Hooks, assets, and Pro-ready support added. Update for smoother performance and future compatibility.<\/p>\n\n
Admin Safety Guard<\/strong> is a powerful yet lightweight WordPress security plugin that protects your login page and admin dashboard from hackers, bots, and brute-force attacks. It is built for anyone \u2014 from first-time bloggers to experienced developers \u2014 with a clean interface, clear settings, and features that work from the moment you activate it.<\/p>\n\n WordPress is the most popular website platform in the world, which also makes it the most targeted. Every day, thousands of automated bots scan WordPress sites looking for weak passwords, exposed login pages, and unpatched vulnerabilities. Admin Safety Guard closes those doors quickly and reliably, without slowing down your site or requiring any technical expertise.<\/p>\n\n [youtube https:\/\/www.youtube.com\/watch?v=KFNUmTHtODE]<\/p>\n\n\n\n Most successful WordPress attacks follow the same pattern:<\/p>\n\n Admin Safety Guard blocks every step of this attack chain \u2014 for free.<\/p>\n\n\n\n Limit Login Attempts (Active by Default)<\/strong>\nAutomatically block any IP address that fails too many login attempts. You control the number of allowed attempts, the lockout duration, and the message shown to blocked users. Brute-force attacks become impossible when attackers are locked out after 3 failed tries. Login Limit Attempts is the only feature enabled by default on fresh install, so your site is protected the moment you activate the plugin.<\/p>\n\n Custom Login URL<\/strong>\nMove your login page away from the default Two-Factor Authentication (2FA) via Email OTP<\/strong>\nAfter a user enters their correct password, a one-time passcode (OTP) is sent to their email address. They must enter that code to complete the login. Even if a hacker steals a password, they cannot get in without also accessing the user\u2019s email inbox. You can customise the OTP email subject and body to match your brand.<\/p>\n\n Google reCAPTCHA (v2 & v3)<\/strong>\nAdd Google reCAPTCHA to your login form to block automated bots in real time. Both reCAPTCHA v2 (the familiar checkbox) and v3 (invisible, score-based) are supported. Simply enter your site key and secret key from Google, choose your version, and reCAPTCHA will handle the rest silently in the background.<\/p>\n\n IP Blocking<\/strong>\nManually block specific IP addresses from accessing your login page entirely. If you notice a suspicious IP in your activity log or receive repeated failed login alerts, add that IP to the block list and it will be turned away immediately. Perfect for stopping known bad actors before they become a problem.<\/p>\n\n Login Logs & Activity Tracking<\/strong>\nSee exactly who is logging in to your site and when. The activity dashboard shows successful logins, failed login attempts, IP addresses, user agents, and timestamps in a clear, searchable table. You will always know if something unusual is happening on your site, and you have the evidence to act on it.<\/p>\n\n Security Analytics Dashboard<\/strong>\nThe built-in analytics dashboard gives you a real-time overview of your site\u2019s security health. It shows your overall Security Score (based on how many features you have enabled), recent login activity, failed login trends, and a breakdown of which security features are active versus inactive. It is the first page you see when you open the plugin, giving you immediate situational awareness.<\/p>\n\n Hide Admin Bar (by Role)<\/strong>\nChoose which user roles see the WordPress admin bar on the front end of your site. For example, you can hide the admin bar from subscribers and customers while keeping it visible for editors and administrators. This reduces information leakage and gives non-admin users a cleaner experience.<\/p>\n\n Password Protection (Site-Wide)<\/strong>\nLock your entire website behind a password. Visitors must enter the correct password before they can view any content. This is ideal for staging sites, coming-soon pages, client previews, or any situation where you want to restrict public access temporarily. You can set the access duration and exclude specific user roles from the password requirement.