Squish Site Patrol

Changelog

1.5.0

  • Security hardening: all SQL queries now use $wpdb->prepare()
  • All API keys (Google, WPScan, reCAPTCHA) encrypted at rest with AES-256-CBC
  • API keys no longer exposed in settings form HTML — masked with status indicator
  • 2FA login flow now uses WordPress transients instead of PHP sessions, for better compatibility with load balancers and object caches
  • Magic link token validation now enforces strict format checking
  • Fixed race condition in magic link rate limiting
  • SSL verification enabled in production for all internal HTTP requests
  • HIBP breach check now uses configured API key from settings
  • Removed “Up to 3 sites” from Patched feature list

1.4.0

  • Added audit log — tracks logins, plugin installs, settings changes, scans, 2FA events, and baseline resets with 90-day retention
  • Added magic link login — send a one-time HMAC-signed login link to your admin email (Patched)
  • Redesigned dashboard — clean two-panel layout with dedicated Hardening tab for all Patched checks
  • Improved issue count badges — Security panel shows free check issues only, Scans & hardening panel tracks scan and hardening issues separately
  • Added Issues only toggle to Scans & hardening panel
  • Added Recent activity strip to dashboard showing last 5 audit events
  • Added Files tab to Scans panel with file change monitoring checks
  • Score cards now hidden by default until first scan runs

1.3.0

  • Added 2FA via TOTP with QR code setup (Google Authenticator, Authy compatible)
  • Added custom branded interstitial login page — replaces default wp-login.php flow
  • Added reCAPTCHA v3 on login page (moved to free tier, no checkbox required)
  • Added Geo IP country blocking via ipapi.co
  • Added weekly HTML email reports (Patched)
  • Added aggressive transient caching (12–24hr TTL) across security, scanner, breach, and vulnerability check classes
  • Added rescan button with toast notification (no page reload required)
  • Added categorized check panels — Login, Server, and Files
  • Added issues-only toggle to hide passing checks
  • Redesigned Settings UI with card-based layout and masked API keys

1.1.0

  • Added scheduled automatic daily scans (Patched)
  • Added email scan reports when issues are detected (Patched)
  • Added real-time file change monitoring with baseline comparison (Patched)
  • Added SSL certificate expiry alerts (Patched)
  • Added wp-config.php permissions check (Patched)
  • Added failed login attempt monitoring (Patched)
  • Added debug mode detection (Patched)
  • Added XML-RPC status check (Patched)
  • Added admin account audit for inactive admins (Patched)
  • Added database prefix check (Patched)
  • Added directory listing detection (Patched)
  • Added email breach check via HaveIBeenPwned (Patched)
  • Added reset file monitoring baseline button (Patched)
  • Added suspicious file type detection in uploads (.exe, .sh, .bat)
  • Added user enumeration vulnerability check
  • Added dark mode toggle with localStorage persistence
  • Added scanning spinner on Run scan button
  • Added auto-scan status badge in scan bar
  • Added inline metric tooltips (Performance, LCP, CLS, FCP)
  • Score cards now show before a scan with placeholder values
  • Improved dashboard layout and branding

1.0.0

  • Initial release
  • PageSpeed Insights integration with Core Web Vitals
  • Security checker with 5 live checks
  • WordPress core file integrity scanner
  • PHP-in-uploads detection

Author: squishit
Version: 1.5.0
Last Updated: April 12, 2026
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.4
Requires PHP: 8.0
