== WPress Zone ==
Author: ModulesPanel
Author URI: https://modulespanel.com
Version: 1.0.0
Requires at least: 5.8
Tested up to: 6.7
Requires PHP: 7.4
License: Proprietary

== Description ==

WPress Zone connects your WordPress site to your monitoring dashboard and keeps it under continuous watch. Every 5 minutes it collects site health data, runs security scans, and reports back — so you can spot problems before your visitors do.

It is designed to work as the on-site agent for a self-hosted or SaaS monitoring dashboard. Once installed and configured with your dashboard's endpoint and secret key, everything runs automatically in the background with no ongoing setup required.

== Features ==

= Site Metrics =
- WordPress version, PHP version, database version
- Active theme name and version
- Plugin counts (total, active, outdated)
- Theme counts
- Memory limit, WP_DEBUG state, timezone, permalink structure
- Multisite detection, site language
- WordPress core update status (checks WordPress.org API once per day, cached)

= Plugin & Theme Tracking =
- Full list of installed plugins with current version, latest version, active status, and update availability
- Full list of installed themes with current version, latest version, active status, and update availability
- Automatic cache invalidation when plugins are installed, updated, activated, or deactivated

= Security Scans =
- PHP and executable file detection in the uploads directory
- Heuristic malicious code detection across WordPress files
- WordPress core checksum verification against the official WordPress.org checksums API
- File change detection: new files, modified files (MD5 hash comparison), with fallback to mtime
- Plugin installation detection (groups bulk new files into a single install event)
- Plugin upgrade/downgrade detection with old and new version numbers
- Theme installation detection
- Writable directory audit (flags wp-admin, wp-includes, plugins, themes, root, wp-config.php if writable)
- Exposed .git folder detection

= Server Health =
- CPU usage percentage (via load average and core count)
- Memory usage percentage
- Disk usage percentage
- 1-minute load average
- WordPress Site Health score (good / recommended / critical), using WordPress's native test suite

= One-Click Admin Login (SSO) =
- JWT-based Single Sign-On lets your monitoring dashboard log in to WordPress admin with one click
- Tokens are single-use (replay protection via transient) and validated with HS256
- SSO can be enabled or disabled from plugin settings
- Supports both pretty permalink and query string URL formats

= Reliability =
- All scans run on WP-Cron every 5 minutes with per-job throttling to prevent overlapping runs
- File change results are batched (up to 1,000 files per request) to avoid large payloads
- First scan silently establishes a baseline — no false "new file" alerts on initial install
- Cron jobs are cleanly unscheduled on plugin deactivation

== Requirements ==

- WordPress 5.8 or higher
- PHP 7.4 or higher
- A monitoring dashboard that accepts the WPress Zone REST API payload format

== Installation ==

1. Upload the wpress-zone folder to /wp-content/plugins/
2. Activate the plugin through the Plugins menu in WordPress admin
3. Go to Settings > WPress Zone
4. Enter your monitoring dashboard endpoint URL and secret key
5. Click "Test Connection" to verify the connection
6. Click "Send Now" to push an initial data snapshot

The plugin will then run automatically on its 5-minute cron schedule.

== Configuration ==

All settings are managed under Settings > WPress Zone:

- **Endpoint URL** — the URL of your monitoring dashboard that receives data
- **Secret Key** — shared secret used to sign outbound requests and validate SSO tokens
- **SSO** — enable or disable one-click login from your dashboard

== Frequently Asked Questions ==

= Does this plugin work without a monitoring dashboard? =
No. This plugin is the on-site agent component. It requires a compatible monitoring dashboard to send data to.

= How often does data get sent? =
Every 5 minutes, controlled by WP-Cron. Each job has individual throttle logic to prevent duplicate runs.

= Is the SSO login secure? =
Yes. Tokens are signed with HS256, validated on each request, and are single-use. Once a token is consumed, it cannot be replayed within a 5-minute window.
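
The checks this answer describes (HS256 signature, single use, 5-minute replay window), as an added example that is not the plugin's own code. The claim names `jti` and `exp`, the function names, and the in-memory `$seen` array standing in for a WordPress transient are assumptions; the secret and tokens are constructed demo values.

```php
<?php
// Added example, not the plugin's code. Claim names (jti, exp) and the in-memory
// $seen array (standing in for a WordPress transient) are assumptions.
const REPLAY_WINDOW = 300; // seconds, from the readme's 5-minute window

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    $s = str_pad(strtr($s, '-_', '+/'), strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    $raw = base64_decode($s, true);
    return $raw === false ? '' : $raw;
}

// Returns [bool accepted, string reason]; $seen maps jti => record expiry time.
function verify_sso_token(string $jwt, string $secret, array &$seen, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return [false, 'malformed'];
    [$h64, $p64, $s64] = $parts;
    $header = json_decode(b64url_decode($h64), true);
    // Pin the algorithm; the token must not get to choose it.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') return [false, 'bad alg'];
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    // hash_equals compares in constant time.
    if (!hash_equals($expected, b64url_decode($s64))) return [false, 'bad signature'];
    $claims = json_decode(b64url_decode($p64), true);
    if (!is_array($claims) || !is_string($claims['jti'] ?? null) || !is_int($claims['exp'] ?? null)) {
        return [false, 'missing jti/exp'];
    }
    if ($claims['exp'] <= $now) return [false, 'expired'];
    // A token that outlives its replay record could be reused once the record expires.
    if ($claims['exp'] - $now > REPLAY_WINDOW) return [false, 'lifetime exceeds replay window'];
    if (($seen[$claims['jti']] ?? 0) > $now) return [false, 'replayed'];
    $seen[$claims['jti']] = $now + REPLAY_WINDOW; // consume the token
    return [true, 'ok'];
}

// Constructed demo values, not real credentials.
$secret = 'constructed-demo-secret';
$now = 1700000000;
$mint = function (array $claims, string $alg = 'HS256') use ($secret): string {
    $h = b64url_encode(json_encode(['alg' => $alg, 'typ' => 'JWT']));
    $p = b64url_encode(json_encode($claims));
    return "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
};
$seen = [];
$token = $mint(['sub' => 'admin', 'jti' => 'a1', 'exp' => $now + 60]);
foreach ([$token, $token, $mint(['jti' => 'a2', 'exp' => $now + 3600]),
          $mint(['jti' => 'a3', 'exp' => $now + 60], 'none')] as $t) {
    echo verify_sso_token($t, $secret, $seen, $now)[1], PHP_EOL;
}
```

With WordPress transients as the store, the read-then-write on the `jti` record is not atomic, so two simultaneous requests carrying the same token need an atomic insert or a lock to stay single-use.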

= Will the file scan slow down my site? =
The file change scan runs in the background via WP-Cron, not during page loads. Large files (>5MB) and binary files are skipped. Directories like wp-admin, wp-includes, and vendor are excluded.

= What happens on the first scan after activation? =
The first file change scan silently builds a baseline. No files are reported as new or modified until the second scan, preventing false alerts.
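
A sketch of the baseline-then-compare scan described in this answer and the previous one, as an added example that is not the plugin's own code. The function names, the fingerprint format, and the rule "fall back to mtime when a file cannot be hashed" are assumptions; the binary-file skip is not modelled, and the demo tree is constructed in a temporary directory.

```php
<?php
// Added example, not the plugin's code. The fingerprint format and the rule
// "use mtime when the file cannot be hashed" are assumptions.
const MAX_BYTES = 5 * 1024 * 1024;                       // readme: files >5MB are skipped
const EXCLUDED  = ['wp-admin', 'wp-includes', 'vendor']; // readme: excluded directories

// Map of relative path => fingerprint for every scanned file under $root.
function snapshot(string $root): array {
    $dirs = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    $keep = new RecursiveCallbackFilterIterator($dirs, function ($f) {
        return !($f->isDir() && in_array($f->getFilename(), EXCLUDED, true));
    });
    $out = [];
    foreach (new RecursiveIteratorIterator($keep) as $f) {
        if (!$f->isFile() || $f->getSize() > MAX_BYTES) continue;
        $hash = @md5_file($f->getPathname());
        $rel  = substr($f->getPathname(), strlen($root) + 1);
        $out[$rel] = $hash !== false ? "md5:$hash" : 'mtime:' . $f->getMTime();
    }
    ksort($out);
    return $out;
}

// $baseline === null means "first scan": record state, report nothing.
function diff_scan(?array $baseline, array $current): array {
    $report = ['new' => [], 'modified' => []];
    if ($baseline === null) return $report;
    foreach ($current as $path => $fp) {
        if (!isset($baseline[$path])) $report['new'][] = $path;
        elseif ($baseline[$path] !== $fp) $report['modified'][] = $path;
    }
    return $report;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . '/wpz-demo-' . bin2hex(random_bytes(4));
mkdir("$root/vendor", 0777, true);
file_put_contents("$root/index.php", "<?php // v1\n");
file_put_contents("$root/vendor/lib.php", "<?php\n");
$baseline = snapshot($root);
print_r(diff_scan(null, $baseline));             // first scan
file_put_contents("$root/index.php", "<?php // v2\n");
file_put_contents("$root/new.php", "<?php\n");
file_put_contents("$root/vendor/added.php", "<?php\n");
print_r(diff_scan($baseline, snapshot($root)));  // second scan
```

Anything already on disk when the baseline is taken is recorded as known-good, and files under excluded directories never appear in a report.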

= Does this plugin store any data externally? =
The plugin sends site data to the endpoint URL you configure in settings. No data is sent to any third-party service by this plugin itself.

== Changelog ==

= 1.0.0 =
* Initial release
