Replaced the remaining admin action request helper with explicit local request inspection to reduce review ambiguity around passive mutation detection.
1.0.11
Replaced generic request readers with explicit contextual request inspection and switched the post-toggle admin status notice to a controlled transient-based flow.
1.0.10
Changed the main freeze toggle button to use site-focused labels instead of the plugin brand name, and updated translation catalogs accordingly.
1.0.9
Added a warning encouraging site owners to verify site health before freezing, with a link to Telchar for security audits and related tools.
1.0.8
Blocked post.php?action=delete so attachments cannot be permanently deleted from their detail screen during freeze. Returned core-compatible AJAX errors for blocked comment moderation actions so the admin UI shows a visible failure instead of behaving as if the action succeeded.
1.0.7
Allowed the minimum safe core AJAX actions needed for media and taxonomy browsing in wp-admin, and returned a visible error for blocked AJAX term creation instead of leaving the UI loading indefinitely.
1.0.6
Blocked low-level comment creation paths that pass through wp_new_comment() preprocessing so comment writes are denied more consistently during freeze.
1.0.5
Removed the remaining Heartbeat AJAX exception so frozen sites no longer expose that write-capable route. Added low-level metadata, taxonomy relationship, and user table write blocking to reduce custom code bypasses.
1.0.4
Fixed get_server_value() to use $_SERVER directly instead of filter_input(INPUT_SERVER), which returns null in PHP-FPM environments and silently disabled HTTP-method-dependent admin blocks.
1.0.3
Renamed the plugin, removed manual translation loading, hardened request validation, added a persistent admin notice while frozen, and updated compatibility metadata.
1.0.2
Closed admin-post.php write bypass. Blocked add_option and delete_option during freeze. Strengthened user capability checks. Fixed text inconsistencies in admin UI.
1.0.1
Removed dead code in option allowlist. Session tokens are stored in user meta, not options, so the entry had no effect.
