Brainwerk SEO Suite

Changelog

1.0.0 — 2026-06-30

• Printable reports, no PDF software required: the report generator now produces a self-contained, branded HTML report that any browser saves as PDF. This removes an external PDF library dependency, so reports work on every install — including locked-down servers.
• Reports now include visitor countries: the report gained a “Top countries” block (flags + share bars) alongside the KPI grid, trend, sources and devices.
• Onboarding: a new “AI search readiness (GEO/AEO)” step lets you switch on the llms.txt manifest and FAQ schema right from the setup wizard.
• Accessibility: clearer screen-reader labels on the redirect, 404 and visitor-country controls; decorative icons are now correctly hidden from assistive tech.
• Hardening: database schema migrations now run only in the admin context (never triggered by a public front-end request), with a lock against concurrent runs.
• Pro: opt-in “SEO network” sensor pushes one aggregate snapshot per day to power an agency fleet overview and anonymous peer benchmarks (counts and percentages only — never per-visitor data). Search Console performance (clicks, impressions, position, top queries) now has its own card.

0.9.0 — 2026-06-29

• Generative Engine Optimization (GEO/AEO) — a new toolkit to get your content surfaced and cited by AI answer engines:
  • AI-crawler controls: one-click allow/block for GPTBot, OAI-SearchBot, ChatGPT-User, ClaudeBot, Claude-User, PerplexityBot, Google-Extended, Applebot-Extended, Bytespider, CCBot and more — written straight into robots.txt.
  • llms.txt manifest: optionally publish /llms.txt (+ /llms-full.txt), a Markdown map of your key pages and posts for AI crawlers — generated automatically and cached.
  • FAQ schema: add question/answer pairs per post/page in the editor; output as FAQPage JSON-LD (plus speakable on articles) for rich results and AI answers.
  • AI-engine traffic: visits arriving from ChatGPT, Gemini, Copilot, Perplexity, Claude and other assistants are now classified as their own “AI answer engines” source, with a dedicated breakdown on the Sources tab.
• Fix: saving settings on the Meta/Schema tab silently did nothing after a slug rename (the form data was read under the wrong key). Settings now save correctly again.

0.8.0 — 2026-06-29

• Visitor geolocation, now in Free: the Visitors tab gets a “Visitor countries” breakdown with flags and share-of-traffic bars, and recent visits show a country column. Country resolution runs entirely offline from a compact IP→country database bundled inside the plugin (built from DB-IP Lite, CC BY 4.0) — no external requests, so it works on locked-down/firewalled servers too. Covers both IPv4 and IPv6.
• Pro — region & city drill-down: with a Pro license, click any country to expand its top regions and cities, powered by MaxMind’s GeoLite2 City database (read with a bundled, dependency-free reader). Country-level data stays available on Free.
• Schema: visits and sessions gain region + city columns (DB upgrade to v4, applied automatically).
• Demo data: the demo seeder now emits internally-consistent country/region/city so the new geolocation views look populated out of the box.

0.7.7 — 2026-06-24

• Every e-mail now shares the same polished design: the traffic-spike alert, the scheduled report cover e-mails (auto weekly/monthly and re-sends) and the “send test” e-mail were plain text or a bare one-liner — they now use the same branded HTML shell as the digests (navy gradient header with logo, status-coloured hero band, clean facts table, call-to-action button and the made-in-EU footer). Consistent look across every notification the plugin sends.
• Richer traffic-spike alert: the anomaly alert now leads with a colour-coded hero (amber for a spike, red for an extreme spike) and a tidy breakdown — hour, human pageviews, z-score, rolling baseline and your alert threshold — plus a one-click button into the live dashboard. Slack/Discord/Teams webhook payloads are unchanged.
• Fix — /favicon.ico no longer counted as a page: favicon requests (and any other static asset that gets routed through WordPress) were recorded as visits and could top the “Top pages” report. They are now excluded from tracking (via is_favicon() plus a static-file-extension guard), so the report only shows real pages.
• Fix — broken in-app links (“Sorry, you are not allowed to access this page”): links that pointed to the old admin.php?page=seoforge slug — the onboarding “Start setup” button, Site Health fixes, the dashboard widget, report/e-mail buttons and others — led to a permission error because the admin page slug is brainwerk-seo-suite. All ~40 links now use the correct slug.

