Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3483739

Timestamp:

03/16/2026 11:00:53 AM (3 weeks ago)

Author:

jerryscg

Message:

Release 2.1.10 - learning suggestions and PHP 8.4 fix

Location:

vulntitan/trunk

Files:

: 9 edited

CHANGELOG.md (modified) (1 diff)
assets/js/firewall.js (modified) (11 diffs)
assets/js/firewall.min.js (modified) (11 diffs)
includes/Admin/Admin.php (modified) (1 diff)
includes/Admin/Ajax.php (modified) (3 diffs)
includes/Admin/Pages/Firewall.php (modified) (1 diff)
includes/Services/FirewallService.php (modified) (5 diffs)
readme.txt (modified) (2 diffs)
vulntitan.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

vulntitan/trunk/CHANGELOG.md

-                      r3483644
+                      r3483739
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.1.10] - 2026-03-16
+### Added
+- Added Learning Mode suggestions for WAF whitelisting with configurable thresholds and review-only approvals.
+- Added a Learning Suggestions panel with approve/dismiss actions.
+### Fixed
+- Fixed PHP 8.4 deprecation warning by making trusted proxy settings explicitly nullable.
 ## [2.1.9] - 2026-03-16

vulntitan/trunk/assets/js/firewall.js

-                      r3483644
+                      r3483739
     const $firewallWafCommandEnabled = $('#vulntitan-firewall-waf-command-enabled');
     const $firewallWafWhitelistPaths = $('#vulntitan-firewall-waf-whitelist-paths');
+    const $firewallLearningEnabled = $('#vulntitan-firewall-learning-enabled');
+    const $firewallLearningThreshold = $('#vulntitan-firewall-learning-threshold');
+    const $firewallLearningWindow = $('#vulntitan-firewall-learning-window');
+    const $firewallLearningRefresh = $('#vulntitan-firewall-learning-refresh');
+    const $firewallLearningList = $('#vulntitan-firewall-learning-list');
+    const $firewallLearningEmpty = $('#vulntitan-firewall-learning-empty');
     const $firewallTrustCloudflare = $('#vulntitan-firewall-trust-cloudflare');
     const $firewallTrustedProxies = $('#vulntitan-firewall-trusted-proxies');
 …
         allLogs: [],
         approvals: [],
+        learningSuggestions: [],
+        learningLoaded: false,
+        learningLoading: false,
         selectedLogId: '',
         visibleLogLimit: LOG_PAGE_SIZE,
 …
                 .prop('hidden', !isActive);
         });
+        if (normalizedTab === 'waf') {
+            maybeLoadLearningSuggestions(false);
+        }
+    }
 …
             Array.isArray(data.waf_whitelist_paths) ? data.waf_whitelist_paths.join('\n') : ''
         );
+        $firewallLearningEnabled.prop('checked', !!Number(data.learning_mode_enabled || 0));
+        $firewallLearningThreshold.val(Number(data.learning_suggestion_threshold || 3));
+        $firewallLearningWindow.val(Number(data.learning_suggestion_window_days || 7));
         $firewallTrustCloudflare.prop('checked', !!Number(data.trust_cloudflare || 0));
         $firewallTrustedProxies.val(
 …
             applySettings(data.settings || {});
             renderLoginAccess(data.login_access || {});
+            renderLearningSuggestions();
+        }
 …
         $firewallWafCommandEnabled.prop('disabled', !!isBusy);
         $firewallWafWhitelistPaths.prop('disabled', !!isBusy);
+        $firewallLearningEnabled.prop('disabled', !!isBusy);
+        $firewallLearningThreshold.prop('disabled', !!isBusy);
+        $firewallLearningWindow.prop('disabled', !!isBusy);
+        $firewallLearningRefresh.prop('disabled', !!isBusy);
         $firewallTrustCloudflare.prop('disabled', !!isBusy);
         $firewallTrustedProxies.prop('disabled', !!isBusy);
 …
+    }
+    function renderLearningSuggestions() {
+        if (!$firewallLearningList.length) {
+            return;
+        }
+        const enabled = $firewallLearningEnabled.is(':checked');
+        const suggestions = Array.isArray(state.learningSuggestions) ? state.learningSuggestions : [];
+        if (!enabled) {
+            $firewallLearningList.empty();
+            $firewallLearningEmpty
+                .text(i18n.firewall_learning_disabled || 'Learning suggestions are disabled.')
+                .show();
+            return;
+        }
+        if (!suggestions.length) {
+            $firewallLearningList.empty();
+            $firewallLearningEmpty
+                .text(i18n.firewall_learning_empty || 'No learning suggestions yet.')
+                .show();
+            return;
+        }
+        $firewallLearningEmpty.hide();
+        $firewallLearningList.html(suggestions.map(renderLearningItem).join(''));
+    }
+    function renderLearningItem(item) {
+        const pattern = String(item.pattern || '');
+        const lastSeen = item.last_seen_local || item.last_seen || '';
+        const count = Number(item.count || 0);
+        const ruleGroup = item.rule_group || '';
+        const ruleId = item.rule_id || '';
+        const action = item.approval_action || '';
+        const restRoute = item.approval_rest_route || '';
+        const actionLabel = action
+            ? `${i18n.firewall_approval_action || 'Action'}: ${action}`
+            : (restRoute ? `${i18n.firewall_approval_route || 'Route'}: ${restRoute}` : '');
+        return `
+            <div class="vulntitan-firewall-log-item vulntitan-firewall-approval-card">
+                <div class="vulntitan-firewall-log-head">
+                    <span class="vulntitan-firewall-log-badge is-warning">
+                        ${escapeHtml(i18n.firewall_learning_suggestion || 'Learning suggestion')}
+                    </span>
+                    <time class="vulntitan-firewall-log-time">${escapeHtml(lastSeen)}</time>
+                </div>
+                <div class="vulntitan-firewall-log-request">${escapeHtml(pattern || '/')}</div>
+                <div class="vulntitan-firewall-log-meta">
+                    <span class="vulntitan-firewall-log-meta-item">${escapeHtml(i18n.firewall_learning_hits || 'Hits')}: ${count}</span>
+                    ${ruleGroup ? `<span class="vulntitan-firewall-log-meta-item">Group: ${escapeHtml(ruleGroup)}</span>` : ''}
+                    ${ruleId ? `<span class="vulntitan-firewall-log-meta-item">Rule: ${escapeHtml(ruleId)}</span>` : ''}
+                    ${actionLabel ? `<span class="vulntitan-firewall-log-meta-item">${escapeHtml(actionLabel)}</span>` : ''}
+                </div>
+                <div class="vulntitan-firewall-approval-pattern">
+                    <span>${escapeHtml(i18n.firewall_approval_pattern || 'Whitelist pattern')}:</span>
+                    <code>${escapeHtml(pattern)}</code>
+                </div>
+                <div class="vulntitan-firewall-approval-actions">
+                    <button type="button" class="vulntitan-fw-btn vulntitan-fw-btn-primary" data-firewall-learning-allow="${escapeHtml(pattern)}">
+                        ${escapeHtml(i18n.firewall_learning_allow || 'Allow')}
+                    </button>
+                    <button type="button" class="vulntitan-fw-btn vulntitan-fw-btn-secondary" data-firewall-learning-dismiss="${escapeHtml(pattern)}">
+                        ${escapeHtml(i18n.firewall_learning_dismiss || 'Dismiss')}
+                    </button>
+                </div>
+            </div>
+        `;
+    }
+    function loadLearningSuggestions(options) {
+        if (!$firewallLearningList.length) {
