bloat (including per-source generator tags for WordPress, WooCommerce, Google Site Kit, Performance Lab, Modern Image Formats and Speculative Loading); Dequeue unused default assets (emoji, jQuery Migrate, Block Library CSS and more); Disable self-pings; Database maintenance (scheduled cleanup with a "Run now" button); DNS prefetch / preconnect hints; Manage generated image sizes.
* Admin / UX: Hide the toolbar on the front end; Change the WordPress greeting; Replace the account menu with a logout button; Dashboard widget manager; Custom admin footer text (with optional database statistics); Maintenance / coming soon mode; Media library user isolation; Environment indicator; Suppress update notices on non-production environments; Remove the WordPress toolbar menu; Add an "All Settings" menu item.
* Content & Editorial: Disable the block editor (Gutenberg) per post type; Disable trackbacks and pingbacks; Disable oEmbed; Disable comments (thorough, with granular keep-toggles); Disable comments on media files; Disable active links in comments; Minimum comment length; Customize excerpts (word length and "more" text); Enable the Links Manager.
* Email & Notifications: Disable email notifications (auto-update, background-update, successful-core-update and password-reset emails, each individually toggleable); Redirect outgoing email on non-production environments (to a catch-all address, or block it entirely).
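The author-scan blocking listed under Security above, as an added example written for this page rather than code taken from the plugin. It also handles the `?author[]=1` array form noted under the Security fixes further down, which a check such as `is_numeric( $_GET['author'] )` misses because `is_numeric()` is false for arrays. The only WordPress functions it relies on are `add_action`, `is_admin`, `wp_safe_redirect` and `home_url`; the `pst_example_` names and the sample query strings are constructed for the demonstration and the file also runs on its own from the command line.

```php
<?php
/**
 * Added example, not the plugin's code: detect author-enumeration probes in
 * the request query, including the array form (?author[]=1).
 * Names prefixed pst_example_ are hypothetical.
 */

/** Flatten a scalar or (possibly nested) array query value into a list of strings. */
function pst_example_flatten( $raw ): array {
    if ( ! is_array( $raw ) ) {
        return array( (string) $raw );
    }
    $out = array();
    array_walk_recursive( $raw, function ( $v ) use ( &$out ) {
        if ( is_scalar( $v ) ) {
            $out[] = (string) $v;
        }
    } );
    return $out;
}

/**
 * True when $query (normally $_GET) carries an author value that still names
 * one or more user IDs once everything except digits, commas and dashes is
 * stripped, i.e. a value that could be resolved to /author/<login>/.
 */
function pst_example_is_author_scan( array $query ): bool {
    if ( ! array_key_exists( 'author', $query ) ) {
        return false;
    }
    foreach ( pst_example_flatten( $query['author'] ) as $value ) {
        if ( '' !== preg_replace( '/[^0-9,-]/', '', $value ) ) {
            return true;
        }
    }
    return false;
}

// Hook it up when loaded inside WordPress. The admin is skipped deliberately:
// edit.php?author=<id> is a legitimate post filter for logged-in users.
if ( function_exists( 'add_action' ) ) {
    add_action( 'init', function () {
        if ( is_admin() || ! pst_example_is_author_scan( $_GET ) ) {
            return;
        }
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    } );
}

// Stand-alone demonstration with constructed query strings (php this-file.php).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $probes = array(
        'author=1'      => array( 'author' => '1' ),
        'author[]=1'    => array( 'author' => array( '1' ) ),
        'author[a][]=2' => array( 'author' => array( 'a' => array( '2' ) ) ),
        'author=1,2'    => array( 'author' => '1,2' ),
        'author=abc'    => array( 'author' => 'abc' ),
        'p=5'           => array( 'p' => '5' ),
    );
    foreach ( $probes as $label => $get ) {
        printf( "%-15s %s\n", $label, pst_example_is_author_scan( $get ) ? 'block' : 'allow' );
    }
}
```

The predicate mirrors the ID-list semantics of the `author` query var rather than rejecting every request that carries the key; if you prefer the stricter rule, return true as soon as `author` is present on a front-end request. Whatever the rule, keep the `is_admin()` exemption, or the Posts screen's author filter breaks.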

**Changed**

* Settings have moved to Settings → Toolkit (titled "Performance & Security Toolkit"); the "Settings" link on the Plugins screen now points there. Your existing settings are migrated automatically — no reconfiguration needed.

**Removed**

* GZIP compression — removed with no in-plugin replacement. Compression belongs at the server or CDN level (enable it in cPanel/Plesk or ask your host): that is more reliable, avoids conflicts with caching plugins, and supports Brotli.
* Several niche legacy options were retired because they need theme code to be useful or duplicate settings handled better elsewhere: excerpts on Pages, the "Read more" anchor tweak, content/excerpt auto-formatting toggles, custom post types in search and RSS, tags on pages and in queries, and HTML5 markup support. The comment-form URL-field removal was also dropped, as it cannot be done reliably across both classic and block themes.

**Fixed**

* The "WordPress greeting" option now works — and in every language. The previous version hooked too early to ever modify the toolbar greeting, so it had no effect.
* "Disable self-ping" can now be saved. The legacy checkbox was missing from the settings whitelist and never persisted.

**Security**

* Login rate limiting now keys on the address the reverse proxy appended to X-Forwarded-For (the right-most value) rather than the left-most value, which the client itself controls and could set either to dodge the limit or to get an arbitrary address locked out. A failed attempt made during an active lockout also no longer resets the lockout timer; previously, continued attempts could keep everyone behind a shared IP locked out indefinitely.
* Maintenance mode now also returns a 503 for anonymous REST API requests, so posts and pages are not readable via /wp-json while the site is hidden.
* Media library user isolation now covers the list view and the REST media endpoint, not only the grid view.
* The login-screen logo URL is quoted inside its CSS to prevent CSS injection, and author-enumeration blocking also catches the array form (?author[]=1).
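The X-Forwarded-For handling and the non-extending lockout described in the first Security entry above, as an added example written for this page rather than code taken from the plugin. It assumes the site sits behind exactly one trusted reverse proxy that appends the real client address to X-Forwarded-For; the `pst_example_` names, the in-memory store standing in for a transient, and the request data are constructed for the demonstration. The page does not say whether the plugin exposes a trusted-proxy setting; the caveat the example encodes is that X-Forwarded-For may only be consulted when such a proxy is actually in place, because without one every value in the header is client-supplied.

```php
<?php
/**
 * Added example, not code from the plugin: resolve the client address for
 * login rate limiting and track failed attempts so that attempts made during
 * an active lockout do not extend it.
 *
 * Assumed deployment: at most ONE trusted reverse proxy in front of PHP, which
 * appends the real client address to X-Forwarded-For. Behind a chain of N
 * trusted proxies you would take the N-th value from the right instead.
 * Names prefixed pst_example_ are hypothetical.
 */

/**
 * Without a trusted proxy, X-Forwarded-For is attacker-controlled and is ignored.
 * With one, the RIGHT-most entry is the one the proxy appended; the left-most
 * entry is whatever the client chose to send.
 */
function pst_example_client_ip( array $server, bool $behind_trusted_proxy ): string {
    $remote = (string) ( $server['REMOTE_ADDR'] ?? '' );
    if ( ! $behind_trusted_proxy || empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;
    }
    $hops      = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    $candidate = end( $hops );
    // A malformed proxy-appended value falls back to the socket address.
    return filter_var( $candidate, FILTER_VALIDATE_IP ) ? $candidate : $remote;
}

/** Failed-login tracker; each record is [ 'count', 'first', 'locked_until' ]. */
class Pst_Example_Login_Limiter {
    private $store = array(); // stands in for the transient a plugin would use
    private $max_attempts;
    private $window;  // seconds over which failures are counted
    private $lockout; // seconds a lockout lasts

    public function __construct( int $max_attempts = 5, int $window = 900, int $lockout = 900 ) {
        $this->max_attempts = $max_attempts;
        $this->window       = $window;
        $this->lockout      = $lockout;
    }

    /** True while $ip is locked out. Checking never changes the record. */
    public function is_locked( string $ip, int $now ): bool {
        $rec = $this->store[ $ip ] ?? null;
        return null !== $rec && $rec['locked_until'] > $now;
    }

    /** When the lockout for $ip ends, or 0 if none was ever started. */
    public function locked_until( string $ip ): int {
        return $this->store[ $ip ]['locked_until'] ?? 0;
    }

    /** Record a failed login. Returns true only when this failure started a lockout. */
    public function record_failure( string $ip, int $now ): bool {
        // A failure during an active lockout is dropped entirely, so continued
        // guessing (or another user behind the same NAT address) cannot push
        // locked_until further into the future.
        if ( $this->is_locked( $ip, $now ) ) {
            return false;
        }
        $rec = $this->store[ $ip ] ?? array( 'count' => 0, 'first' => $now, 'locked_until' => 0 );
        // An expired lockout or an expired counting window starts a fresh record.
        if ( $rec['locked_until'] > 0 || ( $now - $rec['first'] ) >= $this->window ) {
            $rec = array( 'count' => 0, 'first' => $now, 'locked_until' => 0 );
        }
        $rec['count']++;
        $started = false;
        if ( $rec['count'] >= $this->max_attempts ) {
            $rec['locked_until'] = $now + $this->lockout;
            $started             = true;
        }
        $this->store[ $ip ] = $rec;
        return $started;
    }

    /** A successful login clears the counter for that address. */
    public function clear( string $ip ): void {
        unset( $this->store[ $ip ] );
    }
}

// Stand-alone demonstration with constructed request data (php this-file.php).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $server = array(
        'REMOTE_ADDR'          => '10.0.0.2',                  // the proxy's own address
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9', // left: client-supplied, right: proxy-appended
    );
    echo 'behind proxy: ', pst_example_client_ip( $server, true ), "\n";
    echo 'no proxy:     ', pst_example_client_ip( $server, false ), "\n";

    $limiter = new Pst_Example_Login_Limiter( 3, 900, 900 );
    $ip      = pst_example_client_ip( $server, true );
    $t       = 1700000000;
    foreach ( array( 0, 1, 2 ) as $dt ) {
        $limiter->record_failure( $ip, $t + $dt ); // third failure starts the lockout
    }
    $until = $limiter->locked_until( $ip );
    $limiter->record_failure( $ip, $t + 100 );      // must be ignored while locked
    echo $limiter->locked_until( $ip ) === $until ? "lockout not extended\n" : "BUG: lockout extended\n";
    echo $limiter->is_locked( $ip, $t + 903 ) ? "still locked\n" : "lockout expired on schedule\n";
}
```

Inside a plugin the record would live in a transient keyed on the address, with `record_failure()` hooked to `wp_login_failed` and `clear()` to `wp_login`. Set `$behind_trusted_proxy` from configuration, never from the request, and make sure the proxy overwrites rather than forwards any X-Forwarded-For value the client sent when it is the only hop you trust.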

= 1.0.0 =

* Security: settings are now saved through the WordPress Settings API with a dedicated nonce and a `manage_options` capability check
* Security: all stored settings are sanitised against a whitelist of known options (unknown keys are discarded)
* Security: all settings and URLs are escaped on output
* Fixed fatal errors on PHP 8 caused by `create_function()`
* Fixed the custom login logo, login URL, login title and minimum comment length options, which previously referenced settings out of scope
* Fixed reactivation overwriting saved settings
* Custom post types in search results now use `pre_get_posts` so the option works as described
* The settings page now lists all options on a single page, grouped into fieldsets by feature type

= 0.9.2 =

* Removed the Google Analytics section, as Universal Analytics is no longer supported

= 0.9.1 =

* Fixed a bug on the login screen

= 0.9 =

* Fixed a bug with comments being disabled by default
* Remove oEmbed support option
* Remove jQuery migrate option
* Improved emoji removal to include dns-prefetch of image sources

= 0.8 =

* Tested against WP 5.0.1
* Open Sans was dropped from WP 4.6 in favour of system fonts - so this option will only show for older versions of WP
* Updated Google Analytics to support Google Tag Manager (gtag.js)
* Added the ability to hide existing comments
* Jetpack devicepx option only shown if Jetpack is active
* Improved handling of custom post type options
* Added support for enabling (and disabling) the Links Manager
* Removed SVG support due to changes in WP since 4.7
* Minor code improvements

= 0.7 =

* Added new feature to remove the styles and scripts that make up emoji support, which was added in WP 4.2

= 0.6 =

* Fixed a range of alerts that appear in debug mode

= 0.5 =

* Fixed issue where plugin might conflict with WP Super Cache

= 0.4.1 =

* Minor changes to plugin settings in WP

= 0.4 =

Minor code changes

* JS only loaded on plugin page
* Changed default settings, all plugin options set to the WordPress defaults

= 0.3 =

* Updated plugin to allow for internationalization
* Added icon

= 0.2 =

* Added support for adding Google Analytics tracking code
* Added a toggle to remove the admin bar from front-facing pages
* Added a setting to enforce and set the minimum number of characters required in a comment

= 0.1 =

* Initial launch
