# Changelog

All notable changes to this project are documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [2.1.20] - 2026-06-04
### Added
- Added visible firewall log retention controls, including manual deletion for expired logs and all firewall logs.

### Fixed
- Stopped pending WAF approval counts and VulnTitan admin assets from running on unrelated WordPress admin screens.
- Moved firewall component self-heal checks off unrelated admin requests and cached firewall settings per request to reduce repeated admin-side processing.

## [2.1.19] - 2026-06-03
### Added
- Added separate Cloudflare Turnstile and hCaptcha controls for WooCommerce My Account login and registration forms, available only when WooCommerce is active.
- Kept WordPress login and registration CAPTCHA settings separate from WooCommerce account-form protection.
- Updated CAPTCHA coverage reporting and release metadata for WooCommerce-specific form protection.

## [2.1.18] - 2026-05-12
### Changed
- Improved Firewall settings navigation with clearer tab affordances, simpler labels, and grouped one-column settings sections.
- Clarified Cloudflare/proxy configuration copy and moved proxy status messages directly beside the related setting.
- Updated compatibility metadata after testing with WordPress 7.0.

### Fixed
- Hardened shared admin template rendering for non-standard contexts where the current admin screen is unavailable.

### Maintenance
- Added Composer package metadata so strict release validation passes cleanly.

## [2.1.17] - 2026-03-31
### Added
- Logged comments that land in the WordPress moderation queue into the firewall activity stream and weekly digest reporting.
- Expanded the weekly digest protection profile and activity summaries to cover comment moderation and form-spam signals.

### Changed
- Refined the weekly digest email layout so two-column sections collapse cleanly on mobile screens.

### Security
- Hardened malware and integrity scan actions with stricter capability checks, safer in-root path validation, and server-side verification of auto-fix targets.
- Enforced signed anti-spam tokens and CAPTCHA handling on REST comment submissions when anonymous REST comments are exposed elsewhere.
- Tightened trusted proxy handling, bounded anti-spam token lifetimes, rate-limited 2FA challenge attempts, and moved maintenance self-heal work off the hot request path.

## [2.1.16] - 2026-03-25
### Added
- Tightened Comment Shield spam detection with casino, betting, gambling, promotional-link, repeated-domain, and thin-link heuristics for guest comments.
- Logged suspicious comment holds and WordPress moderation-queue entries into the firewall activity stream.
- Expanded the weekly executive security digest with form spam, comment queue, and broader protection-profile coverage.

### Changed
- Reworked the HTML weekly digest layout so cramped two-column sections collapse into a readable mobile presentation.

## [2.1.15] - 2026-03-18
### Added
- Added “Not installed” provider messaging in Spam Protection and disabled unavailable form provider toggles until Contact Form 7 or Fluent Forms is activated.

## [2.1.14] - 2026-03-18
### Fixed
- Fixed the Firewall settings save flow after the Spam Protection UI refactor by removing stale legacy comment-field JavaScript references.

## [2.1.13] - 2026-03-18
### Added
- Added form anti-spam protection for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and rate limiting.
- Added a dedicated Spam Protection UI with separate Comments and Forms controls plus provider toggles.
- Logged supported form spam blocks into the WAF and live security feed with provider-aware event sources.

### Changed
- Separated form submission blocks from general WAF request blocks in the Live Security Feed with a dedicated Forms filter and overview metric.
- Updated plugin and readme messaging to reflect comment and form anti-spam coverage.

## [2.1.12] - 2026-03-16
### Added
- Added vulnerability detail fields: fixed version, affected versions, CVSS score/vector, published date, and exploit status.
- Added risk score (severity + exposure) badges in vulnerability findings.
- Added risk decisions (“Accept risk” / “Ignore”) with expiry and audit log entries.
- Persisted risk decisions with a dedicated table and returned decisions with scan results.
- Added robust formatting for affected version ranges, including Wordfence-style range objects.
- Added inline update/deactivate actions that run without leaving the scan view.
- Added post-update rescan for updated components to refresh vulnerability cards in place.

### Changed
- Mapped API fields (patched_versions, published, etc.) to UI-friendly names for vulnerability reporting.
- Refresh update transients before building scan items so update actions are available.

## [2.1.11] - 2026-03-16
### Added
- Added filters and sorting for severity, component type, active status, and fix availability in scan results.
- Added direct actions for “Update now”, “Deactivate”, and “Open plugin page”.
- Added “Last scan at”, “Errors count”, and “Data age” to the scan overview.
- Added “Retry failed”, “Stop scan”, and smart auto-scroll for scan flows.
- Added short server-side caching per (type, slug, version) and surfaced “data age” in the UI.

