=== AuthDock — Login Security, 2FA, Social Login & Brute Force Protection ===
Contributors: rakibantor
Donate link: https://degird.com
Tags: login security, two-factor authentication, social login, brute force protection, access control
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

All-in-one WordPress authentication plugin with social login, magic links, 2FA, brute force protection, custom login URL, session management, and security hardening.

== Description ==

**AuthDock** is a professional-grade WordPress authentication and user access management plugin that replaces 5–7 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API integration, and zero bloat.

Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet — AuthDock gives you full control over how users log in, stay safe, and interact with your site.

= 🔑 Social Login =

Let users sign in with one click using their existing accounts. No more forgotten passwords.

* **Google OAuth 2.0** — Sign in with Google using OAuth 2.0 authorization
* **Facebook Login** — Authenticate via the Facebook Graph API
* **GitHub OAuth** — Developer-friendly sign in with GitHub
* **X (Twitter) OAuth 2.0** — Uses OAuth 2.0 with PKCE (S256) for maximum security
* **Button Style** — Choose between icon + text, icon only, or text only button styles
* **Button Layout** — Display buttons vertically or horizontally
* **Button Order** — Drag and drop to reorder provider buttons
* **Default Role** — Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)
* **Auto-Registration** — Automatically create WordPress accounts from social profiles
* **Domain Restriction** — Restrict social login to specific email domains (e.g., `company.com`, `university.edu`)
* **Avatar Integration** — Automatically set user profile pictures from social account avatars
* **Account Linking** — Users can link/unlink social accounts from their WordPress profile page
* **Shortcode** — Place social login buttons anywhere using `[authdock_social_login]`
* **Developer Filters** — `authdock_allow_social_account_linking` and `authdock_allow_social_registration` for custom control

= ✉️ Magic Link Login =

Passwordless authentication — users receive a one-time login link via email. No passwords to remember or leak.

* **Enable/Disable** — Master toggle for passwordless login
* **Link Expiry** — Set how long each magic link stays valid (in minutes, default: 10 minutes)
* **Rate Limiting** — Maximum magic link requests per email per hour (default: 5/hour) to prevent abuse
* **Allowed Roles** — Restrict magic login to specific user roles (e.g., Subscribers, Editors)
* **Force Magic Login Mode** — Hide the standard WordPress password form entirely and show only the magic link form
* **Custom Email Subject** — Personalize the magic link email subject line
* **Custom Email Body** — Customize the email body using merge tags: `{user_name}`, `{magic_link}`, `{expiry_time}`, `{site_name}`, `{ip_address}`
* **One-Time Use** — Each magic link is cryptographically random and can only be used once
* **Token Invalidation** — Magic links are automatically invalidated when a user changes their password
* **Anti-Enumeration** — Generic success messages prevent attackers from discovering valid email addresses
* **Shortcode** — Display the form anywhere with `[authdock_magic_login]` and optional `redirect` attribute

= 🔐 Two-Factor Authentication (2FA) =

Add a second layer of security to every login. Supports TOTP authenticator apps and email-based verification codes.

* **Enable/Disable** — Master toggle for two-factor authentication
* **TOTP Method** — Time-based One-Time Passwords (RFC 6238) with QR code provisioning via Google Authenticator, Authy, Microsoft Authenticator, etc.
* **Email Method** — Receive a 6-digit numeric verification code via email
* **Enforced Roles** — Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA
* **Grace Period** — Give users a configurable number of days to set up 2FA before enforcement kicks in (default: 3 days)
* **Trusted Devices** — Allow users to skip 2FA on recognized devices for a configurable number of days (default: 30 days)
* **Trust Duration** — Set how long a device stays trusted (in days)
* **Backup Recovery Codes** — Generate 10 one-time-use backup codes for account recovery if the authenticator device is lost
* **Brute-Force Protection** — Rate-limited to 5 verification attempts per session to prevent code guessing
* **Encrypted Secret Storage** — TOTP secrets are encrypted with AES-256-CBC before storing in the database
* **Replay Protection** — Each TOTP code can only be used once per time window (RFC 6238 §5.2)
* **Clock Drift Tolerance** — Accepts codes from ±1 time step (30 seconds) to handle minor clock differences
* **Interstitial Challenge Screen** — Clean, WordPress-native verification screen shown after primary authentication
* **Admin Management** — Administrators can view and disable 2FA for any user from the user profile page

= 🛡️ Brute Force Protection (Login Limiter) =

Stop brute-force attacks with intelligent lockout rules that escalate automatically.

