{"id":298697,"date":"2026-04-29T04:57:09","date_gmt":"2026-04-29T04:57:09","guid":{"rendered":"https:\/\/vi.wordpress.org\/plugins\/siteops\/"},"modified":"2026-05-15T06:58:44","modified_gmt":"2026-05-15T06:58:44","slug":"sitevorx","status":"publish","type":"plugin","link":"https:\/\/hr.wordpress.org\/plugins\/sitevorx\/","author":20572425,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1.0","stable_tag":"1.1.0","tested":"6.9.4","requires":"5.5","requires_php":"7.4","requires_plugins":null,"header_name":"Sitevorx","header_author":"iNET","header_description":"All-in-one WordPress toolkit for optimization, security, SMTP, disk cleanup, and maintenance monitoring.","assets_banners_color":"","last_updated":"2026-05-15 06:58:44","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"https:\/\/inet.vn","rating":5,"author_block_rating":0,"active_installs":0,"downloads":312,"num_ratings":2,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.2":{"tag":"1.0.2","author":"inetcorp","date":"2026-04-29 06:02:13"},"1.0.3":{"tag":"1.0.3","author":"inetcorp","date":"2026-04-29 06:21:54"},"1.0.4":{"tag":"1.0.4","author":"inetcorp","date":"2026-05-05 01:41:29"},"1.0.5":{"tag":"1.0.5","author":"inetcorp","date":"2026-05-05 08:55:53"},"1.0.6":{"tag":"1.0.6","author":"inetcorp","date":"2026-05-05 09:46:06"},"1.0.7":{"tag":"1.0.7","author":"inetcorp","date":"2026-05-05 10:00:06"},"1.1.0":{"tag":"1.1.0","author":"inetcorp","date":"2026-05-15 06:58:44"}},"upgrade_notice":[],"ratings":{"1":0,"2":0,"3":0,"4":0,"5":2},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3517991,"resolution":"128x128","location":"assets","locale":"","width":1024,"height":1024},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3517991,"resolution":"256x256","location":"assets","locale":"","width":1024,"height":1024}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[3786,732,187,600,6696],"plugin_category":[41,52,54],"plugin_contributors":[261342],"plugin_business_model":[],"class_list":["post-298697","plugin","type-plugin","status-publish","hentry","plugin_tags-cleanup","plugin_tags-maintenance","plugin_tags-optimization","plugin_tags-security","plugin_tags-smtp","plugin_category-communication","plugin_category-performance","plugin_category-security-and-spam-protection","plugin_contributors-inetcorp","plugin_committers-inetcorp"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/sitevorx\/assets\/icon-128x128.png?rev=3517991","icon_2x":"https:\/\/ps.w.org\/sitevorx\/assets\/icon-256x256.png?rev=3517991","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Sitevorx<\/strong> is a lightweight, all-in-one WordPress plugin that helps you optimize performance, harden security, and manage your website from a single, modern dashboard. No bloat, no external dependencies \u2014 just the tools you need.<\/p>\n\n<h4>Security Center (NEW in 1.1.0)<\/h4>\n\n<ul>\n<li><strong>Security Score Dashboard<\/strong>: A single 0\u2013100 score that summarizes the hardening state of your site, with prioritized recommendations.<\/li>\n<li><strong>Core Integrity Checker<\/strong>: Compares every WordPress core file against the official <code>api.wordpress.org<\/code> MD5 checksums to detect modified, missing, or extra files.<\/li>\n<li><strong>HTTP Security Headers<\/strong>: One-click enable <code>X-Content-Type-Options<\/code>, <code>X-Frame-Options<\/code>, <code>Referrer-Policy<\/code>, and <code>Permissions-Policy<\/code> on the frontend.<\/li>\n<li><strong>Login Honeypot<\/strong>: Invisible bait field on <code>wp-login.php<\/code> that silently rejects spam bots without affecting real users.<\/li>\n<li><strong>User Enumeration Protection<\/strong>: Blocks <code>?author=N<\/code> probing and the public REST <code>\/wp\/v2\/users<\/code> endpoint for non-logged-in visitors.