=== Sitevorx ===
Contributors: inetcorp
Tags: optimization, security, smtp, cleanup, maintenance
Requires at least: 5.5
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

An all-in-one WordPress toolkit for site optimization, security hardening, SMTP configuration, disk cleanup, and maintenance monitoring.

== Description ==

**Sitevorx** is a lightweight, all-in-one WordPress plugin that helps you optimize performance, harden security, and manage your website from a single, modern dashboard. No bloat, no external dependencies — just the tools you need.

= Security Center (NEW in 1.1.0) =

* **Security Score Dashboard**: A single 0–100 score that summarizes the hardening state of your site, with prioritized recommendations.
* **Core Integrity Checker**: Compares every WordPress core file against the official `api.wordpress.org` MD5 checksums to detect modified, missing, or extra files.
* **HTTP Security Headers**: One-click enable `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, and `Permissions-Policy` on the frontend.
* **Login Honeypot**: Invisible bait field on `wp-login.php` that silently rejects spam bots without affecting real users.
* **User Enumeration Protection**: Blocks `?author=N` probing and the public REST `/wp/v2/users` endpoint for non-logged-in visitors.
* **Login Notification**: Emails the administrator whenever an account with `manage_options` logs in successfully (1-hour cooldown per IP).
* **Login Attempt Limiter**: Lock out IPs after repeated failed login attempts, with configurable threshold, lockout duration, and IP allowlist.
* **Secret Login URL**: Hide the default `wp-login.php` behind a custom keyword.
* **Google reCAPTCHA v2 / v3**: Protect the login form from bots, with a configurable v3 score threshold.
* **Disable XML-RPC** and **Disable File Editor**: Block DDoS / brute-force vectors and stop code editing from the dashboard.
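The following is an added example, not code from the Sitevorx plugin, showing how three of the Security Center behaviours listed above (frontend security headers, user enumeration protection, and the login honeypot) can be built from plain WordPress hooks. Every name prefixed `hx_` is an assumption for this example, not a plugin identifier; the core hooks (`wp_headers`, `template_redirect`, `rest_endpoints`, `login_form`, `authenticate`) are standard WordPress APIs.

```php
<?php
/**
 * Added example, not code from the Sitevorx plugin: frontend security headers,
 * user enumeration protection and a login honeypot as plain WordPress hooks.
 * Every name prefixed "hx_" is an assumption for this example.
 * Put it in a mu-plugin file to try it on a test site.
 */

// 1. HTTP security headers, frontend only. The wp_headers filter runs inside
//    WP::send_headers(), which only serves front-end requests, so wp-admin
//    (which embeds its own iframes and previews) is left untouched.
add_filter( 'wp_headers', function ( array $headers ) {
    $headers['X-Content-Type-Options'] = 'nosniff';
    $headers['X-Frame-Options']        = 'SAMEORIGIN';
    $headers['Referrer-Policy']        = 'strict-origin-when-cross-origin';
    $headers['Permissions-Policy']     = 'camera=(), microphone=(), geolocation=()';
    return $headers;
} );

// 2a. Block ?author=N probing for visitors who are not logged in. Priority 0
//     runs before redirect_canonical() (priority 10), which would otherwise
//     301 the request to /author/<login-slug>/ and reveal the username.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();   // render the theme's 404 page instead of the author archive
    status_header( 404 );
    nocache_headers();
}, 0 );

// 2b. Hide the public REST users collection and single-user route from guests.
//     Logged-in users (e.g. editors choosing an author) keep access.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3a. Honeypot: a text input moved off-screen and excluded from the tab order.
//     Real users never see it; form-filling bots populate every field.
add_action( 'login_form', function () {
    echo '<div style="position:absolute;left:-9999px;top:-9999px;" aria-hidden="true">'
       . '<label>Leave this field empty '
       . '<input type="text" name="hx_website" value="" tabindex="-1" autocomplete="off"></label>'
       . '</div>';
} );

// 3b. Reject the login when the bait field carries a value. Priority 30 runs
//     after wp_authenticate_username_password() (priority 20), so the error
//     wins even when the bot also supplied a valid password. The message is
//     deliberately generic and does not say which check failed.
add_filter( 'authenticate', function ( $user ) {
    if ( ! empty( $_POST['hx_website'] ) ) {
        return new WP_Error( 'hx_honeypot', 'Login failed. Please try again.' );
    }
    return $user;
}, 30 );
```

Two details matter in practice: the `?author=N` handler must run before `redirect_canonical()` or the redirect to the author archive has already leaked the slug, and the honeypot rejection must sit at a later `authenticate` priority than the core password check, otherwise a correct password returns a `WP_User` that overrides the earlier error.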
= Speed Optimization =

* **Heartbeat Throttle**: Slows the Heartbeat API to 60 seconds instead of disabling it, preserving autosave and post-locking.
* **System Tweaks**: Lazy load images, limit post revisions, allow safe SVG uploads (with XXE-hardened sanitizer).
* **Database Cleanup**: Remove revisions, spam comments, and expired transients in one click.
* **Malware Scanner**: Scan your entire codebase and database for suspicious injections.

= SMTP Configuration =

* Send emails via **Gmail** (App Password) or a **custom SMTP server** (SSL/TLS).
* Built-in **Test Email** sender.
* Email delivery log with success/failure tracking.
* Force From Name and From Email to prevent address drift.

= Website Utilities =

* Inject tracking codes in **Header/Footer** (Google Analytics, Facebook Pixel, etc.).
* **Content Protection**: Disable right-click, text selection, and drag-and-drop.
* **Maintenance Mode**: Display a professional "under construction" page to visitors.
* **Custom Login Logo**: Replace the WordPress logo on the login screen with your own brand.

= Disk Space Manager =

* Recursively scan your hosting for large files (>50 MB).
* Auto-categorize files (backups, error logs, large media).
* Bulk delete to free up disk space instantly.

= Floating Contact Buttons =

* **Phone Hotline** button with animated icon.
* **Zalo** chat button (auto-opens Zalo app).
* **Messenger** chat button (m.me deep link).
* Fully responsive floating widget in the corner of your site.

= Import / Export Settings =

* **Export** all Sitevorx settings as a JSON file.
* **Import** settings from another site in one click.
* **Reset** all settings to factory defaults.

= Scheduled Cleanup (WP-Cron) =

* Automatic cleanup: daily, twice daily, or weekly.
* Clears temp files, auto-drafts, spam, and optimizes database tables.
* Activity log showing the last 20 cleanup runs.

= Maintenance & Update Monitor =

* Track plugins and themes that need updating.
* Check WordPress core, PHP version, SSL status, and WP_DEBUG.
* Maintenance health score with actionable recommendations.

= Server Info =

* View Web Server, PHP, MySQL, and WordPress versions at a glance.
* PHP limits: memory, execution time, input vars, upload size.
* List all loaded PHP extensions.
* Database size monitoring.

== External Services ==

= Google reCAPTCHA (v2 and v3) =

Sitevorx can optionally integrate with Google reCAPTCHA (v2 checkbox or v3 invisible / score-based) to protect the WordPress login form. This feature is disabled by default and only works when an administrator explicitly enables it, selects a version, and provides valid Google-issued API keys.

When enabled, the plugin loads the Google reCAPTCHA JavaScript on the login screen and sends the generated verification token to Google's verification endpoint (`https://www.google.com/recaptcha/api/siteverify`) during login validation. For v3, the configurable score threshold (filter `sitevorx_recaptcha_v3_score_threshold`, default `0.5`) is compared against Google's returned score.

This service is provided by Google:

* Service URL: https://www.google.com/recaptcha/
* Verification endpoint: https://www.google.com/recaptcha/api/siteverify
* Terms of Service: https://policies.google.com/terms
* Privacy Policy: https://policies.google.com/privacy

= WordPress.org Core Checksums API =

The **Security Center → Kiểm Tra Toàn Diện → WordPress Core Integrity** check (off by default; runs only when the admin clicks "Kiểm tra") fetches the official MD5 checksums for the installed WordPress version from WordPress.org so it can flag modified or missing core files.

* Verification endpoint: https://api.wordpress.org/core/checksums/1.0/
* Request payload: only the installed WordPress version string (e.g. `6.4.2`) and the locale `en_US`. No site URL, user data, or content is sent.
* Operated by: WordPress.org
* Terms of Service: https://wordpress.org/about/privacy/

== Highlights ==

* **All-in-one**: Replaces 5-7 single-purpose plugins (SMTP, Security, Optimization, Cleanup, Maintenance).
* **Modern UI**: Gradient banners, collapsible sidebar, toast notifications, fully responsive.
* **Secure by design**: Nonce verification, input sanitization, CSRF protection, prepared database queries.
* **Lightweight**: Modular architecture — only loads what you use. Zero frontend impact. No Composer or NPM required.
* **Localized**: Full Vietnamese (vi) translation included via .po/.mo files.

== Installation ==

1. Upload the `sitevorx` folder to `/wp-content/plugins/`, or install the ZIP file via **Plugins > Add New > Upload Plugin**.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Navigate to the **Sitevorx** menu item in your admin sidebar.

== Frequently Asked Questions ==

= Does this plugin conflict with WP Mail SMTP? =

Yes, both plugins hook into `phpmailer_init`. We recommend deactivating other SMTP plugins before using Sitevorx's built-in SMTP module.

= Does it detect real IPs behind Cloudflare? =

Yes. Sitevorx reads the `CF-Connecting-IP` header to identify the real visitor IP behind Cloudflare's proxy.

= I forgot my secret login URL. How do I get back in? =

Open phpMyAdmin (or any database tool), find the `wp_options` table, and delete the row where `option_name` is `sitevorx_sec_login_key`. Then access `/wp-login.php` as usual.

== Changelog ==

= 1.1.0 =

* New module: **Trung Tâm Bảo Mật** (Security Center): groups the existing security features and adds Security Score, Headers, Honeypot, User Enumeration Protection, Login Notification, and Core Integrity Checker.
* New: HTTP Security Headers (`X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`), applied on the frontend only.
* New: Login Honeypot: inserts a hidden bot-trap field into the login form without affecting real users.
* New: User Enumeration Protection: blocks `?author=N` and the REST API `/wp/v2/users` for guests.
* New: Login Notification: emails the admin when a `manage_options` account logs in successfully (1h cooldown per IP).
* New: WordPress Core Integrity Checker: compares the MD5 of each core file against `api.wordpress.org/core/checksums/1.0/` to detect modified or missing files (runs on demand; declared under External Services).
* UI: the "Tối ưu & Bảo mật" page is renamed "Tối ưu Tốc Độ"; the sidebar menu and dashboard get a new card for the Security Center.
* Compliance: security actions are recorded through the unified audit log (`sitevorx_audit_log`) rather than in several parallel ring buffers.

= 1.0.11 =

* Dashboard: each health issue now has a "→" action link that jumps directly to the page where the admin can fix it (Bảo mật, SMTP, Bảo trì, Tiện ích).
* Dashboard: new detection — `DISALLOW_WP_CRON` set in wp-config.php. Warns the admin that internal WP-Cron is off and an external cron must be calling wp-cron.php, otherwise scheduled cleanup will not run.
* Dashboard: new detection — recent SMTP failures. If SMTP logging is on, the dashboard counts non-success entries in the last 24h and links straight to the log tab.
* Dashboard: new detection — active login lockouts. Shows how many IPs are currently locked, with a one-click jump to the Bảo Mật tab where they can be unlocked.
* Audit log: diff summary now ignores default-off toggles on first save — only flags fields whose normalized on/off state actually flipped, so the "Ngữ cảnh" column lists just what the admin changed.
* Hardening: lockout diagnostics SQL query now wraps the LIKE patterns with `$wpdb->prepare()` + `$wpdb->esc_like()` to satisfy Plugin Check, even though both patterns are hardcoded.

= 1.0.10 =

* Audit log: the "Ngữ cảnh" column now describes what changed instead of dumping the full toggle state. Saving the security tab now records entries like "Bật Khóa XML-RPC, Tắt reCAPTCHA đăng nhập, Đổi số lần sai tối đa" instead of `login_key=off | disable_editor=on | ...`.
* Audit log: split "Lưu cấu hình Tối ưu & Bảo mật" into two distinct events — "Lưu cấu hình Tăng tốc Website" (Tăng Tốc tab) and "Lưu cấu hình Bảo mật & Tường lửa" (Bảo Mật tab) — so the timeline is easier to read.
* Audit log: manual cleanup entries now say which cleanup categories were picked (e.g. "Dọn: bản nháp, bình luận rác — tổng 2 nhóm") instead of `revisions=1 | spam=0 | transients=1 | items=2`.
* Audit log: new public helper `sitevorx_audit_summarize_diff()` for any module that wants to produce a similar before/after change list.

= 1.0.9 =

* Login lockout: maximum failed attempts and lockout duration are now admin-configurable (3–50 attempts, 5 minutes to 7 days). Defaults preserve previous behavior (5 attempts, 24 hours).
* Login lockout: new IP allowlist (one IPv4/IPv6 per line) — listed IPs are never counted and never locked, so an administrator on a known IP cannot lock themselves out.
* Login lockout: "IP đang bị khóa" diagnostics panel under Tối ưu & Bảo mật → Bảo Mật & Tường Lửa shows currently locked entries (hash + attempt count + expiry timestamp) with a per-row Unlock button. Unlock action is gated by manage_options + nonce and writes a `login_unlock` event to the audit log.
* Audit log: lockouts now write a `login_lockout` event the moment the threshold is hit, with IP, attempt count, last submitted username, and configured lockout window.
* Hardening: aligned the audit log's IP capture with `sitevorx_get_client_ip()` so Cloudflare's CF-Connecting-IP is only trusted when the matching CF-Ray header is present (not spoofable from arbitrary clients).
* i18n: restored Vietnamese diacritics in the reCAPTCHA failure messages and the two reCAPTCHA tab comments that had been mojibake-encoded.
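As an added example (not the plugin's own `sitevorx_get_client_ip()` or lockout code), the following shows the two mechanisms the 1.0.9 entries and the Cloudflare FAQ describe working together: a client-IP helper that honours `CF-Connecting-IP` only when a `CF-Ray` header accompanies it, feeding a login-attempt limiter with the stated defaults (5 attempts, 24-hour lockout), an IP allowlist, and hashed lockout keys. Names prefixed `hx_` and the option `hx_login_allowlist` are assumptions for this example.

```php
<?php
/**
 * Added example, not code from the Sitevorx plugin: conditional trust of
 * CF-Connecting-IP plus a minimal login-attempt limiter built on transients.
 * Names prefixed "hx_" and the option "hx_login_allowlist" are assumptions.
 */

const HX_MAX_ATTEMPTS    = 5;             // the page's default threshold
const HX_LOCKOUT_SECONDS = 24 * 60 * 60;  // the page's default lockout window

function hx_client_ip(): string {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    // Cloudflare adds CF-Ray to every proxied request. A client that sends
    // CF-Connecting-IP on its own (no CF-Ray) is ignored and REMOTE_ADDR wins.
    if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) && ! empty( $_SERVER['HTTP_CF_RAY'] ) ) {
        $candidate = trim( (string) $_SERVER['HTTP_CF_CONNECTING_IP'] );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) !== false ) {
            return $candidate;
        }
    }
    return filter_var( $remote, FILTER_VALIDATE_IP ) !== false ? $remote : '0.0.0.0';
}

function hx_ip_allowlisted( string $ip ): bool {
    // One IPv4/IPv6 address per line. Listed IPs are never counted and never
    // locked, so an administrator on a known address cannot lock themselves out.
    $raw   = (string) get_option( 'hx_login_allowlist', '' );
    $lines = array_filter( array_map( 'trim', preg_split( '/\R/', $raw ) ) );
    return in_array( $ip, $lines, true );
}

function hx_lock_key( string $ip ): string {
    // Keyed by a hash so the transient store holds no raw visitor addresses.
    return 'hx_lock_' . substr( hash( 'sha256', $ip ), 0, 32 );
}

function hx_attempts( string $ip ): int {
    $data = get_transient( hx_lock_key( $ip ) );
    return is_array( $data ) ? (int) $data['count'] : 0;
}

function hx_record_failure( string $ip ): void {
    $count = hx_attempts( $ip ) + 1;
    // The expiry is refreshed on every failure, so the window only starts
    // counting down once the guessing stops.
    set_transient( hx_lock_key( $ip ), array( 'count' => $count, 'updated' => time() ), HX_LOCKOUT_SECONDS );
}

// Count each failed login unless the address is allowlisted.
add_action( 'wp_login_failed', function () {
    $ip = hx_client_ip();
    if ( ! hx_ip_allowlisted( $ip ) ) {
        hx_record_failure( $ip );
    }
} );

// Refuse locked addresses. Priority 30 runs after the core username/password
// check (priority 20), so a correct guess from a locked address is still rejected.
add_filter( 'authenticate', function ( $user ) {
    $ip = hx_client_ip();
    if ( ! hx_ip_allowlisted( $ip ) && hx_attempts( $ip ) >= HX_MAX_ATTEMPTS ) {
        return new WP_Error( 'hx_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( hx_lock_key( hx_client_ip() ) );
} );
```

Requiring `CF-Ray` stops a bare `CF-Connecting-IP` header from moving a visitor's counter onto an arbitrary address, but any client can still send both headers to a server that is reachable directly; the stricter check, not shown here, is to honour the headers only when `REMOTE_ADDR` is inside Cloudflare's published proxy ranges.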
= 1.0.8 =

* Compliance: SMTP log listing now uses `$wpdb->prepare()` for the LIMIT clause to satisfy automated SQL-injection scanners.
* Compliance: removed PHP `@` error suppression on the malware scanner's file read; the scanner now checks `is_readable()` first and still gracefully skips unreadable files.
* Compliance: clarified External Services disclosure in readme.txt to cover both reCAPTCHA v2 and v3, and to name the `api/siteverify` verification endpoint explicitly.
* New: Audit Log submenu (Sitevorx → Nhật ký Kiểm toán) recording sensitive admin actions (settings save/reset/import, SMTP test, malware scan, scheduled cleanup change, manual cleanup run, disk file delete, log clear). Ring buffer of the 200 most recent entries, stored in the `sitevorx_audit_log` option (no new database table).
* Hardening: factory reset now preserves the audit trail by skipping the audit-log option, so administrators can review what was reset after the fact. Uninstall still drops the option on full removal.
* Dashboard: health overview now reflects runtime state, not just saved options. New warnings: scheduled cleanup enabled but no next run on cron (silent failure), SMTP mailer selected but missing credentials, reCAPTCHA toggle on but Site/Secret key empty, Maintenance Mode active (visitors blocked), WP_DEBUG still on in production.
* Dashboard: SMTP and Cron status cards now show a red "Thiếu credential" / "Lỗi lịch" badge when the saved option does not match runtime readiness, and the health score stops counting a broken cron or credentials-less mailer as a passing check.

= 1.0.7 =

* Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.
* Updated the reCAPTCHA settings heading to match the available v2/v3 selector.

= 1.0.6 =

* Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer & Security hardening controls.
* Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.

= 1.0.5 =

* Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.
* Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.
* Improved: SMTP "Force From Email" now warns when the sender domain differs from the site domain (SPF/DKIM mismatch hint).
* Improved: Scheduled cleanup skips `OPTIMIZE TABLE` on tables larger than 500MB to avoid long table locks on shared hosting.
* New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter `sitevorx_recaptcha_v3_score_threshold` (default 0.5).
* Compliance: Added empty `index.php` files in `/assets`, `/includes`, `/languages` for directory listing protection.

= 1.0.4 =

* Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site/user locale is English.

= 1.0.3 =

* Added dashboard, support, and rating links to the WordPress Plugins screen.

= 1.0.2 =

* Second pass on WordPress Plugin Directory automated review feedback:
    * Header/footer script output now goes through `wp_kses()` with a strict allow-list (`sitevorx_kses_tracking_tags()`) that permits only tracking / verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through `wp_kses_bad_protocol()`, which strips `javascript:`, `data:` and `vbscript:` URLs.
    * The "Clear error log" feature now targets the canonical `WP_CONTENT_DIR/debug.log` location and uses the WordPress `WP_Filesystem` API. The plugin no longer writes anywhere outside `wp-content/`.
    * Escaped the secret login URL preview with `esc_url( home_url( '/?' . $key ) )`.
    * Removed the runtime `.po` -> `.mo` translation compiler. The plugin previously regenerated `languages/sitevorx-en_US.mo` on demand; that wrote to the plugin folder, which is not allowed. The compiled `.mo` is now shipped pre-built with the plugin and WordPress loads it normally.
    * Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled `.mo` file is now the only source of English strings.
    * Wrapped every remaining dynamic CSS class / inline style ternary (e.g. `echo $active ? 'on' : 'off'`) with `esc_attr()` across the sidebar, dashboard overview, SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.

= 1.0.1 =

* Security hardening per WordPress Plugin Review feedback:
    * Added `sanitize_text_field()` wrapper around every nonce value passed to `wp_verify_nonce()`.
    * Sanitized `$_POST` raw script fields (header/footer injection) with a dedicated helper (`sitevorx_sanitize_raw_script`) before `update_option()`; save path remains gated by the `unfiltered_html` capability.
    * Replaced `esc_url_raw()` with `esc_url()` for inline CSS output in the custom login logo.
    * Escaped every translated/output string that previously used `__()` inside `echo`/`printf`/`sprintf`: now wrapped with `esc_html__()`, `esc_html( sprintf(...) )`, or the `sitevorx_kses_basic()` helper (which allowlists a short set of basic inline tags).
    * Hardened the JSON import flow with explicit `wp_unslash()` + `wp_check_invalid_utf8()` before `json_decode()`; per-field sanitization was already enforced on every decoded value.
    * Escaped integer counters and dynamic CSS class/style values with `(int)`, `esc_attr()`, and `esc_html()` across all admin screens.
    * Sanitized the `heavy_files[]` array from the disk cleaner with `array_map( 'sanitize_text_field', wp_unslash(...) )`.

= 1.0.0 =

* Initial public release.
* Full security audit: nonce verification, capability checks, input sanitization on all forms.
* Malware scanner for files and database.
* System optimizer with scheduled WP-Cron cleanup.
* Maintenance & Update monitor module.
* Modern Flex/Grid responsive dashboard UI.
* Complete Vietnamese localization.
* Dashboard: complete UI redesign — hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.
* Dashboard: "Xem dung lượng chi tiết" links directly to Detailed Storage tab.
* Disk Space Manager: two-tab interface — "File Cỡ Lớn (>50 MB)" (scan & delete) and "Dung Lượng Chi Tiết" (WP Content breakdown by plugins/themes/uploads/other + top-10 DB tables + Refresh).
* Security: added validation — cannot enable "Đổi Đường Dẫn Đăng Nhập" or "Khóa Tự Động Đăng Nhập" without filling required fields; shows error instead of silently reverting.
* i18n: bundled language files included for English and Vietnamese.
* i18n: added new translation strings for all new UI elements.
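The Core Integrity Checker described under Security Center and External Services compares local core files against the MD5 manifest from `https://api.wordpress.org/core/checksums/1.0/`. The following is an added example of that comparison, not the plugin's own checker: it uses WordPress's own `get_core_checksums()` (which sends only the version string and locale), reports modified and missing files, and walks `wp-admin/` and `wp-includes/` for files the manifest does not list. The function name `hx_core_integrity_report` is an assumption for this example.

```php
<?php
/**
 * Added example, not code from the Sitevorx plugin: an on-demand core
 * integrity report built on get_core_checksums(). "hx_" names are assumptions.
 * Run it from an admin context (e.g. a WP-CLI command or an admin page) so
 * that ABSPATH and $wp_version are defined.
 */

function hx_core_integrity_report(): array {
    global $wp_version;

    // get_core_checksums() lives in wp-admin/includes/update.php, which is not
    // loaded on front-end or CLI requests.
    if ( ! function_exists( 'get_core_checksums' ) ) {
        require_once ABSPATH . 'wp-admin/includes/update.php';
    }

    // Only the version string and the locale are sent to WordPress.org.
    $checksums = get_core_checksums( $wp_version, 'en_US' );
    if ( ! is_array( $checksums ) ) {
        return array( 'error' => 'No checksums available for WordPress ' . $wp_version );
    }

    $report = array( 'modified' => array(), 'missing' => array(), 'extra' => array() );

    foreach ( $checksums as $relative => $expected_md5 ) {
        // The manifest also lists bundled default themes and hello.php under
        // wp-content/, which most sites delete or replace; skip them so the
        // report only reflects the real core tree.
        if ( strpos( $relative, 'wp-content/' ) === 0 ) {
            continue;
        }
        $path = ABSPATH . $relative;
        if ( ! is_file( $path ) ) {
            $report['missing'][] = $relative;
            continue;
        }
        if ( ! hash_equals( $expected_md5, (string) md5_file( $path ) ) ) {
            $report['modified'][] = $relative;
        }
    }

    // Extra files: anything inside the two core directories that the manifest
    // does not know about (a common place for dropped web shells to hide).
    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( ABSPATH . $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $iterator as $file ) {
            $relative = str_replace( '\\', '/', substr( $file->getPathname(), strlen( ABSPATH ) ) );
            if ( ! isset( $checksums[ $relative ] ) ) {
                $report['extra'][] = $relative;
            }
        }
    }

    return $report;
}
```

The "extra" category is the one a pure checksum comparison misses: a manifest can only vouch for files it lists, so a walk of the core directories is what turns "every listed file is intact" into "nothing was added". MD5 here is a manifest lookup against a trusted source, not a collision-resistant signature, which is appropriate for detecting accidental or unsophisticated modification but not a substitute for file-system permissions that prevent the web server user from writing to core in the first place.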
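The 1.0.5 entry above describes hardening the SVG sanitizer against XXE by rejecting DOCTYPE, ENTITY, SYSTEM and PUBLIC declarations. As an added example (not the plugin's sanitizer), here is a small PHP pre-check and cleanup in that spirit: it refuses any document carrying those declarations before the XML parser ever sees them, parses with network access disabled and without entity substitution, and then strips script elements, `on*` event handlers and `javascript:` URLs. `hx_sanitize_svg` is an assumed name for this example.

```php
<?php
/**
 * Added example, not code from the Sitevorx plugin: an XXE- and script-aware
 * SVG sanitizer. Returns the cleaned SVG markup, or false when the input is
 * rejected outright. "hx_" names are assumptions for this example.
 */

function hx_sanitize_svg( string $svg ) {
    // 1. Hard reject anything that can declare or load entities. XXE needs a
    //    DTD, so no DOCTYPE/ENTITY and no SYSTEM/PUBLIC identifiers inside a
    //    "<!" declaration. Checking the raw text avoids relying on parser flags.
    if ( preg_match( '/<!DOCTYPE|<!ENTITY|<![^>]*\b(?:SYSTEM|PUBLIC)\b/i', $svg ) ) {
        return false;
    }

    // 2. Parse with no network access and no entity substitution (LIBXML_NOENT
    //    is deliberately absent). Parser errors are collected, not echoed.
    $previous = libxml_use_internal_errors( true );
    $dom      = new DOMDocument();
    $loaded   = $dom->loadXML( $svg, LIBXML_NONET | LIBXML_NOBLANKS );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );

    if ( ! $loaded || ! $dom->documentElement || strtolower( $dom->documentElement->localName ) !== 'svg' ) {
        return false;
    }

    // 3. Strip active content. DOMXPath::query() returns a snapshot list, so
    //    removing nodes while iterating is safe.
    $xpath = new DOMXPath( $dom );
    foreach ( $xpath->query( '//*[local-name()="script"]' ) as $script ) {
        $script->parentNode->removeChild( $script );
    }
    foreach ( $xpath->query( '//@*' ) as $attr ) {
        $name  = strtolower( $attr->nodeName );   // e.g. "onload", "xlink:href"
        $value = strtolower( trim( $attr->nodeValue ) );
        if ( strpos( $name, 'on' ) === 0 || strpos( $value, 'javascript:' ) === 0 ) {
            $attr->ownerElement->removeAttributeNode( $attr );
        }
    }

    return $dom->saveXML();
}

// Constructed sample inputs for a local check (not real uploads):
$hx_xxe_sample    = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>';
$hx_script_sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script><rect width="1" height="1"/></svg>';

var_dump( hx_sanitize_svg( $hx_xxe_sample ) === false );                       // bool(true): rejected outright
var_dump( strpos( (string) hx_sanitize_svg( $hx_script_sample ), 'script' ) === false ); // bool(true): script removed
var_dump( strpos( (string) hx_sanitize_svg( $hx_script_sample ), 'onload' ) === false ); // bool(true): handler removed
```

The text-level reject in step 1 is what makes the XXE defence robust: once a DTD reaches the parser, correctness depends on parser options and libxml version, whereas refusing the declaration outright has no such dependency. The admin-only upload gate mentioned in the same changelog entry still applies on top; sanitization reduces the blast radius of a malicious SVG, it does not make arbitrary uploads safe.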