=== Oriole One Master Guard ===
Contributors: rashidsharafat
Tags: login security, brute force, limit login attempts, hardening, security
Requires at least: 6.4
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

All-in-one WordPress security with brute-force protection, hardening controls, and a clear failed login audit log.

== Description ==

**Oriole One Master Guard** is a lightweight, all-in-one security plugin for WordPress. It protects your site against brute-force login attacks, hardens common WordPress attack surfaces, and gives you full control over your security configuration from a clean admin interface — all without touching WordPress core files.

Whether you run a personal blog, a business site, or manage WordPress for clients, Oriole One Master Guard is designed to be straightforward to configure and effective out of the box.

= Who Is This For? =

* Site owners who want meaningful login protection without relying on a large, bloated security suite.
* Developers who need a practical hardening toolkit with sensible defaults they can tune.
* Agencies managing multiple WordPress installations who need reliable, low-maintenance protection.

= What It Does =

**Brute-Force Login Protection**
Limits the number of failed login attempts allowed from a given IP address or username within a configurable time window. Once the threshold is reached, that IP address or username is temporarily locked and further attempts are blocked. A replay-safe token system ensures that hitting the browser back button or refreshing after a failed attempt does not count as additional attempts.

**Security Hardening**
A dedicated Hardening tab lets you enable or disable individual hardening features with a single checkbox. The plugin applies these protections directly using standard WordPress hooks and filters, keeping the setup simple and safe.

Hardening options include:

* Block XML-RPC requests site-wide
* Remove the users provider from WordPress sitemaps
* Return HTTP 404 for author archive pages and prevent username enumeration via ?author=N queries
* Restrict the /wp-json/wp/v2/users REST endpoint to logged-in users with the list_users capability
* Remove the WordPress version tag, RSD link, WLW manifest, oEmbed discovery links, and REST API head link
* Add a noindex, follow meta tag to category, tag, and author archive pages
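
The options above map onto standard WordPress hooks and filters. The following is an added illustration, written as a must-use plugin file; it is not the plugin's own code or its generated snippets, and each callback is an assumption about one reasonable way to implement the corresponding toggle:

```php
<?php
// Added illustration, not the plugin's code. Each block mirrors one hardening option.

// XML-RPC: disable authenticated methods and empty the WordPress method table.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Sitemaps: drop the "users" provider so author URLs are not listed.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
	return 'users' === $name ? false : $provider;
}, 10, 2 );

// Author archives: answer 404 before the canonical redirect (priority 10)
// can turn ?author=N into a URL that contains the username.
add_action( 'template_redirect', function () {
	if ( is_author() ) {
		global $wp_query;
		$wp_query->set_404();
		status_header( 404 );
		nocache_headers();
	}
}, 1 );

// REST: /wp/v2/users only for users holding the list_users capability.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( str_starts_with( $request->get_route(), '/wp/v2/users' ) && ! current_user_can( 'list_users' ) ) {
		return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => rest_authorization_required_code() ) );
	}
	return $result;
}, 10, 3 );

// Head cleanup: version tag, RSD, WLW manifest, oEmbed discovery, REST link.
foreach ( array( 'wp_generator', 'rsd_link', 'wlwmanifest_link', 'wp_oembed_add_discovery_links', 'rest_output_link_wp_head' ) as $callback ) {
	remove_action( 'wp_head', $callback );
}

// Robots: noindex, follow on category, tag and author archives.
add_filter( 'wp_robots', function ( array $robots ) {
	if ( is_category() || is_tag() || is_author() ) {
		$robots['noindex'] = true;
		$robots['follow']  = true;
	}
	return $robots;
} );
```

After enabling the equivalent toggles, the result can be checked from a logged-out session: an author archive should return 404, `/wp-json/wp/v2/users` should return an authorization error, and the page source should no longer carry the generator tag.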

**Code Preview**
The Code Preview tab shows the generated reference snippets that correspond to your current hardening settings. This output is read-only and provided for transparency only. The plugin does not ask administrators to paste or save arbitrary PHP, JavaScript, or CSS.

**Failed Login Audit Log**
Every lockout is recorded in a persistent audit table showing the blocked username, IP address, geolocation country, number of attempts, and the times at which the block was placed and will expire. Individual entries can be removed, or the entire log can be cleared with one click.

= Why Choose Oriole One Master Guard? =

* **Focused and lightweight** — does exactly what the name says with no unnecessary bulk.
* **Transparent** — the hardening behavior is clearly visible in the admin and not hidden in plugin internals.
* **Non-destructive** — uses WordPress hooks and the Settings API only; never modifies core files or theme files.
* **Auditable** — every lockout event is logged so you always know what happened and when.

== Installation ==

= Automatic Installation =

1. Log in to your WordPress admin dashboard.
2. Go to **Plugins > Add New Plugin**.
3. Search for **Oriole One Master Guard**.
4. Click **Install Now**, then click **Activate**.
5. Go to **Settings > Oriole One Master Guard** to configure the plugin.

= Manual Installation =

1. Download the plugin zip file from WordPress.org.
2. Log in to your WordPress admin dashboard.
3. Go to **Plugins > Add New Plugin** and click **Upload Plugin**.
4. Choose the downloaded zip file and click **Install Now**.
5. Click **Activate Plugin**.
6. Go to **Settings > Oriole One Master Guard** to configure the plugin.

= First-Time Setup =

After activation, the plugin is immediately active with secure default settings. Visit each tab to review and adjust:

* **Limit Logins** — set your preferred attempt threshold, window duration, and lockout length.
* **Hardening** — enable the security features that apply to your site.
* **Code Preview** — review the generated hardening snippets for reference.
* **Failed Logs** — monitor blocked login attempts.

== Frequently Asked Questions ==

= Does this plugin modify my theme's functions.php file? =

No. The plugin does not write to your theme files or ask you to save custom code. All protections are applied directly through standard WordPress hooks and filters.

= Will the hardening features conflict with other plugins? =

Each generated hardening snippet is wrapped in a function_exists() check, so they will not conflict with functions of the same name defined elsewhere. If you are already using another plugin to handle one of the same concerns (for example, blocking XML-RPC), you can simply leave that toggle unchecked.

= What happens if I deactivate or uninstall the plugin? =

Deactivating the plugin stops all brute-force protection and removes the security hooks. Uninstalling the plugin removes the stored plugin options from the database and cleans up legacy files from older versions if present. Your theme files are not affected in either case.

= Can I edit the generated hardening code? =

The Code Preview tab is read-only and provided for reference only. In line with WordPress.org security guidance, the plugin does not allow administrators to store or execute arbitrary PHP, JavaScript, or CSS.

= Why is geolocation shown as "Unknown"? =

Geolocation is resolved locally using PHP server extensions. If your hosting environment does not have a GeoIP extension or database available, the country value will display as Unknown. The login protection itself is not affected — all lockout logic is based on IP address, not geolocation.

= Can I unblock a locked user or IP manually? =

Yes. Go to the **Failed Logs** tab in the plugin settings. You can remove individual entries using the **Remove** button next to each row, which will also release any active lock for that user or IP. The **Clear Entries** button removes all log entries and releases all active locks at once.

= Does refreshing the login page after a failed attempt count as another attempt? =

No. The plugin uses a one-time token system tied to each login form submission. Refreshing the page or hitting the back button after a failed attempt does not create a new token and therefore does not count as another attempt.
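
The windowed attempt limit described under Brute-Force Login Protection and the one-time token described in this answer can be sketched together in plain PHP. This is an added example, not the plugin's code: the class name, the default thresholds, and the in-memory arrays standing in for persistent storage are all assumptions.

```php
<?php
// Added sketch: names, defaults and in-memory storage are assumptions, not the plugin's code.
final class LoginLimiterSketch {
    private array $tokens = [];      // unused one-time tokens
    private array $failures = [];    // key => timestamps of counted failures
    private array $lockedUntil = []; // key => unix time at which the lock expires

    public function __construct(private int $maxAttempts = 3, private int $window = 600, private int $lockout = 900) {}

    // Called when the login form is rendered: one fresh token per form.
    public function issueToken(): string {
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = true;
        return $token;
    }

    public function isLocked(string $key, int $now): bool {
        return ($this->lockedUntil[$key] ?? 0) > $now;
    }

    // Returns true only when the failure was counted against the given keys.
    public function recordFailure(string $token, array $keys, int $now): bool {
        if (!isset($this->tokens[$token])) {
            return false; // token already spent: a refresh or back-button resubmit
        }
        unset($this->tokens[$token]); // single use
        foreach ($keys as $key) {
            // Keep only failures inside the sliding window, then add this one.
            $recent = array_filter($this->failures[$key] ?? [], fn($t) => $t > $now - $this->window);
            $recent[] = $now;
            $this->failures[$key] = array_values($recent);
            if (count($recent) >= $this->maxAttempts) {
                $this->lockedUntil[$key] = $now + $this->lockout;
                $this->failures[$key] = [];
            }
        }
        return true;
    }
}

// Constructed input: a documentation-range IP and a sample username.
$limiter = new LoginLimiterSketch();
[$keys, $now] = [['ip:203.0.113.7', 'user:admin'], 1700000000];
$first = $limiter->issueToken();
$limiter->recordFailure($first, $keys, $now);
$replayed = $limiter->recordFailure($first, $keys, $now + 1); // same form resubmitted
for ($i = 2; $i <= 3; $i++) {
    $limiter->recordFailure($limiter->issueToken(), $keys, $now + $i);
}
printf("replay counted: %s, locked: %s\n", var_export($replayed, true), var_export($limiter->isLocked('ip:203.0.113.7', $now + 4), true));
```

In any design of this kind, a submission whose token is missing or already spent has to be rejected before the password is checked. Otherwise, skipping the counter for such requests would let scripted submissions avoid the limit.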

= Does this plugin work with WooCommerce or other login forms? =

The brute-force protection is applied to the standard WordPress login form at wp-login.php. Custom login forms provided by WooCommerce or membership plugins that bypass wp-login.php are not currently covered.

= Will enabling all hardening features break my site? =

Each feature is designed to be safe to enable on a standard WordPress installation. However, a few features have functional side effects you should be aware of: blocking author archives will affect sites that use author archive pages for editorial or portfolio purposes; restricting the REST users endpoint may affect some third-party integrations that query user data publicly. Review each feature description before enabling it.

= Does the Code Preview tab run any custom code? =

No. It only displays reference snippets based on your current hardening settings. The preview itself does not execute any user-provided code.

== Screenshots ==

1. **Limit Logins tab** — Configure maximum failed attempts, attempt window, lockout duration, and whether IP locking, username locking, or both are enabled.
2. **Hardening tab** — Enable or disable individual security hardening features using simple checkboxes.
3. **Code Preview tab** — View the generated hardening snippets for transparency and reference.
4. **Failed Logs tab** — Audit table listing blocked login attempts with username, IP address, geolocation, attempt count, and block timestamps.

== Requirements ==

* **WordPress:** 6.4 or higher
* **PHP:** 8.0 or higher

== Support ==

For questions, bug reports, or feature requests, please use the support forum on the plugin's WordPress.org page. When reporting a bug, include your WordPress version, PHP version, and a description of the steps to reproduce the issue.