+            return;
+        }
+        const config = $.extend({
+            silent: false,
+            force: false
+        }, options || {});
+        if (!$firewallLearningEnabled.is(':checked')) {
+            state.learningSuggestions = [];
+            renderLearningSuggestions();
+            return;
+        }
+        if (state.learningLoading) {
+            return;
+        }
+        if (state.learningLoaded && !config.force) {
+            renderLearningSuggestions();
+            return;
+        }
+        state.learningLoading = true;
+        if (!config.silent) {
+            setFeedback('info', i18n.firewall_learning_loading || 'Loading learning suggestions...');
+        }
+        $.post(VulnTitan.ajaxUrl, {
+            action: 'vulntitan_firewall_get_learning',
+            nonce: VulnTitan.nonce
+        }, function (response) {
+            if (!response || !response.success) {
+                const message = (response && response.data && response.data.message)
+                    ? response.data.message
+                    : (i18n.firewall_learning_failed || 'Failed to load learning suggestions.');
+                if (!config.silent) {
+                    setFeedback('error', message);
+                }
+                return;
+            }
+            const payload = response.data || {};
+            state.learningSuggestions = Array.isArray(payload.suggestions) ? payload.suggestions : [];
+            state.learningLoaded = true;
+            renderLearningSuggestions();
+            if (!config.silent) {
+                setFeedback('success', i18n.firewall_learning_updated || 'Learning suggestions updated.');
+            }
+        }).fail(function () {
+            if (!config.silent) {
+                setFeedback('error', i18n.firewall_learning_failed || 'Failed to load learning suggestions.');
+            }
+        }).always(function () {
+            state.learningLoading = false;
+        });
+    }
+    function maybeLoadLearningSuggestions(force) {
+        if (force) {
+            loadLearningSuggestions({ force: true, silent: true });
+            return;
+        }
+        if (!state.learningLoaded) {
+            loadLearningSuggestions({ silent: true });
+        } else {
+            renderLearningSuggestions();
+        }
+    }
     function saveSettings() {
         if (state.requestInFlight) {
 …
             waf_command_injection_enabled: $firewallWafCommandEnabled.is(':checked') ? 1 : 0,
             waf_whitelist_paths: String($firewallWafWhitelistPaths.val() || ''),
+            learning_mode_enabled: $firewallLearningEnabled.is(':checked') ? 1 : 0,
+            learning_suggestion_threshold: Number($firewallLearningThreshold.val() || 3),
+            learning_suggestion_window_days: Number($firewallLearningWindow.val() || 7),
             trust_cloudflare: $firewallTrustCloudflare.is(':checked') ? 1 : 0,
             trusted_proxies: String($firewallTrustedProxies.val() || ''),
 …
             });
+            const activeTab = String($firewallTabs.filter('.is-active').data('firewallTab') || '');
+            if (activeTab === 'waf' && $firewallLearningEnabled.is(':checked')) {
+                state.learningLoaded = false;
+                loadLearningSuggestions({
+                    silent: true,
+                    force: true
+                });
+            }
             const muInstall = payload.mu_loader_install || {};
             if (payload.notice) {
 …
+    }
+    function sendLearningAction(action, pattern, $button, confirmMessage, successMessage) {
+        const cleanPattern = String(pattern || '').trim();
+        if (!cleanPattern) {
+            setFeedback('error', i18n.firewall_approval_invalid || 'Invalid learning suggestion.');
+            return;
+        }
+        if (confirmMessage && !window.confirm(confirmMessage)) {
+            return;
+        }
+        if ($button && $button.length) {
+            $button.prop('disabled', true);
+        }
+        setFeedback('info', i18n.firewall_action_in_progress || 'Working...');
+        $.post(VulnTitan.ajaxUrl, {
+            action: action,
+            nonce: VulnTitan.nonce,
+            pattern: cleanPattern
+        }, function (response) {
+            if (!response || !response.success) {
+                const message = (response && response.data && response.data.message)
+                    ? response.data.message
+                    : (i18n.firewall_action_failed || 'Action failed.');
+                setFeedback('error', message);
+                return;
+            }
+            const payload = response.data || {};
+            if (payload.settings) {
+                applySettings(payload.settings);
+            }
+            if (Array.isArray(payload.suggestions)) {
+                state.learningSuggestions = payload.suggestions;
+                state.learningLoaded = true;
+                renderLearningSuggestions();
+            }
+            setFeedback('success', successMessage);
+        }).fail(function () {
+            setFeedback('error', i18n.firewall_action_failed || 'Action failed.');
+        }).always(function () {
+            if ($button && $button.length) {
+                $button.prop('disabled', false);
+            }
+        });
+    }
     function handleFeedToggle() {
         state.feedPaused = !state.feedPaused;
 …
     });
+    $firewallLearningRefresh.off('click').on('click', function () {
+        loadLearningSuggestions({
+            silent: false,
+            force: true
+        });
+    });
+    $firewallLearningEnabled.off('change').on('change', function () {
+        if ($firewallLearningEnabled.is(':checked')) {
+            state.learningLoaded = false;
+            loadLearningSuggestions({
+                silent: true,
+                force: true
+            });
+            return;
+        }
+        state.learningLoaded = false;
+        state.learningSuggestions = [];
+        renderLearningSuggestions();
+    });
+    $firewallLearningList.off('click', '[data-firewall-learning-allow]').on('click', '[data-firewall-learning-allow]', function () {
+        const $button = $(this);
+        const pattern = String($button.data('firewallLearningAllow') || '');
+        sendLearningAction(
+            'vulntitan_firewall_apply_learning',
+            pattern,
+            $button,
+            i18n.firewall_learning_confirm_allow || 'Allow this suggested pattern and add it to the WAF whitelist?',
+            i18n.firewall_approval_success || 'Whitelist updated.'
+        );
+    });
+    $firewallLearningList.off('click', '[data-firewall-learning-dismiss]').on('click', '[data-firewall-learning-dismiss]', function () {
+        const $button = $(this);
+        const pattern = String($button.data('firewallLearningDismiss') || '');
+        sendLearningAction(
+            'vulntitan_firewall_dismiss_learning',
+            pattern,
+            $button,
+            i18n.firewall_learning_confirm_dismiss || 'Dismiss this learning suggestion?',
+            i18n.firewall_learning_dismissed || 'Learning suggestion dismissed.'
+        );
+    });
     $firewallLoadMore.off('click', '[data-firewall-load-more]').on('click', '[data-firewall-load-more]', function () {
         state.visibleLogLimit += LOG_PAGE_SIZE;

