=== iSecure Guard Pro ===
Contributors: mamuniu06
Tags: security, firewall, login protection, brute force, hardening
Requires at least: 5.8
Tested up to: 6.7
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Complete security suite for WordPress — login protection, firewall headers, info hiding, and hardening.

== Description ==

iSecure Guard protects your WordPress site with:

* **Two-Factor Authentication (2FA)** — Standard TOTP support (Google Authenticator, Authy, Microsoft Authenticator, 1Password). Users enable it individually from their Profile page with QR-code setup, and receive 10 one-time recovery codes. Works fully offline — no external service or email required.
* **Login Protection** — Limits failed login attempts per IP with configurable lockout duration, generic error messages (no username/password hints), and a hidden honeypot field that silently blocks bots.
* **Firewall & Headers** — Sends modern security headers (X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, HSTS on HTTPS) and blocks requests containing common SQL injection / XSS / path traversal patterns.
* **Hide WordPress Info** — Removes the WP version from meta tags and asset URLs, blocks ?author=N user enumeration scans, and hides the public REST API users endpoint.
* **Hardening** — Disables XML-RPC (a common brute-force vector) and the built-in theme/plugin file editor.
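The 2FA bullet above describes standard TOTP with offline recovery codes. The plain-PHP script below is an added example, not code from the iSecure Guard plugin, of what that verification involves: a base32 secret, 30-second steps, HMAC-SHA1 dynamic truncation (RFC 4226/6238), a one-step drift window, replay rejection by remembering the last accepted step, and recovery codes stored only as hashes and removed on use. All function names are this example's own; the demo secret is the RFC 6238 reference secret `12345678901234567890` in base32, and the code `287082` is the published value for T=59.

```php
<?php
// Added example (not part of the iSecure Guard plugin): RFC 6238 TOTP verification
// plus one-time recovery codes, written in plain PHP so it runs without WordPress.
// Assumptions: 6-digit codes, 30-second steps, HMAC-SHA1 (the defaults Google
// Authenticator, Authy and similar apps use); secrets are stored base32-encoded.

declare(strict_types=1);

/** Decode an RFC 4648 base32 string (the format authenticator apps accept). */
function base32_decode_strict(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $val = strpos($alphabet, $b32[$i]);
        if ($val === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {        // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** Compute the TOTP value for one 30-second time step (HOTP over the step counter). */
function totp_at(string $secret, int $step, int $digits = 6): string
{
    $msg    = pack('J', $step);                      // 8-byte big-endian counter
    $hmac   = hash_hmac('sha1', $msg, $secret, true); // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0F;                 // dynamic truncation (RFC 4226 5.3)
    $code   = ((ord($hmac[$offset]) & 0x7F) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Verify a user-supplied code. Accepts the current step and one step either side
 * to absorb clock drift, and refuses any step at or before the last accepted one
 * so a code captured inside the window cannot be replayed.
 * Returns the accepted step (to be persisted as the new last-used step) or null.
 */
function totp_verify(string $b32secret, string $input, int $lastUsedStep, ?int $now = null): ?int
{
    $input = preg_replace('/\s+/', '', $input);
    if (!preg_match('/^\d{6}$/', $input)) {
        return null;
    }
    $secret = base32_decode_strict($b32secret);
    $step   = intdiv($now ?? time(), 30);
    foreach ([0, -1, 1] as $delta) {
        $candidate = $step + $delta;
        if ($candidate <= $lastUsedStep) {
            continue;                                // already consumed: replay
        }
        if (hash_equals(totp_at($secret, $candidate), $input)) {
            return $candidate;
        }
    }
    return null;
}

/** Generate $count one-time recovery codes: [plaintext to show once, hashes to store]. */
function recovery_codes_generate(int $count = 10): array
{
    $plain = $hashed = [];
    for ($i = 0; $i < $count; $i++) {
        $code     = bin2hex(random_bytes(5));        // 10 hex chars, 40 bits of entropy
        $plain[]  = $code;
        $hashed[] = password_hash($code, PASSWORD_DEFAULT);
    }
    return [$plain, $hashed];
}

/** Consume a recovery code: returns the remaining hash list, or null if nothing matched. */
function recovery_code_consume(array $hashed, string $input): ?array
{
    $input = strtolower(trim($input));
    foreach ($hashed as $i => $hash) {
        if (password_verify($input, $hash)) {
            unset($hashed[$i]);                      // one-time: gone after use
            return array_values($hashed);
        }
    }
    return null;
}

// Demo against the RFC 6238 reference vector: secret "12345678901234567890" (base32 below),
// T=59 is step 1 and its 6-digit code is 287082. The second call presents the same code
// again after step 1 was recorded as used, which the replay check rejects.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(totp_verify($secret, '287082', -1, 59));
var_dump(totp_verify($secret, '287082', 1, 59));
[$plain, $hashed] = recovery_codes_generate();
var_dump(recovery_code_consume($hashed, $plain[3]) !== null);
var_dump(recovery_code_consume($hashed, 'not-a-code'));
```

Run it with `php totp-example.php`. The caller is responsible for persisting the step returned by `totp_verify()` against the user; without that, the drift window turns every code into one that works three times.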

All features can be toggled individually from Settings → iSecure Guard. A lockout log shows the last 20 blocked login attempts.
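As an added illustration of the login-protection and lockout-log behaviour described above (not the plugin's own code), the stand-alone PHP script below keeps a per-IP failure counter with a rolling window, locks the IP out for a configurable period once the limit is hit, returns the same generic error for every refusal, treats a filled honeypot field as a bot, and keeps only the 20 most recent lockouts. Storage is an in-memory array so the script runs on its own; the class and function names, the thresholds and the IP address are this example's assumptions.

```php
<?php
// Added example (not the plugin's own code): per-IP failed-login limiting with a
// lockout window, a generic error message, a honeypot check and a lockout log capped
// at 20 entries. State is held in memory so this runs stand-alone; inside WordPress
// the same entries would live in transients (get_transient/set_transient) keyed by IP.

declare(strict_types=1);

final class LoginLimiter
{
    public const GENERIC_ERROR = 'Invalid login credentials.'; // no username/password hints

    private int $maxAttempts;
    private int $windowSeconds;
    private int $lockoutSeconds;
    private int $logSize;

    private array $failures = [];   // ip => ['count' => int, 'first' => int]
    private array $lockouts = [];   // ip => unix time the lockout expires
    private array $log      = [];   // most recent lockouts, newest first

    public function __construct(int $maxAttempts = 5, int $windowSeconds = 900,
                                int $lockoutSeconds = 900, int $logSize = 20)
    {
        $this->maxAttempts    = $maxAttempts;
        $this->windowSeconds  = $windowSeconds;   // failures older than this are forgotten
        $this->lockoutSeconds = $lockoutSeconds;
        $this->logSize        = $logSize;
    }

    /** True while $ip is inside an active lockout. */
    public function isLockedOut(string $ip, ?int $now = null): bool
    {
        $now = $now ?? time();
        if (isset($this->lockouts[$ip]) && $this->lockouts[$ip] > $now) {
            return true;
        }
        unset($this->lockouts[$ip]);              // expired: clean up
        return false;
    }

    /** Record a failed attempt; returns true if this failure triggered a lockout. */
    public function recordFailure(string $ip, ?int $now = null, string $username = ''): bool
    {
        $now   = $now ?? time();
        $entry = $this->failures[$ip] ?? ['count' => 0, 'first' => $now];
        if ($now - $entry['first'] > $this->windowSeconds) {
            $entry = ['count' => 0, 'first' => $now];   // stale window: start over
        }
        $entry['count']++;
        $this->failures[$ip] = $entry;

        if ($entry['count'] < $this->maxAttempts) {
            return false;
        }
        $this->lockouts[$ip] = $now + $this->lockoutSeconds;
        unset($this->failures[$ip]);
        // Prepend to the log and keep only the newest $logSize entries.
        array_unshift($this->log, ['ip' => $ip, 'user' => $username, 'time' => $now]);
        $this->log = array_slice($this->log, 0, $this->logSize);
        return true;
    }

    /** A successful login clears the counter for that IP. */
    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip]);
    }

    public function lockoutLog(): array
    {
        return $this->log;
    }
}

/** Honeypot: a hidden field humans never see and leave empty; bots that fill every field trip it. */
function honeypot_tripped(array $post, string $field = 'isg_hp'): bool
{
    return isset($post[$field]) && trim((string) $post[$field]) !== '';
}

/** Decision a login handler makes before and after the password check. */
function login_gate(LoginLimiter $limiter, string $ip, array $post, bool $passwordOk, ?int $now = null): array
{
    if (honeypot_tripped($post) || $limiter->isLockedOut($ip, $now)) {
        return ['ok' => false, 'error' => LoginLimiter::GENERIC_ERROR];
    }
    if (!$passwordOk) {
        $limiter->recordFailure($ip, $now, (string) ($post['log'] ?? ''));
        return ['ok' => false, 'error' => LoginLimiter::GENERIC_ERROR];
    }
    $limiter->recordSuccess($ip);
    return ['ok' => true, 'error' => null];
}

// Demo with a constructed client IP: five wrong passwords lock it out, so the sixth
// attempt is refused even with the right password, and the lockout appears in the log.
$limiter = new LoginLimiter();
$t = 1_700_000_000;
for ($i = 0; $i < 5; $i++) {
    login_gate($limiter, '203.0.113.7', ['log' => 'admin', 'pwd' => 'wrong'], false, $t + $i);
}
$result = login_gate($limiter, '203.0.113.7', ['log' => 'admin', 'pwd' => 'correct'], true, $t + 10);
printf("locked out: %s, lockouts logged: %d\n", $result['ok'] ? 'no' : 'yes', count($limiter->lockoutLog()));
$later = login_gate($limiter, '203.0.113.7', ['log' => 'admin', 'pwd' => 'correct'], true, $t + 1000);
printf("after the lockout expires: %s\n", $later['ok'] ? 'allowed' : 'still refused');
```

Two details worth keeping when porting this into a plugin: take the client IP from `REMOTE_ADDR` rather than a forwarded header unless a trusted proxy is in front of the site, and record the failure before returning the generic error so a lockout cannot be avoided by abandoning the request early.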

== Installation ==

1. Upload the `isecure-guard` folder to `/wp-content/plugins/`, or upload the zip via Plugins → Add New → Upload Plugin.
2. Activate the plugin through the Plugins menu.
3. Configure options under Settings → iSecure Guard.

== External Services ==

This plugin's optional **Country Block** feature (disabled by default) uses the free geo-location service ip-api.com to determine the country of a visitor's IP address.

* **What is sent:** Only the visitor's IP address is sent to ip-api.com, and only when the Country Block feature is manually enabled by the site administrator and a visitor's country is not already cached.
* **When:** On the first request from a given IP; the result is cached locally for 24 hours, so repeat visitors trigger no external calls.
* **No other data** (no personal info, no site data) is ever transmitted.

Service provider: ip-api.com — Terms: https://ip-api.com/docs/legal — Privacy: https://ip-api.com/docs/legal

If the Country Block feature is disabled (the default), the plugin makes no external requests whatsoever.

== Frequently Asked Questions ==

= I'm locked out of two-factor authentication. How do I get back in? =

There are three rescue paths, in order of ease:

1. **Recovery codes** — enter one of your saved one-time recovery codes in the Authentication Code field on the login screen.
2. **Ask an administrator** — any admin can open Users → your profile and reset your 2FA with one click. You can then log in with just your password and set 2FA up again.
3. **Server access (site owners)** — add this line to your wp-config.php file: `define( 'ISG_DISABLE_2FA', true );` — this temporarily bypasses 2FA for all logins. Log in, reset your 2FA from your profile, then REMOVE the line again. Because it requires file access, only someone who controls the server can use it.

= Will this conflict with other security plugins? =
Avoid running multiple firewall/login-limit plugins at once — features may overlap.

= I use Jetpack or a mobile app to publish. =
Jetpack and the WordPress mobile apps talk to the site over XML-RPC, so turn off the "Disable XML-RPC" option under Settings → iSecure Guard.

== Changelog ==

= 1.0.0 =
* Initial release.
* Login protection: per-IP attempt limits, lockouts, honeypot, generic error messages.
* Two-Factor Authentication (TOTP): QR-code setup, recovery codes, a warning when recovery codes run low, works offline.
* DDoS/flood protection via per-IP rate limiting.
* Firewall: malicious query blocking and modern security headers.
* Country blocking (optional, via ip-api.com with local caching).
* Comment spam protection: honeypot and link limits.
* Daily critical-file change detection with admin and email alerts.
* Hardening: XML-RPC off, file editor off, version hiding, user-enumeration blocking.
* Bundled QRCode.js by davidshimjs (MIT license, GPL-compatible) for local QR rendering.
