Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…

變更記錄

1.8.0

• New – Force password reset by role: select one or more roles to reset all their users at once, ideal for security incidents
• New – Informative login message when a user tries to log in after a forced password reset

1.7.2

• Improved: Dashboard recommendations now include a direct link to the relevant settings tab
• Improved: Your current IP address is displayed in the firewall IP management section
• Improved: wp-config.php settings now visually separated into Security and Performance sections
• Improved: File integrity scan summary stats are now centered for better visual consistency
• Improved: Firewall description includes a compatibility note about full page caching systems (Varnish, LiteSpeed Cache, NGINX FastCGI, Cloudflare APO)
• Improved: Activity Log renamed to Security Audit across the entire admin interface (internal slugs unchanged)
• Fixed: File integrity scan totals now include an Ignored count so the summary numbers add up correctly

1.7.1

• Fixed: Under Attack mode now correctly auto-deactivates when the timer expires
• Fixed: JavaScript challenge no longer loops indefinitely – visitors pass through and get redirected properly
• Fixed: Challenge page assets externalized to CSS/JS files for Content Security Policy compatibility
• Fixed: Cache bypass on activation now works correctly with SiteGround (NGINX + Memcached + file-based cache), LiteSpeed, WP Rocket, WP Super Cache, W3 Total Cache, and other major caching solutions
• Fixed: Admin countdown timer now updates immediately on page load
• Improved: Added .htaccess cache-busting rules during Under Attack mode (auto-removed on deactivation)
• Improved: Added NGINX and CDN no-cache headers (X-Accel-Expires, Surrogate-Control) for reverse proxy environments

1.7.0

• New: Activity log search — find entries by IP, user agent, username, message, or any text. Minimum 3 characters, 400ms debounce. Works combined with existing type, severity, and method filters. Export respects active search and filters.
• New: Activity log type and severity columns now display translated labels instead of raw database values.
• Fix: Insecure username detection (admin, root, test, etc.) now checks all user roles, not just administrators. Consistent with username creation blocking which already prevents these names regardless of role.
• Fix: Insecure username warning now always active, independent of the “block insecure usernames” setting. Previously, disabling the setting also silenced the warning.
• Fix: Security score now penalizes installations with accounts using insecure usernames (-3 points).
• Fix: Insecure usernames now appear in dashboard security recommendations with high priority.
• Fix: Plugin name in browser tab titles is now translatable instead of hardcoded.
• Fix: Activity log table no longer crushes the Message column on narrow screens. Uses auto layout with horizontal scroll instead of fixed layout.

1.6.1

• New: Legacy WordPress core file detection in root scanner (wp-feed.php, wp-pass.php, etc.) – marked as additional instead of suspicious
• New: Browser tab title now shows plugin name and active tab (e.g. “Vigilant > Firewall”)
• Improved: Search engine verification files (BingSiteAuth.xml, LiveSearchSiteAuth.xml) and php.ini excluded from root directory scan

1.6.0

• New: Root directory scanning in file integrity – detects non-core PHP files in WordPress root (common attack vector)
• New: phpinfo() detection pattern in file integrity scanner
• New: WP_DEBUG active warning in security dashboard with score penalty
• New: Display name protection – prevents saving display name matching login username (User Security)
• New: Dashboard recommendation when users have display name equal to login
• New: Smart .htaccess classification in uploads – dangerous rules flagged as suspicious, protective rules as additional with content summary
• Fix: readme.html and license.txt were never deleted due to mismatched setting keys
• Fix: Sensitive file cleanup now runs daily (WordPress core updates recreate these files)
• Fix: Added licencia.txt (Spanish locale) to sensitive file deletion, firewall blocking, and htaccess protection

1.5.5

• Fix: Submenu links (Activity Log, File Integrity) showing blank page on some hosting environments

1.5.4

• Fix: Close old comments setting no longer blocks WooCommerce product reviews
• Fix: Email header plugin name was not translatable due to wrong text domain
• Improved: Close old comments disabled by default (only active in Maximum preset)
• Improved: Database tables list in backup tool now has scroll, zebra striping, and better layout

1.5.3

• Fix: Plugin name in email header was not translatable
• Fix: Overly broad bot detection patterns in PHP firewall that could block legitimate HTTP requests from plugins and external services