vulntitan/trunk/assets/js/firewall.min.js

-                      r3483644
+                      r3483739
     const $firewallWafCommandEnabled = $('#vulntitan-firewall-waf-command-enabled');
     const $firewallWafWhitelistPaths = $('#vulntitan-firewall-waf-whitelist-paths');
+    const $firewallLearningEnabled = $('#vulntitan-firewall-learning-enabled');
+    const $firewallLearningThreshold = $('#vulntitan-firewall-learning-threshold');
+    const $firewallLearningWindow = $('#vulntitan-firewall-learning-window');
+    const $firewallLearningRefresh = $('#vulntitan-firewall-learning-refresh');
+    const $firewallLearningList = $('#vulntitan-firewall-learning-list');
+    const $firewallLearningEmpty = $('#vulntitan-firewall-learning-empty');
     const $firewallTrustCloudflare = $('#vulntitan-firewall-trust-cloudflare');
     const $firewallTrustedProxies = $('#vulntitan-firewall-trusted-proxies');
 …
         allLogs: [],
         approvals: [],
+        learningSuggestions: [],
+        learningLoaded: false,
+        learningLoading: false,
         selectedLogId: '',
         visibleLogLimit: LOG_PAGE_SIZE,
 …
                 .prop('hidden', !isActive);
         });
+        if (normalizedTab === 'waf') {
+            maybeLoadLearningSuggestions(false);
+        }
+    }
 …
             Array.isArray(data.waf_whitelist_paths) ? data.waf_whitelist_paths.join('\n') : ''
         );
+        $firewallLearningEnabled.prop('checked', !!Number(data.learning_mode_enabled || 0));
+        $firewallLearningThreshold.val(Number(data.learning_suggestion_threshold || 3));
+        $firewallLearningWindow.val(Number(data.learning_suggestion_window_days || 7));
         $firewallTrustCloudflare.prop('checked', !!Number(data.trust_cloudflare || 0));
         $firewallTrustedProxies.val(
 …
+    }
+    function applyPayload(payload, options) {
+        const data = payload || {};
+        const config = $.extend({
+            syncSettings: true
+        }, options || {});
+        latestMuLoaderStatus = data.mu_loader || latestMuLoaderStatus;
+        state.allLogs = Array.isArray(data.logs) ? data.logs : [];
+        state.approvals = Array.isArray(data.approvals) ? data.approvals : [];
+        state.proxyStatus = data.proxy_status || state.proxyStatus || {};
+        state.lastUpdatedAt = new Date();
+        state.lastRefreshFailed = false;
+        if (config.syncSettings) {
+            applySettings(data.settings || {});
+            renderLoginAccess(data.login_access || {});
+            renderLearningSuggestions();
+        }
+        renderOverview(data.summary || {}, latestMuLoaderStatus || {});
+        renderFeed();
+        renderApprovals();
+        updateFeedChrome();
+        updateProxyWarnings();
+    }
+    function setBusyState(isBusy) {
+        state.hardBusy = !!isBusy;
+        $firewallRoot.toggleClass('is-busy', !!isBusy);
+        $firewallSaveSettings.prop('disabled', !!isBusy);
+        $firewallRefresh.prop('disabled', !!isBusy);
+        $firewallClearLogs.prop('disabled', !!isBusy);
+        $firewallFeedToggle.prop('disabled', !!isBusy);
+        $firewallFeedSearch.prop('disabled', !!isBusy);
+        $firewallFeedFilters.prop('disabled', !!isBusy);
+        $firewallLoadMore.find('[data-firewall-load-more]').prop('disabled', !!isBusy);
+        $firewallTabs.prop('disabled', !!isBusy);
+        $firewallEnabled.prop('disabled', !!isBusy);
+        $firewallLoginProtection.prop('disabled', !!isBusy);
+        $firewallCustomLoginSlug.prop('disabled', !!isBusy);
+        $firewallTwoFactorEnabled.prop('disabled', !!isBusy);
+        $firewallCaptchaProvider.prop('disabled', !!isBusy);
+        $firewallXmlrpcPolicy.prop('disabled', !!isBusy);
+        $firewallXmlrpcAllowlist.prop('disabled', !!isBusy);
+        $firewallWeakPasswordBlockingEnabled.prop('disabled', !!isBusy);
+        $firewallWafSqliEnabled.prop('disabled', !!isBusy);
+        $firewallWafCommandEnabled.prop('disabled', !!isBusy);
+        $firewallWafWhitelistPaths.prop('disabled', !!isBusy);
+        $firewallLearningEnabled.prop('disabled', !!isBusy);
+        $firewallLearningThreshold.prop('disabled', !!isBusy);
+        $firewallLearningWindow.prop('disabled', !!isBusy);
+        $firewallLearningRefresh.prop('disabled', !!isBusy);
+        $firewallTrustCloudflare.prop('disabled', !!isBusy);
+        $firewallTrustedProxies.prop('disabled', !!isBusy);
+        $firewallMaxAttempts.prop('disabled', !!isBusy);
+        $firewallLockoutMinutes.prop('disabled', !!isBusy);
+        $firewallCommentShieldEnabled.prop('disabled', !!isBusy);
+        $firewallCommentSuspiciousAction.prop('disabled', !!isBusy);
+        $firewallCommentMinSubmitSeconds.prop('disabled', !!isBusy);
+        $firewallCommentMaxLinks.prop('disabled', !!isBusy);
+        $firewallCommentRateLimitAttempts.prop('disabled', !!isBusy);
+        $firewallCommentRateLimitWindowMinutes.prop('disabled', !!isBusy);
+        $firewallLogRetention.prop('disabled', !!isBusy);
+        $firewallLockoutAllowlist.prop('disabled', !!isBusy);
+        $firewallWeeklySummaryEmailEnabled.prop('disabled', !!isBusy);
+        $firewallWeeklySummaryEmailRecipient.prop('disabled', !!isBusy);
+        refreshIdentityControlState();
+    }
+    function loadFirewallData(options) {
+        const config = $.extend({
+            showLoadingNotice: false,
+            hardBusy: false,
+            silentError: false,
+            clearFeedbackOnSuccess: false,
+            syncSettings: false
+        }, options || {});
+        if (state.requestInFlight) {
+            return;
+        }
+        if (config.hardBusy) {
+            setBusyState(true);
+        }
+        state.requestInFlight = true;
+        updateFeedChrome();
+        if (config.showLoadingNotice) {
+            setFeedback('info', i18n.firewall_refreshing || 'Refreshing firewall data...');
+        }
+        $.post(VulnTitan.ajaxUrl, {
+            action: 'vulntitan_firewall_get_data',
+            nonce: VulnTitan.nonce
+        }, function (response) {
+            if (!response || !response.success) {
+                state.lastRefreshFailed = true;
+                updateFeedChrome();
+                if (!config.silentError) {
+                    const message = (response && response.data && response.data.message)
+                        ? response.data.message
+                        : (i18n.firewall_load_failed || 'Failed to load firewall data.');
+                    setFeedback('error', message);
+                }
+                return;
+            }
+            applyPayload(response.data || {}, {
+                syncSettings: config.syncSettings
+            });
+            if (config.clearFeedbackOnSuccess) {
+                setFeedback('', '');
+            }
+        }).fail(function () {
+            state.lastRefreshFailed = true;
+            updateFeedChrome();
+            if (!config.silentError) {
+                setFeedback('error', i18n.firewall_load_failed || 'Failed to load firewall data.');
+            }
+        }).always(function () {
+            state.requestInFlight = false;
+            updateFeedChrome();
+            if (config.hardBusy) {
+                setBusyState(false);
+            }
+        });
+    }
     function renderApprovals() {
         if (!$firewallApprovalsList.length) {
 …
+    }
+    function applyPayload(payload, options) {
+        const data = payload || {};
+    function renderLearningSuggestions() {
+        if (!$firewallLearningList.length) {
+            return;
+        }
+        const enabled = $firewallLearningEnabled.is(':checked');
