=== BaseCloud Shield ===
Contributors: basecloud
Tags: 2fa, security, two-factor, authentication, otp
Requires at least: 5.0
Tested up to: 6.9
Stable tag: 2.0.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Enterprise-grade Two-Factor Authentication (2FA) with support for Email, SendGrid API, Webhooks, WhatsApp, and SMS delivery.

== Description ==

BaseCloud Shield is a lightweight yet powerful security plugin that enforces Two-Factor Authentication (2FA) on your WordPress login page. Unlike other bloat-heavy plugins, BaseCloud Shield focuses on reliability and flexibility in OTP delivery.

**Key Features:**

* **Plug & Play:** Works immediately using standard WordPress email delivery.
* **Multi-Recipient System:** Send OTPs to the logging-in user, a manager email, or selected users.
* **Multi-Channel Delivery:** Choose multiple delivery methods simultaneously (Email, SendGrid, WhatsApp, SMS, Webhook).
* **WhatsApp Integration:** Send OTPs directly via WhatsApp using Twilio API.
* **SMS Integration:** Deliver OTPs via SMS using Twilio API.
* **SendGrid API V3:** Native integration for high-deliverability emails.
* **Webhook Support:** Connect to custom webhooks for advanced automation flows.
* **Secure OTPs:** 6-digit one-time passwords that expire automatically.
* **Browser Trust:** "Remember this device" functionality to reduce friction for authorized users.

== Installation ==

1. Upload the `basecloud-shield` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Go to the "BC Shield" menu item in your dashboard.
4. Enable 2FA and choose your preferred Delivery Method.
5. (Optional) Enter a "Manager Email" if you wish to centralize all login codes.

== External Services ==

This plugin may connect to external third-party services depending on your configuration.
Below is a detailed explanation of what services are used, what data is sent, and when:

**SendGrid Email API (Optional)**

If you select "SendGrid API" as your delivery method in the plugin settings, this plugin will send data to SendGrid's email service to deliver one-time password (OTP) codes.

* **Service**: SendGrid by Twilio
* **What it's used for**: Sending two-factor authentication codes via email with improved deliverability
* **When data is sent**: Every time a user attempts to log in and 2FA is enabled
* **Data sent**:
  - Recipient email address (user's email or manager email if configured)
  - Sender email address (configured in plugin settings)
  - Site name
  - Username attempting to log in
  - 6-digit one-time password code
  - Email subject and HTML body
* **API Endpoint**: https://api.sendgrid.com/v3/mail/send
* **Terms of Service**: https://www.twilio.com/legal/tos
* **Privacy Policy**: https://www.twilio.com/legal/privacy

**Important**: You must have a SendGrid account and API key to use this feature. You are responsible for complying with SendGrid's terms of service and ensuring proper data handling practices.

**Twilio API for WhatsApp & SMS (Optional)**

If you select "WhatsApp" or "SMS" as delivery methods, the plugin will send data to Twilio's API to deliver one-time password codes.

* **Service**: Twilio
* **What it's used for**: Sending two-factor authentication codes via WhatsApp and/or SMS
* **When data is sent**: Every time a user attempts to log in and 2FA is enabled with WhatsApp/SMS selected
* **Data sent**:
  - Recipient phone number (from user meta field 'billing_phone')
  - Sender phone number (WhatsApp number or SMS number configured in settings)
  - Site name
  - Username attempting to log in
  - 6-digit one-time password code
  - Message body
* **API Endpoint**: https://api.twilio.com/2010-04-01/Accounts/{AccountSid}/Messages.json
* **Terms of Service**: https://www.twilio.com/legal/tos
* **Privacy Policy**: https://www.twilio.com/legal/privacy

**Important**: You must have a Twilio account with WhatsApp and/or SMS capabilities enabled. Phone numbers must be stored in user meta (field: 'billing_phone'). You are responsible for complying with Twilio's terms of service.

**Custom Webhook (Optional)**

If you select "Webhook" as a delivery method, the plugin will send login notification data to a webhook URL you configure.

* **Service**: Custom webhook endpoint (configured by you)
* **What it's used for**: Sending login notifications to external systems for custom processing
* **When data is sent**: Every time a user attempts to log in and 2FA is enabled
* **Data sent**:
  - Site name
  - Username attempting to log in
  - User email address
  - 6-digit one-time password code
  - Recipient information array
  - Timestamp of login attempt
* **Endpoint**: User-configured webhook URL

**Important**: When using the webhook option, you are responsible for the security and privacy compliance of the endpoint you configure. Ensure your webhook endpoint uses HTTPS and follows proper data protection practices.

**Standard WordPress Email (Default)**

By default, this plugin uses WordPress's built-in `wp_mail()` function, which does not involve any external services unless your WordPress installation is configured to use a third-party SMTP service.

== Frequently Asked Questions ==

= Does this work with custom login pages? =

Yes. BaseCloud Shield intercepts the authentication process at the core WordPress level, so it works with most standard login forms and custom themes.

= What if I get locked out? =

If you lose access to your email or the delivery method fails, you can disable the plugin by renaming the folder `basecloud-shield` to `basecloud-shield-disabled` via FTP/SFTP.

= Is this compatible with WooCommerce? =

Yes, it protects the standard WordPress user authentication flow, which WooCommerce utilizes for customer logins.

== Screenshots ==

1. The Professional Settings Panel.
2. The Secure OTP Verification Screen.

== Changelog ==

= 2.0.0 =
**Complete Plugin Rebuild — Best-in-Class 2FA**

COMPLETE REWRITE FROM SCRATCH:

CORE SECURITY (root cause of all prior OTP failures fixed):
• OTP data moved from WordPress transients to user_meta — transients are wiped by caching plugins (WP Super Cache, W3 Total Cache, object cache flush) which silently deleted in-flight OTP sessions; user_meta is database-backed and immune to all cache operations
• Session token is a pure random 48-char hex string (bin2hex(random_bytes(24))) stored inside the user_meta record — no IP, no User-Agent, no plugin version, no derivation, completely stateless
• OTP is generated as a zero-padded 6-digit string from the start (str_pad(random_int(...))) — eliminates any integer/string mismatch in comparisons
• Singleton pattern (BaseCloud_Shield::instance()) prevents duplicate hook registrations
• Correct OTP always wins regardless of prior failed attempts — attempt counter only locks on wrong codes

ANIMATIONS & FRONTEND:
• Full-screen aurora effect — three drifting radial gradient blobs with smooth CSS animations
• Glass morphism card with backdrop blur, slide-up entrance animation (cubic-bezier spring easing)
• SVG circular countdown timer with gradient arc stroke, smooth linear transition, urgent red state at <60s
• Auto-submit on 6 digits typed or pasted — paste support clears and re-fills correctly
• Error shake animation on wrong code
• Submit button loading spinner state
• Resend button with 30s cooldown, max 3 resends, live feedback
• Success overlay with animated check circle before redirect

DELIVERY:
• All 5 delivery channels preserved: WordPress Email, SendGrid API v3, Webhook, WhatsApp (Twilio), SMS (Twilio)
• Webhook payload unchanged — site_name, site_url, username, email, otp_code (string), ip_address, user_agent, recipients, timestamp
• Logging-in user always included in recipients regardless of recipient mode setting

ADMIN UI:
• Redesigned tabbed admin: Configuration / Security Logs / IP Management
• Delivery method cards with visual toggle states
• Status indicator chip showing ACTIVE / DISABLED with pulse animation
• Security log table with per-severity filtering (critical / high / medium / info)
• IP Management tab: view locked IPs with one-click unlock, whitelist/blacklist editors

SECURITY:
• Cloudflare IP header (HTTP_CF_CONNECTING_IP) checked first in IP detection chain
• Security event webhook fires asynchronously for all medium+ severity events
• Device trust cookie uses HMAC-SHA256 of uid|ip|ua against wp_salt('auth')
• IP lockout, rate limiting, whitelist/blacklist, extended attempt IPs all preserved
• CSRF nonce on every OTP submission

= 1.7.2 =
**Fix: Correct OTP entered but login fails — session token redesign**

ROOT CAUSE: The bcshield_session cookie was an HMAC of (user_id + User-Agent + wp_salt + BCSHIELD_VERSION). Two problems: (1) even a minor User-Agent variation between the login POST and the OTP form POST (browser extensions, proxies) caused a permanent mismatch and silent redirect back to login; (2) every plugin version bump (e.g. 1.7.0 → 1.7.1) changed the HMAC secret, invalidating all in-flight sessions immediately.

BUG FIXES:
• Replaced HMAC-derived session token with a cryptographically random 16-byte token (bin2hex(random_bytes(16))) stored inside the OTP transient. The cookie value is verified by comparing it against the server-side transient value — no IP, no User-Agent, no plugin version involved. Immune to all environmental variations.
• Fixed CSRF failure redirect — was pointing to home_url(), now correctly redirects to wp_login_url() so users land back on the login form instead of the home page.

= 1.7.1 =
**Fix: OTP page never shown — access-control plugins blocking home page redirect**

BUG FIX:
• Root cause: The OTP verification page was hosted at /?bcshield_action=verify_otp (the site home page). Any plugin or theme that redirects unauthenticated visitors away from the front-end (membership plugins, under-construction mode, WooCommerce My Account redirect, etc.) would intercept this URL and bounce the user straight back to the login page — making the 2FA step silently disappear.
• Fix: OTP page is now served at wp-login.php?bcshield_action=verify_otp. WordPress's init hook fires inside wp-load.php which wp-login.php loads first, so our OTP form renders and exits before wp-login.php processes anything. wp-login.php is always reachable by unauthenticated users regardless of site-wide access rules.
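
The 2.0.0, 1.7.2 and 1.6.4 entries above describe the OTP record, the random session token and the "correct code always wins" ordering in prose only. The following is an added example of that flow, not BaseCloud Shield's own code: the function names, the `$store` array standing in for the user_meta record, and the constants are assumptions, and the IP lockout itself is not modelled.

```php
<?php
declare(strict_types=1);

// Added example, not BaseCloud Shield's code. $store stands in for the
// per-user user_meta record; function names and limits are assumptions.
const OTP_TTL_SECONDS = 600; // 10-minute validity (1.6.9 entry)
const MAX_ATTEMPTS    = 5;   // wrong codes allowed before lockout (1.2.7 entry)

/** Create the pending-login record; returns [session token, OTP to deliver]. */
function otp_issue(array &$store, int $userId, int $now): array
{
    // Built as a zero-padded string, so "004217" is never handled as 4217.
    $otp = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    // 24 random bytes -> 48 hex characters, not derived from IP, UA or version.
    $token = bin2hex(random_bytes(24));

    $store[$userId] = [
        'otp'      => $otp,
        'token'    => $token,
        'expires'  => $now + OTP_TTL_SECONDS,
        'attempts' => 0,
    ];
    return [$token, $otp];
}

/** Returns 'ok', 'wrong', 'locked', 'expired', 'bad_session' or 'no_session'. */
function otp_verify(array &$store, int $userId, string $cookieToken, string $input, int $now): string
{
    if (!isset($store[$userId])) {
        return 'no_session';
    }
    $rec = $store[$userId];

    // The cookie carries no data of its own: compare it to the stored token.
    if (!hash_equals($rec['token'], $cookieToken)) {
        return 'bad_session';
    }
    if ($now >= $rec['expires']) {
        unset($store[$userId]);
        return 'expired';
    }

    // Digits only, then a constant-time comparison of two strings.
    $code = preg_replace('/\D+/', '', $input) ?? '';
    if (hash_equals($rec['otp'], $code)) {
        unset($store[$userId]); // one-time use: a replay finds no record
        return 'ok';
    }

    // The counter is consulted only after a wrong code (the 1.6.4 fix).
    $store[$userId]['attempts']++;
    if ($store[$userId]['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$userId]); // a fresh login is required
        return 'locked';
    }
    return 'wrong';
}

// Constructed walk-through with a fixed clock and a made-up user id.
$store = [];
$now   = 1700000000;
[$token, $otp] = otp_issue($store, 42, $now);
$wrong = ($otp === '000000') ? '000001' : '000000';

echo otp_verify($store, 42, str_repeat('0', 48), $otp, $now), PHP_EOL; // forged cookie
echo otp_verify($store, 42, $token, $wrong, $now + 5), PHP_EOL;        // wrong code
echo otp_verify($store, 42, $token, $otp, $now + 10), PHP_EOL;         // correct code after a failure
echo otp_verify($store, 42, $token, $otp, $now + 15), PHP_EOL;         // replay of the same code
```
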
= 1.7.0 =
**Critical auth-flow fixes — login → OTP → verify now works reliably**

BUG FIXES:
• Fixed: Session token included the client IP in its HMAC — any IP change between the login POST and the OTP submission (Cloudflare, mobile networks, proxies, load balancers) caused a silent session mismatch and bounced the user away; IP is no longer part of the session binding
• Fixed: IP mismatch in OTP validation was a hard block that deleted the OTP and showed "Security validation failed" — common false failure behind CDNs; now logs the mismatch for audit purposes but allows the OTP to proceed (nonce + session token already prevent CSRF)
• Fixed: Missing/failed cookie redirected to home_url() instead of wp_login_url() — users were dropped on the home page with no explanation
• Fixed: OTP redirect URL used site_url() which breaks when WordPress is installed in a subdirectory; changed to trailingslashit(home_url())
• Fixed: Webhook otp_code field was sent as a JSON integer (123456) instead of a string ("123456") — strict-type consumers could fail to match the code
• Improved: All plugin cookies now include SameSite=Lax via PHP 7.3+ array API (with PHP < 7.3 path-hack fallback) for modern browser compatibility

= 1.6.9 =
**Fix OTP timing and flow**

- Fixed: OTP timer now accurately shows remaining time from creation
- Fixed: If OTP is nearly expired (<2 min), generates fresh OTP instead of reusing old one
- Fixed: Expired OTP sessions now redirect to login instead of showing expired form
- Improved: Clear stale cookies when OTP data is missing or expired
- OTP validity remains at 10 minutes by default

= 1.6.8 =
**Bug fixes: Timer and delivery method configuration**

- Fixed: OTP timer showing "Expired" immediately on page load
- Fixed: Missing configuration inputs for Webhook, SendGrid, WhatsApp, SMS
- Timer now defaults to full validity time if OTP data not immediately available
- Added auto-show/hide for delivery method config sections

= 1.6.7 =
**Rollback OTP flow to proven 1.3.9 architecture**

• Restored working authentication flow from v1.3.9
• Fixed: Users couldn't reach OTP verification page in 1.6.6
• Back to ?bcshield_action=verify_otp URL (proven approach)
• Restored bcshield_pending_user + bcshield_session cookies
• Restored deterministic session tokens via generate_session_token()
• Restored OTP lock mechanism (prevents duplicate sends within 60s)
• Preserved modern 1.6.6 dark theme UI
• Preserved security audit logs with webhook support
• Preserved all delivery methods and configurable thresholds

= 1.6.6 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.6.6 =
**Complete OTP flow rebuild — bulletproof authentication**

COMPLETE REWRITE:
• Simplified session management — single transient with token as key
• OTP verification runs on init at priority 1 (before any output)
• Removed output buffering tricks that caused redirect failures
• Removed complex cookie wrapper — uses standard setcookie()
• Single cookie for session (bcshield_token), single for trust (bcshield_trusted)
• Success redirects ALWAYS exit immediately — no code fall-through possible
• Changed OTP URL from ?bcshield_action=verify_otp to ?bcshield_otp=1
• Inline CSS for OTP form — no external dependencies

= 1.6.5 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.6.5 =
**Critical fix — OTP verification "resets" instead of logging in**

BUG FIXES:
• Added SameSite=Lax cookie attribute for modern browser compatibility — without it, Chrome/Firefox/Safari may silently reject session cookies
• Added output buffering — PHP notices from third-party plugins could break redirect headers
• Form now has explicit action URL instead of relying on browser default
• OTP input now fully sanitized with trim() and digit-only filter
• OTP lock transient now cleared on successful login
• All redirects use wp_safe_redirect() for security
• Added user validation to prevent failures with invalid cookie data
• "Remember device" checkbox now correctly sets WordPress session duration

= 1.6.4 =
**Bug fix — correct OTP rejected after failed attempts**

• Fixed a critical logic bug where the attempts-exceeded check ran before the OTP comparison — entering the correct code after any previous wrong attempts could trigger an IP lockout instead of a successful login
• A correct OTP now always grants access regardless of prior failed attempts; the lockout threshold only applies to wrong codes, which is exactly what the "Max OTP Attempts" admin setting describes

= 1.6.3 =
**OTP input replaced with single field**

• Replaced 6 split digit boxes with one clean input field — value posts directly to PHP, no JS sync layer
• autocomplete="one-time-code" lets browsers auto-fill OTP from email/SMS
• Strips non-digits as you type; auto-submits on 6 digits (typed or pasted)
• Same visual design, resend button and countdown unchanged

= 1.6.2 =
**Critical fix — OTP login was always resetting**

BUG FIXES:
• Session token was IP+UA-bound — any CDN/proxy/dual-stack IP variance caused a session mismatch and silent redirect to home page; token is now a server-side random value with no IP dependency
• All cookies used secure:true regardless of protocol — on HTTP environments the browser drops these cookies and the session is never found; now uses is_ssl()
• OTP data was IP-bound and deleted itself on any IP change — now logs the mismatch but allows the submission to proceed

= 1.6.1 =
**OTP paste & entry fixes**

BUG FIXES:
• Pasting a full 6-digit code now auto-submits the form — no extra click required
• Paste now clears all boxes first; leftover digits from a previous attempt can no longer silently corrupt the submitted code
• Typing the final digit also auto-submits, matching the paste experience

= 1.6.0 =
**OTP Resend Button — 3 resends per session**

NEW FEATURES:
• Resend Code button on the OTP verification screen — get a fresh code without going back to the login page
• Up to 3 resends allowed per login session; counter is session-scoped and resets when the OTP window expires
• 30-second client-side cooldown between resends to prevent accidental double-sends
• Digit boxes clear automatically after a resend so you can enter the new code immediately

TECHNICAL:
• New AJAX endpoint (bcshield_resend_otp) with HMAC session validation and nonce protection
• Shared deliver_otp() helper used by both initial send and resend — no code duplication
• Resend counter stored as a transient scoped to the OTP validity window

= 1.5.2 =
**Extended Attempts IPs & UI Polish**

NEW FEATURES:
• Extended Attempts IPs: Configure specific IPs (office, home, admin) to receive a higher OTP attempt limit (default 10, configurable 3-20) before lockout — global setting stays strict for all other IPs
• Current IP is shown inline in the Extended Attempts panel so you can add it immediately without looking it up
• Supports the same flexible format as Whitelist/Blacklist: exact IPs, wildcards (192.168.*.*), and CIDR (10.0.0.0/8)

UI IMPROVEMENTS:
• OTP verification screen: animated aurora background, spring-eased card entrance, top green accent glow line
• OTP digit boxes: spring-bounce pop animation when filled; .filled state now correctly activated on input, backspace, and paste
• Admin header: subtle sweeping green scan line along the bottom edge

= 1.5.1 =
**OTP Screen & Admin UI Refinements**

UI IMPROVEMENTS:
• Animated drifting aurora background on OTP verification screen
• Spring-eased card entrance animation
• Green gradient top accent line on verification card
• Digit box spring-bounce animation when filled
• Admin header scan line sweep

= 1.5.0 =
**Security Operations Center UI, Configurable Thresholds & OTP Spam Prevention**

NEW FEATURES:
• Security Operations Center admin design: dark void background, scanline overlay, live status bar showing 2FA state, locked IPs and event counts
• Configurable Security Thresholds panel: max OTP attempts, lockout duration, rate-limit count/window, OTP cooldown period, and device-trust duration — all adjustable from the admin without touching code
• OTP Spam Prevention: configurable cooldown between OTP sends (default 5 minutes); if a send lock is active but the OTP has expired a cooldown error is returned instead of generating a new code, preventing OTP flooding
• Remember Device toggle on verification screen respects the configurable trust duration setting
• OTP countdown timer on verification screen shows remaining validity in real time

BUG FIXES:
• Fixed white-on-white text in admin input fields — high-specificity CSS with !important now forces dark background (#0a1522) and light text on all input, textarea, and select elements regardless of WordPress admin theme
• Backspace navigation on split-digit OTP input now correctly moves focus to the previous field

IMPROVEMENTS:
• JetBrains Mono + DM Sans Google Fonts for a distinctive, technical aesthetic
• Seven new settings fields (max_attempts, lockout_mins, otp_rate_limit, otp_rate_window, otp_cooldown, trust_hours) stored in existing options key — backwards compatible
• cfg() helper with static cache reduces repeated get_option calls
• Security log stats header shows total events, high-risk last 24h, medium last 24h, and informational counts

= 1.4.0 =
**Major Update — Security Webhooks, Audit Logs & UI Redesign**

NEW FEATURES:
• Security Event Webhook: Dedicated webhook that fires on every security event, sending IP address, user agent, event type, severity level, username, site URL and timestamp to any external endpoint (SIEM, Slack, alerting systems)
• Security Logs Panel: Full audit log viewer inside the admin with 500-event retention, severity colour-coded badges (critical / high / medium / info), per-severity filtering, and one-click "Clear Logs" with confirmation
• Split-digit OTP input: Verification screen now uses 6 individual digit boxes with auto-advance, backspace navigation, and paste support for a faster, more polished login experience
• IP address and user agent now included in OTP Webhook payload

BUG FIXES:
• Fixed critical bug: ajax_unlock_ip handler was registered but never defined — Unlock IP button now works correctly
• Fixed wildcard IP matching regex that could produce incorrect results
• Fixed OTP remaining-validity calculation when incrementing failed attempts

IMPROVEMENTS:
• Redesigned admin UI using official BaseCloud brand logo and colour system (#52C25A green)
• Tabbed admin interface: Configuration tab and Security Logs tab
• Log retention increased from 100 to 500 events
• Security event webhook fires asynchronously (non-blocking) to avoid login delays
• OTP email template redesigned with per-digit display and BaseCloud branding
• CIDR matching now validates mask range (0–32) before calculation
• All wp_remote_post webhook calls now send JSON with Content-Type header

= 1.3.9 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.3.8 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.3.7 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.3.6 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.3.5 =
**Logo & Icon Fixes**

• FIXED: Broken logo image in settings page header
• FIXED: Broken menu icon - replaced with clean SVG shield icon
• IMPROVED: Integrated official BaseCloud Shield logo from main assets
• IMPROVED: Visual consistency across WordPress admin interface

= 1.3.4 =
* FIXED: Logo display in admin panel
* IMPROVED: Updated logo assets to match UTM Tracker branding

= 1.3.3 =
* NEW: Premium Glassmorphism Design with stunning glass-morphic effects
* NEW: Advanced animations (shimmer, float, glow-pulse, logo-pulse)
* IMPROVED: Enhanced logo with glowing effects and floating animation
* IMPROVED: Futuristic color scheme with deep space blues and neon green accents
* IMPROVED: Interactive elements with smooth hover effects
* IMPROVED: Matches BaseCloud UTM Tracker's premium design language

= 1.3.2 =
**Branding Update**

• Replaced Lottie animation with official BaseCloud SVG logo
• Removed Lottie player dependency for lighter plugin
• Cleaner, faster admin interface

= 1.3.1 =
**UI/UX Polish**

• Removed placeholder text from IP Whitelist and Blacklist fields
• Cleaner, empty textareas by default
• Current IP info box remains for reference

= 1.3.0 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.3.3 =
**Premium UI/UX Overhaul - Glassmorphism Design**

**UI/UX REVOLUTION:**
• Premium Glassmorphism Design: Complete admin interface redesign with stunning glass-morphic effects and backdrop blur
• Advanced Animations: Added shimmer, float, glow-pulse, and logo-pulse animations throughout interface
• Enhanced Logo Display: Upgraded to animated BaseCloud logo with glowing effects and smooth floating animation
• Futuristic Color Scheme: Deep space blues (#0a1628) with vibrant neon green accents (#4bc46a)
• Interactive Elements: Smooth hover effects, transform animations, and enhanced visual feedback on all controls
• Professional Polish: Refined typography, improved spacing, and enhanced visual hierarchy
• Consistent Branding: Now matches BaseCloud UTM Tracker's premium design language
• Modern Aesthetics: Rounded corners, gradient backgrounds, and sophisticated shadow effects
• Enhanced Accessibility: Better contrast ratios and clearer visual states

= 1.3.0 =
**Advanced IP Management & Security Controls**

**NEW FEATURES:**
• IP Whitelist: Add trusted IPs that bypass lockout and rate limiting
  - Support for exact IPs (169.0.79.28)
  - Support for wildcards (192.168.*.*)
  - Support for CIDR notation (10.0.0.0/24)
  - Current IP displayed for easy whitelisting
• IP Blacklist: Permanently block malicious IPs from accessing site
• Manual IP Unlock: Real-time lockout management
  - View all currently locked IPs in admin panel
  - See countdown timers for auto-unlock
  - One-click manual unlock button
  - Audit trail for all unlock actions

**SECURITY IMPROVEMENTS:**
• Whitelisted IPs bypass all lockout checks and rate limiting
• Blacklist check occurs before authentication processing
• Enhanced logging for whitelist/blacklist activities
• Secure AJAX endpoint for IP unlock with nonce verification

**UI/UX ENHANCEMENTS:**
• New "Security Controls" section in admin settings
• Real-time locked IP display with status indicators
• Color-coded security interface
• Improved admin panel organization

= 1.2.8 =
**Critical Hotfix - Login Issue Resolved**

**CRITICAL FIX:**
• Fixed "Suspicious session detected" blocking legitimate logins
• Session token now uses consistent secret (not time-based)
• Users can now successfully complete login with OTP

**Improvements:**
• Enhanced OTP lock mechanism to prevent duplicate generation
• Existing valid OTP reused if login attempted multiple times
• Better handling of page refreshes during OTP verification
• Reduced false positive security alerts

= 1.2.7 =
**Critical Security & Bug Fix Release**

**CRITICAL FIX - Duplicate OTP Prevention:**
• Fixed issue causing multiple duplicate OTP emails to be sent
• Implemented email deduplication across all delivery methods
• Added phone number deduplication for WhatsApp/SMS
• Enhanced recipient list processing to prevent duplicate entries
• Added 60-second OTP generation lock to prevent rapid duplicates

**Enterprise-Grade Security Enhancements:**
• Brute Force Protection: Maximum 5 OTP attempts before 15-minute IP lockout
• Rate Limiting: 3 OTP requests per 10-minute window per user/IP
• Cryptographically Secure OTP: Replaced rand() with random_bytes()
• Session Binding: IP address validation, User-Agent fingerprinting
• HMAC-SHA256 session tokens to prevent session fixation attacks
• CSRF Protection: WordPress nonce validation on all OTP submissions
• Enhanced Cookie Security: httponly and secure flags on all cookies
• Security Event Logging: Comprehensive audit trail (last 100 events)
• Real-Time Security Alerts: Email/webhook alerts for suspicious activity
• Timing Attack Protection: Constant-time comparisons using hash_equals()

**Attack Prevention:**
• OTP Interception Prevention (IP binding)
• Session Hijacking Detection (multi-factor validation)
• CSRF Attack Protection (nonce tokens)
• Replay Attack Prevention (one-time codes with metadata)
• Rate Limit Abuse Prevention (throttling)
• Brute Force Attack Blocking (auto-lockout)

**Security Monitoring:**
• 12 new security event types tracked and logged
• IP mismatch detection and alerting
• Session token mismatch detection
• Failed attempt tracking with remaining attempt counter
• Expired OTP usage attempt logging
• Invalid trust cookie detection

**Technical Improvements:**
• Enhanced IP detection (proxy, Cloudflare, load balancer support)
• OTP metadata tracking (IP, User-Agent, timestamp, attempts)
• Improved error messages with security context
• Pattern validation for numeric OTP input
• Better cookie management with expiration handling

= 1.2.6 =
**Release Update**

• Bug fixes and improvements
• Updated version for deployment

= 1.2.5 =
**SendGrid From Email Enhancement**

• Added dedicated "From Email Address" field for SendGrid configuration
• Allows customization of sender email specifically for SendGrid API
• Improved email deliverability and branding control for SendGrid users
• Defaults to site admin email if not configured

= 1.2.4 =
**Lottie Logo Fix**

• Fixed Lottie player script loading order to display logo properly
• Changed script loading from footer to header for immediate availability
• Resolved warning icon display issue on page load

= 1.2.3 =
**Visual Enhancement**

• Added animated BaseCloud logo (Lottie) to settings page header
• Logo animation loops continuously for enhanced brand presence
• Improved visual appeal and professional appearance

= 1.2.2 =
**WordPress.org Compliance**

• Fixed tag limit compliance (reduced to 5 tags as per WordPress.org requirements)
• Optimized tags for better plugin discoverability

= 1.2.1 =
**UI/UX Improvements**

• Enhanced select dropdown readability with bright green highlight for selected options
• Improved multi-select list with visible selection states
• Added hover effects and visual feedback for better user experience
• Enhanced checkbox styling with BaseCloud green accent colors
• Improved input field focus states with green border highlights
• Added text selection styling with brand colors
• Enhanced save button with glow effect and hover animation
• Better contrast and readability across all form elements
• More polished "BaseCloud" branded interface

= 1.2.0 =
**Major Feature Release - Multi-Recipient & Multi-Channel Delivery**

• Added Multi-Recipient System with 3 modes:
  - Send to Logging-in User (default)
  - Send to Manager Email (centralized notifications)
  - Send to Selected Users (choose specific users from your site)
• Added Multi-Channel Delivery - select multiple delivery methods simultaneously
• Added WhatsApp integration via Twilio API
• Added SMS integration via Twilio API
• Enhanced UI with organized sections and dynamic form fields
• User selection interface with multi-select dropdown
• Auto-detection of all WordPress users on the site
• Smart routing system sends OTP to all selected recipients via all selected methods
• Phone number retrieval from user meta (billing_phone field)
• Improved settings panel layout with collapsible configuration sections
• Each delivery method now has dedicated configuration area
• Backward compatible with existing configurations

= 1.1.0 =
**Internal Development Version**

• Pre-release testing version

= 1.0.1 =
**UI Improvements**

• Updated labels and placeholders to be more generic for broader use
• Changed "BaseCloud CRM Webhook" to "Webhook" in delivery method options
• Removed BaseCloud-specific email placeholders for wider audience compatibility
• Updated version for deployment

= 1.0.0 =
* Initial Release.
* Added Central Manager Email routing.
* Added SendGrid API V3 integration.
* Added BaseCloud CRM Webhook integration.