1.5.2

• New: Admin option to allow/disallow “Remember this device” checkbox on 2FA verification (disabled by default)
• New: Password expiry email reminder – sends notification when warning period starts
• Improved: File integrity scanner skips known false positives (version.php, readme files)
• Improved: Default email notification level changed to “Suspicious only” for file integrity
• Improved: Custom login URL placeholder is now translatable
• Improved: Explanatory text for password expiry email reminder setting
• Fix: Password expiry email reminder setting had no functional implementation

1.5.1

• Improved: Plugin rebranded to “Vigilant” for better international naming
• Improved: New brand icon and banners

1.5.0

• New: Authenticator app (TOTP) two-factor authentication – RFC 6238 compliant
• New: Method selector – choose between email codes or authenticator app per site
• New: QR code setup in user profile with verification step
• New: Backup codes for TOTP – 10 emergency codes generated on setup
• New: Grace period for TOTP setup (configurable 0-30 days)
• New: Admin TOTP reset tool – search and reset users who lost authenticator access
• New: Grace period dashboard notice reminding users to set up their authenticator app
• New: Dedicated TOTP database table with encrypted secrets (AES-256-CBC)
• New: HTML styled emails for verification codes and activation notifications
• New: Admin password change alert in user security monitoring
• New: Login URL change notification with auto-send and manual button

• New: 2FA settings UI with visual method selector cards

• Fix: Admin login notification now fires for all administrator logins

• Fix: Plugin deactivation email was never sent
• Improved: File integrity scan patterns stored externally for better hosting compatibility

1.4.2

• Improved: Pagination for activity log (server-side, 20 items per page with AJAX navigation)
• Improved: Pagination for file integrity scan results (suspicious, extra, and modified files)
• Improved: Pagination for ignored files, blocked IPs, and active sessions lists
• Improved: All paginated tables show item count and range indicator, with navigation arrows when needed
• Improved: Pagination updates dynamically when items are removed (ignore file, unblock IP, revoke session)

1.4.1

• Improved: All firewall block messages are now fully translatable (46 strings added to translation system)
• Improved: Session limits default behavior changed to “Close oldest session” (recommended) instead of “Block new login”
• Improved: Default WordPress memory limit increased to 1024 MB
• Added: 2048 MB option for WordPress memory limit

1.4.0

• New: Email notification levels – choose between all issues, suspicious only, or disabled
• New: Excluded file extensions setting to reduce false positives (e.g., .log, .pot, .po, .mo)
• New: Excluded paths UI – configure which directories to skip during scans
• New: Ignore list – dismiss individual files from scan results and email notifications
• New: Extra file detection in plugins and themes (PHP files not in official WordPress.org packages)
• New: Plugins and themes without checksums are now scanned for suspicious code patterns
• New: Two-level detection system – strict mode for plugins (obfuscation combos only), standard mode for uploads (broad pattern matching)
• New: Extra files with suspicious code automatically escalate to the Suspicious category
• New: String concatenation obfuscation detection (e.g., building dangerous function names from split strings)
• New: Double extension detection in uploads directory (e.g., file.php.jpg)
• New: .htaccess detection in uploads directory
• New: HTML formatted email notifications with severity sections and summary stats
• New: Enhanced suspicious code pattern detection (hex2bin, create_function, hex-encoded strings, chr() obfuscation, eval+decode combos)
• Fix: Missing Scan Themes checkbox in settings UI
• Fix: Plugins without available checksums were completely skipped, including suspicious file detection
• Improved: Scan results tables now include Ignore buttons for each file
• Improved: Scan scope checkboxes grouped in a single fieldset for clarity

1.3.2

• Fixed: File integrity email notifications failing with “No recipient forward path” error when notification email field was empty

1.3.1

• Fix: All admin JavaScript strings are now fully translatable (activity log popup, scan results, password reset, session management, user approval, preset badges, and more)
• Fix: File integrity email notifications now work for both manual and scheduled scans
• Fix: Duplicate scheduled file integrity scans removed (respects configured frequency)
• Improved: Email notification on file changes is now enabled by default

1.3.0

• New: User-Agent whitelist – exclude services like ManageWP, MainWP, UptimeRobot from firewall checks
• New: User-Agent blacklist – block requests by User-Agent string with partial matching
• New: HTTP request method column in activity log (GET, POST, PUT, DELETE, etc.)
• New: Request method filter in activity log
• New: Quick action buttons in log detail popup to add IPs or User-Agents to firewall lists
• New: IP lookup links to AbuseIPDB directly from log entries
• Improved: Log detail popup redesigned with grouped sections (Request, Client, Extra Data)
• Improved: CSV export now includes request method column

1.2.3

• Fix: IP whitelist and blacklist entries were merged into a single line after page reload, preventing exclusions from working correctly
• Fix: Automatic migration repairs previously corrupted IP lists on update

1.2.2

• Improved: New plugin suggestion added.

