Changeset 3435758

Timestamp:

01/09/2026 09:30:04 AM (3 months ago)

Author:

nhrrob

Message:

Update to version 1.0.4 from GitHub

Location:

nhrrob-secure

Files:

• assets/screenshot-3.png (modified) (previous)
• assets/screenshot-4.png (modified) (previous)
• assets/screenshot-5.png (added)
• assets/screenshot-6.png (added)
• tags/1.0.4 (copied) (copied from nhrrob-secure/trunk)
• tags/1.0.4/assets (added)
• tags/1.0.4/assets/src (added)
• tags/1.0.4/assets/src/components (added)
• tags/1.0.4/assets/src/components/CustomLoginPage.js (added)
• tags/1.0.4/assets/src/components/FileProtection.js (added)
• tags/1.0.4/assets/src/components/LoginProtection.js (added)
• tags/1.0.4/assets/src/components/TwoFactorAuth.js (added)
• tags/1.0.4/assets/src/index.js (added)
• tags/1.0.4/assets/src/profile.css (added)
• tags/1.0.4/assets/src/style.css (added)
• tags/1.0.4/build (added)
• tags/1.0.4/build/admin.asset.php (added)
• tags/1.0.4/build/admin.css (added)
• tags/1.0.4/build/admin.js (added)
• tags/1.0.4/build/profile.asset.php (added)
• tags/1.0.4/build/profile.css (added)
• tags/1.0.4/build/profile.js (added)
• tags/1.0.4/includes (added)
• tags/1.0.4/includes/Admin (added)
• tags/1.0.4/includes/Admin.php (added)
• tags/1.0.4/includes/Admin/Api.php (added)
• tags/1.0.4/includes/Admin/Menu.php (added)
• tags/1.0.4/includes/App.php (added)
• tags/1.0.4/includes/Assets.php (added)
• tags/1.0.4/includes/Security.php (added)
• tags/1.0.4/includes/TwoFactor.php (added)
• tags/1.0.4/nhrrob-secure.php (modified) (2 diffs)
• tags/1.0.4/readme.txt (modified) (4 diffs)
• tags/1.0.4/tailwind.config.js (added)
• tags/1.0.4/templates (added)
• tags/1.0.4/templates/login-2fa-form.php (added)
• tags/1.0.4/templates/profile-2fa.php (added)
• trunk/assets (added)
• trunk/assets/src (added)
• trunk/assets/src/components (added)
• trunk/assets/src/components/CustomLoginPage.js (added)
• trunk/assets/src/components/FileProtection.js (added)
• trunk/assets/src/components/LoginProtection.js (added)
• trunk/assets/src/components/TwoFactorAuth.js (added)
• trunk/assets/src/index.js (added)
• trunk/assets/src/profile.css (added)
• trunk/assets/src/style.css (added)
• trunk/build (added)
• trunk/build/admin.asset.php (added)
• trunk/build/admin.css (added)
• trunk/build/admin.js (added)
• trunk/build/profile.asset.php (added)
• trunk/build/profile.css (added)
• trunk/build/profile.js (added)
• trunk/includes (added)
• trunk/includes/Admin (added)
• trunk/includes/Admin.php (added)
• trunk/includes/Admin/Api.php (added)
• trunk/includes/Admin/Menu.php (added)
• trunk/includes/App.php (added)
• trunk/includes/Assets.php (added)
• trunk/includes/Security.php (added)
• trunk/includes/TwoFactor.php (added)
• trunk/nhrrob-secure.php (modified) (2 diffs)
• trunk/readme.txt (modified) (4 diffs)
• trunk/tailwind.config.js (added)
• trunk/templates (added)
• trunk/templates/login-2fa-form.php (added)
• trunk/templates/profile-2fa.php (added)

nhrrob-secure/tags/1.0.4/nhrrob-secure.php

@@ -1 +1 @@
 <?php
 /**
- * Plugin Name: NHR Secure | Protect Admin, Debug Logs & Limit Logins
+ * Plugin Name: NHR Secure – Hide Admin, Limit Login & 2FA
  * Plugin URI: http://wordpress.org/plugins/nhrrob-secure/
  * Description: Lightweight WordPress security plugin that protects your admin area, hides debug logs, and limits login attempts. Minimal code, maximum protection.
  * Author: Nazmul Hasan Robin
  * Author URI: https://profiles.wordpress.org/nhrrob/
- * Version: 1.0.3
+ * Version: 1.0.4
  * Requires at least: 6.0
  * Requires PHP: 7.4
@@ -16 +16 @@
 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
-define( 'NHRROB_SECURE_VERSION', '1.0.3' );
-define( 'NHRROB_SECURE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
+// Load Composer autoloader
+require_once __DIR__ . '/vendor/autoload.php';
 
 /**
- * Feature List
- * 1. Limit Login Attempts
- * 2. Custom Login Page (/hidden-access-52w instead of /wp-login.php)
- * 3. Protect Sensitive Files (debug.log)
+ * The main plugin class
  */
+final class NHRRob_Secure {
 
