Changeset 3300103

iron-security/tags/2.3.3/README.txt

-                      r3296251
+                      r3300103
 Requires at least: 4.7
 Tested up to: 6.8
 Stable tag: 2.3.2
+Stable tag: 2.3.3
 Requires PHP: 7.0
 License: GPLv2 or later
 …
 - Change default Admin ID
 - Block user enumeration
+- Change Default Admin Username
 **Files & Directory Protection**
 …
 = What makes Iron Security different from other WordPress security plugins? =
 Iron Security is designed to be lightweight, fast, and focused on practical features that matter most for securing your WordPress site.
+Iron Security is lightweight, fast, and focused on the most effective hardening techniques. Instead of bloated features, it delivers practical tools that directly protect your WordPress site from real threats.
 = Is Iron Security suitable for beginners? =
 Yes! Iron Security comes with an intuitive dashboard and clear explanations for each option. Whether you're a WordPress beginner or an experienced developer, you'll find it easy to use and configure.
 = How does the custom login URL help protect my site? =
 Changing the default `/wp-admin` or `/wp-login.php` URL makes it harder for bots and attackers to find your login page, reducing brute force attempts. You can set your own unique login slug in a few clicks from the plugin settings.
 = What happens when a user exceeds the allowed login attempts? =
 If a user exceeds the allowed number of login attempts, their IP will be temporarily blocked based on your configured lockout settings. You can customize the number of allowed attempts, lockout duration, and view attempt logs.
 = How does the Admin ID protection work? =
 By default, WordPress assigns user ID 1 to the first admin account — a known vulnerability targeted by bots. Iron Security lets you assign a different ID to your admin account, making it harder to guess and exploit.
 = Does Iron Security block XML-RPC and REST API? Why? =
 Yes, you can optionally disable XML-RPC and REST API — two common attack vectors. XML-RPC is often used in DDoS and brute force attacks, while REST API may expose user data. Disabling them improves security, especially if you don’t use them.
 = What are HTTP security headers and why should I enable them? =
 HTTP security headers like X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security provide an extra layer of browser-based protection. They help prevent XSS, clickjacking, and other code injection attacks. Iron Security lets you enable them easily from the dashboard.
+Absolutely. Iron Security features an intuitive dashboard with clear explanations for each setting. Whether you’re new to WordPress or a seasoned developer, you’ll find it easy to set up and use.
+= How does changing the login URL protect my site? =
+By replacing the default /wp-admin or /wp-login.php URLs, you reduce the risk of automated brute force attacks. Bots and attackers can’t easily locate your login page, adding an extra layer of protection.
+= What happens if someone exceeds the allowed login attempts? =
+Their IP will be temporarily blocked based on your configured settings. You can set how many failed attempts are allowed, how long the lockout lasts, and monitor the attempt logs directly from the plugin dashboard.
+= How does Admin ID protection work? =
+WordPress assigns the first admin user an ID of 1 — a known target for attacks. Iron Security helps you avoid this by allowing you to assign a different user ID to your admin account, reducing exposure to targeted exploits.
+= Can Iron Security block XML-RPC and REST API access? =
+Yes. These features can be optionally disabled. XML-RPC and REST API are common targets for attacks like brute force or user data enumeration. If you don’t use them, disabling them can significantly reduce your attack surface.
+= What are HTTP security headers, and why should I enable them? =
+HTTP security headers such as X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security enhance browser-level security. They help protect your site against XSS, clickjacking, and other injection-based attacks. Iron Security lets you enable these headers with just a few clicks.
 = Will Iron Security slow down my website? =
 Not at all. The plugin is built to be lightweight and uses efficient code practices. It doesn’t run background scans or heavy processes, so your site’s performance remains unaffected.
 = Can I use Iron Security on WooCommerce stores? =
 Absolutely. Iron Security is fully compatible with WooCommerce and protects your login area, admin panel, and core files without affecting your store’s functionality.
 = Where can I get support or report a bug? =
 You can submit issues or ask for help via the [support forum on WordPress.org](https://wordpress.org/support/plugin/iron-security/) or by contacting us directly at [https://wpiron.com](https://wpiron.com).
+No. Iron Security is performance-focused and doesn't include heavy scans or background processes. It’s designed to secure your site without impacting loading speed or user experience.
+= Is Iron Security compatible with WooCommerce? =
+Yes, Iron Security works seamlessly with WooCommerce. It protects your admin area, login forms, and critical files without interfering with your store's functionality or customer experience.
+= How can I get support or report a bug? =
+You can reach out via the WordPress.org support forum: https://wordpress.org/support/plugin/iron-security/ or contact our team directly at https://wpiron.com.
 = How often is Iron Security updated? =
+We actively maintain and improve Iron Security. You can expect regular updates for new features, security patches, and WordPress compatibility improvements.
+We actively maintain Iron Security to ensure compatibility with the latest WordPress releases. Expect regular updates with new features, security improvements, and bug fixes.
+= What is the benefit of disabling file editing in WordPress? =
+Disabling the file editor in the admin panel prevents attackers from injecting malicious code directly into theme or plugin files if they gain admin access. This is a simple but effective hardening step.
+= What does hiding the WordPress version do? =
+Iron Security removes the WordPress version from your website’s source code to reduce the risk of automated attacks targeting specific versions with known vulnerabilities.
+= How does Iron Security block AI crawlers? =
+The plugin adds specific rules to your robots.txt file to block AI and data scraping bots, helping protect your content from unauthorized use and training.
+= What does "Limit number of administrators" mean? =
+Limiting admin users helps reduce the number of high-privilege accounts on your site. The plugin notifies you if more than one admin account exists, encouraging better access control and role management.
+= How does session timeout protect my site? =
+If a logged-in user is inactive for a certain period, they are automatically logged out. This prevents unauthorized access from unattended sessions on shared or public devices.
+= Can I block user enumeration? =
+Yes. Iron Security prevents bots from discovering usernames through the `?author=` query parameter, a common tactic used in brute force and targeted attacks.
+= What does “Change default admin username” do? =
+If your admin account uses "admin" as the username, it becomes an easy target. Iron Security helps you safely change this default to something unique and secure.
+= What does "Prevent direct file access" mean? =
+The plugin restricts access to sensitive files like PHP templates and system files that should not be accessed directly, protecting your site from unauthorized requests.
+= Can I block PHP file uploads? =
+Yes. Iron Security allows you to block PHP file uploads in forms and media to prevent malicious scripts from being uploaded to your site.
+= What are plugin and core auto-updates, and why enable them? =
+Keeping your WordPress core and plugins updated is critical to staying secure. Iron Security allows you to enable automatic updates, so your site is always protected with the latest patches.
 …
 == Changelog ==
+= 2.3.3 =
+* Add functionality to change default admin username
 = 2.3.2 =
 * Gutenberg some blocks were disabled - fixed it.