<\/p>\n\n Privacy Hardening \u2014 Disable XML-RPC<\/strong>\nThe WordPress XML-RPC interface is a common target for brute-force and DDoS amplification attacks. With one toggle, you can disable it completely. Unless you rely on XML-RPC for mobile app publishing or specific third-party integrations, disabling it is a safe and recommended step for almost every WordPress site.<\/p>\n\n Login Page Customisation & Branding<\/strong>\nReplace the default WordPress logo on the login page with your own logo. Set the logo width, height, and URL. Choose from pre-built login page templates to give your login form a professional, branded appearance. This is especially useful for agencies delivering client sites and for anyone who wants a polished, consistent look.<\/p>\n\n Firewall & Malware Overview<\/strong>\nThe Firewall & Malware section gives you a central view of your site\u2019s firewall and malware protection status. It shows all related features in one place so you can see what is active and what still needs attention, making it easy to build up your security layer by layer.<\/p>\n\n\n\n Admin Safety Guard Pro<\/a> extends the plugin with advanced security tools designed for agencies, developers, and high-traffic sites.<\/p>\n\n Passwordless Login (Magic Links)<\/strong>\nLet users log in with a secure, one-time link sent to their email \u2014 no password needed. Magic links expire after a single use, making them more secure than passwords for many workflows.<\/p>\n\n 2FA via Mobile Authenticator App<\/strong>\nAdd Google Authenticator or Authy-compatible two-factor authentication to your login flow. Users scan a QR code once, then generate time-based OTP codes from their phone app. This is the same method used by banks and enterprise software.<\/p>\n\n Social Login<\/strong>\nAllow users to log in with their existing Google, Facebook, or other social media accounts. Reduce friction at sign-up and login, while keeping full control over which providers are allowed.<\/p>\n\n Database Table Prefix Check<\/strong>\nThe default WordPress database prefix Strong Password Enforcement<\/strong>\nSet a minimum password strength policy for your users. When they update their password, it must meet your requirements \u2014 rejecting weak, guessable passwords before they become a security risk.<\/p>\n\n Advanced Firewall & Malware Scanner<\/strong>\nScan your WordPress files and database for known malware signatures, suspicious code injections, and modified core files. Get alerts when threats are detected and take action directly from the plugin dashboard.<\/p>\n\n Upgrade to Pro<\/a><\/strong> to unlock all Pro features.<\/p>\n<\/blockquote>\n\n\n\n Bloggers & Content Creators<\/strong>\nYou focus on writing \u2014 not on managing server security. Admin Safety Guard protects your login page and admin area quietly in the background with zero ongoing maintenance required.<\/p>\n\n Small Business Owners<\/strong>\nYour website is your business. A hack can bring it down, damage your reputation, and cost you money. Admin Safety Guard gives you enterprise-level login protection without the enterprise price tag.<\/p>\n\n WooCommerce Store Owners<\/strong>\nAn online store holds customer data, payment details, and order history. Limit login attempts, add 2FA, and lock down your admin area so only you and your trusted team can get in.<\/p>\n\n Freelancers & Web Designers<\/strong>\nDeliver more secure sites to clients out of the box. Customise the login page with the client\u2019s branding, lock down the admin bar by role, and hand over a professional, secure WordPress installation every time.<\/p>\n\n Agencies & Development Teams<\/strong>\nManage security across multiple client sites with a consistent, repeatable setup. All features are toggle-based and clearly documented, making it easy to onboard new team members and maintain a security standard across your portfolio.