- /**
- * ============================
- * Helper: Get client IP
- * ============================
- *
- * - Default: uses REMOTE_ADDR
- * - Enable proxy detection:
- *   add_filter( 'nhrrob_secure_enable_proxy_ip', '__return_true' );
- */
-function nhrrob_secure_get_ip() {
-    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
+    /**
+     * Plugin version
+     *
+     * @var string
+     */
+    const version = '1.0.4';
 
-    $enable_proxy = apply_filters( 'nhrrob_secure_enable_proxy_ip', false );
+    /**
+     * Class constructor
+     */
+    private function __construct() {
+        $this->define_constants();
 
-    if ( $enable_proxy ) {
-        if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
-            $ip = sanitize_text_field( wp_unslash( $_SERVER['HTTP_CF_CONNECTING_IP'] ) );
-        } elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
-            $parts = explode( ',', sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
-            $ip = sanitize_text_field( trim( $parts[0] ) );
+        add_action( 'plugins_loaded', [ $this, 'init_plugin' ] );
+    }
+
+    /**
+     * Initialize a singleton instance
+     *
+     * @return \NHRRob_Secure
+     */
+    public static function init() {
+        static $instance = false;
+
+        if ( ! $instance ) {
+            $instance = new self();
+        }
+
+        return $instance;
+    }
+
+    /**
+     * Define the required plugin constants
+     *
+     * @return void
+     */
+    public function define_constants() {
+        define( 'NHRROB_SECURE_VERSION', self::version );
+        define( 'NHRROB_SECURE_FILE', __FILE__ );
+        define( 'NHRROB_SECURE_PATH', __DIR__ );
+        define( 'NHRROB_SECURE_PLUGIN_DIR', plugin_dir_path( NHRROB_SECURE_FILE ) );
+        define( 'NHRROB_SECURE_URL', plugins_url( '', NHRROB_SECURE_FILE ) );
+        define( 'NHRROB_SECURE_ASSETS', NHRROB_SECURE_URL . '/assets' );
+    }
+
+    /**
+     * Initialize the plugin
+     *
+     * @return void
+     */
+    public function init_plugin() {
+        
+        // Initialize security features
+        new \NHRRob\Secure\Security();
+
+        // Initialize 2FA features
+        new \NHRRob\Secure\TwoFactor();
+
+        // Initialize assets
+        new \NHRRob\Secure\Assets();
+
+        // Initialize REST API
+        new \NHRRob\Secure\Admin\Api();
+
+        // Initialize admin menu
+        if ( is_admin() ) {
+            new \NHRRob\Secure\Admin();
         }
     }
-
-    return apply_filters( 'nhrrob_secure_get_ip', $ip );
 }
 
+
 /**
- * ============================
- * Helper: Get limit login failed and block transients
- * ============================
+ * Initializes the main plugin
  *
- * @param string $username The username of the user.
- * @return array The array contains the failed_key, block_key, failed_value, and block_value.
+ * @return \NHRRob_Secure
  */
-function nhrrob_secure_get_limit_login_transients( $username ) {
-    $ip = nhrrob_secure_get_ip();
-    $username_clean = is_string( $username ) ? strtolower( sanitize_user( $username, true ) ) : 'unknown';
-    $md5 = md5( $ip . '|' . $username_clean );
-
-    $failed_key = 'nhrrob_secure_failed_' . $md5;
-    $failed_value = (int) get_transient( $failed_key );
-    $block_key = 'nhrrob_secure_block_' . $md5;
-    $block_value = get_transient( $block_key );
-    
-    return [ 
-        'failed_key' => $failed_key, 
-        'block_key' => $block_key, 
-        'failed_value' => $failed_value, 
-        'block_value' => $block_value,
-    ];
+function nhrrob_secure() {
+    return NHRRob_Secure::init();
 }
 
