=== JR Security Hardening and Login Protection ===
Contributors: reinajhon46
Tags: security, hardening, login protection
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

WordPress hardening and login protection: security headers, enumeration blocking, rate limiting, IP whitelist, event logging and server rules.

== Description ==

JR Security Hardening and Login Protection secures your WordPress installation at the application level with one-click hardening modules. It is designed to be secure by default and Cloudflare-compatible.

**Included modules:**

* **Disable XML-RPC** — Full block (filter + hard block) to prevent brute force attacks and pingback DDoS.
* **Hide WordPress version** — Removes version from generator meta and CSS/JS assets.
* **Disable file editor** — Prevents theme and plugin editing from the admin panel (DISALLOW_FILE_EDIT).
* **Disable emojis** — Removes WordPress emoji scripts and styles, improving performance.
* **Block user enumeration (?author= and /author/)** — Dual-layer protection against username discovery.
* **Block REST enumeration (wp-json users)** — Prevents enumeration via the WordPress REST API.
* **Block sensitive paths/files** — Blocks access to readme.html, license.txt, .env, .git, composer.json, etc. (only what passes through WordPress).
* **Security headers** — X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options, HSTS (HTTPS only) and removal of technology-revealing headers.
* **Login protection** — Rate limiting by IP and by user+IP with configurable temporary lockout.
* **IP whitelist** — Excludes trusted IPs from rate limiting to avoid accidental lockouts.
* **Email notification** — Receive an email when an IP is locked out due to too many failed login attempts.
* **Activity log** — Security event logging in a dedicated database table with configurable retention and automatic cleanup via cron.
* **Ready-to-use server rules** — Code for Apache (.htaccess) and Nginx to block static files that WordPress cannot reach.
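As an added example (not the plugin's own code), the snippet below shows how three of the modules above can be expressed as plain WordPress hooks: the security headers (with HSTS sent only on HTTPS responses), hiding the version string, and blocking `?author=` / `/author/` enumeration for visitors without a session. The header values, the 403 handling and the `jr_example_*` function names are assumptions for the example, and the logged-in exemption is simplified to any logged-in user rather than administrators only.

```php
<?php
// Added example, not code from the plugin: security headers, version hiding
// and author-enumeration blocking as WordPress hooks. Header values and the
// jr_example_* names are assumptions for this illustration.

/** Send the security headers; HSTS only when the request is already HTTPS. */
function jr_example_security_headers(): void {
    if ( headers_sent() ) {
        return;
    }
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    // Browsers ignore HSTS on plain-HTTP responses, and a site that is not
    // fully HTTPS-ready can lock visitors out, so gate it on is_ssl().
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    header_remove( 'X-Powered-By' ); // technology-revealing header
}
add_action( 'send_headers', 'jr_example_security_headers' );

/** Hide the WordPress version from the generator tag and asset query strings. */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

function jr_example_strip_version( string $src ): string {
    return $src !== '' ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'style_loader_src', 'jr_example_strip_version' );
add_filter( 'script_loader_src', 'jr_example_strip_version' );

/** Block ?author=N for visitors without a session (runs before the canonical redirect). */
function jr_example_block_author_query(): void {
    if ( is_user_logged_in() ) {
        return; // simplified exemption: logged-in users are never blocked
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'jr_example_block_author_query' );

/** Block /author/name/ archives for visitors without a session. */
function jr_example_block_author_archive(): void {
    if ( ! is_user_logged_in() && is_author() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
// Priority 1 so it runs before redirect_canonical() at priority 10.
add_action( 'template_redirect', 'jr_example_block_author_archive', 1 );
```

The `?author=` check is hooked on `init` and the archive check at priority 1 on `template_redirect` because WordPress's canonical redirect (which turns `?author=1` into `/author/name/`, leaking the login name) also runs on `template_redirect`; a check registered after it would fire too late.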

**Smart IP detection:**

* Native support for Cloudflare (CF-Connecting-IP).
* Option to trust X-Forwarded-For / X-Real-IP behind trusted proxies.
* Fallback to REMOTE_ADDR.
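The following is an added example (not the plugin's own code) of the header precedence just listed: CF-Connecting-IP first, then X-Forwarded-For / X-Real-IP when proxy headers are trusted, then REMOTE_ADDR. It adds one check the readme does not describe for the plugin: any proxy-supplied header is honoured only when the TCP peer (REMOTE_ADDR) is itself a trusted proxy, because otherwise a client that can reach the origin directly can spoof the header to dodge rate limiting or borrow a whitelisted address. The trusted proxy range, the sample requests and the `jr_example_*` names are constructed assumptions; in production the range would be Cloudflare's published ranges or your own proxy.

```php
<?php
// Added example, not the plugin's code: resolve the visitor IP behind
// Cloudflare or another proxy. Proxy ranges and sample requests below are
// constructed for the illustration.

/** True when IPv4 $ip lies inside $cidr (e.g. "203.0.113.0/24"). */
function jr_example_ip_in_cidr( string $ip, string $cidr ): bool {
    if ( strpos( $cidr, '/' ) === false ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits        = max( 0, min( 32, (int) $bits ) );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false ) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Resolve the client IP from a $_SERVER-like array.
 * Headers are consulted only when REMOTE_ADDR is a trusted proxy.
 */
function jr_example_client_ip( array $server, array $trusted_proxies, bool $trust_proxy_headers ): string {
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';

    $peer_is_trusted = false;
    foreach ( $trusted_proxies as $cidr ) {
        if ( jr_example_ip_in_cidr( $remote, $cidr ) ) {
            $peer_is_trusted = true;
            break;
        }
    }
    if ( ! $peer_is_trusted ) {
        return $remote; // direct connection: every forwarding header is untrusted
    }

    // Cloudflare puts the real visitor address in CF-Connecting-IP.
    $cf = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if ( $cf !== '' && filter_var( $cf, FILTER_VALIDATE_IP ) ) {
        return $cf;
    }

    if ( $trust_proxy_headers ) {
        $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
        if ( $xff !== '' ) {
            // The first entry is the original client; later entries are proxies.
            $parts = array_map( 'trim', explode( ',', $xff ) );
            if ( filter_var( $parts[0], FILTER_VALIDATE_IP ) ) {
                return $parts[0];
            }
        }
        $real = $server['HTTP_X_REAL_IP'] ?? '';
        if ( $real !== '' && filter_var( $real, FILTER_VALIDATE_IP ) ) {
            return $real;
        }
    }

    return $remote; // fallback
}

// Constructed sample requests (documentation address ranges, not real traffic).
$trusted_proxies = array( '203.0.113.0/24' ); // assumed proxy range

$via_proxy = array(
    'REMOTE_ADDR'           => '203.0.113.10',
    'HTTP_CF_CONNECTING_IP' => '198.51.100.7',
);
$direct_spoof = array(
    'REMOTE_ADDR'          => '192.0.2.55',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.5',
);

echo jr_example_client_ip( $via_proxy, $trusted_proxies, true ), "\n";
echo jr_example_client_ip( $direct_spoof, $trusted_proxies, true ), "\n";
```

Run with the PHP CLI: the first request resolves to the CF-Connecting-IP value, the second to REMOTE_ADDR because the peer is not a trusted proxy and its X-Forwarded-For is discarded.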

**Clean uninstall:**

When the plugin is deleted, all options, the events table and transients are removed. No data is left behind in your database.

== Installation ==

1. Upload the `jr-security-hardening-login-protection` folder to `/wp-content/plugins/`.
2. Activate the plugin from the WordPress "Plugins" menu.
3. Go to **Settings → JR Security** and configure the modules.
4. For full static file protection, apply the server rules shown in the "Server" tab.

== Frequently Asked Questions ==

= Does this plugin replace a server-level firewall? =

No. This plugin protects what goes through WordPress. For static files like /readme.html, you need server-level rules (Apache/Nginx). The plugin includes those rules ready to copy and paste in the "Server" tab.

= Does it work with Cloudflare? =

Yes. It automatically detects the visitor's real IP via CF-Connecting-IP. If you use another proxy, you can enable "Trust proxy headers" in the settings.

= What if I lock myself out? =

Lockouts use WordPress transients and expire automatically after the configured number of hours. You can also add your IP to the whitelist from settings, or temporarily deactivate the plugin via FTP/SSH by renaming its folder.
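As an added example (not the plugin's own code) of the mechanism this answer describes, the snippet below implements login rate limiting by IP and by user+IP with a temporary lockout held in transients, so that the lockout expires on its own and a whitelisted IP is never locked. The thresholds, transient key names, the `jr_example_lockout` action used for logging or email, and the `jr_example_*` function names are assumptions; `jr_example_ip()` is a stand-in for the plugin's own proxy-aware IP detection.

```php
<?php
// Added example, not the plugin's code: login lockout via WordPress transients.
// Thresholds, key names and the jr_example_* names are assumptions.

const JR_EXAMPLE_MAX_ATTEMPTS = 5;                       // failures before lockout (assumed)
const JR_EXAMPLE_WINDOW       = 15 * MINUTE_IN_SECONDS;  // counting window (assumed)
const JR_EXAMPLE_LOCKOUT      = 2 * HOUR_IN_SECONDS;     // lockout length (assumed)
const JR_EXAMPLE_WHITELIST    = array( '203.0.113.5' );  // trusted IPs (constructed)

/** Stand-in for proxy-aware IP detection; a real module resolves CF/XFF headers safely. */
function jr_example_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Transient keys for the per-IP and per-user+IP counters and lockouts. */
function jr_example_keys( string $ip, string $user ): array {
    $ip_hash   = md5( $ip );
    $pair_hash = md5( strtolower( $user ) . '|' . $ip );
    return array(
        'ip_count'   => 'jr_ex_fail_ip_' . $ip_hash,
        'ip_lock'    => 'jr_ex_lock_ip_' . $ip_hash,
        'pair_count' => 'jr_ex_fail_pair_' . $pair_hash,
        'pair_lock'  => 'jr_ex_lock_pair_' . $pair_hash,
    );
}

/** Count a failed login; lock the IP or the user+IP pair once over threshold. */
function jr_example_on_login_failed( $username ): void {
    $ip = jr_example_ip();
    if ( in_array( $ip, JR_EXAMPLE_WHITELIST, true ) ) {
        return; // whitelisted IPs are excluded from rate limiting
    }
    $keys = jr_example_keys( $ip, (string) $username );
    foreach ( array( 'ip', 'pair' ) as $scope ) {
        $count = (int) get_transient( $keys[ $scope . '_count' ] ) + 1;
        set_transient( $keys[ $scope . '_count' ], $count, JR_EXAMPLE_WINDOW );
        if ( $count >= JR_EXAMPLE_MAX_ATTEMPTS ) {
            // Store the expiry time so the message can say how long remains;
            // the transient TTL makes the lockout expire on its own.
            set_transient( $keys[ $scope . '_lock' ], time() + JR_EXAMPLE_LOCKOUT, JR_EXAMPLE_LOCKOUT );
            delete_transient( $keys[ $scope . '_count' ] );
            do_action( 'jr_example_lockout', $ip, $username, $scope ); // hook for event log / email
        }
    }
}
add_action( 'wp_login_failed', 'jr_example_on_login_failed' );

/** Refuse authentication while a lockout transient exists for this IP or user+IP. */
function jr_example_check_lockout( $user, $username ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $keys = jr_example_keys( jr_example_ip(), (string) $username );
    foreach ( array( 'ip_lock', 'pair_lock' ) as $k ) {
        $until = get_transient( $keys[ $k ] );
        if ( $until !== false ) {
            $minutes = max( 1, (int) ceil( ( (int) $until - time() ) / 60 ) );
            return new WP_Error(
                'jr_example_locked',
                sprintf( 'Too many failed logins. Try again in about %d minute(s).', $minutes )
            );
        }
    }
    return $user;
}
// Priority 30 runs after the core username/password check at 20.
add_filter( 'authenticate', 'jr_example_check_lockout', 30, 2 );

/** Clear the counters on success so a legitimate user is not penalised later. */
function jr_example_on_login( $user_login ): void {
    $keys = jr_example_keys( jr_example_ip(), (string) $user_login );
    delete_transient( $keys['ip_count'] );
    delete_transient( $keys['pair_count'] );
}
add_action( 'wp_login', 'jr_example_on_login' );
```

Because the counters and lockouts are keyed on the resolved IP, the lockout is only as good as the IP detection: behind Cloudflare every request shares the proxy's REMOTE_ADDR, so a resolver that does not use CF-Connecting-IP would lock out all visitors at once.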

= Can I use this plugin with other security plugins? =

Yes, but avoid duplicating functionality. If another plugin already disables XML-RPC or adds headers, disable those modules here to avoid conflicts.

= Are settings lost when deactivating the plugin? =

No. Settings are preserved when deactivating. They are only deleted when **uninstalling** the plugin completely.

= Why is ?author= enumeration not blocked? =

If you are logged in as an administrator, the plugin does NOT block the author page — this is normal behavior. To test, use an incognito window without a WordPress session.

== Changelog ==

= 1.0.0 =
* First release.
* Modules: XML-RPC, WP version, file editor, emojis, user enumeration (?author= and /author/), REST enumeration, sensitive paths, security headers, login protection, IP whitelist, email notification, activity log, server rules.
* IP detection with Cloudflare support (CF-Connecting-IP), X-Forwarded-For/X-Real-IP and REMOTE_ADDR.
* Admin panel with tabs: Dashboard, Hardening, Login, Logs, Server.
* Automatic log cleanup via WP Cron with configurable retention.
* Clean uninstall (options, events table, transients).

== Upgrade Notice ==

= 1.0.0 =
First release available on WordPress.org.
