=== WF Sentinel - Ultimate WordPress Security ===
Contributors: webbfabriken
Tags: security, firewall, waf, brute force, login protection, threat intelligence
Requires at least: 5.6
Tested up to: 6.7
Requires PHP: 8.0
Stable tag: 3.9.13
License: Proprietary - see LICENSE.txt
License URI: https://wfsecuritycloud.com/wf-sentinel/license

Enterprise-grade firewall and brute-force protection, powered by a global
threat-intelligence network. Free to install on any WordPress site.

== Description ==

**WF Sentinel** is a battle-tested security plugin built and maintained by
Webbfabriken AB ("Sveriges säkraste webbyrå" — Sweden's most secure web
agency). The same security engine powers thousands of customer sites
operated by Webbfabriken.

We give the plugin away for free because every blocked attack on your site
helps improve the threat-intelligence we deliver to every other site
running WF Sentinel. Your data protects everyone — and the global network
protects you back.

= Features =

*   **Web Application Firewall (WAF)** with hundreds of rules covering
    SQL-injection, XSS, RCE, RFI, LFI, SSRF, XXE, NoSQL injection,
    template injection, command injection and more.
*   **Brute-force protection** for `/wp-login.php`, XML-RPC, and
    application-password endpoints. Lock out attackers after configurable
    failed-attempt thresholds.
*   **Cloud threat intelligence** — fetches updated rule sets and known-bad
    IP lists from WF SecurityCloud (modern API) and WFSecAPI (legacy API)
    with automatic fallback.
*   **Plugin-aware false-positive suppression** — auto-detects WooCommerce,
    Contact Form 7, Gravity Forms, WPForms, Elementor, Jetpack, WPGraphQL
    etc., and silences rules that commonly false-positive on those plugins.
*   **AI-scraper blocking** with built-in lists for GPTBot, ClaudeBot,
    Google-Extended, Bytespider, CCBot and many more.
*   **Search-engine whitelisting** with DNS reverse-lookup verification
    so Googlebot, Bingbot, etc. are never blocked.
*   **Multi-tier cache** — APCu, file, and WordPress transients for
    minimal request overhead.
*   **Emergency unblock** via signed URL parameter (lets you in even if
    you accidentally lock yourself out).
*   **Pause protection** toggle for maintenance windows.
*   **Block preview** page so you can preview the visitor's blocked screen.
*   **Security scan** dashboard checking core integrity, file
    permissions, exposed files, weak passwords and more.
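
The DNS reverse-lookup verification named under search-engine whitelisting is commonly done as forward-confirmed reverse DNS, sketched below. This is an added Python example, not WF Sentinel's own code; the suffix list, the function names and the DNS records are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumed suffix list for this example; not taken from the plugin.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

def _ptr(ip):
    """Reverse lookup (IP -> hostname); None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward(host):
    """Forward lookup (hostname -> set of address strings)."""
    try:
        return {i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_crawler(ip, user_agent, ptr=_ptr, forward=_forward):
    """Return the crawler name only when the User-Agent claim is DNS-confirmed."""
    ua = user_agent.lower()
    claimed = next((n for n in CRAWLER_SUFFIXES if n in ua), None)
    if claimed is None:
        return None                      # UA does not claim a known crawler
    host = (ptr(ip) or "").rstrip(".").lower()
    if not host.endswith(CRAWLER_SUFFIXES[claimed]):
        return None                      # no PTR, or PTR outside crawler's domain
    want = ipaddress.ip_address(ip)
    # The PTR zone belongs to whoever owns the IP, so it proves nothing alone:
    # the name must resolve back to the same address.
    if any(ipaddress.ip_address(a) == want for a in forward(host)):
        return claimed
    return None

# Constructed DNS data (documentation address ranges), so the demo runs offline.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
       "198.51.100.7": "crawl-192-0-2-10.googlebot.com.",   # forged PTR
       "203.0.113.5": "googlebot.com.host.example."}
FWD = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    return [verify_crawler(ip, UA, PTR.get, lambda h: FWD.get(h, set()))
            for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99")]

if __name__ == "__main__":
    print(demo())
```

Only the first address is accepted: the second has a PTR record pointing into the crawler's domain that does not resolve back to it, the third embeds the crawler's domain as a prefix of another zone, and the fourth has no PTR record at all.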

= Free, but not "open source" =

WF Sentinel is provided free of charge for use on any WordPress site, but
it is NOT licensed under the GPL. You may not redistribute the code,
create derivatives, or reuse the source in another product. See
LICENSE.txt bundled with the plugin for full terms.

= Privacy =

When the plugin blocks a request it shares the attacker's IP and the
attack category (e.g. "SQL-INJECTION", "BRUTEFORCE") with Webbfabriken's
threat-intelligence services so we can update everyone else's protection.
We do NOT transmit form data, cookies, usernames, session content, or
any personal data of your legitimate visitors.

You can disable individual reporters in `config.php`, but doing so removes
you from the shared network and may reduce the protection you receive.

== Installation ==

1.  Upload the `wf-sentinel` folder to `/wp-content/plugins/`, OR
    upload the zip via *Plugins → Add New → Upload Plugin*.
2.  Activate **WF Sentinel** through the *Plugins* menu in WordPress.
3.  Go to **WF Security** in the WordPress admin sidebar to review the
    dashboard. Protection is enabled by default — no configuration is
    required for typical sites.

= Recommended next steps =

*   Visit *WF Security → Whitelist & Exclusions* to whitelist your office IP.
*   Set an *Admin email* under *Settings* to receive notifications about
    serious blocks.
*   Click *Block Preview* to see exactly what a blocked visitor sees,
    and customize the message if desired.

== Frequently Asked Questions ==

= Will this slow my site down? =

No. The plugin uses APCu (when available) or file-based cache so the
typical request overhead is well under 1 millisecond. Pre-WordPress
block checks are file-only and never hit the database.

= I'm locked out of my own site, what do I do? =

Use the emergency unblock URL printed in
`wp-content/plugins/wf-sentinel/cache/blocks/`. Each block file contains a
token-based unblock link, or you can simply delete the `.block` file
matching your IP hash. If you have shell access you can also
`touch wp-content/plugins/wf-sentinel/.disable` to fully disable the plugin
without deactivating it.

= Does WF Sentinel work with my page builder / shop plugin? =

Yes. The plugin detects WooCommerce, Elementor, Divi, Contact Form 7,
Gravity Forms, WPForms, Jetpack, WPGraphQL and many others, and
automatically suppresses WAF rules that are known to false-positive on
them. False positives can be reported to support@webbfabriken.com.

= What does Webbfabriken do with my data? =

Only blocked-IP intelligence (IP, attack category, request URL/method/UA,
site-domain hash) is transmitted, and only to our own threat-intel APIs.
This data drives the global blocklist that every site running WF Sentinel
benefits from. We do not sell or share this data with third parties.

== Changelog ==

= 3.9.13 =
* Initial public release of WF Sentinel.
* Adapted from Webbfabriken's internal security platform with battle-tested
  WAF rules and false-positive suppressions.
* WF Central management integration removed for free-tier customer use.

== Upgrade Notice ==

= 3.9.13 =
First public release.
