=== Vulnerability Monitor for Wordfence Intelligence ===
Contributors: interaktivch
Donate link: https://interaktiv.ch
Tags: security, vulnerabilities, scanner, monitoring, themes
Requires at least: 5.6
Tested up to: 7.0
Requires PHP: 7.2
Stable tag: 1.3.10
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Scans installed WordPress plugins and themes against the Wordfence Intelligence v3 feed and alerts admins about known vulnerabilities.

== Description ==

**Vulnerability Monitor for Wordfence Intelligence** helps WordPress administrators identify known security vulnerabilities affecting installed plugins and themes. The plugin regularly checks the Wordfence Intelligence v3 vulnerability feed (supports object-map, array, NDJSON; gzip-aware; memory-safe) and provides alerts when vulnerable software is detected, helping keep WordPress installations secure and up to date. Not affiliated with Wordfence.

This plugin is designed to be:

- **Lightweight** – no external SaaS services beyond the official Wordfence feed API.
- **Privacy-friendly** – no tracking or telemetry; vulnerability matching happens locally on your site.
- **Memory-safe** – supports streaming large NDJSON and gzip feeds without exhausting server memory.
- **Fully configurable** – email notifications, severity levels, scheduled scans, and more.

Perfect for agencies, freelancers, and site owners who want proactive security visibility without complexity.

### Key Features

- Scan installed **plugins and themes** for known vulnerabilities.
- Supports **NDJSON**, **array JSON**, and **object-map JSON** feed formats.
- Handles **gzip-compressed** feeds automatically.
- Match detection for:
  - severity levels (critical, high, medium, low)
  - patched versions
  - remediation steps
- Customizable **email notifications** with templates.
- Optional **scheduled scans** (hourly, daily, or custom).
- "Only notify on new issues" mode.
- Supports the current **Wordfence Intelligence V3** API with API key authentication.
- Debug mode with detailed logs.
- No tracking or telemetry.
- Matching and reporting logic runs locally on your site.

### How It Works

The plugin fetches the Wordfence Intelligence feed, streams it in a memory-safe way, and compares each entry with your installed plugins/themes.  
You can trigger scans:

- manually from the WP Admin panel  
- or automatically via the scheduled scan option  

The results include severity, details, patched versions, and links to advisories.

== External services ==

This plugin connects to the Wordfence Intelligence vulnerability feed provided by Defiant, Inc. to download vulnerability data used for scans.

The request is sent when you run a manual scan, when a scheduled scan runs, or when the cached feed expires and the plugin needs a fresh copy. The request sends your configured Wordfence API key in the `Authorization` header and standard web request metadata from your server such as your server IP address and user agent. The plugin does not send your installed plugin/theme inventory, scan results, or site content to Wordfence.

Service provider: Defiant, Inc.
Terms of Service: https://www.wordfence.com/terms-of-service/
Privacy Policy: https://www.wordfence.com/privacy-policy/

== Installation ==

1. Upload `vulnerability-monitor-for-wordfence-intelligence` to the `/wp-content/plugins/` directory.
2. Activate the plugin through the **Plugins** menu.
3. Open **Vulnerability Monitor for Wordfence Intelligence** in the WordPress admin sidebar.
4. Configure notification email, Wordfence API key, and preferred severity levels.
5. (Optional) Enable scheduled scans.

== Frequently Asked Questions ==

= Does this plugin send my data to external servers? =  
The plugin fetches the Wordfence Intelligence feed from Wordfence.  
It does **not** upload your installed plugin/theme inventory or scan results to Wordfence.

= Does it slow down my website? =  
No. All scans are manual or scheduled via WP-Cron.  
Normal visitors are never affected.

= Do I need a Wordfence account? =  
Yes. Wordfence Intelligence V3 requires an API key from your Wordfence account.
You can create it after signing in at the Integrations page in your Wordfence.com account.

= Does this plugin store a default API key or email address? =
No. The plugin does not ship with any embedded API key or hardcoded email address.
By default it uses your site's existing `admin_email` setting until you change it.

