=== Breach Radar via verisizintisi.com ===
Contributors: verisizintisi
Donate link: https://verisizintisi.com
Tags: security, data breach, privacy, breach, users
Requires at least: 5.6
Tested up to: 6.8
Requires PHP: 7.2
Stable tag: 1.0.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Check your WordPress users’ emails against known breaches via verisizintisi.com and act on risks.

Language: English | Türkçe → readme-tr_TR.txt

== Description ==

Breach Radar helps WordPress site owners monitor whether their users’ email addresses appear in known data breaches.

Features:
- Dashboard overview with risk summary and insights
- Manual and scheduled scans (daily)
- Logs with filters (email, found, HTTP, date range)
- Admin notifications on breach count increases (configurable threshold)
- Protection badge shortcode and Theme Customizer integration
- i18n: English and Turkish included; Azerbaijani and Russian supported via PO files

= How it works =
1. Get your API key at get.verisizintisi.com/wordpress and paste it in Settings.
2. Start a manual scan or enable the daily scan. The plugin sends, over HTTPS:
   - Your site domain (to validate token usage)
   - The email addresses selected for scanning
3. The API authenticates, rate‑limits, and checks a breach dataset. It returns per‑email status and counts (no breach contents).
4. Results are summarized in your dashboard and stored locally as scan logs. Breach contents remain user‑private on verisizintisi.com.

= Language & translations =
- Text Domain: breach-radar (auto‑loaded from WordPress.org)
- Bundled translations: English, Turkish. PO fallbacks provided for az_AZ and ru_RU under `wordpress/languages/`.
- Plugin UI language can be forced at Breach Radar → Settings → Language. Default is “Auto (Site language)”.

= Data sent to the service =
- Site domain (host) to validate token usage
- The email addresses you submit for lookup (transmitted for lookup; not persisted by the API)
- Usage metadata (request time, status code, counters) for rate‑limiting and abuse prevention

= Privacy and Terms =
- No tracking scripts are added to your WordPress frontend or admin.
- Lookups only run when you initiate them or via your scheduled task. Visitors are not tracked.
- Review: https://verisizintisi.com/privacy and https://verisizintisi.com/terms

= Security model =
- Admin pages require `manage_options` capability.
- All state‑changing actions use nonces (`check_admin_referer`).
- Inputs sanitized and validated; outputs escaped (`esc_html`, `esc_attr`, `esc_url`, `wp_kses_post`).
- HTTP host is derived via a safe helper instead of raw `$_SERVER`.
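
The four controls above, sketched as one settings handler processed through `admin-post.php`. This is an added example, not Breach Radar's own code: every `example_br_*` name, the `api_key` field, the option name and the key-format pattern are assumptions made for illustration.

```php
<?php
// Added illustration, not Breach Radar's source. The action, option,
// field and function names below are hypothetical.

// Derive the site host from WordPress configuration, not from the
// client-controlled Host header in $_SERVER['HTTP_HOST'].
function example_br_site_host() {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return is_string( $host ) ? strtolower( $host ) : '';
}

// State-changing handler routed through admin-post.php.
add_action( 'admin_post_example_br_save_key', 'example_br_save_key' );

function example_br_save_key() {
    // 1. Authorization: only users who can manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: dies unless the request carries a valid nonce for this action.
    check_admin_referer( 'example_br_save_key' );

    // 3. Input: unslash, sanitize, then validate against an allow-list pattern.
    $key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    $ok = (bool) preg_match( '/^[A-Za-z0-9_-]{16,128}$/', $key ); // assumed key format
    if ( $ok ) {
        update_option( 'example_br_api_key', $key, false ); // not autoloaded
    }

    // 4. Redirect before any output is sent, and only to a same-site URL.
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'example-br-settings', 'saved' => $ok ? '1' : '0' ),
        admin_url( 'admin.php' )
    ) );
    exit;
}

// Matching form markup: every dynamic value is escaped at output.
function example_br_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_br_save_key" />';
    wp_nonce_field( 'example_br_save_key' );
    echo '<p>' . esc_html( sprintf( 'Site host: %s', example_br_site_host() ) ) . '</p>';
    echo '<input type="password" name="api_key" value="" /> <button>Save</button></form>';
}
```

Because the handler runs on the `admin_post_*` hook before any page markup is rendered, the redirect cannot trigger a "headers already sent" warning.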

= Consent =
Depending on your local laws and policies, you may need to inform users and/or obtain consent before checking their email addresses against breach datasets. This plugin provides the tools, but responsibility for lawful use remains with the site owner.

== Installation ==

From your WordPress admin:
1. Plugins → Add New → Upload Plugin → select the ZIP → Install Now → Activate
2. Get your API key at get.verisizintisi.com/wordpress
3. Go to Breach Radar → Settings and paste your API key
4. (Optional) Configure scan filters, notifications, language
5. Start a manual scan or enable daily scans

== Frequently Asked Questions ==

= Does this show breach contents inside WordPress? =
No. Breach contents are user‑private on verisizintisi.com. Admins see presence and counts only.

= Does the API store my users’ emails? =
Emails are transmitted for lookup and not stored in usage logs. The service records minimal metadata for rate‑limiting and abuse prevention.

= How often can I call the API? =
Default daily limit is 10 requests per token (subject to change by plan). See the dashboard usage card.

= How do I add the protection badge? =
Use the shortcode:
`[verisizintisi_badge size="medium" theme="light" align="left" lang="auto"]`
Or use Appearance → Customize → Breach Radar Badge.

= Can I force the plugin language? =
Yes. Go to Breach Radar → Settings → Language. “Auto” follows the site language. You can force Turkish, English, Azerbaijani, or Russian.

== Screenshots ==
1. Dashboard overview and insights
2. Logs with filters
3. Badge examples

== Changelog ==
= 1.0.2 =
- Added first‑run Setup Wizard (activation redirect, two‑step flow)
- API key connectivity test with clear status; daily scan toggle
- Admin notice until setup is completed
- Fixed redirects by processing setup via admin‑post to avoid "headers already sent"
- Minor UX copy and layout improvements

= 1.0.1 =
- Compliance and security improvements for Plugin Check
- Replaced raw $_SERVER usage with safe `get_site_url_safe()`
- Escaped flagged outputs (esc_html/esc_attr/esc_url/wp_kses_post)
- Confirmed sanitization/validation of GET/POST data
- Self‑healing scheduling for daily scans and last run tracking
- rand() → wp_rand(); parse_url() → wp_parse_url(); date() → gmdate()
- Always use $wpdb->prepare() with placeholders in Logs queries
- i18n fixes (Text Domain breach-radar), updated POT/PO files
- Removed chart embeds and unused assets

= 1.0.0 =
- First stable release: risk summary, insights, daily scan, log filters, notifications, badge page

== Upgrade Notice ==
= 1.0.2 =
Setup Wizard, admin‑post redirect fix to avoid header warnings, and UX improvements.

= 1.0.0 =
First stable release.
