=== Simple IP Blocker for Pages ===
Contributors: phm1000
Donate link: https://buymeacoffee.com/pmathis
Tags: ip blocking, security, access control, page protection, cidr
Requires at least: 6.0
Tested up to: 6.9
Stable tag: 2.3.4
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block specific IP addresses or CIDR ranges from accessing selected WordPress pages, configured through a secure admin interface.

== Description ==

**Simple IP Blocker for Pages** is a lightweight security plugin that restricts access to specific pages based on visitor IP addresses.

It features a secure administration interface and supports custom block messages whose HTML is filtered through `wp_kses_post`.

=== Key Features ===
* **Flexible IP Blocking:** Block individual IPv4 addresses or entire ranges using CIDR notation (e.g., 192.168.1.0/24).
* **Page-Level Protection:** Select specific pages to protect while keeping the rest of your site accessible.
* **Enhanced Security:** Implements strict manual sanitization (`wp_unslash` and `sanitize_text_field`) and systematic output escaping, with `absint()` applied to all numeric values.
* **Custom Block Messages:** Display personalized messages with safe HTML support or redirect blocked visitors.
* **Self-Blocking Prevention:** Built-in safeguard prevents administrators from accidentally locking themselves out.
* **User-Friendly Interface:** View the blocked IPs list directly on the settings page, with easy navigation to the full management interface.
* **Real-Time Feedback:** Success and warning messages for all actions (add, delete, save settings).
* **CDN & Proxy Support:** Compatible with Cloudflare and proxies via `X-Forwarded-For` headers with built-in spoofing warnings.

== Installation ==

1. Upload the plugin folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Navigate to 'IP Blocker' to configure protected pages and blocked IP addresses.

== Screenshots ==

1. Settings page with page selection and block message preview
2. Add IPs to block with CIDR support and self-blocking protection
3. Manage blocked IPs with bulk deletion
4. Advanced options for proxy/CDN compatibility
5. Manage block message

== Frequently Asked Questions ==

= How do I block an IP address? =

1. Go to 'IP Blocker' in your WordPress admin menu
2. Scroll to the "Add IPs to Block" section
3. Enter IP addresses (one per line) or CIDR ranges (e.g., 192.168.1.0/24)
4. Click "Add IPs"
5. You'll see a success message confirming how many IPs were added

= Can I see which IPs are currently blocked? =

Yes! The blocked IPs list is displayed on the main settings page (first 10 IPs). Click "Manage All Blocked IPs" to see the complete list and manage them.

= How do I remove blocked IP addresses? =

1. Go to 'IP Blocker' → 'Manage IPs'
2. Check the boxes next to the IPs you want to remove
3. Click "Delete Selected"
4. You'll see a confirmation message

= What happens if I try to block my own IP? =

The plugin has a built-in safeguard that prevents you from blocking your own IP address. You'll receive a warning message showing which IPs were skipped.

= What is CIDR notation? =

CIDR notation (e.g., 192.168.1.0/24) lets you block an entire IP range with a single entry. A /24 blocks 256 addresses (192.168.1.0 to 192.168.1.255), a /16 blocks 65,536 addresses, and so on.
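
How an entry such as 192.168.1.0/24 can be validated and matched against a visitor address, as an added example that is not the plugin's own code. The function names `example_is_valid_ipv4_or_cidr()` and `example_ip_matches_entry()` and the sample entries are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers with constructed sample entries.

// True for a single IPv4 address or an IPv4 CIDR range with a whole-number prefix 0-32.
function example_is_valid_ipv4_or_cidr(string $entry): bool
{
    $parts = explode('/', trim($entry));
    if (count($parts) > 2
        || filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    if (count($parts) === 1) {
        return true; // plain address, no prefix to check
    }
    // ctype_digit() rejects "", "24.5", "-1" and "+8"; the length cap rejects
    // padded or oversized digit strings before the integer comparison.
    return ctype_digit($parts[1]) && strlen($parts[1]) <= 2 && (int) $parts[1] <= 32;
}

// True when $ip falls inside $entry; malformed entries never match.
function example_ip_matches_entry(string $ip, string $entry): bool
{
    if (!example_is_valid_ipv4_or_cidr($entry)
        || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    $parts = explode('/', trim($entry));
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32; // a single address is a /32
    $mask  = -1 << (32 - $bits);                      // /24 keeps the top 24 bits
    return (ip2long($ip) & $mask) === (ip2long($parts[0]) & $mask);
}

$visitor = '192.168.1.77'; // constructed visitor address
$entries = ['192.168.1.0/24', '192.168.1.77', '192.168.2.0/24',
            '192.168.1.0/33', '192.168.1.0/24.5', '192.168.1.0/'];
foreach ($entries as $entry) {
    printf("%-18s valid=%-3s blocks %s=%s\n", $entry,
        example_is_valid_ipv4_or_cidr($entry) ? 'yes' : 'no', $visitor,
        example_ip_matches_entry($visitor, $entry) ? 'yes' : 'no');
}
```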

= Does this work with Cloudflare or other CDNs? =

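Yes! Enable "Check Proxy/Cloudflare Headers" in the settings to correctly identify visitor IPs behind proxies or CDNs. Because clients can forge `X-Forwarded-For`, leave the option off if your site is not behind a proxy or CDN.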
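
One way to resolve the visitor address so that a forged `X-Forwarded-For` header cannot bypass a block, as an added example that is not the plugin's own logic. The function `example_client_ip()`, the `$trustedProxies` list and the sample requests are assumptions; the plugin's actual option handling may differ.

```php
<?php
// Added example: hypothetical function and constructed sample requests.

// Return the address to compare against the block list, or null if none is usable.
// $trustedProxies holds the exact addresses of your own proxy/CDN edges (assumed list).
function example_client_ip(array $server, bool $checkProxyHeaders, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // The header is only honoured when the option is on AND the TCP peer is a known proxy.
    if (!$checkProxyHeaders || !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: right-most hops were appended by trusted proxies,
    // anything further left was supplied by the client and is not trusted.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $peer; // missing or malformed chain: fall back to the peer address
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $peer;
}

$trusted  = ['198.51.100.10']; // constructed address of the site's own proxy
$requests = [
    'via proxy'                         => ['REMOTE_ADDR' => '198.51.100.10',
                                            'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'direct, forged header'             => ['REMOTE_ADDR' => '203.0.113.7',
                                            'HTTP_X_FORWARDED_FOR' => '192.0.2.1'],
    'via proxy, client-supplied prefix' => ['REMOTE_ADDR' => '198.51.100.10',
                                            'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.7'],
];
foreach ($requests as $label => $server) {
    printf("%-34s -> %s\n", $label, example_client_ip($server, true, $trusted));
}
```

In all three constructed requests the resolved address is the one the proxy or the web server observed itself, so a block on that address still applies.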

= Which pages can I protect? =

You can select any published WordPress page. The rest of your site remains accessible to everyone.

== Changelog ==

= 2.3.4 =
* **Security:** Added explicit re-validation of IP addresses before deletion to prevent invalid data manipulation.
* **Security:** Enhanced CIDR range validation with strict boundary checking (0-32) and decimal value prevention.
* **Security:** Improved `sipbl_validate_ip_or_cidr()` function with separated validation logic for better clarity and security.
* **Security:** Complete output escaping using `absint()` for all numeric values displayed in admin interface.
* **Security:** IP addresses in warning messages are now properly escaped with `esc_html()`.
* **Improvement:** Added comprehensive admin notification system with success, warning, and error messages.
* **Improvement:** Blocked IPs list now displayed on main settings page (shows first 10 with "...and X more" indicator).
* **Improvement:** Added "Manage All Blocked IPs" button for easy navigation to full IP management page.
* **Improvement:** Added "Back to Settings" navigation button on IP management page.
* **Improvement:** Real-time IP count indicators on both settings and management pages.
* **Improvement:** Better user feedback when attempting to block own IP address (shows specific IPs that were skipped).
* **Fix:** Resolved WordPress.Security.EscapeOutput.OutputNotEscaped warnings for numeric variables.

= 2.3.3 =
* **Security:** Full security audit of data validation and output escaping.
* **Security:** Strict page ID validation using `absint()` to prevent injection.
* **Security:** Enhanced redirect URL validation using `esc_url_raw()`.
* **Security:** Implemented systematic output escaping to prevent XSS vulnerabilities.

= 2.3.2 =
* **Security:** Fixed `WordPress.Security.EscapeOutput.OutputNotEscaped` errors.
* **Security:** Replaced `__` translation functions with `esc_html__` and `esc_attr__` for secure admin UI rendering.

= 2.3.0 =
* **Security:** Removed insecure `filter_input` calls and replaced them with strict manual sanitization using `wp_unslash()` and `sanitize_textarea_field()`.
* **Security:** Enhanced validation logic using `filter_var` with `FILTER_VALIDATE_IP` for all address and CIDR inputs.
* **Security:** Improved output escaping throughout the admin UI (esc_html, esc_attr, and esc_textarea).
* **Improvement:** Added safe admin UI feedback using transients for success and error notifications.

= 2.2.1 =
* **Security:** Full internationalization (i18n) of all user-facing strings.
* **Security:** Enhanced input validation and sanitization across all forms.
* **Security:** Strict nonce verification implemented for all admin actions.

== Upgrade Notice ==

= 2.3.4 =
Major update: enhanced security with complete output escaping compliance, an improved user interface with a blocked IPs preview and navigation, and a comprehensive notification system. Recommended for all users.

= 2.3.3 =
Critical security update: Full audit of data validation and output escaping. All users must upgrade.

= 2.3.0 =
Important security update: Replaces insecure input filtering with strict sanitization and validation.