Blueternal BOLT Security Toolkit

Changelog

0.6.9

• Extended auto-fix undo to cover modifications to existing files: wp-config.php and .htaccess originals are now saved to the database before BOLT changes them and restored on undo.
• Added cleanup of legacy bolt-backups and sasa-backups upload directories on plugin activation and uninstall.
• Added sasa_auto_fix_history and bolt_rest_api_custom_public_routes to the uninstall option cleanup list.

0.6.8

• Removed filesystem copy storage from the WordPress.org build.
• Changed public readme and public artifact fixes to delete exposed files instead of storing copies.
• Changed fix history to database-only metadata with undo limited to files BOLT creates itself.

0.6.7

• Documented Google Safe Browsing in External Services.
• Removed an unnecessary WordPress admin theme include from scan update checks.

0.6.6

• Added Attack Paths, a deterministic local rules engine that turns current scan findings into practical chained compromise scenarios.
• Added an Overview panel showing the top three attack paths with evidence, required conditions, baseline-new status, shortest fix path, and break-chain actions.
• Added a highlighted best break-chain action and near-miss detection for partially formed attack paths.
• Added a Most effective fix right now section that highlights the single action that breaks the most visible attack paths.
• Added wp-config.php persistence context so unsafe permissions appear as a near miss when alone or as a subtle amplifier on real write-capable attack paths.
• Added Free vs Pro gates for report cadence, multiple report recipients, custom branding, alerts, AI briefings, full activity history, on-demand reputation checks, advisory detail, and named baseline snapshots.

0.6.5

• Added Malware Triage Center for structured suspicious PHP file review.
• Added hash-based expected-file decisions so unchanged known-good malware-pattern hits stay out of Priority Actions while changed files are flagged again.

0.6.4

• Added Application Password Governance: BOLT now inventories actual WordPress application passwords, highlights stale, unused, and administrator-owned credentials, and links administrators to the relevant user profiles for review and revocation
• Changed the Application Passwords scan from a generic feature-availability warning into a credential-aware local governance check
• Added an Accepted Risk Register so administrators can document intentional unresolved findings with an owner, reason, and expiration date
• Suppressed unexpired accepted risks from Top Actions, overview hardening action queues, new-issue report sections, alerts, and AI action payloads while keeping the underlying score unchanged

0.6.3

• Removed public landing-page hooks so BOLT no longer alters front-end pages based on page slugs
• Removed review-blocking HEREDOC/NOWDOC syntax from generated hardening rules and BOLT-created mu-plugin code
• Documented Slack incoming webhook and generic webhook alert deliveries in the External Services section
• Removed the New/Changed/Improved/Resolved baseline-drift badges from the Overview tab category tables and from the Hardening tab; drift markers belong on the Baseline tab where they have proper saved-baseline context
• Standardized drift badge width on the Baseline tab so all four pill labels render at the same size regardless of text length
• Hardened the public install-proof endpoint: non-matching install identifiers now return HTTP 200 with ok:false instead of 403, so the endpoint is no longer an existence oracle for guessed install ids
• Added a 60/hour per-IP rate limit to install-proof requests to throttle brute-force attempts
• Tightened the loopback-probe nonce window from roughly two hours to roughly five to ten minutes (5-minute bucket with current and previous accepted), reducing replay surface while still tolerating bucket boundaries
• Hardened the auto-fix undo and bulk-session-undo handlers so missing or invalid fix entries redirect with a generic notice instead of wp_die‘ing on a reflected query parameter; the per-fix nonce action is preserved so an admin cannot be CSRF’d into undoing a different fix than they intended

