Force login to make the site private - Gozer — Full changelog For each release, see the entries below. The latest version is always at the top. The current release notes also live in readme.txt under "== Changelog ==". = 2.1.0 = * New: "Visitor IP detection" setting — choose where the visitor IP is read from: direct connection (new default), CF-Connecting-IP, X-Real-IP, or X-Forwarded-For, for sites behind Cloudflare or a reverse proxy. * New: Optional reverse-DNS verification of search engine bots — a visitor claiming to be Googlebot, Bingbot, Slurp, YandexBot, Baiduspider or Applebot must pass forward-confirmed reverse DNS against the engine's official domains (cached per IP); unverifiable bots are blocked while it is on. * Improved: The "Search engine bots" setting now states plainly that the user agent can be forged and points to verification or disabling the exception for hermetic sites. * Improved: Recommendations banner synced with the AyudaWP catalog (updated plugin names and descriptions). * Fix: Security hardening of the allowed-IPs exception — the visitor IP was read from client-controlled proxy headers even on sites not behind a proxy, so a forged header could impersonate an allowed IP. Only the direct connection is trusted unless a proxy header is explicitly selected, and X-Forwarded-For uses the proxy-added address, not the client-editable first entry. = 2.0.0 = * New: Minimum access level — require a minimum role for logged-in users on the front-end; lower roles get a 403 instead of the content. Independent from dashboard capabilities. * New: Customizable 403 block screen (title + basic-HTML message) without editing the theme; a theme 403.php still wins. * Improved: Page cache hardening — DONOTCACHEPAGE and no-cache headers on all block paths (login, custom URL, 403); public exceptions stay cacheable; known page caches purged on plugin (de)activation and when private mode or settings change. * Improved: REST API, XML-RPC and AJAX exceptions now actually block logged-out visitors (previously they had no effect); /wp-json/ stops leaking content when off and XML-RPC is blocked by default. Logged-in users and IP/user-agent/token exceptions are respected. * Fix: An "Allowed paths" entry of "/" opened the whole site instead of only the homepage; it now matches the homepage alone, also on subdirectory installs. * Fix: Subdirectory installs doubled the site path in the post-login return URL (/site/site/), landing visitors on a 404 after signing in. * Fix: The virtual robots.txt (served as /?robots=1 on "plain" permalinks) was blocked even with the robots exception on; both virtual and physical robots.txt are now recognized. * Fix: "Allowed paths" were ignored on subdirectory installs; rules now also match with the install base prefixed, so "/contact/" matches "/site/contact/". * Fix: IP whitelist wildcards (e.g. 192.168.*) matched no real IPv4 address; a trailing * now covers the rest of the address as the docs promise. * Fix: "Redirect to custom URL" sent external addresses to wp-admin (wp_safe_redirect host allowlist); the configured host is now allowed so external redirects work. = 1.0.4 = * Fix: Security hardening of the access-control exceptions. Appending a query string such as `?x=wp-admin` or `?x=sitemap` to a protected URL could bypass the login requirement and expose the page to logged-out visitors. Login-page and sitemap detection now matches the parsed URL path only, never the raw request URI. Updating is strongly recommended for any site relying on Gozer to keep content private. = 1.0.3 = * Fix: Fixed promotional banner button alignment on WordPress 7.0 due to core CSS specificity changes * Tested up to WordPress 7.0 = 1.0.2 = * Improved: Better name to make it easier to find the plugin = 1.0.1 = * Improved: Tokens table layout for better responsiveness on smaller screens * Improved: Copy tokens button moved to Actions column for a better user experience * Improved: The recommendations banner now displays plugins and services randomly = 1.0.0 = * Initial release * Force login functionality with configurable exceptions * Admin bar indicator with quick toggle switch * System exceptions (REST API, WP-Cron, WP-CLI, AJAX, XML-RPC) * SEO exceptions (sitemaps, robots.txt, feeds, search bots) * Technical exceptions (HEAD requests, static files) * Custom exceptions (paths, IPs with CIDR/wildcards, user agents) * Temporary bypass tokens with expiration * Redirect options (login, 403, custom URL) * Two-column settings layout