Sitevorx

Changelog

1.0.7

  • Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.
  • Updated the reCAPTCHA settings heading to match the available v2/v3 selector.

1.0.6

  • Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer & Security hardening controls.
  • Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.

1.0.5

  • Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.
  • Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.
  • Improved: SMTP “Force From Email” now warns when the sender domain differs from the site domain (SPF/DKIM mismatch hint).
  • Improved: Scheduled cleanup skips OPTIMIZE TABLE on tables larger than 500MB to avoid long table locks on shared hosting.
  • New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter sitevorx_recaptcha_v3_score_threshold (default 0.5).
  • Compliance: Added empty index.php files in /assets, /includes, /languages for directory listing protection.
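
The 1.0.5 SVG entry describes rejecting DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations. The following is an added example of such a pre-upload check, not Sitevorx's own code. The function names are hypothetical, and it assumes the mbstring extension is available.

```php
<?php
// Added example; not Sitevorx's code. All function names are hypothetical.

/** True when SVG markup carries a declaration that can define or load entities. */
function example_svg_has_unsafe_declarations( string $svg ): bool {
	// UTF-16/32 input would hide "<!DOCTYPE" from a byte-level match, so
	// anything that is not NUL-free, valid UTF-8 is treated as unsafe.
	if ( strpos( $svg, "\0" ) !== false || ! mb_check_encoding( $svg, 'UTF-8' ) ) {
		return true;
	}
	// DOCTYPE / ENTITY declarations, or a SYSTEM / PUBLIC external identifier.
	$pattern = '/<!\s*(?:DOCTYPE|ENTITY)\b|\b(?:SYSTEM|PUBLIC)\s+["\']/i';
	return preg_match( $pattern, $svg ) === 1;
}

/** Upload filter: rejects an .svg file that fails the check above. */
function example_reject_unsafe_svg_upload( array $file ): array {
	$is_svg = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) === 'svg';
	if ( $is_svg ) {
		$svg = file_get_contents( $file['tmp_name'] );
		if ( $svg === false || example_svg_has_unsafe_declarations( $svg ) ) {
			$file['error'] = 'SVG rejected: DOCTYPE/ENTITY/SYSTEM/PUBLIC declarations are not allowed.';
		}
	}
	return $file;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: run the check before the upload is moved into place.
	add_filter( 'wp_handle_upload_prefilter', 'example_reject_unsafe_svg_upload' );
} else {
	// Stand-alone run (php example.php) over constructed samples.
	$samples = array(
		'plain'   => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
		'doctype' => '<!DOCTYPE svg [<!ENTITY e "x">]><svg>&e;</svg>',
		'system'  => '<!DOCTYPE svg SYSTEM "placeholder.dtd"><svg/>',
		'utf16'   => mb_convert_encoding( '<!DOCTYPE svg><svg/>', 'UTF-16LE', 'UTF-8' ),
	);
	foreach ( $samples as $label => $svg ) {
		printf( "%-8s %s\n", $label, example_svg_has_unsafe_declarations( $svg ) ? 'reject' : 'accept' );
	}
}
```

A check like this only refuses files outright; it does not replace element and attribute sanitization or the admin-only upload restriction the entry mentions.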

1.0.4

  • Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site/user locale is English.

1.0.3

  • Added dashboard, support, and rating links to the WordPress Plugins screen.

1.0.2

  • Second pass on WordPress Plugin Directory automated review feedback:
    • Header/footer script output now goes through wp_kses() with a strict allow-list (sitevorx_kses_tracking_tags()) that permits only tracking / verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through wp_kses_bad_protocol(), which strips javascript:, data: and vbscript: URLs.
    • The “Clear error log” feature now targets the canonical WP_CONTENT_DIR/debug.log location and uses the WordPress WP_Filesystem API. The plugin no longer writes anywhere outside wp-content/.
    • Escaped the secret login URL preview with esc_url( home_url( '/?' . $key ) ).
    • Removed the runtime .po -> .mo translation compiler. The plugin previously regenerated languages/sitevorx-en_US.mo on demand; that wrote to the plugin folder, which is not allowed. The compiled .mo is now shipped pre-built with the plugin and WordPress loads it normally.
    • Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled .mo file is now the only source of English strings.
    • Wrapped every remaining dynamic CSS class / inline style ternary (e.g. echo $active ? 'on' : 'off') with esc_attr() across the sidebar, dashboard overview, SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.

1.0.1

  • Security hardening per WordPress Plugin Review feedback:
    • Added sanitize_text_field() wrapper around every nonce value passed to wp_verify_nonce().
    • Sanitized $_POST raw script fields (header/footer injection) with a dedicated helper (sitevorx_sanitize_raw_script) before update_option(); save path remains gated by the unfiltered_html capability.
    • Replaced esc_url_raw() with esc_url() for inline CSS output in the custom login logo.
    • Escaped every translated/output string that previously used __() inside echo/printf/sprintf: now wrapped with esc_html__(), esc_html( sprintf(…) ), or the sitevorx_kses_basic() helper (allowlisted <strong>, <a>, <br>, <code>, …).
    • Hardened the JSON import flow with explicit wp_unslash() + wp_check_invalid_utf8() before json_decode(); per-field sanitization was already enforced on every decoded value.
    • Escaped integer counters and dynamic CSS class/style values with (int), esc_attr(), and esc_html() across all admin screens.
    • Sanitized the heavy_files[] array from the disk cleaner with array_map( 'sanitize_text_field', wp_unslash(…) ).

1.0.0

  • Initial public release.
  • Full security audit: nonce verification, capability checks, input sanitization on all forms.
  • Malware scanner for files and database.
  • System optimizer with scheduled WP-Cron cleanup.
  • Maintenance & Update monitor module.
  • Modern Flex/Grid responsive dashboard UI.
  • Complete Vietnamese localization.
  • Dashboard: complete UI redesign — hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.
  • Dashboard: “Xem dung lượng chi tiết” links directly to Detailed Storage tab.
  • Disk Space Manager: two-tab interface — “File Cỡ Lớn (>50 MB)” (scan & delete) and “Dung Lượng Chi Tiết” (WP Content breakdown by plugins/themes/uploads/other + top-10 DB tables + Refresh).
  • Security: added validation — cannot enable “Đổi Đường Dẫn Đăng Nhập” or “Khóa Tự Động Đăng Nhập” without filling required fields; shows error instead of silently reverting.
  • i18n: bundled language files included for English and Vietnamese.
  • i18n: added new translation strings for all new UI elements.

Author: iNET
Version: 1.0.7
Last Updated: May 5, 2026
Requires: WordPress 5.5
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4