=== Vulnity Security ===
Contributors: manuelgalan
Requires at least: 5.8
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.3.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Tags: security, siem, monitoring, intrusion-detection

Security monitoring and SIEM integration that keeps your WordPress sites safe in real time.

== Description ==

Vulnity Security brings enterprise-grade threat detection to WordPress. It connects your site to Vulnity's SIEM platform, correlates events, and alerts you before issues become incidents.

= Features =

* Real-time security event collection and forwarding to Vulnity SIEM.
* Dashboard widgets that highlight critical findings and remediation steps.
* Scheduled security scans for core files, plugins, and themes.
* Centralized logging compatible with major SOC workflows.

= Integration Requirements =

To receive alerts, configure an API token and endpoint URL provided by your Vulnity SIEM account. Detailed configuration instructions are displayed after activating the plugin under **Vulnity > Settings**.

= External Services =

This plugin connects to Vulnity's external API hosted on Supabase Edge Functions (domain: `euxnoekqasvzwfcbybkg.supabase.co`, base URL `https://euxnoekqasvzwfcbybkg.supabase.co/functions/v1`) to power SIEM alerts, inventory sync, and mitigation updates.

* **What the service is and what it is used for:**
    * Vulnity SIEM API for pairing/unpairing, heartbeat checks, sending alerts, testing connectivity, syncing inventory, and receiving mitigation policies.
* **Endpoints used:**
    * `/pair-plugin`, `/unpair-plugin` (pairing and disconnecting the site).
    * `/heartbeat` (periodic health check).
    * `/connection-test` (manual connection test).
    * `/scan-site-info` (inventory sync).
    * `/generic-alert`, `/brute-force-alert`, `/file-security-alert`, `/manage-user`, `/user-management-alert`, `/permission-change-alert`, `/file-editor-alert`, `/plugin-change-alert`, `/theme-change-alert`, `/core-update-alert`, `/suspicious-query-alert`, `/scanner-detected-alert` (security alerts).
    * `/mitigation-config`, `/mitigation-update` (mitigation policy sync and block/unblock updates).
* **What data is sent and when:**
    * Pairing/unpairing: site ID, pair code, plugin/WordPress/PHP versions, and timestamp when pairing or disconnecting occurs.
    * Heartbeat: site ID, URLs, site metadata (name, language, timezone, theme), and runtime info (plugin/WordPress/PHP versions, latency) on a scheduled interval.
    * Alerts: site ID, alert type/severity, timestamps, and event details (such as IP address, user/action metadata, or file change context) whenever a security event is detected.
    * Inventory sync: site inventory details (installed plugins/themes/core metadata) when inventory sync runs.
    * Mitigation: site ID, block/unblock actions, IP address, reason, duration, and rule metadata when mitigation rules are synced or enforcement actions occur.
* **Why the data is sent:**
    * To associate the site with your Vulnity account, deliver security alerts to the SIEM, validate connectivity, synchronize inventory and mitigation policies, and keep firewall enforcement consistent.
* **Policies:** See the Vulnity [Terms of Service](https://vulnity.io/terms) and [Privacy Policy](https://vulnity.io/privacy) for details on how data is handled.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/vulnity` directory or install from the WordPress plugin repository.
2. Activate the plugin through the **Plugins** screen in WordPress.
3. Navigate to **Vulnity > Settings**, enter your Vulnity SIEM credentials, and save.
4. (Optional) Enable scheduled scans on the **Monitoring** tab to receive weekly reports.

== Frequently Asked Questions ==

= Do I need a Vulnity SIEM subscription? =

Yes. The plugin requires an active Vulnity SIEM account to collect and analyze events.

= Will the plugin slow down my site? =

No. Event collection runs asynchronously and offloads processing to the Vulnity cloud platform.

= Can I disable certain alerts? =

Absolutely. Use the **Alert Policies** section within the plugin settings to mute or reclassify events.

== Screenshots ==

1. Dashboard overview with real-time threat summary.
2. Alert detail screen showing remediation steps.
3. Settings page for configuring API credentials and scan schedules.

