Description
MyFast Login Guard provides two things hosting clients actually need:
Login protection
- Rename your login page to a custom URL — direct access to /wp-login.php returns a 404
- Limit login attempts — lock out an IP after a configurable number of failures
- Configurable lockout duration (default: 5 attempts, 30-minute lockout)
- IP whitelist — your own IPs are never locked out
- Optional email notification when a lockout is triggered
- Manual unlock from the Lockout Log page
Server information and error log
- Full PHP environment: version, memory, OPcache, extensions, disabled functions, error log path
- WordPress environment: version, debug flags, memory limits, active plugin count
- Server details: software, IP, document root, HTTPS status, OS
- Database: MySQL/MariaDB version, database size
- Disk usage: total, used, free
- Scheduled cron events with overdue detection
- Error log viewer: reads WordPress debug.log (or PHP error log), filterable by Fatal / Warning / Notice, with one-click clear
Design principles
- No external API calls
- No cronjobs
- No .htaccess rewriting
- No front-end database queries
- Assets load only on the plugin’s own admin pages
Installation
- Upload the
myfast-login-guardfolder to/wp-content/plugins/ - Activate the plugin through the Plugins screen in WordPress
- Go to MyFast Login Guard in the admin menu to configure
FAQ
-
Will renaming my login page break anything?
-
No. WordPress internal redirects (logout, password reset, registration) continue to work. Only direct access to /wp-login.php returns a 404 for logged-out visitors.
-
What happens if I forget my custom login slug?
-
You have two options:
- Visit /wp-admin/ — WordPress will redirect you to the login page at the correct URL.
- Add
define( 'MFLG_DISABLE_LOGIN_SLUG', true );to your wp-config.php to temporarily restore /wp-login.php access without deactivating the plugin.
-
What happens if I lock myself out?
-
Add your IP address to the Whitelist IPs field in Settings. If you are already locked out, connect via FTP/SSH, open wp-config.php, and add:
define( ‘MFLG_DISABLE_LOGIN_SLUG’, true );
Then log in normally, unlock your IP from the Lockout Log page, and remove the constant. -
Does this replace a firewall or security plugin?
-
No. It is a lightweight complement — it stops brute-force login attempts and gives you visibility into your server environment. It does not scan files, block requests at the firewall level, or monitor for malware.
-
How are IP addresses detected?
-
The plugin uses
REMOTE_ADDR(the actual TCP connection IP) as the primary source. If the site is behind Cloudflare, theCF-Connecting-IPheader is trusted only when the connection originates from a verified Cloudflare IP range. Forwarded headers such asX-Forwarded-Forthat can be spoofed by clients are intentionally ignored. -
Is the lockout data cleaned up on uninstall?
-
Yes. Uninstalling the plugin removes all plugin settings and lockout records from
wp_options.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“MyFast Login Guard – Login Protection & Server Info” is open source software. The following people have contributed to this plugin.
Contributors
Translate “MyFast Login Guard – Login Protection & Server Info” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.3.6
- Renamed: Plugin renamed to MyFast Login Guard & Server Info with new slug myfast-login-guard and mflg_ prefix throughout.
- Fixed: All CSS class names updated from lssi- to mflg- prefix for uniqueness compliance.
- Fixed: Inline block removed from lockout log page — now uses enqueued lockouts.js.
- Fixed: Removed unused lockouts database table — lockout data stored cleanly in wp_options.
- Fixed: Activation/deactivation hooks converted from anonymous closures to named functions.
- Fixed: Transient cleanup queries now use $wpdb->prepare() for full PHPCS compliance.
- Fixed: Cloudflare cache purge hook removed entirely per WP.org reviewer requirement.
- Fixed: wp_cache_delete() added before wp_localize_script() to guarantee fresh settings on page load.
- Fixed: Login slug reserved-word validation added client-side with clear error message.
- Fixed: Emergency escape hatch constant renamed to MFLG_DISABLE_LOGIN_SLUG.