* **Enable/Disable** — Master toggle for login attempt limiting
* **Max Attempts** — Set the number of failed login attempts before triggering a lockout (default: 5)
* **Lockout Duration** — Time for the initial lockout period in minutes (default: 15 minutes)
* **Progressive Lockout** — Lockouts automatically escalate: 15 minutes → 1 hour → 24 hours for repeat offenders
* **Auto-Blacklist** — Permanently ban an IP after a configurable number of lockouts (e.g., after 5 lockouts)
* **IP Whitelist** — Allow trusted IP addresses to bypass login limits (supports exact match, CIDR ranges like `192.168.1.0/24`, and wildcards like `10.0.0.*`)
* **IP Blacklist** — Permanently block specific IP addresses, CIDR ranges, or wildcard patterns
* **Notify Admin on Lockout** — Send email alerts to the site administrator when an IP gets locked out
* **Notify Threshold** — Configure after how many lockouts the notification triggers (default: 1)
* **XML-RPC Integration** — Automatically block XML-RPC authentication from locked-out IPs
* **Login Page Warnings** — Display remaining attempt count and lockout timers directly on the login page
* **Log Retention** — Configure how long failed login attempt data is retained (default: 30 days)
* **Trusted Proxies** — Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers

= 🔄 Dynamic Login & Logout Redirects =

Send users exactly where they need to go — based on their role, or if it is their first login.

* **Role-Based Login Redirects** — Set a custom URL for each WordPress role after login (e.g., Editors → `/editorial-dashboard`, Subscribers → `/members-area`)
* **Role-Based Logout Redirects** — Set a custom URL for each WordPress role after logout
* **First-Login Redirect** — Redirect brand new users to a welcome page, onboarding wizard, or setup screen on their very first login
* **Relative & Absolute URLs** — Supports both relative paths (`/dashboard`) and full URLs (`https://example.com/welcome`)
* **Open Redirect Prevention** — All redirects are validated via `wp_safe_redirect()` and `wp_validate_redirect()` to prevent open redirect attacks

= 📋 Audit Logging =

Keep a complete, searchable record of every authentication event happening on your site.

* **Enable/Disable** — Master toggle for audit logging
* **Tracked Events** — Login success, login failure, logout, password reset, password change, user registration, profile updates (email/role changes), social login, social linking/unlinking, magic link requests, magic link usage, 2FA enabled/disabled, session termination, access blocked, lockout events
* **Event Details** — Each log entry records: user ID, event type, IP address, user agent, JSON context data, and precise timestamp
* **Retention Period** — Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited (0 = forever)
* **Auto-Cleanup** — Daily WP-Cron job automatically removes expired log entries in batches of 1,000 to avoid database locks
* **Filter by Event Type** — View only specific event categories (e.g., show only failed logins)
* **Filter by Date Range** — Narrow results by `date_from` and `date_to` parameters
* **Filter by User** — View all events for a specific user ID
* **Search by IP** — Find all events from a particular IP address
* **Full-Text Search** — Search across event types, IPs, and context data
* **CSV Export** — Download your complete audit log as a CSV file with formula injection protection
* **JSON Export** — Export logs in JSON format for integration with external tools
* **Purge All Logs** — One-click purge to clear all historical log data
* **Admin UI Viewer** — Built-in admin page with paginated table, filters, and export buttons
* **Custom Database Table** — Logs are stored in a dedicated `authdock_audit_logs` table with proper indexes for fast queries

= 🏰 Security Hardening =

Close common WordPress security holes without installing another plugin.

**Custom Login URL**
* **Custom Slug** — Replace `wp-login.php` with your own secret URL (e.g., `/my-secure-login`)
* **Block Action** — Choose what happens when someone visits the default `wp-login.php`: return a 404 error or redirect to the homepage
* **Recovery Key** — Access the login page in emergencies via a secret query parameter even when the custom URL is active

**XML-RPC Control**
* **Disable XML-RPC** — Completely disable the XML-RPC interface to block remote brute-force attacks
* **Partial Disable** — Remove only authentication methods while keeping pingbacks functional

**REST API Restriction**
* **Restrict to Authenticated Users** — Block all REST API access for unauthenticated visitors
* **Namespace Whitelist** — Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain accessible

**User Enumeration Prevention**
* **Block Author Archives** — Redirect `?author=N` enumeration queries to the homepage
* **Restrict User REST Endpoint** — Block `/wp-json/wp/v2/users` for non-logged-in users
* **Generic Login Errors** — Replace specific "username not found" or "wrong password" messages with a generic error

