Atlant Security

1.1.4

• Added: CSV export on the Malware Scanner page — one-click downloads of full, untruncated File Findings and Database Findings (Reddit community suggestion). Paths, matched snippets, and details are no longer truncated — perfect for researching a hit in Excel/Numbers or sending to a security consultant before committing to Quarantine.
• Added: Tested up to bumped to WordPress 7.0
• Added: Scanner CSV exports are written to the audit log, so fleet admins can see when and by whom the full-detail extracts were downloaded
• Added: aswp_brand_name, aswp_brand_logo_url, aswp_brand_support_url filters so the Enterprise add-on can white-label the UI for agencies reselling the service
• Improved: CSV downloads include a UTF-8 BOM so Excel on Windows opens non-ASCII paths correctly

1.1.3 — Security Hardening

• Security: Custom Login URL grace cookie is now HMAC-signed (bound to user ID + wp_salt); the old “aswp_admin_grace=active” value can no longer bypass the hidden login URL
• Security: Two-Factor Authentication is now actually enforced for roles listed in “Required Roles” — users who have not enrolled are confined to profile.php on login until they set up TOTP or Email OTP
• Security: Outbound request log strips query strings and redacts Slack/Discord/Telegram webhook paths before storage — MaxMind license keys, API tokens, signed-URL signatures, and webhook secrets are no longer written to the database
• Security: SSRF protection always blocks outbound requests to private/internal IP ranges, regardless of the monitor’s log/enforce mode
• Security: SSRF DNS resolution now checks both IPv4 (A) and IPv6 (AAAA) records — previously only A records were inspected, letting a hostname with a public A record but a private AAAA record bypass the check on IPv6-preferring hosts
• Security: Concurrent session limiting now keys fingerprint/activity maps by the same verifier hash WordPress uses internally — previously the limiter could never actually destroy old sessions because it mixed raw tokens with verifier hashes
• Security: Loopback addresses (127.0.0.1, ::1) are no longer auto-whitelisted when the site is configured behind a reverse proxy or Cloudflare — on proxied hosts every visitor would otherwise appear as trusted
• Security: REST API write-block default policy now allows authenticated users with the edit_posts capability (editors, authors) so Gutenberg and the block editor keep working; only unauthenticated writes are refused
• Security: Post-Breach “Rotate Secret Keys” now rewrites wp-config.php directly (with a timestamped backup) instead of storing the new keys in wp_options where WordPress never reads them; falls back to a copy-paste snippet if the file is not writable
• Security: 2FA recovery codes are now generated and stored lowercased so user-entered codes verify correctly — previously the mixed-case display and lowercased verification hashed different strings, causing valid codes to fail
• Added: Trusted proxy IP setting in Settings › Reverse-Proxy / Load-Balancer — required for correct visitor IP detection behind Nginx, HAProxy, AWS ALB, and other reverse proxies
• Added: weekly cron schedule registration — required by the weekly Cloudflare / Google / Microsoft / GeoIP refresh jobs which WordPress core does not ship as a default interval
• Improved: Cloudflare / Google / Microsoft IP-range refresh cron callbacks now skip the outbound fetch when the matching integration toggle is disabled
• Improved: Multi-line settings (currently: trusted proxy IPs) preserve newlines on save instead of being collapsed by sanitize_text_field()

1.1.2

• Added: About page with 5-Layer Defense Architecture, competitive features list, attack vector coverage, and plugin information
• Improved: Dashboard decluttered — informational panels moved to About page for a cleaner operational view
• Improved: About page lists 15 unique competitive features with descriptions
• Fixed: Setup wizard no longer auto-redirects on plugin activation or reactivation
• Fixed: Setup wizard accessible from sidebar navigation at any time

1.1.1

• Improved: Visitor log table uses percentage-based column widths for fluid layout across screen sizes
• Improved: Filter bar and results info bar spacing tightened
• Fixed: Setup wizard admin notice removed — no longer floats above page layout

1.1.0

• Improved: Stat cards compacted — smaller icons, tighter padding, reduced font sizes
• Improved: Page header, grid column, and IP list padding reduced for denser layout
• Fixed: Session timeout now correctly respects “Exempt Administrators” setting for idle timeout and session fingerprint binding (was only checked for concurrent session limits)
• Fixed: Session security settings description updated to reflect full admin bypass scope

1.0.9

• Improved: Inner sidebar width reduced from 240px to 200px with tighter item padding
• Improved: Table headers shortened (IP Address > IP, Country > flag only, etc.)
• Improved: Top IPs widget uses compact 24x24px icon buttons instead of full-width buttons
• Improved: Dashboard grid right column uses responsive minmax sizing
• Improved: Page content padding and table cell padding reduced globally

1.0.8

• Fixed: Visitor log column widths — JS table-resize no longer overrides CSS-defined column classes
• Fixed: Added CSS column width classes to all table headers (visitor log + dashboard live visitors)
• Fixed: Dashboard live visitors table shows flag only (removed redundant country code text)

