=== UltraGuard – Security Suite ===
Contributors: vikas_bhardwaj
Tags: security, firewall, malware scanner, login protection, two-factor authentication
Requires at least: 5.6
Tested up to: 6.9
Requires PHP: 8.1
Stable tag: 6.7.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

WordPress security plugin with firewall protection, malware scanning, login hardening, traffic monitoring, and security headers in one package.

== Description ==

**UltraGuard** is a modular WordPress security plugin for site owners, developers, and agencies who want one place to manage core site protection.

The plugin includes a firewall, malware scanner, login protection, security headers, audit logging, and real-time traffic monitoring. Additional advanced features can be unlocked with a valid Pro license.

= Core Features Included In This Plugin =

**Firewall (WAF)**
A fully integrated Web Application Firewall with 8 detection layers: IP whitelist/blacklist, CIDR range support, sliding-window rate limiting, geo-blocking, bot and bad-UA detection, proxy/VPN/datacenter detection, OWASP-aligned attack pattern matching (SQLi, XSS, RFI, RCE, Path Traversal, XXE, SSRF, CMDi, LFI), and user-defined custom rules. Auto-bans IPs that exceed attack thresholds. Includes hotlink protection and reputation feed integration.

**Antivirus Scanner (10 Layers)**
Detection layers include hash matching against known malware signatures, critical PHP heuristics, suspicious obfuscation patterns, JavaScript threat detection, HTML injection detection, WordPress core file integrity verification via official api.wordpress.org checksums, high-entropy string analysis, and plugin/theme vulnerability checks.

**Login Limiter**
Brute-force protection with configurable lockout thresholds, temporary and permanent IP bans, session management, and real-time lockout notifications.

**Login URL Obfuscation**
Hide your WordPress login page behind a custom secret path. Direct hits to the default wp-login.php are logged and can trigger automatic blocking.

**WordPress Hardening**
Apply a curated set of security hardening measures to your WordPress installation with a single click — disable XML-RPC, remove version exposure, protect sensitive files, and more.

**Security Headers**
Configure and send all critical HTTP security headers: Content-Security-Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more. Live header previewer included.

**.htaccess Manager**
Visual editor and template library for Apache .htaccess security rules. Safely preview, apply, and roll back changes without leaving wp-admin.

**Live Traffic Monitor (Real-Time SSE)**
Watch every request hit your site in real time — including threat classification, geo hints, user-agent, and one-click block action. Powered by Server-Sent Events (SSE) for true real-time delivery without expensive polling overhead.

**Audit Log**
Full activity trail: logins, logouts, failed attempts, settings changes, plugin activations/deactivations, user management events, and more. Searchable, filterable, and exportable.

**Auto Plugin, Theme & Core Updater**
Safely automate WordPress core, plugin, and theme updates with configurable scheduling, per-item include/exclude lists, detailed update logs, and rollback hooks.

**Notifications (Email + Webhook + Slack)**
Deliver security alerts through email, any HTTP webhook endpoint, or directly to a Slack channel. Independently configure delivery per event type.

**Onboarding Wizard**
Step-by-step setup guide that helps new users select modules, apply recommended settings, seed baseline scan data, and activate a license in minutes.