**Password Strength Enforcement**
* **Force Strong Passwords** — Master toggle for password policy enforcement
* **Minimum Length** — Set the minimum password length (default: 8 characters)
* **Require Uppercase** — Mandate at least one uppercase letter
* **Require Lowercase** — Mandate at least one lowercase letter
* **Require Number** — Mandate at least one numeric digit
* **Require Special Character** — Mandate at least one special character (e.g., `!@#$%`)
* **Enforced Roles** — Apply password rules only to specific roles

**Security HTTP Headers**
* **X-Content-Type-Options** — Prevents MIME-type sniffing (`nosniff`)
* **X-Frame-Options** — Blocks clickjacking by restricting iframe embedding (`SAMEORIGIN`)
* **X-XSS-Protection** — Legacy XSS filter for older browsers (`1; mode=block`)
* **Referrer-Policy** — Controls referrer information sent with requests (`strict-origin-when-cross-origin`)
* **Strict-Transport-Security (HSTS)** — Enforces HTTPS connections for 1 year (`max-age=31536000; includeSubDomains`)
* **Permissions-Policy** — Restricts access to camera, microphone, and geolocation APIs

**Role-Based Session Duration**
* **Per-Role Cookie Lifetime** — Set different authentication cookie durations per WordPress role (in hours)

= 📧 Email Notifications =

Stay informed about critical security events with real-time email alerts — for admins and users.

**Admin Notifications**
* **Multiple Failed Logins** — Alert every N failed attempts from the same IP (default: every 3)
* **IP Lockout** — Alert when an IP address gets locked out
* **Admin Login Alert** — Notify when an administrator account logs in
* **New User Registration** — Alert on every new user registration
* **User Promoted to Admin** — Alert when any user is promoted to the Administrator role
* **Admin Password Changed** — Alert when an administrator's password is changed or reset
* **2FA Disabled** — Alert when any user disables their two-factor authentication
* **Login from New IP** — Alert when a user logs in from a previously unseen IP address

**User Self-Notifications**
* **Password Changed** — Notify the user when their password is changed
* **Email Changed** — Notify at the OLD email address when a user's email is updated (security measure)
* **2FA Status Changed** — Notify the user when 2FA is enabled or disabled on their account
* **Social Account Linked** — Notify when a social provider is connected to their account
* **New Device Login** — Notify the user when a login is detected from a new IP address
* **Account Locked** — Notify the user when their account is locked due to failed attempts

**Notification Settings**
* **Custom Recipients** — Set custom email addresses for admin notifications (defaults to the site admin email)
* **Throttle Period** — Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)
* **Digest Mode** — Option to batch notifications instead of sending them individually
* **Test Email** — Send a test notification to verify your email configuration is working

= 🚪 wp-admin Access Control =

Restrict who can access the WordPress dashboard — by role, by IP, or both.

* **Enable/Disable** — Master toggle for access control
* **Blocked Roles** — Select which WordPress roles are blocked from accessing `/wp-admin` (e.g., Subscriber, Customer)
* **IP Restriction Mode** — Enable IP-based restrictions so only whitelisted IPs can access wp-admin
* **IP Whitelist** — Specify allowed IP addresses and CIDR ranges (e.g., `203.0.113.5`, `192.168.1.0/24`)
* **Hide Admin Bar** — Remove the WordPress admin bar from the frontend for blocked roles
* **Redirect Action** — Choose what happens when access is denied: redirect to homepage, redirect to a custom URL, or show a 403 Forbidden page
* **Custom Redirect URL** — Set a specific URL for the access-denied redirect
* **Emergency Bypass Key** — A secret query parameter (`?authdock_bypass=YOUR_KEY`) to regain access if you get locked out
* **Smart Exceptions** — AJAX requests, WP-Cron, and `admin-post.php` are always allowed through
* **Administrator Immunity** — Administrators are never blocked, regardless of settings

= ⏱️ Session Management =

Take control of user sessions — limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.

* **Enable/Disable** — Master toggle for session management
* **Concurrent Session Limit** — Set the maximum number of simultaneous active sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded
* **Idle Session Timeout** — Automatically log out users after a configurable period of inactivity (in minutes, 0 = disabled)
* **Per-Role Session Duration** — Set different session lifetimes for each WordPress role (in hours)
* **Admin Session Viewer** — View all active user sessions via the REST API, including user details and last activity timestamps
* **Remote Session Termination** — Administrators can terminate all sessions for any user with a single API call
* **Throttled Activity Tracking** — Last-activity timestamps are updated at most once per 5 minutes to minimize database writes

= ⚡ Performance & Infrastructure =

AuthDock is built for speed and follows WordPress best practices from top to bottom.