### Changed
- Normalized slug handling for single-file plugins and edge cases to improve scan accuracy.
- Continued scans when individual items fail instead of aborting the entire run.
- Added timeout/backoff handling with clear 429/503 messaging for vulnerability data requests.
- Styled scan output filter dropdowns to match the dashboard theme and remove white backgrounds.

## [2.1.10] - 2026-03-16
### Added
- Added Learning Mode suggestions for WAF whitelisting with configurable thresholds and review-only approvals.
- Added a Learning Suggestions panel with approve/dismiss actions.

### Fixed
- Fixed PHP 8.4 deprecation warning by making trusted proxy settings explicitly nullable.

## [2.1.9] - 2026-03-16
### Added
- Added Proxy/CDN configuration in Firewall settings, including Trust Cloudflare and trusted proxy IPs.
- Added in-dashboard warnings when proxy headers are detected but trust is not configured.

### Changed
- Updated client IP detection to trust forwarded headers only for configured proxies.

### Fixed
- Restricted malware, integrity, and vulnerability scan actions to administrators only.
- Hardened integrity scan file handling to prevent unsafe path traversal.

## [2.1.8] - 2026-03-16
### Fixed
- Restored PHP 7.4 compatibility by replacing PHP 8-only syntax in login security, CAPTCHA, integrity, and vulnerability scan flows.

## [2.1.6] - 2026-03-15
### Added
- Added scan progress status notes that highlight the current component or file during Malware, Vulnerability, and Integrity scans.

## [2.1.5] - 2026-03-15
### Added
- Added role-based 2FA enforcement, including mandatory profile enrollment for selected roles.
- Added a dedicated Live Security Feed submenu with load-more controls.
- Added lockout IP allowlisting and quick unblock/allowlist actions from log detail views.

### Changed
- Moved the Live Security Feed out of the Firewall settings page into its own workspace.

## [2.1.4] - 2026-03-14
### Added
- Added a Login Security Pack with TOTP-based 2FA for Administrator and Editor accounts, trusted devices, recovery codes, CAPTCHA challenges, XML-RPC policy controls, and weak-password blocking.

### Changed
- Reworked the 2FA profile experience into a step-by-step setup flow with local QR provisioning, clearer activation states, and inline verification guidance.
- Improved the Firewall Identity Security workspace with rollout guidance for 2FA and CAPTCHA configuration.

### Fixed
- Fixed the 2FA login challenge screen so it no longer calls admin-only helpers on the public login flow.
- Fixed 2FA profile setup validation so activation errors return directly to the verification step instead of surfacing only as a generic top-of-page profile error.

## [2.1.3] - 2026-03-14
### Added
- Added WP-CLI scan commands for malware, integrity, vulnerability, and combined scan execution.

### Changed
- Added readme and FAQ documentation showing how to run VulnTitan scans from the terminal and automation scripts.

## [2.1.2] - 2026-03-14
### Changed
- Refined the Vulnerability scanner UI with a more professional overview, findings hierarchy, and visual treatment.
- Moved the sticky Vulnerability Overview outside the scrolling results container so the summary remains separate from live findings.
- Clean-result messages now explicitly reference the scanned plugin, theme, or WordPress core component instead of a generic component label.

## [2.1.1] - 2026-03-14
### Added
- Added a live-updating Firewall security feed with pause/resume controls, quick event filters, search, and per-event forensic detail panels.

### Changed
- Expanded Firewall log payloads in the admin feed so recent events expose richer request, actor, and detection metadata for incident review.
- Background Firewall feed refresh now keeps unsaved settings intact while still updating overview telemetry and recent events.

## [2.1.0] - 2026-03-13
### Added
- Added Comment Shield anti-spam protection for WordPress comments with honeypot, submit-time validation, duplicate detection, guest link limits, and IP rate limiting.
- Added comment spam metrics to the Firewall overview and weekly executive digest.

### Changed
- Updated plugin positioning and readme messaging to reflect the expanded security scope beyond the original lightweight framing.
- Firewall MU loader status now shows WordPress-relative paths such as `wp-content/mu-plugins/vulntitan-firewall.php` instead of exposing absolute server filesystem paths.