1.2.1

• Improved: wp-config.php constant insertion now correctly placed before “That’s all, stop editing” comment, with support for translated wp-config files

1.2.0

• New: Database backup download tool with table selection (Tools tab)
• New: Database prefix change with random secure prefix generation (WP Hardening tab)

1.1.1

• Fix: HTTP method restriction no longer blocks PUT and DELETE, allowing REST API requests from plugins like SiteGround Optimizer to work correctly.

1.1.0

• New: Under Attack mode – Emergency JavaScript challenge protection with one-click activation
• New: Automatic browser verification with proof-of-work challenge for frontend visitors
• New: HMAC-signed verification cookies to prevent cookie forgery
• New: Aggressive rate limiting (30 req/min) and HTTP method restriction during attacks
• New: Auto-deactivation after 4 hours with email notifications
• New: REST API and XML-RPC lockdown during Under Attack mode
• New: Non-dismissible admin notice with link to dashboard while mode is active

1.0.4

• Fixed: File Integrity scan results are now fully translatable
• Fixed: File Integrity scanner now reliably detects suspicious files in uploads
• Improved: Uploads directory is now scanned first for faster malware detection
• Improved: Scan time limit increased from 25 to 60 seconds for thorough scanning
• Improved: File limit in uploads scan increased from 2,000 to 10,000 files

1.0.3

• Fixed: Security Headers test button and results are now fully translatable
• Improved: Custom plugin icon now displayed in settings page header
• Improved: Activation notice now includes shield dashicon

1.0.2

• Improved: Settings page now uses full available width for better tab display

1.0.1

• Fixed: REST API compatibility with plugins using PUT/DELETE methods
• Fixed: wp-config.php constant insertion now works correctly on non-English WordPress installations
• Fixed: WP Hardening options now properly apply when unchecking (disabling) settings
• Fixed: Custom configuration detection now triggers when changing any section settings
• Fixed: Corrupted UTF-8 characters in activity log messages and CSS
• Improved: Custom login URL now automatically enables wp-login.php redirect to 404
• Improved: Session limits no longer exclude administrators by default for better security
• Improved: Dashboard “Custom Configuration” badge now uses more visible orange color
• Improved: htaccess HTTP method restrictions now exclude REST API endpoints

1.0.0

• Initial release
• Two-factor authentication via email with trusted device support
• Role-based 2FA enforcement
• Advanced PHP-based firewall with SQL injection, XSS, and file inclusion protection
• Rate limiting with configurable thresholds
• IP whitelist and blacklist management
• Complete security headers implementation (CSP, HSTS, X-Frame-Options, Permissions Policy)
• Built-in security header testing tool
• HTTPS enforcer with mixed content detection
• Login security with brute force protection and progressive lockouts
• Custom login URL support
• XML-RPC and application passwords control
• User security with insecure username blocking
• Strong password enforcement with minimum length
• Password expiration with history tracking
• Force password reset for all users
• Session management and concurrent session limits
• Email verification for new registrations
• Registration approval workflow
• Admin account monitoring and alerts
• WordPress hardening (wp-config constants, comment security, head cleanup)
• Feed management and security
• REST API security with selective endpoint protection
• User enumeration prevention
• Activity log with configurable event tracking
• Log export to CSV and filtering
• File integrity monitoring against WordPress.org checksums
• Two-level suspicious code detection (strict for plugins, broad for uploads)
• Extra file and obfuscation detection in plugins and themes
• Scheduled scans with HTML email notifications and severity levels
• Settings export and import
• Manual backup creation tool
• Two configuration presets (Standard, Maximum Security)
• Automatic backup and restoration system
• Clean rollback on deactivation
• Full admin interface with tabbed settings