Security (Critical): in 1.2.0 the backup .zip was written straight to wp-content/uploads/sitevorx-migrate/{job_id}/… with a job_id of only 8 characters and no auth gate, so the URL could be guessed and the full database dump, password hashes included, downloaded by anyone. 1.2.1: the download now goes through the endpoint admin-post.php?action=sitevorx_migrate_download, gated by the manage_options capability + nonce + per-job binding, and the file is streamed through PHP. job_id is lengthened to 32 characters, and a .htaccess (Apache) / web.config (IIS) deny rule is dropped at the root of sitevorx-migrate/ as defense-in-depth. The capability check is the actual control: the longer id only raises the guessing cost, and the .htaccess/web.config rules do nothing on nginx or any other server that ignores them.
Stability: the file inventory moved from a transient to JSON on disk ({tmp_dir}/files.json). 1.2.0 stuffed the whole path array into a transient; on a site with 50k files (5 GB of media) the wp_options row exceeded max_allowed_packet, set_transient() failed silently, and the job died right after init.
Performance: the DB dump now uses cursor pagination (WHERE pk > $last_pk) when the table has an integer primary key, with OFFSET as the fallback. 1.2.0 used a fixed OFFSET, which is O(n²) over the whole dump on InnoDB because every chunk re-reads the rows it skips, so a million-row table took minutes per chunk past the 1000th.
Correctness: multisite table selection no longer matches base_prefix (1.2.0 matched prefix OR base_prefix, so a sub-site export swallowed other sub-sites' tables). It now matches only the current sub-site's $wpdb->prefix.
Additional exclusions: node_modules, .git, .svn, .hg, .idea, .vscode, at any depth in the directory tree.
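The DB side of the 1.2.1 export in one runnable piece: multisite table selection on the current site's prefix, then per-table chunking with a cursor when an integer primary key exists and LIMIT/OFFSET otherwise. This is an added example, not the plugin's code; an in-memory sqlite3 database stands in for MySQL, the table names and row counts are constructed, and the MySQL INSERT format written to database.sql is assumed. select_tables() goes one step past the changelog and also guards the main site, whose prefix equals base_prefix and would otherwise sweep every wp_N_ table along with its own.

```python
"""Chunked DB dump for one site: table selection on multisite, then cursor
pagination with an OFFSET fallback.  Added example, not the plugin's code.
"""
import re
import sqlite3

CHUNK = 500  # rows per step, the exporter's batch size


def select_tables(names, prefix, base_prefix, include_sub_sites=False):
    """Tables belonging to the site with this $wpdb->prefix.

    1.2.0 also matched base_prefix, so from sub-site 2 it pulled in wp_3_* and
    every network table.  Added guard: on the main site prefix == base_prefix,
    so a plain prefix match would still sweep wp_2_*, wp_3_*, ...; those are
    skipped unless include_sub_sites is set.
    """
    sub_site = re.compile(re.escape(base_prefix) + r"\d+_")
    keep = []
    for name in names:
        if not name.startswith(prefix):
            continue
        if prefix == base_prefix and not include_sub_sites and sub_site.match(name):
            continue
        keep.append(name)
    return keep


def integer_pk(conn, table):
    """(name, column index) of a single INTEGER primary key column, or None."""
    # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
    pks = [r for r in conn.execute(f"PRAGMA table_info({table})") if r[5]]
    if len(pks) == 1 and pks[0][2].upper() == "INTEGER":
        return pks[0][1], pks[0][0]
    return None


def dump_chunks(conn, table, chunk=CHUNK):
    """Yield the table's rows chunk by chunk; each yield is one exporter step."""
    pk = integer_pk(conn, table)
    if pk is None:
        offset = 0   # fallback: the engine reads and discards `offset` rows every step,
        while True:  # so total cost is quadratic (MySQL also needs a stable ORDER BY here)
            rows = conn.execute(f"SELECT * FROM {table} LIMIT ? OFFSET ?", (chunk, offset)).fetchall()
            if not rows:
                return
            yield rows
            offset += len(rows)
    name, idx = pk
    first = f"SELECT * FROM {table} ORDER BY {name} LIMIT ?"
    after = f"SELECT * FROM {table} WHERE {name} > ? ORDER BY {name} LIMIT ?"
    last = None
    while True:      # cursor: the engine seeks straight to last_pk, O(chunk) per step
        rows = (conn.execute(first, (chunk,)).fetchall() if last is None
                else conn.execute(after, (last, chunk)).fetchall())
        if not rows:
            return
        yield rows
        last = rows[-1][idx]


def sql_quote(v):
    """Quote one value for the MySQL INSERT written to database.sql."""
    if v is None:
        return "NULL"
    if isinstance(v, (int, float)):
        return str(v)
    if isinstance(v, bytes):
        return "X'" + v.hex() + "'"
    return "'" + str(v).replace("\\", "\\\\").replace("'", "''") + "'"


def dump_site(conn, prefix, base_prefix, chunk=CHUNK):
    """Return {table: [INSERT statements]} for every table the site owns."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    out = {}
    for table in select_tables(names, prefix, base_prefix):
        out[table] = [
            f"INSERT INTO `{table}` VALUES "
            + ",".join("(" + ",".join(sql_quote(v) for v in r) + ")" for r in rows) + ";"
            for rows in dump_chunks(conn, table, chunk)
        ]
    return out


def build_demo():
    """Constructed network: main-site tables (wp_), sub-site 2 (wp_2_), and a
    composite-key table that has to take the OFFSET path."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [(i, f"post {i}") for i in range(1, 1204)])
    conn.execute("CREATE TABLE wp_2_posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    conn.executemany("INSERT INTO wp_2_posts VALUES (?, ?)", [(i, "sub-site post") for i in range(1, 11)])
    conn.execute("CREATE TABLE wp_term_relationships (object_id INTEGER, term_taxonomy_id INTEGER, "
                 "PRIMARY KEY (object_id, term_taxonomy_id))")
    conn.executemany("INSERT INTO wp_term_relationships VALUES (?, ?)", [(i, i % 7) for i in range(1, 101)])
    return conn


if __name__ == "__main__":
    db = build_demo()
    for table, statements in dump_site(db, "wp_", "wp_").items():
        print(table, len(statements), "steps")
```

The 1203-row posts table comes out in 3 steps either way; the difference is that the cursor branch costs the same for step 1000 as for step 1, while the OFFSET branch has MySQL walk and discard 500,000 rows before returning the 1001st chunk.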
1.2.0
New: Sao chép Website (Clone Website) page (includes/sitevorx-migrate.php): a chunked AJAX exporter that packages the database plus wp-content/{uploads,themes,plugins,mu-plugins} into a single .zip, with a manifest.json carrying the marker sitevorx-migrate-v1, for moving to another host or keeping an offline backup.
The exporter runs in batches through 3 AJAX endpoints (init / step / finalize); each step handles 40 files or 1 DB table and returns progress, so it does not time out on hosts with a low max_execution_time. Includes a progress bar, a download link and a button to clean up temp files.
Streaming-friendly DB dump: 500 rows per chunk via SELECT … LIMIT/OFFSET, writing INSERT statements straight into database.sql without loading a full table into memory.
Automatically excludes heavy cache directories (cache, wflogs, litespeed, et-cache, w3tc-config) and junk files (.DS_Store, Thumbs.db, error_log, debug.log) to keep the copy as small as possible.
The Import side (unzip + restore DB + serialized search-replace of URLs) will ship in 1.2.1.
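The file side of the export, as an added example rather than the plugin's code: build the inventory with the 1.2.0 cache/junk exclusions and the 1.2.1 directory exclusions applied at any depth, then persist it to files.json the way 1.2.1 does instead of a transient. Symlinks are skipped as well, which the changelog does not mention; without that a symlink under uploads/ can pull files from outside wp-content into the archive. The fixture tree is constructed in a temporary directory.

```python
"""Build the archive's file inventory and persist it to {tmp_dir}/files.json.
Added example, not the plugin's code.
"""
import json
import os
import tempfile

EXCLUDED_DIRS = {
    "cache", "wflogs", "litespeed", "et-cache", "w3tc-config",    # 1.2.0
    "node_modules", ".git", ".svn", ".hg", ".idea", ".vscode",     # 1.2.1
}
JUNK_FILES = {".DS_Store", "Thumbs.db", "error_log", "debug.log"}


def build_inventory(root):
    """Sorted, '/'-separated paths relative to root that belong in the zip."""
    keep = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into an excluded directory,
        # whatever its depth.  Symlinked directories are dropped too.
        dirnames[:] = [
            d for d in dirnames
            if d not in EXCLUDED_DIRS and not os.path.islink(os.path.join(dirpath, d))
        ]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in JUNK_FILES or os.path.islink(full):
                continue
            keep.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(keep)


def save_inventory(tmp_dir, files):
    """Write files.json; each step endpoint then reads its slice of 40 entries."""
    path = os.path.join(tmp_dir, "files.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"files": files, "total": len(files)}, fh)
    return path


def load_inventory(tmp_dir):
    with open(os.path.join(tmp_dir, "files.json"), encoding="utf-8") as fh:
        return json.load(fh)["files"]


def build_fixture():
    """Constructed wp-content tree mixing real content with excluded material."""
    root = tempfile.mkdtemp(prefix="sitevorx-demo-")
    files = [
        "uploads/2024/01/a.jpg",                     # keep
        "uploads/cache/page.tmp",                    # excluded dir (1.2.0)
        "uploads/.DS_Store",                         # junk file
        "themes/mytheme/style.css",                  # keep
        "themes/mytheme/node_modules/pkg/index.js",  # excluded at depth (1.2.1)
        "plugins/p/p.php",                           # keep
        "plugins/p/.git/config",                     # excluded at depth (1.2.1)
        "debug.log",                                 # junk file
    ]
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(rel)
    return root


if __name__ == "__main__":
    wp_content = build_fixture()
    inventory = build_inventory(wp_content)
    save_inventory(wp_content, inventory)
    print(load_inventory(wp_content))
```

Pruning dirnames in place is what makes "at any position in the tree" cheap: a node_modules three levels down is never entered, so the walk does not pay for its tens of thousands of files before discarding them.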
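The serialized search-replace mentioned for the Import side is the step most hand-rolled migrations get wrong: a URL inside a serialized option changes a string's length, so a plain replace leaves the s:N: prefixes stale and PHP's unserialize() then returns false for the whole option. The following is an added example, not the plugin's code, of doing it properly: a minimal parser for the types WordPress options use (N, b, i, d, s, a, O) that re-serializes with recomputed lengths. It works on bytes because s:N: counts bytes, not characters, and treats any cell that does not parse as a whole as plain text. The sample values are constructed.

```python
"""URL search-replace inside PHP-serialized data without corrupting it.
Added example, not the plugin's code.
"""
import re

_NUM = {b"i": re.compile(rb"-?\d+"), b"b": re.compile(rb"[01]"),
        b"d": re.compile(rb"-?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?|-?INF|NAN")}


def _expect(buf, i, literal):
    if buf[i:i + len(literal)] != literal:
        raise ValueError(f"expected {literal!r} at offset {i}")
    return i + len(literal)


def _read_until(buf, i, ch):
    j = buf.find(ch, i)
    if j < 0:
        raise ValueError("unterminated token")
    return buf[i:j], j + 1


def _parse(buf, i):
    """Parse one value at offset i; return (node, next offset)."""
    t = buf[i:i + 1]
    if t == b"N":
        return ("N",), _expect(buf, i + 1, b";")
    if t in _NUM:
        raw, i = _read_until(buf, _expect(buf, i + 1, b":"), b";")
        if not _NUM[t].fullmatch(raw):
            raise ValueError("bad scalar")
        return (t.decode(), raw), i
    if t == b"s":
        n, i = _read_until(buf, _expect(buf, i + 1, b":"), b":")
        n = int(n)
        i = _expect(buf, i, b'"')
        value = buf[i:i + n]           # exactly n bytes, whatever they contain
        if len(value) != n:
            raise ValueError("short string")
        return ("s", value), _expect(buf, i + n, b'";')
    if t == b"a":
        n, i = _read_until(buf, _expect(buf, i + 1, b":"), b":")
        items, i = _parse_items(buf, _expect(buf, i, b"{"), int(n))
        return ("a", items), i
    if t == b"O":
        n, i = _read_until(buf, _expect(buf, i + 1, b":"), b":")
        n = int(n)
        i = _expect(buf, i, b'"')
        cls = buf[i:i + n]
        count, i = _read_until(buf, _expect(buf, i + n, b'":'), b":")
        items, i = _parse_items(buf, _expect(buf, i, b"{"), int(count))
        return ("O", cls, items), i
    raise ValueError("not serialized")


def _parse_items(buf, i, count):
    items = []
    for _ in range(count):
        key, i = _parse(buf, i)
        if key[0] not in ("i", "s"):
            raise ValueError("bad key")
        value, i = _parse(buf, i)
        items.append((key, value))
    return items, _expect(buf, i, b"}")


def _dump(node):
    t = node[0]
    if t == "N":
        return b"N;"
    if t in ("i", "b", "d"):
        return t.encode() + b":" + node[1] + b";"
    if t == "s":
        return b's:%d:"%s";' % (len(node[1]), node[1])      # length recomputed here
    if t == "a":
        return b"a:%d:{%s}" % (len(node[1]), b"".join(_dump(k) + _dump(v) for k, v in node[1]))
    body = b"".join(_dump(k) + _dump(v) for k, v in node[2])
    return b'O:%d:"%s":%d:{%s}' % (len(node[1]), node[1], len(node[2]), body)


def _replace(node, old, new):
    """Replace inside string values; keys and class names are left untouched."""
    t = node[0]
    if t == "s":
        return ("s", node[1].replace(old, new))
    if t == "a":
        return ("a", [(k, _replace(v, old, new)) for k, v in node[1]])
    if t == "O":
        return ("O", node[1], [(k, _replace(v, old, new)) for k, v in node[2]])
    return node


def search_replace(value, old, new):
    """Replace old with new in one DB cell (all bytes).  Serialized cells are
    re-serialized with correct lengths; anything else is treated as plain text."""
    try:
        tree, end = _parse(value, 0)
        if end != len(value):
            raise ValueError("trailing data")
    except (ValueError, IndexError):
        return value.replace(old, new)
    return _dump(_replace(tree, old, new))
```

A regex over s:N:"…"; cannot do this safely, because the string payload may itself contain "; (the third test value shows one); only length-driven parsing is reliable.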
1.1.0
New module: Trung Tâm Bảo Mật (Security Center): consolidates the existing security features and adds Security Score, Headers, Honeypot, User Enumeration Protection, Login Notification and Core Integrity Checker.
New: HTTP Security Headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy), applied on the frontend only.
New: Login Honeypot: adds a hidden bot-trap field to the login form; real users are unaffected.
New: User Enumeration Protection: blocks ?author=N and the REST API route /wp/v2/users for unauthenticated visitors.
New: Login Notification: emails the admin when an account with manage_options logs in successfully (1h cooldown per IP).
New: WordPress Core Integrity Checker: compares the MD5 of each core file against api.wordpress.org/core/checksums/1.0/ to detect modified or missing files (runs on demand; declared under External Services).
UI: the “Tối ưu & Bảo mật” page is renamed “Tối ưu Tốc Độ”; the sidebar menu and dashboard get a new card for the Security Center.
Compliance: security actions are recorded through the single unified audit log (sitevorx_audit_log) rather than in several parallel ring buffers.
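The integrity comparison, as an added example and not the plugin's checker: the manifest shape ({"relative/path": md5}) is what api.wordpress.org/core/checksums/1.0/ returns under "checksums" (the real request takes the WordPress version and locale; no request is made here). The install tree and its manifest are constructed in a temp directory, with one file edited, one deleted and one dropped in. Reporting files under wp-admin/ and wp-includes/ that the manifest does not list is an addition beyond the changelog; a checksum-only scan never sees a dropped-in backdoor, and unreadable files are reported rather than crashing the scan, in the spirit of the 1.0.8 is_readable() change.

```python
"""Core integrity check against a checksum manifest.
Added example, not the plugin's code.
"""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def check_integrity(root, checksums):
    """Compare the install at root with {relpath: md5}.  Returns sorted lists
    of modified, missing, unreadable and unexpected files."""
    report = {"modified": [], "missing": [], "unreadable": [], "unexpected": []}
    for rel, expected in checksums.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif not os.access(path, os.R_OK):
            report["unreadable"].append(rel)      # skip instead of aborting the scan
        elif md5_file(path) != expected:
            report["modified"].append(rel)
    for core in CORE_DIRS:                        # addition: files core never shipped
        for dirpath, _, filenames in os.walk(os.path.join(root, core)):
            for name in filenames:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_fixture():
    """Constructed install: one clean file, one edited, one deleted, one dropped in.
    Returns (root, manifest)."""
    good = {
        "wp-includes/version.php": "<?php $wp_version = '6.5';",
        "wp-admin/admin.php": "<?php require_once 'admin-header.php';",
        "wp-login.php": "<?php // login",
    }
    manifest = {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in good.items()}
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel, body in good.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    # Tamper: append a webshell, delete a core file, drop a new file into wp-includes.
    with open(os.path.join(root, "wp-admin", "admin.php"), "a") as fh:
        fh.write(" eval(base64_decode($_POST['x']));")
    os.remove(os.path.join(root, "wp-login.php"))
    with open(os.path.join(root, "wp-includes", "helper.php"), "w") as fh:
        fh.write("<?php // not part of core")
    return root, manifest


if __name__ == "__main__":
    install, manifest = build_fixture()
    for kind, files in check_integrity(install, manifest).items():
        print(f"{kind}: {files}")
```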
1.0.11
Dashboard: each health issue now has a “→” action link that jumps directly to the page where the admin can fix it (Bảo mật, SMTP, Bảo trì, Tiện ích).
Dashboard: new detection — DISALLOW_WP_CRON set in wp-config.php. Warns the admin that internal WP-Cron is off and an external cron must be calling wp-cron.php, otherwise scheduled cleanup will not run.
Dashboard: new detection — recent SMTP failures. If SMTP logging is on, the dashboard counts non-success entries in the last 24h and links straight to the log tab.
Dashboard: new detection — active login lockouts. Shows how many IPs are currently locked, with a one-click jump to the Bảo Mật tab where they can be unlocked.
Audit log: diff summary now ignores default-off toggles on first save — only flags fields whose normalized on/off state actually flipped, so the “Ngữ cảnh” column lists just what the admin changed.
Hardening: lockout diagnostics SQL query now wraps the LIKE patterns with $wpdb->prepare() + $wpdb->esc_like() to satisfy Plugin Check, even though both patterns are hardcoded.
1.0.10
Audit log: the “Ngữ cảnh” column now describes what changed instead of dumping the full toggle state. Saving the security tab now records entries like “Bật Khóa XML-RPC, Tắt reCAPTCHA đăng nhập, Đổi số lần sai tối đa” instead of login_key=off | disable_editor=on | ….
Audit log: split “Lưu cấu hình Tối ưu & Bảo mật” into two distinct events — “Lưu cấu hình Tăng tốc Website” (Tăng Tốc tab) and “Lưu cấu hình Bảo mật & Tường lửa” (Bảo Mật tab) — so the timeline is easier to read.
Audit log: manual cleanup entries now say which cleanup categories were picked (e.g. “Dọn: bản nháp, bình luận rác — tổng 2 nhóm”) instead of revisions=1 | spam=0 | transients=1 | items=2.
Audit log: new public helper sitevorx_audit_summarize_diff() for any module that wants to produce a similar before/after change list.
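What a before/after summarizer of this kind does, as an added example rather than the plugin's sitevorx_audit_summarize_diff(): the field labels and toggle names are constructed. It applies the 1.0.11 rule (on a first save, toggles left at their default-off state are not reported), normalizes the several forms a checkbox value arrives in, and never writes field values into the log, so a changed SMTP password is recorded only as "Changed SMTP password".

```python
"""Summarize a settings save for the audit log as a human-readable change list.
Added example, not the plugin's helper.
"""
TRUTHY = {"1", "on", "true", "yes"}

# Constructed field metadata; the plugin's real field names are not assumed.
LABELS = {
    "xmlrpc_block": "XML-RPC lock",
    "login_recaptcha": "login reCAPTCHA",
    "max_attempts": "max failed attempts",
    "smtp_password": "SMTP password",
}
TOGGLES = {"xmlrpc_block", "login_recaptcha", "disable_editor"}


def as_bool(value):
    """Normalize the ways a checkbox arrives ('on', '1', '', None, True)."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    return str(value).strip().lower() in TRUTHY


def summarize_diff(before, after, labels=LABELS, toggles=TOGGLES):
    """Return e.g. 'Enabled XML-RPC lock, Disabled login reCAPTCHA, Changed max failed attempts'.

    before: previously stored settings ({} on first save); after: submitted settings.
    """
    parts = []
    first_save = not before
    for key, new_value in after.items():
        label = labels.get(key, key)
        if key in toggles:
            new = as_bool(new_value)
            old = as_bool(before.get(key))
            if first_save and not new:
                continue                       # default-off toggle left off: not a change
            if old != new:
                parts.append(("Enabled " if new else "Disabled ") + label)
        elif before.get(key) != new_value:
            parts.append("Changed " + label)   # the value itself is deliberately not logged
    return ", ".join(parts) if parts else "No changes"


if __name__ == "__main__":
    print(summarize_diff({}, {"xmlrpc_block": "on", "login_recaptcha": "", "max_attempts": "5"}))
    print(summarize_diff({"smtp_password": "old"}, {"smtp_password": "new"}))
```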
1.0.9
Login lockout: maximum failed attempts and lockout duration are now admin-configurable (3–50 attempts, 5 minutes to 7 days). Defaults preserve previous behavior (5 attempts, 24 hours).
Login lockout: new IP allowlist (one IPv4/IPv6 per line) — listed IPs are never counted and never locked, so an administrator on a known IP cannot lock themselves out.
Login lockout: “IP đang bị khóa” diagnostics panel under Tối ưu & Bảo mật → Bảo Mật & Tường Lửa shows currently locked entries (hash + attempt count + expiry timestamp) with a per-row Unlock button. Unlock action is gated by manage_options + nonce and writes a login_unlock event to the audit log.
Audit log: lockouts now write a login_lockout event the moment the threshold is hit, with IP, attempt count, last submitted username, and configured lockout window.
Hardening: aligned the audit log’s IP capture with sitevorx_get_client_ip(), so Cloudflare’s CF-Connecting-IP is only trusted when the matching CF-Ray header is present. Note that a client that can reach the origin directly can still send both headers, so this only holds up when the origin accepts traffic solely from Cloudflare’s published IP ranges.
i18n: restored Vietnamese diacritics in the reCAPTCHA failure messages and the two reCAPTCHA tab comments that had been mojibake-encoded.
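The 1.0.9 lockout pieces together, as an added example and not the plugin's sitevorx_get_client_ip() or lockout code. client_ip() applies the rule above (trust CF-Connecting-IP only when CF-Ray is present) and adds a stricter check that the TCP peer is inside Cloudflare's ranges, without which a client that reaches the origin directly can set both headers; the two ranges listed are a constructed subset of Cloudflare's published list, and the stricter check can be turned off to match the page's behaviour. The lockout keeps a hashed IP, an attempt counter and an expiry, the three values the diagnostics panel shows, never counts allowlisted addresses, and forgets expired locks. Accepting CIDR entries in the allowlist is an addition; the page describes one address per line.

```python
"""Client IP resolution behind Cloudflare and the login lockout with allowlist.
Added example, not the plugin's code.
"""
import hashlib
import ipaddress
import time

# Constructed subset of Cloudflare's published ranges; use the full list in production.
CF_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "2400:cb00::/32")]


def client_ip(remote_addr, headers, require_cf_peer=True):
    """Return the address to count failures against.  headers: dict of request headers."""
    cf_ip, cf_ray = headers.get("CF-Connecting-IP"), headers.get("CF-Ray")
    if not (cf_ip and cf_ray):
        return remote_addr
    try:
        candidate = ipaddress.ip_address(cf_ip.strip())
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if require_cf_peer and not any(peer in net for net in CF_RANGES):
        return remote_addr          # both headers present but not sent by Cloudflare
    return str(candidate)


class LoginLockout:
    def __init__(self, max_attempts=5, lockout_seconds=86400, allowlist=""):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.allow = [ipaddress.ip_network(line.strip(), strict=False)
                      for line in allowlist.splitlines() if line.strip()]
        self.entries = {}   # sha256(ip) -> {"attempts": int, "locked_until": float | None}

    @staticmethod
    def key(ip):
        return hashlib.sha256(ip.encode()).hexdigest()   # the panel shows the hash, not the IP

    def is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        entry = self.entries.get(self.key(ip))
        if not entry or entry["locked_until"] is None:
            return False
        if entry["locked_until"] <= now:
            del self.entries[self.key(ip)]                 # expired: forget it
            return False
        return True

    def record_failure(self, ip, now=None):
        """Count one failed login; return True when this failure triggers the lockout."""
        now = time.time() if now is None else now
        if self.is_allowlisted(ip) or self.is_locked(ip, now):
            return False
        entry = self.entries.setdefault(self.key(ip), {"attempts": 0, "locked_until": None})
        entry["attempts"] += 1
        if entry["attempts"] >= self.max_attempts:
            entry["locked_until"] = now + self.lockout_seconds
            return True
        return False

    def unlock(self, ip):
        """The per-row Unlock button; returns False if there was nothing to unlock."""
        return self.entries.pop(self.key(ip), None) is not None


if __name__ == "__main__":
    lock = LoginLockout(3, 600, "203.0.113.7\n2001:db8::/32\n")
    ip = client_ip("173.245.48.10", {"CF-Connecting-IP": "198.51.100.4", "CF-Ray": "8a1b-SIN"})
    print(ip, [lock.record_failure(ip) for _ in range(3)], lock.is_locked(ip))
```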
1.0.8
Compliance: SMTP log listing now uses $wpdb->prepare() for the LIMIT clause to satisfy automated SQL-injection scanners.
Compliance: removed PHP @ error suppression on the malware scanner’s file read; the scanner now checks is_readable() first and still gracefully skips unreadable files.
Compliance: clarified External Services disclosure in readme.txt to cover both reCAPTCHA v2 and v3, and to name the api/siteverify verification endpoint explicitly.
New: Audit Log submenu (Sitevorx → Nhật ký Kiểm toán) recording sensitive admin actions (settings save/reset/import, SMTP test, malware scan, scheduled cleanup change, manual cleanup run, disk file delete, log clear). Ring buffer of the 200 most recent entries, stored in the sitevorx_audit_log option (no new database table).
Hardening: factory reset now preserves the audit trail by skipping the audit-log option, so administrators can review what was reset after the fact. Uninstall still drops the option on full removal.
Dashboard: health overview now reflects runtime state, not just saved options. New warnings: scheduled cleanup enabled but no next run on cron (silent failure), SMTP mailer selected but missing credentials, reCAPTCHA toggle on but Site/Secret key empty, Maintenance Mode active (visitors blocked), WP_DEBUG still on in production.
Dashboard: SMTP and Cron status cards now show a red “Thiếu credential” / “Lỗi lịch” badge when the saved option does not match runtime readiness, and the health score stops counting a broken cron or credentials-less mailer as a passing check.
1.0.7
Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.
Updated the reCAPTCHA settings heading to match the available v2/v3 selector.
1.0.6
Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer & Security hardening controls.
Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.
1.0.5
Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.
Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.
Improved: SMTP “Force From Email” now warns when the sender domain differs from the site domain (SPF/DKIM mismatch hint).
Improved: Scheduled cleanup skips OPTIMIZE TABLE on tables larger than 500MB to avoid long table locks on shared hosting.
New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter sitevorx_recaptcha_v3_score_threshold (default 0.5).
Compliance: Added empty index.php files in /assets, /includes, /languages for directory listing protection.
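How an SVG upload gate that rejects XXE can look, as an added example rather than the plugin's sanitizer: the 1.0.5 change rejects DOCTYPE, ENTITY, SYSTEM and PUBLIC; this version rejects every markup declaration (anything starting with "<!" other than a comment or CDATA), which covers the same four tokens without false positives on the words SYSTEM or PUBLIC appearing in text, and does so before any XML parser touches the bytes, since an entity expansion attack lands during parsing. The checks for script, foreignObject, on* handlers and non-http hrefs are an addition beyond the changelog. The sample documents are constructed.

```python
"""Reject SVG uploads that carry XML markup declarations (XXE) or active content.
Added example, not the plugin's sanitizer.
"""
import re
import xml.etree.ElementTree as ET

_DECLARATION = re.compile(rb"<!(?!--|\[CDATA\[)")      # <!DOCTYPE, <!ENTITY, ... but not comments/CDATA
_FORBIDDEN_ELEMENTS = {"script", "foreignObject"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(data):
    """Return (accepted, reason) for the raw upload bytes."""
    if _DECLARATION.search(data):
        return False, "markup declaration (DOCTYPE/ENTITY/SYSTEM/PUBLIC) is not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for el in root.iter():
        name = _local(el.tag)
        if name in _FORBIDDEN_ELEMENTS:
            return False, f"<{name}> is not allowed"
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):
                return False, f"event handler attribute {a}"
            if a == "href":
                # Browsers ignore whitespace inside a scheme, so normalize first.
                v = re.sub(r"\s", "", value).lower()
                if ":" in v and not v.startswith(("http:", "https:")):
                    return False, f"href with disallowed scheme: {value!r}"
    return True, "ok"


# Constructed samples: one clean file, one with a comment, and four attacks.
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>',
    "comment": b'<svg xmlns="http://www.w3.org/2000/svg"><!-- ok --><rect width="1" height="1"/></svg>',
    "xxe": b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "href": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java\tscript:alert(1)"><text>x</text></a></svg>',
}


if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, sanitize_svg(doc))
```

The declaration check runs on the raw bytes on purpose: Python's expat parser expands internal entities, so a "billion laughs" document would already have consumed the memory before any element walk could reject it.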
1.0.4
Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site/user locale is English.
1.0.3
Added dashboard, support, and rating links to the WordPress Plugins screen.
1.0.2
Second pass on WordPress Plugin Directory automated review feedback:
Header/footer script output now goes through wp_kses() with a strict allow-list (sitevorx_kses_tracking_tags()) that permits only tracking / verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through wp_kses_bad_protocol() which strips javascript:, data: and vbscript: URLs.
The “Clear error log” feature now targets the canonical WP_CONTENT_DIR/debug.log location and uses the WordPress WP_Filesystem API. The plugin no longer writes anywhere outside wp-content/.
Escaped the secret login URL preview with esc_url( home_url( '/?' . $key ) ).
Removed the runtime .po -> .mo translation compiler. The plugin previously regenerated languages/sitevorx-en_US.mo on demand; that wrote to the plugin folder, which is not allowed. The compiled .mo is now shipped pre-built with the plugin and WordPress loads it normally.
Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled .mo file is now the only source of English strings.
Wrapped every remaining dynamic CSS class / inline style ternary (e.g. echo $active ? 'on' : 'off') with esc_attr() across the sidebar, dashboard overview, SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.
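Why the wp_kses_bad_protocol() step above matters more than the tag allow-list, shown as an added example that is neither WordPress's nor the plugin's code: a URL has to be normalized before its scheme is checked, because browsers decode entities and ignore tabs and newlines inside the scheme, so a naive startswith("javascript:") is bypassed by "java&#x09;script:". This version keeps only an allow-list of schemes and empties the value on anything else, whereas WordPress strips the offending scheme and keeps the remainder. The allowed scheme list is a constructed subset of wp_allowed_protocols(); the inputs are constructed.

```python
"""Strip dangerous URL schemes after normalizing the way a browser would.
Added example, not WordPress's wp_kses_bad_protocol() or the plugin's code.
"""
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto", "tel", "ftp"}   # constructed subset
_SCHEME = re.compile(r"^([a-z0-9+.-]+):", re.IGNORECASE)
_IGNORED = re.compile(r"[\x00-\x20\x7f]")   # control chars and whitespace browsers drop


def normalize(value):
    """Decode HTML entities (repeatedly, for double encoding) and drop the
    characters browsers ignore while parsing the scheme."""
    decoded = value
    for _ in range(3):
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    return _IGNORED.sub("", decoded)


def bad_protocol(value, allowed=ALLOWED_SCHEMES):
    """Return "" when the URL's scheme is outside the allow-list, else the original value."""
    m = _SCHEME.match(normalize(value))
    if m and m.group(1).lower() not in allowed:
        return ""
    return value


def naive_is_safe(value):
    """A check that looks at the raw string only; shown for contrast, it passes the bypasses."""
    return not value.lower().startswith(("javascript:", "data:", "vbscript:"))


if __name__ == "__main__":
    for url in ("javascript:alert(1)", "java&#x09;script:alert(1)", "https://example.com/"):
        print(repr(url), "naive:", naive_is_safe(url), "normalized:", repr(bad_protocol(url)))
```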
1.0.1
Security hardening per WordPress Plugin Review feedback:
Added sanitize_text_field() wrapper around every nonce value passed to wp_verify_nonce().
Sanitized $_POST raw script fields (header/footer injection) with a dedicated helper (sitevorx_sanitize_raw_script) before update_option(); save path remains gated by the unfiltered_html capability.
Replaced esc_url_raw() with esc_url() for inline CSS output in the custom login logo.
Escaped every translated/output string that previously used __() inside echo/printf/sprintf: now wrapped with esc_html__(), esc_html( sprintf(…) ), or the sitevorx_kses_basic() helper (allowlisted <strong>, <a>, <br>, <code>, …).
Hardened the JSON import flow with explicit wp_unslash() + wp_check_invalid_utf8() before json_decode(); per-field sanitization was already enforced on every decoded value.
Escaped integer counters and dynamic CSS class/style values with (int), esc_attr(), and esc_html() across all admin screens.
Sanitized the heavy_files[] array from the disk cleaner with array_map( 'sanitize_text_field', wp_unslash(…) ).
1.0.0
Initial public release.
Full security audit: nonce verification, capability checks, input sanitization on all forms.
Malware scanner for files and database.
System optimizer with scheduled WP-Cron cleanup.
Maintenance & Update monitor module.
Modern Flex/Grid responsive dashboard UI.
Complete Vietnamese localization.
Dashboard: complete UI redesign — hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.
Dashboard: “Xem dung lượng chi tiết” links directly to Detailed Storage tab.
Disk Space Manager: two-tab interface — “File Cỡ Lớn (>50 MB)” (scan & delete) and “Dung Lượng Chi Tiết” (WP Content breakdown by plugins/themes/uploads/other + top-10 DB tables + Refresh).
Security: added validation — cannot enable “Đổi Đường Dẫn Đăng Nhập” or “Khóa Tự Động Đăng Nhập” without filling required fields; shows error instead of silently reverting.
i18n: bundled language files included for English and Vietnamese.
i18n: added new translation strings for all new UI elements.