0.7.6 — 2026-06-21

• E-mail reports — graphical daily & weekly digests: the report e-mails are now beautifully designed HTML (brand header, KPI tiles with period-over-period trend arrows, traffic-source bars, top pages, Core Web Vitals ratings, human-vs-bot split) — everything at a glance. New daily digest in addition to the weekly one; configure recipient + cadence and send a test from Tools → E-mail reports.
• Fix — Core Web Vitals, engagement & new-visitor tracking now actually work: these metrics queried database columns that were never created or populated (they silently returned 0 and logged “unknown column” errors). The schema now includes lcp_ms/cls_x1000/inp_ms/is_engaged/is_new_visitor (DB upgrade to v3, applied automatically), new-visitor detection runs server-side, engagement + Core Web Vitals (LCP/INP/CLS, real field data) are captured via the front-end beacon (beacon/hybrid tracking mode). Verified on a staging install.
• Hardening & cleanup (from an internal audit): Multisite isolation fix so a subsite admin can no longer delete/toggle another site’s redirect by id; removed a dead “link check” cron that fired into the void; report crons are now cleared on deactivation; minor robustness fixes.
• AI — Mistral AI support (EU-based) + provider choice: AI suggestions can now run on Mistral AI — an EU-based provider, so your content stays in the EU — in addition to Anthropic (Claude). Choose your provider and model in the AI tab; Mistral is the new default for fresh installs. Still bring-your-own-key, encrypted at rest, fully opt-in.
• Pro — Executive report (CEO / CTO): a one-click, print-ready branded report for leadership. Pick an Executive (CEO), Technical (CTO) or Full/Board preset, choose a period, and present it or save it as PDF from the browser. Includes period-over-period deltas, human-vs-bot split, traffic mix, geographic reach, top/entry/exit pages, Core Web Vitals ratings (overall and by device), new-vs-returning audience and a privacy/compliance summary — rendered entirely from your own first-party data, no external service. The Free build shows a preview/upsell.
• Multisite: the analytics tabs (Dashboard, Visitors, Sources, Pages) and the at-a-glance dashboard widget now scope visitor stats per site. A new site selector lets you switch between this site, the entire network (aggregated), or any single subsite; the choice is remembered per user. Previously every subsite admin saw network-wide totals.
• Multisite: the network Dashboard adds a per-site breakdown table (pageviews / unique visitors / sessions per subsite) with a one-click drill-down into each site.
• Fix: SEOFORGE_VERSION was still reporting 0.7.4; it is now back in sync with the plugin header.

0.7.5 — 2026-06-19

• Security/SQL: every plugin-owned table name that was previously interpolated into a query string is now passed through the $wpdb->prepare() %i identifier placeholder (WordPress 6.2+) instead of string interpolation. Conditional WHERE builders and the breakdown/percentile switches were restructured so each $wpdb->prepare() call receives a string literal with placeholders only — no SQL string is built in a variable. The only remaining interpolation is the dynamic post_type IN (...) list, which uses generated %s placeholders bound through prepare() (an IN() list cannot use %i). Requires at least WordPress 6.2.

0.7.4 — 2026-06-14

• Security: removed the last two cases of a column identifier being interpolated into SQL. The breakdown query (Seoforge_Stats::group_count()) and the Core Web Vitals percentile query (Seoforge_Reports::percentile()) now select a separate, fully literal query string per allowed column — the SQL identifier is never taken from a variable. All values continue to be bound through $wpdb->prepare().

0.7.3 — 2026-06-13

• Enqueue: the Reports tab no longer outputs an inline <script>; its quick-range helper moved into the enqueued assets/js/admin.js.
• i18n: the last seoforge text-domain string now uses brainwerk-seo-suite, matching the plugin slug.
• Security: report admin-post handlers sanitize the nonce with sanitize_text_field( wp_unslash() ) and unslash/sanitize all request values; the post meta box sanitizes its submitted array at input.

0.7.2 — 2026-06-10

• Security: table names passed to the internal table-resolver are now validated against the fixed whitelist of plugin tables before being used in SQL.
• Security: the migration coordinator builds its post-type IN (...) list from dynamically generated %s placeholders via $wpdb->prepare() instead of escaping + interpolation.
• Security: internal report/stats helpers validate metric and group-by column names against fixed whitelists before using them as SQL identifiers.