= Does this replace Wordfence? =  
No. This plugin is not a firewall.  
It is a **lightweight vulnerability monitor**.

= Can I customize the email template? =  
Yes! Both subject and body support placeholders like `{site}`, `{count}`, `{time}`, `{list_html}`.

= Can agencies use this on client websites? =  
Absolutely. That’s one of the primary use cases.

== Changelog ==

= 1.3.10 =
* Fixed a case where vulnerability notification emails could be sent but the scan summary in the WordPress admin page did not persist or display the latest results.

= 1.3.9 =
* Stored scan result and operational status options with `autoload` disabled to reduce unnecessary front-end option loading.

= 1.3.8 =
* Replaced inline admin CSS and JavaScript with properly enqueued assets.
* Documented the Wordfence external service usage, data flow, and policy links in the readme.
* Renamed generic runtime identifiers to stronger `wfim`-prefixed names to reduce conflict risk.

= 1.3.7 =
* Renamed the public plugin package and release metadata for the new WordPress.org naming requirements.
* Updated the public slug, text domain, and bundled archive structure to match the new plugin name.

= 1.3.6 =
* Optimized feed matching so scans no longer re-scan the full installed plugin and theme lists for every feed item.
* Reduced the risk of 30-second timeouts on larger Wordfence Intelligence v3 feeds.

= 1.3.5 =
* Updated release metadata for the WordPress 7.0 compatibility check.
* Bumped the packaged plugin version to 1.3.5.

= 1.3.4 =
* Added an admin confirmation notice after sending a test email.
* Improved test email feedback so successful sends are visible immediately in settings.

= 1.3.3 =
* Fixed WordPress.org Plugin Check findings in the admin UI and packaging metadata.
* Aligned plugin headers and readme requirements for WordPress.org submission.
* Cleaned the release package and removed development-only warnings.

= 1.3.2 =
* Distributed scheduled scans across sites using a stable per-site offset, reducing simultaneous Wordfence API requests.
* Re-aligned existing scheduled scans to the new staggered timing after settings updates and plugin load.

= 1.3.1 =
* Added detailed diagnostics for Wordfence feed fetch failures, including HTTP 429 rate-limit hints.
* Preserved debug logs for failed scans so API error details remain visible in Scan Summary.

= 1.3.0 =
* Added operational alert emails for scan failures, overdue scheduled scans, and fatal plugin errors.
* Added recovery emails when scanning starts working again.
* Added throttling to reduce repeat alert spam.

= 1.2.1 =
* Improved the settings UX by moving the API key directly below the feed URL and removing the misleading "optional" label.

= 1.2.0 =
* Migrated the default vulnerability feed from Wordfence V2 to V3.
* Automatically upgrades the legacy V2 endpoint to the V3 endpoint in plugin settings.
* Shows a clear admin error when the required Wordfence API key is missing.

= 1.1.0 =
* Fixed `send_only_new` email logic so only genuinely new findings trigger notifications.
* Added feed caching based on the configured cache TTL.
* Made scheduled/manual scan failures return gracefully instead of terminating abruptly.
* Fixed the deactivation modal stylesheet.

= 1.0 =
* Initial public release.

== Upgrade Notice ==

= 1.3.10 =
Fixes scan result persistence so the admin scan summary stays in sync with sent vulnerability notifications.

= 1.3.9 =
Performance-focused follow-up release that disables autoload for scan result and related runtime options.

= 1.3.8 =
Addresses the latest WordPress.org review feedback for asset loading, external service disclosure, and unique naming.

= 1.3.5 =
Refreshes release metadata and packages the WordPress 7.0 compatibility update.

= 1.3.4 =
Improves admin feedback after sending a test email from plugin settings.

= 1.3.3 =
WordPress.org submission cleanup release with Plugin Check and packaging fixes.

= 1.3.2 =
Reduces API spikes by spreading scheduled scans across different sites automatically.

= 1.3.1 =
Improves troubleshooting for Wordfence API failures and rate limits.

= 1.3.0 =
Operational monitoring release with alert emails for plugin health issues.
