=== GhostGate ===
Contributors: codegee0958
Tags: security, two-factor authentication, limit login attempts, rest api, xml-rpc
Requires at least: 5.8
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.3.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Invisible, intelligent protection for WordPress. GhostGate hides your login page, blocks bots, and turns your site into a ghost fortress.

== Description ==

**GhostGate** is a lightweight yet powerful WordPress security plugin that eliminates the login page as an attack surface. Instead of just defending, it **erases the entrance** entirely with dynamic login URLs and multi-layer access verification.

- 🔒 Hide your login URL with a custom slug and time-based code
- 🔑 Built-in 2FA via email verification
- 🚫 Auto-block brute force attacks by IP
- 🧱 Disable/limit unused endpoints like XML-RPC and REST API
- 👤 Prevent user enumeration via REST, RSS, and author queries
- 🔍 Visualize security status and detect conflicts
- 📜 Activity logs with optional file rotation

GhostGate doesn’t just defend — it disappears. Invisible to bots. Intuitive for users.

👉 **Full features / screenshots / pricing / docs**: https://arce-experience.com/product/

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/ghostgate`
2. Activate the plugin via the Plugins menu
3. Go to **GhostGate > Settings** and configure your gate logic
4. Optionally enable 2FA, IP blocking, REST/API controls, and more

Need help with setup? See the installation & setup video: https://arce-experience.com/product/

== Frequently Asked Questions ==

= Is GhostGate compatible with other security plugins? =

Yes. It detects common conflicts and shows visual warnings. You can use it alongside plugins like Wordfence or iThemes.

= What happens if I forget my login code or get locked out? =

You can always access your site via recovery mode or disable the plugin via FTP if needed.

= Does it affect performance? =

GhostGate is built for speed. It only runs at login and admin hooks, keeping overhead minimal.

== Screenshots ==

1. Admin settings page with tabbed UI
2. Security status diagnostics
3. IP block log and unblock controls
4. Access code input screen for login URL (e.g., date-based code)
5. Security explanation tab

== Privacy ==

GhostGate can store the following data locally on your site to provide rate-limiting and security auditing:

- IP addresses (for temporary throttling / block lists)
- Timestamps and event metadata (login attempts, REST/XML-RPC hits)
- Optional log files under `wp-content/uploads/ghostgate/logs` (if enabled)

No data is sent to third-party services. Site owners are responsible for informing users/visitors where required by local laws. You can clear blocks/logs from the admin UI or by deleting the log files.

== Changelog ==

= 1.3.2 - 2025-09-24 =
* Fix – Resolved “Undefined variable $user_login / $errors” warnings on the login screen when using the custom login slug or pre-login code screen. The plugin now pre-initializes wp-login.php globals and sets `$pagenow` before loading the core login template.
* Fix – Prevented potential “headers already sent” issues by ensuring no output occurs before redirects or the core login inclusion in the 2FA/login slug flow.
* Improvement – Hardened login flow compatibility with core by preparing required globals when the plugin takes over the authentication path.
* Improvement – Minor internal refactors around request path normalization and IP detection to reduce edge cases in server environments.
* Dev – No database changes. Backward compatible with 1.3.1.

= 1.3.0 - 2025-09-22 =
* Security: Strengthened “Hide wp-json structure” — allowlist now stores **only actually registered routes** (including regex routes) and never breaks parameterized patterns.
* Fix: Route allowlist UI now correctly preserves selections for regex endpoints such as `/gbrl/v1/notify/(?P[^/]+)` and nested variants.
* Fix: Resolved rare fatal error on “Unblock IP” admin action by hardening input handling (supports single `ip` and `ip[]`, sanitizes/validates IPv4/IPv6, safe redirect).
* Dev: Added `ghostgate_sanitize_allowed_routes()` and `ghostgate_sanitize_allowed_prefixes()`; introduced a temporary bypass flag so the settings UI can enumerate all routes without being filtered by itself.
* Dev: Always whitelists `/` root in `rest_endpoints` filter; normalized custom prefixes (auto-leading slash, condensed duplicate slashes).
* Perf: Reduced overhead when building the REST route list on the settings page.
* Tweak: Copy and help text polish in settings; minor CSS/UI adjustments.
* Tested: Confirmed compatibility with WordPress 6.8.

= 1.2.1 =
* Tweak: Added brand header (logo + subtitle) to the code entry screen with Retina and dark mode support, plus minor a11y improvements.
* Tweak: Minor CSS polish.

= 1.2.0 =
* New: Added an option to block direct access to preview URLs with a 403 response (Settings → GhostGate → “Block preview display”).
* Dev: Added removal of the new option (ghostgate_block_preview) to uninstall.php.
* Tweak: Minor adjustments to settings UI descriptions.

= 1.1.1 =
* Maintenance and compliance improvements (enqueue scripts/styles; minor fixes)
* UI/diagnostics polish
* Tested up to WordPress 6.8

= 1.1.0 =
* REST/JSON structure stealth options (allowlist & prefix-based allow)
* Improved status diagnostics and defaults for rate limits

= 1.0.0 =
* Initial public release
* Dynamic login URL gate, 2FA email code
* IP restriction + logs, REST API and XML-RPC shielding
* Status analyzer and conflict detector

➡ Full changelog (latest): https://arce-experience.com/changelog/#ghostgate

== Upgrade Notice ==

= 1.2.0 =
Added an option to block direct access to preview URLs. It is OFF by default—enable it if needed.

= 1.1.1 =
Compliance and stability update. Please update to keep compatibility with the latest WordPress and to benefit from improved diagnostics.
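
The 1.3.0 changelog entries describe a REST route allowlist applied through the `rest_endpoints` filter: only registered routes are kept, regex routes are left intact, `/` is always allowed, and custom prefixes are normalized. The sketch below is an added example, not GhostGate's code; the `example_*` function names, the option keys and the sample routes are hypothetical.

```php
<?php
// Added example, not GhostGate's code; names, option keys and sample data are hypothetical.

// Normalize a custom prefix: force one leading slash, collapse duplicate slashes.
function example_normalize_prefix(string $prefix): string {
    $prefix = preg_replace('#/+#', '/', '/' . trim($prefix));
    return $prefix === '/' ? '/' : rtrim($prefix, '/');
}

// Walk the registered routes and keep those that are allowed, so an allowlist
// entry that is not actually registered can never appear in the result.
function example_filter_rest_endpoints(array $endpoints, array $routes, array $prefixes): array {
    $prefixes = array_map('example_normalize_prefix', $prefixes);
    $kept = [];
    foreach ($endpoints as $route => $handlers) {
        // Route keys are compared as plain strings: regex routes are never evaluated or rewritten.
        $allowed = ($route === '/') || in_array($route, $routes, true);
        foreach ($prefixes as $p) {
            // A bare "/" prefix would allow everything, so it is ignored. Matching on a
            // path boundary keeps "/wp/v2" from also allowing "/wp/v20".
            if ($p !== '/' && ($route === $p || strpos($route, $p . '/') === 0)) {
                $allowed = true;
                break;
            }
        }
        if ($allowed) {
            $kept[$route] = $handlers;
        }
    }
    return $kept;
}

if (function_exists('add_filter')) {
    // Inside WordPress: run late so routes registered by other plugins are already present.
    add_filter('rest_endpoints', function ($endpoints) {
        $routes   = (array) get_option('example_allowed_routes', []);
        $prefixes = (array) get_option('example_allowed_prefixes', []);
        return example_filter_rest_endpoints($endpoints, $routes, $prefixes);
    }, 999);
} else {
    // Outside WordPress: constructed sample of registered routes for a dry run.
    $registered = [
        '/' => [], '/wp/v2/users' => [], '/wp/v2/posts' => [],
        '/wp/v2/posts/(?P<id>[\d]+)' => [], '/example/v1/notify/(?P<token>[^/]+)' => [],
    ];
    $allow = ['/example/v1/notify/(?P<token>[^/]+)', '/not/registered'];
    print_r(array_keys(example_filter_rest_endpoints($registered, $allow, ['wp//v2/posts/'])));
}
```

In the dry run, `/wp/v2/users` is dropped, which is the route most often used for user enumeration; the unregistered allowlist entry has no effect.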