=== CoxWall ===
Contributors: themelooks
Tags: security, firewall, login protection, brute force, malware
Requires at least: 6.8
Tested up to: 7.0
Stable tag: 1.0.0
Requires PHP: 8.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Professional WordPress security plugin with firewall, brute-force protection, login hardening, security headers, and file integrity monitoring.

== Description ==

<p>CoxWall is a powerful and lightweight WordPress security plugin designed to protect your website from modern security threats, brute-force attacks, malware attempts, and unauthorized access.</p>

<p>It provides advanced security tools including firewall protection, login hardening, security headers, file integrity monitoring, WooCommerce security, and detailed audit logging — all in an easy-to-use interface.</p>

<p>Whether you run a blog, business website, membership platform, or WooCommerce store, CoxWall helps keep your WordPress site secure and protected in real time.</p>

**Key Features:**

* **Login Protection** – Limit login attempts per IP, lock out attackers, and receive email alerts.
* **Hide Login** – Move your login URL away from the default `wp-login.php`.
* **CAPTCHA** – Google reCAPTCHA v2 / v3 on login, registration, and WooCommerce forms.
* **Firewall** – Block SQLi, XSS, directory traversal, malicious bots, and XML-RPC abuse.
* **Security Headers** – Set X-Frame-Options, CSP, HSTS, Referrer-Policy, and more.
* **File Integrity** – Detect changes to WordPress core and plugin files.
* **WooCommerce** – Extra security for WooCommerce stores.
* **Audit Log** – Full event log with IP, user, and timestamp for every security event.

**Why Choose CoxWall?**

* Lightweight and performance-friendly
* Beginner-friendly setup
* Modern security protection
* WooCommerce compatible
* Advanced firewall system
* Detailed security logging
* Real-time protection and monitoring


<p><strong>CoxWall</strong> helps you secure your WordPress website with enterprise-level protection while keeping the setup simple and user-friendly.</p>

**Features:**

* **Login Protection**
* **Hide Login URL**
* **Google reCAPTCHA v2 / v3**
* **Firewall Protection**
* **SQL Injection (SQLi) Blocking**
* **XSS Attack Protection**
* **Directory Traversal Protection**
* **Malicious Bot Blocking**
* **XML-RPC Protection**
* **Security Headers Management**
* **Content Security Policy (CSP)**
* **HSTS Support**
* **Referrer Policy Protection**
* **File Integrity Monitoring**
* **Core File Change Detection**
* **Plugin File Change Detection**
* **WooCommerce Security**
* **Audit Log System**
* **IP Activity Logging**
* **User Activity Tracking**
* **Real-time Security Alerts**
* **Email Notifications**
* **Brute-force Protection**
* **Login Attempt Limiting**
* **IP Lockout System**
* **Malware Defense**
* **Website Hardening**
* **Real-time Monitoring**
* **WordPress Security Suite**


== Installation ==

1. Upload the `coxwall` folder to `/wp-content/plugins/`.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Navigate to **CoxWall → Dashboard** to configure.

== External services ==

This plugin optionally connects to the following third-party / external services. Each service is only contacted when its corresponding module is enabled and the described conditions are met.

= Google reCAPTCHA (Google LLC) =

**What it is and what it is used for:**
Google reCAPTCHA is a bot-detection service. CoxWall uses it to protect the WordPress login, registration, lost-password, comment, and WooCommerce My Account forms from automated attacks.

**What data is sent and when:**
When the CAPTCHA module is enabled, two types of requests are made to Google:

1. *Front-end (page load)* – the visitor's browser loads the reCAPTCHA JavaScript library directly from Google's CDN (`www.google.com`). Google receives the visitor's IP address, browser and device information, and the site's public reCAPTCHA site key.
2. *Back-end (form submission)* – when a visitor submits a protected form, the plugin sends the reCAPTCHA response token, the site's secret key, and the visitor's IP address to Google's verification endpoint (`www.google.com/recaptcha/api/siteverify`) to confirm the response is valid.

No data is sent if the CAPTCHA module is disabled or if no reCAPTCHA site/secret key has been configured.

**Service provider links:**
* Terms of Service: https://policies.google.com/terms
* Privacy Policy: https://policies.google.com/privacy
* reCAPTCHA-specific information: https://developers.google.com/recaptcha

= WordPress.org Core Checksums API (WordPress.org) =

**What it is and what it is used for:**
The WordPress.org Checksums API provides official MD5 hashes for every file in each WordPress core release. CoxWall's File Integrity module uses these hashes to detect unauthorized modifications to core files.

**What data is sent and when:**
When a file integrity scan runs (manually triggered or on schedule), the plugin sends a GET request to `https://api.wordpress.org/core/checksums/1.0/` containing:

* The installed WordPress version number.
* The site's configured locale/language.

No personal data, user data, or site content is transmitted. The request retrieves a publicly available checksum list.

**Service provider links:**
* Privacy Policy: https://wordpress.org/about/privacy/
* API documentation: https://codex.wordpress.org/WordPress.org_API

== Changelog ==

= 1.0.0 =
* Initial release.