-/**
- * ============================
- * Helper: Render 404 Page
- * ============================
- */
-function nhrrob_secure_render_404() {
-    wp_safe_redirect( home_url( '404' ) );
-    exit;
-}
-
-/**
- * ============================================================
- * 1. LIMIT LOGIN ATTEMPTS (IP + Username)
- * ============================================================
- *
- * Tracks failed login attempts and blocks IP addresses that exceed the limit.
- *
- * Usage:
- * - Change the maximum allowed login attempts:
- *   add_filter( 'nhrrob_secure_login_attempts_limit', fn() => 10 );
- * - Turn off the feature:
- *   add_filter( 'nhrrob_secure_limit_login_attempts', fn() => false );
- */
-function nhrrob_secure_limit_login_attempts_init() {
-    if ( ! apply_filters( 'nhrrob_secure_limit_login_attempts', true ) ) {
-        return;
-    }
-
-    add_action( 'wp_login_failed', function( $username ) {
-        $transients = nhrrob_secure_get_limit_login_transients( $username );
-        $failed_value = (int) $transients['failed_value'] + 1;
-
-        set_transient( $transients['failed_key'], $failed_value, HOUR_IN_SECONDS );
-
-        $limit = (int) apply_filters( 'nhrrob_secure_login_attempts_limit', 5 );
-
-        if ( $failed_value >= $limit ) {
-            set_transient( $transients['block_key'], true, 2 * HOUR_IN_SECONDS );
-        }
-    });
-
-    add_action( 'wp_login', function( $user_login ) {
-        $transients = nhrrob_secure_get_limit_login_transients( $user_login );
-        delete_transient( $transients['failed_key'] );
-        delete_transient( $transients['block_key'] );
-    });
-
-    add_filter( 'authenticate', function( $user, $username = null, $password = null ) {
-        $username_clean = is_string( $username ) ? strtolower( sanitize_user( $username, true ) ) : '';
-        if ( empty( $username_clean ) ) {
-            return $user;
-        }
-
-        $transients = nhrrob_secure_get_limit_login_transients( $username_clean );
-
-        if ( $transients['block_value'] ) {
-            return new WP_Error(
-                'nhrrob_secure_blocked',
-                __( 'Too many failed login attempts for this account from your IP. Try again later.', 'nhrrob-secure' )
-            );
-        }
-
-        return $user;
-    }, 30, 3 );
-}
-
-add_action( 'init', 'nhrrob_secure_limit_login_attempts_init' );
-
-/**
- * ============================================================
- * 2. CUSTOM LOGIN PAGE
- * ============================================================
- *
- * Changes default login URL from /wp-login.php to /hidden-access-52w
- *
- * Usage:
- * - Change the custom login URL:
- *   add_filter( 'nhrrob_secure_custom_login_url', fn() => '/my-custom-login' );
- * - Turn off the feature:
- *   add_filter( 'nhrrob_secure_custom_login_page', '__return_false' );
- */
-function nhrrob_secure_custom_login_page_init() {
-    if ( ! apply_filters( 'nhrrob_secure_custom_login_page', true ) ) {
-        return;
-    }
-
-    // Block direct access to wp-login.php
-    $script_name = isset( $_SERVER['SCRIPT_NAME'] ) ? sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_NAME'] ) ) : '';
-    if ( strpos( $script_name, '/wp-login.php' ) !== false ) {
-        nhrrob_secure_render_404();
-    }
-    
-    // Block direct access to wp-admin for guests
-    add_action( 'init', function() {
-        $script_name = isset( $_SERVER['SCRIPT_NAME'] ) ? sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_NAME'] ) ) : '';
-        
-        if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && ! defined( 'DOING_CRON' ) ) {
-             // Allow admin-post.php for frontend form submissions
-             if ( strpos( $script_name, 'admin-post.php' ) === false ) {
-                 nhrrob_secure_render_404();
-             }
-        }
-    });
-
-    // Handle custom login URL (use template_redirect for proper WordPress context)
-    add_action( 'template_redirect', function() {
-        $custom_login_url = apply_filters( 'nhrrob_secure_custom_login_url', '/hidden-access-52w' );
-        $custom_login_url = trim( $custom_login_url, '/' );
-        $custom_login_url = '/' . ltrim( $custom_login_url, '/' );
-
-        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
-        $parsed_url = wp_parse_url( $request_uri );
-        $path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '';
-
-        // Normalize path (remove trailing slash for comparison)
-        $path_normalized = rtrim( $path, '/' );
-        $custom_login_url_normalized = rtrim( $custom_login_url, '/' );
-
-        // Check if request is for custom login URL
-        if ( $path_normalized === $custom_login_url_normalized || $path === $custom_login_url || $path === $custom_login_url . '/' ) {
-            // Preserve query string
-            $query_string = isset( $parsed_url['query'] ) ? '?' . $parsed_url['query'] : '';
-            
-            // Temporarily modify REQUEST_URI to load wp-login.php
-            $_SERVER['REQUEST_URI'] = '/wp-login.php' . $query_string;
-            
-            // Bring globals into scope for wp-login.php
-            global $error, $interim_login, $action, $wp_error, $user_login;
-            
-            // Override 404 status (since WP thinks this slug doesn't exist)
-            if ( function_exists( 'status_header' ) ) {
-                status_header( 200 );
-            }
-            if ( function_exists( 'nocache_headers' ) ) {
-                nocache_headers();
-            }
-
-
-            
-            // Load WordPress login
-            require_once( ABSPATH . 'wp-login.php' );
-            
-
-            
-            exit;
-        }
-    }, 1 );
-
-    // Rewrite wp-login.php URLs to custom login URL
-    add_filter( 'site_url', function( $url, $path, $scheme ) {
-        if ( strpos( $url, 'wp-login.php' ) !== false ) {
-            $custom_login_url = apply_filters( 'nhrrob_secure_custom_login_url', '/hidden-access-52w' );
-            $custom_login_url = trim( $custom_login_url, '/' ); 
-            $url = str_replace( 'wp-login.php', $custom_login_url, $url );
-            $url = str_replace( '//' . $custom_login_url, '/' . $custom_login_url, $url ); // fix potential double slash if any
-        }
-        return $url;
-    }, 10, 3 );
-}
-
-add_action( 'init', 'nhrrob_secure_custom_login_page_init', 0 );
-
-/**
- * ============================================================
- * 3. PROTECT DEBUG LOG FILE
- * ============================================================
- *
- * Blocks direct access to /wp-content/debug.log
- * Shows 403 Forbidden for all users
- *
- * Usage:
- * - Turn off the feature:
- *   add_filter( 'nhrrob_secure_protect_debug_log', '__return_false' );
- */
-function nhrrob_secure_protect_debug_log_init() {
-    if ( ! apply_filters( 'nhrrob_secure_protect_debug_log', true ) ) {
-        return;
-    }
-
-    // Check early to catch direct file access
-    add_action( 'plugins_loaded', function() {
-        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
-        $parsed_url = wp_parse_url( $request_uri );
-        $path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '';
-
-        // Check if request is for debug.log in wp-content directory
-        if ( strpos( $path, '/wp-content/debug.log' ) !== false || 
-             ( strpos( $path, 'debug.log' ) !== false && strpos( $path, 'wp-content' ) !== false ) ) {
-            if ( function_exists( 'status_header' ) ) {
-                status_header( 403 );
-            } else {
-                http_response_code( 403 );
-            }
-            if ( function_exists( 'nocache_headers' ) ) {
-                nocache_headers();
-            }
-            header( 'Content-Type: text/html; charset=utf-8' );
-            die( '403 Forbidden' );
-        }
-    }, 1 );
-
-    // Also check in template_redirect as backup
-    add_action( 'template_redirect', function() {
-        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
-        $parsed_url = wp_parse_url( $request_uri );
-        $path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '';
-
-        // Check if request is for debug.log in wp-content directory
-        if ( strpos( $path, '/wp-content/debug.log' ) !== false || 
-             ( strpos( $path, 'debug.log' ) !== false && strpos( $path, 'wp-content' ) !== false ) ) {
-            status_header( 403 );
-            nocache_headers();
-            header( 'Content-Type: text/html; charset=utf-8' );
-            die( '403 Forbidden' );
-        }
-    }, 1 );
-}
-
-add_action( 'init', 'nhrrob_secure_protect_debug_log_init', 0 );
-
-/**
- * Enable/Disable Features
- * Example usages are shown below
- */
-
-// Turn off limit login attempts
-// add_filter( 'nhrrob_secure_limit_login_attempts', '__return_false' );
-
-// Turn off custom login page
-// add_filter( 'nhrrob_secure_custom_login_page', '__return_false' );
-
-// Turn off debug log protection
-// add_filter( 'nhrrob_secure_protect_debug_log', '__return_false' );
+// Call the plugin
+nhrrob_secure();