+        const suggestions = Array.isArray(state.learningSuggestions) ? state.learningSuggestions : [];
+        if (!enabled) {
+            $firewallLearningList.empty();
+            $firewallLearningEmpty
+                .text(i18n.firewall_learning_disabled || 'Learning suggestions are disabled.')
+                .show();
+            return;
+        }
+        if (!suggestions.length) {
+            $firewallLearningList.empty();
+            $firewallLearningEmpty
+                .text(i18n.firewall_learning_empty || 'No learning suggestions yet.')
+                .show();
+            return;
+        }
+        $firewallLearningEmpty.hide();
+        $firewallLearningList.html(suggestions.map(renderLearningItem).join(''));
+    }
+    function renderLearningItem(item) {
+        const pattern = String(item.pattern || '');
+        const lastSeen = item.last_seen_local || item.last_seen || '';
+        const count = Number(item.count || 0);
+        const ruleGroup = item.rule_group || '';
+        const ruleId = item.rule_id || '';
+        const action = item.approval_action || '';
+        const restRoute = item.approval_rest_route || '';
+        const actionLabel = action
+            ? `${i18n.firewall_approval_action || 'Action'}: ${action}`
+            : (restRoute ? `${i18n.firewall_approval_route || 'Route'}: ${restRoute}` : '');
+        return `
+            <div class="vulntitan-firewall-log-item vulntitan-firewall-approval-card">
+                <div class="vulntitan-firewall-log-head">
+                    <span class="vulntitan-firewall-log-badge is-warning">
+                        ${escapeHtml(i18n.firewall_learning_suggestion || 'Learning suggestion')}
+                    </span>
+                    <time class="vulntitan-firewall-log-time">${escapeHtml(lastSeen)}</time>
+                </div>
+                <div class="vulntitan-firewall-log-request">${escapeHtml(pattern || '/')}</div>
+                <div class="vulntitan-firewall-log-meta">
+                    <span class="vulntitan-firewall-log-meta-item">${escapeHtml(i18n.firewall_learning_hits || 'Hits')}: ${count}</span>
+                    ${ruleGroup ? `<span class="vulntitan-firewall-log-meta-item">Group: ${escapeHtml(ruleGroup)}</span>` : ''}
+                    ${ruleId ? `<span class="vulntitan-firewall-log-meta-item">Rule: ${escapeHtml(ruleId)}</span>` : ''}
+                    ${actionLabel ? `<span class="vulntitan-firewall-log-meta-item">${escapeHtml(actionLabel)}</span>` : ''}
+                </div>
+                <div class="vulntitan-firewall-approval-pattern">
+                    <span>${escapeHtml(i18n.firewall_approval_pattern || 'Whitelist pattern')}:</span>
+                    <code>${escapeHtml(pattern)}</code>
+                </div>
+                <div class="vulntitan-firewall-approval-actions">
+                    <button type="button" class="vulntitan-fw-btn vulntitan-fw-btn-primary" data-firewall-learning-allow="${escapeHtml(pattern)}">
+                        ${escapeHtml(i18n.firewall_learning_allow || 'Allow')}
+                    </button>
+                    <button type="button" class="vulntitan-fw-btn vulntitan-fw-btn-secondary" data-firewall-learning-dismiss="${escapeHtml(pattern)}">
+                        ${escapeHtml(i18n.firewall_learning_dismiss || 'Dismiss')}
+                    </button>
+                </div>
+            </div>
+        `;
+    }
+    function loadLearningSuggestions(options) {
+        if (!$firewallLearningList.length) {
+            return;
+        }
         const config = $.extend({
+            syncSettings: true
+            silent: false,
+            force: false
         }, options || {});
+        latestMuLoaderStatus = data.mu_loader || latestMuLoaderStatus;
+        state.allLogs = Array.isArray(data.logs) ? data.logs : [];
+        state.approvals = Array.isArray(data.approvals) ? data.approvals : [];
+        state.proxyStatus = data.proxy_status || state.proxyStatus || {};
+        state.lastUpdatedAt = new Date();
+        state.lastRefreshFailed = false;
+        if (config.syncSettings) {
+            applySettings(data.settings || {});
+            renderLoginAccess(data.login_access || {});
+        }
+        renderOverview(data.summary || {}, latestMuLoaderStatus || {});
+        renderFeed();
+        renderApprovals();
+        updateFeedChrome();
+        updateProxyWarnings();
+    }
+    function setBusyState(isBusy) {
+        state.hardBusy = !!isBusy;
+        $firewallRoot.toggleClass('is-busy', !!isBusy);
+        $firewallSaveSettings.prop('disabled', !!isBusy);
+        $firewallRefresh.prop('disabled', !!isBusy);
+        $firewallClearLogs.prop('disabled', !!isBusy);
+        $firewallFeedToggle.prop('disabled', !!isBusy);
+        $firewallFeedSearch.prop('disabled', !!isBusy);
+        $firewallFeedFilters.prop('disabled', !!isBusy);
+        $firewallLoadMore.find('[data-firewall-load-more]').prop('disabled', !!isBusy);
+        $firewallTabs.prop('disabled', !!isBusy);
+        $firewallEnabled.prop('disabled', !!isBusy);
+        $firewallLoginProtection.prop('disabled', !!isBusy);
+        $firewallCustomLoginSlug.prop('disabled', !!isBusy);
+        $firewallTwoFactorEnabled.prop('disabled', !!isBusy);
+        $firewallCaptchaProvider.prop('disabled', !!isBusy);
+        $firewallXmlrpcPolicy.prop('disabled', !!isBusy);
+        $firewallXmlrpcAllowlist.prop('disabled', !!isBusy);
+        $firewallWeakPasswordBlockingEnabled.prop('disabled', !!isBusy);
+        $firewallWafSqliEnabled.prop('disabled', !!isBusy);
+        $firewallWafCommandEnabled.prop('disabled', !!isBusy);
+        $firewallWafWhitelistPaths.prop('disabled', !!isBusy);
+        $firewallTrustCloudflare.prop('disabled', !!isBusy);
+        $firewallTrustedProxies.prop('disabled', !!isBusy);
+        $firewallMaxAttempts.prop('disabled', !!isBusy);
+        $firewallLockoutMinutes.prop('disabled', !!isBusy);
+        $firewallCommentShieldEnabled.prop('disabled', !!isBusy);
+        $firewallCommentSuspiciousAction.prop('disabled', !!isBusy);
+        $firewallCommentMinSubmitSeconds.prop('disabled', !!isBusy);
+        $firewallCommentMaxLinks.prop('disabled', !!isBusy);
+        $firewallCommentRateLimitAttempts.prop('disabled', !!isBusy);
+        $firewallCommentRateLimitWindowMinutes.prop('disabled', !!isBusy);
+        $firewallLogRetention.prop('disabled', !!isBusy);
+        $firewallLockoutAllowlist.prop('disabled', !!isBusy);
+        $firewallWeeklySummaryEmailEnabled.prop('disabled', !!isBusy);
+        $firewallWeeklySummaryEmailRecipient.prop('disabled', !!isBusy);
+        refreshIdentityControlState();
+    }
+    function loadFirewallData(options) {
+        const config = $.extend({
+            showLoadingNotice: false,
+            hardBusy: false,
+            silentError: false,
+            clearFeedbackOnSuccess: false,
+            syncSettings: false
+        }, options || {});
+        if (state.requestInFlight) {
+            return;
+        }
+        if (config.hardBusy) {
+            setBusyState(true);
+        }
+        state.requestInFlight = true;
+        updateFeedChrome();
+        if (config.showLoadingNotice) {
+            setFeedback('info', i18n.firewall_refreshing || 'Refreshing firewall data...');
+        if (!$firewallLearningEnabled.is(':checked')) {
+            state.learningSuggestions = [];
+            renderLearningSuggestions();
+            return;
+        }
+        if (state.learningLoading) {
+            return;
+        }
+        if (state.learningLoaded && !config.force) {
+            renderLearningSuggestions();
+            return;
+        }
+        state.learningLoading = true;