= Additional Features Available With Pro =

* **Authenticator** — App-based TOTP two-factor authentication and WebAuthn **passkeys** for password-less login. Configurable per user role, with grace periods, backup codes, and self-enrollment options.
* **REST API & XML-RPC Security** — Route-level access controls, API key enforcement, rate limiting per endpoint, and full XML-RPC disable/allow-list options.
* **IP Reputation & Threat Intelligence** — Automatic synchronisation of hostile IP feeds from cloud threat intelligence sources. Seamlessly integrates with the firewall to block known bad actors before they reach your site.
* **Vulnerability Scanner** — Detect known CVEs in installed plugins, themes, and WordPress core via WPScan and Patchstack databases. Includes **Virtual WAF Patching** — instantly deploy a firewall rule to block exploitation of an unpatched vulnerability.
* **File Checker** — Continuous file integrity monitoring and change detection. Get alerted the moment any tracked file is created, modified, or deleted.
* **Database Scanner** — Scan every WordPress database table for injected malicious content: SEO spam, pharma hacks, eval() injections, hidden zero-pixel iframes, base64/gzinflate obfuscated payloads, header redirect injections, and orphaned backdoor admin accounts.
* **Blacklist & Reputation Monitor** — Continuously monitor your domain and server IP against major blacklist providers. Get an immediate alert if you are listed anywhere.
* **Uptime & SSL Monitor** — Monitor site availability, response time, and SSL certificate health. Receive alerts before your certificate expires and the moment downtime is detected.
* **WooCommerce Security Mode** — Checkout-specific security rules, real-time JavaScript skimmer detection, secure store headers, and WooCommerce-aware event logging.
* **Compliance Reports** — Generate downloadable security evidence reports from your UltraGuard data. Ideal for GDPR, PCI-DSS, ISO 27001, and SOC 2 audit requirements.

= Built for Developers & Agencies =

UltraGuard is engineered to the same standards you hold your own code to:

* **PSR-4 autoloader** with full namespace separation — zero procedural globals
* **Dependency-injected modular architecture** — every module receives the plugin container via constructor, making it safe to extend without coupling
* **Server-Sent Events** for real-time data delivery — no polling overhead
* **DB-query caching layer** with granular key-based invalidation
* **Native multisite/network support** included in the free tier
* **PHP 8.1+** — typed properties, named arguments, match expressions, readonly properties
* Exposes `ultraguard_pro_init`, `ultraguard_pro/early_security_init/before|after`, and dozens of additional action/filter hooks for custom integrations

= Privacy =

UltraGuard does not sell or share user data.

This plugin can connect to external services when specific features are enabled or configured by the site owner:

* **UltraGuard licensing / cloud services** at `ultraguard.net` for Pro license validation and threat intelligence sync.
* **WordPress.org** for core checksum and update data.
* **WPScan** and **Patchstack** for vulnerability lookups when vulnerability scanning is used.
* **ip-api.com** for IP geolocation lookups when country detection is needed.
* **Google reCAPTCHA** or **Cloudflare Turnstile** when CAPTCHA protection is enabled.
* **Slack** or any configured **webhook endpoint** when notification channels are enabled.

Data sent depends on the enabled feature and can include your site URL, license key/email, public IP address being checked, or alert payloads sent to your own configured notification destination.

== Installation ==

= Automatic Installation =

1. Log in to your WordPress admin.
2. Navigate to **Plugins → Add New**.
3. Search for **UltraGuard**.
4. Click **Install Now**, then **Activate**.
5. The onboarding wizard will launch automatically to guide you through setup.

= Manual Installation =

1. Download the plugin ZIP from the WordPress Plugin Directory.
2. In your admin, go to **Plugins → Add New → Upload Plugin**.
3. Upload the ZIP file and click **Install Now**.
4. Activate the plugin.
5. Navigate to **UltraGuard → Dashboard** to begin setup.

= Requirements =

* WordPress 5.6 or higher
* PHP 8.1 or higher
* PHP extensions: `json`, `curl`, `openssl`

== Frequently Asked Questions ==

= Will UltraGuard slow down my site? =

UltraGuard is engineered for minimal performance overhead. The firewall runs at the earliest possible WordPress hook, the dashboard uses Server-Sent Events instead of polling, and a granular DB-query caching layer prevents redundant database reads. On most hosting environments the impact is not measurable.

= Is the firewall free or paid? =

The WAF, IP blocking, rate limiting, geo-blocking, bot detection, and all core firewall functionality are included in the **free** version. No paid license is required to protect your site.

= Does UltraGuard support WordPress Multisite? =

Yes. UltraGuard natively supports WordPress Multisite/Network from the free tier. Network activation is supported via the `Network: true` plugin header.

