Title: Gatewarden
Author: Tudor Constantin
Published: <strong>July 15, 2026</strong>
Last modified: July 15, 2026

---

Search plugins

![](https://ps.w.org/gatewarden/assets/banner-772x250.jpg?rev=3609002)

![](https://ps.w.org/gatewarden/assets/icon-256x256.jpg?rev=3609002)

# Gatewarden

 By [Tudor Constantin](https://profiles.wordpress.org/tud0r/)

[Download](https://downloads.wordpress.org/plugin/gatewarden.1.0.0.zip)

 * [Details](https://wordpress.org/plugins/gatewarden/#description)
 * [Reviews](https://wordpress.org/plugins/gatewarden/#reviews)
 *  [Installation](https://wordpress.org/plugins/gatewarden/#installation)
 * [Development](https://wordpress.org/plugins/gatewarden/#developers)

 [Support](https://wordpress.org/support/plugin/gatewarden/)

## Description

Gatewarden provides a modular security and mail-delivery layer for WordPress and
WooCommerce. The interface and source strings are written in English and are translation-
ready through the `gatewarden` text domain.

All public protection, integration, privacy, event-logging, notification, SMTP, 
and uninstall-cleanup modules are disabled by default. Administrators enable only
the features required by the site.

#### CAPTCHA providers

 * Google reCAPTCHA v2.
 * Google reCAPTCHA v3.
 * Cloudflare Turnstile.

#### WordPress protection

 * Login.
 * Registration.
 * Lost password.
 * Password reset.
 * Comments.

#### WooCommerce protection

 * My Account login and registration.
 * Lost-password and reset-password forms.
 * Checkout login.
 * Account creation during classic checkout.
 * Account creation during Checkout Block checkout.

#### Security, observability, and email features

 * Configurable failed-login limits by IP address, username, or IP address and username.
 * Progressive lockout durations with a configurable multiplier and maximum duration.
 * Optional neutral account messages for login, registration, and password-recovery
   flows.
 * One indexed audit stream with focused Authentication, CAPTCHA, Account activity,
   and Email views.
 * Searchable, filterable, sortable, paginated, clearable, and CSV-exportable activity
   logs.
 * WordPress-native list tables with Screen Options for visible columns and rows
   per page.
 * Human-readable event details instead of raw JSON in the administration interface
   and CSV exports.
 * A Gatewarden dashboard with login, lockout, CAPTCHA, email, provider, integration,
   and recent-event metrics.
 * A compact WordPress Dashboard widget for administrators.
 * Optional email alerts for selected lockouts, logins, registrations, password 
   events, CAPTCHA service errors, and SMTP failures.
 * Configurable alert recipients, successful-login scope, minimum lockout duration,
   and duplicate-alert cooldown.
 * Optional approximate IP location from server headers or an explicit IPWHOIS.io
   lookup.
 * Optional standard SMTP delivery with sender, host, port, encryption, authentication,
   timeout, certificate verification, protected credentials, and a test tool.
 * Credential-redacted SMTP diagnostics that classify DNS, connection, timeout, 
   TLS, authentication, relay, sender, recipient, and message-policy failures.
 * SMTP outcome logging that excludes message bodies, attachments, passwords, and
   complete recipient addresses.
 * Configurable log retention and optional data removal on uninstall.
 * Secret-key and SMTP-password controls that never render a stored secret in administration
   HTML.
 * Responsive CAPTCHA wrappers for WordPress and WooCommerce forms.

Gatewarden stores security events and lockout state in site-prefixed custom database
tables created through the WordPress database API. Records can include IP addresses
and submitted usernames. Configure event logging, alerting, and retention according
to the site’s privacy and operational requirements.

To disable public Gatewarden protection during an emergency, add this to `wp-config.
php`:

    ```
    define( 'GATEWARDEN_DISABLE', true );
    ```

Administrators with the `manage_options` capability see a warning while the emergency
bypass is active.