nhrrob-secure/tags/1.0.4/readme.txt

@@ -1 @@
-=== NHR Secure | Protect Admin, Debug Logs & Limit Logins ===
+=== NHR Secure – Hide Admin, Limit Login & 2FA ===
 Contributors: nhrrob
-Tags: security, admin, login, debug, protection
+Tags: security, hide admin, login protection, debug log, 2fa
 Requires at least: 6.0
 Tested up to: 6.9
 Requires PHP: 7.4
-Stable tag: 1.0.3
+Stable tag: 1.0.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
-A lightweight WordPress security plugin that protects your admin area, hides debug logs, and limits login attempts.
-
+A lightweight WordPress security plugin to protect your admin area with a custom login URL, hide debug logs, limit login attempts, and add 2FA.
 == Description ==
 
@@ -18 +17 @@
 - Limit login attempts to prevent brute-force attacks.
 - Hide debug logs to prevent sensitive information disclosure.
+- Add 2FA to your WordPress site.
 
 **Features at a glance:**
 
-### ⚡ Limit Login Attempts
+### 🔒 Limit Login Attempts
 Stop brute-force attacks by temporarily blocking IPs after repeated failed login attempts.
+- Configurable attempt limit (1-20, default: 5)
+- Blocks based on IP + Username combination
+- Auto-unblock after 2 hours
 
-### 🌟 Lightweight & Minimal
-Designed to deliver maximum security with minimal code. No complex settings or configuration needed.
+### 🔐 Custom Login Page
+Hide wp-login.php and use a custom login URL.
+- Default custom URL: `/hidden-access-52w`
+- Blocks direct access to wp-login.php and wp-admin for guests
 
-### 💬 Simple & Effective
-Install, activate, and your site is protected instantly.
+### 🛡️ Protect Debug Log File
+Blocks direct access to `/wp-content/debug.log`
+- Returns 403 Forbidden for all users
+
+### ⚙️ Modern Settings Page
+Configure everything from a beautiful React-powered interface.
+- Located under **Tools → NHR Secure**
+- Enable/disable each feature
+
+### 🔐 Two-Factor Authentication (2FA)
+Enable two-factor authentication for users.
+- QR code is generated and displayed on the user profile page
+- User must enter the code from their 2FA app to login
+
+### ⚡ Lightweight & Minimal
+Designed to deliver maximum security with minimal code. No bloat, no complexity.
+- Compatible with most WordPress themes and plugins.
 
 == Installation ==
@@ -34 +54 @@
 1. Upload the `nhrrob-secure` plugin folder to your `/wp-content/plugins/` directory.
 2. Activate the plugin through the 'Plugins' menu in WordPress.
-3. Protection starts automatically — no configuration required.
-
+3. Navigate to **Tools → NHR Secure** to configure settings.
 
