Sitevorx

Changelog

1.1.0

• New module: Trung Tâm Bảo Mật (Security Center) — gom các tính năng bảo mật và bổ sung Security Score, Headers, Honeypot, User Enumeration Protection, Login Notification, Core Integrity Checker.
• New: HTTP Security Headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) — chỉ áp dụng trên frontend.
• New: Login Honeypot — chèn hidden field bẫy bot vào form đăng nhập, không ảnh hưởng người dùng thật.
• New: User Enumeration Protection — chặn ?author=N và REST API /wp/v2/users cho khách.
• New: Login Notification — gửi email cho admin khi tài khoản manage_options đăng nhập thành công (cooldown 1h/IP).
• New: WordPress Core Integrity Checker — đối chiếu MD5 các file core với api.wordpress.org/core/checksums/1.0/ để phát hiện file bị sửa đổi hoặc thiếu (chạy theo yêu cầu, đã khai báo trong External Services).
• UI: trang “Tối ưu & Bảo mật” đổi tên thành “Tối ưu Tốc Độ”; menu sidebar và dashboard có card mới cho Security Center.
• Compliance: ghi nhận hành động bảo mật thông qua audit log thống nhất (sitevorx_audit_log), không lưu song song nhiều ring buffer.

1.0.11

• Dashboard: each health issue now has a “→” action link that jumps directly to the page where the admin can fix it (Bảo mật, SMTP, Bảo trì, Tiện ích).
• Dashboard: new detection — DISALLOW_WP_CRON set in wp-config.php. Warns the admin that internal WP-Cron is off and an external cron must be calling wp-cron.php, otherwise scheduled cleanup will not run.
• Dashboard: new detection — recent SMTP failures. If SMTP logging is on, the dashboard counts non-success entries in the last 24h and links straight to the log tab.
• Dashboard: new detection — active login lockouts. Shows how many IPs are currently locked, with a one-click jump to the Bảo Mật tab where they can be unlocked.
• Audit log: diff summary now ignores default-off toggles on first save — only flags fields whose normalized on/off state actually flipped, so the “Ngữ cảnh” column lists just what the admin changed.
• Hardening: lockout diagnostics SQL query now wraps the LIKE patterns with $wpdb->prepare() + $wpdb->esc_like() to satisfy Plugin Check, even though both patterns are hardcoded.

1.0.10

• Audit log: the “Ngữ cảnh” column now describes what changed instead of dumping the full toggle state. Saving the security tab now records entries like “Bật Khóa XML-RPC, Tắt reCAPTCHA đăng nhập, Đổi số lần sai tối đa” instead of login_key=off | disable_editor=on | ....
• Audit log: split “Lưu cấu hình Tối ưu & Bảo mật” into two distinct events — “Lưu cấu hình Tăng tốc Website” (Tăng Tốc tab) and “Lưu cấu hình Bảo mật & Tường lửa” (Bảo Mật tab) — so the timeline is easier to read.
• Audit log: manual cleanup entries now say which cleanup categories were picked (e.g. “Dọn: bản nháp, bình luận rác — tổng 2 nhóm”) instead of revisions=1 | spam=0 | transients=1 | items=2.
• Audit log: new public helper sitevorx_audit_summarize_diff() for any module that wants to produce a similar before/after change list.

1.0.9

• Login lockout: maximum failed attempts and lockout duration are now admin-configurable (3–50 attempts, 5 minutes to 7 days). Defaults preserve previous behavior (5 attempts, 24 hours).
• Login lockout: new IP allowlist (one IPv4/IPv6 per line) — listed IPs are never counted and never locked, so an administrator on a known IP cannot lock themselves out.
• Login lockout: “IP đang bị khóa” diagnostics panel under Tối ưu & Bảo mật → Bảo Mật & Tường Lửa shows currently locked entries (hash + attempt count + expiry timestamp) with a per-row Unlock button. Unlock action is gated by manage_options + nonce and writes a login_unlock event to the audit log.
• Audit log: lockouts now write a login_lockout event the moment the threshold is hit, with IP, attempt count, last submitted username, and configured lockout window.
• Hardening: aligned the audit log’s IP capture with sitevorx_get_client_ip() so Cloudflare’s CF-Connecting-IP is only trusted when the matching CF-Ray header is present (not spoofable from arbitrary clients).
• i18n: restored Vietnamese diacritics in the reCAPTCHA failure messages and the two reCAPTCHA tab comments that had been mojibake-encoded.