<\/p>\n\n Developers & Site Administrators<\/strong>\nFine-tune every setting \u2014 login attempt limits, lockout durations, OTP email templates, reCAPTCHA version, redirect URLs, IP block lists, and more. Admin Safety Guard is built on WordPress hooks and filters, so it plays well with the rest of your stack.<\/p>\n\n\n\n For any issues, questions, or feature requests, please reach out via Support<\/a>.<\/p>\n\n\n\n This plugin uses the following third-party and external services:<\/p>\n\n 1) Google reCAPTCHA (Google LLC)<\/p>\n\n Purpose:\nUsed to protect forms from spam and automated abuse.<\/p>\n\n When it is used:\n- When reCAPTCHA is enabled in plugin settings\n- On login forms and support forms protected by reCAPTCHA<\/p>\n\n What data is sent:\n- User IP address\n- reCAPTCHA response token generated by Google\n- Browser information as required by Google reCAPTCHA<\/p>\n\n Service provider:\nGoogle LLC<\/p>\n\n Terms of Service:\nhttps:\/\/policies.google.com\/terms<\/p>\n\n Privacy Policy:\nhttps:\/\/policies.google.com\/privacy<\/p>\n\n 2) ThemePaste API (Plugin Author Service)<\/p>\n\n Purpose:\nUsed for:\n- Collecting optional admin email addresses for plugin updates and notifications\n- Sending support requests from the plugin support form\n- Collecting optional feedback when a user attempts to deactivate the plugin\n- Managing plugin-related notifications (only if the user provides contact details)<\/p>\n\n When it is used:\n- When a user submits the built-in support form\n- When a user opts to send diagnostic information\n- Submitting the optional deactivation feedback form<\/p>\n\n What data is sent:\n- Name\n- Email address\n- Phone number (if provided)\n- Message content\n- Site URL\n- Plugin name\n- Feedback text (if provided)\n- Support message content\n- Deactivation reason (if provided)<\/p>\n\n No data is sent without user action.<\/p>\n\n Service provider:\nThemePaste.com<\/p>\n\n Terms of Service:\nhttps:\/\/themepaste.com\/terms-condition<\/p>\n\n Privacy Policy:\nhttps:\/\/themepaste.com\/privacy-policy<\/p>\n\n This plugin includes compiled JavaScript bundles in:\n- assets\/admin\/build\/*.bundle.js<\/p>\n\n The original (human-readable) source files are included in this plugin under:\n- spa\/admin\/<\/p>\n\n Build Tools\n- Node.js (LTS recommended)\n- npm\n- Webpack + Babel<\/p>\n\n Source Entry Points\nThe admin SPA bundles are built from the following entry points:<\/p>\n\n Install Dependencies\nFrom the plugin root directory (or the directory where package.json exists):<\/p>\n\n 1) Install dependencies:\n npm install<\/p>\n\n Build (Production)\nTo generate the production bundles:<\/p>\n\n npm run build<\/p>\n\n Output Location\nWebpack outputs the compiled bundles to:<\/p>\n\n Important Notes\n- Do not edit files in assets\/admin\/build\/ directly. They are generated files.\n- Edit the source files under spa\/admin\/ and re-run the build command.\n- For WordPress.org distribution, production builds should be used (mode=production).<\/p>\n\n Website<\/a> Option 1 \u2014 Install from the WordPress Plugin Directory (Recommended)<\/strong><\/p>\n\n Option 2 \u2014 Upload Manually<\/strong><\/p>\n\n After Activation<\/strong><\/p>\n\n The plugin will automatically enable Limit Login Attempts with sensible defaults (3 attempts, 15-minute lockout) so your site is protected immediately. Head to Admin Safety Guard<\/strong> in your WordPress menu to explore and configure the rest of the features.<\/p>\n\n\n A: Yes. All features listed under \"Free Features\" above are completely free with no usage limits or hidden costs. A Pro version is available for advanced features such as magic link login, mobile app 2FA, social login, and malware scanning.<\/p><\/dd>\n A: No. Admin Safety Guard only loads its JavaScript and CSS assets on the plugin\u2019s own settings pages inside the admin area. It adds zero weight to your site\u2019s front-end pages. Security checks (like login attempt limits and custom URL routing) are handled in PHP with minimal overhead.<\/p><\/dd>\n A: The plugin sets a custom rewrite rule that points your new login slug (e.g. A: Yes. The plugin detects subdirectory installs and builds the correct URL for your setup automatically.