+        if (!config.silent) {
+            setFeedback('info', i18n.firewall_learning_loading || 'Loading learning suggestions...');
+        }
         $.post(VulnTitan.ajaxUrl, {
             action: 'vulntitan_firewall_get_data',
+            action: 'vulntitan_firewall_get_learning',
             nonce: VulnTitan.nonce
         }, function (response) {
             if (!response || !response.success) {
+                state.lastRefreshFailed = true;
+                updateFeedChrome();
+                if (!config.silentError) {
+                    const message = (response && response.data && response.data.message)
+                        ? response.data.message
+                        : (i18n.firewall_load_failed || 'Failed to load firewall data.');
+                const message = (response && response.data && response.data.message)
+                    ? response.data.message
+                    : (i18n.firewall_learning_failed || 'Failed to load learning suggestions.');
+                if (!config.silent) {
                     setFeedback('error', message);
+                }
 …
+            }
+            applyPayload(response.data || {}, {
+                syncSettings: config.syncSettings
+            });
+            if (config.clearFeedbackOnSuccess) {
+                setFeedback('', '');
+            const payload = response.data || {};
+            state.learningSuggestions = Array.isArray(payload.suggestions) ? payload.suggestions : [];
+            state.learningLoaded = true;
+            renderLearningSuggestions();
+            if (!config.silent) {
+                setFeedback('success', i18n.firewall_learning_updated || 'Learning suggestions updated.');
+            }
         }).fail(function () {
+            state.lastRefreshFailed = true;
+            updateFeedChrome();
+            if (!config.silentError) {
+                setFeedback('error', i18n.firewall_load_failed || 'Failed to load firewall data.');
+            if (!config.silent) {
+                setFeedback('error', i18n.firewall_learning_failed || 'Failed to load learning suggestions.');
+            }
         }).always(function () {
+            state.requestInFlight = false;
+            updateFeedChrome();
+            if (config.hardBusy) {
+                setBusyState(false);
+            }
+            state.learningLoading = false;
         });
+    }
+    function maybeLoadLearningSuggestions(force) {
+        if (force) {
+            loadLearningSuggestions({ force: true, silent: true });
+            return;
+        }
+        if (!state.learningLoaded) {
+            loadLearningSuggestions({ silent: true });
+        } else {
+            renderLearningSuggestions();
+        }
+    }
 …
             waf_command_injection_enabled: $firewallWafCommandEnabled.is(':checked') ? 1 : 0,
             waf_whitelist_paths: String($firewallWafWhitelistPaths.val() || ''),
+            learning_mode_enabled: $firewallLearningEnabled.is(':checked') ? 1 : 0,
+            learning_suggestion_threshold: Number($firewallLearningThreshold.val() || 3),
+            learning_suggestion_window_days: Number($firewallLearningWindow.val() || 7),
             trust_cloudflare: $firewallTrustCloudflare.is(':checked') ? 1 : 0,
             trusted_proxies: String($firewallTrustedProxies.val() || ''),
 …
             });
+            const activeTab = String($firewallTabs.filter('.is-active').data('firewallTab') || '');
+            if (activeTab === 'waf' && $firewallLearningEnabled.is(':checked')) {
+                state.learningLoaded = false;
+                loadLearningSuggestions({
+                    silent: true,
+                    force: true
+                });
+            }
             const muInstall = payload.mu_loader_install || {};
             if (payload.notice) {
 …
+    }
+    function sendLearningAction(action, pattern, $button, confirmMessage, successMessage) {
+        const cleanPattern = String(pattern || '').trim();
+        if (!cleanPattern) {
+            setFeedback('error', i18n.firewall_approval_invalid || 'Invalid learning suggestion.');
+            return;
+        }
+        if (confirmMessage && !window.confirm(confirmMessage)) {
+            return;
+        }
+        if ($button && $button.length) {
+            $button.prop('disabled', true);
+        }
+        setFeedback('info', i18n.firewall_action_in_progress || 'Working...');
+        $.post(VulnTitan.ajaxUrl, {
+            action: action,
+            nonce: VulnTitan.nonce,
+            pattern: cleanPattern
+        }, function (response) {
+            if (!response || !response.success) {
+                const message = (response && response.data && response.data.message)
+                    ? response.data.message
+                    : (i18n.firewall_action_failed || 'Action failed.');
+                setFeedback('error', message);
+                return;
+            }
+            const payload = response.data || {};
+            if (payload.settings) {
+                applySettings(payload.settings);
+            }
+            if (Array.isArray(payload.suggestions)) {
+                state.learningSuggestions = payload.suggestions;
+                state.learningLoaded = true;
+                renderLearningSuggestions();
+            }
+            setFeedback('success', successMessage);
+        }).fail(function () {
+            setFeedback('error', i18n.firewall_action_failed || 'Action failed.');
+        }).always(function () {
+            if ($button && $button.length) {
+                $button.prop('disabled', false);
+            }
+        });
+    }
     function handleFeedToggle() {
         state.feedPaused = !state.feedPaused;
 …
     });
+    $firewallLearningRefresh.off('click').on('click', function () {
+        loadLearningSuggestions({
+            silent: false,
+            force: true
+        });
+    });
+    $firewallLearningEnabled.off('change').on('change', function () {
+        if ($firewallLearningEnabled.is(':checked')) {
+            state.learningLoaded = false;
+            loadLearningSuggestions({
+                silent: true,
+                force: true
+            });
+            return;
+        }
+        state.learningLoaded = false;
+        state.learningSuggestions = [];
+        renderLearningSuggestions();
+    });
+    $firewallLearningList.off('click', '[data-firewall-learning-allow]').on('click', '[data-firewall-learning-allow]', function () {
+        const $button = $(this);
+        const pattern = String($button.data('firewallLearningAllow') || '');
+        sendLearningAction(
+            'vulntitan_firewall_apply_learning',
+            pattern,
+            $button,
+            i18n.firewall_learning_confirm_allow || 'Allow this suggested pattern and add it to the WAF whitelist?',
+            i18n.firewall_approval_success || 'Whitelist updated.'
+        );
+    });
+    $firewallLearningList.off('click', '[data-firewall-learning-dismiss]').on('click', '[data-firewall-learning-dismiss]', function () {
+        const $button = $(this);
+        const pattern = String($button.data('firewallLearningDismiss') || '');
+        sendLearningAction(
+            'vulntitan_firewall_dismiss_learning',
+            pattern,
+            $button,
+            i18n.firewall_learning_confirm_dismiss || 'Dismiss this learning suggestion?',
+            i18n.firewall_learning_dismissed || 'Learning suggestion dismissed.'
+        );
+    });
     $firewallLoadMore.off('click', '[data-firewall-load-more]').on('click', '[data-firewall-load-more]', function () {
         state.visibleLogLimit += LOG_PAGE_SIZE;