 == Frequently Asked Questions ==
 
+= How do I access the settings page? =
+Navigate to **Tools → NHR Secure** in your WordPress admin dashboard.
+
 = Does it limit login attempts? =
-Yes. Repeated failed login attempts from the same IP will be temporarily blocked to prevent brute-force attacks.
+Yes. Repeated failed login attempts from the same IP will be temporarily blocked to prevent brute-force attacks. You can configure the limit (1-20 attempts) from the settings page.
 
-= Do I need other plugins? =
-No. NHR Secure is standalone and works independently.
+= What is the default custom login URL? =
+The default custom login URL is `/hidden-access-52w`. You can change this in the settings page under Tools → NHR Secure.
 
-= Will it affect my site performance? =
-No. NHR Secure is lightweight and designed to have minimal impact on your WordPress performance.
+= How does 2FA work? =
+2FA (Two-Factor Authentication) adds an extra layer of security to your WordPress site. When enabled, users must enter a code from their 2FA app (e.g., Google Authenticator, Authy) in addition to their username and password to log in.
 
+= Can I disable specific features? =
+Yes. You can enable or disable each feature from the settings page under Tools → NHR Secure.
 
 == Screenshots ==
@@ -53 +77 @@
 1. Failed login attempts are blocked.
 2. Custom login page.
-3. /wp-login.php or /wp-admin goes to 404.
-4. Debug log is hidden.
+3. Debug log is hidden.
+4. Modern React-powered settings page.
+5. Modern React-powered settings page - part 2.
+6. 2FA setup in user profile.
 
 
 == Changelog ==
+
+= 1.0.4 - 09/01/2026 =
+- Added: Modern React-powered settings page under Tools → NHR Secure
+- Added: Enable/disable all features from admin interface
+- Added: Configurable login attempts limit (1-20)
+- Added: Customizable login page URL from settings
+- Added: Two-factor authentication (2FA) feature
 
 = 1.0.3 - 05/01/2026 =

nhrrob-secure/trunk/nhrrob-secure.php

@@ -1 +1 @@
 <?php
 /**
- * Plugin Name: NHR Secure | Protect Admin, Debug Logs & Limit Logins
+ * Plugin Name: NHR Secure – Hide Admin, Limit Login & 2FA
  * Plugin URI: http://wordpress.org/plugins/nhrrob-secure/
  * Description: Lightweight WordPress security plugin that protects your admin area, hides debug logs, and limits login attempts. Minimal code, maximum protection.
  * Author: Nazmul Hasan Robin
  * Author URI: https://profiles.wordpress.org/nhrrob/
- * Version: 1.0.3
+ * Version: 1.0.4
  * Requires at least: 6.0
  * Requires PHP: 7.4
@@ -16 +16 @@
 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
-define( 'NHRROB_SECURE_VERSION', '1.0.3' );
-define( 'NHRROB_SECURE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
+// Load Composer autoloader
+require_once __DIR__ . '/vendor/autoload.php';
 
 /**
- * Feature List
- * 1. Limit Login Attempts
- * 2. Custom Login Page (/hidden-access-52w instead of /wp-login.php)
- * 3. Protect Sensitive Files (debug.log)
+ * The main plugin class
  */
+final class NHRRob_Secure {
 
- /**
- * ============================
- * Helper: Get client IP
- * ============================
- *
- * - Default: uses REMOTE_ADDR
- * - Enable proxy detection:
- *   add_filter( 'nhrrob_secure_enable_proxy_ip', '__return_true' );
- */
-function nhrrob_secure_get_ip() {
-    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
+    /**
+     * Plugin version
+     *
+     * @var string
+     */
+    const version = '1.0.4';
 
-    $enable_proxy = apply_filters( 'nhrrob_secure_enable_proxy_ip', false );
+    /**
+     * Class constructor
+     */
+    private function __construct() {
+        $this->define_constants();
 
-    if ( $enable_proxy ) {
-        if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
-            $ip = sanitize_text_field( wp_unslash( $_SERVER['HTTP_CF_CONNECTING_IP'] ) );
-        } elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
-            $parts = explode( ',', sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
-            $ip = sanitize_text_field( trim( $parts[0] ) );
+        add_action( 'plugins_loaded', [ $this, 'init_plugin' ] );
+    }
+
+    /**
+     * Initialize a singleton instance
+     *
+     * @return \NHRRob_Secure
+     */
+    public static function init() {
+        static $instance = false;
+
+        if ( ! $instance ) {
+            $instance = new self();
+        }
+
+        return $instance;
+    }
+
+    /**
+     * Define the required plugin constants
+     *
+     * @return void
+     */
+    public function define_constants() {
+        define( 'NHRROB_SECURE_VERSION', self::version );
+        define( 'NHRROB_SECURE_FILE', __FILE__ );
+        define( 'NHRROB_SECURE_PATH', __DIR__ );
+        define( 'NHRROB_SECURE_PLUGIN_DIR', plugin_dir_path( NHRROB_SECURE_FILE ) );
+        define( 'NHRROB_SECURE_URL', plugins_url( '', NHRROB_SECURE_FILE ) );
+        define( 'NHRROB_SECURE_ASSETS', NHRROB_SECURE_URL . '/assets' );
+    }
+
+    /**
+     * Initialize the plugin
+     *
+     * @return void
+     */
+    public function init_plugin() {
+        
+        // Initialize security features
+        new \NHRRob\Secure\Security();
+
+        // Initialize 2FA features
+        new \NHRRob\Secure\TwoFactor();
+
+        // Initialize assets
+        new \NHRRob\Secure\Assets();
+
+        // Initialize REST API
+        new \NHRRob\Secure\Admin\Api();
+
+        // Initialize admin menu
+        if ( is_admin() ) {
+            new \NHRRob\Secure\Admin();
         }
     }
-
-    return apply_filters( 'nhrrob_secure_get_ip', $ip );
 }
 
+
 /**
- * ============================
- * Helper: Get limit login failed and block transients
- * ============================
+ * Initializes the main plugin
  *
- * @param string $username The username of the user.
- * @return array The array contains the failed_key, block_key, failed_value, and block_value.
+ * @return \NHRRob_Secure
  */
-function nhrrob_secure_get_limit_login_transients( $username ) {
-    $ip = nhrrob_secure_get_ip();
-    $username_clean = is_string( $username ) ? strtolower( sanitize_user( $username, true ) ) : 'unknown';
-    $md5 = md5( $ip . '|' . $username_clean );
-
-    $failed_key = 'nhrrob_secure_failed_' . $md5;
-    $failed_value = (int) get_transient( $failed_key );
-    $block_key = 'nhrrob_secure_block_' . $md5;
-    $block_value = get_transient( $block_key );
-    
-    return [ 
-        'failed_key' => $failed_key, 
-        'block_key' => $block_key, 
-        'failed_value' => $failed_value, 
-        'block_value' => $block_value,
-    ];
+function nhrrob_secure() {
+    return NHRRob_Secure::init();
 }
 
-/**
- * ============================
- * Helper: Render 404 Page
- * ============================
- */
-function nhrrob_secure_render_404() {
-    wp_safe_redirect( home_url( '404' ) );
-    exit;
-}
-
-/**
- * ============================================================
- * 1. LIMIT LOGIN ATTEMPTS (IP + Username)
- * ============================================================
- *
- * Tracks failed login attempts and blocks IP addresses that exceed the limit.
- *
- * Usage:
- * - Change the maximum allowed login attempts:
- *   add_filter( 'nhrrob_secure_login_attempts_limit', fn() => 10 );
- * - Turn off the feature:
- *   add_filter( 'nhrrob_secure_limit_login_attempts', fn() => false );
- */
-function nhrrob_secure_limit_login_attempts_init() {
-    if ( ! apply_filters( 'nhrrob_secure_limit_login_attempts', true ) ) {
-        return;
-    }
-
-    add_action( 'wp_login_failed', function( $username ) {
-        $transients = nhrrob_secure_get_limit_login_transients( $username );
-        $failed_value = (int) $transients['failed_value'] + 1;
-
-        set_transient( $transients['failed_key'], $failed_value, HOUR_IN_SECONDS );
-
-        $limit = (int) apply_filters( 'nhrrob_secure_login_attempts_limit', 5 );
-
-        if ( $failed_value >= $limit ) {
-            set_transient( $transients['block_key'], true, 2 * HOUR_IN_SECONDS );
-        }
-    });
-
-    add_action( 'wp_login', function( $user_login ) {
-        $transients = nhrrob_secure_get_limit_login_transients( $user_login );
-        delete_transient( $transients['failed_key'] );
-        delete_transient( $transients['block_key'] );
-    });
-
-    add_filter( 'authenticate', function( $user, $username = null, $password = null ) {
-        $username_clean = is_string( $username ) ? strtolower( sanitize_user( $username, true ) ) : '';
-        if ( empty( $username_clean ) ) {
-            return $user;
-        }
-
-        $transients = nhrrob_secure_get_limit_login_transients( $username_clean );
-
-        if ( $transients['block_value'] ) {
-            return new WP_Error(
-                'nhrrob_secure_blocked',
-                __( 'Too many failed login attempts for this account from your IP. Try again later.', 'nhrrob-secure' )
-            );
-        }
-
-        return $user;
-    }, 30, 3 );
-}
-
-add_action( 'init', 'nhrrob_secure_limit_login_attempts_init' );
-
-/**
- * ============================================================
- * 2. CUSTOM LOGIN PAGE
- * ============================================================
- *
- * Changes default login URL from /wp-login.php to /hidden-access-52w
- *
- * Usage:
- * - Change the custom login URL:
- *   add_filter( 'nhrrob_secure_custom_login_url', fn() => '/my-custom-login' );
- * - Turn off the feature:
- *   add_filter( 'nhrrob_secure_custom_login_page', '__return_false' );
- */
-function nhrrob_secure_custom_login_page_init() {
-    if ( ! apply_filters( 'nhrrob_secure_custom_login_page', true ) ) {
-        return;
-    }
-
-    // Block direct access to wp-login.php
-    $script_name = isset( $_SERVER['SCRIPT_NAME'] ) ? sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_NAME'] ) ) : '';
-    if ( strpos( $script_name, '/wp-login.php' ) !== false ) {
-        nhrrob_secure_render_404();
-    }
-    
-    // Block direct access to wp-admin for guests
-    add_action( 'init', function() {
-        $script_name = isset( $_SERVER['SCRIPT_NAME'] ) ? sanitize_text_field( wp_unslash( $_SERVER['SCRIPT_NAME'] ) ) : '';
-        
-        if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && ! defined( 'DOING_CRON' ) ) {
-             // Allow admin-post.php for frontend form submissions
-             if ( strpos( $script_name, 'admin-post.php' ) === false ) {
-                 nhrrob_secure_render_404();
-             }
-        }
-    });
-
-    // Handle custom login URL (use template_redirect for proper WordPress context)
-    add_action( 'template_redirect', function() {
-        $custom_login_url = apply_filters( 'nhrrob_secure_custom_login_url', '/hidden-access-52w' );
-        $custom_login_url = trim( $custom_login_url, '/' );
-        $custom_login_url = '/' . ltrim( $custom_login_url, '/' );
-
-        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
-        $parsed_url = wp_parse_url( $request_uri );
-        $path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '';
-
-        // Normalize path (remove trailing slash for comparison)
-        $path_normalized = rtrim( $path, '/' );
-        $custom_login_url_normalized = rtrim( $custom_login_url, '/' );
-
-        // Check if request is for custom login URL
-        if ( $path_normalized === $custom_login_url_normalized || $path === $custom_login_url || $path === $custom_login_url . '/' ) {
-            // Preserve query string
-            $query_string = isset( $parsed_url['query'] ) ? '?' . $parsed_url['query'] : '';
-            
-            // Temporarily modify REQUEST_URI to load wp-login.php
-            $_SERVER['REQUEST_URI'] = '/wp-login.php' . $query_string;
-            
-            // Bring globals into scope for wp-login.php
-            global $error, $interim_login, $action, $wp_error, $user_login;
-            
-            // Override 404 status (since WP thinks this slug doesn't exist)
-            if ( function_exists( 'status_header' ) ) {
-                status_header( 200 );
-            }
-            if ( function_exists( 'nocache_headers' ) ) {
-                nocache_headers();
-            }
-
-
-            
-            // Load WordPress login
-            require_once( ABSPATH . 'wp-login.php' );
-            
-
-            
-            exit;
-        }
-    }, 1 );
-
-    // Rewrite wp-login.php URLs to custom login URL
-    add_filter( 'site_url', function( $url, $path, $scheme ) {
-        if ( strpos( $url, 'wp-login.php' ) !== false ) {
-            $custom_login_url = apply_filters( 'nhrrob_secure_custom_login_url', '/hidden-access-52w' );
-            $custom_login_url = trim( $custom_login_url, '/' ); 
-            $url = str_replace( 'wp-login.php', $custom_login_url, $url );
-            $url = str_replace( '//' . $custom_login_url, '/' . $custom_login_url, $url ); // fix potential double slash if any
-        }
-        return $url;
-    }, 10, 3 );
-}
-
-add_action( 'init', 'nhrrob_secure_custom_login_page_init', 0 );
-
-/**
- * ============================================================
- * 3. PROTECT DEBUG LOG FILE
- * ============================================================
- *
- * Blocks direct access to /wp-content/debug.log
- * Shows 403 Forbidden for all users
- *
- * Usage:
- * - Turn off the feature:
- *   add_filter( 'nhrrob_secure_protect_debug_log', '__return_false' );
- */
-function nhrrob_secure_protect_debug_log_init() {
-    if ( ! apply_filters( 'nhrrob_secure_protect_debug_log', true ) ) {
-        return;
-    }
-
-    // Check early to catch direct file access
-    add_action( 'plugins_loaded', function() {
-        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
-        $parsed_url = wp_parse_url( $request_uri );
-        $path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '';
-
-        // Check if request is for debug.log in wp-content directory
-        if ( strpos( $path, '/wp-content/debug.log' ) !== false || 
-             ( strpos( $path, 'debug.log' ) !== false && strpos( $path, 'wp-content' ) !== false ) ) {
-            if ( function_exists( 'status_header' ) ) {
-                status_header( 403 );
-            } else {
-                http_response_code( 403 );
-            }
-            if ( function_exists( 'nocache_headers' ) ) {
-                nocache_headers();
-            }
-            header( 'Content-Type: text/html; charset=utf-8' );
-            die( '403 Forbidden' );
-        }
-    }, 1 );
-
-    // Also check in template_redirect as backup
-    add_action( 'template_redirect', function() {
-        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
-        $parsed_url = wp_parse_url( $request_uri );
-        $path = isset( $parsed_url['path'] ) ? $parsed_url['path'] : '';
-
-        // Check if request is for debug.log in wp-content directory
-        if ( strpos( $path, '/wp-content/debug.log' ) !== false || 
-             ( strpos( $path, 'debug.log' ) !== false && strpos( $path, 'wp-content' ) !== false ) ) {
-            status_header( 403 );
-            nocache_headers();
-            header( 'Content-Type: text/html; charset=utf-8' );
-            die( '403 Forbidden' );
-        }
-    }, 1 );
-}
-
-add_action( 'init', 'nhrrob_secure_protect_debug_log_init', 0 );
-
-/**
- * Enable/Disable Features
- * Example usages are shown below
- */
-
-// Turn off limit login attempts
-// add_filter( 'nhrrob_secure_limit_login_attempts', '__return_false' );
-
-// Turn off custom login page
-// add_filter( 'nhrrob_secure_custom_login_page', '__return_false' );
-
-// Turn off debug log protection
-// add_filter( 'nhrrob_secure_protect_debug_log', '__return_false' );
+// Call the plugin
+nhrrob_secure();