<\/p><\/dd>\n A: Every time a user enters the wrong password, the plugin records the attempt against that IP address. Once the number of failed attempts reaches your configured limit (default: 3), that IP address is locked out for the duration you set (default: 15 minutes). After the lockout period, they can try again. You can also manually block IP addresses permanently from the IP Blocking settings.<\/p><\/dd>\n A: Limit Login Attempts blocks on a per-IP basis, which stops the vast majority of automated attacks. For more sophisticated threats, enabling a custom login URL so bots cannot even find your login page adds a second layer of defence.<\/p><\/dd>\n A: No. You enable the OTP via Email toggle in the Two-Factor Authentication settings. Once enabled, it applies to all login attempts on your site. If you want role-specific or user-specific control, that is available in the Pro version.<\/p><\/dd>\n A: Yes. In the Two-Factor Authentication settings you can edit both the email subject line and the email body. Use the A: XML-RPC is an older interface that lets external apps communicate with WordPress. It is frequently used in brute-force and DDoS amplification attacks because it allows multiple login attempts in a single request. Disabling it is safe for most sites. The only time you need XML-RPC is if you use the official WordPress mobile app for publishing, or a specific third-party service that requires it. Check with your tools before disabling.<\/p><\/dd>\n A: It depends on your preference. reCAPTCHA v2 shows a visible checkbox (\"I\u2019m not a robot\") which users must tick \u2014 straightforward and clear. reCAPTCHA v3 is invisible and runs silently in the background, scoring visitors based on behaviour. v3 offers a better user experience but requires you to set a score threshold. Both are fully supported.<\/p><\/dd>\n A: No. You can exclude specific user roles (e.g. Administrator, Editor) from the password requirement. Users in excluded roles will access the site normally without being shown the password gate. You can also choose to exclude all logged-in users at once.<\/p><\/dd>\n A: Yes. The Login Logs & Activity Tracking section shows a detailed table of all login events \u2014 both successful and failed \u2014 including the username, IP address, browser\/device (user agent), and timestamp. You can use this information to identify suspicious activity and block problem IPs.<\/p><\/dd>\n A: The Security Score is a percentage (0\u2013100) calculated based on how many available security features you have enabled. The more features you activate, the higher your score. It gives you a quick, at-a-glance understanding of your site\u2019s current protection level and shows which areas still need attention.<\/p><\/dd>\n A: Yes. In the Hide Admin Bar settings, you choose which roles should have the admin bar hidden on the front end of your site. For example, you might hide it from Subscribers and Customers while keeping it visible for Editors and Administrators.<\/p><\/dd>\n A: Yes. The plugin is fully compatible with WooCommerce. All features \u2014 login limits, 2FA, custom login URL, IP blocking, and activity logs \u2014 work alongside WooCommerce without any conflicts.<\/p><\/dd>\n A: Yes, in most cases. Admin Safety Guard focuses specifically on login security and admin area protection. It does not interfere with firewall rules or malware scanning from other plugins. If you use another plugin that also offers limit login attempts or custom login URLs, disable that specific feature in one of the two plugins to avoid conflicts.<\/p><\/dd>\n A: Post in the WordPress.org support forum<\/a> for free support. For priority email support and Pro features, visit themepaste.com\/contact<\/a>.<\/p>\n\n<\/dd>\n\n<\/dl>\n\n\n [new] Added deactivation email feature on plugin activation<\/p>\n\n [new] Release the pro version\n[new] Compotable with pro version<\/p>\n\n [new] Added extendable action and filter hooks [new] Auto permalink flush for custom login\/logout URLs [new] Subdirectory support [fix] Minor bug fixes<\/p>\n\n [fix] Build issue resolved<\/p>\n\nWhy WordPress Sites Get Hacked \u2014 And How Admin Safety Guard Stops It<\/h3>\n\n