## [2.0.8] - 2026-03-13
### Added
- Added a weekly executive security digest email for administrators with 7-day firewall telemetry, login abuse summaries, WAF detections, and top targeted paths/rules.

### Changed
- Added digest delivery controls to the Firewall settings so administrators can enable the weekly report and override the recipient email address.
- Upgraded the weekly digest into a fully branded HTML email template with VulnTitan logo, metric cards, activity timeline, and protection profile summary.

## [2.0.7] - 2026-03-13
### Fixed
- Fixed custom login logout requests on some Nginx-backed WordPress sites so `/?action=logout` flows no longer fail with upstream `502 Bad Gateway` responses.
- Stabilized hidden login bootstrapping by priming the `wp-login.php` request context earlier and normalizing canonical custom login route handling.

## [2.0.6] - 2026-03-12
### Added
- Added configurable custom login slug support so administrators can expose a private login URL instead of the default `wp-login.php` path.

### Changed
- Reworked the Firewall admin page into a tabbed settings workspace with more breathing room between controls and a dedicated full-width recent events section.
- Replaced inline Firewall action notices with floating toast feedback for save, refresh, clear-log, warning, and error states.

### Security
- Hidden login access now blocks direct guest access to `wp-login.php` and default `wp-admin` entry points with `404` responses while preserving the custom login route.

## [2.0.5] - 2026-03-11
### Changed
- Updated plugin display name to comply with WordPress.org naming guidelines.
- Updated readme title and short description to match the new display name.

## [2.0.4] - 2026-03-10
### Changed
- Redesigned the VulnTitan Dashboard into a more professional security layout.
- Redesigned the Firewall page into a more professional layout.
- Removed the dashboard sidebar to keep the UI focused on scan operations.
- Redesigned the top navigation bar to match the dashboard and firewall style.

### Fixed
- Fixed scan progress indicator layout in the redesigned dashboard.

## [2.0.3] - 2026-03-10
### Fixed
- Reduced false positives for benign decode-only utilities (e.g., base64 + gzuncompress).
- Reduced false positives for safe `data:image/svg+xml;base64` payloads.
- Disabled auto-fix for low-risk malware findings to prevent accidental code removal.

## [2.0.2] - 2026-03-10
### Fixed
- Reduced malware scanner false positives for base64-decoded signature and key material.
- Avoided false positives from benign `data:image/*;base64,` CSS payloads embedded in PHP/JS strings.
- Prevented false positives on large serialized option blobs (e.g., cached security rulesets) without execution/file-write indicators.

## [2.0.1] - 2026-03-03
### Fixed
- Vulnerability scanner "Vulnerability Overview" panel now stays pinned at the top of the results area while scan content scrolls below it.
- Malware scanner now ignores benign CSS `content:` declarations and static string-literal matches that previously caused false-positive detections.

## [2.0.0] - 2026-02-25
### Added
- Integrity scanner now shows a dedicated "Problematic Integrity Files" block after scan completion with grouped non-OK results.
- Integrity scanner now shows a dedicated "Recommended Next Steps" panel with guidance based on detected statuses and file categories.
- Added a daily cleanup cron task that removes stale integrity queue files from `storage/queues`.
- Malware findings now include expandable code preview blocks with surrounding context lines and a highlighted suspicious line.
- Malware findings now support per-item "Apply Fix" actions with admin permission checks and user confirmation.
- Malware auto-fix creates a backup before patching, attempts targeted snippet removal, and falls back to line quarantine when safer.
- Added web-access hardening files (`.htaccess`, `web.config`, `index.php`) for backup directories used in fallback scenarios.
- Added daily malware-backup cleanup/rotation cron (14-day max age, keep 5 per source file, cap 500 total backups).
- Added a basic Firewall module with MU-plugin loader support for early request handling.
- Added firewall database log storage (`vulntitan_firewall_logs`) with daily retention cleanup.
- Added login protection with IP-based failed-attempt throttling, temporary lockouts, and firewall event logging.
- Added dedicated Firewall admin page with overview metrics, settings controls, and recent log history.
- Added WAF payload rule sets for SQL injection and command injection detection in MU firewall runtime.
- Added firewall whitelist path patterns (wildcard support) to bypass WAF payload rules for trusted endpoints.

