All notable changes to Silver Assist Security Essentials will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- GraphQL Authentication Requirement: Enforce authentication for all GraphQL requests via the `graphql_request_data` filter, using WPGraphQL's native `restrict_endpoint_to_logged_in_users` setting as the single source of truth (RSM pentest audit finding)
- Custom API Key Authentication: Plugin-managed API key system supporting the `X-API-Key` header and `Authorization: Bearer` token for server-to-server authentication
- Secure Key Storage: API keys stored as hashed values using `wp_hash_password()`, verified with `wp_check_password()`
- Service User Binding: API key authentication resolves to a configurable WordPress service account user
- Environment-Aware Bypass: Authentication enforcement is bypassed only in `local`/`development` environments to allow development tooling
- Authentication Settings UI: Admin panel section showing WPGraphQL authentication status badge with direct link to WPGraphQL settings, API key management (generate/regenerate/revoke), service user dropdown, and one-time key display
- Dashboard Auth Indicator: Authentication status ("Required" / "Public") shown in GraphQL Security dashboard card
- Security Level Scoring: Authentication requirement contributes to the GraphQL security level calculation
- AJAX API Key Management: Generate, regenerate, and revoke API keys via AJAX without page reload, keeping the user on the GraphQL Security tab
- API Key Usage Example: Success-styled notice showing `X-API-Key` and `Authorization: Bearer` header formats, visible only when an API key is configured
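The enforcement path listed above (WPGraphQL setting as the single source of truth, environment bypass, logged-in pass-through, hashed API key resolving to a service user), as an added PHP example that is not the plugin's own code. The two option names, the 64-hex-character key format and every `example_*` function are assumptions; `get_graphql_setting()` is WPGraphQL's own helper and the `wp_*` calls are WordPress core.

```php
<?php
declare( strict_types=1 );
/**
 * Added example (not the plugin's code): require authentication for WPGraphQL
 * requests via the graphql_request_data filter, accepting either a logged-in
 * user or a plugin-managed API key that is stored hashed and bound to a
 * service user. Assumed names: both option keys, the 64-hex-char key format
 * and every example_* function.
 */

const EXAMPLE_KEY_HASH_OPTION  = 'silver_assist_graphql_api_key_hash'; // assumed
const EXAMPLE_SERVICE_USER_OPT = 'silver_assist_graphql_service_user'; // assumed

// Generate a key once, store only its hash, and hand the plaintext back for one-time display.
function example_generate_api_key(): string {
    $plain = bin2hex( random_bytes( 32 ) ); // 64 hex chars
    update_option( EXAMPLE_KEY_HASH_OPTION, wp_hash_password( $plain ), false );
    return $plain;
}

// Read a presented key from X-API-Key or Authorization: Bearer <key>; null if absent or malformed.
function example_extract_api_key(): ?string {
    $raw = '';
    if ( ! empty( $_SERVER['HTTP_X_API_KEY'] ) ) {
        $raw = (string) wp_unslash( $_SERVER['HTTP_X_API_KEY'] );
    } elseif ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
        // Some web servers drop this header unless it is explicitly forwarded; verify on your stack.
        if ( preg_match( '/^Bearer\s+(\S+)$/i', (string) wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ), $m ) ) {
            $raw = $m[1];
        }
    }
    // Hex format validation rejects junk before the (deliberately slow) hash check runs.
    return preg_match( '/^[a-f0-9]{64}$/i', $raw ) ? $raw : null;
}

// Verify the presented key against the stored hash; return the bound service user ID, or 0.
function example_authenticate_api_key( string $presented ): int {
    $hash = (string) get_option( EXAMPLE_KEY_HASH_OPTION, '' );
    if ( '' === $hash || ! wp_check_password( $presented, $hash ) ) {
        return 0;
    }
    $user_id = (int) get_option( EXAMPLE_SERVICE_USER_OPT, 0 );
    return ( $user_id > 0 && false !== get_userdata( $user_id ) ) ? $user_id : 0;
}

function example_is_authentication_required(): bool {
    // Single source of truth: WPGraphQL's own "restrict endpoint to logged in users" setting.
    return 'on' === get_graphql_setting( 'restrict_endpoint_to_logged_in_users', 'off' );
}

add_filter( 'graphql_request_data', function ( array $request_data ): array {
    if ( ! example_is_authentication_required() ) {
        return $request_data;
    }
    // Bypass only in local/development environments (WP_ENVIRONMENT_TYPE).
    if ( in_array( wp_get_environment_type(), [ 'local', 'development' ], true ) ) {
        return $request_data;
    }
    if ( is_user_logged_in() ) {
        return $request_data; // cookie-authenticated browser session passes through
    }
    $key     = example_extract_api_key();
    $user_id = null === $key ? 0 : example_authenticate_api_key( $key );
    if ( $user_id > 0 ) {
        wp_set_current_user( $user_id ); // resolve the request to the service account
        return $request_data;
    }
    // Reject before the query executes; the response reveals nothing about the schema.
    wp_send_json( [ 'errors' => [ [ 'message' => 'Authentication required.' ] ] ], 401 );
    return $request_data; // unreachable: wp_send_json() exits
} );
```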
- Undefined Property: Remove dead `$this->headless_mode` assignments in `enable_headless_mode()` and `disable_headless_mode()`
- Security Score Double-Counting: `calculate_security_level()` no longer awards points twice when both endpoint access is restricted and authentication is required
- Unit tests for `is_authentication_required()` covering WPGraphQL setting on/off and security level scoring
- Integration tests for auth enforcement, `validate_authentication()`, and `authenticate_api_key()` (filter registration, logged-in pass-through, unauthenticated blocking, env bypass, API key via X-API-Key and Bearer headers)
- Unit tests for `GraphQLApiKeyAjaxHandler`: generate success, nonce validation, capability checks, key regeneration, revoke flow, hex format validation
- Updated POT file with new translatable strings
- Added Spanish (es_ES) translations for all authentication UI strings
- Release Workflow: Make Node.js setup, npm install, and build steps conditional on `package.json` existence
- Vendor Assets: Ensure vendor package assets (CSS/JS) are included in release builds
- Null Safety: Add null guards for `UnderAttackMode` in CF7 CAPTCHA methods (`inject_captcha_field`, `ajax_generate_captcha`, `enqueue_captcha_assets`)
- PHPCS: Fix 7 auto-fixable formatting issues in `ContactForm7AjaxHandler`, `ContactForm7Integration`, and `LoginSecurity`
- PHPStan: Resolve all 5 nullable type errors — now 0 errors at configured level
- Release Pipeline: Unify release workflow and build script across all plugins
  - Selective copy strategy replaces copy-all-then-clean approach
  - Remove `composer.json` from ZIP (not needed at runtime)
  - Auto-detect plugin structure (directories, main file, version)
  - Generate MD5 + SHA256 checksums
- GitHub Actions: Pin all dependencies to SHA hashes for supply chain protection
  - `actions/checkout@v4.3.1`
  - `shivammathur/setup-php@v2.36.0`
  - `softprops/action-gh-release@v2.5.0`
- Settings Hub Integration: Renamed plugin tab from "Security" to "Security Essentials" for clearer identification
- Update Check Delegation: Simplified update checking by delegating to `wp-github-updater` v1.3.0 built-in `enqueueCheckUpdatesScript()`, removing custom AJAX handler and `update-check.js`
- Removed `update-check.js`: Eliminated standalone update check script in favor of centralized wp-github-updater functionality
- Removed duplicate `<h1>` title: AdminPageRenderer no longer renders standalone page title (handled by Settings Hub)
- Version badge CSS: Added `.version-badge` component style using CSS design system variables
- wp-github-updater: Updated from `^1.0` to `^1.3` for built-in update check UI support
- wp-settings-hub: Updated from `^1.1.3` to `^1.2` for `plugin_file` registration support
- Updater config: Added `text_domain` parameter for localized update notifications
- Copilot Setup Steps: Added `.github/workflows/copilot-setup-steps.yml` for automated PHP dependency setup in Copilot coding agents
- Login CAPTCHA: Math-based CAPTCHA challenge on WordPress login page when Under Attack Mode is active
  - Validates CAPTCHA answer server-side before authentication
  - Accessible design with ARIA labels and screen reader support
- CF7 CAPTCHA: CAPTCHA challenge injected into Contact Form 7 forms during Under Attack Mode
  - Automatic injection via `wpcf7_form_elements` filter
  - Server-side validation via `wpcf7_validate` hook
- Shared Template System: `templates/captcha-field.php` renders consistent CAPTCHA across all entry points
  - `SecurityHelper::render_template()` for output-buffered template rendering
  - JavaScript-powered refresh without page reload
  - Dedicated `captcha.css` and `captcha.js` assets with build pipeline integration
- Remember Me Removal: "Remember Me" checkbox hidden via CSS on login page
  - Session cookie lifetime enforced to match configured session timeout
  - Prevents users from bypassing session timeout policies
- Singleton Pattern: `UnderAttackMode` converted to singleton matching `IPBlacklist` pattern
  - `getInstance()` used consistently across `LoginSecurity`, `ContactForm7Integration`, and `SecurityDataProvider`
- Under Attack Mode Status: Real-time Active/Inactive indicator in General Security dashboard card
- IP Blacklisting Status: Enabled/Disabled indicator in General Security dashboard card
- Session Timeout Stat: Displays configured timeout value (minutes) in Admin Security card
- Dashboard Auto-Refresh: Switching to dashboard tab automatically refreshes security status and login stats
- Bot Protection Selector Fix: Updated JS selector from `:last-child` to `:nth-child(2)` after Session Timeout stat addition
- Persistent Indicator Bug: Fixed `showSavingIndicator()` only showing visual feedback on first save
  - Root cause: `.fadeOut()` left indicator in DOM with `display:none`, so subsequent calls found the existing div and did nothing
  - Fix: `.stop(true, true).html(savingText).removeClass("error").show()` on existing indicator
  - Changed `$("form").append()` to `$("form").first().append()` to prevent duplicates
- POT Regenerated: `wp i18n make-pot` — 791 → 1087 lines, all new translatable strings captured
- Spanish (es_ES): 82 new strings translated, 61 fuzzy flags resolved, 4 format errors fixed
- Binary Compiled: `.mo` file regenerated with `msgfmt --check` validation (234 translated messages)
- README.md: Added Under Attack Mode, CAPTCHA, IP Blacklisting, Session Timeout, Remember Me removal sections
- Test Coverage: Updated counts to reflect current test suite (350+ unit, 50+ integration)
- Card-Based Layout: Complete redesign of the security dashboard with status cards
  - Login Security, Admin Security, GraphQL Security, General Security, and Form Protection cards
  - `stat-value`/`stat-label` components for consistent data display
  - Feature-status rows with enabled/disabled indicators and `::before` icons
  - Security Statistics section: Blocked IPs, Failed Attempts (24h), Security Events (7d)
- Activity Tabs: New tabbed interface (Blocked IPs / Security Logs) in Recent Activity section
  - Loading spinners and loading-text placeholders for async content
  - Interactive tab switching with smooth transitions
- Settings Tabs Card Migration: All 4 settings tabs now use `.status-card` with `.card-header`/`.card-content`
  - Login Protection, GraphQL Security, Contact Form 7, and IP Management sections wrapped in styled cards
  - Consistent card structure with header icons across all tabs
- Status Indicator Semantics: Renamed `.disabled` to `.inactive` for clarity
- Toggle Switch Refactor: Native `:checked` selector with `.toggle-slider` class instead of JS class toggling
- Toggle switch to enable/disable admin URL hiding
- Custom admin path input with real-time validation and preview
- Security warning notice with recovery instructions
- Path validation fallback for undefined error messages
- Security Logs Panel: New logs viewer in dashboard Recent Activity
  - AJAX-loaded table with timestamp, event type, and details columns
  - Secure DOM construction using jQuery `.text()` to prevent XSS
- IP Unblock Functionality: Unblock IPs directly from IP Management tab
  - `unblock_ip` AJAX endpoint in `SecurityAjaxHandler`
  - Full table view with per-IP unblock buttons
  - Compact dashboard summary (last 3 IPs) with "View all" link
- Blocked IPs Display: Split into compact dashboard summary and full IP Management table
- DOM XSS Prevention: Added `escapeHtml()` helper to admin.js for all user-data DOM insertion
  - Blocked IPs table: IP addresses, reasons, timestamps all escaped
  - Security logs: Rebuilt with jQuery DOM construction (`.text()`) instead of template literals
  - CF7 blocked IPs: Table headers use `esc_html__()`, cell values use `esc_html()`
- AJAX Scope Fix: Resolved `ReferenceError` — `ajaxurl`/`nonce` now destructured in correct scope for unblock button handlers
- Smart Logging System: Severity-based security event logging
  - 58 event types classified as error (13), warning (33), or info (12)
  - `WP_DEBUG` gate — no log output when debugging is disabled
  - Test environment filtering — only errors logged during tests
  - `[ERROR]`/`[WARNING]`/`[INFO]` severity prefixes in log format
  - Eliminated ~70 noisy log lines from test output
- RenderHelper Utility Class (`src/Admin/Renderer/RenderHelper.php`): Shared static methods for UI rendering
  - `render_feature_status()` — Feature enabled/disabled rows
  - `render_stat()` — Numeric stat values with label and optional suffix
  - `render_async_stat()` — AJAX-loaded stat cards with loading spinner
- SecurityDataProvider Expanded: Added `form_protection`, GraphQL detail fields (`query_depth_limit`, `query_complexity_limit`, `query_timeout`, `introspection_disabled`), `xmlrpc_disabled`, `version_hiding`, and overall statistics
- StatisticsProvider: Cross-component stats with inlined log file reading to avoid circular dependency
- DashboardRenderer Refactored: All repetitive HTML blocks replaced with `RenderHelper` calls (8 feature-status, 7 stat, 3 async-stat)
- Submit buttons disabled with "Saving..." label during autosave
- Manual submit cancels pending autosave timer
- 15s fallback timeout re-enables buttons if autosave hangs
- CSS `.is-saving` class for visual feedback
- CF7 Detection (CF7 v6.x): Removed deprecated `function_exists('wpcf7_get_contact_form_by_id')` check — this function was removed in CF7 v6.x, causing the CF7 tab to not appear
- CF7 Blocked IPs Loading: `loadCF7BlockedIPs()` now targets both `#cf7-blocked-ips-content` and `#cf7-blocked-ips-container`
- CF7 Tab Data Loading: Added `cf7-security` case to `switchToTab` for CF7 tab activation
- CF7 Empty State Styling: Changed to `.no-threats` class for consistent green styling
- Admin Path Validation: Added fallback `"Invalid path"` for undefined error messages; removed static div (JS creates it dynamically)
- Toggle Switch Initialization: Skip checkboxes already inside `.toggle-switch` labels to prevent double-wrapping
- Blocked IPs Data Extraction: Handle both array and object response formats
- GraphQL Timeout Option Key: Fixed `silver_assist_graphql_timeout` → `silver_assist_graphql_query_timeout` to show correct dashboard value
- PHP Function Prefixes: Added `\` to `wp_json_encode()`, removed unnecessary `\` from `round()` (PHP built-in)
- SecurityDataProvider PHPDoc: Fixed mis-indented docblock for `$stats_provider` property
- Noisy Log Removed: Removed `IP_CLEANUP_INITIALIZED` log from Plugin.php
- AjaxTestHelper Trait: Reusable AJAX testing infrastructure
  - `AjaxTestDieError extends \Error` bypasses WordPress die handlers in tests
  - `setup_ajax_environment()`, `call_ajax_handler()`, `teardown_ajax_environment()` methods
- 36 Pre-Existing Test Failures Fixed across 5 categories:
  - UI structure mismatches — updated tab IDs, CSS classes, text labels
  - Removed/refactored methods — rewired tests to `SettingsHandler::save_security_settings()`
  - Hook registration issues — fixed test isolation and explicit component creation
  - Singleton/void/input ID — `getInstance()`, `ob_start()` buffering, correct field IDs
- 283 Tests Passing: Unit (122), Functional (42), Security (62), Integration (57+)
- PHPCS Compliance: Auto-fixed 223 violations via PHPCBF (0 errors, 3 pre-existing warnings remaining)
  - `SettingsRenderer.php`: 200 fixes (spacing, brace placement, indentation)
  - `SecurityDataProvider.php`: 23 fixes
- PHPStan Level 8: Resolved all 37 static analysis errors (100% compliance)
- Copilot Instructions Updated: Documentation rule now distinguishes between project docs and Copilot config files
  - `.github/skills/` — Copilot Skills (domain knowledge)
  - `.github/prompts/` — Copilot Prompt Files (reusable workflows)
  - `.github/instructions/` — Copilot Instruction Files (scoped context)
- Dashboard Styles Skill: `.github/skills/dashboard-styles/SKILL.md` — CSS classes, HTML patterns, component usage guide
- Dependabot Auto-Merge: Documented GitHub Actions limitation for workflow file modifications
- 📦 Contact Form 7 Stubs: Added `miguelcolmenares/cf7-stubs` ^6.1 for PHPStan static analysis
- 🔧 GitHub Workflow Permissions: Added `contents: write` and `pull-requests: write` to quality-checks workflow
- 🚀 Quality Checks Script: Improved non-interactive mode, CI/CD integration, WP_VERSION environment variable support
- ⚙️ GitHub Actions Workflow: Simplified to use unified `run-quality-checks.sh` script
- 🗑️ Deleted temporary documentation files (`.github/FIX_SUMMARY.md`, `.github/GITHUB_APP_PERMISSIONS.md`)
- Advanced Tab Structure: Enhanced from 3 tabs to comprehensive 5-tab interface
  - Security Dashboard: Real-time overview, compliance status, and security alerts
  - Login Protection: Brute force settings, session management, bot protection
  - GraphQL Security: Query limits, rate limiting, introspection control
  - Form Protection: Contact Form 7 integration (conditional tab when CF7 active)
  - IP Management: Comprehensive IP blocking, allowlists, and monitoring
- Seamless Integration: Automatic detection and integration with Contact Form 7
  - Dynamic tab appearance: Form Protection tab shows only when CF7 is active
  - Zero configuration required: automatically activates when CF7 detected
  - Complete compatibility with existing CF7 installations
- Advanced Form Security:
  - Rate Limiting: IP-based submission limits to prevent spam floods
  - Bot Protection: Advanced detection of automated form submission attempts
  - CSRF Enhancement: Strengthened nonce validation for form security
  - Real-time Monitoring: Track and display blocked form submissions
  - IP Blocking: Temporary blocks for IPs exceeding submission thresholds
- Dual Navigation System: Revolutionary namespace separation enables coexistence
  - Settings Hub Level: `.nav-tab` classes for plugin switching (Security ↔ SEO ↔ etc.)
  - Security Plugin Level: `.silver-nav-tab` classes for internal feature navigation
  - Zero Conflicts: Both navigation systems work independently and simultaneously
- Technical Implementation:
  - CSS Namespace Isolation: Complete class separation prevents style conflicts
  - JavaScript Scope Separation: Dynamic tab detection with conditional CF7 handling
  - Responsive Design: Both navigation levels adapt to screen size and content
  - Accessibility: Full keyboard navigation and screen reader support maintained
- Component Separation: Professional admin component architecture
  - `AdminPageRenderer.php`: Main page structure with namespace-separated navigation
  - `SettingsRenderer.php`: All settings tabs with `.silver-tab-content` classes
  - `DashboardRenderer.php`: Security dashboard with real-time statistics
- Dynamic Tab Management:
  - JavaScript automatically detects available tabs from DOM structure
  - Handles conditional CF7 tab without hardcoded dependencies
  - URL hash routing with browser back/forward support
  - Smooth transitions with fade effects between tab content
- CI/CD Matrix Expansion: Enhanced from 3 to 12 test combinations
  - Quality Checks: PHP 8.0-8.3 × WordPress 6.5, 6.6, latest (9 combinations)
  - CF7 Integration: PHP 8.3 × WordPress 6.5, 6.6, latest (3 combinations)
  - Complete Coverage: All WordPress versions tested with Contact Form 7
- WordPress Real Environment Testing:
  - 250+ tests across security components with real WordPress + MySQL
  - Integration tests for tab navigation and CF7 compatibility
  - Security validation for all form protection features
  - CI/CD pipeline ensures all 12 environments pass before deployment
- Enhanced Minification: PostCSS + cssnano for CSS, Grunt + uglify for JavaScript
  - admin.js: 55kB → 16.7kB (70% reduction)
  - CSS optimization: Modern CSS features preserved (layers, nesting, container queries)
  - Build automation: `npm run build` for complete asset pipeline
- GitHub Actions + Dependabot Integration: Complete automation for dependency updates
  - Weekly automated checks for Composer, npm, and GitHub Actions dependencies
  - Automatic Pull Request creation for outdated packages
  - Intelligent grouping of minor/patch updates in single PRs
  - Separate PRs for major versions requiring manual review
- Quality Assurance Automation:
  - `check-composer-updates` job: PHP dependencies validation with PHPStan and PHPCS
  - `check-npm-updates` job: JavaScript dependencies with build verification
  - `security-audit` job: CVE scanning for both Composer and npm packages
  - `validate-pr` job: Comprehensive validation of all Dependabot PRs
  - `auto-merge-dependabot` job: Safe auto-merge for patch/minor updates
- Security-First Approach:
  - Continuous vulnerability scanning (reports stored for 90 days)
  - Critical packages flagged for manual review on major versions:
    - `silverassist/wp-settings-hub` (Settings Hub integration)
    - `silverassist/wp-github-updater` (Update system)
  - GitHub Copilot automatically reviews all dependency PRs
  - Automated security audits for both PHP and JavaScript ecosystems
- Configuration Files Added:
  - `.github/dependabot.yml`: Dependency scanning and PR creation configuration
  - `.github/workflows/dependency-updates.yml`: CI/CD workflow with 5 automated jobs
- Schedule:
  - Monday 9:00 AM (Mexico City): Composer packages check
  - Monday 9:30 AM (Mexico City): npm packages check
  - Monday 10:00 AM (Mexico City): GitHub Actions check
  - 24/7: Security vulnerability monitoring and alerts
- Zero manual intervention for safe updates (minor/patch versions)
- Automated quality gates ensure code standards maintained
- Complete audit trail via GitHub PRs
- Time savings on dependency maintenance
- Early detection of security vulnerabilities
- GitHub Copilot AI reviews provide intelligent feedback
- Auto-merge enabled for `version-update:semver-patch` and `version-update:semver-minor`
- Major version updates require manual review and approval
- All PRs labeled automatically: `dependencies`, `composer`/`npm`/`github-actions`, `automated`
- Comprehensive reporting: outdated packages, security audits, build results
- Artifacts retention: outdated reports (30 days), security audits (90 days)
- Consolidated Documentation: All documentation maintained in core files (README, CHANGELOG, copilot-instructions)
- No Separate MD Files: Prevents documentation fragmentation and maintenance overhead
- Single Source of Truth: Easier to maintain and keep up-to-date
- AI Instruction: Explicit guidance added to prevent creation of separate documentation files
- Menu Structure Changed: Plugin now registers under centralized "Silver Assist" menu via Settings Hub
  - Before: Standalone menu in WordPress Settings → "Security Essentials"
  - After: Top-level "Silver Assist" menu → "Security" submenu
  - URL Change: Admin page URL structure modified for hub integration
  - Backward Compatibility: Automatic fallback to standalone menu when Settings Hub unavailable
- Settings Hub Integration (`silverassist/wp-settings-hub` v1.1.0):
  - Centralized admin interface for all Silver Assist plugins
  - Professional plugin dashboard with cards and metadata display
  - Cross-plugin navigation via tabs (when multiple plugins installed)
  - Dynamic action buttons support
  - Enhanced user experience with consistent UI across Silver Assist ecosystem
- "Check Updates" Button:
  - New action button in Settings Hub plugin card
  - One-click update checking via AJAX
  - Automatic redirection to WordPress Updates page when update available
  - Real-time feedback with user-friendly messages
  - Seamless integration with existing wp-github-updater package
- Removed Plugin Updates Section:
  - Eliminated redundant "Plugin Updates" card from admin page
  - Update functionality consolidated into Settings Hub action button
  - Cleaner admin interface with reduced UI clutter
  - Maintained all update checking capabilities
- New Methods in AdminPanel:
  - `register_with_hub()`: Main hub registration with automatic fallback
  - `get_hub_actions()`: Configures action buttons for plugin card
  - `render_update_check_script()`: JavaScript callback for update button
  - `ajax_check_updates()`: AJAX handler for update verification
  - `add_admin_menu()`: Fallback method for standalone menu registration
- Settings Hub Registration:

  ```php
  $hub->register_plugin(
      'silver-assist-security',
      __( 'Security', 'silver-assist-security' ),
      [ $this, 'render_admin_page' ],
      [
          'description' => __( 'Security configuration for WordPress', 'silver-assist-security' ),
          'version'     => SILVER_ASSIST_SECURITY_VERSION,
          'tab_title'   => __( 'Security', 'silver-assist-security' ),
          'actions'     => [
              [
                  'label'    => __( 'Check Updates', 'silver-assist-security' ),
                  'callback' => [ $this, 'render_update_check_script' ],
                  'class'    => 'button button-primary',
              ],
          ],
      ]
  );
  ```
- Intelligent Fallback System:
  - Automatic detection of Settings Hub availability
  - Graceful degradation to standalone menu when hub absent
  - Zero functionality loss in fallback mode
  - Exception handling with security event logging
- New Test Suite: `tests/Integration/SettingsHubTest.php` (10 test cases):
  - Settings Hub class detection and availability
  - Fallback menu registration verification
  - Update button configuration validation
  - AJAX handler functionality tests
  - Security validation for update checks
  - Update script rendering verification
  - Hub registration metadata validation
  - Actions array structure tests
  - Admin hooks registration checks
  - Integration testing with wp-github-updater
- AJAX Security:
  - Nonce validation for all update check requests
  - User capability verification (`manage_options`)
  - Comprehensive error handling and logging
  - Sanitized JavaScript output with `esc_js()`, `esc_url()`
  - SecurityHelper integration for event logging
- User Experience:
  - ✅ Unified admin interface for Silver Assist plugins
  - ✅ Professional dashboard with plugin cards
  - ✅ Quick access to update checking
  - ✅ Consistent UI across plugin ecosystem
  - ⚠️ URL change may affect bookmarks (acceptable for major version)
- Developer Experience:
  - ✅ Modular architecture with clean separation
  - ✅ Easy to extend with additional action buttons
  - ✅ Comprehensive test coverage
  - ✅ Well-documented integration patterns
- Compatibility:
  - ✅ Works with or without Settings Hub
  - ✅ Maintains all existing functionality
  - ✅ Backward compatible via fallback mechanism
  - ✅ No data migration required
- Standards Compliance: Full WordPress coding standards adherence
- Type Safety: Strict PHP 8+ type declarations throughout
- Documentation: Complete PHPDoc for all new methods
- Error Handling: Comprehensive try-catch blocks with logging
- Internationalization: All user-facing strings properly translated
- Added: `silverassist/wp-settings-hub` ^1.1 (production dependency)
- Maintained: All existing dependencies (wp-github-updater, PHPUnit, etc.)
- For End Users:
  - Update plugin to v1.1.13
  - Admin menu location changes automatically
  - Find plugin under "Silver Assist" → "Security" (or Settings if hub not installed)
  - Update bookmarks if accessing settings directly
- For Developers:
  - Install/update via Composer: `composer update`
  - Settings Hub automatically detected if installed
  - Fallback mechanism ensures compatibility
  - No code changes required in consuming applications
- 🚀 CRITICAL FIX: Replaced broken grunt-contrib-cssmin with modern PostCSS + cssnano system:
  - CSS Corruption Fixed: grunt-contrib-cssmin was corrupting modern CSS features (@layer, nesting)
  - All Classes Preserved: Fixed loss of CSS classes during minification (46/46 classes now preserved)
  - Modern CSS Support: Full support for @layer directives, CSS nesting, container queries
  - Better Compression: Improved compression rates (37-50% vs previous inconsistent results)
  - Build System Hybrid: PostCSS for CSS + Grunt for JavaScript (best of both worlds)
- New Primary Command: `npm run build` for complete CSS + JS minification
- Granular Control: `npm run minify:css` (PostCSS) and `npm run minify:js` (Grunt)
- Enhanced Script: `./scripts/minify-assets-npm.sh` with detailed logging and verification
- Development Friendly: `npm run clean` to remove minified files during development
- Real-time Verification: Script shows compression ratios and file size reductions
- Dependency Management: Auto-installs and updates npm packages
- Error Prevention: Validates all required configuration files (postcss.config.js, Gruntfile.js)
- Comprehensive Logging: Detailed build process information with colored output
- Complete Guide: Updated all documentation to reflect new PostCSS + Grunt workflow
- Script README: Added comprehensive `minify-assets-npm.sh` documentation
- Release Workflow: Updated release process to include asset minification step
- Developer Instructions: Enhanced Copilot instructions with modern CSS minification details
- CSS Pipeline: `assets/css/*.css` → PostCSS + cssnano → `assets/css/*.min.css`
- JS Pipeline: `assets/js/*.js` → Grunt + uglify → `assets/js/*.min.js`
- Configuration: postcss.config.js (CSS) + Gruntfile.js (JS) + package.json (dependencies)
- Compression: CSS 37-50% reduction, JavaScript 69-79% reduction
- Compatibility: Node.js 16+, npm 8+, modern CSS features fully supported
- Fixed Critical Issue: Admin styles no longer lost during minification
- Enhanced Performance: Better compression rates for faster page loads
- Future-Proof: Support for cutting-edge CSS features as they're adopted
- Reliable Builds: No more random minification failures or corrupted output
- Developer Productivity: Clear build commands and comprehensive error reporting
- 📦 Updated silverassist/wp-github-updater: Upgraded to version 1.1.3 (latest)
- Enhanced Reliability: Improved auto-update system stability
- Better Error Handling: More robust GitHub API interaction
- Performance Optimization: Faster update checks and download processes
- WordPress 6.7+ Compatibility: Full compatibility with latest WordPress versions
- Clean Architecture: Maintained consistent coding standards across all components
- Version Synchronization: All version references updated consistently using automated script
- Documentation Updates: Updated version numbers in headers and constants
- 🐛 Fixed Frontend Redirect Issue: Session timeouts now handle frontend vs admin differently:
  - Frontend: Silent logout without redirect; users stay on their current page
  - Admin: Logout with redirect to login page showing `session_expired=1`
- Better UX: Users visiting public pages no longer get redirected to login when session expires
- SEO Friendly: Google search traffic and direct links to blog posts work properly even with expired sessions
- Root Cause: Previous implementation redirected all session timeouts to login, regardless of context
- Solution: Added conditional logic in `LoginSecurity::setup_session_timeout()` to differentiate frontend vs admin behavior
- Maintained Security: All session timeout protections remain active for legitimate sessions
- Admin Protection: Admin area maintains proper session timeout redirect behavior
- Frontend Preservation: Public pages no longer interrupted by authentication flows
- 🎉 MAJOR UPGRADE: Complete replacement of unreliable bash/API minification with professional NPM + Grunt system:
  - Outstanding Results: 38-79% file size reduction vs. previous 6-8%
  - Industry Standard: Uses `grunt-contrib-cssmin` and `grunt-contrib-uglify`
  - Reliable: No more API dependency failures or inconsistent compression
  - CI/CD Ready: Node.js and npm available in GitHub Actions by default
- 📊 Actual Compression Results:
  - admin.css: 57% reduction (23,139 → 9,838 bytes)
  - password-validation.css: 38% reduction (4,297 → 2,647 bytes)
  - variables.css: 48% reduction (9,735 → 4,981 bytes)
  - admin.js: 69% reduction (38,679 → 11,950 bytes)
  - password-validation.js: 79% reduction (10,945 → 2,274 bytes)
- 📦 package.json: NPM dependencies with correct PolyForm-Noncommercial-1.0.0 license
- ⚙️ Gruntfile.js: Professional CSS and JavaScript minification configuration
- 🔧 scripts/minify-assets-npm.sh: Node.js-based minification script with comprehensive error handling
- 🔄 Updated build-release.sh: NPM-first approach with bash fallback for maximum reliability
- WordPress Compatibility: Preserves jQuery, $, window, document globals for WordPress integration
- License Preservation: Maintains copyright headers and important comments
- Modern CSS Support: Handles CSS nesting (with warnings) while achieving excellent compression
- IE9+ Compatibility: CSS minification maintains compatibility for WordPress requirements
- Dynamic URL Generation: Intelligent path construction for minified vs. original assets
- WordPress Integration: Seamless integration with WordPress `wp_enqueue_style()` and `wp_enqueue_script()`
- Backward Compatibility: Zero impact on existing functionality; graceful fallback to original files
- Production Optimization: Faster asset loading in production without compromising functionality
- 🔧 New SecurityHelper Class: Created `src/Core/SecurityHelper.php` as centralized utility system:
  - Asset Management: `get_asset_url()` with SCRIPT_DEBUG-aware minification support
  - Network Security: `get_client_ip()`, `is_bot_request()`, `send_404_response()` functions
  - Authentication: `is_strong_password()`, `verify_nonce()`, `check_user_capability()` utilities
  - Data Management: `generate_ip_transient_key()`, `sanitize_admin_path()` helpers
  - Logging & Monitoring: `log_security_event()`, `format_time_duration()` structured logging
  - AJAX Utilities: `validate_ajax_request()` with comprehensive security validation
- 📚 Documentation Standards: Comprehensive Copilot instructions with mandatory usage patterns
- 🚫 Code Deduplication: Eliminated ~100 lines of duplicated utility code across components
- 🔄 Component Integration: Updated all security classes to use centralized helper functions:
  - `AdminPanel.php`: Uses SecurityHelper for asset loading
  - `LoginSecurity.php`: Uses SecurityHelper for IP detection, logging, and bot detection
  - `GeneralSecurity.php`: Uses SecurityHelper for asset management
  - `AdminHideSecurity.php`: Uses SecurityHelper for path validation and responses
- 📋 Helper Function Categories: Established 6 mandatory function categories for future development
- 🚨 Critical Coding Standards: Added SecurityHelper to mandatory compliance section
- 🔧 Integration Patterns: Documented correct/incorrect usage examples for developers
- ♻️ Migration Process: Created systematic approach for centralizing future utility functions
- 📝 Auto-Initialization: SecurityHelper auto-initializes without manual setup requirements
- Code Quality: Centralized security utilities ensure consistent behavior across all components
- Maintainability: Single source of truth for utility functions reduces maintenance overhead
- Developer Experience: Clear guidelines and patterns for future helper function development
- Performance: Optimized helper functions with intelligent caching and minimal overhead
- Fixed Login Loop Bug: Resolved infinite redirect loop where users were sent to `?session_expired=1` after logout and subsequent login attempts
- Root Cause: `last_activity` metadata was persisting after logout, causing immediate session timeout on new login attempts
- Session Cleanup: Added comprehensive session metadata cleanup at multiple points:
  - `clear_login_attempts()` - Clears `last_activity` during logout process
  - `handle_successful_login()` - Removes stale metadata before establishing new session
  - `setup_session_timeout()` - Enhanced with login process detection
- New Function: `is_in_login_process()` - Intelligent detection of login workflow to prevent premature timeouts
- Detection Points:
  - wp-login.php page access
  - POST login requests
  - Recent login activity (< 30 seconds)
  - Login-related actions (login, logout, register, resetpass, etc.)
- Session Protection: Prevents session timeout during active login processes
- Pre-logout Cleanup: Session metadata cleared before logout to prevent state persistence
- Fresh Session Initialization: Each successful login starts with clean session state
- Improved User Experience: Eliminates frustrating login loops while maintaining security
- Maintained Security: All session timeout protections remain active for legitimate sessions
- Login Flow Protection: Timeout checks skip during login processes to allow smooth authentication
- Stale Session Prevention: Automatic cleanup prevents old session data from interfering with new logins
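The following is an added illustration of the bug and fix described above; it is not the plugin's code. It models the `last_activity` / `last_login` user meta with an in-memory store and reimplements the three pieces named in the entry (logout cleanup, fresh state on login, and an `is_in_login_process()` bypass) as plain PHP, with a `$fixed` flag so the same replay can run with or without the fix. The 30-second grace window and the action list come from the entry; the meta key `last_login`, the request shape and the 600-second timeout are assumptions for the example.

```php
<?php
declare(strict_types=1);

const LOGIN_GRACE_SECONDS = 30;                       // "recent login activity (< 30 seconds)"
const LOGIN_ACTIONS = ['login', 'logout', 'register', 'resetpass', 'lostpassword', 'retrievepassword'];

/** In-memory stand-in for get/update/delete_user_meta(): [user_id => [key => value]]. */
final class UserMeta
{
    private array $meta = [];
    public function get(int $uid, string $key): mixed { return $this->meta[$uid][$key] ?? null; }
    public function set(int $uid, string $key, mixed $value): void { $this->meta[$uid][$key] = $value; }
    public function delete(int $uid, string $key): void { unset($this->meta[$uid][$key]); }
}

/** The parts of a request the detection needs: script path, method, ?action= and wall-clock time (assumed shape). */
final class Request
{
    public function __construct(public string $script, public string $method = 'GET', public ?string $action = null, public int $now = 0) {}
}

/** Detection points: wp-login.php access (page load or POSTed form), a login-related action, or a login in the last 30 s. */
function is_in_login_process(Request $r, UserMeta $meta, int $uid): bool
{
    if (str_ends_with($r->script, 'wp-login.php')) { return true; }
    if ($r->action !== null && in_array($r->action, LOGIN_ACTIONS, true)) { return true; }
    $lastLogin = $meta->get($uid, 'last_login');
    return is_int($lastLogin) && ($r->now - $lastLogin) < LOGIN_GRACE_SECONDS;
}

/**
 * True when the request must be bounced to ?session_expired=1.
 * $fixed = false reproduces the pre-fix behaviour (no login-process bypass, no cleanup).
 */
function session_expired(Request $r, UserMeta $meta, int $uid, int $timeoutSeconds, bool $fixed): bool
{
    if ($fixed && is_in_login_process($r, $meta, $uid)) { return false; }   // never time out mid-login
    $last = $meta->get($uid, 'last_activity');
    if (is_int($last) && ($r->now - $last) > $timeoutSeconds) { return true; }
    $meta->set($uid, 'last_activity', $r->now);                           // refresh on every live request
    return false;
}

function handle_logout(UserMeta $meta, int $uid, bool $fixed): void
{
    if ($fixed) { $meta->delete($uid, 'last_activity'); }                 // pre-logout cleanup
}

function handle_successful_login(Request $r, UserMeta $meta, int $uid, bool $fixed): void
{
    if ($fixed) { $meta->delete($uid, 'last_activity'); }                 // fresh session state
    $meta->set($uid, 'last_login', $r->now);
}

/**
 * Replay the reported scenario: an active session, logout, a return long after the
 * timeout, a new login, then the first wp-admin load 5 s later and another 40 s later
 * (outside the grace window, so only the metadata cleanup can save that one).
 */
function replay_login_loop(bool $fixed, int $timeout = 600): array
{
    $meta = new UserMeta();
    $uid = 1;
    session_expired(new Request('/wp-admin/index.php', now: 0), $meta, $uid, $timeout, $fixed); // stores last_activity = 0
    handle_logout($meta, $uid, $fixed);
    handle_successful_login(new Request('/wp-login.php', 'POST', 'login', 5000), $meta, $uid, $fixed);
    return [
        'expired_right_after_login' => session_expired(new Request('/wp-admin/index.php', now: 5005), $meta, $uid, $timeout, $fixed),
        'expired_after_grace'       => session_expired(new Request('/wp-admin/index.php', now: 5040), $meta, $uid, $timeout, $fixed),
    ];
}

foreach ([false, true] as $fixed) {
    echo $fixed ? 'after fix:  ' : 'before fix: ', json_encode(replay_login_loop($fixed)), "\n";
}
```

Without the fix the stale `last_activity` from the previous session makes every post-login request look expired, which is the redirect loop; with the fix the grace window covers the immediate redirect and the logout/login cleanup covers everything after it. The bypass is deliberately narrow (wp-login.php, a listed action, or a login within the last 30 seconds) so an idle admin session still times out normally.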
- 🔧 New SecurityHelper Class: Created `src/Core/SecurityHelper.php` as centralized utility system:
  - Asset Management: `get_asset_url()` with SCRIPT_DEBUG-aware minification support
  - Network Security: `get_client_ip()`, `is_bot_request()`, `send_404_response()` functions
  - Authentication: `is_strong_password()`, `verify_nonce()`, `check_user_capability()` utilities
  - Data Management: `generate_ip_transient_key()`, `sanitize_admin_path()` helpers
  - Logging & Monitoring: `log_security_event()`, `format_time_duration()` structured logging
  - AJAX Utilities: `validate_ajax_request()` with comprehensive security validation
- 📚 Documentation Standards: Comprehensive Copilot instructions with mandatory usage patterns
- 🚫 Code Deduplication: Eliminated ~100 lines of duplicated utility code across components
- 🔄 Component Integration: Updated all security classes to use centralized helper functions:
  - `AdminPanel.php` - Uses SecurityHelper for asset loading
  - `LoginSecurity.php` - Uses SecurityHelper for IP detection, logging, and bot detection
  - `GeneralSecurity.php` - Uses SecurityHelper for asset management
  - `AdminHideSecurity.php` - Uses SecurityHelper for path validation and responses
- 📋 Helper Function Categories: Established 6 mandatory function categories for future development
- 🚨 Critical Coding Standards: Added SecurityHelper to mandatory compliance section
- 🔧 Integration Patterns: Documented correct/incorrect usage examples for developers
- ♻️ Migration Process: Created systematic approach for centralizing future utility functions
- 📝 Auto-Initialization: SecurityHelper auto-initializes without manual setup requirements
- Code Quality: Centralized security utilities ensure consistent behavior across all components
- Maintainability: Single source of truth for utility functions reduces maintenance overhead
- Developer Experience: Clear guidelines and patterns for future helper function development
- Performance: Optimized helper functions with intelligent caching and minimal overhead
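The network and data helpers listed for SecurityHelper (`get_client_ip()`, `generate_ip_transient_key()`) and the IP-based login attempt limiting they feed are the part of this list where a detail matters for security: an IP resolver that believes `X-Forwarded-For` from any peer lets an attacker reset their own lockout counter with one forged header. The block below is an added example, not the plugin's implementation, showing one way to write those helpers defensively; the trusted proxy list, the transient prefix, the in-memory transient store and the 5-attempts / 15-minute window are assumptions for the example.

```php
<?php
declare(strict_types=1);

/** Reverse proxies whose forwarded headers we believe (assumed list for this example). */
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Resolve the client IP from a $_SERVER-shaped array. X-Forwarded-For is only
 * consulted when the TCP peer is a trusted proxy, and it is read right-to-left
 * so hops the client prepended itself can never become "the" IP.
 */
function get_client_ip(array $server): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($remote, TRUSTED_PROXIES, true)) {
        $hops = array_reverse(array_map('trim', explode(',', (string) ($server['HTTP_X_FORWARDED_FOR'] ?? ''))));
        foreach ($hops as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) { break; }   // malformed: stop trusting the chain
            if (!in_array($hop, TRUSTED_PROXIES, true)) { return $hop; }    // first non-proxy hop is the client
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

/**
 * Transient names must stay short (WordPress caps them at 172 characters) and
 * should not embed raw addresses; hashing gives a fixed-length, IPv6-safe key.
 */
function generate_ip_transient_key(string $prefix, string $ip): string
{
    return $prefix . '_' . substr(hash('sha256', $ip), 0, 32);
}

/** In-memory stand-in for get/set/delete_transient() with expiry, so this runs without WordPress. */
final class TransientStore
{
    private array $data = [];
    public function get(string $key, int $now): mixed
    {
        if (!isset($this->data[$key]) || $this->data[$key]['expires'] <= $now) { unset($this->data[$key]); return false; }
        return $this->data[$key]['value'];
    }
    public function set(string $key, mixed $value, int $ttl, int $now): void { $this->data[$key] = ['value' => $value, 'expires' => $now + $ttl]; }
    public function delete(string $key): void { unset($this->data[$key]); }
}

/** Count a failed login for this IP; true once the threshold is reached. Each failure renews the window. */
function record_failed_login(TransientStore $t, string $ip, int $now, int $maxAttempts = 5, int $windowSeconds = 900): bool
{
    $key = generate_ip_transient_key('sas_login_attempts', $ip);
    $attempts = (int) $t->get($key, $now) + 1;
    $t->set($key, $attempts, $windowSeconds, $now);
    return $attempts >= $maxAttempts;
}

function is_locked_out(TransientStore $t, string $ip, int $now, int $maxAttempts = 5): bool
{
    return (int) $t->get(generate_ip_transient_key('sas_login_attempts', $ip), $now) >= $maxAttempts;
}

function clear_login_attempts(TransientStore $t, string $ip): void
{
    $t->delete(generate_ip_transient_key('sas_login_attempts', $ip));
}

// Constructed request: real client 198.51.100.7 behind the trusted proxy, with a forged leading hop.
$server = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'];
$ip = get_client_ip($server);
$store = new TransientStore();
for ($attempt = 1; $attempt <= 5; $attempt++) { record_failed_login($store, $ip, 1000 + $attempt); }
printf("%s locked out: %s\n", $ip, is_locked_out($store, $ip, 1006) ? 'yes' : 'no');
printf("lockout lifted once the window expires: %s\n", is_locked_out($store, $ip, 1905) ? 'no' : 'yes');
```

Two practitioner notes: the forged `127.0.0.1` hop is ignored because the chain is walked from the proxy's side, and when there is no trusted proxy in front of the site `REMOTE_ADDR` is the only value worth using at all. Hashing the key also keeps lockout state from being trivially enumerable by anyone who can read `wp_options`.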
- Centralized Legitimate Actions: Moved all WordPress action arrays (`logout`, `postpass`, `resetpass`, `lostpassword`, etc.) from duplicated implementations to centralized `DefaultConfig.php`
- New Configuration Methods: Added three new methods for action management:
  - `get_legitimate_actions(bool $include_logout)` - General method with logout toggle
  - `get_bot_protection_bypass_actions()` - Actions that bypass bot protection (includes logout)
  - `get_admin_hide_bypass_actions()` - Actions for admin hide URL filtering (excludes logout)
- Improved Rate Limiting: Increased threshold from 5 to 15 requests per minute to accommodate legitimate user flows (password changes, logout confirmations)
- Enhanced User Flow Detection: Added specific exclusions for logged-in users and legitimate WordPress actions
- False Positive Reduction: More lenient detection criteria to prevent blocking legitimate users during normal WordPress operations
- Better Header Validation: Improved browser header detection logic for more accurate bot identification
- Eliminated Code Duplication: Removed redundant action arrays from `LoginSecurity.php` and `AdminHideSecurity.php`
- Single Source of Truth: All legitimate action definitions now managed centrally for consistency
- Maintainability Enhancement: Future action updates only require changes in one location
- Clear Method Documentation: Comprehensive PHPDoc for all new configuration methods
- 404 Error Resolution: Fixed issue where legitimate users received 404 responses during password changes and logout flows
- Authentication Flow: Improved handling of legitimate WordPress authentication actions
- Session Management: Better integration between bot protection and user session handling
- Comprehensive ES6+ Destructuring: Complete implementation of object destructuring patterns across all JavaScript functions for cleaner, more maintainable code
- Centralized Timing Constants: New `TIMING` object with 7 centralized timeout values (AUTO_SAVE_DELAY: 2000ms, VALIDATION_DEBOUNCE: 500ms, ERROR_DISPLAY: 5000ms, etc.)
- Validation Constants System: New `VALIDATION_LIMITS` object with 7 form validation ranges (LOGIN_ATTEMPTS: {min: 1, max: 20}, etc.)
- Local DOM Element Optimization: Implemented local jQuery element constants with the `$` prefix convention for improved performance
- Template Literals: Replaced string concatenation with modern template literals using `${variable}` interpolation
- Arrow Function Standardization: Converted all function declarations to ES6 arrow functions with the `const functionName = () => {}` pattern
- Destructuring Implementation: Systematic destructuring in 20+ functions across admin.js and password-validation.js
- jQuery Optimization: Local DOM element constants reduce repeated jQuery selections for better performance
- Function Documentation: Complete JSDoc documentation for all JavaScript functions in English
- Centralized Configuration: All timing values and validation limits now managed from single objects for easy maintenance
- Clean Object Access: `const { strings = {}, ajaxurl, nonce } = silverAssistSecurity || {}` pattern throughout codebase
- Consistent Patterns: Unified destructuring and constant usage patterns across all JavaScript files
- Improved Readability: Eliminated repetitive object property access with clean destructuring syntax
- ES6+ Examples: Added comprehensive before/after examples in copilot-instructions.md demonstrating destructuring patterns
- Mandatory Patterns: Updated coding guidelines to require destructuring and centralized constants for all new development
- jQuery Best Practices: Documented `$` prefix convention for jQuery elements and timing constant requirements
- Local vs Global Strategy: Established preference for local constants over global objects for better code organization
- Maintainability: Centralized constants eliminate hardcoded values scattered throughout the codebase
- Performance: Local DOM element caching reduces jQuery selector overhead
- Consistency: Unified patterns across all JavaScript functionality
- Future-Proof: Modern ES6+ syntax prepared for future JavaScript development
- Real-time Password Validation: New JavaScript-based live password strength validation for WordPress user profiles
- Password Validation UI: Custom CSS styling with success/error indicators using centralized CSS variables
- Weak Password Prevention: Automatic hiding of WordPress "confirm weak password" checkbox when strength enforcement is enabled
- Visual Feedback System: Color-coded validation messages with accessibility support and responsive design
- Headless Mode Indicator: New visual component showing GraphQL headless vs standard mode status with color-coded badges
- Mode Value Components: Interactive status indicators with hover effects and responsive container queries
- CSS Variables Integration: Complete integration with existing design system using logical properties for RTL/LTR support
- wp-config.php Override: Added `SILVER_ASSIST_HIDE_ADMIN` constant to disable admin hiding in emergency situations
- Emergency Disable Feature: Users can regain admin access when locked out by adding a single line to wp-config.php
- Recovery Documentation: Comprehensive step-by-step instructions for emergency access recovery
- Password Reset Security: Fixed login page errors during password reset flows - now properly allows password reset actions
- Enhanced Action Filtering: Improved handling of WordPress login actions (`resetpass`, `lostpassword`, `retrievepassword`, `checkemail`)
- Smart URL Token Management: Intelligent filtering that excludes password reset actions from admin hiding protection
- Asset Loading Optimization: Improved script and CSS loading with proper dependency management and cache busting
- Emergency Override System: Database settings can now be overridden via wp-config.php constant for emergency access
- Improved Error Handling: Better fallback mechanisms when custom admin paths are forgotten or misconfigured
- Enhanced Documentation: Clear recovery instructions displayed in admin panel with inline code examples
- Password Reset Flow: Fixed 404 errors and access issues during password reset process
- Admin Hide Compatibility: Resolved conflicts between admin hiding and legitimate password reset operations
- Action Parameter Handling: Fixed handling of WordPress action parameters in login security validation
- URL Generation: Improved URL filtering to properly exclude password reset and recovery actions
- GraphQL Component Styles: New headless mode indicator with hover effects and smooth transitions
- Spacing Variable Updates: Consistent spacing scale from xs (2px) to 3xl (24px) for better design consistency
- Logical Properties: International support with RTL/LTR automatic layout adjustment
- Container Queries: Modern responsive design using container-based breakpoints instead of viewport-only queries
- Layer-based Architecture: Improved CSS organization with `@layer` for better cascade control
- Emergency Access Guidance: Enhanced admin panel with clear wp-config.php recovery instructions
- Inline Code Examples: Visual code snippets showing exact constant syntax for emergency disable
- Translation Updates: Updated Spanish translations with emergency access terminology
- Responsive Design: Enhanced mobile and tablet support for all new UI components
- Spanish Translation Updates: Complete translation of emergency access recovery instructions
- POT Template Regeneration: Updated translation template with all new user-facing strings
- Translator Comments: Added proper context comments for complex placeholders and emergency instructions
- Version Synchronization: Updated Project-Id-Version to 1.1.6 across all translation files
- Version Synchronization: All plugin files updated to version 1.1.6 with consistent `@version` tags
- Asset Organization: Better structure for CSS/JS files with modular approach and proper dependencies
- Documentation Coverage: Enhanced inline documentation for new password validation and GraphQL UI features
- WordPress Integration: Improved integration with WordPress native password strength meter
- Emergency Access Testing: New independent test script for verifying constant override functionality
- Reflection-based Testing: Advanced testing using PHP reflection to verify private property states
- Database Override Verification: Tests ensure wp-config.php constants properly override database settings
- Advanced Testing Script: New `test-graphql-security.sh` script for comprehensive GraphQL security validation
- CLI Parameter Support: `--domain URL` parameter to specify GraphQL endpoint directly via command line
- Automation Ready: `--no-confirm` parameter for CI/CD workflows and automated testing
- Complete Help System: Comprehensive `--help`/`-h` documentation with usage examples
- Multi-Configuration Support: Three configuration methods (CLI param, environment variable, default fallback)
- URL Validation: Robust URL format validation with security warnings for suspicious endpoints
- 7 Security Scenarios: Tests introspection protection, query depth limits, alias abuse prevention, directive limitations, field duplication limits, query complexity & timeout, and rate limiting
- Version Parameter Removal: Fixed `remove_version_query_string()` in GeneralSecurity.php to handle multiple `ver` parameters in URLs (e.g., `/file.css?ver=123?ver=456`)
- Regex Pattern Enhancement: Improved regex pattern to comprehensively remove all version query parameters for better security
- Query String Cleanup: Enhanced URL cleanup to properly handle malformed query strings with duplicate parameters
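The malformed `?ver=123?ver=456` shape above is what makes this stripping harder than it looks: a second `?` instead of `&` means a query-string parser sees one parameter whose value is `123?ver=456`, and a regex that stops at `&` can leave the second copy behind. As an added example (not the plugin's function) the block below removes every `ver` segment by splitting on both separators, keeps unrelated parameters and any fragment, and checks itself against constructed URLs.

```php
<?php
declare(strict_types=1);

/**
 * Remove every `ver` query parameter from an asset URL, including the malformed
 * "?ver=1?ver=2" shape where a second "?" was appended instead of "&".
 * Any fragment is preserved untouched.
 */
function remove_version_query_string(string $url): string
{
    $fragment = '';
    if (($hash = strpos($url, '#')) !== false) {
        $fragment = substr($url, $hash);
        $url      = substr($url, 0, $hash);
    }
    $q = strpos($url, '?');
    if ($q === false) {
        return $url . $fragment;                                     // nothing to strip
    }
    $path = substr($url, 0, $q);
    // Split on '?' as well as '&' so every stray "?ver=" segment becomes its own part.
    $parts = preg_split('/[?&]/', substr($url, $q + 1), -1, PREG_SPLIT_NO_EMPTY);
    $kept  = array_values(array_filter(
        $parts,
        static fn(string $p): bool => preg_match('/^ver(=|$)/i', $p) !== 1   // "version=" is a different key
    ));
    return $path . ($kept === [] ? '' : '?' . implode('&', $kept)) . $fragment;
}

/** Constructed cases as [input, expected output]. */
function version_strip_cases(): array
{
    return [
        ['/wp-includes/css/dashicons.min.css?ver=6.5.2',   '/wp-includes/css/dashicons.min.css'],
        ['/wp-content/plugins/x/a.css?ver=123?ver=456',     '/wp-content/plugins/x/a.css'],
        ['/wp-content/themes/t/s.js?a=1&ver=2.0&b=2',       '/wp-content/themes/t/s.js?a=1&b=2'],
        ['/wp-content/themes/t/s.js?ver=2.0&mode=dark#top', '/wp-content/themes/t/s.js?mode=dark#top'],
        ['/static/app.js',                                   '/static/app.js'],
        ['/static/app.js?version=9',                         '/static/app.js?version=9'],
    ];
}

function run_version_strip_cases(): bool
{
    foreach (version_strip_cases() as [$in, $want]) {
        if (remove_version_query_string($in) !== $want) {
            return false;
        }
    }
    return true;
}

echo run_version_strip_cases() ? "all cases pass\n" : "mismatch\n";
```

The trade-off to remember: `ver` is also WordPress's cache-busting mechanism, so stripping it hides core and plugin versions from scanners at the cost of relying on other cache invalidation when assets change.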
- Enhanced Error Handling: Removed `set -e` from update scripts to allow graceful continuation on non-critical errors
- Version Script Robustness: Improved `update-version-simple.sh` with better error recovery and user messaging
- Version Checking Accuracy: Fixed `check-versions.sh` to search only file headers (first 20 lines), preventing false positives
- macOS Compatibility: Enhanced perl-based substitution patterns for better macOS compatibility (BSD sed syntax differs from GNU sed)
- Deferred Modifications: Improved self-modifying script handling with deferred command execution
- CI/CD Ready Scripts: All scripts now support non-interactive execution with proper exit codes
- Better User Guidance: Enhanced error messages with clear examples and suggested solutions
- Graceful Error Recovery: Scripts continue processing even when encountering non-critical issues
- Version Consistency: Automated validation ensures all 17 plugin files maintain version synchronization
- Header Standards: Updated HEADER-STANDARDS.md with version 1.1.5 references and examples
- Script Documentation: Enhanced inline documentation for all development scripts
- Usage Examples: Added comprehensive examples for new GraphQL testing functionality
- Error Handling Docs: Documented improved error handling patterns and best practices
- Plugin Core: Updated main plugin file to version 1.1.5
- PHP Components: All src/ PHP files updated with `@version 1.1.5` tags
- Asset Files: CSS and JavaScript files synchronized to version 1.1.5
- Documentation: All version references updated across documentation files
- Build Scripts: Version management scripts updated to 1.1.5
- Error Handling: Enhanced error handling across all security components
- Code Consistency: Improved code consistency following project standards
- Performance: Maintained performance optimizations while adding new features
- Backward Compatibility: All changes maintain full backward compatibility
- URL Processing: Improved URL parameter processing for better security
- Input Validation: Enhanced validation patterns for security-critical functions
- Testing Coverage: New comprehensive testing tools for GraphQL security validation
- Production Ready: All new features built with production-ready standards
- WordPress Admin Protection: Hide `/wp-admin` and `/wp-login.php` from unauthorized users with custom URLs
- 404 Response Protection: Direct access to the standard admin URLs returns 404 errors instead of revealing the login page
- Custom Path Configuration: User-configurable admin access paths (e.g., `/my-secret-admin`)
- Security Keyword Filtering: Prevents use of common, easily guessable paths like 'admin', 'login', 'dashboard'
- Rewrite Rules Integration: Seamless WordPress rewrite rules for custom admin access
- Live Input Validation: Instant feedback while typing custom admin paths without form submission
- AJAX Validation System: Server-side validation with immediate user feedback
- Visual Indicators: Color-coded validation states (validating, valid, invalid) with animations
- Smart Error Messages: Specific error messages for different validation failures
- Preview URL Generation: Real-time preview of custom admin URL as user types
- Unified Query Parameter Handling: Implements `build_query_with_token()` method for consistent URL manipulation across admin hiding features
- DRY Principle Implementation: Clean architecture with `do_redirect_with_token()` and `add_token_to_url()` using shared parameter handling logic
- Production-Ready Code: Built with clean, production-optimized code without debug logging for optimal performance
- Reusable Forbidden Paths: Centralized `$forbidden_admin_paths` class property for consistent validation
- Public API: Getter method `get_forbidden_admin_paths()` for external access
- Performance Optimization: Cached validation results and efficient AJAX responses
- Interactive Form Validation: Enhanced form validation with admin path checks before submission
- Responsive Design: Mobile-optimized validation indicators and error messages
- Progressive Enhancement: Graceful degradation for users with JavaScript disabled
- Auto-Save Integration: Admin path validation integrated with existing auto-save functionality
- Method Design: Implements reusable `build_query_with_token()` method for query parameter handling
- Parameter Deduplication: Built-in automatic removal of duplicate auth tokens in URL parameters
- Flexible Input Handling: Unified method supports both array (`$_GET`) and string query parameter sources
- Clean Implementation: Efficient codebase design following DRY principles from inception
- Production Standards: Built with production-ready code standards and no debug statements
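The admin-hiding entries above (custom path validation with forbidden keywords, the wp-config.php emergency override from 1.1.6, and a `build_query_with_token()` that deduplicates auth tokens from either `$_GET` or a raw string) describe behaviour without showing it. The block below is an added example of how those three pieces fit together; it is not the plugin's code. The forbidden-path list beyond `admin`/`login`/`dashboard`, the option key, the `sas_token` parameter name and the exact `define()` line are assumptions, and the plugin's admin panel should be consulted for the real recovery constant syntax.

```php
<?php
declare(strict_types=1);

/** Paths too guessable to serve as a hidden admin entry point (the page names admin/login/dashboard). */
const FORBIDDEN_ADMIN_PATHS = ['admin', 'login', 'dashboard', 'wp-admin', 'wp-login'];

/** Lower-case, trim slashes/whitespace, keep only [a-z0-9_-]; null when nothing usable is left. */
function sanitize_admin_path(string $raw): ?string
{
    $path = preg_replace('/[^a-z0-9_-]/', '', strtolower(trim($raw, " \t\n\r/"))) ?? '';
    return $path === '' ? null : $path;
}

/** Same checks a live AJAX validator would run: [is_valid, message]. */
function validate_admin_path(string $raw): array
{
    $path = sanitize_admin_path($raw);
    if ($path === null) { return [false, 'Use letters, digits, "-" or "_" only']; }
    if (strlen($path) < 4) { return [false, 'Path is too short to resist guessing']; }
    if (in_array($path, FORBIDDEN_ADMIN_PATHS, true)) { return [false, "\"$path\" is a common, easily guessed path"]; }
    return [true, "Admin will be reachable at /$path"];
}

/**
 * Emergency override: a constant in wp-config.php wins over the stored option, so an
 * administrator who forgot the custom path can recover over FTP without database access.
 * Assumed line for wp-config.php:  define('SILVER_ASSIST_HIDE_ADMIN', false);
 * The option key below is a placeholder for whatever get_option() call the plugin uses.
 */
function is_admin_hide_enabled(array $options): bool
{
    if (defined('SILVER_ASSIST_HIDE_ADMIN')) {
        return (bool) constant('SILVER_ASSIST_HIDE_ADMIN');
    }
    return (bool) ($options['admin_hide_enabled'] ?? false);
}

/**
 * Rebuild a query string carrying exactly one auth token. Accepts the parsed $_GET
 * array or a raw string; every existing token parameter is dropped first (including
 * duplicates from malformed "?t=a?t=b" URLs, which parse_str() would silently collapse).
 */
function build_query_with_token(array|string $query, string $tokenParam, string $token): string
{
    $pairs = [];
    if (is_string($query)) {
        foreach (preg_split('/[&?]/', $query, -1, PREG_SPLIT_NO_EMPTY) as $pair) {
            [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
            $pairs[] = [urldecode($k), urldecode($v)];
        }
    } else {
        foreach ($query as $k => $v) {
            if (is_scalar($v)) { $pairs[] = [(string) $k, (string) $v]; }
        }
    }
    $kept = array_filter($pairs, fn(array $kv): bool => $kv[0] !== $tokenParam);
    $kept[] = [$tokenParam, $token];
    return implode('&', array_map(fn(array $kv): string => rawurlencode($kv[0]) . '=' . rawurlencode($kv[1]), $kept));
}

function add_token_to_url(string $url, string $tokenParam, string $token): string
{
    [$base, $query] = array_pad(explode('?', $url, 2), 2, '');
    return $base . '?' . build_query_with_token($query, $tokenParam, $token);
}

// Constructed inputs; "sas_token" is a placeholder parameter name, not the plugin's.
[$ok, $msg] = validate_admin_path('/Admin/');
echo $ok ? 'valid: ' : 'rejected: ', $msg, "\n";
echo add_token_to_url('/my-secret-admin?sas_token=stale&p=1&sas_token=stale', 'sas_token', 'fresh'), "\n";
```

The validator normalises before checking, so `/Admin/` is rejected the same way `admin` is; the token builder re-encodes every pair on output, so a value that arrived already decoded via `$_GET` and one parsed from a raw string end up in the same form.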
- Complete Admin Hide Interface: All new admin hiding features fully translated to Spanish
- Real-Time Validation Messages: Localized error messages and validation feedback
- Security Notices: Important security warnings translated for Spanish-speaking users
- Updated Translation Files: Version 1.1.4 with 15+ new translated strings
- WP-CLI Integration: Automated translation file generation and compilation
- Binary Compilation: Updated `.mo` files for WordPress production use
- Version Consistency: All translation files updated to match plugin version 1.1.4
- Clean File Structure: Removed backup files for optimized distribution
- User Education: Clear security notices about proper usage and limitations
- Recovery Instructions: Guidance for users who forget custom admin paths
- Database Recovery: Instructions for FTP-based feature disabling if needed
- Layered Security Reminder: Emphasis on using with strong passwords and other security measures
- Input Sanitization: All user inputs properly sanitized using WordPress functions
- Nonce Verification: CSRF protection for all AJAX validation requests
- Permission Checks: Administrative capability verification for security operations
- Error Handling: Comprehensive error handling with secure fallback responses
- Production Security: Complete removal of debug statements prevents information disclosure
- URL Parameter Security: Enhanced auth token handling prevents parameter manipulation
- silverassist/wp-github-updater: Updated to v1.0.1 with improved changelog formatting
- Enhanced Changelog Display: Better HTML rendering of markdown in WordPress plugin update modal
- Improved User Experience: More readable release notes during automatic updates
- Git Attributes: Added comprehensive `.gitattributes` file for better release management
- Cross-platform Compatibility: Consistent line endings (LF) across all platforms
- Cleaner Archives: GitHub automatic releases now exclude development files
- Binary File Handling: Proper Git configuration for images and compiled files
- External Package: Migrated to reusable `silverassist/wp-github-updater` Composer package
- Code Reusability: Centralized update logic for use across multiple Silver Assist plugins
- Optimized Distribution: Smart vendor directory inclusion with production-only dependencies
- Automatic Updates: Seamless GitHub-based plugin updates with no breaking changes
- Multi-location Loading: Robust translation system supporting global and local language directories
- Proper Hook Timing: Fixed "translation loading too early" warnings by loading the text domain on the `init` hook
- Fallback System: Three-tier translation loading (global → local → fallback) for maximum compatibility
- User Locale Support: Enhanced user experience with `get_user_locale()` integration
- Smart Vendor Copying: Only essential files included in distribution ZIP (excludes tests, docs, .git)
- Production Dependencies: Automated `composer install --no-dev` during build process
- Size Optimization: Reduced ZIP size while maintaining full functionality (~98KB optimized)
- Autoloader Integration: Seamless Composer autoloader integration with custom PSR-4 loader
- Updater Class Refactoring: Simplified to extend external package with minimal configuration
- Dependency Management: Clean separation between development and production dependencies
- Package Configuration: Centralized updater configuration with plugin-specific settings
- Automatic Vendor Inclusion: Build script intelligently includes only necessary Composer dependencies
- Self-contained Installation: Plugin ZIP includes all required external packages
- WordPress Compatibility: No manual Composer installation required by end users
- Clean Architecture: Maintains plugin folder structure without version suffixes
- Composer Integration: Full support for external packages in WordPress plugin context
- Development Workflow: Maintained separate dev/production dependency management
- Build Automation: One-command release generation with optimized output
- WordPress 6.7+ Ready: Resolved all translation loading warnings
- Filter Integration: Customizable translation directory and locale detection
- Performance Optimized: Efficient translation file loading with proper caching
- Type Safety: Maintained strict PHP 8+ type declarations throughout refactoring
- Error Handling: Robust error handling for Composer autoloader integration
- WordPress Standards: Full compliance maintained with coding standards
- Zero Breaking Changes: All existing functionality preserved
- API Consistency: No changes to public plugin interfaces
- Configuration Preservation: All user settings maintained during updates
Silver Assist Security Essentials v1.1.1 is the first stable and fully functional release of our comprehensive WordPress security plugin. This plugin addresses three critical security vulnerabilities commonly found in WordPress security audits with modern PHP 8+ architecture, centralized configuration management, and robust GraphQL protection.
- DefaultConfig Class: Single source of truth for all plugin settings with two-tier configuration approach
- GraphQLConfigManager: Singleton pattern for centralized GraphQL configuration management with intelligent caching
- Performance Optimization: Reduced configuration overhead through centralized caching and unified option handling
- Configuration Consistency: Eliminated duplicate configuration logic across all components
- PSR-4 Autoloading: Organized namespace structure (`SilverAssist\Security\{ComponentType}\{ClassName}`)
- Strict Type Declarations: Full PHP 8+ type safety with union types and match expressions
- WordPress Function Integration: Proper `\` prefixes for all WordPress functions in namespaced contexts
- Use Statement Standards: Alphabetical sorting and same-namespace exclusion rules across all PHP files
- String Consistency: Modern string interpolation patterns and double quote consistency throughout codebase
- Singleton Patterns: Efficient resource management and configuration centralization
- Brute Force Protection: Configurable IP-based login attempt limiting (1-20 attempts)
- Session Management: Advanced session timeout control (5-120 minutes)
- User Enumeration Protection: Standardized error messages prevent user discovery
- Strong Password Enforcement: Mandatory complex password requirements (12+ chars, mixed case, numbers, symbols)
- Bot and Crawler Blocking: Advanced detection and blocking of automated reconnaissance tools
- Security Scanner Defense: Protection against Nmap, Nikto, WPScan, and similar security scanners
- 404 Response System: Returns "Not Found" responses to suspicious requests to hide admin interface
- Automatic HTTPOnly Flags: Applied to all WordPress authentication cookies
- Secure Cookie Configuration: Automatic secure flags for HTTPS sites
- SameSite Protection: CSRF attack prevention through SameSite cookie attributes
- Domain Validation: Proper cookie scoping and security
- Hybrid GraphQL Protection: Complete integration with WPGraphQL plugin
- Centralized Configuration Management: Single source of truth for all GraphQL settings through GraphQLConfigManager
- Intelligent Query Analysis: Enhanced complexity estimation with field counting, connection analysis, and nesting detection
- Introspection Control: Production-safe introspection blocking with WPGraphQL coordination
- Query Depth Limits: Configurable depth validation (1-20 levels, default: 8) with WPGraphQL native integration
- Query Complexity Control: Advanced complexity scoring system (10-1000 points, default: 100)
- Query Timeout Protection: Execution timeout enforcement (1-30 seconds, default: 5)
- Adaptive Rate Limiting: Intelligent rate limiting (30 requests/minute per IP) with headless CMS support
- Alias Abuse Protection: Prevention of query alias multiplication attacks
- Field Duplication Blocking: Protection against field duplication DoS attempts
- Directive Limitation: Control over GraphQL directive usage
- Headless CMS Mode: Specialized configuration for headless WordPress implementations
- WPGraphQL Native Integration: Seamless coordination with WPGraphQL's built-in security features
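Most of the GraphQL protections listed above (depth limits, alias abuse, field duplication, directive limits, introspection blocking) are structural properties of the query text that can be measured before execution. The block below is an added example, not the plugin's or WPGraphQL's implementation: a small character scanner that extracts those measurements and applies caps. Only the depth default of 8 comes from the list; the alias, directive and duplication caps, and the sample queries, are constructed for the example. It is not a full GraphQL parser: it skips strings and comments, ignores everything inside argument lists, and treats a field literally named `on` or `query` as a keyword.

```php
<?php
declare(strict_types=1);

/**
 * Character scanner (not a full parser) measuring the structural signals listed
 * above: selection-set depth, aliases, directives, worst per-selection-set field
 * duplication, and introspection use. Strings/comments are skipped; argument
 * lists are ignored so "user(id: 1)" is never mistaken for an alias.
 */
function analyze_graphql_query(string $query): array
{
    $len = strlen($query);
    $depth = $maxDepth = $paren = $aliases = $directives = $maxDup = 0;
    $introspection = false;
    $sets = [];                                  // stack: one [field => count] map per selection set
    $readName = function (int &$i) use ($query, $len): string {
        $s = $i;
        while ($i < $len && (ctype_alnum($query[$i]) || $query[$i] === '_')) { $i++; }
        return substr($query, $s, $i - $s);
    };
    $skipWs = function (int &$i) use ($query, $len): void {
        while ($i < $len && ctype_space($query[$i])) { $i++; }
    };

    for ($i = 0; $i < $len;) {
        $c = $query[$i];
        if ($c === '"') {                                              // string literal (may hold braces/colons)
            for ($i++; $i < $len && $query[$i] !== '"'; $i += ($query[$i] === '\\' ? 2 : 1));
            $i++; continue;
        }
        if ($c === '#') { while ($i < $len && $query[$i] !== "\n") { $i++; } continue; }
        if ($c === '(') { $paren++; $i++; continue; }
        if ($c === ')') { $paren--; $i++; continue; }
        if ($paren > 0) { $i++; continue; }                            // inside arguments
        if ($c === '{') { $maxDepth = max($maxDepth, ++$depth); $sets[] = []; $i++; continue; }
        if ($c === '}') {
            $depth--;
            if ($counts = array_pop($sets)) { $maxDup = max($maxDup, max($counts)); }
            $i++; continue;
        }
        if ($c === '@') { $directives++; $i++; $readName($i); continue; }
        if ($c === '.') {                                              // ...Fragment | ... on Type
            while ($i < $len && $query[$i] === '.') { $i++; }
            $skipWs($i);
            if ($readName($i) === 'on') { $skipWs($i); $readName($i); }
            continue;
        }
        if (ctype_alpha($c) || $c === '_') {
            $name = $readName($i);
            if (in_array($name, ['query', 'mutation', 'subscription', 'fragment', 'on'], true)) {
                $skipWs($i); $readName($i); continue;                  // skip operation/fragment name
            }
            $j = $i; $skipWs($j);
            if ($j < $len && $query[$j] === ':') { $aliases++; $i = $j + 1; continue; } // alias: field follows
            $introspection = $introspection || $name === '__schema' || $name === '__type';
            if ($sets !== []) { $sets[array_key_last($sets)][$name] = ($sets[array_key_last($sets)][$name] ?? 0) + 1; }
            continue;
        }
        $i++;
    }
    return ['depth' => $maxDepth, 'aliases' => $aliases, 'directives' => $directives,
            'max_duplicate_field' => $maxDup, 'introspection' => $introspection];
}

/** Caps other than depth 8 are assumptions for this example. */
function graphql_limit_violations(string $query, array $limits = ['depth' => 8, 'aliases' => 10, 'directives' => 10, 'max_duplicate_field' => 5]): array
{
    $stats = analyze_graphql_query($query);
    $out = [];
    foreach ($limits as $key => $max) {
        if ($stats[$key] > $max) { $out[] = "$key={$stats[$key]} exceeds $max"; }
    }
    if ($stats['introspection']) { $out[] = 'introspection (__schema/__type) blocked'; }
    return $out;
}

// Constructed probes mirroring the scenarios a test script would send.
$probes = [
    'benign'        => 'query { posts(first: 5) { nodes { id title } } }',
    'alias_abuse'   => 'query { ' . implode(' ', array_map(fn(int $n): string => "a$n: posts { id }", range(1, 11))) . ' }',
    'deep_nesting'  => 'query { posts { nodes { author { posts { nodes { author { posts { nodes { id } } } } } } } } }',
    'introspection' => '{ __schema { types { name } } }',
];
foreach ($probes as $label => $q) {
    printf("%-14s %s\n", $label, implode('; ', graphql_limit_violations($q)) ?: 'ok');
}
```

Alias multiplication shows up twice on purpose: the eleven `aN: posts` fields trip the alias cap and, because they all sit in one selection set, the duplication cap as well, which is why the two checks are cheap complements rather than redundant. A complexity score or execution timeout still needs the resolver cost model that only the server has, so those stay outside a pre-execution scan like this one.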
- PSR-4 Autoloading: Organized namespace structure (`SilverAssist\Security\{ComponentType}\{ClassName}`)
- Strict Type Declarations: Full PHP 8+ type safety with union types and match expressions
- Singleton Patterns: Efficient resource management and configuration centralization
- Component-based Architecture: Modular design with clear separation of concerns
- GraphQLConfigManager: Centralized configuration system for all GraphQL settings
- Intelligent Caching: Performance optimization through transient-based caching
- WPGraphQL Detection: Automatic plugin detection and compatibility checking
- Security Evaluation: Real-time security assessment and recommendations
- Configuration HTML Generation: Formatted display for admin interface integration
- WordPress Coding Standards: Full compliance with WordPress PHP coding standards
- Hook System Integration: Proper use of WordPress actions and filters with appropriate priorities
- Database Operations: WordPress options API and transients (no custom tables)
- Admin Interface: Native WordPress admin UI patterns and styling
- Internationalization: Complete i18n support with Spanish translation included
- Security Best Practices: Input sanitization, output escaping, nonce verification, and capability checks
- Live Security Monitoring: AJAX-powered dashboard updates every 5 seconds
- Visual Compliance Indicators: Clear status display for each security vulnerability
- Interactive Controls: Toggle switches and sliders for configuration
- Statistics Display: Real-time metrics for failed logins, blocked IPs, and GraphQL queries
- Multi-language Support: Full English and Spanish interface support
- WordPress: 6.5+ (tested up to latest)
- PHP: 8.0+ (optimized for PHP 8.3)
- WPGraphQL: Optional but recommended for GraphQL features
- Browser Support: Modern browsers with JavaScript enabled for admin interface
- Composer Support: Complete development environment with PHPCS, PHPUnit
- GitHub Integration: Direct updates from SilverAssist/silver-assist-security repository
- Automatic Updates: Version checking and notification system
- Debug Logging: Comprehensive debug information for troubleshooting
- Translation Support: Complete i18n implementation with WP-CLI integration
This release represents a complete, production-ready WordPress security solution that addresses critical vulnerabilities while maintaining high performance and WordPress compatibility standards.