Releases: reportedip/reportedip-hive

ReportedIP Hive 2.1.20

25 Jun 21:32

Fixed

  • WAF Extended Protection now shows nginx setup instructions. An nginx +
    PHP-FPM stack is reported by PHP as the fpm SAPI, so Hive treated it as
    fully auto-managed (via .user.ini) and hid the manual snippets — leaving
    nginx operators without instructions when the auto-written .user.ini did
    not take effect (the common case when user_ini.filename is disabled or the
    document root is not the scan path). When the auto-written directive is not
    yet running, the Server Setup tab now surfaces the manual options — the
    php.ini / PHP-FPM-pool line (php_admin_value[auto_prepend_file]) and the
    nginx fastcgi_param PHP_VALUE "auto_prepend_file=…" server block — and the
    WAF tab links to them.

ReportedIP Hive 2.1.19

25 Jun 20:44

Fixed

  • Hidden login no longer breaks on trailing-slash sites. The login form
    action was generated as …/<slug> without a trailing slash. On a site whose
    permalinks use trailing slashes — and whose web server enforces them (common
    on nginx) — a POST to /<slug> is answered with a 301 redirect to /<slug>/,
    which the browser replays as a GET and silently drops the credentials. Sign-in
    then appeared to do nothing. The login URL now follows the site's permalink
    convention (user_trailingslashit()), so the form posts straight to /<slug>/
    and no redirect happens. Sites without trailing-slash permalinks are unchanged.
  • Hidden login no longer breaks behind a page cache (WP Rocket & co.).
    With "Hide login" active, the custom login slug is an ordinary URL, so
    page-cache plugins happily cached it. A cached login page is served as static
    HTML without PHP running, so wp-login.php never set the wordpress_test_cookie
    — the next sign-in then failed the cookie handshake ("Cookies are blocked…")
    and the login appeared to do nothing. The served login page now opts out of
    every known page cache: it defines the DONOTCACHE* constants and sends
    no-store / LiteSpeed bypass headers before rendering (covers WP Rocket, W3 Total
    Cache, WP Super Cache, WP Fastest Cache, Comet Cache, Cache Enabler, Hummingbird
    and LiteSpeed Cache), and the slug is also added to WP Rocket's never-cache URL
    list so a copy cannot be served from advanced-cache.php before init.

ReportedIP Hive 2.1.18

22 Jun 19:17

Fixed

  • "API health degraded" no longer sticks forever after a one-off outage.
    The API success rate was a lifetime cumulative counter with no reset, so a
    single bad spell (e.g. a burst of failed calls) pinned the rate low for good
    and the dashboard kept reporting "degraded" long after the API had recovered.
    Health is now measured over a rolling window of the most recent calls (last 50
    within 7 days), so the metric reflects current behaviour and recovers on its
    own within a window's worth of successful calls. Lifetime usage counters are
    kept for the "Total API calls" figure and the monthly estimate.
  • A runaway loop can no longer flood the security log. Repeated
    api_call_failed entries are now throttled per error type (at most one per
    minute), so a failure burst is summarised instead of writing tens of thousands
    of rows.
  • API statistics are written in UTC (last_reset), matching the plugin-wide
    datetime convention.
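
A minimal model of the first two fixes above, added here as a Python illustration (not the plugin's own code): it compares the lifetime success rate with the rolling one and applies the per-error-type log throttle. The class and method names, the `http_503` error type and treating an empty window as healthy are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW_CALLS = 50                    # "last 50" from the release note
WINDOW_AGE = timedelta(days=7)       # "within 7 days"
LOG_INTERVAL = timedelta(minutes=1)  # one api_call_failed row per error type per minute


class ApiHealth:
    def __init__(self):
        self.total = self.total_ok = 0            # lifetime counters, kept for usage figures
        self.recent = deque(maxlen=WINDOW_CALLS)  # (timestamp, ok) for the newest calls
        self.last_logged = {}                     # error type -> time of last log row
        self.log_rows = []

    def record(self, at, ok, error_type=None):
        self.total += 1
        self.total_ok += int(ok)
        self.recent.append((at, ok))
        if not ok:
            last = self.last_logged.get(error_type)
            if last is None or at - last >= LOG_INTERVAL:  # throttle per error type
                self.last_logged[error_type] = at
                self.log_rows.append((at, "api_call_failed", error_type))

    def lifetime_rate(self):
        """Old metric: cumulative, so one bad spell drags it down permanently."""
        return self.total_ok / self.total if self.total else 1.0

    def rolling_rate(self, now):
        """New metric: newest 50 calls, ignoring any older than 7 days."""
        window = [ok for at, ok in self.recent if at >= now - WINDOW_AGE]
        return sum(window) / len(window) if window else 1.0  # empty window: assumed healthy


def simulate():
    """Constructed scenario: 10,000 failures in 100 seconds, then 50 good calls."""
    health, start = ApiHealth(), datetime(2024, 1, 15, 12, 0, 0)
    for i in range(10_000):
        # "http_503" is a hypothetical error type
        health.record(start + timedelta(milliseconds=10 * i), False, "http_503")
    recovery = start + timedelta(hours=1)
    for i in range(50):
        health.record(recovery + timedelta(minutes=i), True)
    now = recovery + timedelta(minutes=50)
    return round(health.lifetime_rate(), 4), health.rolling_rate(now), len(health.log_rows)
```

`simulate()` returns the lifetime rate, the rolling rate and the number of log rows written for the burst.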

Changed

  • Added a "Reset API statistics" action to the API call usage card and a
    one-time upgrade step that clears a previously poisoned counter (only on
    installs that look stuck — healthy usage history is left untouched).

ReportedIP Hive 2.1.17

19 Jun 20:33

Fixed

  • Extended Protection now covers every PHP endpoint on nginx, automatically.
    On nginx the guard was wired only through a hand-pasted location snippet,
    which protects just the one location block it lands in — so requests handled
    by their own blocks (wp-login.php, the cached front controller) slipped past
    the firewall while admin-ajax was covered. Hive now detects the PHP-FPM SAPI
    ahead of the nginx server string and writes a document-root .user.ini
    instead; PHP-FPM honours auto_prepend_file there for every request
    regardless of nginx location blocks, with no manual step. The nginx/php.ini
    snippet remains the fallback only for stacks without a FastCGI PHP SAPI.
  • The pre-WordPress WAF guard (Extended Protection) no longer blocks signed-in
    editors saving content. The guard runs before WordPress via
    auto_prepend_file and previously inspected the request body unconditionally,
    so a logged-in user saving a post through admin-ajax.php or the REST API
    could trip the XSS/SQLi signature (HTTP 403, X-Rip-Waf). The guard now
    detects the wordpress_logged_in cookie and skips body inspection for
    authenticated requests (default on, option
    reportedip_hive_waf_dropin_skip_authenticated); URL and user-agent rules
    still run, and the in-WordPress engine remains the capability-aware backstop.
  • Disabling the WAF engine (or switching to report-only) now also neutralises
    the pre-WordPress guard. The guard bakes the engine-enabled and report-only
    state in and self-heals on toggle, so the firewall can no longer keep
    enforcing after it was switched off in the admin.

Changed

  • Softened the SMS 2FA backoff ladder so legitimate resends are no longer
    punished. The per-recipient ladder now climbs 0s → 30s → 1m → 2m → 5m → 15m
    (was 0s → 2m → 5m → 15m → 30m → 60m) — the gentle early rungs cover a
    slow or missed SMS, while escalation still throttles a genuine burst. Mirrors
    the matching change in the reportedip.de relay rate-limiter; the daily
    per-recipient hard cap and the monthly relay quota remain the cost ceiling.

ReportedIP Hive 2.1.16

17 Jun 20:46

Fixed

  • Stopped the runaway /relay-quota polling that could fire on every
    front-end request. A tier lookup on a cold or error-returning cache fell
    through to a live /relay-quota call, and that lookup runs on hot paths
    (firewall, security headers, bot verification), so a site under load polled
    the service thousands of times a minute. Tier reads are now served purely
    from cache — the status transient, the relay-quota transient, then the
    durable known-tier baseline — and never trigger a live call.

Changed

  • A failed /relay-quota response now arms a short cooldown so it is not
    retried on the next request, the meta-bucket hourly rate limit also guards
    the call, and saving an API key refreshes the tier once in the background
    instead of letting a live front-end lookup discover it. Live refresh is owned
    solely by the six-hour cron and the key-save hook.

ReportedIP Hive 2.1.15

17 Jun 15:19

Fixed

  • Every timestamp in the admin now renders in the site timezone. The
    "Timestamp" line inside a log row's details — and the coordinated-attack time
    window — were printed in raw UTC, off by the site offset from the localized
    row time and the rest of the WordPress admin. Both are now converted to the
    configured site timezone.

ReportedIP Hive 2.1.14

17 Jun 12:52

Fixed

  • Auto-blocking no longer silently fails on servers whose database timezone
    is not UTC. Expiry and attempt timestamps are written in UTC but were
    compared against the MySQL session clock (NOW() / CURDATE()). On a
    non-UTC server this made the per-IP attempt counter never accumulate inside
    its window — so the failed-login and XML-RPC thresholds were never reached
    and no offender was ever blocked — and treated every freshly written block as
    already expired, leaving the block list empty during an active attack. Every
    datetime column and every comparison is now UTC-consistent.
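
The failure mode described above, reproduced as an added Python sketch (not the plugin's code): UTC-written rows are compared once against a session clock at UTC+2 and once against a UTC clock. The 15-minute window, the one-hour block duration, the server offset and the field names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed values for illustration; the release note does not state them.
WINDOW = timedelta(minutes=15)            # attempt-counting window
BLOCK_DURATION = timedelta(hours=1)       # lifetime of a freshly written block
SERVER_TZ = timezone(timedelta(hours=2))  # constructed: DB session clock at UTC+2
FMT = "%Y-%m-%d %H:%M:%S"                 # DATETIME columns carry no zone information


def session_now(instant):
    """What NOW() yields on the UTC+2 server: local wall-clock time."""
    return instant.astimezone(SERVER_TZ).strftime(FMT)


def utc_now(instant):
    """What a UTC clock (e.g. MySQL's UTC_TIMESTAMP()) yields for the same instant."""
    return instant.astimezone(timezone.utc).strftime(FMT)


def parse(column_value):
    """Read a zone-less DATETIME string back, as the comparison sees it."""
    return datetime.strptime(column_value, FMT)


def evaluate(instant, clock):
    """Run the window check and the expiry check against the given clock."""
    now = parse(clock(instant))
    # Rows the application wrote in UTC around `instant`.
    last_attempt = parse(utc_now(instant - timedelta(seconds=30)))
    blocked_until = parse(utc_now(instant + BLOCK_DURATION))
    return {
        "attempt_in_window": last_attempt >= now - WINDOW,
        "block_active": blocked_until > now,
    }


INSTANT = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)  # constructed
BROKEN = evaluate(INSTANT, session_now)  # UTC rows vs. local session clock
FIXED = evaluate(INSTANT, utc_now)       # UTC rows vs. UTC clock

if __name__ == "__main__":
    print("session clock:", BROKEN)
    print("UTC clock:    ", FIXED)
```

With the session clock, a 30-second-old attempt falls outside the window and a block written moments ago already reads as expired; with the UTC clock both checks hold.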

Changed

  • All stored datetimes are normalised to UTC across the database layer, the
    coordinated-attack detector, the queue recovery sweep, trusted-device expiry
    and the daily statistics. Admin tables (logs, blocked IPs, whitelist, audit
    trail, WAF exceptions) now render timestamps in the site timezone instead of
    raw UTC.

ReportedIP Hive 2.1.13

16 Jun 20:46

Changed

  • Security dashboard reworked into a full analytics view. The Security
    Events, Threat Distribution and Recent Activity sections now draw on every
    sensor instead of five legacy categories. New: a headline strip (attacks
    blocked over 30 days / today, IPs currently blocked, active protection
    layers), a stacked timeline grouped into seven threat families with a
    7/30/90-day selector, a doughnut by attack vector, a WAF rule-group bar
    chart, a severity breakdown, and a Top Attackers table. Recent Activity
    entries now carry a severity badge and threat-family label. A single,
    frequency-capped card promotes the deeper analytics on higher plans.

Fixed

  • Hardening Mode no longer triggers on routine background brute-force. The
    coordinated-attack detectors now count individual failed_login events over
    a real time window from the logs table instead of summing the cumulative
    per-IP counter from the attempts table, which over-counted any IP merely
    active in the window with its full lifetime total. Detection defaults were
    raised to realistic values (distributed: 10 distinct IPs and 50 attempts in
    10 minutes; burst: 8 IPs and 30 attempts in one minute) so a normal botnet
    baseline no longer tightens login thresholds network-wide. New installs pick
    up the new defaults; sites that previously saved the Hardening tab keep their
    stored values.
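
The over-count described above, as an added Python example over constructed data (not the plugin's code): the legacy detector sums cumulative per-IP totals from the attempts table, the fixed one counts failed_login rows from the logs table inside the window. Thresholds are the distributed defaults quoted in the note; the field names and the 40-attempt history per IP are assumptions.

```python
from datetime import datetime, timedelta

# Distributed-detector defaults quoted in the release note.
MIN_IPS, MIN_ATTEMPTS, WINDOW = 10, 50, timedelta(minutes=10)
NOW = datetime(2024, 1, 15, 12, 0, 0)  # constructed evaluation time (UTC)


def build_sample(events_per_ip):
    """Constructed data: 12 IPs, each with `events_per_ip` failed logins in the
    last few minutes and a cumulative counter of 40 older attempts on top."""
    logs, attempts, k = [], {}, 0
    for i in range(12):
        ip = f"203.0.113.{i + 1}"  # documentation range, not real offenders
        for _ in range(events_per_ip):
            logs.append({"event": "failed_login", "ip": ip,
                         "at": NOW - timedelta(seconds=5 * k)})
            k += 1
        attempts[ip] = {"count": 40 + events_per_ip, "last_attempt": logs[-1]["at"]}
    return logs, attempts


def legacy_detect(attempts, now=NOW):
    """Old behaviour as described: every IP active in the window contributes
    its full cumulative total from the attempts table."""
    active = [r for r in attempts.values() if r["last_attempt"] >= now - WINDOW]
    total = sum(r["count"] for r in active)
    return len(active) >= MIN_IPS and total >= MIN_ATTEMPTS, len(active), total


def windowed_detect(logs, now=NOW):
    """Fixed behaviour: count individual failed_login rows inside the window."""
    recent = [e for e in logs
              if e["event"] == "failed_login" and e["at"] >= now - WINDOW]
    ips = {e["ip"] for e in recent}
    return len(ips) >= MIN_IPS and len(recent) >= MIN_ATTEMPTS, len(ips), len(recent)


if __name__ == "__main__":
    for label, per_ip in (("background noise", 1), ("real burst", 5)):
        logs, attempts = build_sample(per_ip)
        print(label, "legacy:", legacy_detect(attempts), "windowed:", windowed_detect(logs))
```

Each detector returns a tuple of (triggered, distinct IPs, attempts counted), so the two can be compared on the same sample.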

ReportedIP Hive 2.1.12

16 Jun 12:32

Added

  • MainWP provisioning can switch a managed site into Community Network mode.
    A community flag on the reportedip_hive_provision job sets the operation
    mode alongside the API key, and the sync job now reports the current
    operation_mode so the dashboard reflects each child site's mode.

ReportedIP Hive 2.1.11

16 Jun 11:40

Changed

  • WAF exception form is now self-explanatory. Each field carries an inline
    hint, the scope selector progressively reveals only the relevant field, and
    the ambiguous "Rule ID or group" field is split into a Rule ID input (single
    rule) and a Rule group dropdown populated from the engine's known categories —
    so it is clear what to enter and where the value comes from (the WAF block
    log, or the one-click "Allow" button). The exceptions FAQ was rewritten to
    explain what to configure, where to find a rule ID or group, how to pick a
    scope, and how the path/IP filters work.

Fixed

  • API queue bulk actions work again. The queue tab wrapped its list table in
    a method="get" form while process_bulk_action() read $_POST, so selecting
    rows and applying Retry / Delete silently reloaded the page with no effect. The
    form is now method="post", matching the logs / blocked / whitelist tabs.
  • "Retry all failed" now revives permanently-failed reports. The bulk reset
    excluded rows that had already reached max_attempts, so a manual retry of an
    all-exhausted queue reset nothing. A manual, admin-initiated retry now resets
    every failed row (overriding the automatic cron ceiling), consistent with the
    per-row retry; the tab's "Retry All Failed" button counts and enables on all
    failed rows.
  • Coordinated-attack detections are logged once per sweep. The minute-bucket
    query and the rolling-window detector each logged a coordinated_attack_detected
    event for the same incident; only the strongest reason is logged now.

Added

  • Block decisions are self-explanatory in the log. WAF blocks now record the
    matched value, the inspected target, the request method, URI and User-Agent,
    and the active paranoia level; the bot verifier records the verification reason
    (e.g. ptr_foreign_domain, ip_not_in_official_range) plus the real
    User-Agent; the 404 scan detector records method and User-Agent. A block
    decision is now diagnosable without reproducing the request.
  • Failed relay-mail and API calls record a reason. Non-retryable relay-mail
    failures are logged (mail_relay_error) instead of being dropped, and
    api_call_failed carries a preview of the rejecting response body.