Atlant Security

Changelog

1.1.9 – Typography Cleanup

• Stylistic: replaced 754 em-dashes (U+2014) with regular hyphens across all plugin descriptions, admin UI text, error messages, view templates, and translation strings. Pure cosmetic change with zero functional impact – improves consistency for translators and copy-paste-friendliness in support contexts.

1.1.8 – Default-Allow Policy for Vendor Bots

Two related fixes that codify a clear policy: the plugin will not block legitimate vendor bots (Google, Anthropic, OpenAI, Bing, etc.) unless the site operator explicitly opts in.

• Fixed: AI Crawler default rules. Out-of-the-box, the plugin previously had default_action: 'block' on GPTBot (OpenAI), ClaudeBot + anthropic-ai (Anthropic), Google-Extended (Google), and several others – meaning a fresh install silently blocked legitimate AI crawlers. ALL crawler default_actions are now ‘allow’. To block them, the site operator must:
  • Toggle “Block all AI crawlers” globally, or
  • Set per-crawler block rules on the AI Crawlers admin page, or
  • Click “Apply recommended” (which still opts in to blocking AI training crawlers, with clear documentation).
• Fixed: Honeypot reverse-DNS verification (added in 1.1.7) was fail-CLOSED. A transient DNS failure on the WordPress host could deny safe-bot status to a real Googlebot crawl and ban its IP – devastating for SEO. Now fail-OPEN: tri-state verdict (verified / mismatch / unknown) where only mismatch (definite spoof: rDNS exists and points elsewhere) denies safe-bot status. DNS errors and missing PTR records grant the bot the benefit of the doubt.
• Improved: The recommended_crawler_rules() preset is now explicitly documented as the ONLY place in the plugin that blocks vendor AI crawlers, and only when the operator clicks “Apply recommended.”

1.1.7 – Critical Audit Hardening

This release ships fixes for 14 CRITICAL and 12 HIGH-severity issues found during a full external audit of the codebase. Several of these were genuine showstoppers – including a fatal-at-login bug, IP-block bypass over IPv6, and an SSRF in the outbound monitor. Recommended upgrade for everyone.