iron-security/tags/2.3.3/admin/class-iron-security-admin.php

-                      r3291538
+                      r3300103
                 plugin_dir_url( __FILE__ ) . 'css/admin.css',
                 array(),
                 time(),
+                $this->version,
                 'all' );
             wp_enqueue_style( $this->plugin_name . '-dashboard',
 …
                 plugin_dir_url( __FILE__ ) . 'css/transitions.css',
                 array(),
                 time(),
+                $this->version,
                 'all' );
+        }
 …
             plugin_dir_url( __FILE__ ) . 'js/iron-security-admin.js',
             array( 'jquery', 'wp-element', 'wp-components' ),
 //          $this->version,
             time(),
+            $this->version,
+//          time(),
             false
         );
 …
                 plugin_dir_url( __FILE__ ) . 'js/session-timeout.js',
                 array( 'jquery' ),
 //              $this->version,
                 time(),
+                $this->version,
+//              time(),
                 true
             );
 …
                 array( 'wp-element', 'wp-components', 'wp-i18n' ),
                 $this->version,
+//                time(),
                 true
             );
 …
                 array( 'wp-element', 'wp-components', 'wp-i18n' ),
                 $this->version,
+//                time(),
                 true
             );
 …
                 // Your content for login/logout tab
                 echo '<h3>Login/Logout Settings</h3>';
+                // add your logic here
+            }
+            // Add other tabs content conditions
+            }
             ?>
         </div>
 …
         $sanitized_input = array();
         foreach ( $input as $key => $value ) {
+            // Special handling for checkbox/toggle fields
             if ( in_array( $key, array(
                 'wpironis_disable_xmlrpc',
 …
             $secret = get_user_meta( $user->ID, 'google_authenticator_secret', true );
             if ( ! $secret ) {
                 return $user; // No 2FA setup for the user
+                return $user;
+            }
 …
+        }
+        // When enabled is true, we want to disable XML-RPC
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
         $options = get_option( 'wpironis_options', array() );
+        // Set to 1 to disable XML-RPC when toggle is enabled
         $options['wpironis_disable_xmlrpc'] = $enabled ? 1 : 0;
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_disable_xmlrpc'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the WordPress version hiding setting
         $options['wpironis_hide_wp_version'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_hide_wp_version'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the security headers setting
         $options['wpironis_security_headers'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_security_headers'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the PHP uploads blocking setting
         $options['wpironis_block_php_uploads'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Handle .htaccess rules
         if ( $enabled ) {
             $this->wpironis_create_upload_protection();
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_block_php_uploads'] ) &&
 …
         $htaccess_path = $upload_dir['basedir'] . '/.htaccess';
+        // Define the rules
         $rules = "
 # Iron Security
 …
 ";
+        // Create or update .htaccess file
         if ( ! file_exists( $htaccess_path ) || is_writable( $htaccess_path ) ) {
             file_put_contents( $htaccess_path, $rules, LOCK_EX );
+        }
+        // Also create an index.php file to prevent directory listing
         $index_path = $upload_dir['basedir'] . '/index.php';
         if ( ! file_exists( $index_path ) ) {
 …
     public function wpironis_prevent_php_upload( $file ) {
+        // Get the current options
         $options = get_option( 'wpironis_options', array() );
+        // Check if PHP upload blocking is enabled
         if ( ! isset( $options['wpironis_block_php_uploads'] ) || $options['wpironis_block_php_uploads'] !== 1 ) {
             return $file;
+        }
+        // Ensure the file name is set and is a string
         if ( ! isset( $file['name'] ) || empty( $file['name'] ) || ! is_string( $file['name'] ) ) {
             $file['error'] = __( 'Invalid file name detected. Upload blocked.', 'iron-security' );
 …
+        }
+        // List of blocked extensions
         $blocked_extensions = array(
             'php',
 …
         $extension = strtolower( pathinfo( $file_path, PATHINFO_EXTENSION ) ?: '' );
+        // Check if the file extension is in the blocked list
         if ( in_array( $extension, $blocked_extensions, true ) ) {
             $file['error'] = sprintf(
 …
+        }
+        // Check for double extensions (e.g., file.jpg.php)
         $all_extensions = explode( '.', $file_path );
         if ( count( $all_extensions ) > 2 ) {
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_prevent_direct_access'] ) &&
 …
 ";
+        // Create or update root .htaccess file
         if ( ! file_exists( $root_htaccess_path ) || is_writable( $root_htaccess_path ) ) {
+            // If .htaccess exists, read its content
             $existing_content = file_exists( $root_htaccess_path ) ? file_get_contents( $root_htaccess_path ) : '';
+            // Check if our rules are already present
             if ( strpos( $existing_content, 'Iron Security - Prevent Direct File Access' ) === false ) {
+                // Add our rules after WordPress rules if they exist
                 if ( strpos( $existing_content, '# END WordPress' ) !== false ) {
                     $existing_content = str_replace( '# END WordPress',
 …
+        }
+        // Also protect wp-content directory
         $content_htaccess_path = WP_CONTENT_DIR . '/.htaccess';
         $content_rules         = "
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the file editor setting
         $options['wpironis_disable_file_editor'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Update wp-config.php to disable file editor
         if ( $enabled ) {
             $this->wpironis_disable_file_editor_in_config();
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_disable_file_editor'] ) &&
 …
         $config_content = file_get_contents( $wp_config_path );
+        // Check if the constant is already defined
         if ( strpos( $config_content, 'DISALLOW_FILE_EDIT' ) === false ) {
+            // Find the line where we should add our constant
             $insert_point = strpos( $config_content, "/* That's all, stop editing!" );
 …
+            }
         } else {
+            // Update existing constant if it's set to false
             $config_content = preg_replace(
                 "/define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*false\s*\);/",
 …
         $config_content = file_get_contents( $wp_config_path );
+        // Remove the constant definition if it exists
         $config_content = preg_replace(
             "/define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\);(\r\n|\n|\r)?/",
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the custom URL setting
         $options['enable_slug_change'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_slug_change'] ) &&
 …
+        }
         $url = sanitize_title( $_POST['url'] ); // Sanitize and convert spaces to hyphens
+        $url = sanitize_title( $_POST['url'] );
         if ( empty( $url ) ) {
 …
+        }
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the custom URL
         $options['wpironis_custom_login_slug'] = $url;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['wpironis_custom_login_slug'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the session timeout setting
         $options['enable_session_timeout'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_session_timeout'] ) &&
 …
+        }
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the timeout value
         $options['session_timeout_value'] = $timeout;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['session_timeout_value'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the limit login attempts setting
         $options['enable_limit_login_attempts'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_limit_login_attempts'] ) &&
 …
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the settings
         $options['wpironis_limit_login_attempts'] = (string) $attempts;
         $options['wpironis_lockout_duration']     = (string) $duration;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the values were actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['wpironis_limit_login_attempts'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the user enumeration protection setting
         $options['enable_user_enumeration'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_user_enumeration'] ) &&
 …
+        }
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the custom error message
         $options['user_enumeration_message'] = $message;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['user_enumeration_message'] ) &&
 …
     public function wpironis_modify_login_errors( $error ) {
+        // Get the options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if user enumeration protection is enabled
         if ( ! empty( $options['enable_user_enumeration'] ) && $options['enable_user_enumeration'] === '1' ) {
+            // Get the custom message or use default
             $custom_message = ! empty( $options['user_enumeration_message'] )
                 ? $options['user_enumeration_message']
                 : 'Wrong Login credentials';
+            // Check if this is a password-related error for an existing username
             if ( strpos( $error, 'password you entered for' ) !== false ) {
                 return __( $custom_message, 'iron-security' );
 …
     public function wpironis_block_user_enumeration() {
+        // Get the options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if user enumeration protection is enabled
         if ( ! empty( $options['enable_user_enumeration'] ) && $options['enable_user_enumeration'] === '1' ) {
+            // Block access to author pages
             if ( is_author() ) {
                 wp_redirect( home_url(), 301 );
 …
+            }
+            // Block user enumeration through REST API
             add_filter( 'rest_endpoints', function ( $endpoints ) {
                 if ( isset( $endpoints['/wp/v2/users'] ) ) {
 …
             } );
+            // Block ?author=N queries
             if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
                 wp_redirect( home_url(), 301 );
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the REST API setting
         $options['wpironis_disable_rest_api'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_disable_rest_api'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the plugin auto-update setting
         $options['wpironis_enable_plugin_autoupdate'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Configure plugin auto-updates
         $this->wpironis_configure_plugin_autoupdates( $enabled );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_enable_plugin_autoupdate'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the core auto-update setting
         $options['wpironis_enable_core_autoupdate'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Configure core auto-updates
         $this->wpironis_configure_core_autoupdates( $enabled );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_enable_core_autoupdate'] ) &&
 …
     private function wpironis_configure_plugin_autoupdates( $enabled ) {
         if ( $enabled ) {
+            // Enable auto-updates for all plugins using filter
             add_filter( 'auto_update_plugin', '__return_true' );
+            // Also set the auto_update_plugins option
             $all_plugins = array_keys( get_plugins() );
             update_site_option( 'auto_update_plugins', $all_plugins );
         } else {
+            // Disable auto-updates for all plugins
             add_filter( 'auto_update_plugin', '__return_false' );
+            // Clear the auto_update_plugins option
             update_site_option( 'auto_update_plugins', array() );
+        }
 …
     private function wpironis_configure_core_autoupdates( $enabled ) {
         if ( $enabled ) {
+            // Enable core auto-updates for all update types
             add_filter( 'allow_major_auto_core_updates', '__return_true' );
             add_filter( 'allow_minor_auto_core_updates', '__return_true' );
 …
             add_filter( 'auto_update_translation', '__return_true' );
+            // Update the core update settings
             update_site_option( 'auto_update_core_major', 'enabled' );
             update_site_option( 'auto_update_core_minor', 'enabled' );
             update_site_option( 'auto_update_core_dev', 'enabled' );
         } else {
+            // Disable core auto-updates
             add_filter( 'allow_major_auto_core_updates', '__return_false' );
             add_filter( 'allow_minor_auto_core_updates', '__return_false' );
 …
             add_filter( 'auto_update_translation', '__return_false' );
+            // Update the core update settings
             update_site_option( 'auto_update_core_major', 'disabled' );
             update_site_option( 'auto_update_core_minor', 'disabled' );
 …
+        }
+        // Update last activity time
         update_user_meta( get_current_user_id(), 'iron_security_last_activity', time() );
+    }
 …
+        }
+        // Get filter parameters
         $log_type   = isset( $_POST['log_type'] ) ? sanitize_text_field( $_POST['log_type'] ) : '';
         $status     = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';
 …
         $per_page   = isset( $_POST['per_page'] ) ? intval( $_POST['per_page'] ) : 50;
+        // Build filter arguments
         $args = array(
             'log_type'   => $log_type,
 …
         );
+        // Get logs with the specified filters
         $logs_data = Iron_Security_Logger::get_logs( $args );
+        // Get log summary
         $summary = $this->get_logs_summary();
 …
         $table_name = $wpdb->prefix . 'iron_security_logs';
+        // Get total count
         $total = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name" );
+        // Get count by status
         $success_count = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name WHERE status = 'success'" );
         $failure_count = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name WHERE status = 'failure'" );
 …
+        }
+        // Get filter parameters
         $log_type   = isset( $_POST['log_type'] ) ? sanitize_text_field( $_POST['log_type'] ) : '';
         $status     = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';
 …
         $date_to    = isset( $_POST['date_to'] ) ? sanitize_text_field( $_POST['date_to'] ) : '';
+        // Build filter arguments (with large per_page for export)
         $args = array(
             'log_type'   => $log_type,
 …
             'date_from'  => $date_from,
             'date_to'    => $date_to,
             'per_page'   => 10000, // Large number to get most/all logs
+            'per_page'   => 10000,
             'page'       => 1
         );
+        // Get all logs with the specified filters
         $logs_data = Iron_Security_Logger::get_logs( $args );
         $logs      = $logs_data['logs'];
+        // Set headers for CSV download
         header( 'Content-Type: text/csv' );
         header( 'Content-Disposition: attachment; filename="iron-security-logs-' . date( 'Y-m-d' ) . '.csv"' );
 …
         header( 'Expires: 0' );
+        // Create a file pointer connected to the output stream
         $output = fopen( 'php://output', 'w' );
+        // Output the column headings
         fputcsv( $output,
             array( 'ID', 'Date', 'Type', 'Username', 'User ID', 'IP Address', 'Message', 'Status', 'Extra Data' ) );
+        // Output each row of the data
         foreach ( $logs as $log ) {
             $log_type_labels = Iron_Security_Logger::get_log_types();
             $log_type_label  = isset( $log_type_labels[ $log['log_type'] ] ) ? $log_type_labels[ $log['log_type'] ] : $log['log_type'];
+            // Format extra data for CSV
             $extra_data = '';
             if ( ! empty( $log['extra_data'] ) ) {
 …
+        }
+        // Close the file pointer
         fclose( $output );
         exit;
 …
+        }
+        // Map the JavaScript camelCase to the database option name
         $option_map = [
             'contentTypeOptions'      => 'wpironis_security_header_content_type_options',
 …
         $option_name = $option_map[ $header_name ];
+        // Get current options
         $options = get_option( 'wpironis_options', array() );
+        // Update the specific security header setting
         $options[ $option_name ] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Generate a friendly name for the header for use in messages
         $header_friendly_names = [
             'contentTypeOptions'      => 'X-Content-Type-Options',
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options[ $option_name ] ) && $current_options[ $option_name ] === ( $enabled ? 1 : 0 ) ) {
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the limit admins setting
         $options['enable_limit_admins'] = $enabled ? '1' : '0';
+        // Save settings
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             );
+            // If the feature is enabled, include admin count and users list
             if ( $enabled ) {
                 $admin_users = get_users( array(
 …
             wp_send_json_success( $response_data );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_limit_admins'] ) &&
 …
                 );
+                // If the feature is enabled, include admin count and users list
                 if ( $enabled ) {
                     $admin_users = get_users( array(
 …
+        }
+        // Validate and sanitize inputs
         $max_admins    = isset( $_POST['max_admins'] ) ? absint( $_POST['max_admins'] ) : 1;
         $fallback_role = isset( $_POST['fallback_role'] ) ? sanitize_text_field( $_POST['fallback_role'] ) : 'editor';
+        // Ensure max_admins is at least 1
         if ( $max_admins < 1 ) {
             $max_admins = 1;
+        }
+        // Validate fallback role is a valid WordPress role
         $valid_roles = array( 'editor', 'author', 'contributor', 'subscriber' );
         if ( ! in_array( $fallback_role, $valid_roles ) ) {
 …
+        }
+        // Get current settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the limit admins settings
         $options['wpironis_max_admins']          = (string) $max_admins;
         $options['wpironis_admin_fallback_role'] = $fallback_role;
+        // Save settings
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
+        // Get admin users for the response
         $admin_users = get_users( array(
             'role' => 'administrator',
         ) );
+        // Count admins
         $admin_count = count( $admin_users );
+        // Prepare the user data to return
         $users = array();
         foreach ( $admin_users as $user ) {
 …
         if ( $updated ) {
+            // Enforce the limit now by checking current admin count
             $this->wpironis_enforce_admin_limit_now();
+            // Get updated admin count after enforcement
             $updated_admin_users = get_users( array(
                 'role' => 'administrator',
 …
             $updated_admin_count = count( $updated_admin_users );
+            // Prepare updated user list
             $updated_users = array();
             foreach ( $updated_admin_users as $user ) {
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['wpironis_max_admins'] ) &&
 …
      */
     public function wpironis_enforce_admin_limit( $user_id, $role, $old_roles ) {
+        // Check if the new role is administrator
         if ( $role !== 'administrator' ) {
             return;
+        }
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Count current admins
         $admin_count = $this->wpironis_count_admins();
+        // If the max has been reached, change this user's role to the fallback
         if ( $admin_count > $max_admins ) {
+            // Skip the current hook to avoid infinite loop
             remove_action( 'set_user_role', array( $this, 'wpironis_enforce_admin_limit' ), 10 );
+            // Downgrade the user to the fallback role
             $user = new WP_User( $user_id );
             $user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced',
 …
             );
+            // Add admin notice
             add_action( 'admin_notices', function () use ( $user, $fallback_role, $max_admins ) {
                 echo '<div class="notice notice-warning is-dismissible">';
 …
             } );
+            // Re-add the hook
             add_action( 'set_user_role', array( $this, 'wpironis_enforce_admin_limit' ), 10, 3 );
+        }
 …
      */
     public function wpironis_check_admin_limit_on_register( $user_id ) {
+        // Get the user object
         $user = new WP_User( $user_id );
+        // Check if the user is being registered as an admin
         if ( ! in_array( 'administrator', $user->roles ) ) {
             return;
+        }
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Count current admins
         $admin_count = $this->wpironis_count_admins();
+        // If the max has been reached, change this user's role to the fallback
         if ( $admin_count > $max_admins ) {
+            // Downgrade the user to the fallback role
             $user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced',
 …
      */
     private function safe_log_security_event( $event_type, $message ) {
+        // Try to use the Logger class if it exists and has the method
         if ( class_exists( 'Iron_Security_Logger' ) && method_exists( 'Iron_Security_Logger', 'log_security_event' ) ) {
             Iron_Security_Logger::log_security_event( $event_type, $message );
         } else {
+            // Fallback logging to the WordPress error log
             error_log( sprintf( '[Iron Security] %s: %s', $event_type, $message ) );
+            // Attempt to log to a custom database table if it exists
             global $wpdb;
             $table_name = $wpdb->prefix . 'iron_security_logs';
+            // Check if the table exists before attempting to insert
             if ( $wpdb->get_var( "SHOW TABLES LIKE '$table_name'" ) === $table_name ) {
                 $wpdb->insert(
 …
      */
     private function wpironis_enforce_admin_limit_now() {
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Get all admins
         $admin_users = get_users( array(
             'role'    => 'administrator',
 …
         ) );
+        // Skip if we have fewer admins than the limit
         if ( count( $admin_users ) <= $max_admins ) {
             return;
+        }
+        // Keep track of how many admins we've processed
         $admin_count = 0;
+        // Process each admin user
         foreach ( $admin_users as $admin_user ) {
             $admin_count ++;
+            // Skip the first max_admins administrators (ordered by ID)
             if ( $admin_count <= $max_admins ) {
                 continue;
