=== TrapFlux Request Firewall ===
Contributors: susheelhbti
Tags: firewall, security, rate limiting, bot blocking, honeypot
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.2
Stable tag: 1.0.5
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight, behavior-based bot firewall. Blocks scanners before WordPress loads, with text attack reports for your hosting company.

== Description ==

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability scanners and bot floods by **how they behave**, not just where they come from.

* **Behavior-based blocking** — exploit-path probes (`.env`, `wp-config` backups, `.sql` dumps), malicious user agents, and request floods.
* **Rate limiting** — every visitor is rate limited; hits on exploit paths count double, so scanners get banned far faster than real visitors ever could.
* **Honeypot traps** — invisible links only bots follow; one visit means a permanent ban.
* **Subnet bans** — block a whole CIDR range (e.g. `20.100.172.0/24`) when attackers rotate IPs on cloud providers.
* **Text attack reports** — one-click downloadable `.txt` reports (summary + raw log) listing every URL attackers tried to access, ready to hand to your hosting company.
* **fail2ban-friendly log** — one pipe-delimited line per blocked request, so your host can ban attackers at the network level using the plugin's detections.
* **Fails open** — if the firewall itself hits an internal error it steps aside and your site keeps working normally. An emergency `disable.flag` file shuts blocking off instantly via FTP.
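The weighted rate limiting described above (exploit-path hits count double), as an added illustration that is not the plugin's own code: the 60-second window, the budget of 10 weighted hits and the exploit-path pattern are assumed values chosen for the example, not TrapFlux's real defaults.

```python
import re
from collections import defaultdict, deque

# Assumed tunables for this example, not the plugin's real settings.
WINDOW_SECONDS = 60
MAX_WEIGHTED_HITS = 10

# Exploit-path pattern built from the readme's own examples: .env files,
# wp-config backups (wp-config.php.bak, .old, ...) and .sql dumps.
EXPLOIT_PATH_RE = re.compile(r"(/\.env\b|wp-config\.php\.\w+|\.sql$)", re.IGNORECASE)


def is_exploit_path(path):
    """True when the request path looks like a probe for a sensitive file."""
    return EXPLOIT_PATH_RE.search(path) is not None


class WeightedRateLimiter:
    """Sliding-window limiter keyed by client IP. Every request adds a weighted
    hit (2 for exploit paths, 1 otherwise); once the sum of weights inside the
    window exceeds the budget the request is blocked."""

    def __init__(self, window=WINDOW_SECONDS, budget=MAX_WEIGHTED_HITS):
        self.window = window
        self.budget = budget
        self.hits = defaultdict(deque)  # ip -> deque of (timestamp, weight)

    def record(self, ip, path, now):
        """Record one request at time `now` (seconds) and return True if it
        should be blocked."""
        q = self.hits[ip]
        # Drop hits that have aged out of the window.
        while q and now - q[0][0] >= self.window:
            q.popleft()
        weight = 2 if is_exploit_path(path) else 1
        q.append((now, weight))
        return sum(w for _, w in q) > self.budget
```

A scanner probing six sensitive paths in a minute spends 12 weighted hits and is blocked, while a visitor needs more than ten ordinary page loads in the same window.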

= Strongest mode (optional) =

By default the firewall runs when plugins load — before WP routing, themes and queries. For maximum resource savings you can point PHP's `auto_prepend_file` at `firewall.php` so blocking happens before WordPress loads at all. See the FAQ.

= Honest limitations =

* This is a request firewall, not a malware scanner — it will not detect an already-infected site.
* It ships with rules for today's common probes and has no cloud threat feed; review the rules occasionally.
* The "Block xmlrpc.php" option breaks Jetpack and the WordPress mobile app — disable that single toggle if you use them.
* All assets (CSS/JS) are bundled — the plugin makes no external network requests.

== Installation ==

1. Upload the `trapflux-request-firewall` folder to `/wp-content/plugins/`, or install the zip via Plugins → Add New → Upload.
2. Activate **TrapFlux Request Firewall**. Your current IP is auto-whitelisted on activation.
3. Open the **TrapFlux Request Firewall** menu in wp-admin for stats, logs, reports and settings.

Data (config, bans, logs) is stored in `wp-content/uploads/trapflux-request-firewall/`. An `.htaccess` deny rule is written automatically (Apache). On NGINX add:

`location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }`

== Frequently Asked Questions ==

= How do I enable blocking before WordPress loads? =

Set PHP's `auto_prepend_file` to the engine, in `.user.ini` (most shared hosting) or `php.ini`:

`auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php`

Or in Apache `.htaccess` (mod_php):

`php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"`

The engine guards against double-loading, so having both is safe.

= I locked myself out. What do I do? =

Create an empty file named `disable.flag` inside `wp-content/uploads/trapflux-request-firewall/` via FTP or your host's file manager. All blocking stops instantly. Delete the file to re-enable.

= Can my hosting company use the log with fail2ban? =

Yes. Each blocked request is one line in `wp-content/uploads/trapflux-request-firewall/blocked.log`:

`2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit`

Suggested failregex: `^.* \| <HOST> \| .* \| BLOCKED: .*$`
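How the log format and the suggested failregex fit together, as an added example rather than code from the plugin: the sample lines are constructed in the documented `blocked.log` layout, and `<HOST>` is expanded to an IPv4 group as a simplification of fail2ban's own substitution (which also accepts IPv6 and hostnames). The summary function mirrors the kind of per-IP and per-path information the text reports are described as containing.

```python
import re
from collections import Counter

# Constructed sample lines in the blocked.log layout the readme documents
# (timestamp | ip | method path | UA | BLOCKED: reason). The last line is a
# deliberately non-matching line, included to show both regexes skip it.
SAMPLE_LOG = """\
2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: python-requests/2.31 | BLOCKED: rate-limit
2026-06-11 14:32:09 | 20.100.172.37 | GET /.env | UA: python-requests/2.31 | BLOCKED: exploit-path
2026-06-11 14:33:41 | 198.51.100.9 | GET /wp-config.php.bak | UA: curl/8.4 | BLOCKED: exploit-path
2026-06-11 14:35:02 | 203.0.113.5 | GET /?p=1 | UA: Mozilla/5.0 (X11; Linux) | NOTE: whitelisted
"""

# The readme's suggested failregex, with fail2ban's <HOST> placeholder
# expanded to a capturing group (IPv4 only here; fail2ban's real expansion
# is broader).
FAILREGEX = r"^.* \| <HOST> \| .* \| BLOCKED: .*$"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Full-field parser for building a report. The UA group is greedy, so a user
# agent that itself contains " | " cannot shift the BLOCKED: field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<host>\S+) \| (?P<request>[A-Z]+ \S+) \| "
    r"UA: (?P<ua>.*) \| BLOCKED: (?P<reason>.+)$"
)


def failregex_host(line):
    """The host fail2ban would extract from this line, or None if ignored."""
    m = FAIL_RE.match(line)
    return m.group("host") if m else None


def parse_blocked(log_text):
    """Return one dict per blocked line; non-block or malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def summarize(events):
    """Per-IP counts, per-reason counts and the sorted set of probed paths."""
    by_ip = Counter(e["host"] for e in events)
    by_reason = Counter(e["reason"] for e in events)
    paths = sorted({e["request"].split(" ", 1)[1] for e in events})
    return by_ip, by_reason, paths
```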

== Changelog ==

= 1.0.5 =
* Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data directory now resolves exclusively via wp_upload_dir(); activation aborts with a clear message if that is unavailable, instead of guessing a path.

= 1.0.4 =
* Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR hardcode and dirname walk-up fallbacks.
* Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).
* Plugin activation now stores the resolved upload path in config.json so prepend-mode engine can locate its data without guessing.

= 1.0.3 =
* Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all options, hooks, AJAX actions and constants.
* Moved all data (config, bans, logs) to the uploads directory: wp-content/uploads/trapflux-request-firewall/.
* Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request URI).
* Added a direct-access guard to the firewall engine file.

= 1.0.2 =
* Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes, no build step, no framework).

= 1.0.1 =
* Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard now makes zero external requests.

= 1.0.0 =
* Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans, text reports, fail2ban-friendly logging, emergency off-switch.

== Upgrade Notice ==

= 1.0.2 =
Admin styles rewritten as plain CSS; no framework or build step.
