Security: Add Google reCAPTCHA v2 to login and lost password forms

DEPENDENCIES.md

@@ -48,8 +48,37 @@ location ~ /wp-content/(?<path>.+)\.(?<ext>jpe?g|png|gif|webp)$ {
 
 The plugin stores converted WebP files in `/wp-content/uploads-webpc/` mirroring the structure of `/wp-content/uploads/`.
 
+## WordPress Plugins (Security)
+
+| Plugin | Version | Purpose |
+|--------|---------|---------|
+| All In One WP Security | 5.4.4 | Login protection, basic firewall, user enumeration blocking |
+
+### AIOS Configuration Summary
+
+**Login Protection:**
+- Max login attempts: 10
+- Retry time period: 5 minutes
+- Lockout length: 30 minutes (max 60)
+- Instant lockout usernames: admin, administrator, test
+- Generic login error messages: enabled
+- Email notifications: enabled
+- Login honeypot: enabled
+
+**Hardening:**
+- File editing disabled
+- WP generator meta removed
+- Default WP file access prevented
+- User enumeration blocked
+- Unauthorized REST API blocked
+- Clickjacking protection enabled
+- Directory indexing disabled
+
+**Note:** Many features (5G/6G firewall, IP blacklisting, advanced brute force) are intentionally disabled as Sucuri WAF will handle these at the edge.
+
 ## Notes
 
 - No external APIs or services are used for image processing
 - All image conversion happens locally on the server
 - WordPress core handles thumbnail generation for all registered image sizes
+- Security hardening complements (not duplicates) Sucuri WAF features

contract/Contracts/WordPress-Website/_scratch/site_analysis/IMPLEMENTATION-PLAN.md

@@ -808,21 +808,51 @@ This implementation plan is a draft for review. Please confirm:
 - Site icon/favicon managed via WordPress Customizer (Appearance > Customize > Site Identity)
 - Theme color set to #0A0A0A (background dark) for mobile browser chrome
 
-### Phase 6: Performance & Security - COMPLETED (Partial)
+### Phase 6: Performance & Security - COMPLETED
 - [x] WebP image conversion via "Converter for Media" plugin
 - [x] Nginx rewrite rules for serving WebP to supported browsers
 - [x] Server dependencies documented in DEPENDENCIES.md
+- [x] AIOS (All In One WP Security) plugin installed and configured
 - [ ] Caching plugin - SKIPPED (not requested)
-- [ ] Security plugin - SKIPPED (not requested)
 - [ ] Backups plugin - SKIPPED (not requested)
 
-**Technical Details:**
+**WebP Conversion:**
 - Plugin: Converter for Media v6.3.2
 - Conversion method: PHP GD/Imagick (both available, WebP supported)
 - WebP files stored in: `/wp-content/uploads-webpc/`
 - Nginx serves WebP when browser sends `Accept: image/webp` header
 - No external APIs or services used (fully local processing)
 
+**Security (AIOS) Configuration:**
+- Plugin: All In One WP Security v5.4.4
+- Login lockdown: 10 attempts in 5 minutes = 30 min lockout (max 60 min)
+- Instant lockout usernames: admin, administrator, test
+- Generic login error messages enabled
+- Email notifications on lockout enabled
+- Login honeypot enabled
+- Registration honeypot enabled
+- Comment spam bot blocking enabled
+- User enumeration prevention enabled
+- Unauthorized REST API requests blocked
+- File editing disabled in admin
+- WP generator meta removed
+- Default WP file access prevented (readme.html, license.txt, etc.)
+- Debug log file access blocked
+- Directory index views disabled
+- Clickjacking protection (X-Frame-Options)
+- 404 logging enabled
+- Basic firewall enabled
+- XML-RPC pingback disabled
+
+**NOT enabled (conservative approach):**
+- Renamed login page (can break plugins/bookmarks)
+- Cookie-based brute force prevention (can lock out legitimate users)
+- Forced logout after X minutes
+- CAPTCHA on forms (can hurt UX)
+- 5G/6G firewall rules (Sucuri WAF will handle this)
+- File change detection scanning (resource intensive)
+- IP blacklisting (Sucuri WAF will handle this)
+
 **Files Created:**
 - /var/www/html/DEPENDENCIES.md (server dependency documentation)