=== Restrict Admin Login by Country - GRC ===

Contributors: robertutzu  
Tags: admin login, geolocation, country restriction, ipinfo, security  
Requires at least: 5.0  
Tested up to: 7.0 
Requires PHP: 7.4  
Stable tag: 1.6 
License: GPLv2 or later  
License URI: https://www.gnu.org/licenses/gpl-2.0.html  

Restrict admin, shop manager, editor, and author logins based on the user’s country. Automatically blocks access from non-authorized locations.

== Description ==

This plugin protects your WordPress login area by restricting access to specific countries based on geolocation. It is especially useful for hardening security for roles such as administrator, shop manager, editor, and author.

**Features:**

- Restricts logins for admin, shop manager, editor, and author roles based on IP geolocation.  
- Automatically whitelists the country where the plugin was first activated.  
- Settings page to manually select allowed countries.  
- Dynamically fetches a list of countries via a public API.  
- Lightweight and easy to configure.

Powered by [ipinfo.io](https://ipinfo.io) for IP geolocation detection.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/restrict-country-login` directory, or install it via the WordPress Plugins screen.  
2. Activate the plugin through the ‘Plugins’ screen in WordPress.  
3. Navigate to **Settings → Restrict Country Login** to configure the allowed countries.  
4. Save your settings.

== Frequently Asked Questions ==

= What happens if the plugin cannot detect the user’s country? =  
If geolocation fails, the login will be blocked and the user will receive an error message.

= Can I remove the country where the plugin was first installed? =  
No. For security and fail-safe reasons, login access from the original install country is always allowed.

= Which user roles are affected by the restriction? =  
Only users with the roles **administrator**, **shop manager**, **editor**, and **author** are restricted by country. Other roles remain unaffected.

== Screenshots ==

1. Settings page with country selection.  
2. Example of a restricted login error message.

== Changelog ==

= 1.6 – 20256-02-20 =  
* Added button settings.  

= 1.5 – 2025-06-13 =  
* Added sanitization to `register_setting()` for WordPress Plugin Check compliance.  
* Escaped all output on the settings page.  
* Fixed missing text domains for translation.  
* Validated and sanitized IP addresses from `$_SERVER`.  
* Prevented removal of the installer's original country from the allowed list.

= 1.4 =  
* Fail-safe: always allow login from the original install country, regardless of settings.

= 1.3 =  
* Integrated dynamic country list via a public JSON API.

= 1.2 =  
* Added settings page to configure allowed countries.

= 1.1 =  
* Made restrictions dynamic instead of hardcoded for Romania (RO).  
* Improved error handling for IP detection.

= 1.0 =  
* Initial release.  
* Restricted admin/shop_manager/editor/author login access to Romania (RO) only.

== Upgrade Notice ==

= 1.5 =  
Strongly recommended: Security improvements, input sanitization, and full compatibility with WordPress Plugin Check standards.


== External Services ==

This plugin relies on two external services to function properly. These services are used to identify user locations and provide country data for configuration purposes.

=== 1. ipinfo.io ===

**What is the service used for?**  
- Used to determine the geolocation (specifically, the country) of an IP address attempting to log in.  
- Ensures that only users from allowed countries can log in as administrator, shop manager, editor, or author.

**What data is sent and when?**  
- The plugin sends the IP address of the user attempting to log in to `ipinfo.io` at the time of login.  
- This is done in real time to determine the user's country and enforce access rules.

**Service Provider:**  
- Website: [https://ipinfo.io](https://ipinfo.io)  
- Terms of Service: [https://ipinfo.io/terms](https://ipinfo.io/terms)  
- Privacy Policy: [https://ipinfo.io/privacy-policy](https://ipinfo.io/privacy-policy)

---

=== 2. restcountries.com ===

**What is the service used for?**  
- Used to dynamically fetch the list of countries (with country codes and names) displayed in the plugin settings.  
- Allows users to easily select which countries should be allowed for admin login access.

**What data is sent and when?**  
- No user data is sent.  
- The plugin performs a GET request to `https://restcountries.com/v3.1/all?fields=cca2,name` to fetch a list of country codes and names during plugin settings initialization.

**Service Provider:**  
- Website: [https://restcountries.com](https://restcountries.com)  
- API Documentation: [https://restcountries.com/#api-endpoints-v3-all](https://restcountries.com/#api-endpoints-v3-all)  
- No specific privacy policy is published, as this is a public API that does not handle user-specific data.

== License ==

This plugin is licensed under the GPLv2 or later. See [https://www.gnu.org/licenses/gpl-2.0.html](https://www.gnu.org/licenses/gpl-2.0.html) for details.
