Description
ZA Creative Login Shield is a comprehensive security plugin that protects your WordPress site against brute force attacks, unauthorized access, and credential stuffing. It provides multiple layers of defense with an intuitive dashboard.
Key Features
- Two-Factor Authentication (2FA) – Email OTP and Google Authenticator (TOTP) support with per-role enforcement.
- Login Rate Limiting – Automatically block IPs after configurable failed attempts with adjustable lockout duration.
- IP Blocking & Whitelist – Manual and automatic IP blocking with dedicated whitelist management and Cloudflare IP range import.
- Custom Login URL – Hide wp-admin and wp-login behind a custom slug to block automated attacks.
- Security Dashboard – Weighted security score (100 pts), 14-day stacked bar analytics, recommendations engine, and quick actions.
- Password Policy – Enforce minimum length, uppercase, lowercase, digits, and special characters.
- Session Management – Track active sessions with idle timeout enforcement.
- Device Fingerprinting – Detect and track known devices with alerts for new device logins.
- Emergency Lockdown – One-click full site lockdown with IP whitelist override.
- Country Intelligence – GeoIP lookup via ip-api.com to display country codes on login attempts and blocked IPs.
- Audit Trail – Complete action log for security events (settings changes, blocks, lockdown, reports).
- Scheduled Reports – Daily, weekly, or monthly email security summaries.
- Setup Wizard – Guided 5-step onboarding to configure core protections quickly.
- Dashboard Widgets – At-a-glance security score and recent activity on the WordPress admin dashboard.
- CSV Export – Export login attempt logs for external analysis.
Integrations
- Cloudflare – One-click import of Cloudflare IP ranges to restore real visitor IPs.
- ip-api.com – Free GeoIP country lookup (no API key required).
Privacy
This plugin stores the following information:
- Login attempt records
- IP addresses
- Device fingerprint identifiers (opt-in, disabled by default)
- Audit trail events
- Two-factor authentication status
All data is stored locally inside the WordPress database.
Country information may be retrieved via ip-api.com if GeoIP is enabled (opt-in, disabled by default). Cloudflare API requests (manual admin action) send no visitor data.
Site administrators are responsible for complying with local privacy laws.
Full data removal on uninstall (all database tables and options cleaned up).
External Services
This plugin uses the following external services:
Cloudflare API
- Purpose: Fetch Cloudflare IP ranges for restoring real visitor IPs behind Cloudflare proxy.
- Data Sent: None beyond the standard HTTP request to api.cloudflare.com.
- Trigger: Manual admin action (button click on settings page).
- Privacy Policy: https://www.cloudflare.com/privacypolicy/
- Terms of Service: https://www.cloudflare.com/website-terms/
ip-api.com
- Purpose: GeoIP country code lookup for login attempts and blocked IPs.
- Data Sent: Visitor IP address.
- Trigger: Any login attempt when GeoIP is enabled in settings (opt-in, disabled by default).
- Terms of Service: https://ip-api.com/docs/legal
- Privacy Policy: https://ip-api.com/docs/legal
Screenshots
Installation
- Upload the
za-creative-login-shieldfolder to the/wp-content/plugins/directory, or install directly through the WordPress plugin installer. - Activate the plugin through the ‘Plugins’ screen.
- Navigate to ZA Creative Login Shield in your WordPress admin sidebar to access the setup wizard and dashboard.
- Follow the 5-step setup wizard to configure your security settings, or configure each feature individually under ZA Creative Login Shield.
Minimum Requirements
- WordPress 5.8 or higher.
- PHP 7.4 or higher.
FAQ
-
Will this work with any WordPress theme?
-
Yes. ZA Creative Login Shield works with any WordPress theme. It does not modify theme templates and operates entirely through WordPress hooks and filters.
-
Does it conflict with other security plugins?
-
It is designed to complement other security measures like hosting-level firewalls. However, running multiple login protection plugins simultaneously may cause unexpected behavior. We recommend using ZA Creative as your primary login security solution.
-
Does it work with caching plugins?
-
Yes. The plugin respects WordPress hooks correctly and works with all major caching and CDN solutions.
-
How does the 2FA work?
-
Users can choose between Email OTP (one-time password sent via email) or Google Authenticator (TOTP via the Google Authenticator app). Each user can enable 2FA from their profile page, and administrators can enforce 2FA for specific user roles.
-
How does the custom login URL work?
-
The plugin creates a custom login page at a URL you define (default:
/be-login/). When enabled, the standard/wp-login.phpand/wp-admin/(for non-logged-in users) are blocked, effectively hiding your login page from automated bots. -
Does the plugin collect user data?
-
The plugin stores only security-related data (login attempts, IP addresses, session tokens, device fingerprints) in your WordPress database. No visitor data is sent to external services except optional GeoIP lookups via ip-api.com (when an IP is logged). An admin-initiated Cloudflare IP range fetch contacts api.cloudflare.com but sends no visitor data. GeoIP data is cached for 7 days and does not require an API key.
-
Can I delete all plugin data?
-
Yes. When you uninstall the plugin via WordPress, all database tables and options are automatically removed. This includes login logs, blocked IPs, 2FA status, sessions, device fingerprints, lockdown settings, and audit trail entries.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“ZA Creative Login Shield” is open source software. The following people have contributed to this plugin.
Contributors
Translate “ZA Creative Login Shield” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
4.0.3
- Removed Author URI and Plugin URI (timeout issues).
- Updated stable version to 4.0.3.
- Removed WooCommerce requires/tested headers.
- Fixed broken UTF-8 characters in readme.txt.
- Added Privacy section to readme.txt.
- Added esc_sql() to uninstall DROP TABLE queries.
- Database migration now detects missing columns on MySQL 5.7.
- Column-existence checks added to login recording methods.
4.0.2
- Complete plugin rename to ZA Creative Login Shield with new slug and text domain.
- Moved admin menu to Settings > ZA Creative Login Shield via add_options_page().
- Replaced wp_hash() with hash(‘sha256’) for device fingerprinting per security best practices.
- Hashed IP addresses in transient and cache keys to prevent database pollution.
- Removed all auth secret/salt usage from device tracking.
- Added External Services section to readme.txt documenting Cloudflare API and ip-api.com.
- Updated contributor information.
- Removed bundled screenshot and banner assets per WordPress.org guidelines.
- Full security review: sanitization, nonces, capabilities, escaping verified.
- Compliance with WordPress Plugin Directory Guidelines and Plugin Check requirements.
3.0.0
- Added audit trail with action filtering and clear functionality.
- Added country intelligence via ip-api.com GeoIP lookup.
- Added scheduled email security reports (daily/weekly/monthly).
2.9.0
- Added 5-step guided setup wizard replacing the old onboarding.
- Added WordPress Dashboard widgets (security score + recent activity).
- Added successful login recording to analytics chart.
2.1.0
- Added security score recommendations engine.
- Added dedicated IP whitelist management subpage.
1.9.0
- Added Cloudflare IP range import via AJAX.
- Redesigned dashboard with weighted score, 14-day chart, and quick action grid.
- Enhanced setup wizard with step indicators and AJAX step-saving.
1.0.0
- Initial release with 2FA (Email OTP + TOTP), login rate limiting, IP blocking, custom login URL, security dashboard, password policy, session management, device fingerprinting, emergency lockdown, and CSV export.