0.7.1 — 2026-06-03

• Security: Schema.org JSON-LD is now emitted with slash-escaping (no JSON_UNESCAPED_SLASHES), so a value containing </script> can no longer break out of the inline application/ld+json block. \/ and \uXXXX remain valid JSON-LD.

0.7.0 — 2026-05-21

• Rebranded to Brainwerk SEO Suite (was: SEOForge). Display name + text-domain + plugin filename updated.
• Security: nonce verification in the post meta box now goes through sanitize_text_field( wp_unslash() ) (pluggable-function hardening).
• Security: $_COOKIE reads in the tracker now go through sanitize_text_field( wp_unslash() ) in addition to the existing hex-filter.
• Security: SVG sparkline attributes in the dashboard widget now use esc_attr() for chart coordinates.
• Security: WP-CLI export --out=<path> is now restricted to a wp-content/uploads/seoforge/ subdirectory (and writes only the basename) so it cannot clobber arbitrary paths.
• wp.org compliance: removed the Pro-only bearer-key path from the REST permission_callback. The Free REST API is admin-cookie/nonce only. Pro external dashboards stay in the separate Premium build.
• wp.org compliance: removed load_plugin_textdomain() — WordPress 4.6+ auto-loads translations for plugins hosted on wp.org by slug.
• wp.org compliance: weekly digest now uses admin_url() instead of a hard-coded /wp-admin/ path.
• Docs: readme now documents the optional Anthropic (Claude) API integration as an == External services == section, with what is sent, when, how to disable, and links to Anthropic’s Terms / Privacy.

0.6.0 — 2026-05-19

• Freemius integration live-wired end-to-end (real product IDs, SDK in freemius/, is_live=true).
• Paid plans Starter (€59/yr, 1 site) and Agency (€199/yr, 25 sites) with auto-generated pricing table.
• New sanity row in the Tools tab reports SDK / opt-in / license state.
• Premium build script (bin/build-premium.sh) for Freemius Deploy.
• Fix: Seoforge_License::is_pro() now uses is_paying() so Pro modules load in both Free and Premium builds with a valid license.
• uninstall.php logic migrated to Freemius after_uninstall hook (per Freemius Deploy guideline).

0.5.0 — 2026-05-10

• CI alignment with the ShieldForge UX (Hero banner, tab groups, action items, iOS toggles, tooltips, dark mode, mobile, sanity card).
• bin/bump-version.{sh,ps1} + bin/build-free.{sh,ps1} + .distignore.
• Pre-launch sanity check (17 checks across versioning, cron, DB, privacy, tracking, sitemap, coexistence, file hygiene, readme, translations).
• i18n: POT + de_DE PO/MO shipped.
• PHPUnit tests for Seoforge_Crypto + Seoforge_Analyzer.

0.4.0 — 2026-05-07

• Migration wizard for Yoast / RankMath / AIOSEO (metadata + redirects).
• JS-beacon tracking mode with scroll depth + outbound clicks.
• Seoforge_Health setup-health score on the Dashboard.
• UX polish for non-technical site owners.

0.3.0 — 2026-05-07

• Pre-aggregated daily table for O(1) dashboard queries.
• Transient caches with auto-flush on mutations.
• License-key encryption at rest (AES-256-CBC).
• Streamed CSV exports (visits, sessions, 404, redirects).
• Bulk redirect import from CSV.
• WP-CLI commands (wp seoforge ...).
• Demo seeder + live-visitors widget.
• REST API (/wp-json/seoforge/v1/...).

0.2.0 — 2026-05-07

• Coexistence layer detects Yoast / RankMath / AIOSEO / The SEO Framework / SEOPress and stands down passively.
• License + Pro module foundation.
• Pro stubs: Geo-Lookup, webhooks, anomaly detection, Search Console.
• Marketing landing page (landing/index.html).

0.1.0 — 2026-05-07

• Initial release: tracker, sessions, stats, meta, schema, sitemap, robots, redirects, 404 log, on-page analyzer, weekly digest, onboarding wizard, tools tab.