\n
wp-login.php<\/code> address.<\/li>\nFree Features<\/h3>\n\n
wp-login.php<\/code> address. Bots and automated scanners will never find your login page because it simply does not exist at the expected location. You can set any slug you like, and the plugin handles redirect rules automatically. You can also set a custom redirect URL for after login and after logout.<\/p>\n\nPro Features<\/h3>\n\n
wp_<\/code> is well-known to attackers and makes SQL injection easier. This Pro tool detects your current prefix and guides you through changing it to a unique, random value to close that vulnerability.<\/p>\n\n\n
Who Is Admin Safety Guard For?<\/h3>\n\n
What Makes Admin Safety Guard Different?<\/h3>\n\n
\n
Support<\/h3>\n\n
External Services<\/h3>\n\n
Development \/ Source Code<\/h3>\n\n
\n
\n
Links<\/h3>\n\n
\nDocumentation<\/a>
\nPro Version<\/a>
\nFacebook<\/a>
\nPinterest<\/a>
\nLinkedIn<\/a>
\nInstagram<\/a><\/p>\n\n\n\n
\n
.zip<\/code> file from WordPress.org.<\/li>\n.zip<\/code> file and click Install Now<\/strong>.<\/li>\n\n
Q: Is Admin Safety Guard free?<\/h3><\/dt>\n
Q: Will this plugin slow down my WordPress site?<\/h3><\/dt>\n
Q: What happens when I change my login URL?<\/h3><\/dt>\n
\/my-login<\/code>) to the WordPress login system. The old wp-login.php<\/code> URL will redirect visitors away. Your existing bookmarks will need to be updated to the new URL. The plugin flushes WordPress permalink rules automatically when you save the setting.<\/p><\/dd>\nQ: Does the custom login URL work in a WordPress subdirectory install?<\/h3><\/dt>\n
Q: How does Limit Login Attempts work?<\/h3><\/dt>\n
Q: Does Limit Login Attempts work against bots that change their IP address?<\/h3><\/dt>\n
Q: Is Two-Factor Authentication (2FA) required for all users?<\/h3><\/dt>\n
Q: Can I customise the 2FA email that gets sent to users?<\/h3><\/dt>\n
{otp}<\/code> placeholder where you want the code to appear, and {site_name}<\/code> for your site\u2019s name.<\/p><\/dd>\nQ: What does disabling XML-RPC do, and is it safe?<\/h3><\/dt>\n
Q: Does reCAPTCHA v2 or v3 work better for login pages?<\/h3><\/dt>\n
Q: Will Password Protection affect my logged-in users?<\/h3><\/dt>\n
Q: Can I see who has been trying to log in to my site?<\/h3><\/dt>\n
Q: What is the Security Score shown on the dashboard?<\/h3><\/dt>\n
Q: Can I hide the admin bar from certain user roles?<\/h3><\/dt>\n
Q: Is Admin Safety Guard compatible with WooCommerce?<\/h3><\/dt>\n
Q: Is Admin Safety Guard compatible with other security plugins like Wordfence or iThemes Security?<\/h3><\/dt>\n
Q: How do I get support if something is not working?<\/h3><\/dt>\n
1.2.8 \u2013 Bug Fixes & Default Feature Activation<\/h4>\n\n
\n
1.2.7 \u2013 UI & Content Update<\/h4>\n\n
\n
1.2.6 \u2013 Performance & Security Update<\/h4>\n\n
\n
1.2.5 \u2013 Security & Stability Update<\/h4>\n\n
\n
1.2.4 \u2013 Maintenance Update<\/h4>\n\n
\n
1.2.3 \u2013 Maintenance Update<\/h4>\n\n
\n
1.2.2 \u2013 Maintenance Update<\/h4>\n\n
\n
1.2.1 \u2013 Security & Compliance Update<\/h4>\n\n
\n
1.2.0<\/h4>\n\n
\n
1.1.9<\/h4>\n\n
\n
1.1.8<\/h4>\n\n
\n
1.1.7<\/h4>\n\n
\n
1.1.6<\/h4>\n\n
\n
1.1.5<\/h4>\n\n
\n
1.1.4<\/h4>\n\n
\n
1.1.3<\/h4>\n\n
\n
login_init<\/code>.<\/li>\nwp_signon()<\/code> so WordPress handles Remember Me cookies correctly.<\/li>\n1.1.2<\/h4>\n\n
\n
wp_set_auth_cookie()<\/code> now uses correct $remember flag for persistent login.<\/li>\n1.1.0<\/h4>\n\n
\n
1.0.9<\/h4>\n\n
1.0.6, 1.0.8<\/h4>\n\n
1.0.5<\/h4>\n\n
\n[new] Ready to integrate Pro version
\n[new] Conditionally loaded all assets
\n[new] Added default logo URL, width, and height
\n[fix] Fixed logo issue from customizer
\n[fix] General improvements and bug fixes<\/p>\n\n1.0.4<\/h4>\n\n
\n[new] Admin Notice added
\n[new] Setup Wizard
\n[new] Documentation link added<\/p>\n\n1.0.3<\/h4>\n\n
\n[new] Tooltip in failed login table
\n[new] Auto-redirect after max login attempts
\n[fix] Custom login\/logout URLs
\n[fix] Lockout message
\n[fix] Failed login table issues<\/p>\n\n1.0.2<\/h4>\n\n
1.0.1<\/h4>\n\n
1.0.0<\/h4>\n\n
\n