Guard — WordPress Login Protection
Block brute-force attacks, bots, and unauthorized access. Lightweight, zero external API calls.
Everything You Need for Protection
Guard protects your site from common login attacks. Zero external APIs, minimal server load.
Login Limits
Auto-lockout after a configurable number of failed login attempts.
Login Log
Complete log with IP, username, status, and timestamp. Searchable and sortable.
IP Blacklist
Manually block suspicious IP addresses. Permanently or for a set duration.
Hide Errors
Replaces "Wrong password" and "No such user" with a generic error message.
XML-RPC Block
Full or partial XML-RPC blocking — the main brute-force attack vector.
Honeypot Trap
Invisible field on the login form. Bots fill it — and get blocked instantly.
Need More Protection?
Guard PRO adds advanced security features for serious projects.
GeoIP Blocking
Block entire countries. IP detection via ip-api.com with caching.
Two-Factor Authentication
TOTP (Google Authenticator). QR code + backup codes for each user.
Notifications
Email and Telegram alerts on IP blocks, admin logins, failure thresholds.
Custom Login URL
Replace /wp-login.php with your own address. Default URL returns 404.
reCAPTCHA / hCaptcha
reCAPTCHA v3 or hCaptcha integration on the login form.
Attack Detector
Detects credential stuffing and distributed brute-force attacks.
Free vs PRO
| Feature | Free | PRO |
|---|---|---|
| Login attempt limits | ✓ | ✓ |
| Login log | ✓ | ✓ |
| IP blacklist | ✓ | ✓ |
| Hide login errors | ✓ | ✓ |
| XML-RPC blocking | ✓ | ✓ |
| Honeypot trap | ✓ | ✓ |
| Dashboard with charts | ✓ | ✓ |
| IP whitelist | — | ✓ |
| Country blocking | — | ✓ |
| Two-factor authentication | — | ✓ |
| Email notifications | — | ✓ |
| Telegram notifications | — | ✓ |
| Custom login URL | — | ✓ |
| reCAPTCHA / hCaptcha | — | ✓ |
| Attack detector | — | ✓ |
How It Works
Install
Download Guard from the WordPress directory or install the ZIP manually.
Configure
Set attempt limits, lockout duration, and additional parameters.
Forget About It
Guard works automatically. Visit the dashboard to see your stats.
Privacy
Guard Free does not connect to any external services. All data is stored locally in your WordPress database. IP addresses are logged solely for attack protection and are automatically deleted after a configurable period (30 days by default).
FAQ
Does this plugin slow down my site?
No. Guard performs one indexed DB query per login attempt. Zero external API calls.
What if I lock myself out?
Lockouts are temporary (30 minutes by default). To unblock early, delete the record from wp_lwg_blocked_ips via phpMyAdmin.
Does it work with Cloudflare?
Yes. Guard checks CF-Connecting-IP, X-Forwarded-For, and X-Real-IP headers to detect the real visitor IP.
Can I permanently block an IP?
Yes. Go to Guard → Blocked IPs and add the address manually.
Support the project
All plugins have a free version.
If they help you — consider supporting development.