=== ArkHost Security Pack ===
Contributors: arkhost
Tags: security, firewall, login, 2fa, malware
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

WordPress security without the nonsense. No upsells, no premium tier, no fake threat counters.

== Description ==

A complete security plugin that's actually free. No "pro" version, no nag screens, no made-up threat statistics.

= Login Protection =

* Blocks IPs after failed login attempts
* Custom login URL (hides wp-login.php)
* Hides wp-admin from logged-out users
* Honeypot field for bots
* Hides login errors (stops username enumeration)
* Email alerts for admin logins from new IPs
* Country/IP restrictions on login page

= IP Control =

* Whitelist and blacklist
* Auto-blacklist after repeated lockouts
* IPv4, IPv6, CIDR supported

= Geo Blocking =

* Block countries
* Uses free IP2Location LITE database
* One-click download

= Hardening =

* Disable XML-RPC
* Disable dashboard file editing
* Disable application passwords
* Restrict REST API to logged-in users
* Remove WordPress version
* Block user enumeration (?author=1 and REST API)
* Disable pingbacks/trackbacks

= Security Headers =

X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS

= Two-Factor Authentication =

* TOTP (Google Authenticator, Authy, etc.)
* Backup codes
* Enforce for admins

= File Integrity Monitoring =

* Checks WordPress core files against official checksums
* Daily scans
* Email alerts on changes

= Malware Scanner =

* Scans plugins, themes, uploads
* Pattern-based detection
* Quarantine suspicious files
* Weekly scans

= Activity Log =

* Login attempts, lockouts, blocks
* IP, country, username, timestamp
* Configurable retention
* CSV export

= Tools =

* Export/import settings
* Force logout all users
* Test email
* Delete readme.html/license.txt

= Privacy =

No tracking. No analytics. No telemetry.

External connections:

* WordPress.org API (core file checksums)
* IP2Location (database download, only when you click it)

== External services ==

This plugin connects to the following external services under specific circumstances:

= WordPress.org Checksums API =

* Service: api.wordpress.org/core/checksums/1.0/
* Used for: Verifying WordPress core file integrity by comparing local files against official checksums
* Data sent: WordPress version and locale
* When: During daily scheduled file integrity scans and when manually triggered by the admin
* Privacy policy: https://wordpress.org/about/privacy/

= IP Detection Services =

* Services: api.ipify.org, ifconfig.me, icanhazip.com
* Used for: Detecting the server's public IP address for the "Whitelist My IP" tool
* Data sent: Standard HTTP request (no personal data)
* When: Only when an admin uses the "Whitelist My IP" feature in the Tools tab
* Terms: https://www.ipify.org/ / https://ifconfig.me/ / https://icanhazip.com/

= IP2Location =

* Service: download.ip2location.com
* Used for: Downloading the free IP2Location LITE geolocation database for country-based blocking
* Data sent: Standard HTTP request (optional: user's download token if configured)
* When: Only when an admin clicks "Download IP2Location Database" in the IP Control tab
* Terms of service: https://www.ip2location.com/terms
* Privacy policy: https://www.ip2location.com/privacy

== Installation ==

1. Upload the plugin files to `/wp-content/plugins/arkhost-security-pack/`
2. Activate the plugin through the 'Plugins' screen
3. Configure under the Security menu

== Frequently Asked Questions ==

= Is there a premium version? =

No. This is the complete plugin.

= Will it slow my site? =

No. Checks run on login and admin access, not frontend page loads.

= I locked myself out =

Connect via FTP/SSH and rename the plugin folder. Log in normally. Fix your settings.

= Does geo-blocking work without the database? =

No. Download the free IP2Location LITE database from the plugin settings.

= Can I use this with other security plugins? =

Possible but likely to cause conflicts. We recommend using one security plugin at a time.

== Screenshots ==

1. Security status overview
2. Login protection settings
3. Activity log
4. Two-factor authentication setup
5. Malware scanner with quarantine

== Changelog ==

= 1.1 =

* Fixed: Custom login URL form submission redirecting to 404 page
* Fixed: URL rewrite filters not being registered before login page render

= 1.0 =

* Initial release

== Upgrade Notice ==

= 1.1 =

Fixes custom login URL breaking on form submission (404 redirect).

= 1.0 =

Initial release.
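
The core-file check described under "File Integrity Monitoring" and "WordPress.org Checksums API" above, as an added example that is not the plugin's own code: it compares a WordPress tree with a checksums response of the shape `{"checksums": {path: md5}}` and reports modified and missing files. It goes beyond what this readme states by also reporting unlisted files in `wp-admin` and `wp-includes` and by skipping `wp-content/` entries; the names `check_core`, `md5_file` and `demo` are hypothetical, and the three-file tree and response body are constructed so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def md5_file(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()  # API publishes MD5 hex digests

def check_core(root, api_body):
    """Compare a WordPress tree with an API body shaped {"checksums": {path: md5}}."""
    official = json.loads(api_body)["checksums"]
    root = Path(root)
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in official.items():
        if rel.startswith("wp-content/"):
            continue  # bundled themes/plugins are often removed or updated (this example's choice)
        target = root / rel
        if not target.is_file():
            findings["missing"].append(rel)
        elif md5_file(target) != expected:
            findings["modified"].append(rel)
    # Core-only directories should hold nothing beyond the official list.
    for top in ("wp-admin", "wp-includes"):
        if (root / top).is_dir():
            for path in (root / top).rglob("*"):
                rel = path.relative_to(root).as_posix()
                if path.is_file() and rel not in official:
                    findings["unexpected"].append(rel)
    return {kind: sorted(paths) for kind, paths in findings.items()}

def demo():
    """Constructed sample: a three-file stand-in for core and a matching API body."""
    files = {"wp-login.php": b"<?php // login\n",
             "wp-admin/index.php": b"<?php // admin\n",
             "wp-includes/version.php": b"<?php // version\n"}
    body = json.dumps({"checksums": {rel: hashlib.md5(data).hexdigest()
                                     for rel, data in files.items()}})
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "wp-includes/version.php").write_bytes(b"<?php // edited\n")  # changed
        (root / "wp-admin/index.php").unlink()  # removed
        (root / "wp-includes/extra.php").write_bytes(b"<?php // added\n")  # not in list
        return check_core(root, body)

if __name__ == "__main__":
    print(demo())
```

Against a real site, `api_body` is the response from api.wordpress.org/core/checksums/1.0/ queried with the installed `version` and `locale`, the two values this readme lists as sent.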