# Atlant Security - Changelog

All notable changes to the Atlant Security plugin are documented in this file.

---

## [1.0.0] - 2026-03-01

### Initial Release

#### Core Architecture
- Main plugin bootstrap (`atlant-security.php`) with PSR-4 autoloader under `FortressWP\` namespace
- Singleton `Plugin.php` orchestrator that boots all modules
- `Installer.php` with 6 custom database tables and 30+ default settings
- `RequestLogger.php` for request logging on every page load at `init` priority 1
- `Whitelist.php` for IP whitelist management with AJAX endpoints
- `Admin.php` with 15 admin pages, AJAX settings save, branding, setup wizard redirect

#### Database Tables Created
1. `fwwp_visitor_log` - Full request log (IP, country, city, UA, URL, user, status, bot detection)
2. `fwwp_blocked_ips` - IP block list (permanent/temporary, with reason tracking)
3. `fwwp_whitelist` - IP whitelist (type, value, label, creator)
4. `fwwp_login_attempts` - Brute-force tracking (IP, attempts, lockout timestamps)
5. `fwwp_events` - Security events (event_type, severity, rule_id, description)
6. `fwwp_audit_log` - Admin audit trail (user, action, object, description)

#### Security Modules (17 total)

1. **WAF** (`WAF.php`) - Web Application Firewall with 28+ attack-pattern rules covering SQL injection, XSS, RCE, directory traversal and protocol attacks. Block or log mode.

2. **LoginProtection** (`LoginProtection.php`) - 3-tier progressive lockout system (5min/30min/24h), failed login tracking, automatic IP blocking after threshold.

3. **CustomLoginURL** (`CustomLoginURL.php`) - Hides `/wp-login.php` with a custom secret slug. Blocks `/wp-admin/` for non-logged-in visitors. Random slug generation. Whitelist bypass.

4. **Hardening** (`Hardening.php`) - Disables XML-RPC, hides WP version, blocks REST API user enumeration, blocks author enumeration, disables file editor, blocks PHP in uploads.

5. **IPManager** (`IPManager.php`) - IP blocking/unblocking with AJAX, permanent/temporary blocks, reason tracking, request count updates, IP detail modal with recent request history.

6. **RateLimiter** (`RateLimiter.php`) - Per-IP request rate limiting with configurable thresholds and time windows.

7. **Notifications** (`Notifications.php`) - Email alerts for security events (lockouts, WAF blocks, suspicious activity).

8. **Scanner** (`Scanner.php`) - Malware scanning capabilities for files and database content.

9. **PostBreach** (`PostBreach.php`) - Post-breach recovery toolkit: admin account audit, secret key rotation, plugin reinstallation from wordpress.org, database malware scan, forced password reset, site lockdown mode, incident report generation.

10. **SecurityHeaders** (`SecurityHeaders.php`) - Adds security HTTP headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Strict-Transport-Security, Permissions-Policy, Content-Security-Policy).

11. **Honeypot** (`Honeypot.php`) - Hidden form fields on login/registration to detect bot submissions.

12. **TwoFA** (`TwoFA.php`) - Two-factor authentication module (placeholder/partial).

13. **AICrawlers** (`AICrawlers.php`) - 20 known AI/LLM crawler definitions (GPTBot, ClaudeBot, Google-Extended, etc.). Global toggle + per-crawler granular rules. Robots.txt injection. Request interception with 403 for blocked crawlers. 30-day stats per crawler.

14. **RestApiPolicy** (`RestApiPolicy.php`) - Per-namespace/per-route REST API policy engine. 5 default policies. Sliding-window rate limiting with APCu fast path. Authentication requirements per route. Whitelist bypass.

15. **SessionSecurity** (`SessionSecurity.php`) - Cookie hardening (HttpOnly, Secure, SameSite). Session binding (SHA-256 fingerprint of IP+UA). Concurrent session limits via WP_Session_Tokens API. Idle timeout with throttled activity tracking.

16. **OutboundMonitor** (`OutboundMonitor.php`) - SSRF prevention via `pre_http_request` filter. Domain allowlist with fnmatch patterns. Blocks private/internal IPs. Caller detection via backtrace. Log and enforce modes. Rolling log of last 500 requests.

17. **CronGuard** (`CronGuard.php`) - wp-cron.php flood protection (rate limiting). Suspicious cron job detection via baseline snapshot. System cron migration helper. Cron health dashboard.
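
The 3-tier progressive lockout described for **LoginProtection** above, as an added example. This is not the plugin's `LoginProtection.php`: it keeps state in transients instead of the `fwwp_login_attempts` table so it runs on its own, and the `fwwp_ex_` prefix, the 5-attempt threshold and the `fwwp_ex_lockout` hook are assumptions.

```php
<?php
// Added example (not the plugin's LoginProtection.php): a 3-tier progressive lockout
// keyed on client IP. Threshold, hook name and the fwwp_ex_ prefix are assumptions;
// state lives in transients instead of the fwwp_login_attempts table.

const FWWP_EX_MAX_ATTEMPTS  = 5;                 // failures before each lockout (assumed)
const FWWP_EX_LOCKOUT_TIERS = array(             // 5 min, 30 min, 24 h
    5 * MINUTE_IN_SECONDS,
    30 * MINUTE_IN_SECONDS,
    DAY_IN_SECONDS,
);

function fwwp_ex_client_ip() {
    // Trust REMOTE_ADDR only; X-Forwarded-For is attacker-controlled unless a known proxy sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function fwwp_ex_state_key( $ip ) {
    return 'fwwp_ex_login_' . md5( $ip );
}

function fwwp_ex_state( $ip ) {
    $state = get_transient( fwwp_ex_state_key( $ip ) );
    return is_array( $state ) ? $state : array( 'attempts' => 0, 'tier' => 0, 'locked_until' => 0 );
}

// Refuse the login while locked, even if the password is correct. Priority 30 runs after
// core's username/email handlers (priority 20), so a valid password cannot bypass the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $state = fwwp_ex_state( fwwp_ex_client_ip() );
    if ( $state['locked_until'] > time() ) {
        return new WP_Error(
            'fwwp_ex_locked_out',
            sprintf( 'Too many failed logins. Try again in %s.', human_time_diff( time(), $state['locked_until'] ) )
        );
    }
    return $user;
}, 30, 3 );

// Count failures and escalate: tier 0 -> 5 min, tier 1 -> 30 min, tier 2 and above -> 24 h.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = fwwp_ex_client_ip();
    $state = fwwp_ex_state( $ip );
    if ( $state['locked_until'] > time() ) {
        return; // attempts made during a lockout are already rejected; do not double-count them
    }
    $state['attempts']++;
    if ( $state['attempts'] >= FWWP_EX_MAX_ATTEMPTS ) {
        $tier                  = min( $state['tier'], count( FWWP_EX_LOCKOUT_TIERS ) - 1 );
        $state['locked_until'] = time() + FWWP_EX_LOCKOUT_TIERS[ $tier ];
        $state['tier']         = $tier + 1;  // the next lockout is longer
        $state['attempts']     = 0;
        do_action( 'fwwp_ex_lockout', $ip, $tier, $state['locked_until'] ); // assumed hook for email alerts
    }
    // Keep the record for a day past the longest lockout so repeat offenders keep escalating.
    set_transient( fwwp_ex_state_key( $ip ), $state, 2 * DAY_IN_SECONDS );
} );

// A successful login clears the counter and resets the tier for that IP.
add_action( 'wp_login', function () {
    delete_transient( fwwp_ex_state_key( fwwp_ex_client_ip() ) );
} );
```

The lockout check is deliberately hooked after core's password handlers: a filter at a lower priority that returns a `WP_Error` is overwritten by `wp_authenticate_username_password()` whenever both username and password are non-empty, so an early hook would only lock out requests with blank credentials. Sites behind a reverse proxy must replace `fwwp_ex_client_ip()` with logic that trusts the proxy's header, or every visitor shares one counter.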
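
Session binding and the concurrent-session cap described for **SessionSecurity** above, as an added example built only on the public `WP_Session_Tokens` API. This is not the plugin's `SessionSecurity.php`; the option names `fwwp_ex_bind_ip` and `fwwp_ex_max_sessions`, the session key `fwwp_ex_fp` and the default limit of 3 are assumptions.

```php
<?php
// Added example (not the plugin's SessionSecurity.php): bind each session to a SHA-256
// fingerprint of client IP + User-Agent and cap live sessions per user via WP_Session_Tokens.
// Option names, the session key and the default limit are assumptions.

function fwwp_ex_fingerprint() {
    // Binding to the full IP logs out users whose address changes (mobile, carrier NAT);
    // the assumed fwwp_ex_bind_ip option lets an admin bind to the User-Agent only.
    $ip = get_option( 'fwwp_ex_bind_ip', true ) ? ( $_SERVER['REMOTE_ADDR'] ?? '' ) : '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash( 'sha256', $ip . '|' . $ua );
}

// Core applies this filter inside WP_Session_Tokens::create() on a successful login, so the
// fingerprint is stored in the session record next to core's own ip/ua/login/expiration keys.
add_filter( 'attach_session_information', function ( array $session, $user_id ) {
    $session['fwwp_ex_fp'] = fwwp_ex_fingerprint();

    // Concurrent-session cap: if the user already holds the maximum number of live sessions,
    // revoke them all before the new one is written (newest login wins).
    $limit   = (int) get_option( 'fwwp_ex_max_sessions', 3 );
    $manager = WP_Session_Tokens::get_instance( $user_id );
    if ( $limit > 0 && count( $manager->get_all() ) >= $limit ) {
        $manager->destroy_all();
    }
    return $session;
}, 10, 2 );

// On every request, compare the stored fingerprint with the live one and revoke the session
// on mismatch: an auth cookie replayed from another host or browser fails here.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token = wp_get_session_token();
    if ( '' === $token ) {
        return;
    }
    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session = $manager->get( $token );
    if ( null === $session || empty( $session['fwwp_ex_fp'] ) ) {
        return; // session predates binding; let it expire on its own
    }
    if ( ! hash_equals( $session['fwwp_ex_fp'], fwwp_ex_fingerprint() ) ) {
        $manager->destroy( $token ); // revoke server-side, not just the cookie
        wp_clear_auth_cookie();
        wp_set_current_user( 0 );
        wp_safe_redirect( wp_login_url() );
        exit;
    }
}, 1 );
```

`get_all()` returns session records without their verifier keys, so the public API cannot evict one specific older session; evicting all older sessions at the limit is the simplest policy that stays within it. Expired sessions are already filtered out of `get_all()`, so only live sessions count toward the cap.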
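
The allowlist and private-range guard described for **OutboundMonitor** above, as an added example on the `pre_http_request` filter. This is not the plugin's `OutboundMonitor.php`; the option names `fwwp_ex_outbound_allow` and `fwwp_ex_outbound_enforce`, the default allowlist and the `fwwp_ex_` prefix are assumptions. It goes one step past the module description by pinning cURL to the address that was vetted, because a check that resolves the name once and then lets the transport resolve it again is open to DNS rebinding.

```php
<?php
// Added example (not the plugin's OutboundMonitor.php): allowlist + private-range guard on
// WordPress's pre_http_request filter, with DNS pinning for the cURL transport.
// Option names, the default allowlist and the fwwp_ex_ prefix are assumptions.

function fwwp_ex_is_internal_ip( $ip ) {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7; NO_RES_RANGE rejects 0/8, 127/8,
    // 169.254/16 (cloud metadata), 240/4, ::1, ::ffff:0:0/96, fe80::/10. Unparseable input also fails,
    // so it is treated as internal. 100.64/10 (carrier NAT) is covered by neither flag.
    return false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

function fwwp_ex_host_allowed( $host, array $patterns ) {
    foreach ( $patterns as $pattern ) {
        if ( fnmatch( $pattern, $host, FNM_CASEFOLD ) ) {
            return true;
        }
    }
    return false;
}

function fwwp_ex_resolve( $host ) {
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return array( $host );                      // literal IP in the URL
    }
    $ips = gethostbynamel( $host ) ?: array();        // A records
    foreach ( (array) dns_get_record( $host, DNS_AAAA ) as $rec ) {
        if ( ! empty( $rec['ipv6'] ) ) {
            $ips[] = $rec['ipv6'];                      // AAAA records
        }
    }
    return $ips;
}

// Per-request memo of the addresses that passed the check, keyed by host, used for pinning below.
function fwwp_ex_vetted( $host, $ips = null ) {
    static $cache = array();
    if ( null !== $ips ) {
        $cache[ $host ] = $ips;
    }
    return isset( $cache[ $host ] ) ? $cache[ $host ] : array();
}

// Returns null when the request may proceed, or a WP_Error describing why it must not.
function fwwp_ex_check_outbound( $url, array $allow ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) ) {
        return new WP_Error( 'fwwp_ex_bad_url', 'unparseable URL' );
    }
    $host = strtolower( trim( $parts['host'], '[]' ) );
    if ( ! fwwp_ex_host_allowed( $host, $allow ) ) {
        return new WP_Error( 'fwwp_ex_not_allowlisted', "host {$host} is not on the allowlist" );
    }
    $ips = fwwp_ex_resolve( $host );
    if ( empty( $ips ) ) {
        return new WP_Error( 'fwwp_ex_unresolvable', "host {$host} did not resolve" );
    }
    foreach ( $ips as $ip ) {
        if ( fwwp_ex_is_internal_ip( $ip ) ) {
            // An allowlisted name that resolves inward is the classic SSRF pivot; fail closed.
            return new WP_Error( 'fwwp_ex_internal_target', "host {$host} resolves to internal address {$ip}" );
        }
    }
    fwwp_ex_vetted( $host, $ips );
    return null;
}

add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    if ( false !== $preempt ) {
        return $preempt;                              // another filter already answered
    }
    $allow   = (array) get_option( 'fwwp_ex_outbound_allow', array( '*.wordpress.org' ) );
    $enforce = (bool) get_option( 'fwwp_ex_outbound_enforce', false );
    $verdict = fwwp_ex_check_outbound( $url, $allow );
    if ( is_wp_error( $verdict ) ) {
        error_log( sprintf( 'fwwp outbound %s %s: %s', $enforce ? 'BLOCK' : 'LOG', $url, $verdict->get_error_message() ) );
        if ( $enforce ) {
            return $verdict;                          // WP_Http::request() returns this instead of connecting
        }
    }
    return $preempt;
}, 10, 3 );

// The check resolved the name once; cURL resolves it again at connect time, so a DNS server the
// attacker controls can answer public first and internal second (rebinding). Pin cURL to the
// address that was actually vetted. Only the cURL transport exposes this hook.
add_action( 'http_api_curl', function ( $handle, $args, $url ) {
    $parts = wp_parse_url( $url );
    $host  = empty( $parts['host'] ) ? '' : strtolower( trim( $parts['host'], '[]' ) );
    $ips   = fwwp_ex_vetted( $host );
    if ( '' === $host || empty( $ips ) || filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return;
    }
    $scheme = isset( $parts['scheme'] ) ? $parts['scheme'] : 'http';
    $port   = isset( $parts['port'] ) ? (int) $parts['port'] : ( 'https' === $scheme ? 443 : 80 );
    curl_setopt( $handle, CURLOPT_RESOLVE, array( "{$host}:{$port}:{$ips[0]}" ) );
}, 10, 3 );
```

Two operational caveats. First, `pre_http_request` only sees traffic that goes through `WP_Http` (`wp_remote_get()` and friends); a plugin that calls `curl_exec()` or `file_get_contents()` directly is not covered. Core's own `wp_http_validate_url()` performs a similar private-range check, but only for `wp_safe_remote_*()` calls (`reject_unsafe_urls`), which is why a global filter is worth having. Second, before switching to enforce mode, add the site's own hostname to the allowlist: WP-Cron spawning and the Site Health loopback test are outbound requests to the site itself, and a host that resolves to a loopback or LAN address locally would otherwise be blocked by the private-range rule.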

#### Admin Pages (15 pages)

1. **Dashboard** - Live visitor table (15s auto-refresh), 24h stats cards, traffic chart (Chart.js), top IPs, top pages, browser distribution doughnut.
2. **Hardening Status** - Checklist of all hardening options with current status (secure/insecure) and one-click enable buttons.
3. **Visitor Log** - Full filterable request log with pagination, IP/URL/bot/blocked filters, CSV export, time range selector.
4. **IP Whitelist** - Whitelist management with add/remove, "whitelist my IP" button, live search, labels.
5. **IP Block List** - Blocked IPs table with unblock/whitelist actions, quick block form, search.
6. **Login Security** - Custom login URL configuration, brute-force attempt monitor table, lockout status, stats sidebar.
7. **Audit Log** - Admin action audit trail.
8. **AI Crawlers** - Per-crawler toggle table (20 crawlers), robots.txt preview, "block all" toggle, 30-day crawler stats sidebar.
9. **REST API** - Policy table with add/edit/delete, namespace discovery, auth/rate-limit settings per route.
10. **Session Security** - Cookie hardening settings, session binding controls, concurrent session limits, idle timeout.
11. **Outbound Monitor** - SSRF settings, domain allowlist editor, outbound request log table, stats.
12. **Cron Guard** - Cron health status, scheduled events table, suspicious event alerts, system cron migration guide.
13. **Post-Breach** - 6-step recovery toolkit with guided actions and result panels.
14. **Settings** - Centralized settings page for visitor logging, login security, hardening toggles, notifications.
15. **Setup Wizard** - 7-step guided setup (hidden page, auto-redirects on first activation).

#### Setup Wizard (NEW)
- Auto-redirects on first plugin activation via transient
- 7 steps: Welcome, Hardening, Login Protection, Firewall & Monitoring, Session & Cookie Security, AI Crawlers & Notifications, Whitelist IP & Finish
- Each setting includes detailed advice explaining what it does and why it matters
- Whitelist IP step prevents admin lockout
- Saves all settings via existing AJAX endpoint on completion
- Sets `fwwp_setup_complete` flag to prevent re-redirect

#### Frontend Assets
- `admin.css` - Enterprise admin stylesheet with Inter font, design tokens, BEM naming, responsive grid layouts, 1800+ lines
- `admin.js` - AJAX-driven admin JS with live visitor feed, Chart.js integration, IP detail modal, block modal, CSV export, per-module initializers, setup wizard controller, column resizer, ~1800 lines
- `atlant-logo.png` - Brand logo

#### Branding
- Plugin name: "Atlant Security"
- Internal codename: FortressWP (PHP namespace `FortressWP\`, table/option prefix `fwwp_`)
- Brand: Atlant Security (atlantsecurity.com)
- Footer branding on all admin pages with logo, version, docs/support links
- Plugin row meta links (Documentation, Support, Atlant Security)

---

## [1.0.1] - 2026-03-01

### Bug Fixes
- **Setup Wizard pagination**: Fixed wizard displaying all 7 steps simultaneously instead of one at a time. Added inline `style="display:none"` to steps 2–7 in PHP template. Enhanced JavaScript `goToStep()` to set inline `display` styles directly.
- **Setup Wizard "Let's Go" button**: Fixed navigation buttons not responding. Added inline `<script>` in `setup-wizard.php` with vanilla JS step navigation that works independently of `admin.js`, eliminating dependency chain issues.
- **Setup Wizard layout**: Completely decoupled wizard from `.fwwp-wrap` (which uses negative margins + `width: calc(100%+30px)` for edge-to-edge layout on other pages). Removed `fwwp-wrap` class from wizard HTML. Made `.fwwp-wizard-wrap` fully self-contained with its own typography, centered card layout (`max-width: 760px; margin: 0 auto`), proper padding, and responsive breakpoints. Wizard now sits naturally inside WP's `#wpcontent` area without overlapping the sidebar or stretching to screen edges.
- **Setup Wizard Step 7 buttons**: Rewrote inline `<script>` to be a fully self-contained wizard controller with vanilla JS `fetch()` for all AJAX (Whitelist My IP, Complete Setup), zero dependency on `admin.js` or jQuery. Handles settings collection, save via `fwwp_save_settings`, setup completion via `fwwp_complete_setup`, and redirect to dashboard.
- **Footer emoji**: Changed "made with 🔒" to "made with ❤️" in footer branding text.
- **Footer underlapping sidebar**: Footer was rendered via `admin_footer` hook (fires outside `#wpwrap`) causing it to appear under the WordPress admin sidebar. Switched to `in_admin_footer` hook which fires inside `#wpfooter` → `#wpcontent`, inheriting the sidebar's margin-left. Added CSS to hide WP's default footer content on plugin pages. Added responsive footer styles for mobile.

### New Features
- **VirusTotal IP Lookup**: Added VirusTotal lookup buttons across the plugin:
  - Visitor log table: "🛡️ VT" button in each row's actions column
  - Live visitors table (Dashboard): "🛡️ VT" button in each row's actions column
  - IP detail modal: "🛡️ VirusTotal Lookup" button in the actions area
  - Top IPs panel (Dashboard): "🛡️" icon button next to each IP
  - All buttons open `https://www.virustotal.com/gui/ip-address/{IP}` in a new tab (no API key required)
  - Custom hover styling (green accent) to distinguish VT buttons

---

## Build History

| Build | Date | Zip File | Notes |
|-------|------|----------|-------|
| Initial | 2026-03-01 02:08 | `atlant-security_old.zip` | First build with core modules |
| Pre-wizard | 2026-03-01 10:34 | `atlant-security_v1.0.0-pre-wizard.zip` | Added 5 new modules (AI Crawlers, REST API Policies, Session Security, Outbound Monitor, Cron Guard) + 5 admin views + hardening rename |
| With wizard | 2026-03-01 10:34 | `atlant-security.zip` | Added 7-step setup wizard with advice |