vulntitan/trunk/includes/Admin/Admin.php

-                      r3483333
+                      r3483739
                     'firewall_approval_no_pattern' => esc_html__('No safe auto-approval pattern available.', 'vulntitan'),
                     'firewall_approval_invalid' => esc_html__('Invalid approval request.', 'vulntitan'),
+                    'firewall_learning_loading' => esc_html__('Loading learning suggestions...', 'vulntitan'),
+                    'firewall_learning_updated' => esc_html__('Learning suggestions updated.', 'vulntitan'),
+                    'firewall_learning_failed' => esc_html__('Failed to load learning suggestions.', 'vulntitan'),
+                    'firewall_learning_empty' => esc_html__('No learning suggestions yet.', 'vulntitan'),
+                    'firewall_learning_disabled' => esc_html__('Learning suggestions are disabled.', 'vulntitan'),
+                    'firewall_learning_suggestion' => esc_html__('Learning suggestion', 'vulntitan'),
+                    'firewall_learning_hits' => esc_html__('Hits', 'vulntitan'),
+                    'firewall_learning_last_seen' => esc_html__('Last seen', 'vulntitan'),
+                    'firewall_learning_allow' => esc_html__('Allow', 'vulntitan'),
+                    'firewall_learning_dismiss' => esc_html__('Dismiss', 'vulntitan'),
+                    'firewall_learning_dismissed' => esc_html__('Learning suggestion dismissed.', 'vulntitan'),
+                    'firewall_learning_confirm_allow' => esc_html__('Allow this suggested pattern and add it to the WAF whitelist?', 'vulntitan'),
+                    'firewall_learning_confirm_dismiss' => esc_html__('Dismiss this learning suggestion?', 'vulntitan'),
+                    'firewall_learning_refresh' => esc_html__('Refresh suggestions', 'vulntitan'),
                 ],
             ]);

vulntitan/trunk/includes/Admin/Ajax.php

-                      r3483644
+                      r3483739
         add_action('wp_ajax_vulntitan_firewall_unblock_ip', [$this, 'firewallUnblockIp']);
         add_action('wp_ajax_vulntitan_firewall_allowlist_ip', [$this, 'firewallAllowlistIp']);
+        add_action('wp_ajax_vulntitan_firewall_get_learning', [$this, 'firewallGetLearning']);
+        add_action('wp_ajax_vulntitan_firewall_apply_learning', [$this, 'firewallApplyLearning']);
+        add_action('wp_ajax_vulntitan_firewall_dismiss_learning', [$this, 'firewallDismissLearning']);
+    }
 …
             'waf_command_injection_enabled' => isset($_POST['waf_command_injection_enabled']) ? (int) wp_unslash($_POST['waf_command_injection_enabled']) : 1,
             'waf_whitelist_paths' => isset($_POST['waf_whitelist_paths']) ? (string) wp_unslash($_POST['waf_whitelist_paths']) : '',
+            'learning_mode_enabled' => isset($_POST['learning_mode_enabled']) ? (int) wp_unslash($_POST['learning_mode_enabled']) : 0,
+            'learning_suggestion_threshold' => isset($_POST['learning_suggestion_threshold']) ? (int) wp_unslash($_POST['learning_suggestion_threshold']) : 3,
+            'learning_suggestion_window_days' => isset($_POST['learning_suggestion_window_days']) ? (int) wp_unslash($_POST['learning_suggestion_window_days']) : 7,
             'trust_cloudflare' => isset($_POST['trust_cloudflare']) ? (int) wp_unslash($_POST['trust_cloudflare']) : 0,
             'trusted_proxies' => isset($_POST['trusted_proxies']) ? (string) wp_unslash($_POST['trusted_proxies']) : '',
 …
             'allowlisted' => !$alreadyAllowlisted,
             'settings' => $settings,
+        ]);
+    }
+    public function firewallGetLearning(): void
+    {
+        check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $settings = FirewallService::getSettings();
+        $enabled = !empty($settings['learning_mode_enabled']);
+        $suggestions = $enabled ? FirewallService::getLearningSuggestions(30) : [];
+        wp_send_json_success([
+            'enabled' => $enabled ? 1 : 0,
+            'suggestions' => $suggestions,
+        ]);
+    }
+    public function firewallApplyLearning(): void
+    {
+        check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $pattern = isset($_POST['pattern']) ? trim((string) wp_unslash($_POST['pattern'])) : '';
+        if ($pattern === '') {
+            wp_send_json_error(['message' => esc_html__('Invalid learning suggestion.', 'vulntitan')], 400);
+        }
+        $result = FirewallService::applyLearningSuggestion($pattern);
+        if (empty($result['success'])) {
+            wp_send_json_error(['message' => esc_html__('Invalid learning suggestion.', 'vulntitan')], 400);
+        }
+        wp_send_json_success([
+            'settings' => $result['settings'] ?? FirewallService::getSettings(),
+            'suggestions' => FirewallService::getLearningSuggestions(30),
+        ]);
+    }
+    public function firewallDismissLearning(): void
+    {
+        check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $pattern = isset($_POST['pattern']) ? trim((string) wp_unslash($_POST['pattern'])) : '';
+        if ($pattern === '') {
+            wp_send_json_error(['message' => esc_html__('Invalid learning suggestion.', 'vulntitan')], 400);
+        }
+        if (!FirewallService::dismissLearningSuggestion($pattern)) {
+            wp_send_json_error(['message' => esc_html__('Invalid learning suggestion.', 'vulntitan')], 400);
+        }
+        wp_send_json_success([
+            'suggestions' => FirewallService::getLearningSuggestions(30),
         ]);
+    }