• Fixed (CRITICAL): Concurrent-session enforcement could fatal at login on hosts where notices are promoted to errors (undefined $tokens_to_remove variable in SessionSecurity).
• Fixed (CRITICAL): Every IP block in the database was bypassable on dual-stack servers via ::ffff:1.2.3.4 IPv4-mapped-IPv6 addresses. All IP comparisons now go through a normalization helper that collapses mapped addresses and canonicalises IPv6 representations.
• Fixed (CRITICAL): Outbound SSRF protection had a DNS-rebinding TOCTOU race – DNS resolved at check-time, cURL connected at use-time, allowing attacker-controlled records to flip between public and 169.254.169.254. cURL is now pinned to the vetted IP via CURLOPT_RESOLVE.
• Fixed (CRITICAL): Trusted-proxy list silently failed for CIDR entries (admins routinely list 10.0.0.0/8). CIDR support is now wired through the existing Whitelist::ip_in_cidr().
• Fixed (CRITICAL): Cloudflare integration auto-whitelisted ALL Cloudflare IP space – including 104.16.0.0/13 used by Cloudflare Pages. Removed; the integration now only validates the CF-Connecting-IP header source. Google/Microsoft auto-whitelists are now scoped: IP match AND verifiable bot UA.
• Fixed (CRITICAL): Quarantine destination was inside wp-content/uploads/ (web-accessible). Quarantined files were MORE accessible to attackers post-quarantine than pre-. Moved to wp-content/aswp-quarantine/ outside /uploads/ with stripped extensions, multi-server-config Deny rules.
• Fixed (CRITICAL): wp-config.php backup written by Rotate Secret Keys was directly HTTP-accessible on Apache hosts and contained the OLD plaintext keys. Backups now go to dirname(ABSPATH)/aswp-config-backups/ (outside web root) with a .txt extension.
• Fixed (CRITICAL): Rotate Secret Keys regex couldn’t replace key values containing single quotes – when it failed, a duplicate define() was injected, fatally breaking the site on next request. Replaced with a NAME-anchored line replacement plus atomic temp-file-then-rename write.
• Fixed (CRITICAL): Notifications webhook/Slack URLs only got wp_http_validate_url() (loopback-only). Added a resolver-based check that rejects ALL private, link-local, CGNAT, and cloud-metadata destinations.
• Fixed (CRITICAL): WAF JavaScript-URI rule had catastrophic-backtracking ReDoS via overlapping \s* runs. Pattern collapsed; long crafted cookies/URLs no longer hold PHP hostage.
• Fixed (CRITICAL): WAF disabled-rule list now defensively filtered against the rule whitelist on read – a poisoned option (e.g. via SQLi in another plugin) cannot disable arbitrary rules.
• Fixed (CRITICAL): Custom Login URL recovery token was stored in plaintext in wp_options. Now stored as SHA-256 hash; plaintext is shown to the admin exactly once at enable time. Old plaintext tokens are auto-migrated to hash on first verification.
• Fixed (CRITICAL): PostBreach restore_plugins was public (callable from anywhere) and trusted whatever was in aswp_disabled_plugins_backup without validation. Now private, validates every entry against the live get_plugins() list and on-disk file existence, with traversal protection.
• Fixed (CRITICAL): On uninstall, the plugin left wp-config.php.aswp-backup-* files on disk in the web root with old plaintext keys. Now all known backup paths and quarantine directories are scrubbed.
• Fixed (HIGH): 2FA enrollment-required users were given a fully authenticated WordPress session and were only confined via an admin-init redirect – bypassable via direct REST/XML-RPC calls. Session is now destroyed; enrollment-required users go through the same challenge flow as enrolled users.
• Fixed (HIGH): 2FA challenge nonce used wp_create_nonce which binds to the current user id – but at challenge time the user is logged out, so all nonces verified for ANY pending challenge (cross-user nonce reuse). Replaced with per-token HMAC bound to wp_salt('auth').
• Fixed (HIGH): Disabling 2FA required only the shared aswp_nonce and no re-authentication. Now requires (a) a dedicated nonce action and (b) a valid current TOTP / Email OTP / recovery code.
• Fixed (HIGH): IPManager block_ip() was a racy SELECT-then-INSERT under concurrent auto-blocking. Replaced with a single atomic INSERT ... ON DUPLICATE KEY UPDATE.
• Fixed (HIGH): IPManager is_blocked() and RequestLogger check_blocked() disagreed on rows where permanent=0 AND blocked_until IS NULL (legacy / race-state data). Aligned to treat NULL blocked_until as permanent.
• Fixed (HIGH): Honeypot Googlebot/Bingbot UA spoofing – any attacker could set User-Agent: Googlebot/2.1 and become exempt from honeypot bans. Major-search-engine bot UAs now require reverse-DNS verification (round-trip: PTR → suffix match → forward-resolve back to same IP), cached 24h.
• Fixed (HIGH): Notifications cross-request dedup did not work (static array is per-request). Added 5-minute transient dedup so a real attack can no longer flood every channel from every PHP-FPM worker.
• Fixed (HIGH): Concurrent scan invocations (cron + AJAX poll within the same second) could overwrite each other’s progress. Added 90-second transient mutex.
• Fixed (HIGH): Symlinks in scan paths could escape ABSPATH – realpath() containment now enforced before any file_get_contents().
• Fixed (HIGH): Outbound SSRF metadata-IP list expanded to cover Alibaba Cloud (100.100.100.200) and AWS IPv6 metadata.
• Fixed (HIGH): Whitelist::in_whitelist_table() used SHOW TABLES LIKE where _ is a wildcard – could false-positive on similarly named tables. Switched to information_schema.TABLES exact match.
• Fixed (HIGH): WAF multi_decode() now also resolves JS-style \uXXXX and \xNN escapes – closing an XSS-rule bypass that was specifically called out by the existing xss_encoded rule.
• Fixed (HIGH): WAF “skip on AJAX for logged-in users” toggle scoped to manage_options/edit_pages capability – a subscriber-level account (trivial to obtain on WooCommerce) no longer bypasses the entire WAF on AJAX.
• Fixed (HIGH): WAF tarpit cap reduced from 10s to 3s – coordinated burst attacks could previously saturate the entire max_children worker pool.
• Fixed (HIGH): WAF, login-security view, and Scanner now use raw wp_unslash() for matching paths/UAs (sanitize_text_field strips characters used by LFI/XSS payloads). Sanitisation only happens at write-to-database time.
• Fixed (MEDIUM): Custom Login URL slug pool no longer includes login and admin (slugs were structurally guessable). Added haven and vault as replacements.
• Fixed (MEDIUM): PostBreach terminate_sessions and rotate_secret_keys now return reload_required: true + a redirect to the login page – admin sees an immediate, clean redirect instead of stuck-403 silent-failure on subsequent AJAX calls.
• Fixed (MEDIUM): Daily security digest was silently dropped for users with the default medium severity threshold. Digest now bypasses the threshold filter.
• Improved: Audit-log row written on every false-positive mark/unmark and 2FA disable.

