=== VistoShield - Cloud Security Platform ===
Contributors: vistoweb
Tags: security, firewall, malware, cloud security, waf, login protection, scanner
Requires at least: 5.4
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 2.0.3
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Cloud security platform for WordPress. Real WAF, malware scanner, login protection, DNS monitoring — all from one EU-hosted dashboard.

== Description ==

VistoShield is a cloud-based security platform that protects your WordPress sites through 14 specialized security modules — all managed from one EU-hosted cloud dashboard.

**This plugin is the lightweight agent** that connects your WordPress site to the VistoShield cloud. It actively blocks attacks, scans for malware, monitors traffic, and provides a full security dashboard inside your WordPress admin.

= Real Security, Not Just Monitoring =

* **Web Application Firewall** — 25 rules blocking SQLi, XSS, LFI, RCE, scanners, bad bots
* **Login Guard** — Rate limiting, IP lockout after 5 failures, bad username blocking
* **Security Scanner** — Core file integrity, malware detection, vulnerability checks, config audit
* **Live Traffic** — Real-time HTTP request logging with Human/Bot/Internal classification
* **DNS Monitor** — Live DNS lookups, SSL certificate monitoring, change tracking

= 14 Security Modules =

* Live Traffic Monitor
* Security Scanner
* Firewall & WAF
* Bot Detector
* Login Guard
* Activity Log
* Password Policy
* API Security
* Vulnerability Patcher
* Incident Response
* CDN Connector
* DNS Monitor
* Uptime Monitor
* Reputation Monitor

= Key Features =

* Real WAF that blocks attacks (not just logs them)
* Login brute-force protection with automatic IP lockout
* Real malware scanner with WordPress core integrity checks
* One plugin, 14 modules — no bloat
* EU-hosted cloud dashboard (Hetzner, Germany)
* Google Sign-In and Magic Link authentication
* Per-site Pro/Max plans via Paddle billing
* Automatic plugin updates from VistoShield cloud
* Server-side auto-sync every 5 minutes
* Site offline monitoring with email alerts
* 16 branded transactional email types (welcome, alerts, reports)
* In-app customer support widget
* Mobile-responsive dashboard
* GDPR compliant

= How It Works =

1. Install and activate the plugin
2. Connect to your VistoShield cloud account (Google or email)
3. The plugin immediately starts protecting your site
4. Monitor and manage security from the cloud dashboard

= Links =

* [Website](https://vistoshield.com)
* [Cloud Dashboard](https://app.vistoshield.com)
* [Documentation](https://vistoshield.com/docs/)
* [Live Demo](https://app.vistoshield.com/demo/)

== Installation ==

1. Upload the plugin to `/wp-content/plugins/vistoshield/`
2. Activate through the 'Plugins' menu
3. Follow the setup wizard to connect to your VistoShield account
4. The WAF and Login Guard start protecting immediately

== Frequently Asked Questions ==

= Do I need a VistoShield account? =
Yes. Create a free account at app.vistoshield.com to get started. Sign in with Google or email.

= Where is my data stored? =
All data is stored in the EU on Hetzner Cloud infrastructure in Germany. Fully GDPR compliant.

= Does this plugin slow down my site? =
No. The agent is lightweight and runs security checks asynchronously. The WAF adds less than 1 ms per request.

= Does the WAF really block attacks? =
Yes. The WAF inspects every request against 25 rules and returns 403 Forbidden for malicious requests. It blocks SQL injection, XSS, path traversal, scanners, and more.

= Does it work with caching plugins? =
Yes. Traffic tracking uses JavaScript beacons that work even with WP Rocket, LiteSpeed Cache, and other full-page cache plugins.

== Screenshots ==

1. Cloud dashboard overview with security score
2. Live traffic monitor with Human/Bot/Internal filters
3. Firewall WAF rules with toggleable categories
4. DNS Monitor with health score and SSL tracking
5. Security scanner results with vulnerability details
6. Setup wizard

== Changelog ==

= 2.0.3 =
* Fix: Duplicate events across all modules (traffic, login, scanner) — each request was logged twice
* Fix: Traffic log now only records humans via JS beacon (bots/internal via PHP) — no more double-counting
* Fix: Login lockout email sent only once per threshold crossing (was firing on every subsequent attempt)
* Fix: Already-locked-out IPs no longer re-increment failure counter or fire duplicate events
* Fix: API now deduplicates events within a single push batch (safety net for plugin retries)
* Fix: API now deduplicates traffic entries within a single push batch
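
The lockout and deduplication behaviour these fixes describe can be sketched as follows; this is an added example, not code from the VistoShield plugin or cloud API. The function names, event fields and the in-memory array store are hypothetical, and only the threshold of 5 failures comes from this readme.

```php
<?php
// Added illustration, not VistoShield source; names and storage are hypothetical.
const LOCKOUT_THRESHOLD = 5; // "IP lockout after 5 failures" per this readme

// Record one failed login. Returns the event to queue, or null when nothing
// new happened because the IP was already locked out.
function vs_example_failed_login(array &$store, string $ip): ?array
{
    $entry = $store[$ip] ?? ['failures' => 0, 'locked' => false];
    if ($entry['locked']) {
        return null; // no re-increment, no duplicate event, no second email
    }
    $entry['failures']++;
    $type = 'login_failed';
    if ($entry['failures'] >= LOCKOUT_THRESHOLD) {
        $entry['locked'] = true; // the threshold is crossed exactly once
        $type = 'lockout';       // the only event that triggers the alert email
    }
    $store[$ip] = $entry;
    return ['type' => $type, 'ip' => $ip, 'n' => $entry['failures']];
}
// Receiving side: drop identical events inside one push batch so a retried
// push cannot double-count. Identity here is the full event content.
function vs_example_dedupe_batch(array $batch): array
{
    $seen = $unique = [];
    foreach ($batch as $event) {
        ksort($event); // key order must not affect the fingerprint
        $fp = hash('sha256', json_encode($event));
        if (!isset($seen[$fp])) {
            $seen[$fp] = true;
            $unique[] = $event;
        }
    }
    return $unique;
}

// Constructed input: 8 failures from a documentation-range address, with each
// event queued twice to imitate the double logging fixed in 2.0.3.
$store = [];
$batch = [];
for ($i = 0; $i < 8; $i++) {
    $event = vs_example_failed_login($store, '203.0.113.7');
    if ($event !== null) {
        array_push($batch, $event, $event);
    }
}
$unique = vs_example_dedupe_batch($batch);
$alerts = count(array_filter($unique, fn($e) => $e['type'] === 'lockout'));
printf("%d queued, %d kept, %d lockout alert(s)\n", count($batch), count($unique), $alerts);
```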

= 2.0.2 =
* Fix: WAF no longer blocks Elementor, Divi, WPBakery, Beaver Builder, and other page builders
* Fix: WAF skips all logged-in users (not just admins) — editors and shop managers can use page builders
* Fix: WAF skips entire REST API — fixes Gutenberg, WooCommerce Store API, Rank Math
* Fix: WAF whitelists 30+ AJAX actions for WooCommerce, contact forms, and cache plugins
* Fix: WAF rules narrowed to query strings for XSS/SQLi/RCE patterns (no more false positives on POST body)
* Fix: WP Rocket, LiteSpeed, Stripe webhooks no longer blocked as bots
* Fix: php://input scan limit increased from 8KB to 64KB for large Elementor pages
* Fix: Iframe session expiry — re-authenticates via postMessage instead of redirecting to login
* Fix: Plugin sync endpoint now rate-limited (10 req/min per IP) against brute force
* Fix: Site connection state can no longer become inconsistent

= 2.0.1 =
* Fix: HMAC authentication now tries both site_secret and site_key for backward compatibility
* Fix: Heartbeat reliability — cloud ping cron now reaches all active sites
* Fix: Security score consistency between sites list and site overview
* Fix: Rescue service API endpoint corrections
* Improved: Cloud-to-agent sync stability

= 2.0.0 =
* Cloud dashboard launched at app.vistoshield.com
* Single lightweight plugin connects to EU-hosted cloud for centralized management
* All 14 security modules managed from one cloud dashboard
* Multi-site management from a single account
* HMAC authentication with dedicated site_secret
* Rescue malware cleanup service ($299 one-time)
* Paddle billing integration for Pro/Max plans
* Google Sign-In and Magic Link authentication
* 16 branded transactional email types
* Customer support widget with ticket system
* Site offline monitoring with email alerts
* Real WAF with 25 built-in rules (SQLi, XSS, LFI, RCE, scanners, bots)
* Login Guard with rate limiting, IP lockout, bad username blocking
* Security Scanner with core integrity, malware, vulnerability, and config audit
* Live traffic logging with Human/Bot/Internal classification
* JavaScript beacon for traffic tracking (works with all caching plugins)
* Plugin auto-update system from VistoShield cloud
* Mobile-responsive dashboard

= 1.1.0 =
* WordPress 6.7 compatibility verified across all modules
* Consistent admin UI styling and improved responsive layouts
* Performance optimizations for database queries and AJAX handlers

= 1.0.0 =
* First stable release — Linux daemon, 5 WordPress modules, DirectAdmin and Webmin integrations
* Security Scanner, Firewall & WAF, Bot Detector, Login Guard, Activity Log
* Dual firewall backend (nftables and iptables) with automatic detection
* Full IPv4 and IPv6 dual-stack protection
* One-line installer with OS and panel auto-detection

== Upgrade Notice ==

= 2.0.3 =
Critical fix: eliminates duplicate events in traffic log, login alerts, and all security modules. Recommended update for all users.

= 2.0.2 =
Critical fix: WAF no longer blocks Elementor, page builders, WooCommerce, contact forms, or cache plugins. Recommended update for all users.

= 2.0.1 =
Fixes HMAC authentication compatibility, heartbeat reliability, and security score consistency. Recommended update for all users.

= 2.0.0 =
Major release: EU-hosted cloud dashboard, 14 security modules, multi-site management, Rescue service, and Paddle billing. All managed from one lightweight plugin.
