=== MJP Security Tools ===
Contributors: zackdesign, ElbertF
Donate link: https://zackdesign.biz/
Tags: security, xss, login, audit, permissions
Requires at least: 6.0
Tested up to: 6.9.1
Stable tag: 2.0.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight WordPress hardening — XSS database scanner, POST request logging, failed login logging, and file permission checker.

== Description ==

MJP Security Tools is a focused hardening plugin that does four things well:

* **XSS Database Scanner** — scans every table for `<script>`, `<iframe>`, `onclick`, `javascript:` and other injection patterns
* **POST Request Log** — records all POST data (passwords masked) with IP, user agent, and URL for CSRF/audit detection
* **Failed Login Log** — tracks every failed login attempt with username, IP, and timestamp
* **File Permission Checker** — verifies WordPress root files and directories have safe permissions, checks for missing `index.html` files and SVN working copies

**What this plugin does NOT do** (because WordPress core already handles it):

* SSL enforcement — use `FORCE_SSL_ADMIN` or let WordPress 5.7+ auto-redirect
* Password strength — WordPress core enforces strong passwords since 4.3
* Login rate limiting — use a dedicated plugin like Limit Login Attempts Reloaded
* Version number hiding — marginal benefit, not worth the complexity

**Upgrading from v1.x:**

* The admin page has moved from jQuery UI tabs to native WordPress nav tabs
* SSL forcing, password enforcement, login throttling, version hiding, admin username changing, database prefix randomization, password reset, and .htaccess generation have been removed — WordPress core and dedicated security plugins handle these better
* PHP sessions replaced with WP transients for flash messages
* Log data is now stored as JSON instead of serialized PHP
* The Javacrypt client-side crypt(3) script has been removed

== Installation ==

1. Upload the `mjp-security-plugin` folder to `/wp-content/plugins/`
2. Activate through the Plugins menu
3. Go to Tools > MJP Security Tools

== Frequently Asked Questions ==

= What happened to all the other features? =

WordPress 6.x handles SSL, password strength, and many security basics natively. Rather than duplicating core functionality, v2.0.0 focuses on the four features that WordPress does NOT provide out of the box: XSS scanning, POST logging, failed login logging, and file permission checking.

= Is this a replacement for Wordfence/iThemes? =

No — those are comprehensive security suites. MJP Security Tools is a lightweight auditing companion that provides specific database scanning and logging features.

== Changelog ==

= 2.0.0 =

* Rewrite: focused on 4 core features — XSS scanner, POST log, failed login log, file permissions
* Removed: SSL forcing, password enforcement, login throttling, version hiding (handled by WP core)
* Removed: Admin username changer, DB prefix randomizer, password reset all users, .htaccess generator
* Removed: jQuery UI 1.8.10 dependency and Javacrypt crypt(3) JavaScript (~500 lines)
* Removed: PHP sessions — uses WP transients for flash messages
* New: Native WordPress nav-tab interface (no jQuery UI)
* New: Dedicated CSS/JS assets instead of inline styles and CDN links
* New: Clear log buttons for POST and failed login logs
* New: Log data stored as JSON instead of serialized PHP
* New: File permission scan limited to 2 levels deep (prevents timeout on large installs)
* Fixed: HTML parse error in admin template (missing `>` on div tag)
* Fixed: Admin page uses dedicated slug instead of `__FILE__`
* Changed: Requires WordPress 6.0+

= 1.2.1 =

* Fixed PHP 8.1 deprecation: get_option() returning false passed to substr()

= 1.2.0 =

* PHP 8.x compatibility fixes
* Replaced deprecated functions and constants
* Tested with WP 6.9.1

= 1.1 =

* Tested in WP 3.3.2

= 1.0 =

* First Release