=== RS Remote Site Manager ===
Contributors: mslepko
Tags: management, dashboard, multisite, monitoring
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 2.4.1
Requires PHP: 8.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Connect your WordPress site to wp-admin.online remote Site Manager for centralized management.

== Description ==

RS Remote Site Manager allows you to manage multiple WordPress sites from a single dashboard at https://wp-admin.online. Monitor your WordPress versions, plugins, themes, and log in with one click.

**Features:**

* Centralized dashboard for all your WordPress sites
* Track WordPress core version
* Monitor installed plugins and themes
* Get notified about available updates
* One-click login to wp-admin
* Automatic daily sync

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/rootscope-remote-site-manager` directory, or install the plugin through the WordPress plugins screen directly.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Go to Tools -> Rootscope Remote Site Manager to configure the plugin.
4. Enter your API Key and API Secret from your Rootscope Remote Site Manager dashboard and choose the Login Administrator account.
5. Click "Verify Connection" to confirm the connection.

== Screenshots ==

1. Central dashboard showing all connected WordPress sites and their health score
2. View all plugins and themes across your sites and track available updates
3. Monitor WordPress and PHP versions across all connected sites
4. Manage multiple WordPress sites from a single central dashboard

== Third-Party Service ==

This plugin connects to the [Rootscope Remote Site Manager](https://wp-admin.online) service to provide centralized WordPress site management.

The following data is sent to the Rootscope Remote Site Manager API (`https://wp-admin.online/api/v1`):

* WordPress version and PHP version
* List of installed plugins and themes (names, versions, active status)
* Administrator usernames and display names (for one-click login)

Data is transmitted over HTTPS and authenticated using HMAC signatures. No data is sent until you configure your API credentials.

* [Terms of Service](https://wp-admin.online/terms)
* [Privacy Policy](https://wp-admin.online/privacy)

== Frequently Asked Questions ==

= Where do I get my API credentials? =

Log in to your Rootscope Remote Site Manager dashboard at https://wp-admin.online, add a new site, and you'll receive your API Key and API Secret.

= How often does the plugin sync data? =

The plugin automatically syncs data once daily. You can also trigger a manual sync from the settings page.

= Is my data secure? =

Yes. All communication between your site and Rootscope Remote Site Manager is encrypted via HTTPS and authenticated using HMAC signatures.

= How does the plugin resolve client IPs behind a reverse proxy or CDN? =

Login and failed-login events record the originating client IP. By default, the plugin uses `REMOTE_ADDR` directly, and only consults forwarded headers (`X-Forwarded-For`, `X-Real-IP`) when `REMOTE_ADDR` is a private or reserved address (i.e. the request reached PHP from a local reverse proxy).

If your site sits behind a public reverse proxy (load balancer, CDN, etc.), define one or both of the following constants in `wp-config.php` so the plugin knows which upstream addresses are trusted to set forwarded headers:

`define('RSADMIN_TRUSTED_PROXY_IPS', '203.0.113.0/24, 198.51.100.10');`

Accepts a comma-separated string or an array of IPs/CIDR ranges (IPv4 and IPv6). When `REMOTE_ADDR` matches an entry, the plugin walks `X-Forwarded-For` right-to-left and returns the first IP that is not itself a trusted proxy — this prevents an attacker from spoofing the leftmost value.
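
The trusted-proxy resolution described above, sketched as an added PHP example (not the plugin's own code). The `example_*` function names are hypothetical, and treating a private or reserved `REMOTE_ADDR` as a local proxy that gets the same right-to-left walk is an assumption, since this readme does not spell out that path.

```php
<?php
// Added illustration; the example_* names are hypothetical, not the plugin's API.
/** True when $ip is inside $cidr (single IP or IP/prefix, IPv4 or IPv6). */
function example_ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', trim($cidr), 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared with IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false; // a malformed prefix must never widen the match
    }
    $bits = $bits === null ? $max : (int) $bits;
    $full = intdiv($bits, 8);                  // whole bytes covered by the prefix
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF;  // leftover high bits; 0 if byte-aligned
    return substr($ipBin, 0, $full) === substr($netBin, 0, $full)
        && ($mask === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask));
}

function example_is_trusted(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (example_ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

/** Resolve the client IP from a $_SERVER-style array and a trusted-proxy list. */
function example_resolve_client_ip(array $server, array $trusted): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) return '';
    // Private or reserved peer: treated as a local reverse proxy (assumption).
    $local = filter_var($remote, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
    if (!$local && !example_is_trusted($remote, $trusted)) {
        return $remote; // direct peer: forwarded headers are client-controlled
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break; // malformed: trust nothing left of it
        if (!example_is_trusted($hop, $trusted)) return $hop;      // first untrusted hop from the right
    }
    return $remote; // header absent, or every hop was a trusted proxy
}

// Constructed request: leftmost entry is client-supplied, 203.0.113.7 is the trusted proxy.
$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.77, 198.51.100.10'];
echo example_resolve_client_ip($server, ['203.0.113.0/24', '198.51.100.10']), PHP_EOL;
```
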

`define('RSADMIN_TRUSTED_CF_IPS', '173.245.48.0/20, 103.21.244.0/22');`

Required if you rely on Cloudflare's `CF-Connecting-IP` header. The plugin only honors that header when `REMOTE_ADDR` is in one of the configured Cloudflare edge ranges — without it, a non-Cloudflare proxy could forward a client-supplied `CF-Connecting-IP` value and falsify attribution. Use the official list at https://www.cloudflare.com/ips/. If you use the official Cloudflare WordPress plugin (which rewrites `REMOTE_ADDR` directly), you do not need to set this constant.

== Changelog ==

= 2.4.0 =
* Add site audit-scan endpoint with phased scanner: hook-integration detection, plugin source classification (wp.org / commercial / unknown), object-cache and page-cache signals, multisite detection, and capped mu-plugin scan
* Backup preflight now emits `binary_bytes_ratio` per table so the dashboard planner can size chunk ranges by SQL output bytes rather than row count (fixes OOM on BLOB-heavy tables like `itsec_distributed_storage`)
* wpdb chunk-dumper fallback caps batch size against a 2 MB byte budget before the first query, preventing fat-row pages from blowing memory mid-range (filterable via `rsadmin_backup_wpdb_batch_byte_budget`)
* Raise WP memory limit to the admin threshold at `dump-chunk` entry so single wide LONGBLOB rows fit during INSERT assembly on hosts with sub-256MB defaults

= 2.3.0 =
* Add bulk-quick update endpoint enabling the dashboard's Quick update mode (one HTTP call per chunk of plugin/theme updates, with per-slug success/skipped/failed results)
* Harden login IP resolution: gate `CF-Connecting-IP` to Cloudflare edges via new `RSADMIN_TRUSTED_CF_IPS` constant, walk `X-Forwarded-For` right-to-left skipping trusted proxies, support Cloudflare Pseudo IPv4 (`CF-Connecting-IPv6`), and prefer `X-Forwarded-For` over `X-Real-IP` in multi-hop setups

= 2.2.0 =
* Fix plugin updates and rollbacks failing with "Could not copy file" on WP Engine sites
* /update, /rollback, and rollback chunked endpoints now route through admin-ajax with the wpe-auth cookie

= 1.1.3 =
* Invalidate caches when API secret is saved

= 1.1.2 =
* Fixed API secret double-encryption when option didn't exist
* Preselect first admin account by default

= 1.1.1 =
* Use correct API URL constant, add dashboard link to registration notice
* Rename wpadmin_account_token to rsadmin_account_token for consistency
* Encrypt account token at rest, clean up on uninstall, fix changelog formatting
* Token registration

= 1.1.0 =
* Full site backups
* Uptime Checks
* Remote updates
* Bulk install using a token

= 1.0.0 =
* Initial release