+            }
+            // Downgrade the user to the fallback role
             $admin_user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced',
 …
+        }
+        // Check if this is a user create/update request
         $route = $request->get_route();
         if ( strpos( $route, '/wp/v2/users' ) === false ) {
 …
+        }
+        // Check if operation involves setting a role to administrator
         $params = $request->get_params();
         if ( ! isset( $params['roles'] ) || ! in_array( 'administrator', (array) $params['roles'] ) ) {
 …
+        }
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return $response;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Count current admins
         $admin_count = $this->wpironis_count_admins();
+        // Get the user ID from the request
         $user_id = isset( $params['id'] ) ? $params['id'] : null;
+        // For user creation, the ID will be in the response
         if ( ! $user_id && isset( $response->data['id'] ) ) {
             $user_id = $response->data['id'];
+        }
+        // Get the user to check if they were already an admin
         $user      = get_user_by( 'id', $user_id );
         $was_admin = $user && in_array( 'administrator', $user->roles );
+        // If the user was not already an admin and the limit has been reached
         if ( ! $was_admin && $admin_count >= $max_admins ) {
+            // Update the user to the fallback role
             $user = new WP_User( $user_id );
             $user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced_api',
 …
             );
+            // Update the response to reflect the actual role
             if ( isset( $response->data['roles'] ) ) {
                 $response->data['roles'] = array( $fallback_role );
+            }
+            // Add a message to the response
             if ( ! isset( $response->data['iron_security_message'] ) ) {
                 $response->data['iron_security_message'] = sprintf(
 …
      */
     public function wpironsec_get_admin_info() {
+        // Verify nonce
         if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'iron_security_nonce' ) ) {
             wp_send_json_error( 'Invalid security token sent.' );
 …
+        }
+        // Check if user is authorized
         if ( ! current_user_can( 'manage_options' ) ) {
             wp_send_json_error( 'You do not have permission to perform this action.' );
 …
+        }
+        // Get administrator users
         $admin_users = get_users( array(
             'role' => 'administrator',
         ) );
+        // Prepare the user data to return
         $users = array();
         foreach ( $admin_users as $user ) {
 …
+        }
+        // Count
         $count = count( $admin_users );
+        // Send the response
         wp_send_json_success( array(
             'count'   => $count,
 …
+        }
+        // Get the differences to determine what was updated
         $changes = array();
+        // Check email change
         if ( $old_user_data->user_email !== $user->user_email ) {
             $changes['email'] = array(
 …
+        }
+        // Check display name change
         if ( $old_user_data->display_name !== $user->display_name ) {
             $changes['display_name'] = array(
 …
+        }
+        // Check URL change
         if ( $old_user_data->user_url !== $user->user_url ) {
             $changes['url'] = array(
 …
         if ( empty( $changes ) ) {
+            // Log general profile update if no specific changes detected
             $message = sprintf( 'User "%s" profile was updated', $user->user_login );
         } else {
+            // Log specific changes
             $fields  = array_keys( $changes );
             $message = sprintf( 'User "%s" profile was updated. Changed fields: %s',
 …
         global $wp_version;
+        // Only log this occasionally to avoid excessive logs
         $last_check = get_option( 'wpironis_last_version_check_log', 0 );
         if ( time() - $last_check < 86400 ) { // Once per day max
+        if ( time() - $last_check < 86400 ) {
             return;
+        }
 …
         global $pagenow;
+        // Only log certain admin actions to avoid excessive logging
         if ( ! is_admin() || ! current_user_can( 'edit_posts' ) ) {
             return;
 …
         $action = isset( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+        // Skip logging for common, routine actions
         $skip_actions = array( 'heartbeat', 'wp-refresh-post-lock', 'ajax-tag-search' );
         if ( in_array( $action, $skip_actions ) ) {
 …
+        }
+        // Log specific high-value actions only
         $important_actions = array(
             'update'            => 'Update',
 …
             $details = array(
                 'page'       => $pagenow,
                 'query_args' => $_GET // Including all query parameters for context
+                'query_args' => $_GET
             );
 …
+        }
+        // Log access to sensitive admin pages
         $sensitive_pages = array(
             'options.php'                            => 'Settings Update',
 …
         foreach ( $sensitive_pages as $page => $description ) {
+            // Check if we're on this page or if page with query matches
             if ( $pagenow === $page || ( strpos( $page, '?' ) !== false && strpos( $_SERVER['REQUEST_URI'],
                         $page ) !== false ) ) {
 …
      */
     public function detect_frame_embedding() {
+        // Only run this occasionally to avoid performance issues
         if ( ! is_admin() || mt_rand( 1, 10 ) !== 1 ) {
             return;
 …
             $home_url = home_url();
+            // Check if the referer is from a different domain
             if ( strpos( $referer, $site_url ) !== 0 && strpos( $referer, $home_url ) !== 0 ) {
+                // This could potentially be a clickjacking attempt
                 $referer_host = parse_url( $referer, PHP_URL_HOST );
                 $site_host    = parse_url( $site_url, PHP_URL_HOST );
 …
      */
     public function detect_suspicious_requests() {
+        // Only run this occasionally to avoid performance issues
         if ( mt_rand( 1, 10 ) !== 1 ) {
             return;
+        }
+        // Detect common attack patterns in URLs
         $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
         $user_agent  = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
+        // List of suspicious URL patterns with attack type and whether it's a regex
         $suspicious_patterns = array(
             'eval\('             => array( 'type' => 'PHP Injection', 'is_regex' => true ),
 …
+        }
+        // Check for known malicious or scanning user agents
         $malicious_agents = array(
             'nikto'           => 'Security Scanner',
 …
                     sprintf( 'Detected %s user agent: %s', $agent_type, $agent )
                 );
                 break; // Only log once per request
+                break;
+            }
+        }
 …
      */
     public function monitor_request_methods() {
+        // Only monitor in admin area or for login/register pages
         if ( ! is_admin() && ! in_array( $GLOBALS['pagenow'], array( 'wp-login.php', 'wp-register.php' ) ) ) {
             return;
 …
         $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
+        // Unusual request methods for WordPress admin
         $unusual_methods = array( 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH' );
 …
      */
     public function setup_rest_logging() {
+        // Add a filter to log API requests
         add_filter( 'rest_pre_dispatch', array( $this, 'log_rest_api_request' ), 10, 3 );
+    }
 …
         $route = $request->get_route();
+        // Skip some common, noisy routes
         $skip_routes = array(
             '/wp/v2/users/me',
 …
+        }
+        // Sensitive routes that should always be logged
         $sensitive_routes = array(
             '/wp/v2/users',
 …
+        }
+        // Always log writes (POST, PUT, DELETE) or sensitive routes
         $method = $request->get_method();
         if ( $is_sensitive || in_array( $method, array( 'POST', 'PUT', 'DELETE', 'PATCH' ) ) ) {
 …
      */
     public function log_http_api_errors( $response, $context, $class, $parsed_args, $url ) {
+        // Only log errors
         if ( ! is_wp_error( $response ) ) {
             return;
 …
         $error_message = $response->get_error_message();
+        // Don't log common timeout errors which may be normal
         if ( strpos( $error_code, 'timeout' ) !== false ) {
             return;
 …
      */
     public function detect_security_scanners() {
+        // Only run this check occasionally to avoid performance impact
         if ( mt_rand( 1, 20 ) !== 1 ) {
             return;
+        }
+        // Check for rapid-fire requests from the same IP
         $ip = $this->get_ip_address();
+        // Get the last time we recorded this IP
         $last_checked = get_transient( 'wpironis_ip_check_' . md5( $ip ) );
         $now          = time();
         if ( $last_checked ) {
+            // If this IP made a request very recently (within 1 second)
             if ( $now - $last_checked < 1 ) {
+                // Increment the counter for this IP
                 $count = get_transient( 'wpironis_ip_count_' . md5( $ip ) );
                 $count = $count ? $count + 1 : 1;
                 set_transient( 'wpironis_ip_count_' . md5( $ip ), $count, 300 ); // Keep count for 5 minutes
+                // If we've seen too many rapid requests, log it as a scanner
+                set_transient( 'wpironis_ip_count_' . md5( $ip ), $count, 300 );
                 if ( $count > 10 ) {
                     Iron_Security_Logger::log_suspicious_behavior(
 …
                     );
+                    // Reset counter to avoid logging repeatedly
                     set_transient( 'wpironis_ip_count_' . md5( $ip ), 0, 300 );
+                }
 …
+        }
+        // Update the last checked time for this IP
         set_transient( 'wpironis_ip_check_' . md5( $ip ), $now, 300 ); // Keep for 5 minutes
+        set_transient( 'wpironis_ip_check_' . md5( $ip ), $now, 300 );
+    }
 …
      */
     public function wpironis_handle_admin_id_protection_toggle() {
+        // Verify nonce
         if ( ! check_ajax_referer( 'iron_security_nonce', 'nonce', false ) ) {
             wp_send_json_error( 'Invalid security token. Please refresh the page and try again.' );
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current settings
         $loginlogout_settings = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the settings
         $loginlogout_settings['enable_admin_id_protection'] = $enabled ? '1' : '0';
         $admin_id = '1'; // Default admin ID
+        // If enabling the feature
+        $admin_id = '1';
         if ( $enabled ) {
+            // Check if we already have a stored admin ID in settings
             if ( ! empty( $loginlogout_settings['current_admin_id'] ) ) {
                 $admin_id = $loginlogout_settings['current_admin_id'];
                 $message  = 'Admin ID protection enabled. Using current administrator ID: ' . $admin_id;
+                // Log this security event
                 $this->safe_log_security_event(
                     'settings_change',
 …
                     'success'
                 );
             } // Check if admin with ID 1 still exists
+            }
             elseif ( ! get_userdata( 1 ) ) {
+                // Admin ID 1 doesn't exist, try to find the first admin user
                 $admins = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
                 if ( ! empty( $admins ) ) {
 …
                     $message                                  = 'Admin ID protection enabled. Using existing administrator ID: ' . $admin_id;
+                    // Log this security event
                     $this->safe_log_security_event(
                         'settings_change',
 …
                     );
                 } else {
+                    // No admin users found - this is unlikely but handle it
                     $loginlogout_settings['enable_admin_id_protection'] = '0';
                     wp_send_json_error( 'No administrator accounts found.' );
 …
                     return;
+                }
             } // If admin ID 1 exists and needs to be changed
+            }
             else {
                 try {
 …
                         $message = 'Admin ID protection enabled. Administrator ID changed from 1 to ' . $admin_id;
                     } else {
+                        // If we couldn't change the ID, disable the feature
                         $loginlogout_settings['enable_admin_id_protection'] = '0';
                         wp_send_json_error( 'Failed to change admin ID. Please try again.' );
 …
+            }
         } else {
+            // When disabling, just update the setting but don't change the ID back
+            // since that would be complex and potentially disruptive
             $admin_id = ! empty( $loginlogout_settings['current_admin_id'] ) ? $loginlogout_settings['current_admin_id'] : '1';
             $message  = 'Admin ID protection disabled. Note that the admin ID will remain changed.';
+            // Log this security event
             $this->safe_log_security_event(
                 'settings_change',
 …
+        }
+        // Save updated settings
         update_option( 'wpironis_plugin_settings_loginlogout', $loginlogout_settings );
+        // Return success with the admin ID
         wp_send_json_success( array(
             'message'  => $message,
 …
         global $wpdb;
+        // First check if user ID 1 exists
         $user = get_userdata( 1 );
         if ( ! $user ) {
 …
+        }
+        // Check if user is an administrator
         if ( ! in_array( 'administrator', $user->roles ) ) {
             error_log( 'Iron Security: Cannot change admin ID - User ID 1 is not an administrator' );
 …
+        }
+        // Start a transaction
         $wpdb->query( 'START TRANSACTION' );
         try {
+            // Get the highest user ID in the database
             $highest_id = $wpdb->get_var( "SELECT MAX(ID) FROM {$wpdb->users}" );
+            // New ID will be highest + a random offset between 100-999
             $new_id = (int) $highest_id + 1;
+            // Update user ID in users table
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->users} SET ID = %d WHERE ID = 1",
 …
+            }
+            // Update user ID in usermeta table
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->usermeta} SET user_id = %d WHERE user_id = 1",
 …
+            }
+            // Update user ID in posts table (for post author)
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->posts} SET post_author = %d WHERE post_author = 1",
 …
+            }
+            // Update user ID in comments table
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->comments} SET user_id = %d WHERE user_id = 1",
 …
+            }
+            // Additional tables to check for user_id references
+            // WooCommerce orders if present
             if ( $wpdb->get_var( "SHOW TABLES LIKE '{$wpdb->prefix}woocommerce_orders'" ) ) {
                 $wpdb->query( $wpdb->prepare(
 …
+            }
+            // If using BuddyPress
             if ( $wpdb->get_var( "SHOW TABLES LIKE '{$wpdb->prefix}bp_activity'" ) ) {
                 $wpdb->query( $wpdb->prepare(
 …
+            }
+            // If we're here, everything succeeded
             $wpdb->query( 'COMMIT' );
+            // Clear caches
             wp_cache_delete( 1, 'users' );
             wp_cache_delete( 1, 'user_meta' );
 …
             wp_cache_delete( $new_id, 'user_meta' );
+            // Return the new ID
             return (string) $new_id;
         } catch ( Exception $e ) {
+            // Something went wrong, rollback
             $wpdb->query( 'ROLLBACK' );
+            // Log the error
             error_log( 'Iron Security: Failed to change admin ID: ' . $e->getMessage() );
+            // Rethrow the exception
             throw $e;
+        }
 …
+        }
+        // Correctly interpret "true" or "false" string from JS
         $enabled = isset( $_POST['enabled'] ) && $_POST['enabled'] === 'true';
+        // Save proper value to DB
         $general_settings                           = get_option( 'wpironis_options', array() );
         $general_settings['wpironis_block_ai_bots'] = $enabled ? 1 : 0;
         update_option( 'wpironis_options', $general_settings );
+        // Modify .htaccess
         $this->general_security->modifyHtaccessForAiBots( $enabled );
+        // Prepare response message
         $message = $enabled
             ? __( 'AI bot blocking has been enabled. Your site is now protected from AI bot crawlers.',
 …
+        }
+        // Fallback to glob if manifest doesn't exist or entry not found
         $dist_path = plugin_dir_path( __FILE__ ) . 'js/dist/';
         $files     = glob( $dist_path . $base_name . '.*.js' );
 …
+        }
+        // Final fallback to non-hashed filename
         return $base_name . '.bundle.js';
+    }
+    /**
+     * Handle toggle for changing admin username
+     */
+    public function wpironis_handle_change_admin_username_toggle() {
+        if ( ! check_ajax_referer( 'iron_security_nonce', 'nonce', false ) ) {
+            wp_send_json_error( 'Invalid security token. Please refresh the page and try again.' );
+            return;
+        }
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'You do not have permission to change this setting.' );
+            return;
+        }
+        $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        $loginlogout_settings = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        $loginlogout_settings['enable_change_admin_username'] = $enabled ? '1' : '0';
+        if ( $enabled && empty( $loginlogout_settings['wpironis_new_admin_username'] ) ) {
+            $loginlogout_settings['wpironis_new_admin_username'] = $this->wpironis_generate_random_username();
+        }
+        $updated = update_option( 'wpironis_plugin_settings_loginlogout', $loginlogout_settings );
+        $admin_usernames = $this->wpironis_get_admin_usernames();
+        if ( $updated ) {
+            $message = 'Admin username protection setting updated successfully';
+            $status = 'success';
+            if ( $enabled && !empty( $admin_usernames ) ) {
+                $message = 'Admin username protection enabled. Insecure usernames detected: ' . implode(', ', $admin_usernames);
+                $status = 'warning';
+            }
+            wp_send_json_success( array(
+                'message' => $message,
+                'status' => $status,
+                'admin_usernames' => $admin_usernames
+            ) );
+        } else {
+            wp_send_json_error( 'Failed to update admin username protection setting' );
+        }
+    }
+    /**
+     * Handle saving new admin username
+     */
+    public function wpironis_handle_change_admin_username_save() {
+        if ( ! check_ajax_referer( 'iron_security_nonce', 'nonce', false ) ) {
+            wp_send_json_error( 'Invalid security token. Please refresh the page and try again.' );
+            return;
+        }
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'You do not have permission to change admin username.' );
+            return;
+        }
+        $new_username = isset( $_POST['new_username'] ) ? sanitize_user( $_POST['new_username'] ) : '';
+        if ( empty( $new_username ) ) {
+            wp_send_json_error( 'Username cannot be empty.' );
+            return;
+        }
+        if ( !validate_username( $new_username ) ) {
+            wp_send_json_error( 'Invalid username. Please use only letters.' );
+            return;
+        }
+        if ( username_exists( $new_username ) ) {
+            wp_send_json_error( 'Username already exists. Please choose another username.' );
+            return;
+        }
+        $loginlogout_settings = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        $loginlogout_settings['wpironis_new_admin_username'] = $new_username;
+        update_option( 'wpironis_plugin_settings_loginlogout', $loginlogout_settings );
+        $admin_usernames = $this->wpironis_get_admin_usernames();
+        $changed_users = array();
+        if ( !empty( $admin_usernames ) ) {
+            foreach ( $admin_usernames as $username ) {
+                $user = get_user_by( 'login', $username );
+                if ( $user ) {
+                    $unique_username = $this->wpironis_get_unique_username( $new_username );
+                    global $wpdb;
+                    $wpdb->update(
+                        $wpdb->users,
+                        array( 'user_login' => $unique_username ),
+                        array( 'ID' => $user->ID )
+                    );
+                    $this->safe_log_security_event( 'username_change', sprintf(
+                        'Changed username from %s to %s for user ID %d',
+                        $username,
+                        $unique_username,
+                        $user->ID
+                    ));
+                    clean_user_cache( $user->ID );
+                    $changed_users[] = array(
+                        'old_username' => $username,
+                        'new_username' => $unique_username,
+                        'display_name' => $user->display_name
+                    );
+                }
+            }
+        }
+        if ( !empty( $changed_users ) ) {
+            wp_send_json_success( array(
+                'message' => count( $changed_users ) . ' admin username(s) changed successfully.',
+                'changed_users' => $changed_users
+            ) );
+        } else {
+            wp_send_json_success( array(
+                'message' => 'New admin username saved. No insecure admin usernames found to change.'
+            ) );
+        }
+    }
+    /**
+     * Generate a random username with letters only
+     */
+    private function wpironis_generate_random_username() {
+        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+        $username = '';
+        $length = rand(8, 12);
+        for ( $i = 0; $i < $length; $i++ ) {
+            $username .= $chars[rand(0, strlen($chars) - 1)];
+        }
+        return $this->wpironis_get_unique_username( $username );
+    }
+    /**
+     * Get a unique username by adding a number suffix if needed
+     */
+    private function wpironis_get_unique_username( $username ) {
+        $original_username = $username;
+        $suffix = 1;
+        while ( username_exists( $username ) ) {
+            $username = $original_username . $suffix;
+            $suffix++;
+        }
+        return $username;
+    }
+    /**
+     * Get usernames of admin users with common/default usernames
+     */
+    private function wpironis_get_admin_usernames() {
+        $insecure_usernames = array( 'admin', 'administrator', 'wordpress' );
+        $found_usernames = array();
+        foreach ( $insecure_usernames as $username ) {
+            $user = get_user_by( 'login', $username );
+            if ( $user && in_array( 'administrator', $user->roles ) ) {
+                $found_usernames[] = $username;
+            }
+        }
+        return $found_usernames;
+    }
+}

