Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.
Updated the reCAPTCHA settings heading to match the available v2/v3 selector.
1.0.6
Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer & Security hardening controls.
Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.
1.0.5
Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.
Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.
Improved: SMTP “Force From Email” now warns when the sender domain differs from the site domain (SPF/DKIM mismatch hint).
Improved: Scheduled cleanup skips OPTIMIZE TABLE on tables larger than 500MB to avoid long table locks on shared hosting.
New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter sitevorx_recaptcha_v3_score_threshold (default 0.5).
Compliance: Added empty index.php files in /assets, /includes, /languages for directory listing protection.
1.0.4
Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site/user locale is English.
1.0.3
Added dashboard, support, and rating links to the WordPress Plugins screen.
1.0.2
Second pass on WordPress Plugin Directory automated review feedback:
Header/footer script output now goes through wp_kses() with a strict allow-list (sitevorx_kses_tracking_tags()) that permits only tracking / verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through wp_kses_bad_protocol() which strips javascript:, data: and vbscript: URLs.
The “Clear error log” feature now targets the canonical WP_CONTENT_DIR/debug.log location and uses the WordPress WP_Filesystem API. The plugin no longer writes anywhere outside wp-content/.
Escaped the secret login URL preview with esc_url( home_url( ‘/?’ . $key ) ).
Removed the runtime .po -> .mo translation compiler. The plugin previously regenerated languages/sitevorx-en_US.mo on demand; that wrote to the plugin folder, which is not allowed. The compiled .mo is now shipped pre-built with the plugin and WordPress loads it normally.
Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled .mo file is now the only source of English strings.
Wrapped every remaining dynamic CSS class / inline style ternary (e.g. echo $active ? ‘on’ : ‘off’) with esc_attr() across the sidebar, dashboard overview, SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.
1.0.1
Security hardening per WordPress Plugin Review feedback:
Added sanitize_text_field() wrapper around every nonce value passed to wp_verify_nonce().
Sanitized $_POST raw script fields (header/footer injection) with a dedicated helper (sitevorx_sanitize_raw_script) before update_option(); save path remains gated by the unfiltered_html capability.
Replaced esc_url_raw() with esc_url() for inline CSS output in the custom login logo.
Escaped every translated/output string that previously used __() inside echo/printf/sprintf: now wrapped with esc_html__(), esc_html( sprintf(…) ), or the sitevorx_kses_basic() helper (allowlisted <strong>, <a>, <br>, <code>, …).
Hardened the JSON import flow with explicit wp_unslash() + wp_check_invalid_utf8() before json_decode(); per-field sanitization was already enforced on every decoded value.
Escaped integer counters and dynamic CSS class/style values with (int), esc_attr(), and esc_html() across all admin screens.
Sanitized the heavy_files[] array from the disk cleaner with array_map( ‘sanitize_text_field’, wp_unslash(…) ).
1.0.0
Initial public release.
Full security audit: nonce verification, capability checks, input sanitization on all forms.
Malware scanner for files and database.
System optimizer with scheduled WP-Cron cleanup.
Maintenance & Update monitor module.
Modern Flex/Grid responsive dashboard UI.
Complete Vietnamese localization.
Dashboard: complete UI redesign — hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.
Dashboard: “Xem dung lượng chi tiết” links directly to Detailed Storage tab.
Disk Space Manager: two-tab interface — “File Cỡ Lớn (>50 MB)” (scan & delete) and “Dung Lượng Chi Tiết” (WP Content breakdown by plugins/themes/uploads/other + top-10 DB tables + Refresh).
Security: added validation — cannot enable “Đổi Đường Dẫn Đăng Nhập” or “Khóa Tự Động Đăng Nhập” without filling required fields; shows error instead of silently reverting.
i18n: bundled language files included for English and Vietnamese.
i18n: added new translation strings for all new UI elements.
