=== CountryLock ===
Contributors: topsyde
Tags: block, country, geo, geoip, block country
Requires at least: 5.0
Tested up to: 6.8
Stable tag: 1.0.8
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block/allow countries with one toggle. Lightweight, no upsells. Includes admin bypass, IP allowlist, and block stats.

== Description ==

CountryLock provides a simple, lightweight way to allow or block countries from accessing your WordPress site.

It's designed to be **"set it and forget it"** with no upsells, ads, or complex configurations.

### ✨ Key Features
* **Master Toggle:** Enable or disable the firewall with a single click.
* **Allowed Countries List:** Specify which two-letter country codes (e.g., `US`, `CA`) are allowed. Everyone else is blocked.
* **Admin Bypass:** Logged-in administrators can always bypass the block (toggleable).
* **IP Allowlist:** A simple list of IPs or CIDR ranges (like `123.45.67.89` or `10.0.0.0/8`) that are always allowed.
* **Block Logging:** See which countries and IPs are being blocked (toggleable).
* **Zero-Lookup Detection:** Automatically uses Cloudflare (`HTTP_CF_IPCOUNTRY`) and other common server-level GEO headers for instant decisions with zero performance impact.
* **Remote Lookup:** As a fallback, it can query an external service (`ipapi.co`) if no headers are found.

== Installation ==

1.  Upload the `countrylock` folder to the `/wp-content/plugins/` directory.
2.  Activate the plugin through the 'Plugins' menu in WordPress.
3.  Go to the new 'CountryLock' menu in your admin sidebar.
4.  Configure your allowed countries and toggle the plugin to "Enabled".

== External Services ==

This plugin uses one external service as a fallback to determine a visitor's country if no local GEO headers (like those from Cloudflare or a server-level GeoIP module) are present.

* **Service:** `ipapi.co`
* **What it's used for:** To look up the country of origin for a visitor's IP address.
* **Data Sent:** The visitor's IP address is sent to the service. This happens *only* if the "Use remote lookup if no geo headers" setting is enabled AND no local GeoIP headers are detected.
* **Service Policies:**
    * [Terms of Service](https://ipapi.co/terms/)
    * [Privacy Policy](https://ipapi.co/privacy/)

== Changelog ==

= 1.0.8 =
* Fix: Corrected admin page structure to prevent other plugins' notices from appearing inside the UI.

= 1.0.7 =
* Fatal Error fix

= 1.0.6 =
* Refactor: Move inline CSS and JS to external files (tscl-admin.css, tscl-admin.js) and enqueue them properly.
* Refactor: Rename all internal prefixes from `cl_` to `tscl_` to meet WordPress.org prefixing standards.
* Refactor: Remove custom 403 page in favor of the standard `wp_die()` screen for better compatibility.
* Fix: Use `filemtime()` for asset versioning to automatically bust cache.
* Docs: Add `readme.txt` with external service disclosure.

= 1.0.5 =
* Initial public release.