0.6.2

• Added a conditional one-click HSTS Header fix for HTTPS Apache/LiteSpeed-style .htaccess stacks
• Refreshed the stored scan snapshot after verified individual Fix Now actions so cleared findings disappear immediately
• Added a one-click removal fix for WordPress Readme File findings
• Made Domain Blacklist warning recommendations context-aware so Pro reputation warnings no longer say “Upgrade to Pro”
• Linked Overview Recommendations to the current Priority Actions so resolved findings no longer linger there
• Forced manual scans to refresh WordPress update data before ranking plugin/theme update priority actions
• Added a one-click removal fix for Public Backup / Dump Files findings
• Scoped Core File Integrity to runtime WordPress application files so bundled theme/plugin updates and removed package docs do not trigger critical core failures
• Routed Pro blacklist checks through the BOLT platform reputation endpoint, with direct DNSBL only as a labeled fallback
• Required license verification to match an active site seat, reacquired saved seats on plugin reactivation, and serialized platform seat assignment
• Detected and backed up wp-config.php when WordPress stores it one directory above ABSPATH
• Cleaned uninstall data more completely, including report status, tracked AI cache transients, REST allowlist options, and BOLT-created REST/XML-RPC mu-plugin files
• Removed unused legacy scanner/admin prototype files from the distribution tree
• Fixed DNSBL parsing so blocked/refused blacklist lookup responses are reported as inconclusive instead of listed
• Added an Overview Fix Plan that separates one-click fixes from server-limited and manual priorities
• Reworked the Hardening server profile card for clearer server/PHP handler context
• Added explicit diagnostics when PHP reports apache2handler while host settings claim PHP-FPM
• Bumped admin assets so the refreshed profile UI is not hidden by browser cache
• Simplified the AI Security Briefing by keeping detailed fix guidance in the scan table
• Increased AI structured-output headroom, added a retry for incomplete OpenAI responses, and invalidated older cached briefings
• Added BOLT hosted AI briefing support, optional direct OpenAI override, guide links, and a smaller fail/warn payload
• Added a REST API Fix Now action that writes a BOLT mu-plugin to restrict unauthenticated REST requests
• Preserved BOLT license, reputation, hosted AI, webhook, and vulnerability-feed REST routes when REST hardening is enabled
• Added persistent fix history for auto-fixes
• Added grouped fix sessions and a REST public-route allowlist manager to the Hardening tab
• Added finding-level baseline drift value diffs to the Baseline tab, reports, alerts, and AI payload evidence
• Added detected REST route selection to the REST public-route allowlist manager
• Hardened Loopback Requests and WP-Cron Health with a signed BOLT loopback probe, overdue-event diagnostics, cron-lock detection, and Reports tab health visibility

0.6.1

• Added central server/PHP profile detection for capability decisions
• Removed misleading one-click fix for disable_functions
• Restricted uploads execution auto-fix to Apache/LiteSpeed-style .htaccess stacks
• Removed adjacent auto-fix .bak files
• Updated PHP/database scan recommendations to a safer current production baseline

0.6.0

• Added MVP AI Security Briefing for the Scan tab with explicit manual generation
• Added structured AI security summary and prioritized action plan using the OpenAI Responses API
• Added AI settings page for API key, model, cache hours, and maximum findings
• Bumped plugin version to 0.6.0

0.5.2

• Added a dedicated Hardening tab in wp-admin
• Added a one-click hardening action using the existing auto-fix engine
• Added grouped one-click hardening controls and manual hardening priorities
• Bumped plugin version to 0.5.2

0.5.1

• Added active baseline drift detection against a saved scan baseline
• Added baseline save, update, and clear actions on the scan tab
• Added regressions, improvements, and resolved issue summaries since baseline
• Added optional alert mode for baseline regressions only
• Added a manual test alert action for configured alert destinations
• Bumped plugin version to 0.5.1

0.5.0

• Added a dedicated Activity tab with filterable security timeline entries
• Added audit logging for authentication events, software changes, and BOLT actions
• Added activity cleanup during uninstall
• Bumped plugin version to 0.5.0

0.4.1

• Added Pro malware-pattern scanning for suspicious PHP files
• Added malware guidance in the admin UI and docs
• Bumped plugin version to 0.4.1

0.4.0

• Added Pro WordPress core file integrity monitoring using official checksum verification
• Added detection for unexpected files inside wp-admin and wp-includes
• Added file integrity guidance in the admin UI and docs
• Bumped plugin version to 0.4.0

0.3.1

• Added a dedicated Alerts tab for outbound Slack and generic webhook destinations
• Added Pro alert delivery for newly detected scheduled-scan issues
• Added critical-only filtering for outbound alerts
• Bumped plugin version to 0.3.1

0.3.0

• Added Pro vulnerability intelligence for WordPress core, plugins, and themes
• Added configurable cached vulnerability feed support with advisory version matching
• Added vulnerability documentation for feed configuration and payload shape
• Bumped plugin version to 0.3.0

0.2.4

• Added new hardening checks for database prefix, user registration, default admin username, debug log exposure, readme.html exposure, and application passwords
• Expanded scan categories with Authentication and Site Exposure sections
• Synced plugin version metadata with the current codebase

0.2.0

• Refactored plugin bootstrap and lifecycle hooks
• Rebuilt admin UI around consistent scan/report data model
• Wired scheduled scans and email reports end-to-end
• Replaced prototype license handling with remote HTTPS license validation
• Added seat-based license enforcement via the Blueternal platform
• Added Stripe-integrated license issuance (checkout.session.completed webhook)
• Added Pro plans: Single ($49), Agency ($99), Developer ($199) — annual
• Added one-click auto-fixes for WP_DEBUG, File Editor, Directory Listing, Executable Files in Uploads, and XML-RPC; dangerous PHP functions remain host-level guidance
• Fixed deprecated current_time(‘timestamp’) in cron scheduler
• Removed class collision risk from stale admin class file
• Added /bolt and /bolt-pro landing pages