=== SecurityWP ===
Contributors: ini software
Tags: security, hardening, login, headers, privacy
Requires at least: 5.7
Tested up to: 6.5
Requires PHP: 7.4
Stable tag: 1.0.3
License: GPLv2 or later

Lightweight WordPress hardening — login protection, security headers, privacy and head cleanup.

== Description ==

SecurityWP is a focused, no-bloat hardening plugin for WordPress. Every feature
is an independent toggle, grouped into three areas:

**Security**

* Disable XML-RPC, disable the theme/plugin file editor, require login for the
  REST API.
* Limit login attempts (IP lockout), mask the login URL to a secret slug.
* Password-protect the whole front-end.
* Disable comments and pingbacks/trackbacks.
* Prevent user enumeration and information disclosure (directory listing,
  wp-config/.htaccess/backup/log access; Apache .htaccess rules or an Nginx
  snippet).
* Send hardening HTTP security headers (X-Frame-Options, X-Content-Type-Options,
  Referrer-Policy, Permissions-Policy).
* ALTCHA proof-of-work login captcha (self-hosted, no third-party calls).
* Traffic monitor.

**Head cleanup**

* Remove the generator/RSD/WLW/shortlink tags, strip asset version query
  strings, drop front-end Dashicons.

**SEO & privacy**

* Disable feeds, disable author archives, obfuscate author slugs, and protect
  email addresses from harvesting.

**INI WP platform**

* Exposes a read-only, HMAC-signed REST endpoint (`secwp/v1/state`) so the
  INI WP control panel can pull this site's security posture and scan results.
  The endpoint only activates when the INI WP connector is installed and
  configured; auth reuses the connector's signed channel.
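
The page does not document the connector's signed channel, so the following is an added example of how an HMAC-protected, read-only state route can be gated in WordPress; it is not SecurityWP's or the connector's code. The header names, the canonical string, the option key holding the shared secret and the clock-skew window are all assumptions made for the example.

```php
<?php
/**
 * Added example (not SecurityWP's or the INI WP connector's code): permission
 * callback for a read-only, HMAC-signed REST route. Header names, canonical
 * string, option key and skew window are assumptions for illustration only.
 */

const SECWP_EXAMPLE_MAX_SKEW = 300; // seconds; bounds replay of a captured request

// Canonical string both sides sign. Binding method, route, timestamp and a body
// hash means a signature captured for GET /state cannot be replayed elsewhere
// or with a different body.
function secwp_example_canonical(string $method, string $route, string $ts, string $body): string {
    return implode("\n", [strtoupper($method), $route, $ts, hash('sha256', $body)]);
}

function secwp_example_sign(string $secret, string $method, string $route, string $ts, string $body): string {
    return hash_hmac('sha256', secwp_example_canonical($method, $route, $ts, $body), $secret);
}

// Returns true when the signature is valid and fresh, otherwise a WP_Error
// that register_rest_route() will turn into a 401 response.
function secwp_example_verify(string $secret, string $method, string $route, string $ts, string $sig, string $body, ?int $now = null) {
    $now = $now ?? time();
    if (!ctype_digit($ts) || abs($now - (int) $ts) > SECWP_EXAMPLE_MAX_SKEW) {
        return new WP_Error('secwp_stale_request', 'Timestamp outside allowed window.', ['status' => 401]);
    }
    $expected = secwp_example_sign($secret, $method, $route, $ts, $body);
    // hash_equals() is constant-time; a plain === comparison leaks via timing.
    if (!hash_equals($expected, strtolower($sig))) {
        return new WP_Error('secwp_bad_signature', 'Invalid signature.', ['status' => 401]);
    }
    return true;
}

add_action('rest_api_init', function () {
    // Assumed: the connector provisions a shared secret into this option.
    // With no secret the route is simply not registered, so the endpoint does
    // not exist on sites that are not attached to the platform.
    $secret = get_option('secwp_example_shared_secret');
    if (!is_string($secret) || $secret === '') {
        return;
    }

    register_rest_route('secwp/v1', '/state', [
        'methods'  => 'GET',
        'callback' => function () {
            // Illustrative payload; the real endpoint returns posture and scan data.
            return ['schema_version' => 1, 'traffic' => ['enabled' => false]];
        },
        'permission_callback' => function (WP_REST_Request $request) use ($secret) {
            return secwp_example_verify(
                $secret,
                $request->get_method(),
                $request->get_route(),
                (string) $request->get_header('x-example-timestamp'), // assumed header name
                (string) $request->get_header('x-example-signature'), // assumed header name
                (string) $request->get_body()
            );
        },
    ]);
});
```

The caller signs the same canonical string with the same secret and sends the hex digest plus its Unix timestamp in the two headers. Keeping the check in `permission_callback` rather than in the handler means an unsigned request never reaches the code that assembles the posture data.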

== Installation ==

1. Activate **SecurityWP** from Plugins.
2. Open **SecurityWP** and enable the hardening you want. Each toggle is
   independent and reversible.
3. For "Mask login URL", set a slug before enabling so you can't lock yourself
   out.

== Notes ==

* Head cleanup lives here, not in SeoWP — SeoWP keeps pure SEO concerns
  (titles, meta, schema, noindex directives).

== Changelog ==

= 1.0.3 =
* New: a built-in **SecurityWP → Traffic** view for sites not on the INI WP platform — totals, top offender IPs, suspicious paths, recent suspicious requests, suggested blocks, and a 1h / 24h / 7d window selector. Renders the same data the platform pulls.
* New: **IP blocking** — block an offender (or any IP) straight from the Traffic view; blocked IPs get a 403 early in the request. Uses the spoof-resistant client IP, runs independently of the traffic monitor, and refuses to block your own current IP (no self-lockout). Admins always bypass.
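
As an added example of the two properties the entry above describes (a spoof-resistant client IP and a 403 issued early without self-lockout), the following is illustrative PHP and not SecurityWP's own implementation. The trusted-proxy list, the option key and the choice of the `init` hook are assumptions.

```php
<?php
/**
 * Added example (not SecurityWP's own code): derive the client IP without
 * trusting forged proxy headers, then 403 blocked IPs early in the request.
 * The trusted-proxy list, option key and hook choice are assumptions.
 */

// Only proxies you actually operate belong here. On a site with no reverse
// proxy leave it empty and X-Forwarded-For is ignored entirely.
function secwp_example_trusted_proxies(): array {
    return ['10.0.0.5']; // assumed: your load balancer / reverse proxy
}

// REMOTE_ADDR is the TCP peer and cannot be forged by the client. Only when that
// peer is a trusted proxy do we walk X-Forwarded-For right to left, skipping
// other trusted hops, and take the first untrusted address: the real client.
// Reading the leftmost value, as naive code does, lets any client pick the IP
// that gets blocked or rate-limited.
function secwp_example_client_ip(array $server): ?string {
    $peer = $server['REMOTE_ADDR'] ?? null;
    if (!filter_var($peer, FILTER_VALIDATE_IP)) {
        return null;
    }
    $trusted = secwp_example_trusted_proxies();
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            return $peer; // malformed header: fall back to the peer, never to a client value
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was a trusted proxy
}

function secwp_example_blocked_ips(): array {
    $list = get_option('secwp_example_blocked_ips', []); // assumed option key
    return is_array($list) ? $list : [];
}

// Refuses to add the administrator's own current IP so a mis-click in the
// Traffic view cannot lock them out. Returns true when the IP is (now) blocked.
function secwp_example_block_ip(string $ip, string $current_ip): bool {
    if (!filter_var($ip, FILTER_VALIDATE_IP) || $ip === $current_ip) {
        return false;
    }
    $list = secwp_example_blocked_ips();
    if (!in_array($ip, $list, true)) {
        $list[] = $ip;
        update_option('secwp_example_blocked_ips', $list, false);
    }
    return true;
}

// 'init' at priority 0 runs before query parsing and template rendering, and
// after the current user can be resolved, so administrators can bypass.
add_action('init', function () {
    $ip = secwp_example_client_ip($_SERVER);
    if ($ip === null || !in_array($ip, secwp_example_blocked_ips(), true)) {
        return;
    }
    if (current_user_can('manage_options')) {
        return;
    }
    status_header(403);
    nocache_headers();
    exit('Forbidden');
}, 0);
```

The same client-IP function should feed the login lockout, since an attacker who can set X-Forwarded-For against a naive implementation can both evade their own lockout and lock out arbitrary addresses.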

= 1.0.2 =
* New: the platform state endpoint (secwp/v1/state) now includes an aggregated `traffic` summary — totals, top offender IPs, suspicious paths, a recent sample, and suggested block rules — for the INI WP control panel's Traffic tab. Reports `enabled:false` when the traffic monitor is off. Honours an optional `?hours=` look-back window hint. Additive (schema_version unchanged).

= 1.0.1 =
* New: "Require login for REST API" now has a per-namespace public whitelist — tick which registered REST namespaces stay public (e.g. a headless front-end, oEmbed, a contact-form endpoint); everything else requires login. Strict by default (nothing public until ticked).
* Safety: the INI WP family REST namespaces are always exempt and can never be blocked, so the control panel (wp.ini.bg) and integrating plugins can't be locked out. Family membership is read from the connector's registry (iniwp_family_rest_namespaces) when present, with a safe built-in fallback when standalone; SecurityWP self-registers secwp/v1. The whitelist UI shows the always-public namespaces read-only.
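
The two entries above describe a strict-by-default namespace whitelist with always-exempt family namespaces. The following is an added illustration of that logic as a WordPress REST filter; it is not SecurityWP's code. The option key for the ticked namespaces is assumed, and the connector's registry is modelled as a global function named `iniwp_family_rest_namespaces()` returning an array, which is an assumption about its form.

```php
<?php
/**
 * Added example (not SecurityWP's own code): require login for every REST
 * namespace except an admin-ticked whitelist, with the INI WP family
 * namespaces always public. Option key and registry shape are assumptions.
 */

// Assumed option written by the settings UI. Strict default: nothing ticked.
function secwp_example_public_namespaces(): array {
    $ticked = get_option('secwp_example_public_namespaces', []);
    return is_array($ticked) ? array_map('strval', $ticked) : [];
}

// Family namespaces come from the connector's registry when present (assumed
// here to be a function returning an array); standalone sites use the fallback.
function secwp_example_family_namespaces(): array {
    $fallback = ['secwp/v1']; // SecurityWP self-registers its own namespace
    if (function_exists('iniwp_family_rest_namespaces')) {
        $family = iniwp_family_rest_namespaces();
        if (is_array($family)) {
            return array_values(array_unique(array_merge($fallback, $family)));
        }
    }
    return $fallback;
}

// Map a route such as "/wp/v2/posts" to its registered namespace ("wp/v2").
// The longest registered namespace that prefixes the route wins, so "foo/v1"
// cannot claim "/foo/v10/..." and the match is exact at a "/" boundary.
function secwp_example_route_namespace(string $route, array $namespaces): ?string {
    $best = null;
    foreach ($namespaces as $ns) {
        $prefix = '/' . trim($ns, '/');
        if ($route === $prefix || strpos($route, $prefix . '/') === 0) {
            if ($best === null || strlen($ns) > strlen($best)) {
                $best = $ns;
            }
        }
    }
    return $best;
}

function secwp_example_route_is_public(string $route, array $registered): bool {
    $ns = secwp_example_route_namespace($route, $registered);
    if ($ns === null) {
        return false; // root index or an unregistered prefix: not public
    }
    if (in_array($ns, secwp_example_family_namespaces(), true)) {
        return true; // family namespaces can never be blocked
    }
    return in_array($ns, secwp_example_public_namespaces(), true);
}

// rest_pre_dispatch runs after authentication and receives the request, so the
// route is known here; returning a WP_Error short-circuits the dispatch.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if (!empty($result) || is_user_logged_in()) {
        return $result;
    }
    if (secwp_example_route_is_public($request->get_route(), $server->get_namespaces())) {
        return $result;
    }
    return new WP_Error(
        'rest_login_required',
        'Authentication is required for this endpoint.',
        ['status' => 401]
    );
}, 10, 3);
```

Matching against `$server->get_namespaces()` rather than a regex on the path keeps namespaces such as `oembed/1.0` or `contact-form-7/v1` working, and an unregistered prefix falls through to "not public" rather than to an accidental allow.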

= 1.0.0 =
* Initial release. Security / head-cleanup / SEO-privacy hardening extracted
  into a standalone plugin, plus the INI WP platform-state endpoint.