1.0.8

• Compliance: SMTP log listing now uses $wpdb->prepare() for the LIMIT clause to satisfy automated SQL-injection scanners.
• Compliance: removed PHP @ error suppression on the malware scanner’s file read; the scanner now checks is_readable() first and still gracefully skips unreadable files.
• Compliance: clarified External Services disclosure in readme.txt to cover both reCAPTCHA v2 and v3, and to name the api/siteverify verification endpoint explicitly.
• New: Audit Log submenu (Sitevorx → Nhật ký Kiểm toán) recording sensitive admin actions (settings save/reset/import, SMTP test, malware scan, scheduled cleanup change, manual cleanup run, disk file delete, log clear). Ring buffer of the 200 most recent entries, stored in the sitevorx_audit_log option (no new database table).
• Hardening: factory reset now preserves the audit trail by skipping the audit-log option, so administrators can review what was reset after the fact. Uninstall still drops the option on full removal.
• Dashboard: health overview now reflects runtime state, not just saved options. New warnings: scheduled cleanup enabled but no next run on cron (silent failure), SMTP mailer selected but missing credentials, reCAPTCHA toggle on but Site/Secret key empty, Maintenance Mode active (visitors blocked), WP_DEBUG still on in production.
• Dashboard: SMTP and Cron status cards now show a red “Thiếu credential” / “Lỗi lịch” badge when the saved option does not match runtime readiness, and the health score stops counting a broken cron or credentials-less mailer as a passing check.

1.0.7

• Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.
• Updated the reCAPTCHA settings heading to match the available v2/v3 selector.

1.0.6

• Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer & Security hardening controls.
• Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.

1.0.5

• Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.
• Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.
• Improved: SMTP “Force From Email” now warns when the sender domain differs from the site domain (SPF/DKIM mismatch hint).
• Improved: Scheduled cleanup skips OPTIMIZE TABLE on tables larger than 500MB to avoid long table locks on shared hosting.
• New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter sitevorx_recaptcha_v3_score_threshold (default 0.5).
• Compliance: Added empty index.php files in /assets, /includes, /languages for directory listing protection.

1.0.4

• Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site/user locale is English.

1.0.3

• Added dashboard, support, and rating links to the WordPress Plugins screen.

1.0.2

• Second pass on WordPress Plugin Directory automated review feedback:
  • Header/footer script output now goes through wp_kses() with a strict allow-list (sitevorx_kses_tracking_tags()) that permits only tracking / verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through wp_kses_bad_protocol() which strips javascript:, data: and vbscript: URLs.
  • The “Clear error log” feature now targets the canonical WP_CONTENT_DIR/debug.log location and uses the WordPress WP_Filesystem API. The plugin no longer writes anywhere outside wp-content/.
  • Escaped the secret login URL preview with esc_url( home_url( '/?' . $key ) ).
  • Removed the runtime .po -> .mo translation compiler. The plugin previously regenerated languages/sitevorx-en_US.mo on demand; that wrote to the plugin folder, which is not allowed. The compiled .mo is now shipped pre-built with the plugin and WordPress loads it normally.
  • Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled .mo file is now the only source of English strings.
  • Wrapped every remaining dynamic CSS class / inline style ternary (e.g. echo $active ? 'on' : 'off') with esc_attr() across the sidebar, dashboard overview, SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.

1.0.1

• Security hardening per WordPress Plugin Review feedback:
  • Added sanitize_text_field() wrapper around every nonce value passed to wp_verify_nonce().
  • Sanitized $_POST raw script fields (header/footer injection) with a dedicated helper (sitevorx_sanitize_raw_script) before update_option(); save path remains gated by the unfiltered_html capability.
  • Replaced esc_url_raw() with esc_url() for inline CSS output in the custom login logo.
  • Escaped every translated/output string that previously used __() inside echo/printf/sprintf: now wrapped with esc_html__(), esc_html( sprintf(...) ), or the sitevorx_kses_basic() helper (allowlisted <strong>, <a>, <br>, <code>, …).
  • Hardened the JSON import flow with explicit wp_unslash() + wp_check_invalid_utf8() before json_decode(); per-field sanitization was already enforced on every decoded value.
  • Escaped integer counters and dynamic CSS class/style values with (int), esc_attr(), and esc_html() across all admin screens.
  • Sanitized the heavy_files[] array from the disk cleaner with array_map( 'sanitize_text_field', wp_unslash(...) ).

1.0.0

• Initial public release.
• Full security audit: nonce verification, capability checks, input sanitization on all forms.
• Malware scanner for files and database.
• System optimizer with scheduled WP-Cron cleanup.
• Maintenance & Update monitor module.
• Modern Flex/Grid responsive dashboard UI.
• Complete Vietnamese localization.
• Dashboard: complete UI redesign — hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.
• Dashboard: “Xem dung lượng chi tiết” links directly to Detailed Storage tab.
• Disk Space Manager: two-tab interface — “File Cỡ Lớn (>50 MB)” (scan & delete) and “Dung Lượng Chi Tiết” (WP Content breakdown by plugins/themes/uploads/other + top-10 DB tables + Refresh).
• Security: added validation — cannot enable “Đổi Đường Dẫn Đăng Nhập” or “Khóa Tự Động Đăng Nhập” without filling required fields; shows error instead of silently reverting.
• i18n: bundled language files included for English and Vietnamese.
• i18n: added new translation strings for all new UI elements.