iron-security/tags/2.3.3/admin/js/components/Dashboard.jsx

r3288628	r3300103
135	135	);
136	136
137		~~console.log(settings)~~
138	137
139	138	if (isLoading \|\| !settings) {

iron-security/tags/2.3.3/admin/js/components/FileDirectoryProectionSettings.jsx

r3288628	r3300103
12	12
13	13	useEffect(() => {
14		// Update settings when they change
	14
15	15	setIsPhpUploadBlocked(settings.wpironis_options?.wpironis_block_php_uploads === 1);
16	16	setIsDirectAccessPrevented(settings.wpironis_options?.wpironis_prevent_direct_access === 1);

iron-security/tags/2.3.3/admin/js/components/GeneralSettings.jsx

-                      r3288628
+                      r3300103
     useEffect(() => {
+        // Update all state values when settings change
         setIsXmlrpcEnabled(settings.wpironis_options?.wpironis_disable_xmlrpc === 1);
         setIsWpVersionHidden(settings.wpironis_options?.wpironis_hide_wp_version === 1);
 …
             const data = await response.json();
-            console.log('Response:', data); // Debug log
             if (data.success) {

iron-security/tags/2.3.3/admin/js/components/HttpSecurityHeadersSettings.jsx

r3288628	r3300103
19	19
20	20	useEffect(() => {
21		// Update header settings when settings change
	21
22	22	setHeaderSettings({
23	23	contentTypeOptions: settings.wpironis_options?.wpironis_security_header_content_type_options === 1,

iron-security/tags/2.3.3/admin/js/components/LoginLogoutSettings.jsx

-                      r3288628
+                      r3300103
     const [isLoadingAdminInfo, setIsLoadingAdminInfo] = useState(false);
+    const [isChangeAdminUsernameEnabled, setIsChangeAdminUsernameEnabled] = useState(
+        loginLogoutSettings.enable_change_admin_username === '1'
+    );
+    const [newAdminUsername, setNewAdminUsername] = useState(
+        loginLogoutSettings.wpironis_new_admin_username || ''
+    );
+    const [adminUsernameStatus, setAdminUsernameStatus] = useState(null);
     const getAdminCountStatus = () => {
 …
     useEffect(() => {
         const loginLogoutSettings = settings?.login_logout || {};
+        // Update all state values when settings change
         setIsCustomUrlEnabled(loginLogoutSettings.enable_slug_change === '1');
         setCustomUrl(loginLogoutSettings.wpironis_custom_login_slug || 'wp-admin');
 …
             setIsAdminIdProtectionEnabled(true);
+        }
+        if (loginLogoutSettings.enable_change_admin_username === '1') {
+            setIsChangeAdminUsernameEnabled(true);
+        }
+        if (loginLogoutSettings.wpironis_new_admin_username) {
+            setNewAdminUsername(loginLogoutSettings.wpironis_new_admin_username);
+        }
     }, [settings]);
 …
             console.error('Error:', error);
             showNotification(error.message || 'Failed to update custom URL setting', 'error');
             setIsCustomUrlEnabled(!enabled); // Revert the toggle
+            setIsCustomUrlEnabled(!enabled);
         } finally {
             setIsSaving(false);
 …
             console.error('Error:', error);
             showNotification(error.message || 'Failed to update session timeout setting', 'error');
             setIsSessionTimeoutEnabled(!enabled); // Revert the toggle
+            setIsSessionTimeoutEnabled(!enabled);
         } finally {
             setIsSaving(false);
 …
             setIsSaving(false);
+        }
+    };
+    const handleChangeAdminUsernameToggle = async (enabled) => {
+        setIsSaving(true);
+        try {
+            const formData = new FormData();
+            formData.append('action', 'iron_security_toggle_change_admin_username');
+            formData.append('enabled', enabled);
+            formData.append('nonce', settings.nonce);
+            const response = await fetch(ajaxurl, {
+                method: 'POST',
+                body: formData,
+                credentials: 'same-origin'
+            });
+            const data = await response.json();
+            if (data.success) {
+                setIsChangeAdminUsernameEnabled(enabled);
+                if (enabled && data.data.admin_usernames && data.data.admin_usernames.length > 0) {
+                    setAdminUsernameStatus({
+                        message: `Insecure admin usernames detected: ${data.data.admin_usernames.join(', ')}. Change them to improve security.`,
+                        type: 'warning'
+                    });
+                    if (!newAdminUsername) {
+                        generateRandomUsername();
+                    }
+                } else if (enabled) {
+                    setAdminUsernameStatus({
+                        message: 'No insecure admin usernames detected.',
+                        type: 'info'
+                    });
+                } else {
+                    setAdminUsernameStatus(null);
+                }
+                showNotification(data.data.message || 'Change admin username setting updated successfully');
+            } else {
+                throw new Error(data.data || 'Failed to update setting');
+            }
+        } catch (error) {
+            console.error('Error:', error);
+            showNotification(error.message || 'Failed to update change admin username setting', 'error');
+            setIsChangeAdminUsernameEnabled(!enabled);
+        } finally {
+            setIsSaving(false);
+        }
+    };
+    const handleSaveAdminUsername = async () => {
+        setIsSaving(true);
+        try {
+            const formData = new FormData();
+            formData.append('action', 'iron_security_save_change_admin_username');
+            formData.append('new_username', newAdminUsername);
+            formData.append('nonce', settings.nonce);
+            const response = await fetch(ajaxurl, {
+                method: 'POST',
+                body: formData,
+                credentials: 'same-origin'
+            });
+            const data = await response.json();
+            if (data.success) {
+                if (data.data.changed_users && data.data.changed_users.length > 0) {
+                    const changedUsers = data.data.changed_users;
+                    let message = 'The following admin usernames were changed:\n';
+                    changedUsers.forEach(user => {
+                        message += `• ${user.old_username} → ${user.new_username}`;
+                        if (user.display_name) {
+                            message += ` (${user.display_name})`;
+                        }
+                        message += '\n';
+                    });
+                    setAdminUsernameStatus({
+                        message: 'Admin usernames successfully changed.',
+                        type: 'info'
+                    });
+                    showNotification(data.data.message || 'Admin usernames changed successfully');
+                    setTimeout(() => {
+                        alert(message);
+                    }, 500);
+                } else {
+                    setAdminUsernameStatus({
+                        message: 'New admin username saved. No insecure admin usernames found to change.',
+                        type: 'info'
+                    });
+                    showNotification(data.data.message || 'New admin username saved successfully');
+                }
+            } else {
+                throw new Error(data.data || 'Failed to save new admin username');
+            }
+        } catch (error) {
+            console.error('Error:', error);
+            showNotification(error.message || 'Failed to save new admin username', 'error');
+        } finally {
+            setIsSaving(false);
+        }
+    };
+    const generateRandomUsername = () => {
+        const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+        let result = '';
+        const length = 8 + Math.floor(Math.random() * 8);
+        for (let i = 0; i < length; i++) {
+            result += chars.charAt(Math.floor(Math.random() * chars.length));
+        }
+        setNewAdminUsername(result);
     };
 …
                         </div>
                     )}
+                    <SettingToggle
+                        label="Change Default Admin Username"
+                        description="Change admin username if you have accounts with usernames like 'admin' or 'administrator' to prevent targeted attacks."
+                        checked={isChangeAdminUsernameEnabled}
+                        onChange={handleChangeAdminUsernameToggle}
+                        disabled={isSaving}
+                    />
+                    {isChangeAdminUsernameEnabled && (
+                        <div className="wpironis-custom-url-input">
+                            <div className="admin-username-info">
+                                <p className="description">
+                                    <strong>Default admin usernames like 'admin' or 'administrator' are frequently targeted in brute force attacks.</strong>
+                                    Change them to enhance your site's security.
+                                </p>
+                                {adminUsernameStatus && (
+                                    <p className={`description ${adminUsernameStatus.type}`}>
+                                        <span className={`dashicons dashicons-${adminUsernameStatus.type === 'warning' ? 'warning' : 'info'}`}></span>
+                                        {adminUsernameStatus.message}
+                                    </p>
+                                )}
+                                <div className="wpironis-input-group">
+                                    <label htmlFor="new-admin-username">New Username:</label>
+                                    <input
+                                        type="text"
+                                        id="new-admin-username"
+                                        value={newAdminUsername}
+                                        onChange={(e) => setNewAdminUsername(e.target.value.replace(/[^a-zA-Z]/g, ''))}
+                                        placeholder="Enter new username (letters only)"
+                                        disabled={isSaving}
+                                    />
+                                    <button
+                                        className="button button-secondary"
+                                        onClick={generateRandomUsername}
+                                        disabled={isSaving}
+                                        style={{ marginLeft: '5px' }}
+                                    >
+                                        Generate Random
+                                    </button>
+                                    <button
+                                        className="button button-primary"
+                                        onClick={handleSaveAdminUsername}
+                                        disabled={isSaving || !newAdminUsername}
+                                        style={{ marginLeft: '5px' }}
+                                    >
+                                        {isSaving ? 'Saving...' : 'Save Username'}
+                                    </button>
+                                </div>
+                            </div>
+                        </div>
+                    )}
                 </div>
             </div>

iron-security/tags/2.3.3/admin/js/dist/manifest.json

r3296251	r3300103
1	1	{
2		"dashboard.js": "dashboard.~~d4938437720f6eface82~~.js",
	2	"dashboard.js": "dashboard.409171eb914877d3afe7.js",
3	3	"vendors.js": "vendors.91782840b9e9337a9a5f.js"
4	4	}

iron-security/tags/2.3.3/includes/class-iron-security.php

-                      r3291538
+                      r3300103
         $this->loader->add_action( 'admin_menu', $plugin_admin, 'wpironis_plugin_menu' );
+        // Login Logout
         $this->loader->add_action( 'init', $plugin_admin, 'wpironis_redirect_login' );
         $this->loader->add_action( 'admin_init', $plugin_admin, 'wpironis_plugin_settings_init' );
 …
         $this->loader->add_filter( 'wp_handle_upload_prefilter', $plugin_admin, 'wpironis_prevent_php_upload' );
+        // AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_xmlrpc',
             $plugin_admin,
 …
             'wpironis_handle_core_autoupdate_toggle' );
+        // Custom admin URL AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_custom_url',
             $plugin_admin,
 …
             'wpironis_handle_custom_url_save' );
+        // Session timeout AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_session_timeout',
             $plugin_admin,
 …
             'wpironis_handle_session_timeout_save' );
+        // Limit login attempts AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_limit_login',
             $plugin_admin,
 …
             'wpironis_handle_limit_login_save' );
+        // Limit admins AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_limit_admins',
             $plugin_admin,
 …
             'wpironis_handle_limit_admins_save' );
+        // Admin ID protection AJAX handler
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_admin_id_protection',
             $plugin_admin,
             'wpironis_handle_admin_id_protection_toggle' );
+        // Admin role limitation hook
+        $this->loader->add_action( 'wp_ajax_iron_security_toggle_change_admin_username',
+            $plugin_admin,
+            'wpironis_handle_change_admin_username_toggle' );
+        $this->loader->add_action( 'wp_ajax_iron_security_save_change_admin_username',
+            $plugin_admin,
+            'wpironis_handle_change_admin_username_save' );
         $this->loader->add_action( 'set_user_role',
             $plugin_admin,
 …
 ,
 );
+        // Hook into user creation/update for admin limit
         $this->loader->add_action( 'user_register',
             $plugin_admin,
 …
 );
-        // REST API filter for admin limit
         $this->loader->add_filter( 'rest_request_after_callbacks',
             $plugin_admin,
 …
             'wpironis_handle_user_enum_message_save' );
+        // Also add filters for auto-updates on plugin initialization
         $options = get_option( 'wpironis_options', array() );
+        // Configure plugin auto-updates based on saved setting
         if ( ! empty( $options['wpironis_enable_plugin_autoupdate'] ) && $options['wpironis_enable_plugin_autoupdate'] === 1 ) {
             add_filter( 'auto_update_plugin', '__return_true' );
 …
+        }
+        // Configure core auto-updates based on saved setting
         if ( ! empty( $options['wpironis_enable_core_autoupdate'] ) && $options['wpironis_enable_core_autoupdate'] === 1 ) {
             add_filter( 'allow_major_auto_core_updates', '__return_true' );
 …
         $this->loader->add_action( 'init', $plugin_public, 'wpironis_init' );
+        // Add REST API restriction hooks
         $this->loader->add_filter( 'rest_authentication_errors', $plugin_public, 'wpironis_restrict_rest_api' );
         $this->loader->add_filter( 'rest_endpoints', $plugin_public, 'wpironis_disable_rest_endpoints' );

iron-security/tags/2.3.3/iron-security.php

-                      r3296251
+                      r3300103
  * Plugin URI:        https://wpiron.com
  * Description:       Iron Security is a powerful WordPress security plugin to protect your site from common threats. Lock down your site with login protection, file security, and HTTP headers — all in one lightweight plugin.
  * Version:           2.3.2
+ * Version:           2.3.3
  * Author:            wpiron
  * Author URI:        https://wpiron.com/
 …
+}
 define( 'IRON_SECURITY_VERSION', '2.3.2' );
+define( 'IRON_SECURITY_VERSION', '2.3.3' );
 function wpiisec_activate_iron_security() {