<\/li>\n<li><strong>Login Notification<\/strong>: Emails the administrator whenever an account with <code>manage_options<\/code> logs in successfully (1-hour cooldown per IP).<\/li>\n<li><strong>Login Attempt Limiter<\/strong>: Lock out IPs after repeated failed login attempts, with configurable threshold, lockout duration, and IP allowlist.<\/li>\n<li><strong>Secret Login URL<\/strong>: Hide the default <code>wp-login.php<\/code> behind a custom keyword.<\/li>\n<li><strong>Google reCAPTCHA v2 \/ v3<\/strong>: Protect the login form from bots, with a configurable v3 score threshold.<\/li>\n<li><strong>Disable XML-RPC<\/strong> and <strong>Disable File Editor<\/strong>: Block DDoS \/ brute-force vectors and stop code editing from the dashboard.<\/li>\n<\/ul>\n\n<h4>Speed Optimization<\/h4>\n\n<ul>\n<li><strong>Heartbeat Throttle<\/strong>: Slows the Heartbeat API to 60 seconds instead of disabling it, preserving autosave and post-locking.<\/li>\n<li><strong>System Tweaks<\/strong>: Lazy load images, limit post revisions, allow safe SVG uploads (with XXE-hardened sanitizer).<\/li>\n<li><strong>Database Cleanup<\/strong>: Remove revisions, spam comments, and expired transients in one click.<\/li>\n<li><strong>Malware Scanner<\/strong>: Scan your entire codebase and database for suspicious injections.<\/li>\n<\/ul>\n\n<h4>SMTP Configuration<\/h4>\n\n<ul>\n<li>Send emails via <strong>Gmail<\/strong> (App Password) or a <strong>custom SMTP server<\/strong> (SSL\/TLS).<\/li>\n<li>Built-in <strong>Test Email<\/strong> sender.<\/li>\n<li>Email delivery log with success\/failure tracking.<\/li>\n<li>Force From Name and From Email to prevent address drift.<\/li>\n<\/ul>\n\n<h4>Website Utilities<\/h4>\n\n<ul>\n<li>Inject tracking codes in <strong>Header\/Footer<\/strong> (Google Analytics, Facebook Pixel, etc.).<\/li>\n<li><strong>Content Protection<\/strong>: Disable right-click, text selection, and drag-and-drop.<\/li>\n<li><strong>Maintenance Mode<\/strong>: Display a professional \"under construction\" page to visitors.<\/li>\n<li><strong>Custom Login Logo<\/strong>: Replace the WordPress logo on the login screen with your own brand.<\/li>\n<\/ul>\n\n<h4>Disk Space Manager<\/h4>\n\n<ul>\n<li>Recursively scan your hosting for large files (&gt;50 MB).<\/li>\n<li>Auto-categorize files (backups, error logs, large media).<\/li>\n<li>Bulk delete to free up disk space instantly.<\/li>\n<\/ul>\n\n<h4>Floating Contact Buttons<\/h4>\n\n<ul>\n<li><strong>Phone Hotline<\/strong> button with animated icon.<\/li>\n<li><strong>Zalo<\/strong> chat button (auto-opens Zalo app).<\/li>\n<li><strong>Messenger<\/strong> chat button (m.me deep link).<\/li>\n<li>Fully responsive floating widget in the corner of your site.<\/li>\n<\/ul>\n\n<h4>Import \/ Export Settings<\/h4>\n\n<ul>\n<li><strong>Export<\/strong> all Sitevorx settings as a JSON file.<\/li>\n<li><strong>Import<\/strong> settings from another site in one click.<\/li>\n<li><strong>Reset<\/strong> all settings to factory defaults.<\/li>\n<\/ul>\n\n<h4>Scheduled Cleanup (WP-Cron)<\/h4>\n\n<ul>\n<li>Automatic cleanup: daily, twice daily, or weekly.<\/li>\n<li>Clears temp files, auto-drafts, spam, and optimizes database tables.<\/li>\n<li>Activity log showing the last 20 cleanup runs.<\/li>\n<\/ul>\n\n<h4>Maintenance &amp; Update Monitor<\/h4>\n\n<ul>\n<li>Track plugins and themes that need updating.<\/li>\n<li>Check WordPress core, PHP version, SSL status, and WP_DEBUG.<\/li>\n<li>Maintenance health score with actionable recommendations.<\/li>\n<\/ul>\n\n<h4>Server Info<\/h4>\n\n<ul>\n<li>View Web Server, PHP, MySQL, and WordPress versions at a glance.<\/li>\n<li>PHP limits: memory, execution time, input vars, upload size.<\/li>\n<li>List all loaded PHP extensions.