=== KW Members Fortress ===
Contributors: basic777
Tags: private site, members only, force login, login required, file protection
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.7
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Make your whole WordPress site private — every page, feed, REST endpoint and uploaded file requires login — and prove it isn't leaking.

== Description ==

**KW Members Fortress** turns a standalone WordPress site into a private, members-only space. Visitors who aren't logged in can't reach **anything** except the login screen and the legal pages you choose to publish — not your pages, posts, archives, search, feeds, REST API, sitemaps, XML-RPC, and crucially **not your uploaded files** either.

Most "force login" plugins only gate the *pages* WordPress renders. They leave every file in `/wp-content/uploads/` reachable by anyone who has (or guesses) the URL — PDFs, images, documents. KW Members Fortress routes those file requests through WordPress and serves them **only to logged-in members**, then continuously **self-tests** that the seal is holding.

= What it does =

* **Whole-site gate** — logged-out requests are redirected to login: pages, posts, archives, search, feeds, REST, sitemaps, XML-RPC.
* **Protected file URLs** — direct hits to `/wp-content/uploads/…` are served only to members (Apache/LiteSpeed handled automatically; nginx shows you the one snippet to paste).
* **Leak self-test (canary)** — about once an hour the plugin makes a cookie-less request to one of its own upload URLs and raises a dashboard alarm if a file ever comes back without login. Silent misconfiguration becomes a visible warning.
* **Branded login screen** — set a background image, overlay colour/gradient, accent colour, and logo from the settings page. No file editing.
* **Footer & legal pages** — up to three footer items, each a built-in page (rendered theme-less and reachable while logged out) or an external link. Perfect for an Imprint / Privacy notice on an otherwise-private site.
* **Hardening (all optional, on by default)** — block logged-out admin-ajax, block user-enumeration, no-cache headers on blocked responses, and a progressive login throttle that auto-recovers.

= Good to know =

* No accounts, tiers, payments, or third-party services. One site, one membership wall.
* Runtime files are stored under `…/wp-content/uploads/kw-members-fortress/` — never in the plugin folder.
* The leak self-test only ever contacts **your own site's** URL; it is not an external service.

== Installation ==

1. Upload the plugin to `/wp-content/plugins/` (or install it from your dashboard) and activate it.
2. On **Apache / LiteSpeed** the upload-protection rule is written for you. On **nginx**, the plugin shows a short `location` snippet — paste it into your server block and reload nginx.
3. Visit **Members Fortress** in the admin menu to brand the login screen, add footer/legal pages, and review the **Lockdown** status (server type, public-asset folder, and the latest leak self-test result).
4. Log out in a separate browser to confirm the site is sealed.

**Caching:** because every visitor must be checked individually, full-page caching of the front end must be turned off (or the gate can be bypassed by a cached copy). The plugin sends no-cache headers on blocked responses, but a page cache in front of WordPress should not store logged-in/front-end pages.

== Frequently Asked Questions ==

= Does it really protect uploaded files, or just pages? =

Files too — that's the point. Requests to `/wp-content/uploads/…` are routed through WordPress and served only to logged-in members. The only exception is a small public sub-folder, `uploads/kw-members-fortress/`, which holds just your chosen login background and logo so they can load on the logged-out login screen.

= Why does it edit my root `.htaccess`? =

On Apache/LiteSpeed the upload-protection rule is added to `.htaccess` using WordPress' own marker API (the same mechanism core uses for permalinks), inside a clearly-marked block. Deactivating the plugin removes the block and restores normal file serving.

= What is the "leak self-test"? =

A tiny sentinel file lives in your normal uploads folder. About once an hour, while you're in the dashboard, the plugin requests that file's URL **without** sending your login cookies. If the file comes back, the gate isn't working and you get a red dashboard warning. It only ever contacts your own site — it is not a third-party service.

= I'm on nginx and files are still reachable. =

nginx configuration can't be edited from PHP, so the plugin shows the exact `location` snippet to add to your server block. Add it and reload nginx; the **Lockdown** tab and the self-test will confirm the seal.

= Can I show an Imprint / Privacy page to logged-out visitors? =

Yes. Under **Footer & Pages**, set a slot to **Built-in page**, give it a title and content, and it renders on its own theme-less page that's reachable without login (and `noindex`). Images embedded inside that content won't display to logged-out visitors, since uploads stay locked — use text and HTML.

= The login throttle locked me out. =

After several failed logins from one IP, a short, growing cool-down is applied; it expires on its own (no permanent lockout). Note that visitors sharing one office/NAT IP share the counter. You can turn the throttle off on the **Lockdown** tab.

= What happens when I deactivate or delete it? =

Deactivating removes the `.htaccess` rule and turns protection **off** — by design. Deleting honours the **Advanced → "remove all data"** option: leave it off to keep your settings, or turn it on to remove the settings and the public-asset folder on uninstall.

== Screenshots ==

1. The branded login screen (background, overlay, accent colour, logo, and footer links).
2. Lockdown tab — protection status, server type, public-asset folder, and the leak self-test result, plus the hardening toggles.
3. Login Screen tab — background image, overlay, colours, and logo.
4. Footer & Pages tab — three slots for built-in legal pages or external links.

== Changelog ==

= 1.0.7 =
* Initial public release.
