# Changelog

All notable changes to BaseCloud Shield will be documented in this file.

## [1.3.2] - 2026-02-04

### 🎨 Branding Update
- Replaced Lottie animation with official BaseCloud SVG logo
- Removed Lottie player dependency for lighter plugin footprint
- Updated admin header to use static SVG logo from BaseCloud Global

## [1.3.1] - 2026-02-04

### 🎨 UI Improvements
- Removed placeholder text from IP Whitelist and IP Blacklist fields for cleaner interface
- Textareas now appear empty by default
- Current IP still displayed in info box below whitelist for easy reference

## [1.3.0] - 2026-02-04

### 🎯 New Features: Advanced IP Management
- **IP Whitelist**: Add trusted IPs that bypass all lockout and rate limiting
  - Support for exact IPs (e.g., `169.0.79.28`)
  - Support for wildcards (e.g., `192.168.*.*`)
  - Support for CIDR notation (e.g., `10.0.0.0/24`)
  - Current IP displayed for easy whitelisting
  - Multiple IPs supported (one per line)
- **IP Blacklist**: Permanently block malicious IPs from accessing your site
  - Immediate denial of access for blacklisted IPs
  - Same flexible format support as whitelist
- **Manual IP Unlock**: Real-time IP lockout management
  - View all currently locked IPs in admin panel
  - See time remaining until auto-unlock
  - One-click manual unlock button
  - Audit trail logging for all manual unlocks

### 🛡️ Security Improvements
- Whitelisted IPs now bypass both lockout checks and rate limiting
- Blacklist check occurs before any authentication processing
- Enhanced security event logging for whitelist/blacklist activities
- Admin AJAX endpoint with proper nonce verification for IP unlocking
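
The three rule formats and the evaluation order described for 1.3.0 can be sketched as follows. This is an added example, not BaseCloud Shield source: the function names are hypothetical, IPv4 only is assumed, and letting a blacklist hit take precedence over a whitelist hit is an assumption the changelog does not state.

```php
<?php
// Added example, not BaseCloud Shield source; function names are hypothetical.
// Assumes 64-bit PHP 7.4+ and IPv4 rules only.
/** True if IPv4 $ip matches one rule: exact address, wildcard, or CIDR. */
function ip_matches_rule(string $ip, string $rule): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;                                    // IPv6 and junk never match
    }
    if (strpos($rule, '/') !== false) {                  // CIDR, e.g. 10.0.0.0/24
        [$net, $bits] = explode('/', $rule, 2);
        $netLong = ip2long($net);
        if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
            return false;                                // malformed rule matches nothing
        }
        $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
        return (ip2long($ip) & $mask) === ($netLong & $mask);
    }
    $ruleOctets = explode('.', $rule);                   // exact or wildcard form
    if (count($ruleOctets) !== 4) {
        return false;
    }
    foreach (explode('.', $ip) as $i => $octet) {
        if ($ruleOctets[$i] !== '*' && $ruleOctets[$i] !== $octet) {
            return false;
        }
    }
    return true;
}

/** One rule per line, as entered in the settings textarea; blank lines dropped. */
function parse_ip_rules(string $text): array
{
    return array_values(array_filter(array_map('trim', preg_split('/\R/', $text))));
}
/** Assumed precedence: blacklist first, then whitelist bypasses lockout and rate limits. */
function classify_ip(string $ip, array $blacklist, array $whitelist): string
{
    $hit = fn(array $rules): bool => (bool) array_filter($rules, fn($r) => ip_matches_rule($ip, $r));
    if ($hit($blacklist)) {
        return 'deny';
    }
    return $hit($whitelist) ? 'bypass' : 'enforce';
}
// Constructed sample lists and addresses.
$white = parse_ip_rules("169.0.79.28\n192.168.*.*\n10.0.0.0/24");
$black = parse_ip_rules("192.168.66.*");
foreach (['10.0.0.77', '10.0.1.77', '192.168.66.5', '192.168.1.5', '::1'] as $ip) {
    printf("%-14s %s\n", $ip, classify_ip($ip, $black, $white));
}
```

A malformed rule matches nothing here, which fails closed for the whitelist but silently leaves a mistyped blacklist entry unenforced, so rules are worth validating when they are saved.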

### 🎨 UI/UX Enhancements
- New "Security Controls" section in admin settings
- Real-time display of locked IPs with countdown timers
- Improved admin interface with color-coded IP status indicators
- Current user IP prominently displayed for convenience

## [1.2.8] - 2026-02-03

### 🔥 Critical Hotfix
- **FIXED**: "Suspicious session detected" error blocking legitimate logins
- **FIXED**: Session token validation now works correctly
- Session token generation now uses a consistent secret instead of a time-based one
- Users can successfully complete login flow without false security alerts

### ✨ Improvements
- Enhanced OTP lock mechanism to prevent unnecessary duplicate OTP generation
- Existing valid OTP is reused if user attempts login multiple times
- Better handling of page refreshes during OTP verification process
- Reduced false positive security alerts for legitimate users

### 🐛 Bug Fixes
- Session token mismatch that was flagging all logins as suspicious
- OTP lock mechanism now properly redirects to verification page

## [1.2.7] - 2026-02-03

### 🔐 Security Enhancements
- **CRITICAL FIX**: Resolved duplicate OTP email sending issue
- Implemented comprehensive duplicate prevention across all delivery methods
- Added email deduplication to prevent the same address from receiving multiple OTPs
- Added phone number deduplication for WhatsApp/SMS delivery methods
- Enhanced recipient list deduplication to prevent duplicate user entries

### 🛡️ Enterprise-Grade Security Features
- **Brute Force Protection**: Maximum 5 OTP attempts before 15-minute IP lockout
- **Rate Limiting**: Limit OTP generation to 3 requests per 10-minute window
- **Cryptographically Secure OTP**: Replaced rand() with random_bytes() for secure random generation
- **Session Binding & Anti-Hijacking**: 
  - IP address validation - OTP must be verified from same IP
  - User-Agent fingerprinting for browser consistency validation
  - HMAC-SHA256 session tokens to prevent session fixation
  - Secure HMAC-based trust cookies (replaced simple MD5)
- **CSRF Protection**: WordPress nonce validation on OTP submission
- **Enhanced Cookie Security**: All cookies now use httponly and secure flags
- **Security Event Logging**: Comprehensive logging of all security events (last 100 events)
- **Real-Time Security Alerts**: 
  - Automatic email alerts for suspicious activity
  - Webhook integration for enterprise monitoring
  - Detection of session hijacking, IP mismatches, failed attempts
- **Attack Detection & Prevention**:
  - Session fixation attempt detection
  - OTP interception prevention (IP binding)
  - CSRF attack protection
  - Brute force attack blocking
  - Rate limit violation detection
- **Timing Attack Protection**: Uses hash_equals() for constant-time comparisons
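
A sketch of the session-binding and constant-time checks listed above, and of the token mismatch that 1.2.8 later fixed by moving to a consistent secret. This is an added example, not BaseCloud Shield source: all function names and sample values are hypothetical, `random_int()` is used here in place of raw `random_bytes()` (both draw from the same CSPRNG), and the way the time-based key is built is an assumption made to show the failure mode.

```php
<?php
// Added example, not BaseCloud Shield source; all names are hypothetical.

/** Numeric OTP drawn from the CSPRNG; random_int() is unbiased, unlike rand() % N. */
function generate_otp(int $digits = 6): string
{
    return str_pad((string) random_int(0, 10 ** $digits - 1), $digits, '0', STR_PAD_LEFT);
}

/** HMAC-SHA256 over user, IP and User-Agent; fields are length-prefixed to avoid ambiguity. */
function session_token(int $userId, string $ip, string $userAgent, string $secret): string
{
    $msg = '';
    foreach ([(string) $userId, $ip, $userAgent] as $field) {
        $msg .= strlen($field) . ':' . $field;
    }
    return hash_hmac('sha256', $msg, $secret);
}

/** Recompute the token from the current request and compare in constant time. */
function verify_session_token(string $token, int $userId, string $ip, string $ua, string $secret): bool
{
    return hash_equals(session_token($userId, $ip, $ua, $secret), $token);
}

// Constructed values; a real deployment loads one persistent secret from configuration.
$secret = random_bytes(32);
$ip = '203.0.113.10';
$ua = 'ExampleBrowser/1.0';

$token = session_token(7, $ip, $ua, $secret);
var_dump(verify_session_token($token, 7, $ip, $ua, $secret));             // same client
var_dump(verify_session_token($token, 7, '198.51.100.4', $ua, $secret));  // IP changed

// Failure mode of a time-derived key (assumed construction): the token is issued
// and verified at different times, so the keys differ and a legitimate client fails.
$issued = session_token(7, $ip, $ua, $secret . '1770100000');
var_dump(verify_session_token($issued, 7, $ip, $ua, $secret . '1770100060'));

echo generate_otp(), "\n";
```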

### 🔧 Technical Improvements
- Added 60-second OTP generation lock to prevent rapid duplicate sends
- Enhanced IP detection supporting proxies, Cloudflare, and load balancers
- Implemented proper IP validation before processing
- OTP data now includes metadata (IP, User-Agent, timestamp, attempt counter)
- Improved error messages with remaining attempt counter
- Added pattern validation for numeric OTP input (inputmode="numeric")

### 📊 Security Monitoring
- New security event types tracked:
  - `ip_lockout` - IP locked due to multiple failures
  - `rate_limited` - OTP generation rate limited
  - `trusted_login` - Login via trusted device
  - `invalid_trust_cookie` - Suspicious cookie detected
  - `otp_generated` - New OTP created
  - `otp_expired` - Expired OTP usage attempt
  - `max_attempts` - Maximum attempts exceeded
  - `ip_mismatch` - OTP verification from different IP
  - `session_mismatch` - Session token validation failed
  - `otp_success` - Successful OTP verification
  - `otp_failed` - Failed OTP attempt
  - `csrf_attempt` - CSRF token validation failed

### 🎯 What This Prevents
- OTP Interception (IP binding enforcement)
- Session Hijacking (multi-factor validation)
- CSRF Attacks (nonce protection)
- Replay Attacks (one-time codes with metadata)
- Rate Limit Abuse (throttling)
- Brute Force Attacks (auto-lockout)
- Timing Attacks (constant-time comparisons)

## [1.2.6] - Previous Release
- Initial stable release
- Multiple delivery method support
- Recipient routing options
- Basic 2FA functionality