vulntitan/trunk/includes/Admin/Pages/Firewall.php

-                      r3483644
+                      r3483739
                                                     </label>
                                                 </div>
+                                                <div class="vulntitan-firewall-section">
+                                                    <div class="vulntitan-firewall-section-title"><?php esc_html_e('Learning Mode', 'vulntitan'); ?></div>
+                                                    <div class="vulntitan-firewall-section-desc"><?php esc_html_e('Generate smart allowlist suggestions from repeated admin-triggered WAF blocks. This never auto-whitelists—everything requires approval.', 'vulntitan'); ?></div>
+                                                    <label class="vulntitan-firewall-toggle">
+                                                        <input type="checkbox" id="vulntitan-firewall-learning-enabled" class="vulntitan-firewall-checkbox">
+                                                        <span><?php esc_html_e('Enable learning suggestions', 'vulntitan'); ?></span>
+                                                    </label>
+                                                    <div class="vulntitan-firewall-field-grid">
+                                                        <label class="vulntitan-firewall-field">
+                                                            <span class="vulntitan-firewall-field-label"><?php esc_html_e('Minimum hits to suggest', 'vulntitan'); ?></span>
+                                                            <input type="number" id="vulntitan-firewall-learning-threshold" class="vulntitan-firewall-input" min="2" max="20" value="3">
+                                                        </label>
+                                                        <label class="vulntitan-firewall-field">
+                                                            <span class="vulntitan-firewall-field-label"><?php esc_html_e('Lookback window (days)', 'vulntitan'); ?></span>
+                                                            <input type="number" id="vulntitan-firewall-learning-window" class="vulntitan-firewall-input" min="1" max="30" value="7">
+                                                        </label>
+                                                        <div class="vulntitan-firewall-field">
+                                                            <span class="vulntitan-firewall-field-label"><?php esc_html_e('Suggestions', 'vulntitan'); ?></span>
+                                                            <button type="button" class="vulntitan-fw-btn vulntitan-fw-btn-secondary" id="vulntitan-firewall-learning-refresh"><?php esc_html_e('Refresh suggestions', 'vulntitan'); ?></button>
+                                                            <small class="vulntitan-firewall-field-help"><?php esc_html_e('Learning only analyzes WAF blocks triggered by logged-in administrators.', 'vulntitan'); ?></small>
+                                                        </div>
+                                                    </div>
+                                                </div>
+                                                <div class="vulntitan-firewall-section">
+                                                    <div class="vulntitan-firewall-section-title"><?php esc_html_e('Learning Suggestions', 'vulntitan'); ?></div>
+                                                    <div class="vulntitan-firewall-section-desc"><?php esc_html_e('Review suggested whitelist patterns derived from repeated WAF blocks. Approving adds a pattern to the WAF whitelist.', 'vulntitan'); ?></div>
+                                                    <div id="vulntitan-firewall-learning-empty" class="vulntitan-firewall-approvals-empty">
+                                                        <?php esc_html_e('Learning suggestions are disabled.', 'vulntitan'); ?>
+                                                    </div>
+                                                    <div id="vulntitan-firewall-learning-list" class="vulntitan-firewall-log-list"></div>
+                                                </div>
                                             </section>