The default allowed CAPTCHA verification hostname is taken from `home_url()`. Additional
explicit hostnames can be supplied through the `gatewarden_allowed_hostnames` filter.

### External services

Gatewarden connects to an external service only after the relevant feature is explicitly
configured and enabled by an administrator.

#### Google reCAPTCHA

When Google reCAPTCHA v2 or v3 is selected, Gatewarden loads Google’s reCAPTCHA 
JavaScript from `www.google.com` on protected forms and sends the generated response
token and configured secret key to Google’s verification endpoint. Gatewarden does
not include the visitor’s IP address in the server-side verification request. Google’s
client-side service may process browser and device data under Google’s terms.

 * Service: https://www.google.com/recaptcha/about/
 * Privacy policy: https://policies.google.com/privacy
 * Terms: https://policies.google.com/terms

#### Cloudflare Turnstile

When Cloudflare Turnstile is selected, Gatewarden loads the Turnstile JavaScript
from `challenges.cloudflare.com` on protected forms and sends the generated response
token and configured secret key to Cloudflare’s verification endpoint. Gatewarden
does not include the visitor’s IP address in the server-side verification request.
Cloudflare’s client-side service may process browser and device data under Cloudflare’s
policies.

 * Service: https://www.cloudflare.com/products/turnstile/
 * Privacy policy: https://www.cloudflare.com/privacypolicy/
 * Terms: https://www.cloudflare.com/website-terms/

#### Administrator-configured SMTP server

When SMTP is enabled, WordPress sends outgoing message content, recipient addresses,
and sender details to the SMTP server configured by the administrator. The server
may be operated by any provider selected by the site owner. Gatewarden stores the
configured SMTP password in the WordPress options table, never renders the stored
password in administration HTML, and supplies it only to the configured host during
SMTP authentication. Review the selected provider’s privacy policy and terms before
enabling SMTP.

#### IPWHOIS.io

Approximate location is disabled by default. When an administrator enables location
in security notifications and explicitly selects IPWHOIS.io, Gatewarden sends the
event IP address to `ipwho.is` and requests country, region, and city data. The 
result is cached on the WordPress site for 24 hours. Server-header location mode
does not make this external request.

 * Service and documentation: https://ipwhois.io/documentation
 * Privacy policy: https://ipwhois.io/privacy
 * Terms: https://ipwhois.io/terms

## Installation

 1. Upload the `gatewarden` directory to `/wp-content/plugins/`, or install the ZIP
    from Plugins > Add New Plugin > Upload Plugin.
 2. Activate Gatewarden.
 3. Open the top-level Gatewarden menu.
 4. Enable and configure only the required modules. No public protection is active 
    until it is explicitly enabled.

## FAQ

### Is any protection enabled immediately after activation?

No. CAPTCHA protection, protected forms, login limits, WooCommerce integration, 
generic account messages, event logging, notifications, SMTP, and uninstall cleanup
are disabled by default.

### Can login limits run without CAPTCHA?

Yes. Login limits have their own activation control and do not require a configured
CAPTCHA provider.

### What do generic account messages change?

When enabled, Gatewarden replaces account-specific login and registration errors
with neutral messages. Password-recovery requests for known and unknown accounts
use the same public confirmation message, while an email is sent only for a real
account. CAPTCHA and lockout errors remain authoritative.

### Why does Gatewarden keep one log table instead of one table per subsystem?

Authentication, CAPTCHA, account, and email events share the same retention, export,
search, and dashboard requirements. One append-only, indexed audit schema avoids
duplicated maintenance logic and supports cross-category investigation. The administration
screen separates the data into native category views so unrelated records do not
have to be displayed together.

### What SMTP information is stored in logs?

When event logging and SMTP are enabled, Gatewarden records whether the WordPress
mail transaction was accepted or failed, the SMTP host, port, encryption mode, recipient
count, recipient domains, attachment count, and a sanitized failure reason. It does
not store email bodies, attachment contents or paths, SMTP credentials, or complete
recipient addresses.