iron-security/trunk/README.txt

-                      r3296251
+                      r3300103
 Requires at least: 4.7
 Tested up to: 6.8
 Stable tag: 2.3.2
+Stable tag: 2.3.3
 Requires PHP: 7.0
 License: GPLv2 or later
 …
 - Change default Admin ID
 - Block user enumeration
+- Change Default Admin Username
 **Files & Directory Protection**
 …
 = What makes Iron Security different from other WordPress security plugins? =
 Iron Security is designed to be lightweight, fast, and focused on practical features that matter most for securing your WordPress site.
+Iron Security is lightweight, fast, and focused on the most effective hardening techniques. Instead of bloated features, it delivers practical tools that directly protect your WordPress site from real threats.
 = Is Iron Security suitable for beginners? =
 Yes! Iron Security comes with an intuitive dashboard and clear explanations for each option. Whether you're a WordPress beginner or an experienced developer, you'll find it easy to use and configure.
 = How does the custom login URL help protect my site? =
 Changing the default `/wp-admin` or `/wp-login.php` URL makes it harder for bots and attackers to find your login page, reducing brute force attempts. You can set your own unique login slug in a few clicks from the plugin settings.
 = What happens when a user exceeds the allowed login attempts? =
 If a user exceeds the allowed number of login attempts, their IP will be temporarily blocked based on your configured lockout settings. You can customize the number of allowed attempts, lockout duration, and view attempt logs.
 = How does the Admin ID protection work? =
 By default, WordPress assigns user ID 1 to the first admin account — a known vulnerability targeted by bots. Iron Security lets you assign a different ID to your admin account, making it harder to guess and exploit.
 = Does Iron Security block XML-RPC and REST API? Why? =
 Yes, you can optionally disable XML-RPC and REST API — two common attack vectors. XML-RPC is often used in DDoS and brute force attacks, while REST API may expose user data. Disabling them improves security, especially if you don’t use them.
 = What are HTTP security headers and why should I enable them? =
 HTTP security headers like X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security provide an extra layer of browser-based protection. They help prevent XSS, clickjacking, and other code injection attacks. Iron Security lets you enable them easily from the dashboard.
+Absolutely. Iron Security features an intuitive dashboard with clear explanations for each setting. Whether you’re new to WordPress or a seasoned developer, you’ll find it easy to set up and use.
+= How does changing the login URL protect my site? =
+By replacing the default /wp-admin or /wp-login.php URLs, you reduce the risk of automated brute force attacks. Bots and attackers can’t easily locate your login page, adding an extra layer of protection.
+= What happens if someone exceeds the allowed login attempts? =
+Their IP will be temporarily blocked based on your configured settings. You can set how many failed attempts are allowed, how long the lockout lasts, and monitor the attempt logs directly from the plugin dashboard.
+= How does Admin ID protection work? =
+WordPress assigns the first admin user an ID of 1 — a known target for attacks. Iron Security helps you avoid this by allowing you to assign a different user ID to your admin account, reducing exposure to targeted exploits.
+= Can Iron Security block XML-RPC and REST API access? =
+Yes. These features can be optionally disabled. XML-RPC and REST API are common targets for attacks like brute force or user data enumeration. If you don’t use them, disabling them can significantly reduce your attack surface.
+= What are HTTP security headers, and why should I enable them? =
+HTTP security headers such as X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security enhance browser-level security. They help protect your site against XSS, clickjacking, and other injection-based attacks. Iron Security lets you enable these headers with just a few clicks.
 = Will Iron Security slow down my website? =
 Not at all. The plugin is built to be lightweight and uses efficient code practices. It doesn’t run background scans or heavy processes, so your site’s performance remains unaffected.
 = Can I use Iron Security on WooCommerce stores? =
 Absolutely. Iron Security is fully compatible with WooCommerce and protects your login area, admin panel, and core files without affecting your store’s functionality.
 = Where can I get support or report a bug? =
 You can submit issues or ask for help via the [support forum on WordPress.org](https://wordpress.org/support/plugin/iron-security/) or by contacting us directly at [https://wpiron.com](https://wpiron.com).
+No. Iron Security is performance-focused and doesn't include heavy scans or background processes. It’s designed to secure your site without impacting loading speed or user experience.
+= Is Iron Security compatible with WooCommerce? =
+Yes, Iron Security works seamlessly with WooCommerce. It protects your admin area, login forms, and critical files without interfering with your store's functionality or customer experience.
+= How can I get support or report a bug? =
+You can reach out via the WordPress.org support forum: https://wordpress.org/support/plugin/iron-security/ or contact our team directly at https://wpiron.com.
 = How often is Iron Security updated? =
+We actively maintain and improve Iron Security. You can expect regular updates for new features, security patches, and WordPress compatibility improvements.
+We actively maintain Iron Security to ensure compatibility with the latest WordPress releases. Expect regular updates with new features, security improvements, and bug fixes.
+= What is the benefit of disabling file editing in WordPress? =
+Disabling the file editor in the admin panel prevents attackers from injecting malicious code directly into theme or plugin files if they gain admin access. This is a simple but effective hardening step.
+= What does hiding the WordPress version do? =
+Iron Security removes the WordPress version from your website’s source code to reduce the risk of automated attacks targeting specific versions with known vulnerabilities.
+= How does Iron Security block AI crawlers? =
+The plugin adds specific rules to your robots.txt file to block AI and data scraping bots, helping protect your content from unauthorized use and training.
+= What does "Limit number of administrators" mean? =
+Limiting admin users helps reduce the number of high-privilege accounts on your site. The plugin notifies you if more than one admin account exists, encouraging better access control and role management.
+= How does session timeout protect my site? =
+If a logged-in user is inactive for a certain period, they are automatically logged out. This prevents unauthorized access from unattended sessions on shared or public devices.
+= Can I block user enumeration? =
+Yes. Iron Security prevents bots from discovering usernames through the `?author=` query parameter, a common tactic used in brute force and targeted attacks.
+= What does “Change default admin username” do? =
+If your admin account uses "admin" as the username, it becomes an easy target. Iron Security helps you safely change this default to something unique and secure.
+= What does "Prevent direct file access" mean? =
+The plugin restricts access to sensitive files like PHP templates and system files that should not be accessed directly, protecting your site from unauthorized requests.
+= Can I block PHP file uploads? =
+Yes. Iron Security allows you to block PHP file uploads in forms and media to prevent malicious scripts from being uploaded to your site.
+= What are plugin and core auto-updates, and why enable them? =
+Keeping your WordPress core and plugins updated is critical to staying secure. Iron Security allows you to enable automatic updates, so your site is always protected with the latest patches.
 …
 == Changelog ==
+= 2.3.3 =
+* Add functionality to change default admin username
 = 2.3.2 =
 * Gutenberg some blocks were disabled - fixed it.