* **Conditional Asset Loading** — CSS and JavaScript files load only on pages where they are needed
* **Indexed Database Tables** — Custom tables use proper indexes for fast lookups
* **WP-Cron Maintenance** — Audit log cleanup runs via non-blocking WP-Cron
* **Transient-Based Tracking** — Brute force attempt tracking uses transients (no additional DB queries per login attempt)
* **REST API Powered** — All admin data operations go through the `authdock/v1` REST API namespace with 15+ endpoints
* **Hook-Based Architecture** — Centralized Loader class registers all hooks for clean dependency management
* **Custom Capabilities** — `authdock_manage_settings`, `authdock_view_audit_logs`, `authdock_export_audit_logs`, `authdock_manage_sessions`, `authdock_manage_lockouts`
* **Clean Activation** — Creates database tables, sets default options, registers capabilities, and schedules cron
* **Clean Deactivation** — Clears cron events but preserves all settings for reactivation
* **Full Uninstall** — Removes everything: options, user meta, database tables, capabilities, and transients
* **Full i18n** — All user-facing strings use proper WordPress internationalization functions with the `authdock` text domain

= 🤔 Why Choose AuthDock? =

* **Replace 5–7 plugins** — Social login + magic links + 2FA + brute force + audit logs + session management + access control — all in one
* **WordPress-native UI** — Looks and feels like core WordPress, not a foreign dashboard
* **REST API powered** — Modern, secure data handling for all admin operations
* **Lightweight & fast** — Conditional loading, object caching, and zero external CSS/JS frameworks in admin
* **Developer-friendly** — Extensive hooks, filters, and custom capabilities for extensibility
* **WordPress.org compliant** — No tracking, no encoded code, no forced upsells, full GPL-2.0+ license

= 🔗 Shortcodes =

* `[authdock_social_login]` — Display social login buttons (attributes: `layout`, `style`)
* `[authdock_magic_login]` — Display magic link login form (attributes: `redirect`)
* `[authdock_login_form]` — Display login form with 2FA support

== External services ==

This plugin connects to the following third-party services under the conditions described below. No data is sent to any external service unless the respective feature is explicitly enabled by the site administrator.

= Google OAuth 2.0 =

Used for "Sign in with Google" functionality. When a user clicks the Google login button, the plugin redirects them to Google's authorization server and receives back an authorization code, which is exchanged for an access token to retrieve the user's name, email, and profile picture.

* Service URL: https://accounts.google.com
* Data sent: Authorization code (during token exchange)
* Data received: User's name, email address, and profile picture URL
* When: Only when a user initiates a Google login
* [Google Terms of Service](https://policies.google.com/terms)
* [Google Privacy Policy](https://policies.google.com/privacy)

= Facebook Graph API =

Used for "Sign in with Facebook" functionality. When a user clicks the Facebook login button, the plugin redirects them to Facebook's authorization page and receives back an authorization code, which is exchanged for an access token to retrieve the user's name, email, and profile picture.

* Service URL: https://www.facebook.com
* Data sent: Authorization code (during token exchange)
* Data received: User's name, email address, and profile picture URL
* When: Only when a user initiates a Facebook login
* [Facebook Terms of Service](https://www.facebook.com/legal/terms)
* [Facebook Privacy Policy](https://www.facebook.com/privacy/policy/)

= GitHub OAuth =

Used for "Sign in with GitHub" functionality. When a user clicks the GitHub login button, the plugin redirects them to GitHub's authorization page and receives back an authorization code, which is exchanged for an access token to retrieve the user's name, email, and avatar.

* Service URL: https://github.com
* Data sent: Authorization code (during token exchange)
* Data received: User's name, email address, and avatar URL
* When: Only when a user initiates a GitHub login
* [GitHub Terms of Service](https://docs.github.com/en/site-policy/github-terms/github-terms-of-service)
* [GitHub Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement)

= X (Twitter) OAuth 2.0 =

Used for "Sign in with X" functionality. When a user clicks the X login button, the plugin redirects them to X's authorization page and receives back an authorization code, which is exchanged for an access token to retrieve the user's name, username, and profile picture.

* Service URL: https://x.com
* Data sent: Authorization code and PKCE code verifier (during token exchange)
* Data received: User's name, username, and profile picture URL
* When: Only when a user initiates an X (Twitter) login
* [X Terms of Service](https://x.com/en/tos)
* [X Privacy Policy](https://x.com/en/privacy)

== Installation ==

1. Upload the `authdock` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Go to **AuthDock** in the admin menu to configure settings
4. Enable the features you want to use

Or install directly from the WordPress plugin repository:

1. Go to **Plugins → Add New** in your WordPress admin
2. Search for "AuthDock"
3. Click **Install Now**, then **Activate**

== Frequently Asked Questions ==

= Does AuthDock work with WooCommerce? =

Yes. Social login buttons can be displayed on WooCommerce login and checkout pages when WooCommerce is active. Role-based redirects also work with WooCommerce customer roles.

