# Changelog

All notable changes to BaseCloud Shield will be documented in this file.

## [1.6.2] - 2026-03-17

### 🚨 Critical Bug Fixes — OTP login was always failing

Three compounding bugs caused every OTP submission to silently redirect back to the login page ("reset") instead of completing the login:

**Bug 1 — Session token was IP + User-Agent bound (root cause)**
The `bcshield_session` cookie value was an HMAC computed from the client IP and User-Agent at login time, and re-computed at submission time. Any difference in how the server sees the IP between the two requests (CDN hops, proxy layers, dual-stack IPv4/IPv6 selection, load balancer variance) produced a mismatch, triggering `session_mismatch` → `wp_redirect(home_url())`.
**Fix:** Session token is now a cryptographically random 64-char hex string (256 bits) generated at login time and stored server-side in a transient keyed by user ID. Only the cookie value is compared against the stored value; IP and UA are no longer part of the token.

**Bug 2 — All cookies used hard-coded `secure: true`**
Every `setcookie()` call had the `$secure` parameter hard-coded to `true`. A browser refuses to store a cookie carrying the `Secure` attribute when it arrives over a non-HTTPS connection, so on any plain-HTTP setup (HTTP dev environment, mixed-protocol proxy) `bcshield_pending_user` and `bcshield_session` were never sent back to the server, causing an immediate redirect to `home_url()`.
**Fix:** All `setcookie()` calls now pass `is_ssl()` as the `$secure` argument, so the flag is set only when WordPress sees the request as HTTPS. Caveat for proxied sites: `is_ssl()` looks at `$_SERVER['HTTPS']` (and port 443), so behind a TLS-terminating proxy it returns `false` unless the proxy's `X-Forwarded-Proto` header is mapped to `$_SERVER['HTTPS']` in `wp-config.php`; in that setup the cookies are issued without `Secure`.

**Bug 3 — OTP data was IP-bound (deleted OTP on any IP change)**
The OTP transient stored the client IP at generation time and deleted the OTP + blocked the user if the submission IP differed. Combined with Bug 1, any IP variance broke the entire flow.
**Fix:** IP mismatch is now logged as informational only (the `ip_mismatch` event); the session token already proves the submitter holds the cookie issued to the browser that received the form. The trade-off is that a captured `bcshield_session` cookie is usable from any network, so its HttpOnly flag and the OTP validity window are what bound that exposure.

### 🔧 Technical
- New `make_session_token($uid, $validity_secs)` — generates random token, stores in `bcshield_sess_{uid}` transient
- New `verify_session_token($uid, $cookie_value)` — constant-time compare against stored transient
- New `delete_session_token($uid)` — cleans up on successful login
- Old `session_token($uid, $ip, $ua)` HMAC method removed from the critical auth path

## [1.6.1] - 2026-03-17

### 🔧 Fixed
- **Paste auto-submit**: Pasting a complete 6-digit OTP now automatically submits the form after 80ms — no need to click "Verify & Sign In" separately
- **Paste clears old digits**: The paste handler now clears all digit boxes before filling them; previously, if the user had partially typed digits and then pasted, the leftover values in un-overwritten boxes would silently corrupt the submitted code
- **Auto-submit on last digit**: Typing the final (6th) digit also triggers auto-submission, making both paste and manual entry equally seamless

## [1.6.0] - 2026-03-17

### ✨ New Features
- **OTP Resend Button**: Added a "Resend Code" button on the verification screen — users can request a fresh OTP up to **3 times per session** without having to navigate back to the login page
- **Session-scoped resend counter**: Resend count is tracked per login session and resets automatically when the OTP validity window expires; after 3 resends the button is permanently disabled for that session
- **30-second client-side cooldown**: After each resend the button shows a live countdown before re-enabling, preventing accidental double-sends; this is a UX guard only, the server-side limits are the resend counter and the existing 60-second OTP generation lock
- **Auto-clear digit boxes**: When a resend is triggered the digit input fields are cleared automatically so the user can enter the fresh code straight away

### 🔧 Technical
- Extracted `deliver_otp()` private helper — OTP delivery logic is now shared between `intercept_login` and the new resend AJAX handler (no duplication)
- New `wp_ajax_nopriv_bcshield_resend_otp` / `wp_ajax_bcshield_resend_otp` AJAX endpoints with full HMAC session validation and nonce protection
- Resend counter stored as `bcshield_resend_{uid}` transient scoped to the OTP validity window; initialised to 0 on every fresh OTP generation
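The token lifecycle from the 1.6.2 fix above and the resend counter from this release, as an added example written for this page rather than taken from the plugin. The function names and transient keys (`make_session_token`, `verify_session_token`, `delete_session_token`, `bcshield_sess_{uid}`, `bcshield_resend_{uid}`) are the changelog's; the cookie attributes, the `issue_session_cookie`/`reset_resend_counter`/`try_resend`/`check` helpers, the stored state layout and the 300-second validity are assumptions. The resend path is shown with the 1.6.2 random-token check that replaced the HMAC validation this release shipped with, and it assumes a resend does not open a fresh counter window (otherwise "initialised to 0 on every fresh OTP generation" would reset the limit on every resend). The stubs at the top exist only so the file runs outside WordPress with `php`:

```php
<?php
// Added example, not BaseCloud Shield's own code. It implements the 1.6.2 server-side
// session token (make/verify/delete on the bcshield_sess_{uid} transient), cookie
// issuance with Secure tied to is_ssl(), and the 1.6.0 resend counter on the
// bcshield_resend_{uid} transient. Function and key names are the changelog's; cookie
// attributes, TTLs, return shapes and check() are assumed. Outside WordPress the
// transient and is_ssl() helpers are stubbed on an in-memory store so the file runs alone.

if (!function_exists('set_transient')) {   // stand-alone stubs; WordPress provides the real ones
    $GLOBALS['bcshield_stub'] = [];
    function set_transient(string $k, $v, int $ttl): bool { $GLOBALS['bcshield_stub'][$k] = [$v, time() + $ttl]; return true; }
    function get_transient(string $k) { $r = $GLOBALS['bcshield_stub'][$k] ?? null; return ($r === null || $r[1] <= time()) ? false : $r[0]; }
    function delete_transient(string $k): bool { unset($GLOBALS['bcshield_stub'][$k]); return true; }
    function is_ssl(): bool { return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off'; }
}

function make_session_token(int $uid, int $validity_secs): string {
    $token = bin2hex(random_bytes(32));   // 256 random bits, nothing about the client in it
    set_transient('bcshield_sess_' . $uid, $token, $validity_secs);
    return $token;
}

function verify_session_token(int $uid, ?string $cookie_value): bool {
    $stored = get_transient('bcshield_sess_' . $uid);
    if (!is_string($stored) || !is_string($cookie_value)) {
        return false;   // no pending session, expired, or cookie not sent
    }
    return hash_equals($stored, $cookie_value);   // constant-time comparison
}

function delete_session_token(int $uid): void {
    delete_transient('bcshield_sess_' . $uid);   // after a successful login the cookie is worthless
}

function issue_session_cookie(string $token, int $validity_secs): bool {
    return setcookie('bcshield_session', $token, [
        'expires'  => time() + $validity_secs,
        'path'     => '/',
        'secure'   => is_ssl(),   // Bug 2 fix: Secure only on a real HTTPS request
        'httponly' => true,
        'samesite' => 'Lax',      // assumed; the OTP form posts to the same site
    ]);
}

const BCSHIELD_MAX_RESENDS = 3;

function reset_resend_counter(int $uid, int $otp_ttl): void {
    // On every fresh OTP generation. The window end travels with the count because
    // WordPress' public API does not expose a transient's remaining lifetime for later writes.
    set_transient('bcshield_resend_' . $uid, ['count' => 0, 'window_end' => time() + $otp_ttl], $otp_ttl);
}

/** Server-side half of the resend endpoint; the AJAX wrapper checks the nonce before calling this. */
function try_resend(int $uid, ?string $cookie_value, callable $deliver_otp): array {
    if (!verify_session_token($uid, $cookie_value)) {
        return ['ok' => false, 'reason' => 'session_mismatch'];
    }
    $state = get_transient('bcshield_resend_' . $uid);
    if (!is_array($state) || $state['window_end'] <= time()) {
        return ['ok' => false, 'reason' => 'otp_expired'];   // window closed: log in again
    }
    if ($state['count'] >= BCSHIELD_MAX_RESENDS) {
        return ['ok' => false, 'reason' => 'resend_limit'];
    }
    $deliver_otp($uid);   // the shared deliver_otp() helper
    $state['count']++;
    set_transient('bcshield_resend_' . $uid, $state, $state['window_end'] - time());
    return ['ok' => true, 'remaining' => BCSHIELD_MAX_RESENDS - $state['count']];
}

function check(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("FAILED: $what"); } }

// Walk-through with a constructed user id and a counting stand-in for deliver_otp().
$uid = 42; $ttl = 300; $sent = 0;
$deliver = function (int $u) use (&$sent): void { $sent++; };
$token = make_session_token($uid, $ttl);
issue_session_cookie($token, $ttl);
reset_resend_counter($uid, $ttl);

check(verify_session_token($uid, $token), 'cookie value accepted, whatever the IP or UA');
check(!verify_session_token($uid, str_repeat('0', 64)), 'foreign cookie value rejected');
check(!verify_session_token($uid, null), 'missing cookie rejected');
for ($i = 1; $i <= BCSHIELD_MAX_RESENDS; $i++) {
    check(try_resend($uid, $token, $deliver)['ok'], "resend $i allowed");
}
check(try_resend($uid, $token, $deliver)['reason'] === 'resend_limit', 'fourth resend refused');
check($sent === BCSHIELD_MAX_RESENDS, 'exactly three deliveries');
check(try_resend($uid, str_repeat('0', 64), $deliver)['reason'] === 'session_mismatch', 'resend requires the session cookie');
delete_session_token($uid);
check(!verify_session_token($uid, $token), 'token unusable once login completes');
echo "all checks passed\n";
```

One consequence of the `bcshield_sess_{uid}` key worth knowing: the token is keyed by user ID, so a second login flow started for the same account overwrites the first flow's token and the first browser's cookie stops verifying.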

## [1.5.2] - 2026-03-17

### ✨ New Features
- **Extended Attempts IPs**: Added per-IP attempt limit overrides — list trusted IPs (office, home, admin) that get a configurable higher attempt count (default 10, range 3–20) before lockout, while the global setting stays strict
- **Current IP hint**: The Extended Attempts IPs admin panel shows your current IP inline so you can add it with one glance

### 🔧 Technical
- New `max_attempts_for_ip($ip)` method checks IP against extended list before falling back to global `max_attempts`
- Extended attempts IPs use the same flexible format as Whitelist/Blacklist: exact IPs, wildcards, and CIDR notation

## [1.5.1] - 2026-03-17

### 🎨 UI Refinements
- **OTP Screen — Aurora Background**: Added a slow-drifting animated aurora gradient behind the verification card for depth and motion
- **OTP Screen — Card Entrance**: Replaced static appearance with a smooth spring-eased scale-in animation on page load
- **OTP Screen — Top Accent Line**: Added a subtle green gradient glow line at the top of the verification card to frame the interface
- **OTP Screen — Digit Pop Animation**: Digit boxes now animate with a spring bounce when filled, giving tactile feedback
- **OTP Screen — Filled State**: Wired up `.filled` CSS class to digit boxes on input, backspace, and paste — green tint now correctly activates when a digit is entered
- **Admin Header — Scan Line**: Added a continuous sweeping horizontal green light line along the bottom of the admin header for a live-system aesthetic

## [1.3.9] - 2026-02-25

### 🔧 Fixed
- **Logo Display**: Fixed breathing logo display in admin settings header
- **Asset Deployment**: Ensured logo PNG properly deploys to WordPress.org

## [1.3.8] - 2026-02-25

### 🔧 Fixed
- **Config Labels Visibility**: Fixed "Webhook URL", "From Email Address" and other config section labels - now properly white and visible
- **Enhanced CSS Specificity**: Improved CSS rules to ensure all labels in configuration sections display correctly
- **Checkbox Labels**: Fixed delivery method checkbox labels to be white

## [1.3.7] - 2026-02-25

### 🔧 Fixed
- **Section Headers**: Fixed dark "Webhook Configuration", "Email Configuration" and other section headers - now white for visibility
- **Config Labels**: All configuration section labels now properly white colored
- **Breathing Logo**: Ensured breathing logo PNG displays correctly in admin header

## [1.3.6] - 2026-02-25

### ✨ New Features
- **Breathing Logo Animation**: Added animated breathing logo alongside the settings page heading for enhanced visual appeal
- **Premium Branding**: Integrated official BaseCloud Shield PNG logo with CSS pulse animation

### 🎨 UI Improvements
- **White Text Theme**: Fixed all dark text issues - all text now visible white for better contrast
- **Input Field Styling**: Updated all input fields with white text and proper placeholder colors
- **Enhanced Readability**: Improved visibility across all admin interface elements

## [1.3.5] - 2026-02-13

### 🔧 Fixed
- **Broken Logo Image**: Fixed broken logo image in settings page header by adding proper logo.png file from main assets
- **Menu Icon**: Replaced broken base64 PNG icon with clean SVG shield icon for WordPress admin menu
- **Asset Integration**: Integrated official BaseCloud Shield logo from main folder into plugin assets

### 🎨 Enhanced
- **Visual Consistency**: Improved brand consistency across WordPress admin interface with proper logo display

## [1.3.4] - 2026-02-12

### 🔧 Fixed
- **Logo Display**: Updated logo assets to ensure proper display in admin panel
- **Asset Sync**: Synchronized icon files with UTM Tracker branding

## [1.3.3] - 2026-02-12

### 🎨 UI/UX Revolution
- **Premium Glassmorphism Design**: Complete UI overhaul with stunning glass-morphic effects and backdrop blur
- **Advanced Animations**: Added shimmer, float, glow-pulse, and logo-pulse animations for modern feel
- **Enhanced Logo Display**: Upgraded to animated BaseCloud logo with glowing effects and floating animation
- **Futuristic Color Scheme**: Deep space blues with vibrant neon green accents
- **Interactive Elements**: Smooth hover effects, transform animations, and enhanced visual feedback
- **Professional Polish**: Refined typography, spacing, and visual hierarchy throughout admin interface
- **Consistent Branding**: Matches BaseCloud UTM Tracker's premium design language

## [1.3.2] - 2026-02-04

### 🎨 Branding Update
- Replaced Lottie animation with official BaseCloud SVG logo
- Removed Lottie player dependency for lighter plugin footprint
- Updated admin header to use static SVG logo from BaseCloud Global

## [1.3.1] - 2026-02-04

### 🎨 UI Improvements
- Removed placeholder text from IP Whitelist and IP Blacklist fields for cleaner interface
- Textareas now appear empty by default
- Current IP still displayed in info box below whitelist for easy reference

## [1.3.0] - 2026-02-04

### 🎯 New Features: Advanced IP Management
- **IP Whitelist**: Add trusted IPs that bypass all lockout and rate limiting
  - Support for exact IPs (e.g., `169.0.79.28`)
  - Support for wildcards (e.g., `192.168.*.*`)
  - Support for CIDR notation (e.g., `10.0.0.0/24`)
  - Current IP displayed for easy whitelisting
  - Multiple IPs supported (one per line)
- **IP Blacklist**: Permanently block malicious IPs from accessing your site
  - Immediate denial of access for blacklisted IPs
  - Same flexible format support as whitelist
- **Manual IP Unlock**: Real-time IP lockout management
  - View all currently locked IPs in admin panel
  - See time remaining until auto-unlock
  - One-click manual unlock button
  - Audit trail logging for all manual unlocks
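The list format described here (one entry per line; exact, wildcard or CIDR) and the `max_attempts_for_ip()` lookup added in 1.5.2 above, as an added example written for this page, not code from the plugin. Only the entry format, the function name and the limits (global 5 from 1.2.7, extended 10 within 3-20) come from the changelog; `ipv4_to_int`, `ip_matches_rule`, `ip_in_list`, `check` and the IPv4-only scope are assumptions. Malformed entries never match, which is the safe failure for a list that bypasses lockout and rate limiting:

```php
<?php
// Added example, not BaseCloud Shield's own code. Implements the whitelist/blacklist
// entry format (exact, wildcard, CIDR; one per line) and the 1.5.2 max_attempts_for_ip()
// that consults the Extended Attempts list before the global limit. IPv4 only, like the
// page's examples; helper names, defaults and check() are assumed.

function ipv4_to_int(string $ip): ?int {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return ip2long($ip);
}

function ip_matches_rule(string $ip, string $rule): bool {
    $rule   = trim($rule);
    $ip_int = ipv4_to_int($ip);
    if ($rule === '' || $ip_int === null) {
        return false;                                  // malformed input never matches
    }
    if (strpos($rule, '/') !== false) {                // CIDR, e.g. 10.0.0.0/24
        [$net, $bits] = explode('/', $rule, 2);
        $net_int = ipv4_to_int($net);
        if ($net_int === null || !ctype_digit($bits) || (int) $bits > 32) {
            return false;
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
        return ($ip_int & $mask) === ($net_int & $mask);
    }
    if (strpos($rule, '*') !== false) {                // wildcard, e.g. 192.168.*.*
        $want = explode('.', $rule);
        $have = explode('.', $ip);                     // four octets: $ip already validated
        if (count($want) !== 4) {
            return false;
        }
        foreach ($want as $i => $octet) {
            if ($octet === '*') {
                continue;
            }
            if (!ctype_digit($octet) || (int) $octet !== (int) $have[$i]) {
                return false;
            }
        }
        return true;
    }
    return ipv4_to_int($rule) === $ip_int;             // exact, e.g. 169.0.79.28
}

function ip_in_list(string $ip, string $list): bool {
    foreach (preg_split('/\R/', $list) as $rule) {     // one entry per line, any line ending
        if (ip_matches_rule($ip, $rule)) {
            return true;
        }
    }
    return false;
}

function max_attempts_for_ip(string $ip, string $extended_ips, int $extended_limit = 10, int $global_limit = 5): int {
    $extended_limit = max(3, min(20, $extended_limit));   // the admin-facing 3..20 range
    return ip_in_list($ip, $extended_ips) ? $extended_limit : $global_limit;
}

function check(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("FAILED: $what"); } }

// Constructed list using the page's own example entries.
$extended = "169.0.79.28\n192.168.*.*\n10.0.0.0/24\n";
check(ip_in_list('169.0.79.28', $extended), 'exact entry');
check(!ip_in_list('169.0.79.29', $extended), 'exact entry is exact');
check(ip_in_list('192.168.7.200', $extended), 'wildcard entry');
check(ip_in_list('10.0.0.77', $extended), 'inside the /24');
check(!ip_in_list('10.0.1.77', $extended), 'outside the /24');
check(!ip_in_list('203.0.113.5', "not-an-ip\n10.0.0.0/99\n192.168.*\n"), 'malformed entries never match');
check(max_attempts_for_ip('10.0.0.77', $extended) === 10, 'listed IP gets the extended limit');
check(max_attempts_for_ip('203.0.113.5', $extended) === 5, 'unlisted IP keeps the global limit');
check(max_attempts_for_ip('10.0.0.77', $extended, 50) === 20, 'extended limit clamped to the admin range');
echo "all checks passed\n";
```

Because a whitelist entry bypasses lockout and rate limiting and an extended entry raises the attempt budget, the address handed to these functions has to be the real client address: where IP detection reads `X-Forwarded-For` or a CDN header, that value should only be trusted on requests that actually arrive from the proxy in question, since any client can otherwise put a listed address in the header itself.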

### 🛡️ Security Improvements
- Whitelisted IPs now bypass both lockout checks and rate limiting
- Blacklist check occurs before any authentication processing
- Enhanced security event logging for whitelist/blacklist activities
- Admin AJAX endpoint with proper nonce verification for IP unlocking

### 🎨 UI/UX Enhancements
- New "Security Controls" section in admin settings
- Real-time display of locked IPs with countdown timers
- Improved admin interface with color-coded IP status indicators
- Current user IP prominently displayed for convenience

## [1.2.8] - 2026-02-03

### 🔥 Critical Hotfix
- **FIXED**: "Suspicious session detected" error blocking legitimate logins
- **FIXED**: Session token validation now works correctly
- Session token generation now uses consistent secret instead of time-based
- Users can successfully complete login flow without false security alerts

### ✨ Improvements
- Enhanced OTP lock mechanism to prevent unnecessary duplicate OTP generation
- Existing valid OTP is reused if user attempts login multiple times
- Better handling of page refreshes during OTP verification process
- Reduced false positive security alerts for legitimate users

### 🐛 Bug Fixes
- Session token mismatch that was flagging all logins as suspicious
- OTP lock mechanism now properly redirects to verification page

## [1.2.7] - 2026-02-03

### 🔐 Security Enhancements
- **CRITICAL FIX**: Resolved duplicate OTP email sending issue
- Implemented comprehensive duplicate prevention across all delivery methods
- Added email deduplication to prevent same address receiving multiple OTPs
- Added phone number deduplication for WhatsApp/SMS delivery methods
- Enhanced recipient list deduplication to prevent duplicate user entries

### 🛡️ Enterprise-Grade Security Features
- **Brute Force Protection**: Maximum 5 OTP attempts before 15-minute IP lockout
- **Rate Limiting**: Limit OTP generation to 3 requests per 10-minute window
- **Cryptographically Secure OTP**: Replaced rand() with random_bytes() for secure random generation
- **Session Binding & Anti-Hijacking**: 
  - IP address validation - OTP must be verified from same IP
  - User-Agent fingerprinting for browser consistency validation
  - HMAC-SHA256 session tokens to prevent session fixation
  - Secure HMAC-based trust cookies (replaced simple MD5)
- **CSRF Protection**: WordPress nonce validation on OTP submission
- **Enhanced Cookie Security**: All cookies now use httponly and secure flags
- **Security Event Logging**: Comprehensive logging of all security events (last 100 events)
- **Real-Time Security Alerts**: 
  - Automatic email alerts for suspicious activity
  - Webhook integration for enterprise monitoring
  - Detection of session hijacking, IP mismatches, failed attempts
- **Attack Detection & Prevention**:
  - Session fixation attempt detection
  - OTP interception prevention (IP binding)
  - CSRF attack protection
  - Brute force attack blocking
  - Rate limit violation detection
- **Timing Attack Protection**: Uses hash_equals() for constant-time comparisons

### 🔧 Technical Improvements
- Added 60-second OTP generation lock to prevent rapid duplicate sends
- Enhanced IP detection supporting proxies, CloudFlare, and load balancers
- Implemented proper IP validation before processing
- OTP data now includes metadata (IP, User-Agent, timestamp, attempt counter)
- Improved error messages with remaining attempt counter
- Added pattern validation for numeric OTP input (inputmode="numeric")
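The OTP generation and check described in this release, as an added example for this page, not the plugin's code. The 6-digit code, CSPRNG-backed randomness, `hash_equals()` comparison, 5-attempt limit and the IP/UA/timestamp/attempt-counter metadata are from the changelog; the record layout, status strings, 5-minute validity, `new_otp_record`/`verify_otp`/`check` and the use of `random_int()` are assumptions. The functions are pure (record in, record out) so the caller decides where the record lives and how the IP lockout is stored:

```php
<?php
// Added example, not BaseCloud Shield's own code: the 1.2.7 OTP hardening as pure
// functions. Code length, attempt limit, hash_equals() and the metadata fields come
// from the changelog; record layout, status names, the 5-minute validity and check()
// are assumed. Since 1.6.2 an IP mismatch is log-only, so ip/ua are stored for the
// event log and not enforced here.

const OTP_DIGITS       = 6;
const OTP_MAX_ATTEMPTS = 5;     // from the changelog
const OTP_TTL          = 300;   // assumed

function generate_otp(): string {
    // random_int() draws uniformly from the CSPRNG. Reducing random_bytes() modulo
    // 10**6 instead is slightly biased toward low codes unless out-of-range draws
    // are discarded. Zero-padded so "004217" is a valid code.
    return str_pad((string) random_int(0, 10 ** OTP_DIGITS - 1), OTP_DIGITS, '0', STR_PAD_LEFT);
}

function new_otp_record(string $code, int $now, string $ip, string $ua): array {
    return ['code' => $code, 'created' => $now, 'ip' => $ip, 'ua' => $ua, 'attempts' => 0];
}

/**
 * Returns [status, updated record]. Status is one of the changelog's event names:
 * otp_success, otp_failed, otp_expired, max_attempts. The caller persists the record
 * on otp_failed, deletes it on otp_success (one-time use) and starts the 15-minute
 * IP lockout on max_attempts.
 */
function verify_otp(array $rec, string $submitted, int $now): array {
    if ($now - $rec['created'] > OTP_TTL) {
        return ['otp_expired', $rec];          // refused before any comparison
    }
    if ($rec['attempts'] >= OTP_MAX_ATTEMPTS) {
        return ['max_attempts', $rec];         // exhausted: even the right code is refused
    }
    $rec['attempts']++;
    $digits = preg_replace('/\D/', '', $submitted);   // form is inputmode="numeric"; drop stray spaces
    if (strlen($digits) === OTP_DIGITS && hash_equals($rec['code'], $digits)) {
        return ['otp_success', $rec];
    }
    return [$rec['attempts'] >= OTP_MAX_ATTEMPTS ? 'max_attempts' : 'otp_failed', $rec];
}

function check(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("FAILED: $what"); } }

// Walk-through on a fixed clock with constructed client metadata.
$now   = 1700000000;
$code  = generate_otp();
$wrong = $code === '000000' ? '000001' : '000000';
check(strlen($code) === OTP_DIGITS && ctype_digit($code), 'six zero-padded digits');

$rec = new_otp_record($code, $now, '203.0.113.5', 'Mozilla/5.0 (constructed)');
[$status, $rec] = verify_otp($rec, $wrong, $now + 10);
check($status === 'otp_failed' && $rec['attempts'] === 1, 'wrong code counted, code still live');
[$status, $rec] = verify_otp($rec, substr($code, 0, 3) . ' ' . substr($code, 3), $now + 20);
check($status === 'otp_success', 'correct code accepted even with a stray space');

$rec = new_otp_record($code, $now, '203.0.113.5', 'Mozilla/5.0 (constructed)');
for ($i = 0; $i < OTP_MAX_ATTEMPTS - 1; $i++) {
    [$status, $rec] = verify_otp($rec, $wrong, $now);
}
check($status === 'otp_failed', 'four failures still leave one try');
[$status, $rec] = verify_otp($rec, $wrong, $now);
check($status === 'max_attempts', 'fifth failure exhausts the code');
[$status, $rec] = verify_otp($rec, $code, $now);
check($status === 'max_attempts', 'right code refused after exhaustion');

[$status] = verify_otp(new_otp_record($code, $now, '', ''), $code, $now + OTP_TTL + 1);
check($status === 'otp_expired', 'expired code refused before comparison');
echo "all checks passed\n";
```

The expiry check runs before the attempt counter is touched and before any comparison, so an expired code neither burns an attempt nor leaks anything through timing; the attempt counter is incremented before the comparison so a failed `hash_equals()` can never be skipped by an exception later in the handler.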

### 📊 Security Monitoring
- New security event types tracked:
  - `ip_lockout` - IP locked due to multiple failures
  - `rate_limited` - OTP generation rate limited
  - `trusted_login` - Login via trusted device
  - `invalid_trust_cookie` - Suspicious cookie detected
  - `otp_generated` - New OTP created
  - `otp_expired` - Expired OTP usage attempt
  - `max_attempts` - Maximum attempts exceeded
  - `ip_mismatch` - OTP verification from different IP
  - `session_mismatch` - Session token validation failed
  - `otp_success` - Successful OTP verification
  - `otp_failed` - Failed OTP attempt
  - `csrf_attempt` - CSRF token validation failed

### 🎯 What This Prevents
- OTP Interception (IP binding enforcement)
- Session Hijacking (multi-factor validation)
- CSRF Attacks (nonce protection)
- Replay Attacks (one-time codes with metadata)
- Rate Limit Abuse (throttling)
- Brute Force Attacks (auto-lockout)
- Timing Attacks (constant-time comparisons)

## [1.2.6] - Previous Release
- Initial stable release
- Multiple delivery method support
- Recipient routing options
- Basic 2FA functionality

