Guard Dog
Guard Dog is a focused WordPress security plugin for the login door, authentication, sessions, and practical access workflows. With custom login URLs, two-factor authentication, passkeys, CAPTCHA providers, access control, and activity logging, Guard Dog helps site owners tighten the parts of WordPress that get bothered most. Key Features: Custom Login URLs – Hide your wp-admin and wp-login.php from attackers Two-Factor Authentication (2FA) – TOTP-based authentication with recovery codes Social Login (OAuth) – Sign in with Google, Microsoft, or Apple Passkeys – Use device-based biometric authentication like Face ID, Touch ID or Windows Hello Multiple CAPTCHA Providers – Support for Google reCAPTCHA v2/v3, hCaptcha, and Cloudflare Turnstile Login Attempt Limiting – Prevent brute-force attacks with intelligent lockout Access Control – IP-based whitelist/blacklist protection Activity Monitoring – Comprehensive logging of security events Temporary User Access – Create temporary WordPress users with time-limited, secure access Frontend Account Security – Shortcodes and blocks for login, passkeys, 2FA, and session controls Why Choose Guard Dog? Privacy-Focused – Multiple CAPTCHA options including privacy-first providers WordPress.org Compliant – Built following WordPress coding standards Site-Owned Controls – No central cloud platform required for core protections User-Friendly – Intuitive interface with helpful documentation Regular Updates – Actively maintained and updated Perfect For: Business websites requiring enhanced security WordPress sites handling sensitive data Multi-user sites with complex access requirements Anyone wanting practical login and account protection without a central SaaS dependency Frontend Shortcodes: [guard_dog_login_form] renders a public Guard Dog-managed login form [guard_dog_passkey_login] renders a standalone passkey sign-in button for custom login pages [guard_dog_two_factor] renders logged-in 2FA management [guard_dog_passkeys] renders logged-in passkey management [guard_dog_sessions] renders logged-in active-session management [guard_dog_account_security] renders the composite logged-in account security widget for 2FA, passkeys, and sessions [guard_dog_2fa] remains supported as the legacy alias for the account security widget Block-based themes can use the matching Guard Dog Login Form, Passkey Login, Two-Factor Auth, Passkeys, Sessions, and Account Security blocks. Additional Information Support: For support questions, please use the WordPress.org support forums. Privacy: Guard Dog respects user privacy and offers multiple privacy-focused options. Third-party services are only contacted when you enable features that need them, such as CAPTCHA, email delivery, social login, IP reputation, or geolocation. Security: Guard Dog follows WordPress security best practices. User input is sanitized and output is escaped throughout the plugin. Third-Party Services Guard Dog integrates with the following third-party services to provide CAPTCHA protection. These services are optional and only used when CAPTCHA features are enabled. Google reCAPTCHA (v2 and v3) What it is: Google’s CAPTCHA service that helps protect websites from spam and abuse. What it’s used for: – Verifying that login, registration, and password reset attempts are made by humans – Preventing automated bot attacks on your WordPress forms What data is sent and when: – User interaction data (mouse movements, time spent on page) when CAPTCHA is solved – IP address of the user – Site domain for verification – CAPTCHA response token Privacy and Terms: – Google reCAPTCHA Privacy Policy – Google reCAPTCHA Terms of Service – Google reCAPTCHA Data Usage Cloudflare Turnstile What it is: Cloudflare’s privacy-first CAPTCHA alternative that doesn’t require user interaction. What it’s used for: – Invisible verification of human users during login, registration, and password reset – Privacy-focused protection without tracking or cookies What data is sent and when: – Non-interactive browser signals when forms are submitted – IP address for verification – Site domain for validation Privacy and Terms: – Cloudflare Privacy Policy – Cloudflare Terms of Service – Turnstile Documentation hCaptcha What it is: A privacy-focused CAPTCHA service that doesn’t track users across websites. What it’s used for: – Human verification during login, registration, and password reset forms – Privacy-conscious alternative to Google reCAPTCHA What data is sent and when: – User interaction with CAPTCHA challenge – IP address for verification – Site domain for validation Privacy and Terms: – hCaptcha Privacy Policy – hCaptcha Terms of Service – hCaptcha Data Processing Google OAuth (Social Login) What it is: Google’s OAuth 2.0 service that allows users to sign in using their Google account. What it’s used for: – Authenticating WordPress users via their Google account – Retrieving basic profile information (name, email) to link or create accounts What data is sent and when: – User is redirected to Google’s authorization server when clicking “Sign in with Google” – An authorization code is exchanged for an access token on your server – Basic profile information (name, email, Google user ID) is retrieved from Google’s API – No ongoing data sharing – data is only retrieved during the login process Privacy and Terms: – Google OAuth Privacy Policy – Google OAuth Terms of Service – Google API Services User Data Policy Microsoft Azure AD (Social Login) What it is: Microsoft’s OAuth 2.0 service via Azure Active Directory that allows users to sign in using their Microsoft account. What it’s used for: – Authenticating WordPress users via their personal Microsoft account or organizational (work/school) account – Retrieving basic profile information (name, email) to link or create accounts What data is sent and when: – User is redirected to Microsoft’s authorization server when clicking “Sign in with Microsoft” – An authorization code is exchanged for an access token and ID token (JWT) on your server – Basic profile information (name, email, Azure object