1.1.6 – Scanner Accuracy

• Fixed: Malware Scanner false-positive flood on fresh WordPress installs (community feedback). Three independent fixes:
  • WordPress core checksum verification – files matching the official MD5 checksums from api.wordpress.org are now skipped entirely. Modified core files are flagged as critical (core_modified rule), but vendor-provided WordPress core code no longer mis-fires the iframe / base64 / php signatures.
  • Path-based allowlist for known-safe core files: class-wp-embed.php, embed-template.php, oEmbed providers, customize code-editor control, and class-pclzip.php (which legitimately uses base64 fixtures).
  • Tightened signatures: hidden-iframe detection now requires an external (non-this-site) host OR JS-injected DOM construction – eliminates false matches on Stripe Elements, reCAPTCHA, payment widgets, and oEmbed code. Long-base64 detection now requires the base64 string to be wrapped in a code-execution wrapper – so plugin license keys, inline SVG, and minified JS no longer mis-fire.
• Fixed: mal_php_upload signature was incorrectly applied to plugins/themes whose path contained the substring “uploads” anywhere (e.g. /wp-content/plugins/foo/uploads/template.php). Now uses the actual wp_upload_dir() basedir for path comparison.
• Added: Mark as False Positive button on every file finding. Records (file, signature_id, current SHA-256) and skips that combination on future scans. Marks are automatically invalidated if the file’s hash drifts (so a malicious replacement of an “ignored” file is still caught).
• Added: Undo button on ignored findings to re-enable a signature on a file.
• Added: All false-positive marks are written to the audit log (action: scan_fp_mark / scan_fp_unmark).
• Added: External Services disclosure for the WordPress.org core-checksums API.

1.1.5

• Added: CAPTCHA bot protection on the login, registration, and lost-password forms – three providers supported: Google reCAPTCHA v2 (checkbox), Google reCAPTCHA v3 (invisible, score-based), and Cloudflare Turnstile (privacy-friendly, no Google dependency)
• Added: Per-form toggles so you can enable CAPTCHA on login only, or all three forms
• Added: Light / Dark / Auto theme picker for the CAPTCHA widget
• Added: reCAPTCHA v3 score threshold (0.0–1.0, default 0.5) – submissions below the threshold are rejected and logged as captcha_low_score events
• Improved: Whitelisted IPs always bypass CAPTCHA – anti-lockout safety net
• Improved: CAPTCHA verification runs at authenticate priority 20, BEFORE the brute-force lockout counter – so failing CAPTCHAs no longer trigger lockouts of legitimate users
• Improved: Failed CAPTCHA attempts logged as captcha_failed events with context (login / register / lostpassword)

1.1.4

• Added: CSV export on the Malware Scanner page – one-click downloads of full, untruncated File Findings and Database Findings (Reddit community suggestion). Paths, matched snippets, and details are no longer truncated – perfect for researching a hit in Excel/Numbers or sending to a security consultant before committing to Quarantine.
• Added: Tested up to bumped to WordPress 7.0
• Added: Scanner CSV exports are written to the audit log, so fleet admins can see when and by whom the full-detail extracts were downloaded
• Added: aswp_brand_name, aswp_brand_logo_url, aswp_brand_support_url filters so the Enterprise add-on can white-label the UI for agencies reselling the service
• Improved: CSV downloads include a UTF-8 BOM so Excel on Windows opens non-ASCII paths correctly

1.1.3 – Security Hardening

• Security: Custom Login URL grace cookie is now HMAC-signed (bound to user ID + wp_salt); the old “aswp_admin_grace=active” value can no longer bypass the hidden login URL
• Security: Two-Factor Authentication is now actually enforced for roles listed in “Required Roles” – users who have not enrolled are confined to profile.php on login until they set up TOTP or Email OTP
• Security: Outbound request log strips query strings and redacts Slack/Discord/Telegram webhook paths before storage – MaxMind license keys, API tokens, signed-URL signatures, and webhook secrets are no longer written to the database
• Security: SSRF protection always blocks outbound requests to private/internal IP ranges, regardless of the monitor’s log/enforce mode
• Security: SSRF DNS resolution now checks both IPv4 (A) and IPv6 (AAAA) records – previously only A records were inspected, letting a hostname with a public A record but a private AAAA record bypass the check on IPv6-preferring hosts
• Security: Concurrent session limiting now keys fingerprint/activity maps by the same verifier hash WordPress uses internally – previously the limiter could never actually destroy old sessions because it mixed raw tokens with verifier hashes
• Security: Loopback addresses (127.0.0.1, ::1) are no longer auto-whitelisted when the site is configured behind a reverse proxy or Cloudflare – on proxied hosts every visitor would otherwise appear as trusted
• Security: REST API write-block default policy now allows authenticated users with the edit_posts capability (editors, authors) so Gutenberg and the block editor keep working; only unauthenticated writes are refused
• Security: Post-Breach “Rotate Secret Keys” now rewrites wp-config.php directly (with a timestamped backup) instead of storing the new keys in wp_options where WordPress never reads them; falls back to a copy-paste snippet if the file is not writable
• Security: 2FA recovery codes are now generated and stored lowercased so user-entered codes verify correctly – previously the mixed-case display and lowercased verification hashed different strings, causing valid codes to fail
• Added: Trusted proxy IP setting in Settings › Reverse-Proxy / Load-Balancer – required for correct visitor IP detection behind Nginx, HAProxy, AWS ALB, and other reverse proxies
• Added: weekly cron schedule registration – required by the weekly Cloudflare / Google / Microsoft / GeoIP refresh jobs which WordPress core does not ship as a default interval
• Improved: Cloudflare / Google / Microsoft IP-range refresh cron callbacks now skip the outbound fetch when the matching integration toggle is disabled
• Improved: Multi-line settings (currently: trusted proxy IPs) preserve newlines on save instead of being collapsed by sanitize_text_field()

1.1.2

• Added: About page with 5-Layer Defense Architecture, competitive features list, attack vector coverage, and plugin information
• Improved: Dashboard decluttered – informational panels moved to About page for a cleaner operational view
• Improved: About page lists 15 unique competitive features with descriptions
• Fixed: Setup wizard no longer auto-redirects on plugin activation or reactivation
• Fixed: Setup wizard accessible from sidebar navigation at any time

1.1.1

• Improved: Visitor log table uses percentage-based column widths for fluid layout across screen sizes
• Improved: Filter bar and results info bar spacing tightened
• Fixed: Setup wizard admin notice removed – no longer floats above page layout

1.1.0

• Improved: Stat cards compacted – smaller icons, tighter padding, reduced font sizes
• Improved: Page header, grid column, and IP list padding reduced for denser layout
• Fixed: Session timeout now correctly respects “Exempt Administrators” setting for idle timeout and session fingerprint binding (was only checked for concurrent session limits)
• Fixed: Session security settings description updated to reflect full admin bypass scope

1.0.9

• Improved: Inner sidebar width reduced from 240px to 200px with tighter item padding
• Improved: Table headers shortened (IP Address > IP, Country > flag only, etc.)
• Improved: Top IPs widget uses compact 24x24px icon buttons instead of full-width buttons
• Improved: Dashboard grid right column uses responsive minmax sizing
• Improved: Page content padding and table cell padding reduced globally

1.0.8

• Fixed: Visitor log column widths – JS table-resize no longer overrides CSS-defined column classes
• Fixed: Added CSS column width classes to all table headers (visitor log + dashboard live visitors)
• Fixed: Dashboard live visitors table shows flag only (removed redundant country code text)

1.0.7

• Added: Inner sidebar navigation (Nexus SEO style) – all plugin pages accessible from a persistent left panel
• Added: WordPress sidebar shows single “Atlant Security” entry instead of 23 submenu items
• Added: Sidebar brand header with logo, active page highlighting, version footer
• Added: Responsive sidebar – collapses to horizontal nav on screens below 1024px
• Fixed: Plugin footer now renders inside page layout instead of WP’s admin footer area
• Fixed: “Sorry, you are not allowed to access this page” error caused by removing WordPress $submenu entries – now uses CSS-based hiding to preserve permission checks