vulntitan/trunk/includes/Services/FirewallService.php

-                      r3483644
+                      r3483739
     protected const OPTION_MU_STATUS = 'vulntitan_firewall_mu_status';
     protected const OPTION_SCHEMA_VERSION = 'vulntitan_firewall_schema_version';
+    protected const OPTION_LEARNING_DISMISSED = 'vulntitan_firewall_learning_dismissed';
     protected const MU_LOADER_FILENAME = 'vulntitan-firewall.php';
     protected const DEFAULT_LOG_RETENTION_DAYS = 30;
 …
             'waf_command_injection_enabled' => 1,
             'waf_whitelist_paths' => [],
+            'learning_mode_enabled' => 0,
+            'learning_suggestion_threshold' => 3,
+            'learning_suggestion_window_days' => 7,
             'trust_cloudflare' => 0,
             'trusted_proxies' => [],
 …
+    }
+    public static function getLearningSuggestions(int $limit = 20): array
+    {
+        $settings = self::getSettings();
+        if (empty($settings['learning_mode_enabled'])) {
+            return [];
+        }
+        if (!self::ensureTable()) {
+            return [];
+        }
+        global $wpdb;
+        $safeLimit = max(1, min(50, $limit));
+        $minHits = max(2, min(20, (int)($settings['learning_suggestion_threshold'] ?? 3)));
+        $windowDays = max(1, min(30, (int)($settings['learning_suggestion_window_days'] ?? 7)));
+        $threshold = gmdate('Y-m-d H:i:s', time() - ($windowDays * DAY_IN_SECONDS));
+        $likePattern = '%"approval_status":"pending"%';
+        $queryLimit = max(200, min(2000, $safeLimit * 80));
+        $tableName = self::getTableName();
+        $rows = $wpdb->get_results(
+            $wpdb->prepare(
+                "SELECT id, rule_group, rule_id, request_method, request_host, request_uri, request_path, details, created_at
+                 FROM {$tableName}
+                 WHERE event_type = 'request_blocked'
+                   AND rule_group IN ('waf_sqli', 'waf_command_injection', 'waf')
+                   AND details LIKE %s
+                   AND created_at >= %s
+                 ORDER BY id DESC
+                 LIMIT {$queryLimit}",
+                $likePattern,
+                $threshold
+            ),
+            ARRAY_A
+        );
+        if (!is_array($rows) || !$rows) {
+            return [];
+        }
+        $dismissed = self::getLearningDismissedPatterns();
+        $whitelist = $settings['waf_whitelist_paths'] ?? [];
+        if (!is_array($whitelist)) {
+            $whitelist = [];
+        }
+        $grouped = [];
+        foreach ($rows as $row) {
+            $details = self::decodeDetails((string)($row['details'] ?? ''));
+            if (($details['approval_status'] ?? '') !== 'pending') {
+                continue;
+            }
+            $row['details'] = $details;
+            $pattern = self::buildApprovalPattern($row);
+            if ($pattern === '') {
+                continue;
+            }
+            if (in_array($pattern, $whitelist, true) || in_array($pattern, $dismissed, true)) {
+                continue;
+            }
+            $key = strtolower($pattern);
+            if (!isset($grouped[$key])) {
+                $grouped[$key] = [
+                    'pattern' => $pattern,
+                    'count' => 0,
+                    'rule_group' => (string)($row['rule_group'] ?? ''),
+                    'rule_id' => (string)($row['rule_id'] ?? ''),
+                    'approval_action' => isset($details['approval_action']) ? self::sanitizeShortText((string) $details['approval_action'], 80) : '',
+                    'approval_rest_route' => isset($details['approval_rest_route']) ? self::sanitizeShortText((string) $details['approval_rest_route'], 160) : '',
+                    'request_path' => (string)($row['request_path'] ?? ''),
+                    'request_uri' => (string)($row['request_uri'] ?? ''),
+                    'last_seen' => (string)($row['created_at'] ?? ''),
+                ];
+            }
+            $grouped[$key]['count']++;
+            if ((string)($row['created_at'] ?? '') > (string)$grouped[$key]['last_seen']) {
+                $grouped[$key]['last_seen'] = (string)($row['created_at'] ?? '');
+            }
+        }
+        $filtered = array_filter($grouped, function ($item) use ($minHits) {
+            return (int)($item['count'] ?? 0) >= $minHits;
+        });
+        if (!$filtered) {
+            return [];
+        }
+        $sorted = array_values($filtered);
+        usort($sorted, function ($a, $b) {
+            $countDiff = (int)($b['count'] ?? 0) - (int)($a['count'] ?? 0);
+            if ($countDiff !== 0) {
+                return $countDiff;
+            }
+            return strcmp((string)($b['last_seen'] ?? ''), (string)($a['last_seen'] ?? ''));
+        });
+        $sorted = array_slice($sorted, 0, $safeLimit);
+        foreach ($sorted as &$item) {
+            $item['last_seen_local'] = self::toLocalDate((string)($item['last_seen'] ?? ''));
+        }
+        unset($item);
+        return $sorted;
+    }
+    public static function applyLearningSuggestion(string $pattern): array
+    {
+        $pattern = self::normalizeLearningPattern($pattern);
+        if ($pattern === '') {
+            return [
+                'success' => false,
+                'message' => 'invalid_pattern',
+            ];
+        }
+        $settings = self::getSettings();
+        $whitelist = $settings['waf_whitelist_paths'] ?? [];
+        if (!is_array($whitelist)) {
+            $whitelist = [];
+        }
+        if (!in_array($pattern, $whitelist, true)) {
+            $whitelist[] = $pattern;
+            $settings = self::saveSettings([
+                'waf_whitelist_paths' => $whitelist,
+            ]);
+        }
+        self::removeLearningDismissedPattern($pattern);
+        return [
+            'success' => true,
+            'settings' => $settings,
+        ];
+    }
+    public static function dismissLearningSuggestion(string $pattern): bool
+    {
+        $pattern = self::normalizeLearningPattern($pattern);
+        if ($pattern === '') {
+            return false;
+        }
+        $dismissed = self::getLearningDismissedPatterns();
+        if (!in_array($pattern, $dismissed, true)) {
+            $dismissed[] = $pattern;
+        }
+        self::storeLearningDismissedPatterns($dismissed);
+        return true;
+    }
+    protected static function normalizeLearningPattern(string $pattern): string
+    {
+        $pattern = trim($pattern);
+        if ($pattern === '') {
+            return '';
+        }
+        $normalized = self::sanitizeWhitelistPaths([$pattern]);
+        return $normalized[0] ?? '';
+    }
+    protected static function getLearningDismissedPatterns(): array
+    {
+        $stored = get_option(self::OPTION_LEARNING_DISMISSED, []);
+        if (!is_array($stored)) {
+            $stored = [];
+        }
+        return self::sanitizeWhitelistPaths($stored);
+    }
+    protected static function storeLearningDismissedPatterns(array $patterns): void
+    {
+        $patterns = self::sanitizeWhitelistPaths($patterns);
+        if (count($patterns) > 200) {
+            $patterns = array_slice($patterns, -200);
+        }
+        update_option(self::OPTION_LEARNING_DISMISSED, $patterns, false);
+    }
+    protected static function removeLearningDismissedPattern(string $pattern): void
+    {
+        $pattern = self::normalizeLearningPattern($pattern);
+        if ($pattern === '') {
+            return;
+        }
+        $dismissed = self::getLearningDismissedPatterns();
+        $filtered = array_values(array_filter($dismissed, function ($item) use ($pattern) {
+            return $item !== $pattern;
+        }));
+        if ($filtered !== $dismissed) {
+            self::storeLearningDismissedPatterns($filtered);
+        }
+    }
     protected static function buildApprovalPattern(array $row): string
+    {
 …
+    }
     protected static function getTrustedProxyIps(array $settings = null): array
+    protected static function getTrustedProxyIps(?array $settings = null): array
+    {
         $trusted = [];
 …
             'waf_command_injection_enabled' => !empty($settings['waf_command_injection_enabled']) ? 1 : 0,
             'waf_whitelist_paths' => $wafWhitelistPaths,
+            'learning_mode_enabled' => !empty($settings['learning_mode_enabled']) ? 1 : 0,
+            'learning_suggestion_threshold' => max(2, min(20, (int)($settings['learning_suggestion_threshold'] ?? $defaults['learning_suggestion_threshold']))),
+            'learning_suggestion_window_days' => max(1, min(30, (int)($settings['learning_suggestion_window_days'] ?? $defaults['learning_suggestion_window_days']))),
             'trust_cloudflare' => !empty($settings['trust_cloudflare']) ? 1 : 0,
             'trusted_proxies' => $trustedProxies,

vulntitan/trunk/readme.txt

-                      r3483644
+                      r3483739
 Tested up to: 6.9
 Requires PHP: 7.4
 Stable tag: 2.1.9
+Stable tag: 2.1.10
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= v2.1.10 - 16 Mar, 2026 =
+* Added Learning Mode suggestions for WAF whitelisting, with configurable thresholds and review-only approvals.
+* Added a Learning Suggestions panel and actions to approve or dismiss suggested patterns.
+* Fixed a PHP 8.4 deprecation warning by making trusted proxy settings nullable explicitly.
 = v2.1.9 - 16 Mar, 2026 =
 * Added Proxy/CDN configuration in Firewall settings, including Trust Cloudflare and trusted proxy IPs.

vulntitan/trunk/vulntitan.php

-                      r3483644
+                      r3483739
  * Plugin URI: https://vulntitan.com/vulntitan/
  * Description: VulnTitan is a WordPress security plugin with vulnerability scanning, malware detection, file integrity monitoring, comment anti-spam protection, and a built-in firewall with WAF payload rules and login protection.
  * Version: 2.1.9
+ * Version: 2.1.10
  * Author: Jaroslav Svetlik
  * Author URI: https://vulntitan.com
 …
 // Define plugin constants
 define('VULNTITAN_PLUGIN_VERSION', VULNTITAN_DEVELOPMENT ? uniqid() : '2.1.9');
+define('VULNTITAN_PLUGIN_VERSION', VULNTITAN_DEVELOPMENT ? uniqid() : '2.1.10');
 define('VULNTITAN_PLUGIN_BASENAME', plugin_basename(__FILE__));
 define('VULNTITAN_PLUGIN_DIR', untrailingslashit(plugin_dir_path(__FILE__)));

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory