ArkHost Security Pack

Description

A complete security plugin that’s actually free. No “pro” version, no nag screens, no made-up threat statistics.

Login Protection

• Blocks IPs after failed login attempts
• Custom login URL (hides wp-login.php)
• Hides wp-admin from logged-out users
• Honeypot field for bots
• Hides login errors (stops username enumeration)
• Email alerts for admin logins from new IPs
• Country/IP restrictions on login page

IP Control

• Whitelist and blacklist
• Auto-blacklist after repeated lockouts
• IPv4, IPv6, CIDR supported

Geo Blocking

• Block countries
• Uses free IP2Location LITE database
• One-click download

Hardening

• Disable XML-RPC
• Disable dashboard file editing
• Disable application passwords
• Restrict REST API to logged-in users
• Remove WordPress version
• Block user enumeration (?author=1 and REST API)
• Disable pingbacks/trackbacks

Security Headers

X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS

Two-Factor Authentication

• TOTP (Google Authenticator, Authy, etc.)
• Backup codes
• Enforce for admins

File Integrity Monitoring

• Checks WordPress core files against official checksums
• Daily scans
• Email alerts on changes

Malware Scanner

• Scans plugins, themes, uploads
• Pattern-based detection
• Quarantine suspicious files
• Weekly scans

Activity Log

• Login attempts, lockouts, blocks
• IP, country, username, timestamp
• Configurable retention
• CSV export

Tools

• Export/import settings
• Force logout all users
• Test email
• Delete readme.html/license.txt

Privacy

No tracking. No analytics. No telemetry.

External connections:
* WordPress.org API (core file checksums)
* IP2Location (database download, only when you click it)

External services

This plugin connects to the following external services under specific circumstances:

WordPress.org Checksums API

• Service: api.wordpress.org/core/checksums/1.0/
• Used for: Verifying WordPress core file integrity by comparing local files against official checksums
• Data sent: WordPress version and locale
• When: During daily scheduled file integrity scans and when manually triggered by the admin
• Privacy policy: https://wordpress.org/about/privacy/

IP Detection Services

• Services: api.ipify.org, ifconfig.me, icanhazip.com
• Used for: Detecting the server’s public IP address for the “Whitelist My IP” tool
• Data sent: Standard HTTP request (no personal data)
• When: Only when an admin uses the “Whitelist My IP” feature in the Tools tab
• Terms: https://www.ipify.org/ / https://ifconfig.me/ / https://icanhazip.com/

IP2Location

• Service: download.ip2location.com
• Used for: Downloading the free IP2Location LITE geolocation database for country-based blocking
• Data sent: Standard HTTP request (optional: user’s download token if configured)
• When: Only when an admin clicks “Download IP2Location Database” in the IP Control tab
• Terms of service: https://www.ip2location.com/terms
• Privacy policy: https://www.ip2location.com/privacy