=== Volixta SSL & Security Headers ===
Contributors: volixta
Tags: security headers, mixed content, ssl, https
Requires at least: 5.8
Tested up to: 6.9
Stable tag: 1.1.4
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Add modern security headers, enable SSL/HTTPS, fix mixed content, and force 301 redirects for WordPress. Fast, safe, and easy to use.

== Description ==

Is your WordPress site still serving pages over **HTTP** instead of **HTTPS**?  
Do you see browser warnings like *"Not Secure"* even though you installed SSL?  
Are you getting **mixed content errors** in Chrome or Firefox after enabling HTTPS?  
Is your Site Health report complaining about missing **security headers**?

👉 **Volixta SSL & Security Headers fixes all of these in a few clicks.**

Easily **activate SSL**, **force 301 redirects**, repair **mixed content**, and apply recommended **WordPress security headers** like HSTS, CSP, and X-Frame-Options.

---

### 🔐 What does Volixta do?

- **Activate SSL automatically**: safely update your WordPress `home` and `siteurl` to use `https://`.
- **Force HTTPS with 301 redirect**: adds a safe `.htaccess` block on Apache/LiteSpeed, or falls back to a PHP redirect if needed.
- **Fix mixed content**: scans your posts, postmeta, and options for `http://` links and replaces them with `https://` (serialization-safe).
- **Apply modern HTTP Security Headers**: HSTS, Content-Security-Policy (`upgrade-insecure-requests`), X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP.
- **Nginx friendly**: when `.htaccess` is not available, Volixta shows ready-to-copy Nginx rules.
- **Site Health integration**: checks for SSL, redirects, and security headers.

---

### ✅ Why choose Volixta?

- **Safe by design**  
  Nothing is applied automatically. You choose what to enable. Each `.htaccess` modification creates a timestamped backup.

- **Serialization-safe mixed content fixer**  
  No risk of breaking complex serialized data in `postmeta` or `options`.

- **Admin-only processing**  
  Everything runs in the admin area. The frontend only uses the optional PHP redirect when required.

- **Localhost aware**  
  Detects local environments (`localhost`, `.local`, `.test`) and provides instructions for enabling trusted HTTPS locally with [mkcert](https://github.com/FiloSottile/mkcert).

---

### 🔎 Typical problems solved

**How do I activate SSL in WordPress?**  
→ One click in Volixta updates your site to HTTPS safely.

**How do I force HTTPS with 301 redirects?**  
→ Volixta inserts a safe `.htaccess` redirect or uses a PHP fallback.

**My Site Health report says “No security headers detected”.**  
→ Apply modern **security headers** in one click.

**How can I add WordPress security headers without editing code?**  
→ Configure and apply headers from the plugin interface.

**After enabling SSL, my site still shows mixed content errors.**  
→ Run the Mixed Content Scan + Fixer.

**I'm on Nginx, so .htaccess doesn't work.**  
→ Volixta provides ready-to-copy Nginx configuration snippets.

---

== Installation ==

1. Upload to `/wp-content/plugins/` or install from the WordPress plugin directory.
2. Activate the plugin.
3. Open **Volixta SSL & Security** in the admin menu.
4. With a valid SSL certificate:
   - Click **Activate SSL** to update WordPress URLs to HTTPS.
   - Click **Enable HTTPS Redirect** to force HTTPS.
   - Click **Apply Security Headers**.

---

== Frequently Asked Questions ==

= How do I activate SSL in WordPress? =
Open Volixta → click **Activate SSL**. The plugin updates your WordPress and Site URL to HTTPS.

= How do I add security headers in WordPress? =
Go to the **Security Headers** panel and click **Apply Security Headers**.

= Does it modify .htaccess? =
Yes, but only when you trigger an action manually. Blocks are clearly wrapped:

- `# BEGIN Volixta HTTPS Redirect`
- `# END Volixta HTTPS Redirect`

Each change creates a backup file.

= Will it work on Nginx? =
Yes. Volixta shows Nginx configuration snippets for redirects and headers.

= Does it slow down my site? =
No. Everything runs only in the admin panel. On the frontend, only the optional PHP redirect runs when enabled.

= Can I use it locally? =
Yes. Local environments are detected automatically and instructions are provided to enable HTTPS with mkcert.

= Where are settings stored? =
Only minimal configuration is stored in `wp_options`:
- headers configuration
- redirect flag
- mixed content scan results

---

== Screenshots ==

1. Dashboard showing SSL, redirect, headers, and server checks
2. One-click SSL activation and HTTPS redirect
3. Mixed content scan and fixer
4. Security headers configuration panel

---

== Changelog ==

= 1.1.4 – 2026-03-11 =
* Updated readme.txt

= 1.1.3 – 2026-03-09 =
- Removed the Security Hardening module to improve stability and compatibility.  

= 1.1.2 – 2025-12-10 =
- Added new Hardening module:
  * Secure & HttpOnly cookies (adds COOKIE_SECURE and COOKIE_HTTPONLY to wp-config.php)
  * Disable directory indexing by inserting “Options -Indexes” into .htaccess
  * Block user enumeration (?author=ID and REST API `/wp/v2/users`)
- Improved PHPCS compliance and sanitization for user enumeration blocking
- Updated uninstall routine to remove new hardening options
- UI enhancements for Security Hardening settings panel
- Updated readme.txt

= 1.1.1 =
Tested up to WordPress 6.9.

= 1.1.0 =
Improved SSL detection and code compliance.

= 1.0.10 =
Updated readme.

= 1.0.0 =
Initial release.

---

== Upgrade Notice ==

= 1.1.3 =
The Security Hardening module has been removed to improve stability and compatibility.  
Those features will be included in the upcoming **Volixta Security Suite** plugin.

---

== Privacy ==

This plugin does not collect, store, or transmit personal data.

---

== Localization ==

Text domain: `volixta-ssl-security-headers`  
Load path: `/languages`

---

== What’s Next ==

If you like this plugin, check out our other tools:

- [VOLIXTA Booking – The All-in-One WordPress Booking Plugin](https://volixta.com)  
  Manage unlimited staff, services, clients, payments, and locations in one powerful system.  

- [VOLIXTA Security Suite – Advanced WordPress Security Made Simple](https://volixta.com/volixta-security-suite)