1.0.7

• Added: Inner sidebar navigation (Nexus SEO style) — all plugin pages accessible from a persistent left panel
• Added: WordPress sidebar shows single “Atlant Security” entry instead of 23 submenu items
• Added: Sidebar brand header with logo, active page highlighting, version footer
• Added: Responsive sidebar — collapses to horizontal nav on screens below 1024px
• Fixed: Plugin footer now renders inside page layout instead of WP’s admin footer area
• Fixed: “Sorry, you are not allowed to access this page” error caused by removing WordPress $submenu entries — now uses CSS-based hiding to preserve permission checks

1.0.6

• Improved: All plugin admin pages now send no-cache headers to prevent stale data from caching plugins
• Fixed: Top Pages widget CSS class mismatch causing broken styling
• Fixed: Top IPs widget now excludes whitelisted IPs from the list

1.0.5

• Fixed: decodeEntities function scoping bug in admin.js causing HTML entity rendering issues

1.0.4

• Added: GeoIP country resolution — MaxMind GeoLite2-Country integration with pure-PHP MMDB reader, auto-download, weekly auto-update, and dedicated admin page with test lookup
• Added: Custom Login URL module — move wp-login.php to a custom slug with automatic redirect of the default login page
• Added: Password Policy module — configurable minimum length, character requirements, common password blocking, and passphrase generator
• Added: Force SSL Admin as a plugin-managed setting (defines FORCE_SSL_ADMIN constant at runtime)
• Added: Auto-Update Plugins and Auto-Update Themes toggles in Settings and Hardening checklist
• Improved: Admin sidebar pages reordered alphabetically for easier navigation
• Improved: Post-Breach Command Center layout — lockdown status widget moved into Critical Actions grid
• Improved: Hardening checklist — Force SSL Admin now toggleable from the checklist (was “Manual fix required”)
• Fixed: Post-Breach page SQL queries referenced nonexistent table name (aswp_ip_blocks > aswp_blocked_ips)
• Fixed: Post-Breach blocked IP count query used wrong column names (expires_at > permanent/blocked_until)
• Fixed: Database migration duplicate-key error that broke all AJAX endpoints (visitor log, dashboard widgets)
• Fixed: Settings loss on plugin reactivation — WAF mode, auto-blocks, and setup wizard no longer reset
• Fixed: Timezone mismatch between stat cards and live visitors (gmdate/NOW vs current_time)
• Fixed: Text domain loaded too early warning on WordPress 6.7+ (moved to init hook)
• Fixed: Plugin deletion wiped all data — uninstall now requires explicit opt-in via deactivation dialog or Settings toggle
• Fixed: ALTER TABLE ADD INDEX SQL errors corrupting AJAX JSON responses when WP_DEBUG_DISPLAY is on
• Fixed: Consistent timezone handling across all 12 modules
• Fixed: Correlated subquery in update_blocked_counts cron job — replaced with single JOIN
• Fixed: Daily digest cron hook not cleared on plugin deactivation
• Fixed: GeoIP database directory cleanup in uninstall.php
• Internal: Complete codebase prefix migration from fwwp_ to aswp_ with automatic database migration on upgrade

1.0.3

• Added: Honeypot module with hidden link trap, fake login page, comment honeypot, CF7 integration
• Added: 3-layer safe bot protection for honeypots (robots.txt, nofollow, UA detection)
• Added: Security Headers admin page with letter-grade scoring
• Added: Two-Factor Authentication admin page with TOTP and Email OTP
• Added: Notifications admin page (Email, Slack, Webhook, Daily Digest)
• Fixed: Top IPs widget now shows VirusTotal link, Block button, and Details button
• Fixed: IP Detail Modal — added max-height, scroll, wider layout
• Fixed: Blocked IPs now correctly log 403 status code instead of 200
• Fixed: TwoFA role handling for comma-separated role strings

1.0.2

• Added: 5 new security modules — AI Crawlers, REST API Policies, Session Security, Outbound Monitor, Cron Guard
• Added: 5 new admin pages with full settings UI for each module
• Improved: Dashboard with live visitors auto-refresh, traffic chart, top IPs/pages widgets

1.0.1

• Added: Setup Wizard with 7-step guided configuration
• Added: IP Detail Modal on Dashboard
• Improved: Dashboard stat cards, browser distribution chart
• Fixed: Setup wizard pagination and button responsiveness

1.0.0

• Initial release with 17 security modules
• Web Application Firewall with 28+ attack pattern rules
• Brute force protection with progressive lockout
• Malware scanner (file and database)
• Post-breach recovery toolkit (12 actions)
• IP blocking and whitelisting
• Visitor log with filtering and pagination
• Admin audit log
• WordPress hardening (6 toggles)
• Rate limiter (11 endpoint categories)
• Real-time security dashboard