iron-security/trunk/admin/class-iron-security-admin.php

-                      r3291538
+                      r3300103
                 plugin_dir_url( __FILE__ ) . 'css/admin.css',
                 array(),
                 time(),
+                $this->version,
                 'all' );
             wp_enqueue_style( $this->plugin_name . '-dashboard',
 …
                 plugin_dir_url( __FILE__ ) . 'css/transitions.css',
                 array(),
                 time(),
+                $this->version,
                 'all' );
+        }
 …
             plugin_dir_url( __FILE__ ) . 'js/iron-security-admin.js',
             array( 'jquery', 'wp-element', 'wp-components' ),
 //          $this->version,
             time(),
+            $this->version,
+//          time(),
             false
         );
 …
                 plugin_dir_url( __FILE__ ) . 'js/session-timeout.js',
                 array( 'jquery' ),
 //              $this->version,
                 time(),
+                $this->version,
+//              time(),
                 true
             );
 …
                 array( 'wp-element', 'wp-components', 'wp-i18n' ),
                 $this->version,
+//                time(),
                 true
             );
 …
                 array( 'wp-element', 'wp-components', 'wp-i18n' ),
                 $this->version,
+//                time(),
                 true
             );
 …
                 // Your content for login/logout tab
                 echo '<h3>Login/Logout Settings</h3>';
+                // add your logic here
+            }
+            // Add other tabs content conditions
+            }
             ?>
         </div>
 …
         $sanitized_input = array();
         foreach ( $input as $key => $value ) {
+            // Special handling for checkbox/toggle fields
             if ( in_array( $key, array(
                 'wpironis_disable_xmlrpc',
 …
             $secret = get_user_meta( $user->ID, 'google_authenticator_secret', true );
             if ( ! $secret ) {
                 return $user; // No 2FA setup for the user
+                return $user;
+            }
 …
+        }
+        // When enabled is true, we want to disable XML-RPC
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
         $options = get_option( 'wpironis_options', array() );
+        // Set to 1 to disable XML-RPC when toggle is enabled
         $options['wpironis_disable_xmlrpc'] = $enabled ? 1 : 0;
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_disable_xmlrpc'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the WordPress version hiding setting
         $options['wpironis_hide_wp_version'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_hide_wp_version'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the security headers setting
         $options['wpironis_security_headers'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_security_headers'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the PHP uploads blocking setting
         $options['wpironis_block_php_uploads'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Handle .htaccess rules
         if ( $enabled ) {
             $this->wpironis_create_upload_protection();
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_block_php_uploads'] ) &&
 …
         $htaccess_path = $upload_dir['basedir'] . '/.htaccess';
+        // Define the rules
         $rules = "
 # Iron Security
 …
 ";
+        // Create or update .htaccess file
         if ( ! file_exists( $htaccess_path ) || is_writable( $htaccess_path ) ) {
             file_put_contents( $htaccess_path, $rules, LOCK_EX );
+        }
+        // Also create an index.php file to prevent directory listing
         $index_path = $upload_dir['basedir'] . '/index.php';
         if ( ! file_exists( $index_path ) ) {
 …
     public function wpironis_prevent_php_upload( $file ) {
+        // Get the current options
         $options = get_option( 'wpironis_options', array() );
+        // Check if PHP upload blocking is enabled
         if ( ! isset( $options['wpironis_block_php_uploads'] ) || $options['wpironis_block_php_uploads'] !== 1 ) {
             return $file;
+        }
+        // Ensure the file name is set and is a string
         if ( ! isset( $file['name'] ) || empty( $file['name'] ) || ! is_string( $file['name'] ) ) {
             $file['error'] = __( 'Invalid file name detected. Upload blocked.', 'iron-security' );
 …
+        }
+        // List of blocked extensions
         $blocked_extensions = array(
             'php',
 …
         $extension = strtolower( pathinfo( $file_path, PATHINFO_EXTENSION ) ?: '' );
+        // Check if the file extension is in the blocked list
         if ( in_array( $extension, $blocked_extensions, true ) ) {
             $file['error'] = sprintf(
 …
+        }
+        // Check for double extensions (e.g., file.jpg.php)
         $all_extensions = explode( '.', $file_path );
         if ( count( $all_extensions ) > 2 ) {
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_prevent_direct_access'] ) &&
 …
 ";
+        // Create or update root .htaccess file
         if ( ! file_exists( $root_htaccess_path ) || is_writable( $root_htaccess_path ) ) {
+            // If .htaccess exists, read its content
             $existing_content = file_exists( $root_htaccess_path ) ? file_get_contents( $root_htaccess_path ) : '';
+            // Check if our rules are already present
             if ( strpos( $existing_content, 'Iron Security - Prevent Direct File Access' ) === false ) {
+                // Add our rules after WordPress rules if they exist
                 if ( strpos( $existing_content, '# END WordPress' ) !== false ) {
                     $existing_content = str_replace( '# END WordPress',
 …
+        }
+        // Also protect wp-content directory
         $content_htaccess_path = WP_CONTENT_DIR . '/.htaccess';
         $content_rules         = "
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the file editor setting
         $options['wpironis_disable_file_editor'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Update wp-config.php to disable file editor
         if ( $enabled ) {
             $this->wpironis_disable_file_editor_in_config();
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_disable_file_editor'] ) &&
 …
         $config_content = file_get_contents( $wp_config_path );
+        // Check if the constant is already defined
         if ( strpos( $config_content, 'DISALLOW_FILE_EDIT' ) === false ) {
+            // Find the line where we should add our constant
             $insert_point = strpos( $config_content, "/* That's all, stop editing!" );
 …
+            }
         } else {
+            // Update existing constant if it's set to false
             $config_content = preg_replace(
                 "/define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*false\s*\);/",
 …
         $config_content = file_get_contents( $wp_config_path );
+        // Remove the constant definition if it exists
         $config_content = preg_replace(
             "/define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\);(\r\n|\n|\r)?/",
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the custom URL setting
         $options['enable_slug_change'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_slug_change'] ) &&
 …
+        }
         $url = sanitize_title( $_POST['url'] ); // Sanitize and convert spaces to hyphens
+        $url = sanitize_title( $_POST['url'] );
         if ( empty( $url ) ) {
 …
+        }
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the custom URL
         $options['wpironis_custom_login_slug'] = $url;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['wpironis_custom_login_slug'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the session timeout setting
         $options['enable_session_timeout'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_session_timeout'] ) &&
 …
+        }
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the timeout value
         $options['session_timeout_value'] = $timeout;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['session_timeout_value'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the limit login attempts setting
         $options['enable_limit_login_attempts'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_limit_login_attempts'] ) &&
 …
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the settings
         $options['wpironis_limit_login_attempts'] = (string) $attempts;
         $options['wpironis_lockout_duration']     = (string) $duration;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the values were actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['wpironis_limit_login_attempts'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the user enumeration protection setting
         $options['enable_user_enumeration'] = $enabled ? '1' : '0';
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_user_enumeration'] ) &&
 …
+        }
+        // Get current options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the custom error message
         $options['user_enumeration_message'] = $message;
+        // Save the updated options
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['user_enumeration_message'] ) &&
 …
     public function wpironis_modify_login_errors( $error ) {
+        // Get the options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if user enumeration protection is enabled
         if ( ! empty( $options['enable_user_enumeration'] ) && $options['enable_user_enumeration'] === '1' ) {
+            // Get the custom message or use default
             $custom_message = ! empty( $options['user_enumeration_message'] )
                 ? $options['user_enumeration_message']
                 : 'Wrong Login credentials';
+            // Check if this is a password-related error for an existing username
             if ( strpos( $error, 'password you entered for' ) !== false ) {
                 return __( $custom_message, 'iron-security' );
 …
     public function wpironis_block_user_enumeration() {
+        // Get the options
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if user enumeration protection is enabled
         if ( ! empty( $options['enable_user_enumeration'] ) && $options['enable_user_enumeration'] === '1' ) {
+            // Block access to author pages
             if ( is_author() ) {
                 wp_redirect( home_url(), 301 );
 …
+            }
+            // Block user enumeration through REST API
             add_filter( 'rest_endpoints', function ( $endpoints ) {
                 if ( isset( $endpoints['/wp/v2/users'] ) ) {
 …
             } );
+            // Block ?author=N queries
             if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
                 wp_redirect( home_url(), 301 );
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the REST API setting
         $options['wpironis_disable_rest_api'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_disable_rest_api'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the plugin auto-update setting
         $options['wpironis_enable_plugin_autoupdate'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Configure plugin auto-updates
         $this->wpironis_configure_plugin_autoupdates( $enabled );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_enable_plugin_autoupdate'] ) &&
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current options or initialize array
         $options = get_option( 'wpironis_options', array() );
+        // Update the core auto-update setting
         $options['wpironis_enable_core_autoupdate'] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Configure core auto-updates
         $this->wpironis_configure_core_autoupdates( $enabled );
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options['wpironis_enable_core_autoupdate'] ) &&
 …
     private function wpironis_configure_plugin_autoupdates( $enabled ) {
         if ( $enabled ) {
+            // Enable auto-updates for all plugins using filter
             add_filter( 'auto_update_plugin', '__return_true' );
+            // Also set the auto_update_plugins option
             $all_plugins = array_keys( get_plugins() );
             update_site_option( 'auto_update_plugins', $all_plugins );
         } else {
+            // Disable auto-updates for all plugins
             add_filter( 'auto_update_plugin', '__return_false' );
+            // Clear the auto_update_plugins option
             update_site_option( 'auto_update_plugins', array() );
+        }
 …
     private function wpironis_configure_core_autoupdates( $enabled ) {
         if ( $enabled ) {
+            // Enable core auto-updates for all update types
             add_filter( 'allow_major_auto_core_updates', '__return_true' );
             add_filter( 'allow_minor_auto_core_updates', '__return_true' );
 …
             add_filter( 'auto_update_translation', '__return_true' );
+            // Update the core update settings
             update_site_option( 'auto_update_core_major', 'enabled' );
             update_site_option( 'auto_update_core_minor', 'enabled' );
             update_site_option( 'auto_update_core_dev', 'enabled' );
         } else {
+            // Disable core auto-updates
             add_filter( 'allow_major_auto_core_updates', '__return_false' );
             add_filter( 'allow_minor_auto_core_updates', '__return_false' );
 …
             add_filter( 'auto_update_translation', '__return_false' );
+            // Update the core update settings
             update_site_option( 'auto_update_core_major', 'disabled' );
             update_site_option( 'auto_update_core_minor', 'disabled' );
 …
+        }
+        // Update last activity time
         update_user_meta( get_current_user_id(), 'iron_security_last_activity', time() );
+    }
 …
+        }
+        // Get filter parameters
         $log_type   = isset( $_POST['log_type'] ) ? sanitize_text_field( $_POST['log_type'] ) : '';
         $status     = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';
 …
         $per_page   = isset( $_POST['per_page'] ) ? intval( $_POST['per_page'] ) : 50;
+        // Build filter arguments
         $args = array(
             'log_type'   => $log_type,
 …
         );
+        // Get logs with the specified filters
         $logs_data = Iron_Security_Logger::get_logs( $args );
+        // Get log summary
         $summary = $this->get_logs_summary();
 …
         $table_name = $wpdb->prefix . 'iron_security_logs';
+        // Get total count
         $total = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name" );
+        // Get count by status
         $success_count = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name WHERE status = 'success'" );
         $failure_count = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name WHERE status = 'failure'" );
 …
+        }
+        // Get filter parameters
         $log_type   = isset( $_POST['log_type'] ) ? sanitize_text_field( $_POST['log_type'] ) : '';
         $status     = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';
 …
         $date_to    = isset( $_POST['date_to'] ) ? sanitize_text_field( $_POST['date_to'] ) : '';
+        // Build filter arguments (with large per_page for export)
         $args = array(
             'log_type'   => $log_type,
 …
             'date_from'  => $date_from,
             'date_to'    => $date_to,
             'per_page'   => 10000, // Large number to get most/all logs
+            'per_page'   => 10000,
             'page'       => 1
         );
+        // Get all logs with the specified filters
         $logs_data = Iron_Security_Logger::get_logs( $args );
         $logs      = $logs_data['logs'];
+        // Set headers for CSV download
         header( 'Content-Type: text/csv' );
         header( 'Content-Disposition: attachment; filename="iron-security-logs-' . date( 'Y-m-d' ) . '.csv"' );
 …
         header( 'Expires: 0' );
+        // Create a file pointer connected to the output stream
         $output = fopen( 'php://output', 'w' );
+        // Output the column headings
         fputcsv( $output,
             array( 'ID', 'Date', 'Type', 'Username', 'User ID', 'IP Address', 'Message', 'Status', 'Extra Data' ) );
+        // Output each row of the data
         foreach ( $logs as $log ) {
             $log_type_labels = Iron_Security_Logger::get_log_types();
             $log_type_label  = isset( $log_type_labels[ $log['log_type'] ] ) ? $log_type_labels[ $log['log_type'] ] : $log['log_type'];
+            // Format extra data for CSV
             $extra_data = '';
             if ( ! empty( $log['extra_data'] ) ) {
 …
+        }
+        // Close the file pointer
         fclose( $output );
         exit;
 …
+        }
+        // Map the JavaScript camelCase to the database option name
         $option_map = [
             'contentTypeOptions'      => 'wpironis_security_header_content_type_options',
 …
         $option_name = $option_map[ $header_name ];
+        // Get current options
         $options = get_option( 'wpironis_options', array() );
+        // Update the specific security header setting
         $options[ $option_name ] = $enabled ? 1 : 0;
+        // Save the updated options
         $updated = update_option( 'wpironis_options', $options );
+        // Generate a friendly name for the header for use in messages
         $header_friendly_names = [
             'contentTypeOptions'      => 'X-Content-Type-Options',
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_options' );
             if ( isset( $current_options[ $option_name ] ) && $current_options[ $option_name ] === ( $enabled ? 1 : 0 ) ) {
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the limit admins setting
         $options['enable_limit_admins'] = $enabled ? '1' : '0';
+        // Save settings
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
 …
             );
+            // If the feature is enabled, include admin count and users list
             if ( $enabled ) {
                 $admin_users = get_users( array(
 …
             wp_send_json_success( $response_data );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['enable_limit_admins'] ) &&
 …
                 );
+                // If the feature is enabled, include admin count and users list
                 if ( $enabled ) {
                     $admin_users = get_users( array(
 …
+        }
+        // Validate and sanitize inputs
         $max_admins    = isset( $_POST['max_admins'] ) ? absint( $_POST['max_admins'] ) : 1;
         $fallback_role = isset( $_POST['fallback_role'] ) ? sanitize_text_field( $_POST['fallback_role'] ) : 'editor';
+        // Ensure max_admins is at least 1
         if ( $max_admins < 1 ) {
             $max_admins = 1;
+        }
+        // Validate fallback role is a valid WordPress role
         $valid_roles = array( 'editor', 'author', 'contributor', 'subscriber' );
         if ( ! in_array( $fallback_role, $valid_roles ) ) {
 …
+        }
+        // Get current settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the limit admins settings
         $options['wpironis_max_admins']          = (string) $max_admins;
         $options['wpironis_admin_fallback_role'] = $fallback_role;
+        // Save settings
         $updated = update_option( 'wpironis_plugin_settings_loginlogout', $options );
+        // Get admin users for the response
         $admin_users = get_users( array(
             'role' => 'administrator',
         ) );
+        // Count admins
         $admin_count = count( $admin_users );
+        // Prepare the user data to return
         $users = array();
         foreach ( $admin_users as $user ) {
 …
         if ( $updated ) {
+            // Enforce the limit now by checking current admin count
             $this->wpironis_enforce_admin_limit_now();
+            // Get updated admin count after enforcement
             $updated_admin_users = get_users( array(
                 'role' => 'administrator',
 …
             $updated_admin_count = count( $updated_admin_users );
+            // Prepare updated user list
             $updated_users = array();
             foreach ( $updated_admin_users as $user ) {
 …
             ) );
         } else {
+            // Check if the value was actually the same (no update needed)
             $current_options = get_option( 'wpironis_plugin_settings_loginlogout' );
             if ( isset( $current_options['wpironis_max_admins'] ) &&
 …
      */
     public function wpironis_enforce_admin_limit( $user_id, $role, $old_roles ) {
+        // Check if the new role is administrator
         if ( $role !== 'administrator' ) {
             return;
+        }
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Count current admins
         $admin_count = $this->wpironis_count_admins();
+        // If the max has been reached, change this user's role to the fallback
         if ( $admin_count > $max_admins ) {
+            // Skip the current hook to avoid infinite loop
             remove_action( 'set_user_role', array( $this, 'wpironis_enforce_admin_limit' ), 10 );
+            // Downgrade the user to the fallback role
             $user = new WP_User( $user_id );
             $user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced',
 …
             );
+            // Add admin notice
             add_action( 'admin_notices', function () use ( $user, $fallback_role, $max_admins ) {
                 echo '<div class="notice notice-warning is-dismissible">';
 …
             } );
+            // Re-add the hook
             add_action( 'set_user_role', array( $this, 'wpironis_enforce_admin_limit' ), 10, 3 );
+        }
 …
      */
     public function wpironis_check_admin_limit_on_register( $user_id ) {
+        // Get the user object
         $user = new WP_User( $user_id );
+        // Check if the user is being registered as an admin
         if ( ! in_array( 'administrator', $user->roles ) ) {
             return;
+        }
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Count current admins
         $admin_count = $this->wpironis_count_admins();
+        // If the max has been reached, change this user's role to the fallback
         if ( $admin_count > $max_admins ) {
+            // Downgrade the user to the fallback role
             $user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced',
 …
      */
     private function safe_log_security_event( $event_type, $message ) {
+        // Try to use the Logger class if it exists and has the method
         if ( class_exists( 'Iron_Security_Logger' ) && method_exists( 'Iron_Security_Logger', 'log_security_event' ) ) {
             Iron_Security_Logger::log_security_event( $event_type, $message );
         } else {
+            // Fallback logging to the WordPress error log
             error_log( sprintf( '[Iron Security] %s: %s', $event_type, $message ) );
+            // Attempt to log to a custom database table if it exists
             global $wpdb;
             $table_name = $wpdb->prefix . 'iron_security_logs';
+            // Check if the table exists before attempting to insert
             if ( $wpdb->get_var( "SHOW TABLES LIKE '$table_name'" ) === $table_name ) {
                 $wpdb->insert(
 …
      */
     private function wpironis_enforce_admin_limit_now() {
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Get all admins
         $admin_users = get_users( array(
             'role'    => 'administrator',
 …
         ) );
+        // Skip if we have fewer admins than the limit
         if ( count( $admin_users ) <= $max_admins ) {
             return;
+        }
+        // Keep track of how many admins we've processed
         $admin_count = 0;
+        // Process each admin user
         foreach ( $admin_users as $admin_user ) {
             $admin_count ++;
+            // Skip the first max_admins administrators (ordered by ID)
             if ( $admin_count <= $max_admins ) {
                 continue;
+            }
+            // Downgrade the user to the fallback role