= Where is malware scan data stored? =

All scan results, quarantine records, and malware signatures are stored in your own WordPress database. No file content is transmitted externally unless you explicitly opt in to cloud-assisted scanning features.

= Can I use UltraGuard alongside other security plugins? =

It is generally recommended to avoid running two WAF-level plugins simultaneously, as conflicting firewall rules can cause unexpected blocks. UltraGuard is designed as a full-stack security solution so that additional security plugins are not necessary.

= Does the free version include malware scanning? =

Yes. The 10-layer antivirus scanner is included in the free version. The Pro tier adds the database scanner, file integrity monitor, vulnerability scanner with virtual patching, and IP threat intelligence feeds.

= How do I activate a Pro license? =

Navigate to **UltraGuard → License & Upgrade Center** and enter your license key and email address. The plugin validates the key with the UltraGuard licensing server and unlocks Pro modules immediately.

= What PHP version is required? =

PHP 8.1 or higher is required. UltraGuard is actively tested on PHP 8.1, 8.2, and 8.3.

= Is there a multisite per-site license option? =

Please refer to the pricing page on ultraguard.net for current license tiers, including agency and unlimited-site options.

== Screenshots ==

1. **Security Dashboard** — At-a-glance security score, real-time threat stats, and module status overview.
2. **Firewall Rules** — Visual rule builder with IP, CIDR, country, and attack-type controls.
3. **Antivirus Scanner** — Scan progress, detection results, and one-click quarantine actions.
4. **Live Traffic Monitor** — Real-time request feed with threat labels and geo hints via SSE.
5. **Login Limiter** — Brute-force protection settings and live lockout log.
6. **Security Headers** — Point-and-click header configuration with live preview.
7. **Vulnerability Scanner** — CVE detection results with virtual patch controls.
8. **Compliance Reports** — Report configuration and download centre.

== Changelog ==

= 6.7.1 =
* Hardened the plugin for WordPress.org submission by resolving the remaining Plugin Check and PHPCS security, escaping, i18n, and database warnings.
* Replaced external admin assets with bundled local files for Font Awesome, chart plugins, and CAPTCHA loaders to improve compliance and reliability.
* Improved performance by moving license sync, free registration, signature refresh, firewall data refresh, and IP intelligence lookups into background processing where appropriate.
* Fixed self-interference edge cases so UltraGuard can safely perform its own uptime checks, security header tests, and other internal actions without being blocked.
* Fixed dashboard and module data issues affecting firewall summaries, live traffic country reporting, notifications charts, malware result previews, and protection coverage layouts.
* Improved soft-gating, upgrade flows, multisite behavior, uninstall cleanup, and license state handling across Free, Pro, and Agency experiences.
* Added internal antivirus allowlisting for UltraGuard detection sources to prevent false positives against the plugin's own signature and scanning files.

= 6.7.0 =
* Added a richer Free / Pro / Agency upgrade experience with improved license status messaging and clearer plan comparisons.
* Improved multisite support across activation, provisioning for new sites, network-safe admin links, and cleanup flows.
* Expanded soft-gating so premium modules show persuasive preview states with sample data while blocking paid-only actions safely.
* Fixed Login URL Protection edge cases, including logout flow handling, old `wp-login.php` hit logging, and overlap with Login Limiter ownership.
* Improved backend communication with `ultraguard.net` for licensing and remote intelligence, including better endpoint resolution, sync handling, and timeout backoff.
* Fixed firewall and analytics data issues affecting top blocked IPs, attacked URIs, notification failure charts, and other dashboard summaries.
* Hardened uninstall and database cleanup behavior, including better multisite cleanup propagation and more complete table / option removal.
* Fixed shared database-layer issues affecting chunked query cache reconstruction, UTC-based retention cleanup, and firewall rate-limit window calculations.

== Upgrade Notice ==

= 6.7.2 =
Maintenance and submission hardening release with performance, compatibility, and dashboard/data fixes.
