=== Liveupx Security ===
Contributors: liveupx
Tags: security, firewall, malware scanner, 2FA, login protection
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 4.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Complete WordPress security — Firewall, 2FA, Malware Scanner, Vulnerability Scanner, Login Protection, Security Headers. 100% free.

== Description ==

Liveupx Security is a complete, 100% free WordPress security plugin that rivals paid solutions. No paywalls, ever.

= Core Features =

**Login Security**

* Brute force protection with progressive lockouts (1st/2nd/3rd+ strikes escalate automatically)
* Multi-provider CAPTCHA: Math, Google reCAPTCHA v3, hCaptcha, Cloudflare Turnstile
* Honeypot bot detection (wp-login.php + WooCommerce)
* Passwordless magic link login
* Two-factor authentication: TOTP (Google Authenticator) + Email OTP
* Trusted device (30-day bypass cookie)
* Geolocation login alerts — notify when login comes from a new country
* Subnet auto-blocking (repeated attacks from /24 range)
* Custom login URL (hide wp-login.php)

**Firewall / WAF**

* PHP-based Web Application Firewall running at priority 1
* Remote WAF rule feed (auto-updated from liveupx.com)
* Admin-defined custom firewall rules
* Per-endpoint rate limiting (REST API, checkout, search, etc.)
* REST API security controls (block guests, hide /users endpoint)
* Country/geo blocking with API fallback chain
* Bad bot blocking with verified bot allowlist (Google, Bing, etc.)
* Referrer blocking with spam referrer presets
* Bad query/XSS/SQL injection blocking
* .htaccess security rules

**Malware Scanner**

* Chunked AJAX scanner — scans plugins, themes, uploads, mu-plugins
* 30+ malware patterns including backdoors, crypto miners, shell injections
* Heuristic risk scoring (0–100) per suspicious file
* Auto-quarantine critical findings during scan
* Scan diff — shows new threats vs last scan
* Database malware scanner (posts, options, comments, users)
* File quarantine and permanent delete

**Vulnerability Scanner**

* Powered by WPScan API (free tier)
* Scans all active plugins and active theme for known CVEs
* CVSS severity scoring (Critical/High/Medium/Low)
* Dashboard widget showing unresolved critical/high count
* Dedicated Vulnerabilities admin page

**File Integrity**

* WordPress core file integrity check (vs WordPress.org checksums API)
* Plugin & theme checksum verification (vs WordPress.org checksums)
* wp-config.php and .htaccess tampering detection
* Unknown PHP file detection in core directories

**Core File Repair**

* Downloads clean copies from WordPress.org SVN
* MD5 verification before writing
* Single file or bulk repair

**Security Headers**

* X-Frame-Options, X-Content-Type-Options, X-XSS-Protection
* Referrer-Policy, Permissions-Policy (per-feature builder)
* HSTS with preload support
* Content-Security-Policy with visual builder
* CSP violation reporting endpoint (REST API)
* A–F letter grade for your header configuration

**User Security**

* User enumeration protection (?author= + REST API)
* Strong password enforcement
* Block dangerous usernames (admin, root, etc.)
* Inactive user auto-lock (configurable threshold)
* Admin action audit trail
* Active session manager (view & revoke)
* GDPR IP anonymization

**Post-Hack Recovery**

* Lock PHP execution in uploads and wp-includes
* Log out all users instantly
* Force password reset for all users
* Reinstall free plugins from WordPress.org
* Delete version-revealing files (readme.html, etc.)
* Weekly security summary email report

**Monitoring & Notifications**

* Activity log (filterable, paginated, CSV export, configurable retention)
* HTML branded email alerts
* Slack/webhook notifications (compatible with Make.com, Zapier, Discord)
* Real-time dashboard stats (auto-refresh every 30s)
* 7-day login attempt chart

**Developer Tools**

* WP-CLI commands (`wp xsec status|scan|block-ip|unblock-ip|2fa-reset|export-settings|import-settings`)
* Settings import/export (JSON)
* Security score with category breakdown

Developed by [Liveupx.com](https://liveupx.com)

Cloud hosting partner: [xHost](https://xhost.live) — by Liveupx.com

[Featured on JustHunt.co](https://justhunt.co/startups/x-security)

== Installation ==

1. Upload the plugin files to `/wp-content/plugins/liveupx-security`
2. Activate the plugin through the 'Plugins' screen
3. Navigate to **Liveupx Security** in the admin menu
4. Review your security score and enable recommended features

== Frequently Asked Questions ==

= Is this plugin really 100% free? =

Yes. All features are free forever. No premium tier, no feature paywalls, no upsells.

= Will it conflict with other security plugins? =

It's designed to work standalone. Deactivate conflicting security plugins (Wordfence, iThemes) before using.

= Does it support WooCommerce? =

Yes — honeypot and CAPTCHA protection apply to WooCommerce login forms.

= Does it support multisite? =

Basic multisite support in v4.0.0. Network-wide management is planned for v5.

== Changelog ==

= 4.0.1 =

* FIX: Custom Login URL feature now correctly serves the login page at the custom slug
* FIX: Direct wp-login.php access now properly returns 404 for non-authenticated visitors
* FIX: Password reset, logout, and other core WordPress actions no longer blocked by custom login URL
* FIX: Logged-in administrators can still access wp-login.php directly
* FIX: Replaced PHP parse_url() with WordPress wp_parse_url() for coding standards compliance

= 4.0.0 =

* NEW: Multi-provider CAPTCHA (reCAPTCHA v3, hCaptcha, Cloudflare Turnstile)
* NEW: Magic link / passwordless login
* NEW: Progressive lockouts (escalating duration per IP)
* NEW: Trusted device (30-day 2FA bypass cookie)
* NEW: Geolocation login alerts with one-click account lock
* NEW: Subnet auto-blocking
* NEW: Remote WAF rule feed
* NEW: Admin-defined custom firewall rules
* NEW: Per-endpoint rate limiting
* NEW: REST API security controls
* NEW: Verified bot allowlist (Google, Bing, etc.)
* NEW: Referrer blocking with spam presets
* NEW: Vulnerability Scanner (WPScan API)
* NEW: Database malware scanner
* NEW: Plugin/theme checksum verification
* NEW: wp-config.php and .htaccess integrity check
* NEW: Heuristic risk scoring (0–100) for malware
* NEW: Auto-quarantine on scan
* NEW: Scan diff (new vs cleared threats)
* NEW: HTML email templates for all alerts
* NEW: Webhook/Slack notifications
* NEW: Real-time dashboard stats
* NEW: 7-day login attempt chart
* NEW: Security score breakdown by category
* NEW: Inactive user auto-lock
* NEW: Admin action audit trail
* NEW: Active session manager
* NEW: GDPR IP anonymization
* NEW: WP-CLI commands
* NEW: Settings import/export (JSON)
* NEW: Configurable log retention
* NEW: CSP visual builder
* NEW: CSP violation reporting endpoint
* NEW: Permissions-Policy per-feature builder
* NEW: Security header A–F grade
* NEW: Vulnerabilities admin page
* FIX: TOTP user_id detection on Edit User page
* FIX: DISALLOW_FILE_MODS now properly wired
* FIX: RSS toggle uses AJAX save (not fragile hidden form)
* FIX: WooCommerce login honeypot and CAPTCHA support
* FIX: Geo API fallback chain (ip-api.com → ipapi.co → skip)

= 3.0.0 =

* TOTP 2FA (Google Authenticator), email OTP fallback, backup codes
* Core file repair (download from WordPress.org SVN with checksum verification)
* Post-Hack recovery tools
* Malware quarantine and permanent delete