== Changelog ==

= 1.3.0 =
* Version bump to 1.3.0.

= 1.2.3 =
* Fixed firewall bootstrap blocking wp-login.php, wp-cron.php, admin-ajax.php, and xmlrpc.php for blocked IPs — admins can now recover access.
* Fixed firewall bootstrap returning HTML instead of JSON for REST API requests from blocked IPs.
* Fixed uninstall leaving broken .htaccess when file is read-only — now creates safe stub to prevent HTTP 500.
* Fixed early IP blocking (plugins_loaded:0) intercepting AJAX and REST requests, breaking admin panel functionality.
* Reduced SIEM alert timeout from 10s to 3s to prevent page hangs during attacks.
* Reduced inventory sync timeout from 30s to 8s to prevent random slow page loads via pseudo-cron.
* Improved file detection in Protect Common Paths — now handles query strings, trailing slashes, and dotted directory names correctly.
* Added PHP execution blocking rule for uploads directory in generated Nginx configuration snippet.
* Expanded REST API public route whitelist: added WooCommerce v3, UpdraftPlus, BackWPup, Elementor, Forminator, FluentForms, SureCart, MailPoet, and block editor endpoints.
* Added `Options -Indexes` to Protect Common Paths .htaccess rules as defense-in-depth measure.
* Updated Stable tag from 1.2.2 to 1.2.3.

= 1.2.2 =
* Fixed anti-collapse dedup system blocking subsequent auto-update state toggle events due to identical hash.
* Fixed wrong authentication headers for `/real-time-alerts` endpoint (now uses HMAC-SHA256 signature instead of token).
* Fixed missing `remediation` field in auto-update state events sent to the SIEM.
* Fixed `version_old` not captured in auto-update events; now recorded via `upgrader_pre_install` hook before files are replaced.
* Fixed auto-update trigger running on disable; updates now only fire for newly enabled component types.
* Fixed auto-update event detection using `instanceof WP_Automatic_Updater` instead of `wp_doing_cron()` for broader compatibility.
* Fixed single-file plugin slug resolving to `.` (e.g. hello-dolly) in update event payloads.
* Added `triggered_by` field to update events: `siem_manual`, `siem_auto_update`, or `wp_auto_updater`.
* Auto-update toggles in the admin panel are now read-only; changes must be made from the SIEM.
* Replaced `parse_url()` with `wp_parse_url()` for WordPress coding standards compliance.

= 1.2.1 =
* Plugin Check compatibility improvements for filesystem and nonce-related warnings.
* Runtime validation improvements for scanner detection, file editor monitoring, and firewall state serialization.

= 1.2.0 =
* Fixed login URL rename validation against existing pages/posts and reserved WordPress routes.
* Fixed uninstall cron cleanup to use `wp_unschedule_hook()` for complete removal.
* Fixed heartbeat, mitigation sync, and alert buffer crons not cancelled on plugin disconnect.

= 1.1.9 =
* Send whitelist IPs (user public IP + localhost) to the SIEM during pairing so the whitelist persists after synchronization.

= 1.1.8 =
* Fixed Nginx warning notice appearing repeatedly on every admin page load; it now displays only once.
* Improved notice format: each protected path is shown on its own line for better readability.
* Added link to solution documentation for Nginx .htaccess compatibility.

= 1.1.7 =
* Fixed deactivation not clearing all cron jobs (4 missing hooks, plus events re-scheduled by late-firing alert hooks).
* Added `final_deactivation_cleanup` at priority 9999 to ensure complete cron and .htaccess cleanup after all hooks fire.
* Replaced `wp_clear_scheduled_hook` with `wp_unschedule_hook` to clear single events with arguments.
* Added native PHP fallback for .htaccess marker removal when WP_Filesystem is unavailable.
* Fixed Plugin Check error: replaced direct `is_writable()` with `vulnity_path_is_writable()` and `WP_Filesystem_Direct`.