= Is AuthDock multisite compatible? =

Yes. Each subsite in a WordPress multisite network has independent settings and its own audit log table.

= Will AuthDock slow down my site? =

No. AuthDock uses conditional asset loading — CSS and JavaScript are only loaded on pages where they are needed. Database queries use proper indexing, and brute force tracking uses lightweight transients instead of database writes.

= What happens when I deactivate the plugin? =

Cron events are cleaned up, but your settings, database tables, and user data are preserved so you can reactivate later without losing configuration.

= What happens when I delete the plugin? =

All plugin data is completely removed: options, user meta (social IDs, 2FA secrets, trusted devices), custom database tables, custom capabilities, and transients.

= Can I use social login and 2FA together? =

Absolutely. When a user logs in via social login, they are still required to complete the 2FA challenge if 2FA is enabled for their account or role. AuthDock ensures 2FA cannot be bypassed regardless of the login method.

= What authenticator apps work with AuthDock 2FA? =

Any TOTP-compatible authenticator app works, including Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and FreeOTP.

= What if I get locked out by the custom login URL? =

AuthDock includes a recovery key parameter. Access your login page via `?authdock_recover=YOUR_KEY` to bypass the custom login URL block. The recovery key is set in your security settings.

= Does the brute force protection work with Cloudflare or reverse proxies? =

Yes. You can configure trusted proxy IPs in the login limiter settings, and AuthDock will correctly read the real client IP from `X-Forwarded-For` headers.

= Can I export my audit logs? =

Yes. Audit logs can be exported in both CSV and JSON formats via the REST API or the admin UI. CSV exports include formula injection protection for safe spreadsheet use.

== Screenshots ==

1. **Dashboard** — Overview of authentication activity with live stats and quick feature toggles.
2. **Social Login Settings** — Configure Google, Facebook, GitHub, and X OAuth providers with button style options.
3. **Magic Link Settings** — Configure link expiry, rate limiting, allowed roles, and force-magic mode.
4. **Two-Factor Authentication** — TOTP and email-based 2FA setup with QR code provisioning and backup codes.
5. **Login Protection** — Brute force settings with progressive lockout, IP whitelist/blacklist, and notification options.
6. **Dynamic Redirects** — Role-based login and logout redirect rules with first-login redirect.
7. **Audit Logs** — Searchable, filterable log of all authentication events with CSV/JSON export.
8. **Security Hardening** — Custom login URL, XML-RPC control, security headers, password policies, and user enumeration prevention.
9. **Email Notifications** — Admin and user notification settings with throttle control and test email.
10. **Access Control** — wp-admin restriction by role and IP with emergency bypass and admin bar hiding.
11. **Session Management** — Concurrent limits, idle timeout, per-role session duration, and remote termination.
12. **Social Login Buttons** — Clean social login buttons on the WordPress login page.

== Changelog ==

= 1.0.0 =
* Initial release
* Social Login with Google, Facebook, GitHub, and X (Twitter) via OAuth 2.0
* Magic Link passwordless login with configurable expiry, rate limiting, and force-magic mode
* Two-Factor Authentication — TOTP (RFC 6238) and email-based 2FA with encrypted secret storage, backup codes, trusted devices, and per-role enforcement
* Brute force protection with configurable attempts, progressive lockout escalation, IP whitelist/blacklist with CIDR and wildcard support, and auto-blacklist
* Dynamic login/logout redirects with per-role configuration and first-login redirect
* Comprehensive audit logging to custom database table with retention, filters, CSV/JSON export, and auto-cleanup
* Security hardening — custom login URL with recovery key, XML-RPC control, REST API restriction, user enumeration prevention, password strength enforcement, and 6 security HTTP headers
* wp-admin access control with role-based and IP-based restrictions, admin bar hiding, emergency bypass key, and smart AJAX/cron exceptions
* Session management — concurrent session limiting, idle timeout, per-role session duration, admin session viewer, and remote termination
* Email notification system with 8 admin triggers, 6 user self-notification triggers, configurable throttling, custom recipients, and test email
* REST API namespace `authdock/v1` with 15+ endpoints for all data operations
* 5 custom capabilities for granular permission control
* Full i18n support with `.pot` file
* WordPress.org compliance — GPL-2.0+, no tracking, no encoded code, third-party service disclosure

== Upgrade Notice ==

= 1.0.0 =
Initial release of AuthDock. Install to replace multiple security plugins with a single, comprehensive authentication solution.