<\/li>\n<li>Database size monitoring.<\/li>\n<\/ul>\n\n<h3>External Services<\/h3>\n\n<h4>Google reCAPTCHA (v2 and v3)<\/h4>\n\n<p>Sitevorx can optionally integrate with Google reCAPTCHA (v2 checkbox or v3 invisible \/ score-based) to protect the WordPress login form. This feature is disabled by default and only works when an administrator explicitly enables it, selects a version, and provides valid Google-issued API keys.<\/p>\n\n<p>When enabled, the plugin loads the Google reCAPTCHA JavaScript on the login screen and sends the generated verification token to Google's verification endpoint (<code>https:\/\/www.google.com\/recaptcha\/api\/siteverify<\/code>) during login validation. For v3, the configurable score threshold (filter <code>sitevorx_recaptcha_v3_score_threshold<\/code>, default <code>0.5<\/code>) is compared against Google's returned score.<\/p>\n\n<p>This service is provided by Google:\n* Service URL: https:\/\/www.google.com\/recaptcha\/\n* Verification endpoint: https:\/\/www.google.com\/recaptcha\/api\/siteverify\n* Terms of Service: https:\/\/policies.google.com\/terms\n* Privacy Policy: https:\/\/policies.google.com\/privacy<\/p>\n\n<h4>WordPress.org Core Checksums API<\/h4>\n\n<p>The <strong>Security Center \u2192 Ki\u1ec3m Tra To\u00e0n Di\u1ec7n \u2192 WordPress Core Integrity<\/strong> check (off by default; runs only when the admin clicks \"Ki\u1ec3m tra\") fetches the official MD5 checksums for the installed WordPress version from WordPress.org so it can flag modified or missing core files.<\/p>\n\n<ul>\n<li>Verification endpoint: https:\/\/api.wordpress.org\/core\/checksums\/1.0\/<\/li>\n<li>Request payload: only the installed WordPress version string (e.g. <code>6.4.2<\/code>) and the locale <code>en_US<\/code>. No site URL, user data, or content is sent.<\/li>\n<li>Operated by: WordPress.org<\/li>\n<li>Terms of Service: https:\/\/wordpress.org\/about\/privacy\/<\/li>\n<\/ul>\n\n<h3>Highlights<\/h3>\n\n<ul>\n<li><strong>All-in-one<\/strong>: Replaces 5-7 single-purpose plugins (SMTP, Security, Optimization, Cleanup, Maintenance).<\/li>\n<li><strong>Modern UI<\/strong>: Gradient banners, collapsible sidebar, toast notifications, fully responsive.<\/li>\n<li><strong>Secure by design<\/strong>: Nonce verification, input sanitization, CSRF protection, prepared database queries.<\/li>\n<li><strong>Lightweight<\/strong>: Modular architecture \u2014 only loads what you use. Zero frontend impact. No Composer or NPM required.<\/li>\n<li><strong>Localized<\/strong>: Full Vietnamese (vi) translation included via .po\/.mo files.<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>sitevorx<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install the ZIP file via <strong>Plugins &gt; Add New &gt; Upload Plugin<\/strong>.<\/li>\n<li>Activate the plugin through the <strong>Plugins<\/strong> menu in WordPress.<\/li>\n<li>Navigate to the <strong>Sitevorx<\/strong> menu item in your admin sidebar.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20plugin%20conflict%20with%20wp%20mail%20smtp%3F\"><h3>Does this plugin conflict with WP Mail SMTP?<\/h3><\/dt>\n<dd><p>Yes, both plugins hook into <code>phpmailer_init<\/code>. We recommend deactivating other SMTP plugins before using Sitevorx's built-in SMTP module.<\/p><\/dd>\n<dt id=\"does%20it%20detect%20real%20ips%20behind%20cloudflare%3F\"><h3>Does it detect real IPs behind Cloudflare?<\/h3><\/dt>\n<dd><p>Yes. Sitevorx reads the <code>CF-Connecting-IP<\/code> header to identify the real visitor IP behind Cloudflare's proxy.<\/p><\/dd>\n<dt id=\"i%20forgot%20my%20secret%20login%20url.%20how%20do%20i%20get%20back%20in%3F\"><h3>I forgot my secret login URL. How do I get back in?<\/h3><\/dt>\n<dd><p>Open phpMyAdmin (or any database tool), find the <code>wp_options<\/code> table, and delete the row where <code>option_name<\/code> is <code>sitevorx_sec_login_key<\/code>. Then access <code>\/wp-login.php<\/code> as usual.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>New module: <strong>Trung T\u00e2m B\u1ea3o M\u1eadt<\/strong> (Security Center) \u2014 gom c\u00e1c t\u00ednh n\u0103ng b\u1ea3o m\u1eadt v\u00e0 b\u1ed5 sung Security Score, Headers, Honeypot, User Enumeration Protection, Login Notification, Core Integrity Checker.<\/li>\n<li>New: HTTP Security Headers (<code>X-Content-Type-Options<\/code>, <code>X-Frame-Options<\/code>, <code>Referrer-Policy<\/code>, <code>Permissions-Policy<\/code>) \u2014 ch\u1ec9 \u00e1p d\u1ee5ng tr\u00ean frontend.<\/li>\n<li>New: Login Honeypot \u2014 ch\u00e8n hidden field b\u1eaby bot v\u00e0o form \u0111\u0103ng nh\u1eadp, kh\u00f4ng \u1ea3nh h\u01b0\u1edfng ng\u01b0\u1eddi d\u00f9ng th\u1eadt.<\/li>\n<li>New: User Enumeration Protection \u2014 ch\u1eb7n <code>?author=N<\/code> v\u00e0 REST API <code>\/wp\/v2\/users<\/code> cho kh\u00e1ch.<\/li>\n<li>New: Login Notification \u2014 g\u1eedi email cho admin khi t\u00e0i kho\u1ea3n <code>manage_options<\/code> \u0111\u0103ng nh\u1eadp th\u00e0nh c\u00f4ng (cooldown 1h\/IP).<\/li>\n<li>New: WordPress Core Integrity Checker \u2014 \u0111\u1ed1i chi\u1ebfu MD5 c\u00e1c file core v\u1edbi <code>api.wordpress.org\/core\/checksums\/1.0\/<\/code> \u0111\u1ec3 ph\u00e1t hi\u1ec7n file b\u1ecb s\u1eeda \u0111\u1ed5i ho\u1eb7c thi\u1ebfu (ch\u1ea1y theo y\u00eau c\u1ea7u, \u0111\u00e3 khai b\u00e1o trong External Services).<\/li>\n<li>UI: trang \"T\u1ed1i \u01b0u &amp; B\u1ea3o m\u1eadt\" \u0111\u1ed5i t\u00ean th\u00e0nh \"T\u1ed1i \u01b0u T\u1ed1c \u0110\u1ed9\"; menu sidebar v\u00e0 dashboard c\u00f3 card m\u1edbi cho Security Center.<\/li>\n<li>Compliance: ghi nh\u1eadn h\u00e0nh \u0111\u1ed9ng b\u1ea3o m\u1eadt th\u00f4ng qua audit log th\u1ed1ng nh\u1ea5t (<code>sitevorx_audit_log<\/code>), kh\u00f4ng l\u01b0u song song nhi\u1ec1u ring buffer.<\/li>\n<\/ul>\n\n<h4>1.0.11<\/h4>\n\n<ul>\n<li>Dashboard: each health issue now has a \"\u2192\" action link that jumps directly to the page where the admin can fix it (B\u1ea3o m\u1eadt, SMTP, B\u1ea3o tr\u00ec, Ti\u1ec7n \u00edch).<\/li>\n<li>Dashboard: new detection \u2014 <code>DISALLOW_WP_CRON<\/code> set in wp-config.php. Warns the admin that internal WP-Cron is off and an external cron must be calling wp-cron.php, otherwise scheduled cleanup will not run.<\/li>\n<li>Dashboard: new detection \u2014 recent SMTP failures. If SMTP logging is on, the dashboard counts non-success entries in the last 24h and links straight to the log tab.<\/li>\n<li>Dashboard: new detection \u2014 active login lockouts. Shows how many IPs are currently locked, with a one-click jump to the B\u1ea3o M\u1eadt tab where they can be unlocked.<\/li>\n<li>Audit log: diff summary now ignores default-off toggles on first save \u2014 only flags fields whose normalized on\/off state actually flipped, so the \"Ng\u1eef c\u1ea3nh\" column lists just what the admin changed.<\/li>\n<li>Hardening: lockout diagnostics SQL query now wraps the LIKE patterns with <code>$wpdb-&gt;prepare()<\/code> + <code>$wpdb-&gt;esc_like()<\/code> to satisfy Plugin Check, even though both patterns are hardcoded.<\/li>\n<\/ul>\n\n<h4>1.0.10<\/h4>\n\n<ul>\n<li>Audit log: the \"Ng\u1eef c\u1ea3nh\" column now describes what changed instead of dumping the full toggle state. Saving the security tab now records entries like \"B\u1eadt Kh\u00f3a XML-RPC, T\u1eaft reCAPTCHA \u0111\u0103ng nh\u1eadp, \u0110\u1ed5i s\u1ed1 l\u1ea7n sai t\u1ed1i \u0111a\" instead of <code>login_key=off | disable_editor=on | ...<\/code>.<\/li>\n<li>Audit log: split \"L\u01b0u c\u1ea5u h\u00ecnh T\u1ed1i \u01b0u &amp; B\u1ea3o m\u1eadt\" into two distinct events \u2014 \"L\u01b0u c\u1ea5u h\u00ecnh T\u0103ng t\u1ed1c Website\" (T\u0103ng T\u1ed1c tab) and \"L\u01b0u c\u1ea5u h\u00ecnh B\u1ea3o m\u1eadt &amp; T\u01b0\u1eddng l\u1eeda\" (B\u1ea3o M\u1eadt tab) \u2014 so the timeline is easier to read.<\/li>\n<li>Audit log: manual cleanup entries now say which cleanup categories were picked (e.g. \"D\u1ecdn: b\u1ea3n nh\u00e1p, b\u00ecnh lu\u1eadn r\u00e1c \u2014 t\u1ed5ng 2 nh\u00f3m\") instead of <code>revisions=1 | spam=0 | transients=1 | items=2<\/code>.<\/li>\n<li>Audit log: new public helper <code>sitevorx_audit_summarize_diff()<\/code> for any module that wants to produce a similar before\/after change list.<\/li>\n<\/ul>\n\n<h4>1.0.9<\/h4>\n\n<ul>\n<li>Login lockout: maximum failed attempts and lockout duration are now admin-configurable (3\u201350 attempts, 5 minutes to 7 days). Defaults preserve previous behavior (5 attempts, 24 hours).<\/li>\n<li>Login lockout: new IP allowlist (one IPv4\/IPv6 per line) \u2014 listed IPs are never counted and never locked, so an administrator on a known IP cannot lock themselves out.<\/li>\n<li>Login lockout: \"IP \u0111ang b\u1ecb kh\u00f3a\" diagnostics panel under T\u1ed1i \u01b0u &amp; B\u1ea3o m\u1eadt \u2192 B\u1ea3o M\u1eadt &amp; T\u01b0\u1eddng L\u1eeda shows currently locked entries (hash + attempt count + expiry timestamp) with a per-row Unlock button. Unlock action is gated by manage_options + nonce and writes a <code>login_unlock<\/code> event to the audit log.<\/li>\n<li>Audit log: lockouts now write a <code>login_lockout<\/code> event the moment the threshold is hit, with IP, attempt count, last submitted username, and configured lockout window.<\/li>\n<li>Hardening: aligned the audit log's IP capture with <code>sitevorx_get_client_ip()<\/code> so Cloudflare's CF-Connecting-IP is only trusted when the matching CF-Ray header is present (not spoofable from arbitrary clients).<\/li>\n<li>i18n: restored Vietnamese diacritics in the reCAPTCHA failure messages and the two reCAPTCHA tab comments that had been mojibake-encoded.<\/li>\n<\/ul>\n\n<h4>1.0.8<\/h4>\n\n<ul>\n<li>Compliance: SMTP log listing now uses <code>$wpdb-&gt;prepare()<\/code> for the LIMIT clause to satisfy automated SQL-injection scanners.<\/li>\n<li>Compliance: removed PHP <code>@<\/code> error suppression on the malware scanner's file read; the scanner now checks <code>is_readable()<\/code> first and still gracefully skips unreadable files.<\/li>\n<li>Compliance: clarified External Services disclosure in readme.txt to cover both reCAPTCHA v2 and v3, and to name the <code>api\/siteverify<\/code> verification endpoint explicitly.<\/li>\n<li>New: Audit Log submenu (Sitevorx \u2192 Nh\u1eadt k\u00fd Ki\u1ec3m to\u00e1n) recording sensitive admin actions (settings save\/reset\/import, SMTP test, malware scan, scheduled cleanup change, manual cleanup run, disk file delete, log clear). Ring buffer of the 200 most recent entries, stored in the <code>sitevorx_audit_log<\/code> option (no new database table).<\/li>\n<li>Hardening: factory reset now preserves the audit trail by skipping the audit-log option, so administrators can review what was reset after the fact. Uninstall still drops the option on full removal.<\/li>\n<li>Dashboard: health overview now reflects runtime state, not just saved options. New warnings: scheduled cleanup enabled but no next run on cron (silent failure), SMTP mailer selected but missing credentials, reCAPTCHA toggle on but Site\/Secret key empty, Maintenance Mode active (visitors blocked), WP_DEBUG still on in production.<\/li>\n<li>Dashboard: SMTP and Cron status cards now show a red \"Thi\u1ebfu credential\" \/ \"L\u1ed7i l\u1ecbch\" badge when the saved option does not match runtime readiness, and the health score stops counting a broken cron or credentials-less mailer as a passing check.<\/li>\n<\/ul>\n\n<h4>1.0.7<\/h4>\n\n<ul>\n<li>Fixed the Google reCAPTCHA key link so it opens the key creation screen instead of the last-used site analytics page.<\/li>\n<li>Updated the reCAPTCHA settings heading to match the available v2\/v3 selector.<\/li>\n<\/ul>\n\n<h4>1.0.6<\/h4>\n\n<ul>\n<li>Removed the Security Center module from the admin UI and runtime loader to avoid overlap with the existing Optimizer &amp; Security hardening controls.<\/li>\n<li>Disabled the unfinished WAF, 2FA, Security Headers, and Activity Log hooks by no longer loading the Security Center module.<\/li>\n<\/ul>\n\n<h4>1.0.5<\/h4>\n\n<ul>\n<li>Improved: Heartbeat optimization now throttles the API to 60 seconds instead of fully disabling it, preserving autosave and post-locking.<\/li>\n<li>Improved: SVG sanitizer now rejects DOCTYPE, ENTITY, SYSTEM, and PUBLIC declarations to defend against XXE attacks; admin-only upload still required.<\/li>\n<li>Improved: SMTP \"Force From Email\" now warns when the sender domain differs from the site domain (SPF\/DKIM mismatch hint).<\/li>\n<li>Improved: Scheduled cleanup skips <code>OPTIMIZE TABLE<\/code> on tables larger than 500MB to avoid long table locks on shared hosting.<\/li>\n<li>New: reCAPTCHA v3 (invisible, score-based) is now selectable alongside v2; configurable score threshold filter <code>sitevorx_recaptcha_v3_score_threshold<\/code> (default 0.5).<\/li>\n<li>Compliance: Added empty <code>index.php<\/code> files in <code>\/assets<\/code>, <code>\/includes<\/code>, <code>\/languages<\/code> for directory listing protection.<\/li>\n<\/ul>\n\n<h4>1.0.4<\/h4>\n\n<ul>\n<li>Fixed the in-plugin language switch so Vietnamese mode stays Vietnamese even when the WordPress site\/user locale is English.<\/li>\n<\/ul>\n\n<h4>1.0.3<\/h4>\n\n<ul>\n<li>Added dashboard, support, and rating links to the WordPress Plugins screen.<\/li>\n<\/ul>\n\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Second pass on WordPress Plugin Directory automated review feedback:\n\n<ul>\n<li>Header\/footer script output now goes through <code>wp_kses()<\/code> with a strict allow-list (<code>sitevorx_kses_tracking_tags()<\/code>) that permits only tracking \/ verification markup (script, noscript, meta, link, iframe, img, a, div, span, p). Every attribute value is still run through <code>wp_kses_bad_protocol()<\/code> which strips <code>javascript:<\/code>, <code>data:<\/code> and <code>vbscript:<\/code> URLs.<\/li>\n<li>The \"Clear error log\" feature now targets the canonical <code>WP_CONTENT_DIR\/debug.log<\/code> location and uses the WordPress <code>WP_Filesystem<\/code> API. The plugin no longer writes anywhere outside <code>wp-content\/<\/code>.<\/li>\n<li>Escaped the secret login URL preview with <code>esc_url( home_url( '\/?' . $key ) )<\/code>.<\/li>\n<li>Removed the runtime <code>.po<\/code> -&gt; <code>.mo<\/code> translation compiler. The plugin previously regenerated <code>languages\/sitevorx-en_US.mo<\/code> on demand; that wrote to the plugin folder, which is not allowed. The compiled <code>.mo<\/code> is now shipped pre-built with the plugin and WordPress loads it normally.<\/li>\n<li>Removed the runtime machine-translation fallback. The plugin no longer contacts any translation service. The bundled <code>.mo<\/code> file is now the only source of English strings.<\/li>\n<li>Wrapped every remaining dynamic CSS class \/ inline style ternary (e.g. <code>echo $active ? 'on' : 'off'<\/code>) with <code>esc_attr()<\/code> across the sidebar, dashboard overview, SMTP\/Optimizer\/Utilities\/Disk Cleaner tab navigation, and server stat cards, so automated scanners can see the escape explicitly.