Title: Sitevorx
Author: iNET
Published: 29 April 2026
Last modified: 15 May 2026

---


![](https://ps.w.org/sitevorx/assets/icon-256x256.png?rev=3517991)

# Sitevorx

 By [iNET](https://profiles.wordpress.org/inetcorp/)

[Download](https://downloads.wordpress.org/plugin/sitevorx.1.1.0.zip)


## Description

**Sitevorx** is a lightweight, all-in-one WordPress plugin that helps you optimize
performance, harden security, and manage your website from a single, modern dashboard.
No bloat, no external dependencies — just the tools you need.

#### Security Center (NEW in 1.1.0)

 * **Security Score Dashboard**: A single 0–100 score that summarizes the hardening
   state of your site, with prioritized recommendations.
 * **Core Integrity Checker**: Compares every WordPress core file against the official
   `api.wordpress.org` MD5 checksums to detect modified, missing, or extra files.
 * **HTTP Security Headers**: One-click enable `X-Content-Type-Options`, `X-Frame-Options`,
   `Referrer-Policy`, and `Permissions-Policy` on the frontend.
 * **Login Honeypot**: Invisible bait field on `wp-login.php` that silently rejects
   spam bots without affecting real users.
 * **User Enumeration Protection**: Blocks `?author=N` probing and the public REST
   `/wp/v2/users` endpoint for non-logged-in visitors.
 * **Login Notification**: Emails the administrator whenever an account with `manage_options`
   logs in successfully (1-hour cooldown per IP).
 * **Login Attempt Limiter**: Lock out IPs after repeated failed login attempts,
   with configurable threshold, lockout duration, and IP allowlist.
 * **Secret Login URL**: Hide the default `wp-login.php` behind a custom keyword.
 * **Google reCAPTCHA v2 / v3**: Protect the login form from bots, with a configurable
   v3 score threshold.
 * **Disable XML-RPC** and **Disable File Editor**: Block DDoS / brute-force vectors
   and stop code editing from the dashboard.

#### Speed Optimization

 * **Heartbeat Throttle**: Slows the Heartbeat API to 60 seconds instead of disabling
   it, preserving autosave and post-locking.
 * **System Tweaks**: Lazy load images, limit post revisions, allow safe SVG uploads
   (with XXE-hardened sanitizer).
 * **Database Cleanup**: Remove revisions, spam comments, and expired transients
   in one click.
 * **Malware Scanner**: Scan your entire codebase and database for suspicious injections.

#### SMTP Configuration

 * Send emails via **Gmail** (App Password) or a **custom SMTP server** (SSL/TLS).
 * Built-in **Test Email** sender.
 * Email delivery log with success/failure tracking.
 * Force From Name and From Email to prevent address drift.

#### Website Utilities

 * Inject tracking codes in **Header/Footer** (Google Analytics, Facebook Pixel,
   etc.).
 * **Content Protection**: Disable right-click, text selection, and drag-and-drop.
 * **Maintenance Mode**: Display a professional “under construction” page to visitors.
 * **Custom Login Logo**: Replace the WordPress logo on the login screen with your
   own brand.

#### Disk Space Manager

 * Recursively scan your hosting for large files (>50 MB).
 * Auto-categorize files (backups, error logs, large media).
 * Bulk delete to free up disk space instantly.

#### Floating Contact Buttons

 * **Phone Hotline** button with animated icon.
 * **Zalo** chat button (auto-opens Zalo app).
 * **Messenger** chat button (m.me deep link).
 * Fully responsive floating widget in the corner of your site.

#### Import / Export Settings

 * **Export** all Sitevorx settings as a JSON file.
 * **Import** settings from another site in one click.
 * **Reset** all settings to factory defaults.

#### Scheduled Cleanup (WP-Cron)

 * Automatic cleanup: daily, twice daily, or weekly.
 * Clears temp files, auto-drafts, spam, and optimizes database tables.
 * Activity log showing the last 20 cleanup runs.

#### Maintenance & Update Monitor

 * Track plugins and themes that need updating.
 * Check WordPress core, PHP version, SSL status, and WP_DEBUG.
 * Maintenance health score with actionable recommendations.

#### Server Info

 * View Web Server, PHP, MySQL, and WordPress versions at a glance.
 * PHP limits: memory, execution time, input vars, upload size.
 * List all loaded PHP extensions.
 * Database size monitoring.

### External Services

#### Google reCAPTCHA (v2 and v3)

Sitevorx can optionally integrate with Google reCAPTCHA (v2 checkbox or v3 invisible/score-based)
to protect the WordPress login form. This feature is disabled by default
and only works when an administrator explicitly enables it, selects a version, and
provides valid Google-issued API keys.

When enabled, the plugin loads the Google reCAPTCHA JavaScript on the login screen
and sends the generated verification token to Google’s verification endpoint
(`https://www.google.com/recaptcha/api/siteverify`) during login validation. For v3, the configurable
score threshold (filter `sitevorx_recaptcha_v3_score_threshold`, default `0.5`) 
is compared against Google’s returned score.

This service is provided by Google:

 * Service URL: https://www.google.com/recaptcha/
 * Verification endpoint: https://www.google.com/recaptcha/api/siteverify
 * Terms of Service: https://policies.google.com/terms
 * Privacy Policy: https://policies.google.com/privacy

#### WordPress.org Core Checksums API

The **Security Center > Kiểm Tra Toàn Diện (Comprehensive Check) > WordPress Core
Integrity** check (off by default; runs only when the admin clicks “Kiểm tra”, i.e.
“Check”) fetches the official MD5 checksums for the installed WordPress version from
WordPress.org so it can flag modified or missing core files.

 * Verification endpoint: https://api.wordpress.org/core/checksums/1.0/
 * Request payload: only the installed WordPress version string (e.g. `6.4.2`) and
   the locale `en_US`. No site URL, user data, or content is sent.
 * Operated by: WordPress.org
 * Terms of Service: https://wordpress.org/about/privacy/
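
The comparison this section describes, as an added example in plain PHP (not Sitevorx's own code): it checks a directory tree against a path-to-MD5 map and reports modified, missing, and extra files. The function name, the demo tree, and the checksum map are constructed for illustration; the map mimics the `checksums` object of the API response so the script runs offline.

```php
<?php
// Added example, not Sitevorx code. Runs offline against a constructed tree.

/** Compare a WordPress root against a relative-path => MD5 map. */
function example_check_core(string $root, array $checksums): array
{
    $report = ['modified' => [], 'missing' => [], 'extra' => []];
    $root   = rtrim($root, '/\\');

    foreach ($checksums as $rel => $expected) {
        // Assumption: bundled wp-content entries are skipped, because sites
        // routinely update or delete the default themes and plugins.
        if (strncmp($rel, 'wp-content/', 11) === 0) {
            continue;
        }
        $path = $root . '/' . $rel;
        if (!is_file($path)) {
            $report['missing'][] = $rel;
            continue;
        }
        $actual = is_readable($path) ? md5_file($path) : false;
        if ($actual === false || !hash_equals($expected, $actual)) {
            $report['modified'][] = $rel; // unreadable files count as unverified
        }
    }

    // Extra files: anything under the core-only directories that the
    // checksum list does not name.
    foreach (['wp-admin', 'wp-includes'] as $dir) {
        if (!is_dir("$root/$dir")) {
            continue;
        }
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator("$root/$dir", FilesystemIterator::SKIP_DOTS)
        );
        foreach ($files as $file) {
            $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
            if (!isset($checksums[$rel])) {
                $report['extra'][] = $rel;
            }
        }
    }
    return $report;
}

// --- constructed demo: a tiny "install" and a response-shaped checksum map ---
$root = sys_get_temp_dir() . '/core-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-includes", 0700, true);
mkdir("$root/wp-admin", 0700, true);
$clean = "<?php // pristine core file\n";
file_put_contents("$root/wp-load.php", $clean);
file_put_contents("$root/wp-includes/version.php", $clean . "// edited after install\n");
file_put_contents("$root/wp-includes/not-in-core.php", $clean);

$response = json_encode(['checksums' => [
    'wp-load.php'                   => md5($clean),
    'wp-includes/version.php'       => md5($clean),
    'wp-admin/admin.php'            => md5($clean), // absent on disk
    'wp-content/themes/x/style.css' => md5($clean), // skipped by the check
]]);
$checksums = json_decode($response, true)['checksums'] ?? [];

print_r(example_check_core($root, $checksums));
```

Extra-file detection is limited to `wp-admin` and `wp-includes` because the site root legitimately holds files such as `wp-config.php` that no checksum list names.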

### Highlights

 * **All-in-one**: Replaces 5-7 single-purpose plugins (SMTP, Security, Optimization,
   Cleanup, Maintenance).
 * **Modern UI**: Gradient banners, collapsible sidebar, toast notifications, fully
   responsive.
 * **Secure by design**: Nonce verification, input sanitization, CSRF protection,
   prepared database queries.
 * **Lightweight**: Modular architecture — only loads what you use. Zero frontend
   impact. No Composer or NPM required.
 * **Localized**: Full Vietnamese (vi) translation included via .po/.mo files.

## Installation

 1. Upload the `sitevorx` folder to `/wp-content/plugins/`, or install the ZIP file
    via **Plugins > Add New > Upload Plugin**.
 2. Activate the plugin through the **Plugins** menu in WordPress.
 3. Navigate to the **Sitevorx** menu item in your admin sidebar.

## FAQ

### Does this plugin conflict with WP Mail SMTP?

Yes, both plugins hook into `phpmailer_init`. We recommend deactivating other SMTP
plugins before using Sitevorx’s built-in SMTP module.

### Does it detect real IPs behind Cloudflare?

Yes. Sitevorx reads the `CF-Connecting-IP` header to identify the real visitor IP
behind Cloudflare’s proxy.
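
An added example (not Sitevorx's own code) of resolving the client IP behind a proxy: it keeps the CF-Ray presence check mentioned in the 1.0.9 changelog and additionally requires the connecting address to fall inside the proxy's ranges, since both headers are ordinary request headers that any client can send. `TRUSTED_PROXY_CIDRS`, the function names, and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not Sitevorx code. TRUSTED_PROXY_CIDRS holds constructed
// placeholder ranges; a deployment would load the proxy's published list.
const TRUSTED_PROXY_CIDRS = ['203.0.113.0/24', '2001:db8:100::/48'];

/** True when $ip lies inside $cidr (IPv4 or IPv6). */
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => null];
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) {
        return false;
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false; // IPv4 address against an IPv6 range, or the reverse
    }
    $max   = strlen($ipBin) * 8;
    $bits  = $bits === null ? $max : min(max((int) $bits, 0), $max);
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Resolve the address to use for lockout counters and audit entries. */
function example_client_ip(array $server): string
{
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (example_ip_in_cidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    $claimed = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    // Honour the header only when the TCP peer is the proxy, CF-Ray is present
    // and the value is exactly one syntactically valid IP address.
    if ($fromProxy && !empty($server['HTTP_CF_RAY']) && filter_var($claimed, FILTER_VALIDATE_IP)) {
        return $claimed;
    }
    return $peer; // otherwise only the connecting address can be relied on
}

// Constructed $_SERVER-style samples.
$samples = [
    'through proxy'          => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_RAY' => 'sample-ray',
                                 'HTTP_CF_CONNECTING_IP' => '198.51.100.23'],
    'direct, headers set'    => ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_CF_RAY' => 'sample-ray',
                                 'HTTP_CF_CONNECTING_IP' => '10.0.0.1'],
    'proxy, malformed value' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_RAY' => 'sample-ray',
                                 'HTTP_CF_CONNECTING_IP' => '198.51.100.23, 10.0.0.1'],
    'proxy, no CF-Ray'       => ['REMOTE_ADDR' => '2001:db8:100::9',
                                 'HTTP_CF_CONNECTING_IP' => '198.51.100.23'],
];
foreach ($samples as $label => $server) {
    printf("%-24s %s\n", $label, example_client_ip($server));
}
```

Only the first sample yields the header value; the other three fall back to `REMOTE_ADDR`, which keeps lockout counters and allowlist checks tied to an address the client cannot choose.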

### I forgot my secret login URL. How do I get back in?

Open phpMyAdmin (or any database tool), find the `wp_options` table, and delete
the row where `option_name` is `sitevorx_sec_login_key`. Then access `/wp-login.php`
as usual.

## Reviews


### [Very Good](https://wordpress.org/support/topic/very-good-7771/)

 [kiennt1412](https://profiles.wordpress.org/kiennt1412/) 6 May 2026

Actually I am Indian; after using it I find it easy to use, easy to understand, and easy to control.
Thanks to the team.


### [Very good, help me alot](https://wordpress.org/support/topic/very-good-help-me-alot/)

 [hoangnga](https://profiles.wordpress.org/wangphun/) 29 April 2026

Actually I am Vietnamese; this plugin is very convenient, it lets me manage everything in one
place and I hardly need to open anything else. Thanks to the development team.

 [Read all 2 reviews](https://wordpress.org/support/plugin/sitevorx/reviews/)

## Contributors & Developers

“Sitevorx” is open source software. The following people have contributed to this plugin.

Contributors

 * [iNET](https://profiles.wordpress.org/inetcorp/)

[Translate “Sitevorx” into your language.](https://translate.wordpress.org/projects/wp-plugins/sitevorx)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/sitevorx/), check out the
[SVN repository](https://plugins.svn.wordpress.org/sitevorx/), or subscribe to the
[development log](https://plugins.trac.wordpress.org/log/sitevorx/) by [RSS](https://plugins.trac.wordpress.org/log/sitevorx/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.1.0

 * New module: **Trung Tâm Bảo Mật** (Security Center), which groups the security
   features together and adds Security Score, Headers, Honeypot, User Enumeration
   Protection, Login Notification, and Core Integrity Checker.
 * New: HTTP Security Headers (`X-Content-Type-Options`, `X-Frame-Options`,
   `Referrer-Policy`, `Permissions-Policy`), applied on the frontend only.
 * New: Login Honeypot, which inserts a hidden bot-trap field into the login form
   without affecting real users.
 * New: User Enumeration Protection, which blocks `?author=N` and the REST API
   `/wp/v2/users` for guests.
 * New: Login Notification, which emails the admin when a `manage_options` account
   logs in successfully (1h cooldown per IP).
 * New: WordPress Core Integrity Checker, which compares the MD5 of core files against
   `api.wordpress.org/core/checksums/1.0/` to detect modified or missing files (runs
   on demand, declared under External Services).
 * UI: the “Tối ưu & Bảo mật” (Optimization & Security) page is renamed “Tối ưu Tốc Độ”
   (Speed Optimization); the sidebar menu and dashboard have a new card for Security Center.
 * Compliance: security actions are recorded through a unified audit log (`sitevorx_audit_log`)
   instead of several parallel ring buffers.

#### 1.0.11

 * Dashboard: each health issue now has a “” action link that jumps directly to 
   the page where the admin can fix it (Bảo mật, SMTP, Bảo trì, Tiện ích).
 * Dashboard: new detection: `DISALLOW_WP_CRON` set in wp-config.php. Warns the
   admin that internal WP-Cron is off and an external cron must be calling wp-cron.php,
   otherwise scheduled cleanup will not run.
 * Dashboard: new detection — recent SMTP failures. If SMTP logging is on, the dashboard
   counts non-success entries in the last 24h and links straight to the log tab.
 * Dashboard: new detection — active login lockouts. Shows how many IPs are currently
   locked, with a one-click jump to the Bảo Mật tab where they can be unlocked.
 * Audit log: diff summary now ignores default-off toggles on first save — only 
   flags fields whose normalized on/off state actually flipped, so the “Ngữ cảnh”
   column lists just what the admin changed.
 * Hardening: lockout diagnostics SQL query now wraps the LIKE patterns with
   `$wpdb->prepare()` + `$wpdb->esc_like()` to satisfy Plugin Check, even though both
   patterns are hardcoded.

#### 1.0.10

 * Audit log: the “Ngữ cảnh” column now describes what changed instead of dumping
   the full toggle state. Saving the security tab now records entries like “Bật
   Khóa XML-RPC, Tắt reCAPTCHA đăng nhập, Đổi số lần sai tối đa” instead of
   `login_key=off | disable_editor=on | ...`.
 * Audit log: split “Lưu cấu hình Tối ưu & Bảo mật” into two distinct events, “Lưu
   cấu hình Tăng tốc Website” (Tăng Tốc tab) and “Lưu cấu hình Bảo mật & Tường
   lửa” (Bảo Mật tab), so the timeline is easier to read.
 * Audit log: manual cleanup entries now say which cleanup categories were picked
   (e.g. “Dọn: bản nháp, bình luận rác — tổng 2 nhóm”) instead of
   `revisions=1 | spam=0 | transients=1 | items=2`.
 * Audit log: new public helper `sitevorx_audit_summarize_diff()` for any module
   that wants to produce a similar before/after change list.

#### 1.0.9

 * Login lockout: maximum failed attempts and lockout duration are now admin-configurable
   (3–50 attempts, 5 minutes to 7 days). Defaults preserve previous behavior (5 attempts,
   24 hours).
 * Login lockout: new IP allowlist (one IPv4/IPv6 per line) — listed IPs are never
   counted and never locked, so an administrator on a known IP cannot lock themselves
   out.
 * Login lockout: “IP đang bị khóa” diagnostics panel under Tối ưu & Bảo mật > Bảo
   Mật & Tường Lửa shows currently locked entries (hash + attempt count + expiry
   timestamp) with a per-row Unlock button. Unlock action is gated by `manage_options`
   + nonce and writes a `login_unlock` event to the audit log.
 * Audit log: lockouts now write a `login_lockout` event the moment the threshold
   is hit, with IP, attempt count, last submitted username, and configured lockout
   window.
 * Hardening: aligned the audit log’s IP capture with `sitevorx_get_client_ip()`
   so Cloudflare’s CF-Connecting-IP is only trusted when the matching CF-Ray header
   is present (not spoofable from arbitrary clients).
 * i18n: restored Vietnamese diacritics in the reCAPTCHA failure messages and the
   two reCAPTCHA tab comments that had been mojibake-encoded.

#### 1.0.8

 * Compliance: SMTP log listing now uses `$wpdb->prepare()` for the LIMIT clause
   to satisfy automated SQL-injection scanners.
 * Compliance: removed PHP `@` error suppression on the malware scanner’s file read;
   the scanner now checks `is_readable()` first and still gracefully skips unreadable
   files.
 * Compliance: clarified External Services disclosure in readme.txt to cover both
   reCAPTCHA v2 and v3, and to name the `api/siteverify` verification endpoint explicitly.
 * New: Audit Log submenu (Sitevorx > Nhật ký Kiểm toán) recording sensitive admin
   actions (settings save/reset/import, SMTP test, malware scan, scheduled cleanup
   change, manual cleanup run, disk file delete, log clear). Ring buffer of the
   200 most recent entries, stored in the `sitevorx_audit_log` option (no new database
   table).
 * Hardening: factory reset now preserves the audit trail by skipping the audit-log
   option, so administrators can review what was reset after the fact. Uninstall
   still drops the option on full removal.
 * Dashboard: health overview now reflects runtime state, not just saved options.
   New warnings: scheduled cleanup enabled but no next run on cron (silent failure),
   SMTP mailer selected but missing credentials, reCAPTCHA toggle on but Site/Secret
   key empty, Maintenance Mode active (visitors blocked), WP_DEBUG still on in production.
 * Dashboard: SMTP and Cron status cards now show a red “Thiếu credential” / “Lỗi
   lịch” badge when the saved option does not match runtime readiness, and the health
   score stops counting a broken cron or credentials-less mailer as a passing check.

#### 1.0.7

 * Fixed the Google reCAPTCHA key link so it opens the key creation screen instead
   of the last-used site analytics page.
 * Updated the reCAPTCHA settings heading to match the available v2/v3 selector.

#### 1.0.6

 * Removed the Security Center module from the admin UI and runtime loader to avoid
   overlap with the existing Optimizer & Security hardening controls.
 * Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by
   no longer loading the Security Center module.

#### 1.0.5

 * Improved: Heartbeat optimization now throttles the API to 60 seconds instead 
   of fully disabling it, preserving autosave and post-locking.
 * Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations
   to defend against XXE attacks; admin-only upload still required.
 * Improved: SMTP “Force From Email” now warns when the sender domain differs from
   the site domain (SPF/DKIM mismatch hint).
 * Improved: Scheduled cleanup skips `OPTIMIZE TABLE` on tables larger than 500MB
   to avoid long table locks on shared hosting.
 * New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable
   score threshold filter `sitevorx_recaptcha_v3_score_threshold` (default 0.5).
 * Compliance: Added empty `index.php` files in `/assets`, `/includes`, `/languages`
   for directory listing protection.

#### 1.0.4

 * Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even 
   when the WordPress site/user locale is English.

#### 1.0.3

 * Added dashboard, support, and rating links to the WordPress Plugins screen.

#### 1.0.2

 * Second pass on WordPress Plugin Directory automated review feedback:
    - Header/footer script output now goes through `wp_kses()` with a strict allow-list
      (`sitevorx_kses_tracking_tags()`) that permits only tracking / verification
      markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every
      attribute value is still run through `wp_kses_bad_protocol()` which strips
      `javascript:`, `data:` and `vbscript:` URLs.
    - The “Clear error log” feature now targets the canonical `WP_CONTENT_DIR/debug.log`
      location and uses the WordPress `WP_Filesystem` API. The plugin no longer
      writes anywhere outside `wp-content/`.
    - Escaped the secret login URL preview with `esc_url( home_url( '/?' . $key ))`.
    - Removed the runtime `.po` -> `.mo` translation compiler. The plugin previously
      regenerated `languages/sitevorx-en_US.mo` on demand; that wrote to the plugin
      folder, which is not allowed. The compiled `.mo` is now shipped pre-built 
      with the plugin and WordPress loads it normally.
    - Removed the runtime machine-translation fallback. The plugin no longer contacts
      any translation service. The bundled `.mo` file is now the only source of 
      English strings.
    - Wrapped every remaining dynamic CSS class / inline style ternary (e.g. `echo
      $active ? 'on' : 'off'`) with `esc_attr()` across the sidebar, dashboard overview,
      SMTP/Optimizer/Utilities/Disk Cleaner tab navigation, and server stat cards,
      so automated scanners can see the escape explicitly.

#### 1.0.1

 * Security hardening per WordPress Plugin Review feedback:
    - Added `sanitize_text_field()` wrapper around every nonce value passed to
      `wp_verify_nonce()`.
    - Sanitized `$_POST` raw script fields (header/footer injection) with a dedicated
      helper (`sitevorx_sanitize_raw_script`) before `update_option()`; save path
      remains gated by the `unfiltered_html` capability.
    - Replaced `esc_url_raw()` with `esc_url()` for inline CSS output in the custom
      login logo.
    - Escaped every translated/output string that previously used `__()` inside
      `echo`/`printf`/`sprintf`: now wrapped with `esc_html__()`, `esc_html( sprintf(...))`,
      or the `sitevorx_kses_basic()` helper (allowlisted `<strong>`, `<a>`, `<br>`,
      `<code>`, …).
    - Hardened the JSON import flow with explicit `wp_unslash()` + `wp_check_invalid_utf8()`
      before `json_decode()`; per-field sanitization was already enforced on every
      decoded value.
    - Escaped integer counters and dynamic CSS class/style values with `(int)`,
      `esc_attr()`, and `esc_html()` across all admin screens.
    - Sanitized the `heavy_files[]` array from the disk cleaner with
      `array_map('sanitize_text_field', wp_unslash(...) )`.

#### 1.0.0

 * Initial public release.
 * Full security audit: nonce verification, capability checks, input sanitization
   on all forms.
 * Malware scanner for files and database.
 * System optimizer with scheduled WP-Cron cleanup.
 * Maintenance & Update monitor module.
 * Modern Flex/Grid responsive dashboard UI.
 * Complete Vietnamese localization.
 * Dashboard: complete UI redesign — hero banner, storage visualization bars, health
   progress, feature module cards with status badges, 6-card server info grid.
 * Dashboard: “Xem dung lượng chi tiết” links directly to Detailed Storage tab.
 * Disk Space Manager: two-tab interface — “File Cỡ Lớn (>50 MB)” (scan & delete)
   and “Dung Lượng Chi Tiết” (WP Content breakdown by plugins/themes/uploads/other
   + top-10 DB tables + Refresh).
 * Security: added validation — cannot enable “Đổi Đường Dẫn Đăng Nhập” or “Khóa
   Tự Động Đăng Nhập” without filling required fields; shows error instead of silently
   reverting.
 * i18n: bundled language files included for English and Vietnamese.
 * i18n: added new translation strings for all new UI elements.

## Meta

 * Version **1.1.0**
 * Last updated **1 week ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.5 or higher**
 * Tested up to **6.9.4**
 * PHP version **7.4 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/sitevorx/)
 * Tags: [cleanup](https://hr.wordpress.org/plugins/tags/cleanup/) [maintenance](https://hr.wordpress.org/plugins/tags/maintenance/)
   [optimization](https://hr.wordpress.org/plugins/tags/optimization/) [security](https://hr.wordpress.org/plugins/tags/security/)
   [smtp](https://hr.wordpress.org/plugins/tags/smtp/)
 * [Advanced View](https://hr.wordpress.org/plugins/sitevorx/advanced/)

## Ratings

 5 out of 5 stars.

 * [2 5-star reviews](https://wordpress.org/support/plugin/sitevorx/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/sitevorx/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/sitevorx/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/sitevorx/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/sitevorx/reviews/?filter=1)
