Guard Dog

Description

Guard Dog is a comprehensive security plugin designed to protect your WordPress site from unauthorized access and brute-force attacks. With features like custom login URLs, two-factor authentication, and multiple CAPTCHA providers, Guard Dog provides enterprise-level security for any WordPress site.

Key Features:

  • Custom Login URLs – Hide your wp-admin and wp-login.php from attackers
  • Two-Factor Authentication (2FA) – TOTP-based authentication with recovery codes
  • Social Login (OAuth) – Sign in with Google, Microsoft, or Apple
  • Passkeys – Use device-based biometric authentication like Face ID, Touch ID or Windows Hello
  • Multiple CAPTCHA Providers – Support for Google reCAPTCHA v2/v3, hCaptcha, and Cloudflare Turnstile
  • Login Attempt Limiting – Prevent brute-force attacks with intelligent lockout
  • Access Control – IP-based whitelist/blacklist protection
  • Activity Monitoring – Comprehensive logging of security events
  • Temporary User Access – Create temporary WordPress users with time-limited, secure access
  • User Management – Advanced user permission controls

Why Choose Guard Dog?

  • Privacy-Focused – Multiple CAPTCHA options including privacy-first providers
  • WordPress.org Compliant – Built following WordPress coding standards
  • Enterprise-Ready – Scalable features suitable for any site size
  • User-Friendly – Intuitive interface with helpful documentation
  • Regular Updates – Actively maintained and updated

Perfect For:

  • Business websites requiring enhanced security
  • WordPress sites handling sensitive data
  • Multi-user sites with complex access requirements
  • Anyone wanting comprehensive protection without complexity

Additional Information

Support:
For support questions, please use the WordPress.org support forums.

Privacy:
Guard Dog respects user privacy and offers multiple privacy-focused CAPTCHA options. No data is transmitted to third parties except for CAPTCHA verification when enabled.

Security:
Guard Dog follows WordPress security best practices and undergoes regular security audits. All user input is sanitized and all output is escaped.

Third-Party Services

Guard Dog integrates with the following third-party services to provide CAPTCHA protection. These services are optional and only used when CAPTCHA features are enabled.

Google reCAPTCHA (v2 and v3)

What it is: Google’s CAPTCHA service that helps protect websites from spam and abuse.

What it’s used for:
– Verifying that login, registration, and password reset attempts are made by humans
– Preventing automated bot attacks on your WordPress forms

What data is sent and when:
– User interaction data (mouse movements, time spent on page) when CAPTCHA is solved
– IP address of the user
– Site domain for verification
– CAPTCHA response token

Privacy and Terms:
Google reCAPTCHA Privacy Policy
Google reCAPTCHA Terms of Service
Google reCAPTCHA Data Usage

Cloudflare Turnstile

What it is: Cloudflare’s privacy-first CAPTCHA alternative that doesn’t require user interaction.

What it’s used for:
– Invisible verification of human users during login, registration, and password reset
– Privacy-focused protection without tracking or cookies

What data is sent and when:
– Non-interactive browser signals when forms are submitted
– IP address for verification
– Site domain for validation

Privacy and Terms:
Cloudflare Privacy Policy
Cloudflare Terms of Service
Turnstile Documentation

hCaptcha

What it is: A privacy-focused CAPTCHA service that doesn’t track users across websites.

What it’s used for:
– Human verification during login, registration, and password reset forms
– Privacy-conscious alternative to Google reCAPTCHA

What data is sent and when:
– User interaction with CAPTCHA challenge
– IP address for verification
– Site domain for validation

Privacy and Terms:
hCaptcha Privacy Policy
hCaptcha Terms of Service
hCaptcha Data Processing

Google OAuth (Social Login)

What it is: Google’s OAuth 2.0 service that allows users to sign in using their Google account.

What it’s used for:
– Authenticating WordPress users via their Google account
– Retrieving basic profile information (name, email) to link or create accounts

What data is sent and when:
– User is redirected to Google’s authorization server when clicking “Sign in with Google”
– An authorization code is exchanged for an access token on your server
– Basic profile information (name, email, Google user ID) is retrieved from Google’s API
– No ongoing data sharing – data is only retrieved during the login process

Privacy and Terms:
Google OAuth Privacy Policy
Google OAuth Terms of Service
Google API Services User Data Policy

Microsoft Azure AD (Social Login)

What it is: Microsoft’s OAuth 2.0 service via Azure Active Directory that allows users to sign in using their Microsoft account.

What it’s used for:
– Authenticating WordPress users via their personal Microsoft account or organizational (work/school) account
– Retrieving basic profile information (name, email) to link or create accounts

What data is sent and when:
– User is redirected to Microsoft’s authorization server when clicking “Sign in with Microsoft”
– An authorization code is exchanged for an access token and ID token (JWT) on your server
– Basic profile information (name, email, Azure object ID) is extracted from the ID token
– No ongoing data sharing – data is only retrieved during the login process

Privacy and Terms:
Microsoft Privacy Statement
Microsoft Services Agreement
Microsoft Identity Platform Documentation

Apple Sign In (Social Login)

What it is: Apple’s OAuth 2.0 / OpenID Connect service that allows users to sign in using their Apple ID.

What it’s used for:
– Authenticating WordPress users via their Apple ID
– Retrieving basic profile information (name, email) to link or create accounts

What data is sent and when:
– User is redirected to Apple’s authorization server when clicking “Sign in with Apple”
– An authorization code is exchanged for an access token and ID token (JWT) on your server
– Basic profile information (email, user ID) is extracted from the ID token
– User’s name is only provided on first authorization; subsequent logins return only the user ID
– Apple may provide a private relay email address instead of the user’s real email
– No ongoing data sharing – data is only retrieved during the login process

Privacy and Terms:
Apple Privacy Policy
Sign in with Apple Guidelines
Apple Developer Program License Agreement

TOTP (Time-based One-Time Password) Standard

What it is: An open standard (RFC 6238) for generating time-based one-time passwords used in two-factor authentication.

What it’s used for:
– Generating secure, time-limited authentication codes for 2FA
– Providing backup authentication when primary 2FA methods are unavailable
– Enabling compatibility with popular authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, etc.)

What data is sent and when:
– No external data transmission – TOTP codes are generated locally using the TOTP algorithm
– Secret key generation – A unique secret key is generated locally when 2FA is enabled for a user
– QR code generation – QR codes are generated locally for easy setup with authenticator apps
– Code verification – Generated codes are verified locally against the stored secret key

Privacy and Terms:
RFC 6238 – TOTP Standard
Google Authenticator Privacy Policy (if using Google Authenticator app)
Authy Privacy Policy (if using Authy app)
Microsoft Authenticator Privacy Policy (if using Microsoft Authenticator app)

Data Handling Summary

When CAPTCHA is disabled: No data is sent to any third-party services.

When CAPTCHA is enabled: Only the specific provider you choose receives verification data. Data is not shared between providers or stored by Guard Dog beyond the verification process.

When 2FA is disabled: No external data transmission occurs.

When 2FA is enabled:
– All TOTP operations (code generation, verification) happen locally on your server
– No data is transmitted to external services for 2FA functionality
– Authenticator apps only receive the initial setup QR code or secret key
– Recovery codes are generated locally and stored securely

When Social Login is disabled: No data is sent to any OAuth provider.

When Social Login is enabled:
– Data is only sent to the configured providers (Google, Microsoft, Apple) during the login process
– Only basic profile information (name, email, user ID) is retrieved
– Social account links are stored locally in your WordPress database
– Users can unlink their social accounts from their profile at any time

User control: Users can choose which CAPTCHA provider to use, or disable CAPTCHA entirely. 2FA can be enabled/disabled per user, and users can choose their preferred authenticator app. Social login can be enabled/disabled by administrators, and users can manage their linked social accounts. All security features are optional and configurable.

Screenshots

  • Change your WordPress login URL to your own string
  • Limit login attempts and set lockout duration
  • Enable email and app-based two-factor authentication methods
  • 2FA configuration from the user profile screen
  • Two-factor authentication on the login screen
  • Enable site-wide blocking, IP address blocking and username blocking
  • Create temporary user with granular access and expiration controls
  • Track site and system events with the Activity Log feature
  • Configure AWS SES, Mailgun, Resend, SendGrid, or Google as your email provider for two-factor messaging

Installation

  1. Upload the guard-dog folder to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Navigate to ‘Guard Dog’ in your admin menu to configure settings
  4. Configure your desired security features step by step

Quick Setup:

  1. Change Login URL: Set a custom login URL immediately after activation
  2. Enable CAPTCHA: Choose and configure your preferred CAPTCHA provider
  3. Configure 2FA: Set up two-factor authentication for enhanced security
  4. Review Settings: Adjust login limits and access controls as needed

FAQ

What if I get locked out of my site?

Guard Dog includes a temporary access feature that generates secure bypass links. These can be created before lockout occurs. If you’re already locked out, you can disable the plugin via FTP by renaming the plugin folder.

Which CAPTCHA provider should I choose?

  • Google reCAPTCHA v3 – Invisible, best user experience
  • Google reCAPTCHA v2 – Checkbox verification, widely supported
  • hCaptcha – Privacy-focused alternative to Google
  • Cloudflare Turnstile – Fast, privacy-first option

Is two-factor authentication required?

No, 2FA is optional but highly recommended. It can be enabled per-user and includes recovery codes for backup access.

Will this affect my site performance?

Guard Dog is optimized for performance. Features like database query optimization and intelligent caching ensure minimal impact on your site speed.

I’m getting false “IP shift” alerts showing the same IP for every user

This happens when your site is behind a reverse proxy, CDN, or load balancer (common with hosts like Kinsta, WP Engine, Cloudflare, or AWS). The proxy sits between users and WordPress, so Guard Dog sometimes detects the proxy’s IP instead of the real visitor’s IP.

To fix this:

  1. Go to Guard Dog > Sessions > Settings
  2. Scroll to “Reverse Proxy / Load Balancer”
  3. Set “IP Detection Method” to match your setup:
    • Cloudflare – if your site uses Cloudflare (most common)
    • X-Forwarded-For – for most other proxies (Kinsta, WP Engine, Nginx, AWS ELB)
    • X-Real-IP – if your server uses Nginx as a reverse proxy
    • Auto – tries all headers automatically (default, works for most sites)
    • REMOTE_ADDR only – only use if you have NO proxy (direct connections only)
  4. Add your proxy’s IP addresses to “Trusted Proxy IPs” (one per line, CIDR ranges supported)
  5. Check the “Detected IP” row to verify your real IP is shown, not the proxy IP

Important: If you are unsure, leave the default “Auto” setting. Only change this if you are experiencing false IP shift alerts or if your hosting provider has instructed you to use a specific header. Misconfiguring this can cause Guard Dog to see incorrect IP addresses, which affects IP-based blocking, login attempt tracking, and activity logs.
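
Why the trusted proxy list matters, as an added example (not Guard Dog's own code, which is PHP): a forwarded header is honoured only when the connection comes from a listed proxy, and X-Forwarded-For is read from the right so that entries a client wrote itself are ignored. The function name, method labels and sample addresses are assumptions made for this sketch.

```python
import ipaddress

# Constructed sample "Trusted Proxy IPs" list (one entry per line in the UI).
TRUSTED_PROXIES = ["10.0.0.0/8", "203.0.113.10"]

# Detection method -> the single header it reads (method names are hypothetical labels).
SINGLE_HEADER = {"cloudflare": "cf-connecting-ip", "x-real-ip": "x-real-ip"}


def _parse_ip(value):
    """Return an ip_address object, or None when the value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def resolve_client_ip(remote_addr, headers, method="x-forwarded-for",
                      trusted=TRUSTED_PROXIES):
    """Choose the visitor IP for one request.

    remote_addr -- TCP peer address (REMOTE_ADDR in PHP)
    headers     -- dict of lower-case header names to raw values
    method      -- "remote_addr", "cloudflare", "x-real-ip" or "x-forwarded-for"
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in trusted]

    def is_trusted(ip):
        return any(ip in net for net in networks)

    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not a valid IP address")

    # Anyone can send a forwarded header; honour it only when the TCP peer
    # is one of our own proxies.
    if method == "remote_addr" or not is_trusted(peer):
        return str(peer)

    if method in SINGLE_HEADER:
        candidate = _parse_ip(headers.get(SINGLE_HEADER[method], ""))
        return str(candidate) if candidate else str(peer)

    # X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the
    # address it saw. Walk from the right, skip our proxies, and take the first
    # address they did not write themselves. Entries further left are unverified.
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: stop and fall back to the peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer)
```

With an empty trusted list every request resolves to the peer address, which matches the “REMOTE_ADDR only” behaviour for sites with no proxy.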

How do I find my proxy’s IP address?

If you’re seeing false IP shift alerts, the alert email will contain the proxy IP (the “new IP” that keeps appearing). You can also check the “Detected IP” row on the Sessions settings page – if it shows your proxy’s IP instead of your real IP, that IP should be added to the Trusted Proxy IPs list. Common proxy IP ranges:

  • Cloudflare – see Cloudflare’s IP ranges
  • Kinsta – typically a Google Cloud IP (e.g., 34.x.x.x or 35.x.x.x)
  • AWS ELB/CloudFront – check your AWS console for load balancer IPs
  • Private networks – 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Does it work with other security plugins?

Guard Dog is designed to work alongside other security plugins, though we recommend testing in a staging environment first to avoid conflicts.

What external services does Guard Dog use?

  • CAPTCHA (when enabled): Google reCAPTCHA, hCaptcha, or Cloudflare Turnstile.
  • Email (when Email 2FA enabled): Amazon SES, Mailgun, Resend, SendGrid, or Google SMTP.
  • Social Login (when enabled): Google OAuth, Microsoft Azure AD, and Apple Sign In (authorization and user profile).
  • IP Reputation (when enabled): DNS only: Spamhaus ZEN, CBL (abuseat.org), dan.me.uk (Tor). Optional geo: ip-api.com or ipinfo.io; geo can be turned off to use only DNS.
  • Geolocation (country from IP): When CDN/proxy headers do not provide country, ip-api.com or ipapi.co may be used (e.g. access control, activity log).

For details, data flows, and privacy policies, see the Privacy & Data Usage documentation in the docs folder.

Reviews

11.2.2026 1 reply
After searching for quite some time for all kinds of plugins that could help with 2FA and/or Passkeys support for WordPress without having to pay for yet another plugin, I found this Guard Dog plugin, and apart from some caching problems it has been working like a charm! Thank you so much!

Contributors & Developers

“Guard Dog” is open source software. The following people have contributed to this plugin.


Changelog

1.9.34

  • Expired sessions on frontend pages now silently degrade to logged-out state instead of redirecting to the login page

1.9.33

  • Add reverse proxy / load balancer configuration for accurate IP detection behind CDNs and proxies
  • New IP detection method setting: Auto, Cloudflare, X-Forwarded-For, X-Real-IP, or REMOTE_ADDR only
  • New trusted proxy IPs setting with CIDR range support to prevent IP spoofing via forwarded headers
  • Fix false IP shift alerts on sites behind reverse proxies (Kinsta, Google Cloud, AWS ELB, etc.)
  • Consolidate duplicate IP detection methods across plugin to use centralized proxy-aware logic
  • Add diagnostic “Detected IP” display on settings page to verify proxy configuration

1.9.32

  • Isolate all vendor dependencies with PHP-Scoper namespace prefixing to prevent conflicts with other plugins
  • Improved session management handling when using caching layers like Varnish or Redis

1.9.31

  • Add Google (Gmail/Workspace) and SendGrid as email provider options
  • Minor login page styling update when social login buttons are present
  • Fix email provider detection on Login Security page

1.9.30

  • Add social login with Google, Microsoft, and Apple OAuth support
  • Allow users to sign in with their Google, Microsoft, or Apple account from the WordPress login page
  • Apple Sign In with JWT client secret and id_token-based authentication
  • Link and unlink social accounts from user profile
  • Optional auto-linking by email and auto-creation of new users
  • Social login bypasses 2FA when configured (follows passkey pattern)
  • Activity logging for social login events

1.9.20

  • Fix authentication failures (passkey login, 2FA) on sites using page caching (Varnish, Cloudflare, Nginx FastCGI)
  • Remove dependency on PHP sessions — all auth state now uses WordPress transients with secure one-time-use tokens
  • Resolve WordPress Site Health critical warning about session_start() usage

1.9.11

  • Add user enumeration protection feature with multi-vector blocking

1.9.1

  • Add support for Passkeys
  • Add session and session management support with suspicious activity detection
  • Improve user flow when password policy is set and enforce 2FA is enabled

1.9.01

  • Fix a bug causing the Access Denied page to lose styling when using the built-in customizer feature

1.9.0

  • Add feature to set password strength policy and block reusing passwords
  • Add feature to require user email verification before login with customizable link expiration
  • Update email provider feature to allow using for all WordPress emails

1.8.48

  • Improve access control to block entire countries
  • Add caching for access control rules

1.8.47

  • Improve log exporting
  • Ensure WordPress 6.9 compatibility

1.8.46

  • Add feature to customize access denied page with built-in customizer or template override

1.8.45

  • Add feature to customize email template for two-factor auth code with built-in customizer or template override

1.8.44

  • Add WooCommerce events to Activity Log
  • Improve site-wide blocking message customization

1.8.433

  • Fix activity log error that could occur when updating a navigation menu

1.8.432

  • Fix “Unknown Event” event name logging in the Activity Log section to display the proper event name

1.8.431

  • Minor 2FA login form styling

1.8.43

  • Resolve AWS SDK conflict with other plugins that may use AWS environment variables
  • Refactor 2FA login flow to improve security

1.8.42

  • Code quality improvements to meet WordPress coding standards

1.8.41

  • Code quality improvements to meet WordPress coding standards

1.8.4

  • Improve Activity Log admin interface
  • Improve front-end styling for two-factor authentication methods when logging in

1.8.325

  • Added additional two-factor authentication method via email
  • Added email provider configuration for use with two-factor via email authentication

1.8.312

  • Under-the-hood refactoring of plugin settings templates

1.8.31

  • Update readme.txt describing third party libraries in use and what they do

1.8.3

  • Under-the-hood performance improvements and updates for WordPress plugin directory compliance

1.8.2

  • Improved debug logging to prevent potential PHP errors

1.8.1

  • Update activity log settings to add additional event types
  • Improve shortcode 2FA widget for use in custom themes using a custom login page

1.8.0

  • Custom login URL feature refactored to be server agnostic
  • Improve custom login URL support when using CAPTCHA and 2FA

1.7.0

  • Enhanced debug logging system with multiple log levels and export ability
  • Styling improvements applied to settings page

1.6.0

  • Added Cloudflare Turnstile CAPTCHA support
  • Enhanced activity logging system
  • NEW: Complete temporary user access system – create actual WordPress users with time limits
  • Improved temporary access security with automatic user cleanup
  • Better mobile responsiveness for admin interface
  • Performance optimizations for large sites

1.5.0

  • Added hCaptcha support for privacy-focused protection
  • Enhanced two-factor authentication with recovery codes
  • Improved user interface and user experience
  • Better internationalization support
  • Bug fixes and security enhancements

1.4.0

  • Implemented comprehensive activity monitoring
  • Added advanced IP access control features
  • Enhanced temporary access system
  • Improved admin interface design
  • Performance optimizations

1.3.0

  • Added two-factor authentication (TOTP)
  • Enhanced login attempt limiting
  • Improved admin interface
  • Better error handling and logging
  • Security improvements

1.2.0

  • Added Google reCAPTCHA v3 support
  • Enhanced custom login URL features
  • Improved user management
  • Better admin interface
  • Performance optimizations

1.1.0

  • Added login attempt limiting
  • Enhanced access control features
  • Improved admin interface
  • Bug fixes and optimizations

1.0.0

  • Initial release
  • Custom login URLs
  • Basic access control
  • Google reCAPTCHA v2 support
  • Activity logging