=== Royaalaunch Security Shield ===
Contributors: rajeshrnair
Tags: security, xss, firewall, hardening, vulnerability, wordpress security, malware protection, access control
Requires at least: 5.5
Tested up to: 6.7
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A lightweight WordPress security hardening plugin that mitigates XSS, Broken Access Control, Unauthenticated REST, Sensitive Data Exposure and Arbitrary File Read vulnerabilities in the covered plugins while you wait for their official updates.

== Description ==

**Royaalaunch Security Shield** is a powerful, lightweight security hardening plugin developed by [Rajesh R Nair](https://rajeshrnair.com) at [Royallaunch](https://royallaunch.in) — Kerala's Trusted Digital Partner Since 2011.

This plugin acts as a **virtual patch layer** for your WordPress site, mitigating known critical vulnerabilities in popular plugins — even before their authors release official updates. It requires **zero configuration** and activates instantly.

= 🛡️ What It Protects Against =

* **Cross-Site Scripting (XSS)** — Content Security Policy headers restrict which scripts the browser will execute, limiting what an injected script can do. CSP reduces the impact of an XSS flaw; it does not remove the injection point itself, so the affected plugin still needs its update
* **Broken Access Control** — Capability checks enforced on sensitive AJAX/REST actions (Elementor)
* **Unauthenticated REST Vulnerabilities** — Blocks unauthenticated requests to REST endpoints that the affected plugins expose without an authentication check (ElementsKit Mailchimp, MetForm, Chaty)
* **Sensitive Data Exposure** — Scrubs API keys and credentials from page source (Chaty)
* **Arbitrary File Read** — Restricts Smart Slider 3 export actions to Administrators only
* **Stored XSS via Import** — Sanitises upload filenames (All-in-One WP Migration)
* **Post SMTP event_type XSS** — Allowlist-validates the event_type parameter
* **User Enumeration** — Hides the /wp/v2/users REST endpoint from unauthenticated requests
* **XML-RPC Attacks** — Fully disables XML-RPC. This also stops every client that depends on it, such as Jetpack, the WordPress mobile apps and remote-publishing tools, so check whether you rely on one of these before activating
* **WordPress Version Exposure** — Removes WP version fingerprinting from page source
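
The access-control items in this list, shown as an added PHP example written for this page (it is not the Royaalaunch Security Shield source and does not reproduce the real plugin endpoints). It is a must-use plugin style file for `wp-content/mu-plugins/`. The AJAX action `example_export_settings`, the option name `example_settings` and the REST route prefixes `/example-form/v1/` and `/example-chat/v1/` are hypothetical stand-ins for the affected plugins' real actions and routes. The REST gate implements the nonce behaviour described in the MetForm FAQ: an anonymous request without a valid `wp_rest` nonce gets a 401, while a front-end form that carries one passes through untouched.

```php
<?php
/**
 * Plugin Name: Example Virtual Patch Layer (illustration only)
 * Description: Added example of the access-control patterns listed above.
 *              Not the Royaalaunch Security Shield code. Place in wp-content/mu-plugins/.
 */

defined( 'ABSPATH' ) || exit;

// 1. Broken Access Control: a privileged AJAX action must verify a CSRF nonce AND a capability.
//    'example_export_settings' is a hypothetical action name. Note it is registered on
//    wp_ajax_ only, never on wp_ajax_nopriv_, so logged-out users cannot reach it at all.
add_action( 'wp_ajax_example_export_settings', function () {
	check_ajax_referer( 'example_export_settings' );      // wp_die( -1, 403 ) on a bad or missing nonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}
	wp_send_json_success( array( 'settings' => get_option( 'example_settings', array() ) ) );
} );

// 2. Unauthenticated REST: gate selected routes behind a valid REST nonce before dispatch.
//    rest_pre_dispatch runs after authentication and before the route callback; returning a
//    WP_Error short-circuits the request with that error response.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	$gated = array( '/example-form/v1/', '/example-chat/v1/' ); // hypothetical route prefixes
	$route = $request->get_route();

	foreach ( $gated as $prefix ) {
		if ( 0 !== strpos( $route, $prefix ) ) {
			continue;
		}
		// Front-end code sends the nonce as the X-WP-Nonce header or a _wpnonce parameter.
		$nonce = $request->get_header( 'X-WP-Nonce' );
		if ( null === $nonce ) {
			$nonce = $request->get_param( '_wpnonce' );
		}
		if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
			return new WP_Error(
				'rest_forbidden',
				'A valid REST nonce is required for this endpoint.',
				array( 'status' => 401 )
			);
		}
	}
	return $result;
}, 10, 3 );

// 3. User enumeration: drop every /wp/v2/users route from the route table for anonymous
//    requests. Core then answers 404 rest_no_route instead of listing accounts.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
} );

// 4. XML-RPC: refuse every method and remove the RSD discovery link from <head>.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
remove_action( 'wp_head', 'rsd_link' );

// 5. Version fingerprinting: strip the generator tag from the page head and feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

To check the result after dropping the file in place: `curl -i https://example.com/wp-json/wp/v2/users` should now return a 404 with `rest_no_route` for an anonymous client, a request to a gated route without a nonce should return 401, and `curl -i -d '<methodCall/>' https://example.com/xmlrpc.php` should be refused. The nonce gate does not replace the affected plugin's own authorization check: it only stops automated and cross-site requests, so the plugin update is still required.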

= 🔌 Plugins Covered =

* All-in-One WP Migration and Backup (<= 7.97)
* Chaty (<= 3.5.1)
* Elementor Website Builder (<= 3.35.5)
* ElementsKit Lite (< 3.7.9)
* Gum Elementor Addon (<= 1.3.10)
* MetForm (<= 4.1.0)
* Move Addons for Elementor (<= 1.3.6)
* Post SMTP (<= 3.8.0)
* Rich Showcase for Google Reviews (<= 6.9.4.3)
* Smart Slider 3 (<= 3.5.1.33)
* Ultimate Addons for Elementor Lite (< 2.5.0)
* Video Playlist For YouTube (<= 6.7.1)

= ⚡ Key Features =

* **Zero Configuration** — Install and activate. No settings page needed.
* **Lightweight** — No database queries, no external calls, minimal performance impact.
* **Virtual Patching** — Protects immediately while you wait for official plugin updates.
* **Security Headers** — Adds Content-Security-Policy, X-Frame-Options, HSTS and other hardening headers. After activation, inspect a response with `curl -I` or the browser's Network tab: if your web server or another plugin already sets the same header, browsers enforce both policies, and two different CSPs can block resources that either one alone would allow.
* **Audit Log** — Optional lightweight security log at `wp-content/rss-security.log`.
* **Admin Notice** — Dashboard confirmation that protections are active.

= 👨‍💻 About the Developer =

Developed by **Rajesh R Nair**, Senior IT Consultant & Cybersecurity Expert based in Trivandrum, Kerala, India with 12+ years of experience and 2,450+ client engagements across 15+ countries.

* 🌐 Personal Portfolio: [rajeshrnair.com](https://rajeshrnair.com)
* 🏢 Company: [Royallaunch](https://royallaunch.in) — Digital Marketing & Custom Software Development Kerala
* 📞 Phone/WhatsApp: +91 7907038984
* ✉️ Email: info@royallaunch.in

> **Note:** This plugin is a virtual patch and buys time while you wait for official updates. Always update your plugins to the latest version when updates become available.

== Installation ==

= Automatic Installation =
1. Log in to your WordPress admin panel
2. Go to **Plugins → Add New**
3. Search for **Royaalaunch Security Shield**
4. Click **Install Now** then **Activate**

= Manual Installation =
1. Download the plugin ZIP file
2. Go to **Plugins → Add New → Upload Plugin**
3. Choose the ZIP file and click **Install Now**
4. Click **Activate Plugin**

= After Activation =
No configuration required. You will see a green notice in your WordPress dashboard confirming all protections are active.

== Frequently Asked Questions ==

= Do I still need to update my plugins? =
**Yes, absolutely.** This plugin is a virtual patch — it reduces your risk exposure while you wait for official updates, but it is not a permanent replacement for keeping plugins up to date.

= Will this plugin slow down my website? =
No. The plugin uses WordPress hooks and fires very early in the request lifecycle with minimal overhead. It makes no database queries and no external HTTP calls.

= Does this work with page builders like Elementor? =
Yes. The plugin specifically includes protections for Elementor, ElementsKit, Gum Elementor Addon, Move Addons, and Ultimate Addons for Elementor — while still allowing legitimate usage.

= Will it break my forms or contact submissions? =
No. MetForm protections only block unauthenticated REST requests that do not carry a valid nonce. Legitimate front-end form submissions include a nonce and work normally. One caveat: WordPress nonces expire after 12 to 24 hours, so a page served from a full-page cache older than that carries a stale nonce, and its submissions will be rejected until the cached page is purged or regenerated.

= Where is the security log stored? =
At `wp-content/rss-security.log`. The log auto-rotates when it exceeds 1 MB. You can delete this file at any time; it will be recreated automatically. Because `wp-content/` is served directly by the web server, deny HTTP access to this file in your Apache or nginx configuration; otherwise anyone who knows the path can read the request details it records.

= Is this plugin compatible with multisite? =
The plugin works on standard WordPress installations. Multisite compatibility is being tested and will be confirmed in a future release.

= Does it protect against future vulnerabilities? =
The plugin's global input sanitisation layer (Section 9) and the security headers give some general protection against common XSS patterns beyond the listed plugins, but neither is a substitute for the context-aware output escaping that a proper fix in the affected plugin provides. Blanket input sanitisation can also alter legitimate input, so test your forms and editors after activation and keep applying plugin updates as they appear.
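
The header layer described in this answer, in the Key Features list and in the XSS item above, as an added PHP example written for this page (illustrative code, not the plugin's own). `example_shield_security_headers` is a hypothetical helper name, and the policy is returned as an array so it can be reviewed before anything is sent. The example keeps `'unsafe-inline'` because most WordPress themes and plugins still emit inline `<script>` and `<style>` tags; with that keyword present, CSP does not stop an injected inline script. It still blocks attacker-hosted external scripts, Flash-style plugins via `object-src 'none'`, `<base>` hijacking via `base-uri`, and framing via `frame-ancestors`. Real XSS mitigation from CSP requires replacing `'unsafe-inline'` with per-request nonces or hashes and fixing whatever breaks.

```php
<?php
// Added illustration of a security-header layer for WordPress (not the plugin's own code).
defined( 'ABSPATH' ) || exit;

/**
 * Build the header set for one response.
 *
 * @param bool $is_https Whether the current request arrived over TLS.
 * @return array<string,string> Header name => value.
 */
function example_shield_security_headers( $is_https ) {
	// Add every third-party origin your theme actually loads (CDNs, fonts, analytics);
	// anything not listed is blocked in the browser and shows up in the console.
	$csp = implode( '; ', array(
		"default-src 'self'",
		"script-src 'self' 'unsafe-inline'",   // 'unsafe-inline' keeps inline theme scripts working
		"style-src 'self' 'unsafe-inline'",    //   but means injected inline script is NOT blocked
		"img-src 'self' data: https://secure.gravatar.com",
		"font-src 'self' data:",
		"object-src 'none'",                   // no Flash/Java-style plugins
		"base-uri 'self'",                     // an injected <base> cannot redirect relative URLs
		"frame-ancestors 'self'",              // CSP form of clickjacking protection
	) );

	$headers = array(
		'Content-Security-Policy' => $csp,
		'X-Frame-Options'         => 'SAMEORIGIN',          // legacy equivalent of frame-ancestors
		'X-Content-Type-Options'  => 'nosniff',
		'Referrer-Policy'         => 'strict-origin-when-cross-origin',
	);

	// HSTS is ignored by browsers on plain HTTP and pins visitors to HTTPS for max-age,
	// so only emit it when the site is really served over TLS. includeSubDomains also
	// covers every subdomain; drop it if any subdomain is still HTTP-only.
	if ( $is_https ) {
		$headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
	}

	return $headers;
}

// send_headers fires once per front-end request, before any output.
add_action( 'send_headers', function () {
	foreach ( example_shield_security_headers( is_ssl() ) as $name => $value ) {
		header( $name . ': ' . $value );
	}
} );
```

Verify with `curl -I https://example.com/` and then browse the site with the developer console open: CSP violations are reported there, and each one is either a missing origin to allow or an inline script to move into a file. Roll a tightened policy out as `Content-Security-Policy-Report-Only` first if the site has many plugins.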

== Screenshots ==

1. Admin dashboard notice confirming all protections are active.
2. Security headers visible in browser developer tools.
3. Blocked unauthenticated REST API request with 401 response.

== Changelog ==

= 1.0.0 =
* Initial release
* 14 security hardening modules
* Covers 12 vulnerable plugins
* Content Security Policy headers
* XML-RPC disabled
* User enumeration blocked
* Global XSS input sanitisation
* Audit log support

== Upgrade Notice ==

= 1.0.0 =
Initial release. Install and activate — no configuration required.

== Credits ==

Developed by [Rajesh R Nair](https://rajeshrnair.com) · [Royallaunch](https://royallaunch.in), Trivandrum, Kerala, India.
Vulnerability data sourced from Patchstack.com security advisories.