<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Security hardening per WordPress Plugin Review feedback:\n\n<ul>\n<li>Added <code>sanitize_text_field()<\/code> wrapper around every nonce value passed to <code>wp_verify_nonce()<\/code>.<\/li>\n<li>Sanitized <code>$_POST<\/code> raw script fields (header\/footer injection) with a dedicated helper (<code>sitevorx_sanitize_raw_script<\/code>) before <code>update_option()<\/code>; save path remains gated by the <code>unfiltered_html<\/code> capability.<\/li>\n<li>Replaced <code>esc_url_raw()<\/code> with <code>esc_url()<\/code> for inline CSS output in the custom login logo.<\/li>\n<li>Escaped every translated\/output string that previously used <code>__()<\/code> inside <code>echo<\/code>\/<code>printf<\/code>\/<code>sprintf<\/code>: now wrapped with <code>esc_html__()<\/code>, <code>esc_html( sprintf(...) )<\/code>, or the <code>sitevorx_kses_basic()<\/code> helper (allowlisted <code>&lt;strong&gt;<\/code>, <code>&lt;a&gt;<\/code>, <code>&lt;br&gt;<\/code>, <code>&lt;code&gt;<\/code>, ...).<\/li>\n<li>Hardened the JSON import flow with explicit <code>wp_unslash()<\/code> + <code>wp_check_invalid_utf8()<\/code> before <code>json_decode()<\/code>; per-field sanitization was already enforced on every decoded value.<\/li>\n<li>Escaped integer counters and dynamic CSS class\/style values with <code>(int)<\/code>, <code>esc_attr()<\/code>, and <code>esc_html()<\/code> across all admin screens.<\/li>\n<li>Sanitized the <code>heavy_files[]<\/code> array from the disk cleaner with <code>array_map( 'sanitize_text_field', wp_unslash(...) )<\/code>.<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial public release.<\/li>\n<li>Full security audit: nonce verification, capability checks, input sanitization on all forms.<\/li>\n<li>Malware scanner for files and database.<\/li>\n<li>System optimizer with scheduled WP-Cron cleanup.<\/li>\n<li>Maintenance &amp; Update monitor module.<\/li>\n<li>Modern Flex\/Grid responsive dashboard UI.<\/li>\n<li>Complete Vietnamese localization.<\/li>\n<li>Dashboard: complete UI redesign \u2014 hero banner, storage visualization bars, health progress, feature module cards with status badges, 6-card server info grid.<\/li>\n<li>Dashboard: \"Xem dung l\u01b0\u1ee3ng chi ti\u1ebft\" links directly to Detailed Storage tab.<\/li>\n<li>Disk Space Manager: two-tab interface \u2014 \"File C\u1ee1 L\u1edbn (&gt;50 MB)\" (scan &amp; delete) and \"Dung L\u01b0\u1ee3ng Chi Ti\u1ebft\" (WP Content breakdown by plugins\/themes\/uploads\/other + top-10 DB tables + Refresh).<\/li>\n<li>Security: added validation \u2014 cannot enable \"\u0110\u1ed5i \u0110\u01b0\u1eddng D\u1eabn \u0110\u0103ng Nh\u1eadp\" or \"Kh\u00f3a T\u1ef1 \u0110\u1ed9ng \u0110\u0103ng Nh\u1eadp\" without filling required fields; shows error instead of silently reverting.<\/li>\n<li>i18n: bundled language files included for English and Vietnamese.<\/li>\n<li>i18n: added new translation strings for all new UI elements.<\/li>\n<\/ul>","raw_excerpt":"An all-in-one WordPress toolkit for site optimization, security hardening, SMTP configuration, disk cleanup, and maintenance monitoring.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/298697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=298697"}],"author":[{"embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/inetcorp"}],"wp:attachment":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=298697"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=298697"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=298697"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=298697"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=298697"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=298697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}