             $admin_user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced',
 …
+        }
+        // Check if this is a user create/update request
         $route = $request->get_route();
         if ( strpos( $route, '/wp/v2/users' ) === false ) {
 …
+        }
+        // Check if operation involves setting a role to administrator
         $params = $request->get_params();
         if ( ! isset( $params['roles'] ) || ! in_array( 'administrator', (array) $params['roles'] ) ) {
 …
+        }
+        // Get the settings
         $options = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Check if the feature is enabled
         if ( ! isset( $options['enable_limit_admins'] ) || $options['enable_limit_admins'] !== '1' ) {
             return $response;
+        }
+        // Get maximum allowed admins
         $max_admins = isset( $options['wpironis_max_admins'] ) ? absint( $options['wpironis_max_admins'] ) : 1;
+        // Get the fallback role
         $fallback_role = isset( $options['wpironis_admin_fallback_role'] ) ? $options['wpironis_admin_fallback_role'] : 'editor';
+        // Count current admins
         $admin_count = $this->wpironis_count_admins();
+        // Get the user ID from the request
         $user_id = isset( $params['id'] ) ? $params['id'] : null;
+        // For user creation, the ID will be in the response
         if ( ! $user_id && isset( $response->data['id'] ) ) {
             $user_id = $response->data['id'];
+        }
+        // Get the user to check if they were already an admin
         $user      = get_user_by( 'id', $user_id );
         $was_admin = $user && in_array( 'administrator', $user->roles );
+        // If the user was not already an admin and the limit has been reached
         if ( ! $was_admin && $admin_count >= $max_admins ) {
+            // Update the user to the fallback role
             $user = new WP_User( $user_id );
             $user->set_role( $fallback_role );
+            // Log the event safely
             $this->safe_log_security_event(
                 'admin_limit_enforced_api',
 …
             );
+            // Update the response to reflect the actual role
             if ( isset( $response->data['roles'] ) ) {
                 $response->data['roles'] = array( $fallback_role );
+            }
+            // Add a message to the response
             if ( ! isset( $response->data['iron_security_message'] ) ) {
                 $response->data['iron_security_message'] = sprintf(
 …
      */
     public function wpironsec_get_admin_info() {
+        // Verify nonce
         if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'iron_security_nonce' ) ) {
             wp_send_json_error( 'Invalid security token sent.' );
 …
+        }
+        // Check if user is authorized
         if ( ! current_user_can( 'manage_options' ) ) {
             wp_send_json_error( 'You do not have permission to perform this action.' );
 …
+        }
+        // Get administrator users
         $admin_users = get_users( array(
             'role' => 'administrator',
         ) );
+        // Prepare the user data to return
         $users = array();
         foreach ( $admin_users as $user ) {
 …
+        }
+        // Count
         $count = count( $admin_users );
+        // Send the response
         wp_send_json_success( array(
             'count'   => $count,
 …
+        }
+        // Get the differences to determine what was updated
         $changes = array();
+        // Check email change
         if ( $old_user_data->user_email !== $user->user_email ) {
             $changes['email'] = array(
 …
+        }
+        // Check display name change
         if ( $old_user_data->display_name !== $user->display_name ) {
             $changes['display_name'] = array(
 …
+        }
+        // Check URL change
         if ( $old_user_data->user_url !== $user->user_url ) {
             $changes['url'] = array(
 …
         if ( empty( $changes ) ) {
+            // Log general profile update if no specific changes detected
             $message = sprintf( 'User "%s" profile was updated', $user->user_login );
         } else {
+            // Log specific changes
             $fields  = array_keys( $changes );
             $message = sprintf( 'User "%s" profile was updated. Changed fields: %s',
 …
         global $wp_version;
+        // Only log this occasionally to avoid excessive logs
         $last_check = get_option( 'wpironis_last_version_check_log', 0 );
         if ( time() - $last_check < 86400 ) { // Once per day max
+        if ( time() - $last_check < 86400 ) {
             return;
+        }
 …
         global $pagenow;
+        // Only log certain admin actions to avoid excessive logging
         if ( ! is_admin() || ! current_user_can( 'edit_posts' ) ) {
             return;
 …
         $action = isset( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+        // Skip logging for common, routine actions
         $skip_actions = array( 'heartbeat', 'wp-refresh-post-lock', 'ajax-tag-search' );
         if ( in_array( $action, $skip_actions ) ) {
 …
+        }
+        // Log specific high-value actions only
         $important_actions = array(
             'update'            => 'Update',
 …
             $details = array(
                 'page'       => $pagenow,
                 'query_args' => $_GET // Including all query parameters for context
+                'query_args' => $_GET
             );
 …
+        }
+        // Log access to sensitive admin pages
         $sensitive_pages = array(
             'options.php'                            => 'Settings Update',
 …
         foreach ( $sensitive_pages as $page => $description ) {
+            // Check if we're on this page or if page with query matches
             if ( $pagenow === $page || ( strpos( $page, '?' ) !== false && strpos( $_SERVER['REQUEST_URI'],
                         $page ) !== false ) ) {
 …
      */
     public function detect_frame_embedding() {
+        // Only run this occasionally to avoid performance issues
         if ( ! is_admin() || mt_rand( 1, 10 ) !== 1 ) {
             return;
 …
             $home_url = home_url();
+            // Check if the referer is from a different domain
             if ( strpos( $referer, $site_url ) !== 0 && strpos( $referer, $home_url ) !== 0 ) {
+                // This could potentially be a clickjacking attempt
                 $referer_host = parse_url( $referer, PHP_URL_HOST );
                 $site_host    = parse_url( $site_url, PHP_URL_HOST );
 …
      */
     public function detect_suspicious_requests() {
+        // Only run this occasionally to avoid performance issues
         if ( mt_rand( 1, 10 ) !== 1 ) {
             return;
+        }
+        // Detect common attack patterns in URLs
         $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
         $user_agent  = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
+        // List of suspicious URL patterns with attack type and whether it's a regex
         $suspicious_patterns = array(
             'eval\('             => array( 'type' => 'PHP Injection', 'is_regex' => true ),
 …
+        }
+        // Check for known malicious or scanning user agents
         $malicious_agents = array(
             'nikto'           => 'Security Scanner',
 …
                     sprintf( 'Detected %s user agent: %s', $agent_type, $agent )
                 );
                 break; // Only log once per request
+                break;
+            }
+        }
 …
      */
     public function monitor_request_methods() {
+        // Only monitor in admin area or for login/register pages
         if ( ! is_admin() && ! in_array( $GLOBALS['pagenow'], array( 'wp-login.php', 'wp-register.php' ) ) ) {
             return;
 …
         $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
+        // Unusual request methods for WordPress admin
         $unusual_methods = array( 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH' );
 …
      */
     public function setup_rest_logging() {
+        // Add a filter to log API requests
         add_filter( 'rest_pre_dispatch', array( $this, 'log_rest_api_request' ), 10, 3 );
+    }
 …
         $route = $request->get_route();
+        // Skip some common, noisy routes
         $skip_routes = array(
             '/wp/v2/users/me',
 …
+        }
+        // Sensitive routes that should always be logged
         $sensitive_routes = array(
             '/wp/v2/users',
 …
+        }
+        // Always log writes (POST, PUT, DELETE) or sensitive routes
         $method = $request->get_method();
         if ( $is_sensitive || in_array( $method, array( 'POST', 'PUT', 'DELETE', 'PATCH' ) ) ) {
 …
      */
     public function log_http_api_errors( $response, $context, $class, $parsed_args, $url ) {
+        // Only log errors
         if ( ! is_wp_error( $response ) ) {
             return;
 …
         $error_message = $response->get_error_message();
+        // Don't log common timeout errors which may be normal
         if ( strpos( $error_code, 'timeout' ) !== false ) {
             return;
 …
      */
     public function detect_security_scanners() {
+        // Only run this check occasionally to avoid performance impact
         if ( mt_rand( 1, 20 ) !== 1 ) {
             return;
+        }
+        // Check for rapid-fire requests from the same IP
         $ip = $this->get_ip_address();
+        // Get the last time we recorded this IP
         $last_checked = get_transient( 'wpironis_ip_check_' . md5( $ip ) );
         $now          = time();
         if ( $last_checked ) {
+            // If this IP made a request very recently (within 1 second)
             if ( $now - $last_checked < 1 ) {
+                // Increment the counter for this IP
                 $count = get_transient( 'wpironis_ip_count_' . md5( $ip ) );
                 $count = $count ? $count + 1 : 1;
                 set_transient( 'wpironis_ip_count_' . md5( $ip ), $count, 300 ); // Keep count for 5 minutes
+                // If we've seen too many rapid requests, log it as a scanner
+                set_transient( 'wpironis_ip_count_' . md5( $ip ), $count, 300 );
                 if ( $count > 10 ) {
                     Iron_Security_Logger::log_suspicious_behavior(
 …
                     );
+                    // Reset counter to avoid logging repeatedly
                     set_transient( 'wpironis_ip_count_' . md5( $ip ), 0, 300 );
+                }
 …
+        }
+        // Update the last checked time for this IP
         set_transient( 'wpironis_ip_check_' . md5( $ip ), $now, 300 ); // Keep for 5 minutes
+        set_transient( 'wpironis_ip_check_' . md5( $ip ), $now, 300 );
+    }
 …
      */
     public function wpironis_handle_admin_id_protection_toggle() {
+        // Verify nonce
         if ( ! check_ajax_referer( 'iron_security_nonce', 'nonce', false ) ) {
             wp_send_json_error( 'Invalid security token. Please refresh the page and try again.' );
 …
         $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        // Get current settings
         $loginlogout_settings = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        // Update the settings
         $loginlogout_settings['enable_admin_id_protection'] = $enabled ? '1' : '0';
         $admin_id = '1'; // Default admin ID
+        // If enabling the feature
+        $admin_id = '1';
         if ( $enabled ) {
+            // Check if we already have a stored admin ID in settings
             if ( ! empty( $loginlogout_settings['current_admin_id'] ) ) {
                 $admin_id = $loginlogout_settings['current_admin_id'];
                 $message  = 'Admin ID protection enabled. Using current administrator ID: ' . $admin_id;
+                // Log this security event
                 $this->safe_log_security_event(
                     'settings_change',
 …
                     'success'
                 );
             } // Check if admin with ID 1 still exists
+            }
             elseif ( ! get_userdata( 1 ) ) {
+                // Admin ID 1 doesn't exist, try to find the first admin user
                 $admins = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
                 if ( ! empty( $admins ) ) {
 …
                     $message                                  = 'Admin ID protection enabled. Using existing administrator ID: ' . $admin_id;
+                    // Log this security event
                     $this->safe_log_security_event(
                         'settings_change',
 …
                     );
                 } else {
+                    // No admin users found - this is unlikely but handle it
                     $loginlogout_settings['enable_admin_id_protection'] = '0';
                     wp_send_json_error( 'No administrator accounts found.' );
 …
                     return;
+                }
             } // If admin ID 1 exists and needs to be changed
+            }
             else {
                 try {
 …
                         $message = 'Admin ID protection enabled. Administrator ID changed from 1 to ' . $admin_id;
                     } else {
+                        // If we couldn't change the ID, disable the feature
                         $loginlogout_settings['enable_admin_id_protection'] = '0';
                         wp_send_json_error( 'Failed to change admin ID. Please try again.' );
 …
+            }
         } else {
+            // When disabling, just update the setting but don't change the ID back
+            // since that would be complex and potentially disruptive
             $admin_id = ! empty( $loginlogout_settings['current_admin_id'] ) ? $loginlogout_settings['current_admin_id'] : '1';
             $message  = 'Admin ID protection disabled. Note that the admin ID will remain changed.';
+            // Log this security event
             $this->safe_log_security_event(
                 'settings_change',
 …
+        }
+        // Save updated settings
         update_option( 'wpironis_plugin_settings_loginlogout', $loginlogout_settings );
+        // Return success with the admin ID
         wp_send_json_success( array(
             'message'  => $message,
 …
         global $wpdb;
+        // First check if user ID 1 exists
         $user = get_userdata( 1 );
         if ( ! $user ) {
 …
+        }
+        // Check if user is an administrator
         if ( ! in_array( 'administrator', $user->roles ) ) {
             error_log( 'Iron Security: Cannot change admin ID - User ID 1 is not an administrator' );
 …
+        }
+        // Start a transaction
         $wpdb->query( 'START TRANSACTION' );
         try {
+            // Get the highest user ID in the database
             $highest_id = $wpdb->get_var( "SELECT MAX(ID) FROM {$wpdb->users}" );
+            // New ID will be highest + a random offset between 100-999
             $new_id = (int) $highest_id + 1;
+            // Update user ID in users table
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->users} SET ID = %d WHERE ID = 1",
 …
+            }
+            // Update user ID in usermeta table
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->usermeta} SET user_id = %d WHERE user_id = 1",
 …
+            }
+            // Update user ID in posts table (for post author)
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->posts} SET post_author = %d WHERE post_author = 1",
 …
+            }
+            // Update user ID in comments table
             $result = $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->comments} SET user_id = %d WHERE user_id = 1",
 …
+            }
+            // Additional tables to check for user_id references
+            // WooCommerce orders if present
             if ( $wpdb->get_var( "SHOW TABLES LIKE '{$wpdb->prefix}woocommerce_orders'" ) ) {
                 $wpdb->query( $wpdb->prepare(
 …
+            }
+            // If using BuddyPress
             if ( $wpdb->get_var( "SHOW TABLES LIKE '{$wpdb->prefix}bp_activity'" ) ) {
                 $wpdb->query( $wpdb->prepare(
 …
+            }
+            // If we're here, everything succeeded
             $wpdb->query( 'COMMIT' );
+            // Clear caches
             wp_cache_delete( 1, 'users' );
             wp_cache_delete( 1, 'user_meta' );
 …
             wp_cache_delete( $new_id, 'user_meta' );
+            // Return the new ID
             return (string) $new_id;
         } catch ( Exception $e ) {
+            // Something went wrong, rollback
             $wpdb->query( 'ROLLBACK' );
+            // Log the error
             error_log( 'Iron Security: Failed to change admin ID: ' . $e->getMessage() );
+            // Rethrow the exception
             throw $e;
+        }
 …
+        }
+        // Correctly interpret "true" or "false" string from JS
         $enabled = isset( $_POST['enabled'] ) && $_POST['enabled'] === 'true';
+        // Save proper value to DB
         $general_settings                           = get_option( 'wpironis_options', array() );
         $general_settings['wpironis_block_ai_bots'] = $enabled ? 1 : 0;
         update_option( 'wpironis_options', $general_settings );
+        // Modify .htaccess
         $this->general_security->modifyHtaccessForAiBots( $enabled );
+        // Prepare response message
         $message = $enabled
             ? __( 'AI bot blocking has been enabled. Your site is now protected from AI bot crawlers.',
 …
+        }
+        // Fallback to glob if manifest doesn't exist or entry not found
         $dist_path = plugin_dir_path( __FILE__ ) . 'js/dist/';
         $files     = glob( $dist_path . $base_name . '.*.js' );
 …
+        }
+        // Final fallback to non-hashed filename
         return $base_name . '.bundle.js';
+    }
+    /**
+     * Handle toggle for changing admin username
+     */
+    public function wpironis_handle_change_admin_username_toggle() {
+        if ( ! check_ajax_referer( 'iron_security_nonce', 'nonce', false ) ) {
+            wp_send_json_error( 'Invalid security token. Please refresh the page and try again.' );
+            return;
+        }
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'You do not have permission to change this setting.' );
+            return;
+        }
+        $enabled = isset( $_POST['enabled'] ) ? filter_var( $_POST['enabled'], FILTER_VALIDATE_BOOLEAN ) : false;
+        $loginlogout_settings = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        $loginlogout_settings['enable_change_admin_username'] = $enabled ? '1' : '0';
+        if ( $enabled && empty( $loginlogout_settings['wpironis_new_admin_username'] ) ) {
+            $loginlogout_settings['wpironis_new_admin_username'] = $this->wpironis_generate_random_username();
+        }
+        $updated = update_option( 'wpironis_plugin_settings_loginlogout', $loginlogout_settings );
+        $admin_usernames = $this->wpironis_get_admin_usernames();
+        if ( $updated ) {
+            $message = 'Admin username protection setting updated successfully';
+            $status = 'success';
+            if ( $enabled && !empty( $admin_usernames ) ) {
+                $message = 'Admin username protection enabled. Insecure usernames detected: ' . implode(', ', $admin_usernames);
+                $status = 'warning';
+            }
+            wp_send_json_success( array(
+                'message' => $message,
+                'status' => $status,
+                'admin_usernames' => $admin_usernames
+            ) );
+        } else {
+            wp_send_json_error( 'Failed to update admin username protection setting' );
+        }
+    }
+    /**
+     * Handle saving new admin username
+     */
+    public function wpironis_handle_change_admin_username_save() {
+        if ( ! check_ajax_referer( 'iron_security_nonce', 'nonce', false ) ) {
+            wp_send_json_error( 'Invalid security token. Please refresh the page and try again.' );
+            return;
+        }
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'You do not have permission to change admin username.' );
+            return;
+        }
+        $new_username = isset( $_POST['new_username'] ) ? sanitize_user( $_POST['new_username'] ) : '';
+        if ( empty( $new_username ) ) {
+            wp_send_json_error( 'Username cannot be empty.' );
+            return;
+        }
+        if ( !validate_username( $new_username ) ) {
+            wp_send_json_error( 'Invalid username. Please use only letters.' );
+            return;
+        }
+        if ( username_exists( $new_username ) ) {
+            wp_send_json_error( 'Username already exists. Please choose another username.' );
+            return;
+        }
+        $loginlogout_settings = get_option( 'wpironis_plugin_settings_loginlogout', array() );
+        $loginlogout_settings['wpironis_new_admin_username'] = $new_username;
+        update_option( 'wpironis_plugin_settings_loginlogout', $loginlogout_settings );
+        $admin_usernames = $this->wpironis_get_admin_usernames();
+        $changed_users = array();
+        if ( !empty( $admin_usernames ) ) {
+            foreach ( $admin_usernames as $username ) {
+                $user = get_user_by( 'login', $username );
+                if ( $user ) {
+                    $unique_username = $this->wpironis_get_unique_username( $new_username );
+                    global $wpdb;
+                    $wpdb->update(
+                        $wpdb->users,
+                        array( 'user_login' => $unique_username ),
+                        array( 'ID' => $user->ID )
+                    );
+                    $this->safe_log_security_event( 'username_change', sprintf(
+                        'Changed username from %s to %s for user ID %d',
+                        $username,
+                        $unique_username,
+                        $user->ID
+                    ));
+                    clean_user_cache( $user->ID );
+                    $changed_users[] = array(
+                        'old_username' => $username,
+                        'new_username' => $unique_username,
+                        'display_name' => $user->display_name
+                    );
+                }
+            }
+        }
+        if ( !empty( $changed_users ) ) {
+            wp_send_json_success( array(
+                'message' => count( $changed_users ) . ' admin username(s) changed successfully.',
+                'changed_users' => $changed_users
+            ) );
+        } else {
+            wp_send_json_success( array(
+                'message' => 'New admin username saved. No insecure admin usernames found to change.'
+            ) );
+        }
+    }
+    /**
+     * Generate a random username with letters only
+     */
+    private function wpironis_generate_random_username() {
+        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+        $username = '';
+        $length = rand(8, 12);
+        for ( $i = 0; $i < $length; $i++ ) {
+            $username .= $chars[rand(0, strlen($chars) - 1)];
+        }
+        return $this->wpironis_get_unique_username( $username );
+    }
+    /**
+     * Get a unique username by adding a number suffix if needed
+     */
+    private function wpironis_get_unique_username( $username ) {
+        $original_username = $username;
+        $suffix = 1;
+        while ( username_exists( $username ) ) {
+            $username = $original_username . $suffix;
+            $suffix++;
+        }
+        return $username;
+    }
+    /**
+     * Get usernames of admin users with common/default usernames
+     */
+    private function wpironis_get_admin_usernames() {
+        $insecure_usernames = array( 'admin', 'administrator', 'wordpress' );
+        $found_usernames = array();
+        foreach ( $insecure_usernames as $username ) {
+            $user = get_user_by( 'login', $username );
+            if ( $user && in_array( 'administrator', $user->roles ) ) {
+                $found_usernames[] = $username;
+            }
+        }
+        return $found_usernames;
+    }
+}

