MyFast Login Guard – Login Protection & Server Info

變更記錄

1.3.7

• Fixed: Suppressed undefined variable notices from WordPress core wp-login.php triggered when custom login slug is used.
• Fixed: WordPress admin notices no longer appear inside plugin pages.
• Fixed: Clear log button now shows for any writable log file, not only the WordPress debug log.
• Fixed: Clearing large log files (100MB+) no longer fails due to memory limits — now uses fopen truncate instead of loading file into memory.

1.3.6

• Renamed: Plugin renamed to MyFast Login Guard & Server Info with new slug myfast-login-guard and mflg_ prefix throughout.
• Fixed: All CSS class names updated from lssi- to mflg- prefix for uniqueness compliance.
• Fixed: Inline block removed from lockout log page — now uses enqueued lockouts.js.
• Fixed: Removed unused lockouts database table — lockout data stored cleanly in wp_options.
• Fixed: Activation/deactivation hooks converted from anonymous closures to named functions.
• Fixed: Transient cleanup queries now use $wpdb->prepare() for full PHPCS compliance.
• Fixed: Cloudflare cache purge hook removed entirely per WP.org reviewer requirement.
• Fixed: wp_cache_delete() added before wp_localize_script() to guarantee fresh settings on page load.
• Fixed: Login slug reserved-word validation added client-side with clear error message.
• Fixed: Emergency escape hatch constant renamed to MFLG_DISABLE_LOGIN_SLUG.
• Improved: Error log path detection now checks ini_get(‘error_log’) as first candidate.
• Improved: Server info table stacks label above value on mobile instead of horizontal scroll.
• Improved: Export for Support button min-height corrected on mobile.

1.3.1

• Fixed: Text domain reverted to login-shield-server-info to match plugin folder name (Plugin Check compliance).
• Fixed: Removed discouraged load_plugin_textdomain() call (auto-loaded by WordPress.org since WP 4.6).
• Fixed: Replaced fopen/fclose with WP_Filesystem in error-log.php and server-info.php.
• Fixed: Replaced parse_url() with wp_parse_url() in login-protect.php.
• Fixed: Added wp_unslash() to all $_SERVER reads in server-info.php.
• Fixed: Unescaped output — $status_label now uses wp_kses(), $icon uses wp_kses(), min() wrapped in esc_attr().
• Fixed: Ordered placeholders (%1$d, %2$s) and added translators comments in server-info.php and login-protect.php.
• Fixed: Added phpcs:ignore with justification for third-party hook names, read-only GET params, and socket fclose.
• Fixed: uninstall.php table variable renamed with lssi_ prefix.
• Fixed: Upgrade notices trimmed to under 300 characters.

1.3.0

• Updated text domain from login-shield-server-info to fastshield-security to match the approved WordPress.org plugin slug.

1.2.9

• Fixed: Updated “Tested up to” to WordPress 6.9.

1.2.8

• Fixed: Removed duplicate Plugin URI (was identical to Author URI) per WordPress.org submission requirements.

1.2.7

• Renamed plugin to MyFast Login Guard – Login Protection & Server Info to comply with WordPress.org naming guidelines.

1.2.6

• Security: Validate error log tab parameter against known tab whitelist before use in URL output (was sanitize_key only).
• Code quality: Added phpcs ignore with full justification comment for shell_exec inode check — path escaped via escapeshellarg(), output parsed as integers only.

1.2.5

• Fixed: Missing return statements after wp_send_json_error() in AJAX handlers — code after the error response could execute.
• Fixed: Uninstall now also removes the lssi_lockouts option from wp_options (previously only the DB table was dropped).
• Fixed: Removed dead lssi_utilities_page() function — the page was unreachable with no menu entry.
• Fixed: Removed wp-components from script dependencies (only wp-element is actually used).

1.2.4

• Fixed: Removed the Utilities submenu page which was causing 404 errors on some hosts. The AJAX cache clear remains available in Settings. Any bookmarked lssi-utilities URLs now redirect cleanly to Settings.

1.2.3

• Security: Rewrote IP detection to use REMOTE_ADDR as ground truth; CF-Connecting-IP is now only trusted when REMOTE_ADDR is a verified Cloudflare edge IP. X-Forwarded-For and X-Real-IP removed to prevent spoofing.
• Code quality: Moved login-page CSS from inline output to enqueued assets/css/login.css per WordPress coding standards.
• Usability: Added MFLG_DISABLE_LOGIN_SLUG constant as an emergency escape hatch for locked-out administrators.
• Docs: Expanded readme.txt FAQ with lockout recovery instructions and IP detection explanation.

1.2.2

• Mobile: Lockout log table now stacks as labelled cards on small screens.
• Mobile: Custom login slug and lockout email inputs stack full-width on mobile.
• Error log: Tabs moved inside the log card for discoverability on both mobile and desktop.

1.2.1

• Fixed: wp_login_failed hook signature made compatible with WordPress < 5.4.
• Fixed: authenticate filter now only runs on POST submissions, not every page load.
• Added: Attempts-remaining counter shown on the login page after a failed attempt.

1.2.0

• Added brute-force lockout engine: tracks failed attempts per IP, locks out after configurable threshold, sends email notification, auto-expires lockouts.
• Added Unlock and Clear All buttons to Lockout Log page.

1.1.9

• Fixed asset paths, admin menu parent slug, activation hook, and lssi_get() signature.

1.0.0

• Initial release.