Title: FPX Security Guard
Author: mamuniu06
Published: <strong>July 12, 2026</strong>
Last modified: July 12, 2026

---

Search plugins

![](https://s.w.org/plugins/geopattern-icon/fpx-security-guard.svg)

# FPX Security Guard

 By [mamuniu06](https://profiles.wordpress.org/mamuniu06/)

[Download](https://downloads.wordpress.org/plugin/fpx-security-guard.1.0.0.zip)

 * [Details](https://wordpress.org/plugins/fpx-security-guard/#description)
 * [Reviews](https://wordpress.org/plugins/fpx-security-guard/#reviews)
 *  [Installation](https://wordpress.org/plugins/fpx-security-guard/#installation)
 * [Development](https://wordpress.org/plugins/fpx-security-guard/#developers)

 [Support](https://wordpress.org/support/plugin/fpx-security-guard/)

## Description

FPX Security Guard protects your WordPress site with:

 * **Two-Factor Authentication (2FA)** — Standard TOTP support (Google Authenticator,
   Authy, Microsoft Authenticator, 1Password). Users enable it individually from
   their Profile page with QR-code setup, and receive 10 one-time recovery codes.
   Works fully offline — no external service or email required.
 * **Login Protection** — Limits failed login attempts per IP with configurable 
   lockout duration, generic error messages (no username/password hints), and a 
   hidden honeypot field that silently blocks bots.
 * **Firewall & Headers** — Sends modern security headers (X-Frame-Options, nosniff,
   Referrer-Policy, Permissions-Policy, HSTS on HTTPS) and blocks requests containing
   common SQL injection / XSS / path traversal patterns.
 * **Hide WordPress Info** — Removes the WP version from meta tags and asset URLs,
   blocks ?author=N user enumeration scans, and hides the public REST API users 
   endpoint.
 * **Hardening** — Disables XML-RPC (a common brute-force vector) and the built-
   in theme/plugin file editor.

**Want more?** [FPX Security Guard Pro](https://wp.freepdftxt.com/) adds daily File
Change Detection with malware-injection alerts — a background scanning service, 
hosted and sold separately from this free plugin.

All features can be toggled individually from Settings  FPX Security Guard. A lockout
log shows the last 20 blocked login attempts.

### External Services

This plugin’s optional **Country Block** feature (disabled by default) uses the 
free geo-location service ip-api.com to determine the country of a visitor’s IP 
address.

 * **What is sent:** Only the visitor’s IP address is sent to ip-api.com, and only
   when the Country Block feature is manually enabled by the site administrator 
   and a visitor’s country is not already cached.
 * **When:** On the first request from a given IP; the result is cached locally 
   for 24 hours, so repeat visitors trigger no external calls.
 * **No other data** (no personal info, no site data) is ever transmitted.

Service provider: ip-api.com — Terms: https://ip-api.com/docs/legal — Privacy: https://
ip-api.com/docs/legal

If the Country Block feature is disabled (the default), the plugin makes no external
requests whatsoever.

#### Does rate limiting slow down my site?

Rate limiting tracks each visitor’s request count using WordPress’s core Transients
API. If your host has a persistent object cache (Redis/Memcached), this data is 
stored there with no database writes at all. Without one, it falls back to the options
table like any request-level counter — the tracked data expires within seconds, 
so it never accumulates.

## Installation

 1. Upload the `fpx-security-guard` folder to `/wp-content/plugins/`, or upload the
    zip via Plugins  Add New  Upload Plugin.
 2. Activate the plugin through the Plugins menu.
 3. Configure options under Settings  FPX Security Guard.

## FAQ

### I’m locked out of two-factor authentication. How do I get back in?

There are three rescue paths, in order of ease:

 1. **Recovery codes** — enter one of your saved one-time recovery codes in the Authentication
    Code field on the login screen.
 2. **Ask an administrator** — any admin can open Users  your profile and reset your
    2FA with one click. You can then log in with just your password and set 2FA up 
    again.
 3. **Server access (site owners)** — add this line to your wp-config.php file: `define('
    FPXSG_DISABLE_2FA', true );` — this temporarily bypasses 2FA for all logins. Log
    in, reset your 2FA from your profile, then REMOVE the line again. Because it requires
    file access, only someone who controls the server can use it.

### Will this conflict with other security plugins?

Avoid running multiple firewall/login-limit plugins at once — features may overlap.

### I use Jetpack or a mobile app to publish.

Disable the “Disable XML-RPC” option in settings.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“FPX Security Guard” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ mamuniu06 ](https://profiles.wordpress.org/mamuniu06/)

[Translate “FPX Security Guard” into your language.](https://translate.wordpress.org/projects/wp-plugins/fpx-security-guard)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/fpx-security-guard/),
check out the [SVN repository](https://plugins.svn.wordpress.org/fpx-security-guard/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/fpx-security-guard/)
by [RSS](https://plugins.trac.wordpress.org/log/fpx-security-guard/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release.
 * Login protection: per-IP attempt limits, lockouts, honeypot, generic error messages.
 * Two-Factor Authentication (TOTP): QR-code setup, recovery codes, low-code warnings,
   works offline.
 * DDoS/flood protection via per-IP rate limiting.
 * Firewall: malicious query blocking and modern security headers.
 * Country blocking (optional, via ip-api.com with local caching).
 * Comment spam protection: honeypot and link limits.
 * Hardening: XML-RPC off, file editor off, version hiding, user-enumeration blocking.
 * Bundled QRCode.js by davidshimjs (MIT license, GPL-compatible) for local QR rendering.

## Meta

 *  Version **1.0.0**
 *  Last updated **13 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.8 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [Brute Force](https://wordpress.org/plugins/tags/brute-force/)[firewall](https://wordpress.org/plugins/tags/firewall/)
   [hardening](https://wordpress.org/plugins/tags/hardening/)[login protection](https://wordpress.org/plugins/tags/login-protection/)
   [security](https://wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://wordpress.org/plugins/fpx-security-guard/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/fpx-security-guard/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/fpx-security-guard/reviews/)

## Contributors

 *   [ mamuniu06 ](https://profiles.wordpress.org/mamuniu06/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/fpx-security-guard/)