- Improved: Error log path detection now checks ini_get(‘error_log’) as first candidate.
- Improved: Server info table stacks label above value on mobile instead of horizontal scroll.
- Improved: Export for Support button min-height corrected on mobile.
1.3.1
- Fixed: Text domain reverted to login-shield-server-info to match plugin folder name (Plugin Check compliance).
- Fixed: Removed discouraged load_plugin_textdomain() call (auto-loaded by WordPress.org since WP 4.6).
- Fixed: Replaced fopen/fclose with WP_Filesystem in error-log.php and server-info.php.
- Fixed: Replaced parse_url() with wp_parse_url() in login-protect.php.
- Fixed: Added wp_unslash() to all $_SERVER reads in server-info.php.
- Fixed: Unescaped output — $status_label now uses wp_kses(), $icon uses wp_kses(), min() wrapped in esc_attr().
- Fixed: Ordered placeholders (%1$d, %2$s) and added translators comments in server-info.php and login-protect.php.
- Fixed: Added phpcs:ignore with justification for third-party hook names, read-only GET params, and socket fclose.
- Fixed: uninstall.php table variable renamed with lssi_ prefix.
- Fixed: Upgrade notices trimmed to under 300 characters.
1.3.0
- Updated text domain from login-shield-server-info to fastshield-security to match the approved WordPress.org plugin slug.
1.2.9
- Fixed: Updated “Tested up to” to WordPress 6.9.
1.2.8
- Fixed: Removed duplicate Plugin URI (was identical to Author URI) per WordPress.org submission requirements.
1.2.7
- Renamed plugin to MyFast Login Guard – Login Protection & Server Info to comply with WordPress.org naming guidelines.
1.2.6
- Security: Validate error log tab parameter against known tab whitelist before use in URL output (was sanitize_key only).
- Code quality: Added phpcs ignore with full justification comment for shell_exec inode check — path escaped via escapeshellarg(), output parsed as integers only.
1.2.5
- Fixed: Missing return statements after wp_send_json_error() in AJAX handlers — code after the error response could execute.
- Fixed: Uninstall now also removes the lssi_lockouts option from wp_options (previously only the DB table was dropped).
- Fixed: Removed dead lssi_utilities_page() function — the page was unreachable with no menu entry.
- Fixed: Removed wp-components from script dependencies (only wp-element is actually used).
1.2.4
- Fixed: Removed the Utilities submenu page which was causing 404 errors on some hosts. The AJAX cache clear remains available in Settings. Any bookmarked lssi-utilities URLs now redirect cleanly to Settings.
1.2.3
- Security: Rewrote IP detection to use REMOTE_ADDR as ground truth; CF-Connecting-IP is now only trusted when REMOTE_ADDR is a verified Cloudflare edge IP. X-Forwarded-For and X-Real-IP removed to prevent spoofing.
- Code quality: Moved login-page CSS from inline output to enqueued assets/css/login.css per WordPress coding standards.
- Usability: Added MFLG_DISABLE_LOGIN_SLUG constant as an emergency escape hatch for locked-out administrators.
- Docs: Expanded readme.txt FAQ with lockout recovery instructions and IP detection explanation.
1.2.2
- Mobile: Lockout log table now stacks as labelled cards on small screens.
- Mobile: Custom login slug and lockout email inputs stack full-width on mobile.
- Error log: Tabs moved inside the log card for discoverability on both mobile and desktop.
1.2.1
- Fixed: wp_login_failed hook signature made compatible with WordPress < 5.4.
- Fixed: authenticate filter now only runs on POST submissions, not every page load.
- Added: Attempts-remaining counter shown on the login page after a failed attempt.
1.2.0
- Added brute-force lockout engine: tracks failed attempts per IP, locks out after configurable threshold, sends email notification, auto-expires lockouts.
- Added Unlock and Clear All buttons to Lockout Log page.
1.1.9
- Fixed asset paths, admin menu parent slug, activation hook, and lssi_get() signature.
1.0.0
- Initial release.