# Changelog

All notable changes to BaseCloud Shield will be documented in this file.

## [1.2.7] - 2026-02-03

### 🔐 Security Enhancements
- **CRITICAL FIX**: Resolved duplicate OTP email sending issue
- Implemented comprehensive duplicate prevention across all delivery methods
- Added email deduplication to prevent the same address from receiving multiple OTPs
- Added phone number deduplication for WhatsApp/SMS delivery methods
- Enhanced recipient list deduplication to prevent duplicate user entries

### 🛡️ Enterprise-Grade Security Features
- **Brute Force Protection**: Maximum 5 OTP attempts before 15-minute IP lockout
- **Rate Limiting**: Limit OTP generation to 3 requests per 10-minute window
- **Cryptographically Secure OTP**: Replaced `rand()` with `random_bytes()` for secure random generation
- **Session Binding & Anti-Hijacking**:
  - IP address validation - OTP must be verified from same IP
  - User-Agent fingerprinting for browser consistency validation
  - HMAC-SHA256 session tokens to prevent session fixation
  - Secure HMAC-based trust cookies (replaced simple MD5)
- **CSRF Protection**: WordPress nonce validation on OTP submission
- **Enhanced Cookie Security**: All cookies now use the `HttpOnly` and `Secure` flags
- **Security Event Logging**: Comprehensive logging of all security events (last 100 events)
- **Real-Time Security Alerts**:
  - Automatic email alerts for suspicious activity
  - Webhook integration for enterprise monitoring
  - Detection of session hijacking, IP mismatches, failed attempts
- **Attack Detection & Prevention**:
  - Session fixation attempt detection
  - OTP interception prevention (IP binding)
  - CSRF attack protection
  - Brute force attack blocking
  - Rate limit violation detection
- **Timing Attack Protection**: Uses `hash_equals()` for constant-time comparisons
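
The sketch below is an added example, not BaseCloud Shield's own code. It shows how the `random_bytes()` OTP, the attempt counter, IP binding, the HMAC-SHA256 trust cookie and `hash_equals()` fit together. All function names, the 6-digit length, the 300-second lifetime and the key handling are assumptions made for illustration.

```php
<?php
// Added example, not BaseCloud Shield code; names, key, OTP length and TTL are assumptions.
const MAX_ATTEMPTS = 5; // from the changelog: 5 attempts before lockout

// Numeric OTP from random_bytes(), rejection-sampled to avoid modulo bias (64-bit PHP).
function generate_otp(int $digits = 6): string {
    $range = 10 ** $digits;
    $limit = intdiv(0x100000000, $range) * $range; // largest multiple of $range <= 2^32
    do {
        $n = unpack('N', random_bytes(4))[1];       // unsigned 32-bit value
    } while ($n >= $limit);                         // discard the biased tail
    return str_pad((string) ($n % $range), $digits, '0', STR_PAD_LEFT);
}

// Store a keyed MAC of the code plus the metadata the changelog lists.
function new_otp_record(string $otp, string $ip, string $ua, string $key): array {
    return ['mac' => hash_hmac('sha256', $otp, $key), 'ip' => $ip, 'ua' => $ua,
            'created' => time(), 'attempts' => 0];
}

// Returns one of the event names from the Security Monitoring list.
function verify_otp(array &$rec, string $input, string $ip, string $key, int $ttl = 300): string {
    if ($rec['attempts'] >= MAX_ATTEMPTS) return 'max_attempts';
    if (time() - $rec['created'] > $ttl)  return 'otp_expired';
    $rec['attempts']++;                   // every verification try counts
    if (!hash_equals($rec['ip'], $ip))    return 'ip_mismatch';
    $mac = hash_hmac('sha256', $input, $key);
    return hash_equals($rec['mac'], $mac) ? 'otp_success' : 'otp_failed';
}

// Trust cookie: payload plus HMAC-SHA256 tag, checked in constant time.
function make_trust_cookie(int $userId, int $expires, string $key): string {
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function check_trust_cookie(string $cookie, string $key): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) return false;
    [$uid, $exp, $mac] = $parts;
    return hash_equals(hash_hmac('sha256', "$uid|$exp", $key), $mac) && (int) $exp >= time();
}

// Constructed demo values (documentation IP ranges, throwaway key).
$key = random_bytes(32);
$otp = generate_otp();
$rec = new_otp_record($otp, '203.0.113.7', 'DemoUA/1.0', $key);
echo verify_otp($rec, 'not-the-code', '203.0.113.7', $key), "\n";
echo verify_otp($rec, $otp, '198.51.100.9', $key), "\n";
echo verify_otp($rec, $otp, '203.0.113.7', $key), "\n";
var_dump(check_trust_cookie(make_trust_cookie(42, time() + 3600, $key), $key));
```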

### 🔧 Technical Improvements
- Added 60-second OTP generation lock to prevent rapid duplicate sends
- Enhanced IP detection supporting proxies, Cloudflare, and load balancers
- Implemented proper IP validation before processing
- OTP data now includes metadata (IP, User-Agent, timestamp, attempt counter)
- Improved error messages with remaining attempt counter
- Added pattern validation for numeric OTP input (inputmode="numeric")

### 📊 Security Monitoring
- New security event types tracked:
  - `ip_lockout` - IP locked due to multiple failures
  - `rate_limited` - OTP generation rate limited
  - `trusted_login` - Login via trusted device
  - `invalid_trust_cookie` - Suspicious cookie detected
  - `otp_generated` - New OTP created
  - `otp_expired` - Expired OTP usage attempt
  - `max_attempts` - Maximum attempts exceeded
  - `ip_mismatch` - OTP verification from different IP
  - `session_mismatch` - Session token validation failed
  - `otp_success` - Successful OTP verification
  - `otp_failed` - Failed OTP attempt
  - `csrf_attempt` - CSRF token validation failed

### 🎯 What This Prevents
- OTP Interception (IP binding enforcement)
- Session Hijacking (multi-factor validation)
- CSRF Attacks (nonce protection)
- Replay Attacks (one-time codes with metadata)
- Rate Limit Abuse (throttling)
- Brute Force Attacks (auto-lockout)
- Timing Attacks (constant-time comparisons)

## [1.2.6] - Previous Release
- Initial stable release
- Multiple delivery method support
- Recipient routing options
- Basic 2FA functionality