= 1.1.5 =
* Fix uninstall multisite cleanup query when `sitemeta` table is not available to prevent SQL warnings in debug.log.

= 1.1.4 =
* Ensure uninstall removes Vulnity firewall/log folders recursively so no plugin-owned folders are left behind.

= 1.1.3 =
* Ensure uninstall removes Vulnity firewall/log folders even when permissions are restrictive by attempting safe chmod before cleanup.

= 1.1.2 =
* Added a dedicated Vulnity log with line-based rotation and safe fallbacks when uploads are not writable.
* Added admin warning when firewall storage cannot be written, with clear remediation guidance.
* Expanded uninstall cleanup to remove Vulnity log files and firewall artifacts across fallback paths.

= 1.1.1 =
* Fixed deactivation cleanup so Vulnity hardening marker blocks are removed fully from `.htaccess` without modifying user-defined rules.
* Improved deactivation safety in shared hosting environments with conservative, marker-only rollback behavior.

= 1.1.0 =
* Improved admin UI consistency across Dashboard, Synchronization, Mitigation, Hardening, and Setup screens.
* Hardened plugin lifecycle behavior for shared hosting compatibility and safer deactivation/uninstall flows.
* Added conservative server integration safeguards to reduce side effects in Apache/Nginx environments.

= 1.0.5 =
* Version bump to 1.0.5.

= 1.0.4 =
* Version bump to 1.0.4.

= 1.0.3 =
* Standardized admin asset enqueues and AJAX URL localization for compliant loading.
* Hardened nonce and capability checks across alerts and admin handlers.
* Improved path resolution using WordPress APIs for non-default installs.
* Documented external Supabase services used for alerts and mitigation updates.

= 1.0.2 =
* Initial release.

== Upgrade Notice ==

= 1.3.0 =
Version 1.3.0 release.

= 1.2.3 =
Critical stability fixes: prevents admin lockout from firewall, reduces SIEM request timeouts, fixes uninstall leaving broken .htaccess, and expands REST API compatibility with popular plugins.

= 1.2.2 =
Fixes bidirectional auto-update sync with the SIEM: corrects authentication headers, dedup hashing, version tracking, and update trigger logic.

= 1.2.1 =
Maintenance release with Plugin Check compatibility fixes.

= 1.2.0 =
Fixes login URL validation and cron cleanup on disconnect.

= 1.1.9 =
Whitelist IPs are now sent to the SIEM during pairing to prevent them from being lost on sync.

= 1.1.8 =
Nginx warning now shows only once and includes a link to the solution documentation.

= 1.1.7 =
Deactivation now fully clears all cron jobs and .htaccess markers, including events re-scheduled by alert hooks.

= 1.1.5 =
Fixes a multisite uninstall query edge case that could log an SQL warning.

= 1.1.4 =
Uninstall cleanup now removes Vulnity firewall/log folders recursively so nothing is left behind.

= 1.1.3 =
Improved uninstall cleanup for firewall/log folders in restrictive hosting environments.

= 1.1.2 =
New rotating Vulnity logs plus safer firewall storage warnings and cleanup behavior for shared hosting.

= 1.1.1 =
Conservative `.htaccess` cleanup update: Vulnity now removes only its own marker blocks on deactivation and leaves user rules untouched.

= 1.1.0 =
Stability and compatibility update focused on safer lifecycle handling and cleaner admin UX.

= 1.0.5 =
Version bump to 1.0.5.

= 1.0.4 =
Version bump to 1.0.4.

= 1.0.3 =
Compliance-focused update to align asset loading, documentation, and escaping with WordPress.org guidelines.

= 1.0.2 =
Initial public release featuring Vulnity SIEM integration and security monitoring dashboard.

== License ==

This plugin is licensed under the GNU General Public License v2.0 or later. You are free to redistribute and/or modify it under the terms of the GPL as published by the Free Software Foundation. The complete license text is included in the bundled `license.txt` file and is also available online at https://www.gnu.org/licenses/gpl-2.0.html.