nhrrob-secure/trunk/readme.txt

@@ -1 @@
-=== NHR Secure | Protect Admin, Debug Logs & Limit Logins ===
+=== NHR Secure – Hide Admin, Limit Login & 2FA ===
 Contributors: nhrrob
-Tags: security, admin, login, debug, protection
+Tags: security, hide admin, login protection, debug log, 2fa
 Requires at least: 6.0
 Tested up to: 6.9
 Requires PHP: 7.4
-Stable tag: 1.0.3
+Stable tag: 1.0.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
-A lightweight WordPress security plugin that protects your admin area, hides debug logs, and limits login attempts.
-
+A lightweight WordPress security plugin to protect your admin area with a custom login URL, hide debug logs, limit login attempts, and add 2FA.
 == Description ==
 
@@ -18 +17 @@
 - Limit login attempts to prevent brute-force attacks.
 - Hide debug logs to prevent sensitive information disclosure.
+- Add 2FA to your WordPress site.
 
 **Features at a glance:**
 
-### ⚡ Limit Login Attempts
+### 🔒 Limit Login Attempts
 Stop brute-force attacks by temporarily blocking IPs after repeated failed login attempts.
+- Configurable attempt limit (1-20, default: 5)
+- Blocks based on IP + Username combination
+- Auto-unblock after 2 hours
 
-### 🌟 Lightweight & Minimal
-Designed to deliver maximum security with minimal code. No complex settings or configuration needed.
+### 🔐 Custom Login Page
+Hide wp-login.php and use a custom login URL.
+- Default custom URL: `/hidden-access-52w`
+- Blocks direct access to wp-login.php and wp-admin for guests
 
-### 💬 Simple & Effective
-Install, activate, and your site is protected instantly.
+### 🛡️ Protect Debug Log File
+Blocks direct access to `/wp-content/debug.log`
+- Returns 403 Forbidden for all users
+
+### ⚙️ Modern Settings Page
+Configure everything from a beautiful React-powered interface.
+- Located under **Tools → NHR Secure**
+- Enable/disable each feature
+
+### 🔐 Two-Factor Authentication (2FA)
+Enable two-factor authentication for users.
+- QR code is generated and displayed on the user profile page
+- User must enter the code from their 2FA app to login
+
+### ⚡ Lightweight & Minimal
+Designed to deliver maximum security with minimal code. No bloat, no complexity.
+- Compatible with most WordPress themes and plugins.
 
 == Installation ==
@@ -34 +54 @@
 1. Upload the `nhrrob-secure` plugin folder to your `/wp-content/plugins/` directory.
 2. Activate the plugin through the 'Plugins' menu in WordPress.
-3. Protection starts automatically — no configuration required.
-
+3. Navigate to **Tools → NHR Secure** to configure settings.
 
 == Frequently Asked Questions ==
 
+= How do I access the settings page? =
+Navigate to **Tools → NHR Secure** in your WordPress admin dashboard.
+
 = Does it limit login attempts? =
-Yes. Repeated failed login attempts from the same IP will be temporarily blocked to prevent brute-force attacks.
+Yes. Repeated failed login attempts from the same IP will be temporarily blocked to prevent brute-force attacks. You can configure the limit (1-20 attempts) from the settings page.
 
-= Do I need other plugins? =
-No. NHR Secure is standalone and works independently.
+= What is the default custom login URL? =
+The default custom login URL is `/hidden-access-52w`. You can change this in the settings page under Tools → NHR Secure.
 
-= Will it affect my site performance? =
-No. NHR Secure is lightweight and designed to have minimal impact on your WordPress performance.
+= How does 2FA work? =
+2FA (Two-Factor Authentication) adds an extra layer of security to your WordPress site. When enabled, users must enter a code from their 2FA app (e.g., Google Authenticator, Authy) in addition to their username and password to log in.
 
+= Can I disable specific features? =
+Yes. You can enable or disable each feature from the settings page under Tools → NHR Secure.
 
 == Screenshots ==
@@ -53 +77 @@
 1. Failed login attempts are blocked.
 2. Custom login page.
-3. /wp-login.php or /wp-admin goes to 404.
-4. Debug log is hidden.
+3. Debug log is hidden.
+4. Modern React-powered settings page.
+5. Modern React-powered settings page - part 2.
+6. 2FA setup in user profile.
 
 
 == Changelog ==
+
+= 1.0.4 - 09/01/2026 =
+- Added: Modern React-powered settings page under Tools → NHR Secure
+- Added: Enable/disable all features from admin interface
+- Added: Configurable login attempts limit (1-20)
+- Added: Customizable login page URL from settings
+- Added: Two-factor authentication (2FA) feature
 
 = 1.0.3 - 05/01/2026 =