1.0.6

• Improved: All plugin admin pages now send no-cache headers to prevent stale data from caching plugins
• Fixed: Top Pages widget CSS class mismatch causing broken styling
• Fixed: Top IPs widget now excludes whitelisted IPs from the list

1.0.5

• Fixed: decodeEntities function scoping bug in admin.js causing HTML entity rendering issues

1.0.4

• Added: GeoIP country resolution – MaxMind GeoLite2-Country integration with pure-PHP MMDB reader, auto-download, weekly auto-update, and dedicated admin page with test lookup
• Added: Custom Login URL module – move wp-login.php to a custom slug with automatic redirect of the default login page
• Added: Password Policy module – configurable minimum length, character requirements, common password blocking, and passphrase generator
• Added: Force SSL Admin as a plugin-managed setting (defines FORCE_SSL_ADMIN constant at runtime)
• Added: Auto-Update Plugins and Auto-Update Themes toggles in Settings and Hardening checklist
• Improved: Admin sidebar pages reordered alphabetically for easier navigation
• Improved: Post-Breach Command Center layout – lockdown status widget moved into Critical Actions grid
• Improved: Hardening checklist – Force SSL Admin now toggleable from the checklist (was “Manual fix required”)
• Fixed: Post-Breach page SQL queries referenced nonexistent table name (aswp_ip_blocks > aswp_blocked_ips)
• Fixed: Post-Breach blocked IP count query used wrong column names (expires_at > permanent/blocked_until)
• Fixed: Database migration duplicate-key error that broke all AJAX endpoints (visitor log, dashboard widgets)
• Fixed: Settings loss on plugin reactivation – WAF mode, auto-blocks, and setup wizard no longer reset
• Fixed: Timezone mismatch between stat cards and live visitors (gmdate/NOW vs current_time)
• Fixed: Text domain loaded too early warning on WordPress 6.7+ (moved to init hook)
• Fixed: Plugin deletion wiped all data – uninstall now requires explicit opt-in via deactivation dialog or Settings toggle
• Fixed: ALTER TABLE ADD INDEX SQL errors corrupting AJAX JSON responses when WP_DEBUG_DISPLAY is on
• Fixed: Consistent timezone handling across all 12 modules
• Fixed: Correlated subquery in update_blocked_counts cron job – replaced with single JOIN
• Fixed: Daily digest cron hook not cleared on plugin deactivation
• Fixed: GeoIP database directory cleanup in uninstall.php
• Internal: Complete codebase prefix migration from fwwp_ to aswp_ with automatic database migration on upgrade

1.0.3

• Added: Honeypot module with hidden link trap, fake login page, comment honeypot, CF7 integration
• Added: 3-layer safe bot protection for honeypots (robots.txt, nofollow, UA detection)
• Added: Security Headers admin page with letter-grade scoring
• Added: Two-Factor Authentication admin page with TOTP and Email OTP
• Added: Notifications admin page (Email, Slack, Webhook, Daily Digest)
• Fixed: Top IPs widget now shows VirusTotal link, Block button, and Details button
• Fixed: IP Detail Modal – added max-height, scroll, wider layout
• Fixed: Blocked IPs now correctly log 403 status code instead of 200
• Fixed: TwoFA role handling for comma-separated role strings

1.0.2

• Added: 5 new security modules – AI Crawlers, REST API Policies, Session Security, Outbound Monitor, Cron Guard
• Added: 5 new admin pages with full settings UI for each module
• Improved: Dashboard with live visitors auto-refresh, traffic chart, top IPs/pages widgets

1.0.1

• Added: Setup Wizard with 7-step guided configuration
• Added: IP Detail Modal on Dashboard
• Improved: Dashboard stat cards, browser distribution chart
• Fixed: Setup wizard pagination and button responsiveness

1.0.0

• Initial release with 17 security modules
• Web Application Firewall with 28+ attack pattern rules
• Brute force protection with progressive lockout
• Malware scanner (file and database)
• Post-breach recovery toolkit (12 actions)
• IP blocking and whitelisting
• Visitor log with filtering and pagination
• Admin audit log
• WordPress hardening (6 toggles)
• Rate limiter (11 endpoint categories)
• Real-time security dashboard