Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…

Changelog

1.13.0

  • New: Progressive rate limiting — block duration doubles on each repeat offense (5 min → 10 min → 20 min, etc.) with configurable maximum cap from 1 hour to 7 days. Enabled by default in Maximum Security preset.
  • New: Currently blocked IPs section in Firewall tab showing active rate limit blocks with IP, duration, strike count, and manual unblock button.
  • Improved: “Events to Log” note clarifying that firewall, security and settings events are always logged is now displayed as a visible notice box instead of a small description text.
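To make the progressive scheme above concrete, here is an added Python model of the block-duration logic (illustrative code, not the plugin's own PHP, which stores this state in WordPress rather than in memory): each repeat offense doubles the block from 5 minutes up to the configured cap, requests that arrive while a block is already active neither add a strike nor produce a second log entry (the 1.12.2 behaviour), and a manual unblock clears the block without erasing the strike count. The strike-expiry window is an assumption for the example, not a documented plugin setting.

```python
"""Progressive rate limiting: block duration doubles per repeat offense, capped.

Illustrative model only; the real plugin keeps this state in WordPress storage.
"""
from dataclasses import dataclass, field


@dataclass
class ProgressiveRateLimiter:
    base_block_seconds: int = 300             # first block: 5 minutes
    max_block_seconds: int = 3600             # cap; the plugin allows 1 hour to 7 days
    strike_memory_seconds: int = 7 * 86400    # ASSUMPTION: strikes reset after 7 quiet days
    strikes: dict = field(default_factory=dict)  # ip -> (strike_count, last_offense_ts)
    blocks: dict = field(default_factory=dict)   # ip -> block_expires_ts

    def block_duration(self, strike_count: int) -> int:
        """5 min -> 10 min -> 20 min -> ... doubling, never above the cap."""
        if strike_count < 1:
            raise ValueError("strike_count must be >= 1")
        return min(self.base_block_seconds * 2 ** (strike_count - 1),
                   self.max_block_seconds)

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while a block is active; expired blocks are dropped lazily."""
        expires = self.blocks.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.blocks[ip]
            return False
        return True

    def record_offense(self, ip: str, now: float):
        """Call when a client exceeds the request threshold.

        Returns (block_seconds, newly_blocked). While a block is active the
        strike count is not incremented and newly_blocked is False, so the
        caller logs the block exactly once rather than on every request.
        """
        if self.is_blocked(ip, now):
            return self.blocks[ip] - now, False
        count, last = self.strikes.get(ip, (0, 0.0))
        if now - last > self.strike_memory_seconds:
            count = 0                      # long quiet period: start over
        count += 1
        self.strikes[ip] = (count, now)
        duration = self.block_duration(count)
        self.blocks[ip] = now + duration
        return duration, True

    def unblock(self, ip: str) -> None:
        """Manual unblock from the admin UI; strike history is kept."""
        self.blocks.pop(ip, None)

    def active_blocks(self, now: float) -> list:
        """Rows for a 'currently blocked IPs' table: (ip, seconds_left, strikes)."""
        return [(ip, int(expires - now), self.strikes[ip][0])
                for ip, expires in self.blocks.items() if expires > now]


if __name__ == "__main__":
    limiter = ProgressiveRateLimiter()
    t = 1_000.0                            # constructed clock value
    print(limiter.record_offense("203.0.113.7", t))        # (300, True)
    print(limiter.record_offense("203.0.113.7", t + 60))   # (240.0, False)
    print(limiter.record_offense("203.0.113.7", t + 301))  # (600, True)
    print(limiter.active_blocks(t + 301))
```

The `newly_blocked` flag is what separates "block created" from "request rejected"; logging only on the former keeps the audit log readable under a sustained flood. Real deployments should persist strikes and blocks outside the process (the plugin uses WordPress storage), since an in-memory dict resets with every PHP request.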

1.12.2

  • Fix: rate limit logging now records only once per block instead of every repeated request
  • Fix: file integrity scan compatibility with WordPress.org checksums API nested response format

1.12.1

  • Fix: WooCommerce payment gateway IPN callbacks blocked by bot protection htaccess rules

1.12.0

  • New: WordPress option change tracking now uses a curated whitelist of ~30 security-relevant core options instead of an unreliable blacklist. No more false positives from cache plugins, management tools, or hit counters.
  • New: “Additional options to track” field in Security Audit settings — monitor options from WooCommerce, SEOPress, or any plugin using exact names or prefix matching (e.g. “woocommerce_”).
  • Fix: REST API protected endpoints caused PHP warnings due to regex patterns being corrupted by input sanitization. Endpoint matching now uses simple prefix comparison, eliminating the issue entirely.

1.11.1

  • Fix: Additional notification recipients were saved without line breaks, causing only the admin email to receive notifications. Recipients are now stored as an array internally.
  • Fix: Disabling “Send to admin email” now works correctly — the fallback no longer overrides the user’s explicit choice.
  • Fix: Creating a new user no longer generates a duplicate “role changed” log entry.
  • Fix: Comment approvals and rejections are now logged (previously only creation, spam, trash, and deletion were tracked).
  • Fix: Noisy options from management plugins (ManageWP, MainWP, InfiniteWP) and hit counters are filtered from option change logging.
  • Improved: Events to Log checkboxes displayed in two-column grid layout.
  • Improved: Exclusion fields include descriptive helper text.
  • Improved: Settings change log entries show readable names instead of internal slugs.
  • Improved: Instant alert description clarified in File Integrity settings.
  • Improved: Existing corrupted email recipient data is automatically repaired on update.

1.11.0

  • Fix: Security Audit logging was silently disabled after saving settings due to an internal flag being incorrectly reset. This was the root cause of inconsistent or missing log entries across sites.
  • Fix: Per-category toggles (login, user changes, file changes) now actually control logging. Previously, external modules logged events regardless of user preferences.
  • Fix: Extra data in log entries no longer duplicates object fields already stored in dedicated columns.
  • Fix: Exclusion lists (users, IPs) and cleanup settings now use fresh values instead of stale cached data.
  • Fix: Removed dead code in AJAX trait (unused sanitizer, preset handler calling non-existent method).
  • New: Content edits without status change (e.g. editing a published post) are now logged as “edited” events.
  • New: Plugin and theme installations are now logged (previously only activations, updates, and deletions were tracked).
  • New: Theme updates are now logged via the upgrader.
  • New: “Security” event type added for Under Attack mode events, with proper label and filter support.
  • New: Complete settings form for Security Audit — all toggles are now visible and functional: failed logins, comments, media, file integrity, WordPress option changes, max entries, excluded users, and excluded IPs.
  • New: Media uploads and deletions are now logged (previously broken due to missing default).
  • Improved: WordPress option change logging now uses a blacklist approach instead of a 10-item whitelist, covering settings from WordPress core, WooCommerce, and other plugins.
  • Improved: Refresh button shows visual feedback (spinner) during loading and displays errors when requests fail.
  • Improved: Database migration automatically repairs sites where logging was silently disabled by previous versions.

1.10.1

  • Improved: Notification table status column now adjusts to text width to prevent wrapping

1.10.0

  • New: Centralized notification recipients – configure who receives all administrative emails from a single location in Settings & Tools
  • New: Additional recipients field – add maintenance professionals or security contacts alongside the WordPress admin email
  • New: Notification summary table – view all active notifications at a glance with direct links to configure each one
  • New: File integrity instant alert – receive an immediate email when suspicious or additional files are detected, regardless of periodic report settings
  • New: Developer filter vigilante_notification_recipients to programmatically modify admin email recipients
  • Improved: Tools tab renamed to “Settings & Tools” with notification settings at the top
  • Improved: Each notification section now shows a link to the centralized recipient settings
  • Fix: Admin monitoring section no longer displays a misleading reference to a non-existent “Login Security > Notification Email” field
  • Fix: File integrity scan “Total Scanned” now correctly sums OK + modified + suspicious + extra + ignored files instead of using an incomplete internal counter

1.9.0

  • Removed: Performance settings section from WP Hardening (post revisions, autosave interval, trash days, memory limit, auto updates). These are outside the scope of a security plugin and could cause conflicts with hosting configurations.
  • Removed: CONCATENATE_SCRIPTS, WP_POST_REVISIONS, AUTOSAVE_INTERVAL, EMPTY_TRASH_DAYS, WP_MEMORY_LIMIT, WP_MAX_MEMORY_LIMIT, and WP_AUTO_UPDATE_CORE from wp-config.php managed constants. Vigilante no longer comments out or overwrites these constants.
  • Fix: wp-config.php constants with multiple occurrences (e.g. duplicate WP_DEBUG defines) are now all properly commented. Previously only the first occurrence was handled, leaving duplicates active and causing conflicts.
  • Fix: WP_DEBUG is now explicitly set to false in wp-config.php when debug mode is disabled, instead of relying on WordPress implicit defaults.
  • Improved: Updated promotional banner with latest plugin and service catalog.
  • Tested up to WordPress 7.0

1.8.0

  • New – Force password reset by role: select one or more roles to reset all their users at once, ideal for security incidents
  • New – Informative login message when a user tries to log in after a forced password reset

1.7.2

  • Improved: Dashboard recommendations now include a direct link to the relevant settings tab
  • Improved: Your current IP address is displayed in the firewall IP management section
  • Improved: wp-config.php settings now visually separated into Security and Performance sections
  • Improved: File integrity scan summary stats are now centered for better visual consistency
  • Improved: Firewall description includes a compatibility note about full page caching systems (Varnish, LiteSpeed Cache, NGINX FastCGI, Cloudflare APO)
  • Improved: Activity Log renamed to Security Audit across the entire admin interface (internal slugs unchanged)
  • Fixed: File integrity scan totals now include an Ignored count so the summary numbers add up correctly

1.7.1

  • Fixed: Under Attack mode now correctly auto-deactivates when the timer expires
  • Fixed: JavaScript challenge no longer loops indefinitely – visitors pass through and get redirected properly
  • Fixed: Challenge page assets externalized to CSS/JS files for Content Security Policy compatibility
  • Fixed: Cache bypass on activation now works correctly with SiteGround (NGINX + Memcached + file-based cache), LiteSpeed, WP Rocket, WP Super Cache, W3 Total Cache, and other major caching solutions
  • Fixed: Admin countdown timer now updates immediately on page load
  • Improved: Added .htaccess cache-busting rules during Under Attack mode (auto-removed on deactivation)
  • Improved: Added NGINX and CDN no-cache headers (X-Accel-Expires, Surrogate-Control) for reverse proxy environments

1.7.0

  • New: Activity log search — find entries by IP, user agent, username, message, or any text. Minimum 3 characters, 400ms debounce. Works combined with existing type, severity, and method filters. Export respects active search and filters.
  • New: Activity log type and severity columns now display translated labels instead of raw database values.
  • Fix: Insecure username detection (admin, root, test, etc.) now checks all user roles, not just administrators. Consistent with username creation blocking which already prevents these names regardless of role.
  • Fix: Insecure username warning now always active, independent of the “block insecure usernames” setting. Previously, disabling the setting also silenced the warning.
  • Fix: Security score now penalizes installations with accounts using insecure usernames (-3 points).
  • Fix: Insecure usernames now appear in dashboard security recommendations with high priority.
  • Fix: Plugin name in browser tab titles is now translatable instead of hardcoded.
  • Fix: Activity log table no longer crushes the Message column on narrow screens. Uses auto layout with horizontal scroll instead of fixed layout.

1.6.1

  • New: Legacy WordPress core file detection in root scanner (wp-feed.php, wp-pass.php, etc.) – marked as additional instead of suspicious
  • New: Browser tab title now shows plugin name and active tab (e.g. “Vigilant > Firewall”)
  • Improved: Search engine verification files (BingSiteAuth.xml, LiveSearchSiteAuth.xml) and php.ini excluded from root directory scan

1.6.0

  • New: Root directory scanning in file integrity – detects non-core PHP files in WordPress root (common attack vector)
  • New: phpinfo() detection pattern in file integrity scanner
  • New: WP_DEBUG active warning in security dashboard with score penalty
  • New: Display name protection – prevents saving display name matching login username (User Security)
  • New: Dashboard recommendation when users have display name equal to login
  • New: Smart .htaccess classification in uploads – dangerous rules flagged as suspicious, protective rules as additional with content summary
  • Fix: readme.html and license.txt were never deleted due to mismatched setting keys
  • Fix: Sensitive file cleanup now runs daily (WordPress core updates recreate these files)
  • Fix: Added licencia.txt (Spanish locale) to sensitive file deletion, firewall blocking, and htaccess protection

1.5.5

  • Fix: Submenu links (Activity Log, File Integrity) showing blank page on some hosting environments

1.5.4

  • Fix: Close old comments setting no longer blocks WooCommerce product reviews
  • Fix: Email header plugin name was not translatable due to wrong text domain
  • Improved: Close old comments disabled by default (only active in Maximum preset)
  • Improved: Database tables list in backup tool now has scroll, zebra striping, and better layout

1.5.3

  • Fix: Plugin name in email header was not translatable
  • Fix: Overly broad bot detection patterns in PHP firewall that could block legitimate HTTP requests from plugins and external services

1.5.2

  • New: Admin option to allow/disallow “Remember this device” checkbox on 2FA verification (disabled by default)
  • New: Password expiry email reminder – sends notification when warning period starts
  • Improved: File integrity scanner skips known false positives (version.php, readme files)
  • Improved: Default email notification level changed to “Suspicious only” for file integrity
  • Improved: Custom login URL placeholder is now translatable
  • Improved: Explanatory text for password expiry email reminder setting
  • Fix: Password expiry email reminder setting had no functional implementation

1.5.1

  • Improved: Plugin rebranded to “Vigilant” for better international naming
  • Improved: New brand icon and banners

1.5.0

  • New: Authenticator app (TOTP) two-factor authentication – RFC 6238 compliant
  • New: Method selector – choose between email codes or authenticator app per site
  • New: QR code setup in user profile with verification step
  • New: Backup codes for TOTP – 10 emergency codes generated on setup
  • New: Grace period for TOTP setup (configurable 0-30 days)
  • New: Admin TOTP reset tool – search and reset users who lost authenticator access
  • New: Grace period dashboard notice reminding users to set up their authenticator app
  • New: Dedicated TOTP database table with encrypted secrets (AES-256-CBC)
  • New: HTML styled emails for verification codes and activation notifications
  • New: Admin password change alert in user security monitoring
  • New: Login URL change notification with auto-send and manual button
  • New: 2FA settings UI with visual method selector cards
  • Fix: Admin login notification now fires for all administrator logins
  • Fix: Plugin deactivation email was never sent
  • Improved: File integrity scan patterns stored externally for better hosting compatibility

1.4.2

  • Improved: Pagination for activity log (server-side, 20 items per page with AJAX navigation)
  • Improved: Pagination for file integrity scan results (suspicious, extra, and modified files)
  • Improved: Pagination for ignored files, blocked IPs, and active sessions lists
  • Improved: All paginated tables show item count and range indicator, with navigation arrows when needed
  • Improved: Pagination updates dynamically when items are removed (ignore file, unblock IP, revoke session)

1.4.1

  • Improved: All firewall block messages are now fully translatable (46 strings added to translation system)
  • Improved: Session limits default behavior changed to “Close oldest session” (recommended) instead of “Block new login”
  • Improved: Default WordPress memory limit increased to 1024 MB
  • Added: 2048 MB option for WordPress memory limit

1.4.0

  • New: Email notification levels – choose between all issues, suspicious only, or disabled
  • New: Excluded file extensions setting to reduce false positives (e.g., .log, .pot, .po, .mo)
  • New: Excluded paths UI – configure which directories to skip during scans
  • New: Ignore list – dismiss individual files from scan results and email notifications
  • New: Extra file detection in plugins and themes (PHP files not in official WordPress.org packages)
  • New: Plugins and themes without checksums are now scanned for suspicious code patterns
  • New: Two-level detection system – strict mode for plugins (obfuscation combos only), standard mode for uploads (broad pattern matching)
  • New: Extra files with suspicious code automatically escalate to the Suspicious category
  • New: String concatenation obfuscation detection (e.g., building dangerous function names from split strings)
  • New: Double extension detection in uploads directory (e.g., file.php.jpg)
  • New: .htaccess detection in uploads directory
  • New: HTML formatted email notifications with severity sections and summary stats
  • New: Enhanced suspicious code pattern detection (hex2bin, create_function, hex-encoded strings, chr() obfuscation, eval+decode combos)
  • Fix: Missing Scan Themes checkbox in settings UI
  • Fix: Plugins without available checksums were completely skipped, including suspicious file detection
  • Improved: Scan results tables now include Ignore buttons for each file
  • Improved: Scan scope checkboxes grouped in a single fieldset for clarity

1.3.2

  • Fixed: File integrity email notifications failing with “No recipient forward path” error when notification email field was empty

1.3.1

  • Fix: All admin JavaScript strings are now fully translatable (activity log popup, scan results, password reset, session management, user approval, preset badges, and more)
  • Fix: File integrity email notifications now work for both manual and scheduled scans
  • Fix: Duplicate scheduled file integrity scans removed (respects configured frequency)
  • Improved: Email notification on file changes is now enabled by default

1.3.0

  • New: User-Agent whitelist – exclude services like ManageWP, MainWP, UptimeRobot from firewall checks
  • New: User-Agent blacklist – block requests by User-Agent string with partial matching
  • New: HTTP request method column in activity log (GET, POST, PUT, DELETE, etc.)
  • New: Request method filter in activity log
  • New: Quick action buttons in log detail popup to add IPs or User-Agents to firewall lists
  • New: IP lookup links to AbuseIPDB directly from log entries
  • Improved: Log detail popup redesigned with grouped sections (Request, Client, Extra Data)
  • Improved: CSV export now includes request method column

1.2.3

  • Fix: IP whitelist and blacklist entries were merged into a single line after page reload, preventing exclusions from working correctly
  • Fix: Automatic migration repairs previously corrupted IP lists on update

1.2.2

  • Improved: New plugin suggestion added.

1.2.1

  • Improved: wp-config.php constant insertion now correctly placed before “That’s all, stop editing” comment, with support for translated wp-config files

1.2.0

  • New: Database backup download tool with table selection (Tools tab)
  • New: Database prefix change with random secure prefix generation (WP Hardening tab)

1.1.1

  • Fix: HTTP method restriction no longer blocks PUT and DELETE, allowing REST API requests from plugins like SiteGround Optimizer to work correctly.

1.1.0

  • New: Under Attack mode – Emergency JavaScript challenge protection with one-click activation
  • New: Automatic browser verification with proof-of-work challenge for frontend visitors
  • New: HMAC-signed verification cookies to prevent cookie forgery
  • New: Aggressive rate limiting (30 req/min) and HTTP method restriction during attacks
  • New: Auto-deactivation after 4 hours with email notifications
  • New: REST API and XML-RPC lockdown during Under Attack mode
  • New: Non-dismissible admin notice with link to dashboard while mode is active

1.0.4

  • Fixed: File Integrity scan results are now fully translatable
  • Fixed: File Integrity scanner now reliably detects suspicious files in uploads
  • Improved: Uploads directory is now scanned first for faster malware detection
  • Improved: Scan time limit increased from 25 to 60 seconds for thorough scanning
  • Improved: File limit in uploads scan increased from 2,000 to 10,000 files

1.0.3

  • Fixed: Security Headers test button and results are now fully translatable
  • Improved: Custom plugin icon now displayed in settings page header
  • Improved: Activation notice now includes shield dashicon

1.0.2

  • Improved: Settings page now uses full available width for better tab display

1.0.1

  • Fixed: REST API compatibility with plugins using PUT/DELETE methods
  • Fixed: wp-config.php constant insertion now works correctly on non-English WordPress installations
  • Fixed: WP Hardening options now properly apply when unchecking (disabling) settings
  • Fixed: Custom configuration detection now triggers when changing any section settings
  • Fixed: Corrupted UTF-8 characters in activity log messages and CSS
  • Improved: Custom login URL now automatically enables wp-login.php redirect to 404
  • Improved: Session limits no longer exclude administrators by default for better security
  • Improved: Dashboard “Custom Configuration” badge now uses more visible orange color
  • Improved: htaccess HTTP method restrictions now exclude REST API endpoints

1.0.0

  • Initial release
  • Two-factor authentication via email with trusted device support
  • Role-based 2FA enforcement
  • Advanced PHP-based firewall with SQL injection, XSS, and file inclusion protection
  • Rate limiting with configurable thresholds
  • IP whitelist and blacklist management
  • Complete security headers implementation (CSP, HSTS, X-Frame-Options, Permissions Policy)
  • Built-in security header testing tool
  • HTTPS enforcer with mixed content detection
  • Login security with brute force protection and progressive lockouts
  • Custom login URL support
  • XML-RPC and application passwords control
  • User security with insecure username blocking
  • Strong password enforcement with minimum length
  • Password expiration with history tracking
  • Force password reset for all users
  • Session management and concurrent session limits
  • Email verification for new registrations
  • Registration approval workflow
  • Admin account monitoring and alerts
  • WordPress hardening (wp-config constants, comment security, head cleanup)
  • Feed management and security
  • REST API security with selective endpoint protection
  • User enumeration prevention
  • Activity log with configurable event tracking
  • Log export to CSV and filtering
  • File integrity monitoring against WordPress.org checksums
  • Two-level suspicious code detection (strict for plugins, broad for uploads)
  • Extra file and obfuscation detection in plugins and themes
  • Scheduled scans with HTML email notifications and severity levels
  • Settings export and import
  • Manual backup creation tool
  • Two configuration presets (Standard, Maximum Security)
  • Automatic backup and restoration system
  • Clean rollback on deactivation
  • Full admin interface with tabbed settings

Version: 1.13.0
Last Updated: April 14, 2026
Active Installs: 300
Requires: WordPress 6.2
Tested Up To: WordPress 7.0
Requires PHP: 7.4