### Where can I see the exact SMTP test failure?

After a test, Gatewarden displays the latest result for the current administrator
on the SMTP tab for seven days. The report includes the exact sanitized mail error,
an actionable classification, connection settings, elapsed time, and a bounded SMTP
transcript with credentials and AUTH payloads redacted. It does not depend on `debug.
log`.

### Does a successful SMTP test guarantee inbox delivery?

No. A successful result means the WordPress mail transport accepted the message.
Final delivery can still be affected by provider policy, spam filtering, DNS authentication,
mailbox rules, or downstream delivery failures. Review the provider delivery logs
when a message is accepted but does not arrive.

### Can notifications create an email loop when SMTP is broken?

No. Notification delivery failures are recorded as email events when logging is 
enabled, but they do not trigger another SMTP-failure notification. Potentially 
noisy alert types also support a configurable cooldown.

### Does the emergency bypass disable login limits too?

Yes. When `GATEWARDEN_DISABLE` is strictly `true`, public CAPTCHA checks and login
lockouts are bypassed. Administrative configuration and previously stored event 
visibility remain available.

### Are stored secret keys or SMTP passwords rendered in the settings page?

No. Existing values are never included in the HTML. They can be retained, explicitly
replaced, or deleted.

### What happens to data on uninstall?

By default, settings and security tables are retained. Enable the uninstall data-
removal option in Gatewarden > Settings to remove the site’s settings, tables, list
preferences, and recent SMTP diagnostic metadata when the plugin is uninstalled.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Gatewarden” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ Tudor Constantin ](https://profiles.wordpress.org/tud0r/)

[Translate “Gatewarden” into your language.](https://translate.wordpress.org/projects/wp-plugins/gatewarden)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/gatewarden/), check
out the [SVN repository](https://plugins.svn.wordpress.org/gatewarden/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/gatewarden/) by 
[RSS](https://plugins.trac.wordpress.org/log/gatewarden/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial public release.
 * Production-ready, WordPress-native administration UI with responsive navigation,
   full-width controls, consistent Dashicon statuses, accessible focus states, Screen
   Options support, and tablet/mobile list-table presentation.
 * CAPTCHA protection with Google reCAPTCHA v2, Google reCAPTCHA v3, and Cloudflare
   Turnstile for supported WordPress and WooCommerce forms.
 * Progressive login limits by IP address, username, or both, including configurable
   lockout escalation and active-lockout management.
 * Categorized security activity logs with search, filters, sorting, pagination,
   Screen Options, CSV export, and retention controls.
 * Security metrics in the Gatewarden dashboard and a compact WordPress Dashboard
   widget.
 * Optional generic account messages that reduce account-enumeration information
   in login, registration, and password-recovery flows.
 * Optional SMTP delivery with protected credentials, connection testing, actionable
   diagnostics, and mail outcome logging.
 * Configurable email notifications for selected authentication, lockout, account,
   CAPTCHA, and SMTP events.
 * Privacy guidance, translation support, accessible administration controls, WooCommerce
   integration, and optional uninstall cleanup.
 * CAPTCHA protection, login limits, logging, notifications, SMTP, integrations,
   and data removal remain disabled until explicitly enabled by an administrator.

## Meta

 *  Version **1.0.0**
 *  Last updated **14 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.5 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 8.0 or higher **
 * Tags
 * [captcha](https://wordpress.org/plugins/tags/captcha/)[login security](https://wordpress.org/plugins/tags/login-security/)
   [security](https://wordpress.org/plugins/tags/security/)[smtp](https://wordpress.org/plugins/tags/smtp/)
   [woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
 *  [Advanced View](https://wordpress.org/plugins/gatewarden/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/gatewarden/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/gatewarden/reviews/)

## Contributors

 *   [ Tudor Constantin ](https://profiles.wordpress.org/tud0r/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/gatewarden/)