### Changed
- Integrity scanner now excludes CSS and SCSS files from queue generation and baseline comparisons.
- Integrity scanner now excludes image formats from queue generation and baseline comparisons.
- Integrity scanner now excludes temporary `.queue` files and shows a contextual notice for internal VulnTitan storage files flagged as `unexpected`.
- Integrity scanner UI now includes a color legend for scan statuses (OK, MODIFIED, MISSING, UNEXPECTED, ERROR).
- Integrity legend is now rendered above the results list (outside the scroll area) and includes a short explanation for each status.
- Admin CSS/JS assets now use `filemtime`-based versioning for automatic cache busting after file changes.
- Vulnerability scanner UX redesigned with a clearer overview, vulnerable-components panel, and structured findings grouped by component severity.
- Malware scanner now uses clearer batch-result UX: per-file status display (clean/infected/skipped/error), streamed scan output, and a final problematic-files summary block.
- Malware scan results now return structured finding metadata (`line`, `severity`, `patterns`, `preview`) to support in-panel forensic preview UX.
- Integrity scanner batch processing is now adaptive (auto-tunes between safe min/max sizes based on server processing time) for faster scans without aggressive spikes.
- Integrity batch API now returns per-batch processing time metadata and uses safer server-side batch limits to balance performance and stability.
- Malware detection engine now includes broader PHP/JS signature coverage (execution, decode, obfuscation, file-write, and suspicious JS constructor patterns).
- Malware scanner now applies stronger combo heuristics (`decode+execution`, `user-input+execution`, `encoded write` chains) to improve real threat detection quality.
- Added per-file malware finding cap (`maxFindingsPerFile`) and extension-aware thresholds to improve scanner stability and reduce noisy/expensive scans.
- Firewall module is now separated from scanners and accessible via its own `VulnTitan > Firewall` submenu page.
- Firewall page UX/UI refreshed with a dedicated security-console layout, improved metric cards, and stronger input/button styling.
- Firewall log database schema is now versioned and auto-migrated with extended event metadata fields (request context, rule data, action/severity, flags, and forensic context JSON) for future features.
- Firewall settings now expose WAF toggles (SQLi/command-injection) and managed whitelist controls in the admin UI.
- Updated plugin/readme metadata (short description, long description, and tags) to reflect Firewall + WAF capabilities.

### Removed
- Removed all "Upgrade to PRO" admin upsell elements (submenu page, top navigation CTA, sidebar promo block, and dedicated upgrade page styles/files).

### Fixed
- Fixed scan panel state reset when switching scan types, so Integrity-only sections and old results are cleared before Malware/Vulnerability scans.
- Malware scanner now renders a dedicated "Problematic Malware Files" panel outside the scrollable results area, consistent with Integrity layout.
- Switching to Integrity or Vulnerability scan now clears/hides Malware problematic and overview panels to avoid stale cross-scan data.
- Integrity scanner frontend now uses guarded AJAX timeout/retry behavior and reduces batch size after transient failures to avoid PHP timeout/error loops.
- Fixed firewall login lockout flow so lockout message is preserved in login auth response and locked attempts no longer re-increment failure counters.

### Security
- Malware auto-fix backups are now stored outside `ABSPATH` by default (`../vulntitan-secure-backups/malware-fixes`) to reduce web exposure risk.
- Web-root backup fallback is disabled by default and can be explicitly enabled with `VULNTITAN_ALLOW_WEBROOT_BACKUPS`.

## [1.0.8] - 2026-02-24
### Changed
- Integrity scanner now uses server-side queued batches to avoid loading full file lists in the browser.
- Integrity scope reduced to core checksums plus plugin/theme/MU baselines and high-risk root files.
- Baseline generation is now lazy and efficient with improved filtering and core checksum caching.

## [1.0.7] - 2025-05-28
### Changed
- Minor changes.

## [1.0.6] - 2025-05-28
### Changed
- Improved description and tags.
- Minor changes.

## [1.0.5] - 2025-05-19
### Changed
- Improved malware scanner to eliminate false-positive results.
- Improved malware scanner scanning speed.
- Improved integrity scanner scanning speed.

## [1.0.4] - 2025-05-18
### Added
- Updated themes scanning (all themes are being scanned now).
- Updated readme.txt installation section.
- Introducing the redesigned VulnTitan dashboard for a smoother experience.
- Added malware scanner feature.
- Added file integrity scanner feature.

## [1.0.3] - 2025-05-13
### Changed
- Minor changes.

## [1.0.2] - 2025-05-12
### Changed
- Minor changes.

## [1.0.1] - 2025-05-11
### Changed
- Minor changes.

## [1.0.0] - 2025-05-04
### Added
- Initial release.
