=== Trusti ===

Contributors: trustiwp, freemius

Tags: security, firewall, 2fa, brute force protection, vulnerability scanner

Requires at least: 5.0

Tested up to: 6.9

Stable tag: 1.0.4

Requires PHP: 7.4

License: GPLv2 or later

License URI: https://www.gnu.org/licenses/gpl-2.0.html

Network: true

Enterprise WordPress security with 2FA, brute force protection, vulnerability scanning, IP blocking, and automated threat response.



== Description ==



**Trusti** is a comprehensive WordPress security plugin that provides enterprise-level protection for your website. With advanced threat detection, real-time monitoring, automated threat response, and complete security hardening, Trusti ensures your site remains secure against modern cyber threats.


---

### ✅ Key features

- 🔐 **Two-Factor Authentication (2FA)** – TOTP support with Google Authenticator, Authy, Microsoft Authenticator, and any TOTP-compatible app for enhanced login security with QR code setup

- 🎭 **Custom Admin URL Masking** – Move the login page off the default `wp-login.php` path to cut automated noise; this is obscurity only and complements, rather than replaces, 2FA and brute force limits

- 🛡️ **Brute Force Protection** – Advanced protection against automated login attempts with configurable thresholds and automatic IP blocking

- 🚫 **IP Blocking** – Granular control over who can access your site with manual and automatic IP management

- 🔒 **Security Headers** – X-Frame-Options, X-XSS-Protection, HSTS, Content Security Policy, Referrer Policy, and more

- 🤖 **User Agent Filtering** – Block malicious bots, scrapers, and automated threats with configurable user agent patterns

- 🚪 **XML-RPC Protection** – Disable the `xmlrpc.php` endpoint, which attackers use for pingback-based DDoS amplification and for trying many credentials per request via `system.multicall`

- 🔍 **Pwned Password Detection** – Check user passwords against known data breaches using Have I Been Pwned API

- 📊 **Vulnerability Scanning** – Check WordPress core, plugins, and themes against a database of known vulnerabilities on demand (plugin scanning and scheduled scans are Premium features)

- 🔎 **Core Integrity Scanner** – Detect unauthorized file modifications and potential compromises with checksum verification

- 📝 **Admin Activity Logging** – Complete audit trail of all administrative actions with timestamps and detailed information

- 🚨 **Multi-channel Notifications** – Alerts via Email, Slack, Pushover, Telegram, and Mailgun when security events are detected (Pushover, Telegram and Mailgun require Premium)

- 🏠 **Directory Hardening** – Protect sensitive directories with .htaccess rules and exception management

- 🌐 **Multisite Support** – Full compatibility with WordPress multisite installations with network-wide security management



─────────────────────────────────────



#### Authentication & Access Control

Protect your login process with two-factor authentication, custom admin URL masking, and brute force protection. Control access with IP blocking and automatic threat response.



---

### 🛠️ How it works

1. **Install and activate** Trusti from your WordPress admin.

2. **Configure core features** – Enable 2FA, security headers, and brute force protection.

3. **Set up notifications** – Configure email, Slack, Pushover, Telegram, or Mailgun alerts for security events.

4. **Run security scans** – Perform vulnerability and integrity scans to identify threats.

5. **Monitor and respond** – Review activity logs and respond to security alerts automatically.



---

### 🔐 Two-Factor Authentication (2FA)

Trusti ships **TOTP (Time-based One-Time Password, RFC 6238)** as the built-in 2FA method. Users can set up 2FA from their profile page using any TOTP-compatible authenticator app. Recommended apps include **Google Authenticator**, **Authy**, and **Microsoft Authenticator**, but any app that supports the TOTP standard will work. The shared secret shown during setup is all an app needs to produce valid codes, so it should be treated like a password; if a device is lost or the secret may have been exposed, use **Regenerate Secret** on the profile page to issue a new one.



---

### 🛡️ Security Headers

Trusti ships the following security headers:

- X-Frame-Options – Prevent clickjacking by controlling whether the site may be framed (the CSP `frame-ancestors` directive is the modern equivalent)

- X-XSS-Protection – Legacy browser XSS filter; current browsers ignore it, and the filter it enabled in older browsers was itself abused, so `0` (disabled) or omitting it is the safe setting and CSP is the real control

- X-Content-Type-Options – Prevent MIME type sniffing (`nosniff`)

- Strict-Transport-Security (HSTS) – Tell browsers to use HTTPS only; it is honoured only on responses served over HTTPS, and because the directive is cached for `max-age`, enable `includeSubDomains` or `preload` only once every subdomain serves HTTPS

- Content-Security-Policy (CSP) – Control where scripts, styles, frames and other resources may load from; roll it out carefully, since themes and plugins that rely on inline scripts or third-party resources will break under a strict policy

- Referrer-Policy – Control how much referrer information leaves the site

- Permissions-Policy – Control which browser features and APIs (camera, microphone, geolocation, and so on) the page may use

Each header can be individually configured or enabled with recommended defaults.
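A checker a reviewer would run against the headers a site actually returns, as an added example (not plugin code). The two header sets are constructed samples: a default-looking response and the same site after enabling recommended values. The finding codes, thresholds and the `audit_headers` name are the example's own choices; the rules they encode (one-year HSTS, `preload` needing `includeSubDomains`, `'unsafe-inline'` being ignored next to a nonce or hash, X-XSS-Protection being deprecated) are standard.

```python
"""Added example: audit a response's security headers and report weaknesses."""
import re
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000   # one year; also the minimum the preload list accepts


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare on lower-case keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _csp_directive(csp: str, name: str) -> str:
    """Return the value of one CSP directive (e.g. 'script-src'), or '' if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return ""


def audit_headers(raw: Dict[str, str], https: bool = True) -> List[str]:
    """Return finding codes for a response's headers; an empty list means nothing to flag."""
    h = _normalize(raw)
    findings: List[str] = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("xcto-missing")

    csp = h.get("content-security-policy", "")
    # Either the legacy header or the CSP directive must be present to stop framing.
    if "x-frame-options" not in h and not _csp_directive(csp, "frame-ancestors"):
        findings.append("clickjacking-unprotected")

    if not csp:
        findings.append("csp-missing")
    else:
        script = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src")
        # CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
        if "'unsafe-inline'" in script and not re.search(r"'(nonce|sha256|sha384|sha512)-", script):
            findings.append("csp-unsafe-inline-script")

    hsts = h.get("strict-transport-security", "")
    if https:
        if not hsts:
            findings.append("hsts-missing")
        else:
            m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
            if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("hsts-max-age-short")
            if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
                findings.append("hsts-preload-without-subdomains")
    elif hsts:
        findings.append("hsts-ignored-over-http")   # browsers only honour HSTS on HTTPS responses

    if "referrer-policy" not in h:
        findings.append("referrer-policy-missing")

    # X-XSS-Protection is deprecated: modern browsers ignore it and the old filter
    # introduced side channels. '0' (off) or absent is the safe state.
    if not h.get("x-xss-protection", "0").startswith("0"):
        findings.append("x-xss-protection-enabled-deprecated")

    for banner in ("server", "x-powered-by"):
        if banner in h and re.search(r"\d", h[banner]):     # a digit means a version leaked
            findings.append(f"{banner}-version-disclosed")

    return findings


# Constructed sample: roughly what a default install on Apache/PHP might send.
WEAK_HEADERS = {
    "Server": "Apache/2.4.57",
    "X-Powered-By": "PHP/7.4.33",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

# Constructed sample: the same site after enabling recommended defaults.
HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs))
```

Run it after enabling headers in the plugin by pasting the live response headers (from `curl -sI https://yoursite.example/`) into the dictionary; an empty list for the hardened set is the state to aim for.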



---

### 🚨 Notifications

Trusti offers the following notification channels:

- **Email** – Built-in email notifications for all security events
- **Slack** – Real-time alerts in your Slack workspace via an incoming webhook URL
- **Pushover** – Mobile push notifications for instant alerts (Premium)
- **Telegram** – Send notifications to Telegram channels or groups (Premium)
- **Mailgun** – Email delivery via the Mailgun API (Premium)

You can configure notifications for security events including brute force attacks and admin activity; vulnerability scanner and core integrity alerts are Premium features. Treat webhook URLs and API tokens as secrets: anyone who obtains a Slack incoming webhook URL can post to that channel.



---

### 🔍 Vulnerability Scanning

Trusti ships **manual scanning** as the built-in scanning method: you can scan WordPress core, installed themes and the PHP version for known vulnerabilities on demand. Plugin scanning and scheduled scans are Premium features. A scan reports vulnerabilities published for the versions you run; it does not patch anything, so follow a finding with an update or by disabling the affected component.



---

### 🔎 Core Integrity Scanner

Trusti ships **manual scanning** as the built-in scanning method: you can compare WordPress core files against the official checksums WordPress.org publishes for your installed version and locale to find unauthorized modifications. Scheduled scans are a Premium feature. The scanner covers core files only; a malicious plugin, theme or PHP file dropped into uploads is outside its scope, and legitimate caching drop-ins in wp-content (advanced-cache.php, object-cache.php, db.php) are expected to appear as non-core files.



---

### 🏠 Directory Hardening

Trusti ships directory hardening for Apache (and LiteSpeed) servers: you can protect sensitive directories (uploads, wp-includes, wp-content) with .htaccess rules and manage exceptions as needed. nginx and other servers do not read .htaccess files, so on those the rules have no effect and equivalent restrictions (for example, refusing to execute PHP under uploads) must be set in the server configuration.



---

### 🔒 Security Hardening

Trusti ships basic security hardening features including:

- Disable file editor in WordPress admin

- Disable application passwords

- Disable RSS and ATOM feeds

- Hide WordPress version from meta tags, RSS feeds, script and style URLs, admin bar, and other places



─────────────────────────────────────

---

### ⭐ Trusti Premium Features

**Trusti Premium** unlocks advanced security features and automation capabilities:

#### Security Hardening (Premium)

- **Disable user enumeration** – Prevent username discovery through author archives

- **Disable REST API user enumeration** – Restrict REST API user endpoints to logged-in users only, preventing user enumeration via REST API

- **Disable XML-RPC** – Completely disable XML-RPC endpoints

- **Hide login errors** – Prevent username enumeration through login error messages

#### Security Headers (Premium)

- **Hide Server Information** – Remove the X-Powered-By header so the PHP version is not advertised to attackers (the web server's own Server header is set by Apache or nginx and must be trimmed in the server configuration)

#### Vulnerability Scanning (Premium)

- **Automatic scheduled scanning** – Set up daily, weekly, or custom scan schedules

- **Plugin vulnerability scanning** – Scan installed plugins for known security vulnerabilities

#### Core Integrity Scanner (Premium)

- **Automatic scheduled scanning** – Set up daily, weekly, or custom scan schedules for automatic integrity checks

#### Notifications (Premium)

- **Vulnerability Scanner Alerts** – Receive notifications when new vulnerabilities are detected

- **Core Integrity Scanner Alerts** – Receive notifications when core files are modified or corrupted

#### Emergency Access (Premium)

- **Emergency Access** – Secure emergency access functionality that allows administrators to unblock their IP address if accidentally blocked by any security module. Uses a secret string for authentication and logs all emergency access attempts for security monitoring.

---

== Frequently Asked Questions ==



= How do I enable Two-Factor Authentication (2FA) in Trusti? =

Navigate to **Trusti > Two-Factor Authentication** in your admin panel, enable 2FA, and configure which user roles should have 2FA available. Users can then set up 2FA from their profile page using any TOTP-compatible authenticator app (Google Authenticator, Authy, Microsoft Authenticator, or any other TOTP app).



= Can I use Trusti with WordPress multisite? =

Yes. Trusti is fully compatible with WordPress multisite installations and provides network-wide security management. Network administrators can configure security settings that apply to all sites in the network.



= How does Brute Force Protection work? =

Trusti monitors login attempts and automatically blocks IP addresses after a configurable number of failed attempts within a specified time period. You can configure the number of attempts, the time window, and the block duration. Blocked IPs are automatically denied access until the block expires or is manually removed. If your site sits behind a reverse proxy, CDN or load balancer, configure the trusted proxies (see Installation) so that the client address is taken from the forwarded-for header only when it comes from one of those proxies; otherwise every visitor appears to come from the proxy's address, and a forged header would let an attacker dodge a block or get an innocent address blocked.
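The two pieces that a brute force limiter has to get right, as an added example (not the plugin's code): resolving the real client address when only configured proxies may be believed about `X-Forwarded-For`, and a sliding-window counter with a block that expires. The thresholds, the `client_ip`/`BruteForceGuard` names and the addresses in the usage are all assumptions for the illustration; `203.0.113.0/24` and `198.51.100.0/24` are documentation ranges.

```python
"""Added example: proxy-aware client address resolution plus a sliding-window login limiter."""
import ipaddress
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Resolve the client address behind zero or more of our own proxies.

    X-Forwarded-For is trusted only when the TCP peer is a configured proxy, and the
    chain is then walked from the right, skipping trusted hops. A client can put
    anything it likes at the left end of the header; it cannot control the entry our
    proxy appends on the right.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in net for net in trusted)
        except ValueError:
            return False

    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr                       # direct connection: the header is noise
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue                             # one of ours; keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr                   # malformed entry written by a proxy: fall back
    return remote_addr                           # every hop was one of our proxies


class BruteForceGuard:
    """Block an address after `max_attempts` failures within `window_seconds`."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 900, block_seconds: int = 3600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.block_seconds = block_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]          # block expired; forget it
            return False
        return True

    def record_failure(self, ip: str, now: Optional[float] = None) -> bool:
        """Record one failed login; return True if this failure triggered a block."""
        now = time.time() if now is None else now
        q = self._failures[ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._blocked_until[ip] = now + self.block_seconds
            q.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)

    def unblock(self, ip: str) -> None:
        """Manual removal, e.g. by an administrator or an emergency-access procedure."""
        self._blocked_until.pop(ip, None)


def failed_login(guard: BruteForceGuard, remote_addr: str, xff: Optional[str],
                 proxies: List[str], now: float) -> str:
    """Resolve the client, count the failure, and return the address that was counted."""
    ip = client_ip(remote_addr, xff, proxies)
    guard.record_failure(ip, now)
    return ip


if __name__ == "__main__":
    g = BruteForceGuard(max_attempts=3, window_seconds=60, block_seconds=300)
    # Direct client forging a different X-Forwarded-For on each try: the peer is not a
    # trusted proxy, so the header is ignored and the real address is what gets counted.
    for i in range(3):
        failed_login(g, "203.0.113.5", f"198.51.100.{i}", ["10.0.0.0/8"], now=i * 10.0)
    print(g.is_blocked("203.0.113.5", now=30.0))   # True
```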



= What security headers does Trusti provide? =

Trusti provides comprehensive security headers including X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), Referrer-Policy, and Permissions-Policy. Each header can be individually configured or enabled with recommended defaults.



= How do I unblock my IP if I'm accidentally locked out? =

**Method 1 (Premium - Recommended by the plugin):** With **Trusti Premium**, you can use the **Emergency Access** feature by visiting your site with the emergency access secret string. The emergency access URL format is: `yoursite.com/?emergency=your-secret-string`. The secret travels in the query string, so it can be recorded in server, proxy and browser-history logs: use a long random string, send it over HTTPS only, and change it if you suspect it has been seen. All emergency access attempts are logged.

**Method 2 (All users - Alternative):** Alternatively, define the `TRUSTI_EMERGENCY` constant in your `wp-config.php` file to unblock a specific IP address: `define( 'TRUSTI_EMERGENCY', 'YOUR_IP_ADDRESS' );`. This requires file access to the server, but no secret ever crosses the network.

**Important:** After unblocking your IP, remove the `TRUSTI_EMERGENCY` constant from `wp-config.php`; while it is defined, that address stays exempt from blocking. The premium method is the convenient option when you have no file access; treat both as break-glass procedures rather than everyday tools.



= Does Trusti slow down my website? =

No. Trusti is designed to add little overhead: injecting security headers and checking the blocked-IP list are cheap per-request operations. The features that make network requests (Have I Been Pwned lookups during login, vulnerability and integrity scans that call external APIs) run only at login or when a scan is triggered, not on every page view.



= Can I customize which security events trigger notifications? =

Yes. Trusti offers granular control over which security events trigger notifications and which channels are used. You can configure notifications for login failures, IP blocks and admin activity; vulnerability detection and core file modification alerts require **Trusti Premium**. Each notification type can be enabled or disabled independently.



= How often should I run security scans? =

We recommend running vulnerability scans weekly and integrity scans daily for maximum protection. With **Trusti Premium**, you can configure automatic scanning schedules that run scans in the background without manual intervention.

= How does the Core Integrity Scanner work? =

The Core Integrity Scanner compares your WordPress core files against the official WordPress checksums for your installed version and locale to detect unauthorized modifications. It can identify files that have been changed, added, or deleted, helping you detect potential security compromises or malware infections. Known caching drop-ins in wp-content (advanced-cache.php, object-cache.php, db.php) are flagged with a hint so they are not mistaken for malware; any other unknown PHP file under wp-admin or wp-includes deserves a look, and since 1.0.2 direct web access to unknown files can be blocked via .htaccess on Apache/LiteSpeed.
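The comparison the scanner performs, as an added example rather than the plugin's code. The checksum map is the shape `api.wordpress.org/core/checksums` returns (relative path to MD5), but here a miniature install and its "official" checksums are constructed in a temporary directory so the example runs offline; the tampered, missing and unknown files and the `scan_core` name are assumptions for the illustration.

```python
"""Added example: compare an install tree against a path -> md5 map and classify the differences."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# WordPress never ships these, but caching plugins legitimately place them in wp-content.
# Report them separately instead of as suspicious unknown files.
KNOWN_DROPINS = {
    "wp-content/advanced-cache.php",
    "wp-content/object-cache.php",
    "wp-content/db.php",
}


def md5_file(path: str) -> str:
    # MD5 is what the WordPress checksum list publishes; it is used here only to
    # compare against a trusted list, not as a password or signature primitive.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_core(root: str, checksums: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'modified', 'missing', 'unknown', 'dropins'} lists of relative paths."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unknown": [], "dropins": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel in checksums:
                if md5_file(full) != checksums[rel]:
                    report["modified"].append(rel)
            elif rel in KNOWN_DROPINS:
                report["dropins"].append(rel)
            elif rel.startswith("wp-content/"):
                continue            # themes, plugins, uploads: outside the core checksum list
            else:
                report["unknown"].append(rel)   # a file in a core directory that core never shipped
    report["missing"] = [p for p in checksums if p not in seen]
    for key in report:
        report[key].sort()
    return report


def looks_compromised(report: Dict[str, List[str]]) -> bool:
    """Modified or unknown core files are the signals worth alerting on."""
    return bool(report["modified"] or report["unknown"])


def build_sample_site() -> Tuple[str, Dict[str, str]]:
    """Construct a miniature install in a temp dir and the checksum map it should match.

    Entirely made up for the example; real installs have thousands of entries.
    """
    expected = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-login.php": b"<?php // login form\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.9';\n",
    }
    checksums = {path: hashlib.md5(data).hexdigest() for path, data in expected.items()}
    on_disk = dict(expected)
    on_disk["wp-includes/version.php"] += b"/* tampered */\n"           # modified core file
    on_disk["wp-admin/maint-helper.php"] = b"<?php // not part of core\n"  # unknown file in a core dir
    on_disk["wp-content/advanced-cache.php"] = b"<?php // caching drop-in\n"
    on_disk["wp-content/uploads/2024/photo.jpg"] = b"\xff\xd8\xff"     # site content, ignored
    del on_disk["wp-login.php"]                                          # deleted core file
    root = tempfile.mkdtemp(prefix="wpcore-")
    for rel, data in on_disk.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root, checksums


if __name__ == "__main__":
    root, sums = build_sample_site()
    result = scan_core(root, sums)
    print(result)
    print("compromised:", looks_compromised(result))
```

On a real site the checksum map comes from WordPress.org for the exact version and locale you run; comparing against the wrong locale produces a wall of false "modified" translations files.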


---

== Installation ==



= To install =

* Download the Trusti plugin file.

* Unzip the file into a folder on your hard drive.

* Upload the /trusti/ folder to the /wp-content/plugins/ folder on your site.

* Visit your Dashboard → Plugins and activate it there.



= To set up and configure Trusti =

1. Navigate to **Trusti > Dashboard** in your WordPress admin.

2. Review your security status and recommendations.

3. Enable all recommended security features from the **Recommendations** tab to get the best protection.

4. (Optional) Configure additional features:
   - Set up notifications for security events
   - Configure IP blocking and trusted proxies
   - Configure user agent blocking rules
   - Enable directory hardening for sensitive directories
   - Run initial security scans (vulnerability scan and core integrity scan)



---

== External services ==

This plugin connects to several third-party services to provide security features. All external connections are clearly documented below with information about what data is sent, when it is sent, and links to each service's terms of service and privacy policy.

* **Freemius** (freemius.com) manages upgrades to the premium license and handles premium licensing. This service is used when users purchase or manage premium licenses. No user data is sent to Freemius except license information. Terms of service: https://freemius.com/terms/ | Privacy policy: https://freemius.com/privacy/

* **WordPress.org API** (api.wordpress.org) is used to fetch WordPress core checksums for integrity scanning and to check for plugin/theme vulnerabilities. This service is used during manual or scheduled integrity scans. Only the WordPress version number and locale are sent. The check is performed when users run integrity scans or when scheduled scans are executed (premium feature). Terms of service: https://wordpress.org/about/terms/ | Privacy policy: https://wordpress.org/about/privacy/

* **WPVulnerability API** (www.wpvulnerability.com and www.wpvulnerability.net) is used to check for known vulnerabilities in WordPress core, plugins, themes, and PHP version. This service is used during manual or scheduled vulnerability scans. Only version numbers (WordPress version, plugin slugs, theme slugs, PHP version) are sent - no user data or site information is transmitted. The check is performed when users run vulnerability scans or when scheduled scans are executed (premium feature). Terms of service: https://www.wpvulnerability.net/terms/ | Privacy policy: https://www.wpvulnerability.com/privacy/ and https://www.wpvulnerability.net/privacy/

* **QR Server API** (api.qrserver.com) is used to generate QR codes for Two-Factor Authentication setup. This service is used when users set up 2FA from their profile page. The 2FA secret key (encoded in the QR code URL) is sent so the service can render the image; nothing else about the user is included. Be aware that this secret is all an authenticator needs to produce valid codes, so anyone able to read the request (the service, an intercepting proxy, a request log) could generate codes for that account. Users who suspect exposure can issue a fresh secret with **Regenerate Secret** on their profile page. The request is made when a user views the 2FA setup page. Terms of service: https://goqr.me/terms/ | Privacy policy: https://goqr.me/privacy/

* **Have I Been Pwned Pwned Passwords API** (api.pwnedpasswords.com) is used by Pwned Password Detection to check whether a password appears in known breaches. The API's range endpoint accepts only the first five hexadecimal characters of the password's SHA-1 hash (k-anonymity), so the password itself and its full hash do not have to leave the site. Privacy policy: https://haveibeenpwned.com/Privacy

* **Slack API** (hooks.slack.com) is used to send notifications to Slack channels when Slack notifications are enabled. This service is used to send security alerts and notifications. Notification content (alert type, message, site name, timestamp) is sent to the user's configured Slack webhook URL. Notifications are sent when configured security events occur (brute force attacks, IP blocks, vulnerability detections, etc.). Terms of service: https://slack.com/terms-of-service | Privacy policy: https://slack.com/privacy-policy

* **Pushover API** (api.pushover.net) is used to send push notifications when Pushover notifications are enabled (premium feature). This service is used to send security alerts and notifications. Notification content (alert type, message, site name, timestamp) is sent to Pushover. Notifications are sent when configured security events occur (brute force attacks, IP blocks, vulnerability detections, etc.). Terms of service: https://pushover.net/api#terms | Privacy policy: https://pushover.net/privacy

* **Telegram API** (api.telegram.org) is used to send notifications to Telegram channels or groups when Telegram notifications are enabled (premium feature). This service is used to send security alerts and notifications. Notification content (alert type, message, site name, timestamp) is sent to Telegram. Notifications are sent when configured security events occur (brute force attacks, IP blocks, vulnerability detections, etc.). Terms of service: https://telegram.org/tos | Privacy policy: https://telegram.org/privacy

* **Mailgun API** (api.mailgun.net) is used to send email notifications via Mailgun when Mailgun notifications are enabled (premium feature). This service is used to send security alerts and notifications via email. Email content (subject, body, recipient addresses, sender address) is sent to Mailgun. Emails are sent when configured security events occur (brute force attacks, IP blocks, vulnerability detections, etc.). Terms of service: https://www.mailgun.com/terms/ | Privacy policy: https://www.mailgun.com/privacy-policy/
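How a k-anonymity breach check keeps the password on the site, as an added example for the Pwned Password Detection feature listed under Key features (this is not the plugin's code). The range response is a constructed sample in the format the API returns (`SUFFIX:COUNT` lines); the count shown for the sample suffix and the `breach_count` name are made up for the illustration, and `fetch_range_live` is included to show the real call but is never invoked here.

```python
"""Added example: Pwned Passwords k-anonymity lookup with an offline stand-in for the API."""
import hashlib
from typing import Callable, Dict, List, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint; not contacted in this example


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; with Add-Padding the API also returns zero-count filler."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach occurrences for `password`, or 0 if it is not in the range response."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)          # only the prefix leaves the site
    return parse_range_response(body).get(suffix, 0)


def fetch_range_live(prefix: str, timeout: float = 5.0) -> str:
    """The real request (not used in the test); Add-Padding hides which prefix sizes are queried."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-checker"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


class FakeRangeApi:
    """Offline stand-in that records every prefix it is asked for.

    SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the constructed
    response for prefix 5BAA6 carries that suffix; the count is invented for the example.
    """

    SAMPLE_5BAA6 = (
        "1E2F6B0C6A9D2F1F3C0E0B1F2A3B4C5D6E7F8A9:0\n"          # padding entry
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"        # suffix for "password"
        "1F2E3D4C5B6A79887766554433221100AAB:2\n"
    )

    def __init__(self) -> None:
        self.requested: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.requested.append(prefix)
        if prefix == "5BAA6":
            return self.SAMPLE_5BAA6
        return "0000000000000000000000000000000000A:0\n"           # nothing matching for other prefixes


if __name__ == "__main__":
    api = FakeRangeApi()
    print(breach_count("password", api))   # 3861493 from the constructed sample
    print(api.requested)                   # ['5BAA6']: the API never saw the password or full hash
```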



== Changelog ==



= 1.0.4 =

* Fixed: Multisite – Blocked IPs Manager now consistently uses the correct (network-wide) blocked IPs table; resolves "expired" ghost entries and deletion inconsistencies when TRUSTI_EMERGENCY is defined

* Fixed: Emergency Access – "Emergency access string is required" error no longer appears when a string is already saved; the password field now visually shows masked characters (bullets) to indicate an existing string, clears on focus for entering a new value, and preserves the stored encrypted string when left unchanged


= 1.0.3 =

* Fixed: Emergency Access – Emergency Access String is never displayed after saving (stored encrypted; input is always empty/masked)

* Fixed: Multisite – Plugin "Settings" action link now points to Network Admin (added network admin action-links hook and uses multisite-aware admin URL helper)


= 1.0.2 =

* New: Security Hardening – Restrict REST API media endpoints to logged-in users only (optional, Pro)

* New: Core Integrity Scanner – Option to block direct web access to "Unknown Files" via .htaccess (Apache/LiteSpeed only); automatically syncs rules after scans and after Ignore/Delete actions

* Improved: Core Integrity Scanner – Added hint for common caching drop-ins (advanced-cache.php, object-cache.php, db.php) to reduce false alarms


= 1.0.1 =

* New: Force HTTPS Redirect – Automatically redirect all HTTP traffic to HTTPS with a 301 permanent redirect (Premium)

* New: HTTP Strict Transport Security (HSTS) in Security Headers – Configure max-age, includeSubDomains, and optional preload with in-admin guidance; requires HTTPS Site URL (Premium)

* New: Load Defaults button for User Agent block list – Quickly restore the default user agent patterns with one click

* New: Two-Factor Authentication – Regenerate Secret on your profile to issue a new TOTP secret and QR code (e.g. new device or after moving the database to another environment)

* New: Security Hardening – Restrict REST API media endpoints to logged-in users only (optional, Pro); blocks unauthenticated access to `/wp/v2/media` routes alongside existing user-endpoint protection

* Improved: Nonce verification for login-related modules (Pwned Passwords, Brute Force Protection, 2FA) now uses inline checks for better compatibility with security scanners

* Improved: Added WordPress core login nonce (log-in) verification for standard login form support

* Improved: Regenerate Secret confirmation now appears before the new 2FA secret is applied, so you can cancel safely

* Fixed: Removed unprefixed wp_ajax_install-plugin hook from Admin Activity Log (plugin installation logging already covered by upgrader hooks)

* Updated: Freemius SDK updated from 2.12.0 to 2.13.0 for improved stability and security



= 0.0.1 - Initial Release =

* Initial release of Trusti WordPress Security Suite

* Two-Factor Authentication (2FA) with TOTP support (Google Authenticator, Authy, Microsoft Authenticator, and any TOTP-compatible app)

* Custom Admin URL masking and security

* Brute Force Protection with configurable thresholds and automatic IP blocking

* Security Headers management (X-Frame-Options, X-XSS-Protection, HSTS, CSP, Referrer-Policy, Permissions-Policy)

* User Agent filtering and blocking with configurable user agent patterns

* XML-RPC protection and hardening

* Pwned Password detection using Have I Been Pwned API

* Vulnerability Scanner for WordPress core, plugins, and themes

* Core Integrity Scanner for file modification detection with checksum verification

* Admin Activity Logging with comprehensive audit trail

* Emergency Access functionality for IP unblocking (premium)

* Multi-channel notifications (Email free, Slack, Pushover, Telegram, and Mailgun premium)

* IP Blocking with manual and automatic management

* Directory Hardening with .htaccess rules and exception management

* Comprehensive security logging with configurable retention

* PHP 7.4+ support

* Multisite support with network-wide security management