ID) is extracted from the ID token – No ongoing data sharing – data is only retrieved during the login process Privacy and Terms: – Microsoft Privacy Statement – Microsoft Services Agreement – Microsoft Identity Platform Documentation Apple Sign In (Social Login) What it is: Apple’s OAuth 2.0 / OpenID Connect service that allows users to sign in using their Apple ID. What it’s used for: – Authenticating WordPress users via their Apple ID – Retrieving basic profile information (name, email) to link or create accounts What data is sent and when: – User is redirected to Apple’s authorization server when clicking “Sign in with Apple” – An authorization code is exchanged for an access token and ID token (JWT) on your server – Basic profile information (email, user ID) is extracted from the ID token – User’s name is only provided on first authorization; subsequent logins return only the user ID – Apple may provide a private relay email address instead of the user’s real email – No ongoing data sharing – data is only retrieved during the login process Privacy and Terms: – Apple Privacy Policy – Sign in with Apple Guidelines – Apple Developer Program License Agreement TOTP (Time-based One-Time Password) Standard What it is: An open standard (RFC 6238) for generating time-based one-time passwords used in two-factor authentication. What it’s used for: – Generating secure, time-limited authentication codes for 2FA – Providing backup authentication when primary 2FA methods are unavailable – Enabling compatibility with popular authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, etc.) What data is sent and when: – No external data transmission – TOTP codes are generated locally using the TOTP algorithm – Secret key generation – A unique secret key is generated locally when 2FA is enabled for a user – QR code generation – QR codes are generated locally for easy setup with authenticator apps – Code verification – Generated codes are verified locally against the stored secret key Privacy and Terms: – RFC 6238 – TOTP Standard – Google Authenticator Privacy Policy (if using Google Authenticator app) – Authy Privacy Policy (if using Authy app) – Microsoft Authenticator Privacy Policy (if using Microsoft Authenticator app) Data Handling Summary When CAPTCHA is disabled: No data is sent to any third-party services. When CAPTCHA is enabled: Only the specific provider you choose receives verification data. Data is not shared between providers or stored by Guard Dog beyond the verification process. When 2FA is disabled: No external data transmission occurs. When 2FA is enabled: – All TOTP operations (code generation, verification) happen locally on your server – No data is transmitted to external services for 2FA functionality – Authenticator apps only receive the initial setup QR code or secret key – Recovery codes are generated locally and stored securely When Social Login is disabled: No data is sent to any OAuth provider. When Social Login is enabled: – Data is only sent to the configured providers (Google, Microsoft, Apple) during the login process – Only basic profile information (name, email, user ID) is retrieved – Social account links are stored locally in your WordPress database – Users can unlink their social accounts from their profile at any time User control: Users can choose which CAPTCHA provider to use, or disable CAPTCHA entirely. 2FA can be enabled/disabled per user, and users can choose their preferred authenticator app. Social login can be enabled/disabled by administrators, and users can manage their linked social accounts. All security features are optional and configurable.
Top keywords
- data27×1.91%
- login27×1.91%
- google23×1.63%
- user20×1.42%
- privacy18×1.27%
- captcha16×1.13%
- guard16×1.13%
- dog15×1.06%
- guard dog15×1.06%
- microsoft14×0.99%
- id13×0.92%
- users13×0.92%
WP-OTP
With WP-OTP you can easily set up 2 Factor Authentication with One Time Passwords for your WordPress login. This extra layer makes your WordPress site a lot more secure. The new stealth mode allows for invisible OTP code entry, making your login screen look like any other, no extra OTP code input field. Getting started After installing and activating the plugin, every user can enable WP-OTP on their profile page. It’s as easy as scanning the provided QR Code or entering the OTP secret to any OTP generator app. Then just activate it by entering the generated OTP and voilà, all set up. Now, the login requires an OTP code to succeed. Each user gets their own secret key to authenticate with, giving them control over their login security. Development This plugin is completely open source and a work of passion. If you would like to be part of it and join in, make your way over to the project page now. Also, if you have an idea you would like to see in this plugin or if you’ve found a bug, please let me know. Configuration WP_OTP_STEALTH: Set this to true to enable stealth OTP mode. Filters There are a multitude of filters to be adjusted. wp_otp_qr_code_provisioning_uri: URI for online QR Code rendering (must contain {PROVISIONING_URI} placeholder for QR Code data). wp_otp_login_form_text: Text for input field on the login screen. wp_otp_login_form_text_sub: Subtext for the input field on the login screen. wp_otp_login_form_invalid_code_text: Error text for an invalid code input on the login screen. wp_otp_code_expiration_window: Set the window of code verification expiration. wp_otp_recovery_codes_count: Number of recovery codes to generate. wp_otp_recovery_codes_length: Length of the recovery codes. wp_otp_secret_length: Length of the secret key. Minimum requirements WordPress 4.6, PHP 7.4. Donate / Support All donations are much appreciated, thank you 🙏 Get professional support for this plugin with a Tidelift subscription Tidelift helps make open source sustainable for maintainers while giving companies assurances about security, maintenance, and licensing for their dependencies. Security To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.
Top keywords
- otp16×4.15%
- code11×2.85%
- login10×2.59%
- wp9×