iron-security/trunk/admin/js/components/Dashboard.jsx

r3288628	r3300103
135	135	);
136	136
137		~~console.log(settings)~~
138	137
139	138	if (isLoading \|\| !settings) {

iron-security/trunk/admin/js/components/FileDirectoryProectionSettings.jsx

r3288628	r3300103
12	12
13	13	useEffect(() => {
14		// Update settings when they change
	14
15	15	setIsPhpUploadBlocked(settings.wpironis_options?.wpironis_block_php_uploads === 1);
16	16	setIsDirectAccessPrevented(settings.wpironis_options?.wpironis_prevent_direct_access === 1);

iron-security/trunk/admin/js/components/GeneralSettings.jsx

-                      r3288628
+                      r3300103
     useEffect(() => {
+        // Update all state values when settings change
         setIsXmlrpcEnabled(settings.wpironis_options?.wpironis_disable_xmlrpc === 1);
         setIsWpVersionHidden(settings.wpironis_options?.wpironis_hide_wp_version === 1);
 …
             const data = await response.json();
-            console.log('Response:', data); // Debug log
             if (data.success) {

iron-security/trunk/admin/js/components/HttpSecurityHeadersSettings.jsx

r3288628	r3300103
19	19
20	20	useEffect(() => {
21		// Update header settings when settings change
	21
22	22	setHeaderSettings({
23	23	contentTypeOptions: settings.wpironis_options?.wpironis_security_header_content_type_options === 1,

iron-security/trunk/admin/js/components/LoginLogoutSettings.jsx

-                      r3288628
+                      r3300103
     const [isLoadingAdminInfo, setIsLoadingAdminInfo] = useState(false);
+    const [isChangeAdminUsernameEnabled, setIsChangeAdminUsernameEnabled] = useState(
+        loginLogoutSettings.enable_change_admin_username === '1'
+    );
+    const [newAdminUsername, setNewAdminUsername] = useState(
+        loginLogoutSettings.wpironis_new_admin_username || ''
+    );
+    const [adminUsernameStatus, setAdminUsernameStatus] = useState(null);
     const getAdminCountStatus = () => {
 …
     useEffect(() => {
         const loginLogoutSettings = settings?.login_logout || {};
+        // Update all state values when settings change
         setIsCustomUrlEnabled(loginLogoutSettings.enable_slug_change === '1');
         setCustomUrl(loginLogoutSettings.wpironis_custom_login_slug || 'wp-admin');
 …
             setIsAdminIdProtectionEnabled(true);
+        }
+        if (loginLogoutSettings.enable_change_admin_username === '1') {
+            setIsChangeAdminUsernameEnabled(true);
+        }
+        if (loginLogoutSettings.wpironis_new_admin_username) {
+            setNewAdminUsername(loginLogoutSettings.wpironis_new_admin_username);
+        }
     }, [settings]);
 …
             console.error('Error:', error);
             showNotification(error.message || 'Failed to update custom URL setting', 'error');
             setIsCustomUrlEnabled(!enabled); // Revert the toggle
+            setIsCustomUrlEnabled(!enabled);
         } finally {
             setIsSaving(false);
 …
             console.error('Error:', error);
             showNotification(error.message || 'Failed to update session timeout setting', 'error');
             setIsSessionTimeoutEnabled(!enabled); // Revert the toggle
+            setIsSessionTimeoutEnabled(!enabled);
         } finally {
             setIsSaving(false);
 …
             setIsSaving(false);
+        }
+    };
+    const handleChangeAdminUsernameToggle = async (enabled) => {
+        setIsSaving(true);
+        try {
+            const formData = new FormData();
+            formData.append('action', 'iron_security_toggle_change_admin_username');
+            formData.append('enabled', enabled);
+            formData.append('nonce', settings.nonce);
+            const response = await fetch(ajaxurl, {
+                method: 'POST',
+                body: formData,
+                credentials: 'same-origin'
+            });
+            const data = await response.json();
+            if (data.success) {
+                setIsChangeAdminUsernameEnabled(enabled);
+                if (enabled && data.data.admin_usernames && data.data.admin_usernames.length > 0) {
+                    setAdminUsernameStatus({
+                        message: `Insecure admin usernames detected: ${data.data.admin_usernames.join(', ')}. Change them to improve security.`,
+                        type: 'warning'
+                    });
+                    if (!newAdminUsername) {
+                        generateRandomUsername();
+                    }
+                } else if (enabled) {
+                    setAdminUsernameStatus({
+                        message: 'No insecure admin usernames detected.',
+                        type: 'info'
+                    });
+                } else {
+                    setAdminUsernameStatus(null);
+                }
+                showNotification(data.data.message || 'Change admin username setting updated successfully');
+            } else {
+                throw new Error(data.data || 'Failed to update setting');
+            }
+        } catch (error) {
+            console.error('Error:', error);
+            showNotification(error.message || 'Failed to update change admin username setting', 'error');
+            setIsChangeAdminUsernameEnabled(!enabled);
+        } finally {
+            setIsSaving(false);
+        }
+    };
+    const handleSaveAdminUsername = async () => {
+        setIsSaving(true);
+        try {
+            const formData = new FormData();
+            formData.append('action', 'iron_security_save_change_admin_username');
+            formData.append('new_username', newAdminUsername);
+            formData.append('nonce', settings.nonce);
+            const response = await fetch(ajaxurl, {
+                method: 'POST',
+                body: formData,
+                credentials: 'same-origin'
+            });
+            const data = await response.json();
+            if (data.success) {
+                if (data.data.changed_users && data.data.changed_users.length > 0) {
+                    const changedUsers = data.data.changed_users;
+                    let message = 'The following admin usernames were changed:\n';
+                    changedUsers.forEach(user => {
+                        message += `• ${user.old_username} → ${user.new_username}`;
+                        if (user.display_name) {
+                            message += ` (${user.display_name})`;
+                        }
+                        message += '\n';
+                    });
+                    setAdminUsernameStatus({
+                        message: 'Admin usernames successfully changed.',
+                        type: 'info'
+                    });
+                    showNotification(data.data.message || 'Admin usernames changed successfully');
+                    setTimeout(() => {
+                        alert(message);
+                    }, 500);
+                } else {
+                    setAdminUsernameStatus({
+                        message: 'New admin username saved. No insecure admin usernames found to change.',
+                        type: 'info'
+                    });
+                    showNotification(data.data.message || 'New admin username saved successfully');
+                }
+            } else {
+                throw new Error(data.data || 'Failed to save new admin username');
+            }
+        } catch (error) {
+            console.error('Error:', error);
+            showNotification(error.message || 'Failed to save new admin username', 'error');
+        } finally {
+            setIsSaving(false);
+        }
+    };
+    const generateRandomUsername = () => {
+        const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+        let result = '';
+        const length = 8 + Math.floor(Math.random() * 8);
+        for (let i = 0; i < length; i++) {
+            result += chars.charAt(Math.floor(Math.random() * chars.length));
+        }
+        setNewAdminUsername(result);
     };
 …
                         </div>
                     )}
+                    <SettingToggle
+                        label="Change Default Admin Username"
+                        description="Change admin username if you have accounts with usernames like 'admin' or 'administrator' to prevent targeted attacks."
+                        checked={isChangeAdminUsernameEnabled}
+                        onChange={handleChangeAdminUsernameToggle}
+                        disabled={isSaving}
+                    />
+                    {isChangeAdminUsernameEnabled && (
+                        <div className="wpironis-custom-url-input">
+                            <div className="admin-username-info">
+                                <p className="description">
+                                    <strong>Default admin usernames like 'admin' or 'administrator' are frequently targeted in brute force attacks.</strong>
+                                    Change them to enhance your site's security.
+                                </p>
+                                {adminUsernameStatus && (
+                                    <p className={`description ${adminUsernameStatus.type}`}>
+                                        <span className={`dashicons dashicons-${adminUsernameStatus.type === 'warning' ? 'warning' : 'info'}`}></span>
+                                        {adminUsernameStatus.message}
+                                    </p>
+                                )}
+                                <div className="wpironis-input-group">
+                                    <label htmlFor="new-admin-username">New Username:</label>
+                                    <input
+                                        type="text"
+                                        id="new-admin-username"
+                                        value={newAdminUsername}
+                                        onChange={(e) => setNewAdminUsername(e.target.value.replace(/[^a-zA-Z]/g, ''))}
+                                        placeholder="Enter new username (letters only)"
+                                        disabled={isSaving}
+                                    />
+                                    <button
+                                        className="button button-secondary"
+                                        onClick={generateRandomUsername}
+                                        disabled={isSaving}
+                                        style={{ marginLeft: '5px' }}
+                                    >
+                                        Generate Random
+                                    </button>
+                                    <button
+                                        className="button button-primary"
+                                        onClick={handleSaveAdminUsername}
+                                        disabled={isSaving || !newAdminUsername}
+                                        style={{ marginLeft: '5px' }}
+                                    >
+                                        {isSaving ? 'Saving...' : 'Save Username'}
+                                    </button>
+                                </div>
+                            </div>
+                        </div>
+                    )}
                 </div>
             </div>

iron-security/trunk/admin/js/dist/manifest.json

r3296251	r3300103
1	1	{
2		"dashboard.js": "dashboard.~~d4938437720f6eface82~~.js",
	2	"dashboard.js": "dashboard.409171eb914877d3afe7.js",
3	3	"vendors.js": "vendors.91782840b9e9337a9a5f.js"
4	4	}

iron-security/trunk/includes/class-iron-security.php

-                      r3291538
+                      r3300103
         $this->loader->add_action( 'admin_menu', $plugin_admin, 'wpironis_plugin_menu' );
+        // Login Logout
         $this->loader->add_action( 'init', $plugin_admin, 'wpironis_redirect_login' );
         $this->loader->add_action( 'admin_init', $plugin_admin, 'wpironis_plugin_settings_init' );
 …
         $this->loader->add_filter( 'wp_handle_upload_prefilter', $plugin_admin, 'wpironis_prevent_php_upload' );
+        // AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_xmlrpc',
             $plugin_admin,
 …
             'wpironis_handle_core_autoupdate_toggle' );
+        // Custom admin URL AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_custom_url',
             $plugin_admin,
 …
             'wpironis_handle_custom_url_save' );
+        // Session timeout AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_session_timeout',
             $plugin_admin,
 …
             'wpironis_handle_session_timeout_save' );
+        // Limit login attempts AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_limit_login',
             $plugin_admin,
 …
             'wpironis_handle_limit_login_save' );
+        // Limit admins AJAX handlers
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_limit_admins',
             $plugin_admin,
 …
             'wpironis_handle_limit_admins_save' );
+        // Admin ID protection AJAX handler
         $this->loader->add_action( 'wp_ajax_iron_security_toggle_admin_id_protection',
             $plugin_admin,
             'wpironis_handle_admin_id_protection_toggle' );
+        // Admin role limitation hook
+        $this->loader->add_action( 'wp_ajax_iron_security_toggle_change_admin_username',
+            $plugin_admin,
+            'wpironis_handle_change_admin_username_toggle' );
+        $this->loader->add_action( 'wp_ajax_iron_security_save_change_admin_username',
+            $plugin_admin,
+            'wpironis_handle_change_admin_username_save' );
         $this->loader->add_action( 'set_user_role',
             $plugin_admin,
 …
 ,
 );
+        // Hook into user creation/update for admin limit
         $this->loader->add_action( 'user_register',
             $plugin_admin,
 …
 );
-        // REST API filter for admin limit
         $this->loader->add_filter( 'rest_request_after_callbacks',
             $plugin_admin,
 …
             'wpironis_handle_user_enum_message_save' );
+        // Also add filters for auto-updates on plugin initialization
         $options = get_option( 'wpironis_options', array() );
+        // Configure plugin auto-updates based on saved setting
         if ( ! empty( $options['wpironis_enable_plugin_autoupdate'] ) && $options['wpironis_enable_plugin_autoupdate'] === 1 ) {
             add_filter( 'auto_update_plugin', '__return_true' );
 …
+        }
+        // Configure core auto-updates based on saved setting
         if ( ! empty( $options['wpironis_enable_core_autoupdate'] ) && $options['wpironis_enable_core_autoupdate'] === 1 ) {
             add_filter( 'allow_major_auto_core_updates', '__return_true' );
 …
         $this->loader->add_action( 'init', $plugin_public, 'wpironis_init' );
+        // Add REST API restriction hooks
         $this->loader->add_filter( 'rest_authentication_errors', $plugin_public, 'wpironis_restrict_rest_api' );
         $this->loader->add_filter( 'rest_endpoints', $plugin_public, 'wpironis_disable_rest_endpoints' );

iron-security/trunk/iron-security.php

-                      r3296251
+                      r3300103
  * Plugin URI:        https://wpiron.com
  * Description:       Iron Security is a powerful WordPress security plugin to protect your site from common threats. Lock down your site with login protection, file security, and HTTP headers — all in one lightweight plugin.
  * Version:           2.3.2
+ * Version:           2.3.3
  * Author:            wpiron
  * Author URI:        https://wpiron.com/
 …
+}
 define( 'IRON_SECURITY_VERSION', '2.3.2' );
+define( 'IRON_SECURITY_VERSION', '2.3.3' );
 function wpiisec_activate_iron_security() {

Plugin Directory

Context Navigation

Legend:

iron-security/tags/2.3.3/README.txt

iron-security/tags/2.3.3/admin/class-iron-security-admin.php

iron-security/tags/2.3.3/admin/js/components/Dashboard.jsx

iron-security/tags/2.3.3/admin/js/components/FileDirectoryProectionSettings.jsx

iron-security/tags/2.3.3/admin/js/components/GeneralSettings.jsx

iron-security/tags/2.3.3/admin/js/components/HttpSecurityHeadersSettings.jsx

iron-security/tags/2.3.3/admin/js/components/LoginLogoutSettings.jsx

iron-security/tags/2.3.3/admin/js/dist/manifest.json

iron-security/tags/2.3.3/includes/class-iron-security.php

iron-security/tags/2.3.3/iron-security.php

iron-security/trunk/README.txt

iron-security/trunk/admin/class-iron-security-admin.php

iron-security/trunk/admin/js/components/Dashboard.jsx

iron-security/trunk/admin/js/components/FileDirectoryProectionSettings.jsx

iron-security/trunk/admin/js/components/GeneralSettings.jsx

iron-security/trunk/admin/js/components/HttpSecurityHeadersSettings.jsx

iron-security/trunk/admin/js/components/LoginLogoutSettings.jsx

iron-security/trunk/admin/js/dist/manifest.json

iron-security/trunk/includes/class-iron-security.php

iron-security/trunk/iron-security.php

Download in other formats: