Title: Ghostables Defender Lite
Author: ghostables
Published: June 23, 2026
Last modified: June 23, 2026

---


# Ghostables Defender Lite

By [ghostables](https://profiles.wordpress.org/ghostables/)

[Download](https://downloads.wordpress.org/plugin/ghostables-defender-lite.0.1.6.zip)

[Support](https://wordpress.org/support/plugin/ghostables-defender-lite/)

## Description

**Ghostables Defender Lite** is a free, fully functional security plugin for WordPress.
Nothing in it is locked, limited, or gated behind a licence — every feature below
works out of the box:

 * Continuous vulnerability scanning against installed plugins, themes, and WordPress
   core
 * Cryptographic file integrity baseline with daily drift detection
 * WordPress hardening checklist with one-click safe fixes
 * Per-user TOTP two-factor authentication (Google Authenticator, Authy, 1Password)
 * Tamper-evident audit log — events are linked together so any deletion is detectable,
   with a free, user-configurable retention period
 * Operator gate — a PIN above WordPress admin so a compromised super-admin cannot
   silently disable the plugin

Built by [Ghostables Ltd](https://ghostables.io). Opinionated about defaults. Honest
about what each setting actually does.

#### Is anything locked or limited?

No. Defender Lite is free and complete — no nag screens, no crippled features, no
trial period, no usage quota. The audit-log retention period is a setting you control
(default 90 days; set it to keep everything forever). Every feature listed above
is the real thing.

#### Is there a more advanced version?

Yes — **Ghostables Defender** is a separate, more advanced plugin distributed from
[ghostables.io](https://ghostables.io). It is not part of this plugin and is not
required to use Defender Lite. It adds capabilities such as a behavioural firewall,
malware quarantine, Cloudflare edge sync, webhook alerts, encrypted backups, and
more. The “More Security” page inside Defender Lite lists what it adds, purely for
information.

#### Coexistence with the separate plugin

If you install the separate Ghostables Defender plugin, Defender Lite steps aside
automatically so the two don’t run side by side. Your settings (Operator PIN, hardening
fixes, baseline, audit chain) are preserved across the handover. Defender Lite remains
free and fully functional whether or not you ever install it.

### External services

This plugin connects to one external service: the public WordPress Vulnerability
Database operated by the WPVulnerability project at `https://www.wpvulnerability.net/`.

 * **What is sent:** an HTTP GET request to `https://www.wpvulnerability.net/plugin/{slug}/`,
   `https://www.wpvulnerability.net/theme/{slug}/`, or `https://www.wpvulnerability.net/core/{wp-version}/`
   — one URL per installed component being checked. The request body is empty. The
   only request headers are `Accept: application/json` and a User-Agent of the form
   `GhostablesDefenderLite/<plugin version>`. No site URL, no admin email, no IP-derived
   identifier — only the slug of the component being queried and the User-Agent itself.
 * **What is received:** a JSON record listing publicly disclosed vulnerabilities
   affecting that single component, with affected version ranges and severity scores.
   The plugin compares this against the locally-installed version and stores any
   open findings in the plugin’s own database table.
 * **When it is sent:** at most once per installed component per 24 hours. Each 
   per-slug response is cached locally in a WordPress transient, so the twice-daily
   scan cron only triggers fresh HTTP requests when the cache has expired.
 * **Service provider:** The WPVulnerability Project (operated by ROBOTSTXT and 
   contributors). Service licence (EUPL v1.2, GPL-compatible): [https://www.wpvulnerability.com/license/](https://www.wpvulnerability.com/license/).
   Privacy policy: [https://www.wpvulnerability.com/privacy/](https://www.wpvulnerability.com/privacy/).
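The request shape and the 24-hour per-slug cache described above, as an added example written for this page (it is not the plugin's code). It builds the lookup URL and the two request headers, compares an installed version against a vulnerability record with PHP's `version_compare()`, and stands in an in-memory array for the WordPress transient. The record layout (`vulnerabilities`, `affected`, `from`, `to`) and every `gdef_example_*` name are constructed assumptions of this example, not the WPVulnerability schema, which this page does not show.

```php
<?php
// Added example, not the plugin's own code. Assumed names are prefixed gdef_example_.
declare(strict_types=1);

const GDEF_EXAMPLE_BASE    = 'https://www.wpvulnerability.net/';
const GDEF_EXAMPLE_VERSION = '0.1.6'; // plugin version, used only in the User-Agent

// One URL per component: plugin/{slug}/, theme/{slug}/ or core/{wp-version}/.
function gdef_example_lookup_url(string $type, string $component): string {
    if (!in_array($type, ['plugin', 'theme', 'core'], true)) {
        throw new InvalidArgumentException("unknown component type: $type");
    }
    // rawurlencode() so an odd slug cannot alter the path structure of the request
    return GDEF_EXAMPLE_BASE . $type . '/' . rawurlencode($component) . '/';
}

// The only two request headers the disclosure lists; the body is empty.
function gdef_example_request_headers(): array {
    return [
        'Accept'     => 'application/json',
        'User-Agent' => 'GhostablesDefenderLite/' . GDEF_EXAMPLE_VERSION,
    ];
}

// Return the entries in $record whose affected ranges include $installed.
// Constructed range layout: 'from' inclusive (null = any), 'to' exclusive, i.e. the
// first fixed version (null = no fix yet).
function gdef_example_open_findings(string $installed, array $record): array {
    $open = [];
    foreach ($record['vulnerabilities'] ?? [] as $vuln) {
        foreach ($vuln['affected'] as $range) {
            $from_ok = $range['from'] === null || version_compare($installed, $range['from'], '>=');
            $to_ok   = $range['to']   === null || version_compare($installed, $range['to'],   '<');
            if ($from_ok && $to_ok) {
                $open[] = $vuln;
                break; // one matching range is enough to report this entry
            }
        }
    }
    return $open;
}

// 24-hour per-URL cache standing in for the WordPress transient the plugin uses:
// $fetch is only invoked when there is no unexpired entry.
function gdef_example_cached(array &$cache, string $url, callable $fetch, int $now): array {
    if (isset($cache[$url]) && $cache[$url]['expires'] > $now) {
        return $cache[$url]['body'];
    }
    $body = $fetch($url);
    $cache[$url] = ['body' => $body, 'expires' => $now + 24 * 3600];
    return $body;
}

// Constructed sample response so the example runs offline.
$sample = ['vulnerabilities' => [
    ['id' => 'EXAMPLE-1', 'severity' => 7.5, 'affected' => [['from' => null,    'to' => '2.3.1']]],
    ['id' => 'EXAMPLE-2', 'severity' => 4.3, 'affected' => [['from' => '3.0.0', 'to' => '3.0.5']]],
]];

$fetches = 0;
$fetch   = function (string $url) use ($sample, &$fetches): array { $fetches++; return $sample; };
$cache   = [];
$url     = gdef_example_lookup_url('plugin', 'example-plugin');
$now     = time();

echo "GET $url\n";
foreach (gdef_example_request_headers() as $name => $value) {
    echo "$name: $value\n";
}

$record = gdef_example_cached($cache, $url, $fetch, $now);             // first call fetches
$record = gdef_example_cached($cache, $url, $fetch, $now + 3600);      // within 24h: cache
$record = gdef_example_cached($cache, $url, $fetch, $now + 25 * 3600); // expired: fetches again
echo "network fetches: $fetches\n";

foreach (['2.2.0', '3.0.2', '3.1.0'] as $installed) {
    $ids = array_column(gdef_example_open_findings($installed, $record), 'id');
    echo "installed $installed -> open: " . ($ids ? implode(', ', $ids) : 'none') . "\n";
}
```

Run it with `php lookup-example.php`. The check a reviewer of such a plugin would make against this sketch is the range boundary: treating `to` as the first fixed version (exclusive) is what keeps a site that has already updated from being reported as vulnerable, and `version_compare()` handles suffixes such as `1.2.0-beta1` consistently where plain string comparison would not.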

No other outbound network traffic originates from this plugin. The two-factor QR
code is rendered locally in the operator’s browser using a vendored MIT-licensed
JavaScript library — the TOTP secret is never transmitted to any third party.

## Installation

 1. Upload `ghostables-defender-lite` to `/wp-content/plugins/` (or install via Plugins ›
    Add New)
 2. Activate
 3. Follow the 4-step setup wizard. The first administrator to complete it becomes
    the founding **Operator**: they set a 6–10 digit PIN and receive 10 single-use recovery
    codes.
 4. The wizard takes the first file-integrity baseline and runs the first vulnerability
    scan automatically.

## FAQ

### Does Defender Lite phone home?

Lite calls one external service: the public WordPress Vulnerability Database at 
wpvulnerability.net, to look up disclosed vulnerabilities for each installed plugin,
theme, and your WordPress core version. No API key, no site URL, no admin email —
only the slug being queried and a User-Agent identifying the plugin version. Each
lookup is cached locally for 24 hours. See the “External services” section above
for the full disclosure.

The two-factor QR code is rendered locally in your browser; the TOTP secret never
leaves your WordPress install.

### Will Lite slow my site down?

The scans run on cron (twice-daily CVE check, daily integrity scan). Runtime hardening
is a handful of cheap filter hooks. No page-load impact you’ll measure.

### Will Lite break my site?

The hardening checklist tells you what each fix does before you click it. Every 
one-click fix is reversible by editing wp-config.php or unchecking the option. Defaults
are conservative — nothing is enforced site-wide on first install except the Operator
gate, which only restricts Defender’s own settings.

### Does it work alongside Wordfence / iThemes / Sucuri?

Technically yes, but running multiple security plugins is usually counterproductive —
they fight over the same hooks. Run one, run it well.

### Is the audit log really tamper-evident?

Each row’s `row_hash` is an HMAC-SHA-256 over the previous row’s hash plus the row’s
own fields, keyed with a 32-byte chain key. The chain key is either (a) the `GDEF_LITE_AUDIT_KEY`
constant in your `wp-config.php`, or (b) auto-generated and stored as a WordPress
option on first use. An attacker with database write access can delete or modify
a row, but cannot quietly recompute the following row’s HMAC without the key — so
the next row’s stored hash will no longer match, and the break is visible from Settings ›
Operator › Chain status. For the strongest guarantee, set `GDEF_LITE_AUDIT_KEY` in
`wp-config.php` so the key never lives in the database alongside the rows it signs.
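The chain the answer above describes, as an added example written for this page and not taken from the plugin: each row's hash is an HMAC-SHA-256, keyed with a 32-byte chain key, over the previous row's hash plus the row's own fields, and a verification walk finds the first row whose stored hash no longer links. The field list, the canonical serialisation, the genesis value and the `gdef_example_*` names are assumptions of this example; the plugin's real table layout is not shown on this page.

```php
<?php
// Added example, not the plugin's own code. Names prefixed gdef_example_ are assumed.
declare(strict_types=1);

// Canonical bytes for one row: fixed field order, each value length-prefixed so that
// moving bytes between two fields cannot produce the same serialisation.
function gdef_example_row_bytes(array $row): string {
    $out = '';
    foreach (['id', 'ts', 'user', 'event', 'detail'] as $field) {
        $value = (string) ($row[$field] ?? '');
        $out  .= strlen($value) . ':' . $value . ';';
    }
    return $out;
}

// row_hash = HMAC-SHA-256(key, previous row's hash || this row's canonical fields)
function gdef_example_row_hash(string $key, string $prev_hash, array $row): string {
    return hash_hmac('sha256', $prev_hash . "\n" . gdef_example_row_bytes($row), $key);
}

// Append a row, linking it to the stored hash of the row before it.
// The first row links to a fixed genesis value (64 zero hex digits, an assumption).
function gdef_example_append(array &$log, string $key, array $row): void {
    $prev = $log ? end($log)['row_hash'] : str_repeat('0', 64);
    $row['id']       = count($log) + 1;
    $row['row_hash'] = gdef_example_row_hash($key, $prev, $row);
    $log[] = $row;
}

// Walk the chain from genesis. Returns null when every stored hash matches what the
// key and the preceding hash predict, otherwise the id of the first row that breaks.
function gdef_example_verify(array $log, string $key): ?int {
    $prev        = str_repeat('0', 64);
    $expected_id = 1;
    foreach ($log as $row) {
        // A removed row shows as a gap in ids and as a hash that no longer links.
        if ($row['id'] !== $expected_id) {
            return $row['id'];
        }
        $calc = gdef_example_row_hash($key, $prev, $row);
        if (!hash_equals($calc, $row['row_hash'])) {
            return $row['id'];
        }
        $prev = $row['row_hash'];
        $expected_id++;
    }
    return null;
}

// Demo: in the plugin the key comes from GDEF_LITE_AUDIT_KEY or a stored option;
// here it is a fresh random 32-byte key held only in memory.
$key = random_bytes(32);
$log = [];
gdef_example_append($log, $key, ['ts' => '2026-06-23T10:00:00Z', 'user' => 'alice',   'event' => 'login',          'detail' => 'ok']);
gdef_example_append($log, $key, ['ts' => '2026-06-23T10:05:00Z', 'user' => 'alice',   'event' => 'setting_change', 'detail' => 'hardening.xmlrpc=off']);
gdef_example_append($log, $key, ['ts' => '2026-06-23T10:07:00Z', 'user' => 'mallory', 'event' => 'login',          'detail' => 'ok']);

$report = fn(?int $broken): string => $broken === null ? 'chain intact' : "chain breaks at row $broken";

echo 'untouched log:   ', $report(gdef_example_verify($log, $key)), "\n";

// Modify row 2 in place, as a database writer without the key could.
$tampered = $log;
$tampered[1]['detail'] = 'hardening.xmlrpc=on';
echo 'modified row 2:  ', $report(gdef_example_verify($tampered, $key)), "\n";

// Delete row 2: row 3 still links to the hash of the row that is now gone.
$deleted = $log;
array_splice($deleted, 1, 1);
echo 'deleted row 2:   ', $report(gdef_example_verify($deleted, $key)), "\n";
```

Run it with `php audit-chain-example.php`; it needs PHP 7.4 or newer for the arrow function. Two points the example makes concrete. First, the check only holds while the verifier has a key the database writer does not: with option (b) from the answer above the key sits in the same database as the rows, which is exactly why the answer recommends the `wp-config.php` constant. Second, a hash chain detects removal of a row that something later links to; removal of the newest row leaves no dangling link, so a deployment that cares about that case records the latest hash (or the row count) somewhere outside the database as well.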

### How do I get the separate Ghostables Defender plugin?

It’s distributed from [ghostables.io](https://ghostables.io). Install it alongside
Defender Lite and Lite steps aside automatically; every setting you’ve configured
here carries over. You never need it to keep using Defender Lite, which is free 
and fully functional on its own.

### What happens if I uninstall?

Uninstalling (not just deactivating) drops Defender’s three tables and clears its
options. Your audit log goes with it. This is intentional — uninstall means uninstall.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Ghostables Defender Lite” is open source software. The following people have contributed
to this plugin.

Contributors

 * [ghostables](https://profiles.wordpress.org/ghostables/)

[Translate “Ghostables Defender Lite” into your language.](https://translate.wordpress.org/projects/wp-plugins/ghostables-defender-lite)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/ghostables-defender-lite/),
check out the [SVN repository](https://plugins.svn.wordpress.org/ghostables-defender-lite/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/ghostables-defender-lite/)
by [RSS](https://plugins.trac.wordpress.org/log/ghostables-defender-lite/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 0.1.6

 * Fix: on the Scan page, the vulnerability and file-integrity scan progress modal
   could appear hidden behind its own backdrop. The modal is mounted on the page
   body — outside the plugin’s styling scope — so its brand colour variables weren’t
   resolving and the card rendered transparent. The modal now carries its own tokens
   and displays correctly. No change to scanning behaviour.

#### 0.1.5

 * Authorisation: the integrity scan-control endpoints (start, tick, cancel) and
   the baseline and finding-resolve endpoints now enforce the Operator gate directly
   in their REST permission_callback — administrator capability plus an unlocked
   Operator session — because advancing a baseline rewrites the trusted file fingerprint
   (a security-state change). Read-only endpoints (CVE scan, scan status, audit verify)
   continue to require the administrator capability only. Locked requests return
   a clear, actionable 403.
 * Removed remaining “free tier / upgrade” wording from the plugin header description
   to match the rest of the plugin: Defender Lite is free and fully functional, 
   with the separate plugin described for information only.

#### 0.1.4

 * Guidelines compliance. Audit-log retention is now a free, user-configurable setting
   (default 90 days, set to 0 to keep everything forever) — it is no longer presented
   as a paid limit. Nothing in the plugin is gated behind a licence, tier, quota,
   or time limit; every feature is free and fully functional.
 * The “More Security” page now describes Ghostables Defender purely as a separate,
   more advanced plugin available from ghostables.io — no locked tiles, no “unlock”,
   no in-plugin upsell or licence-key entry.
 * All JavaScript and CSS is now loaded through wp_enqueue_*. The previous inline
   `<script>` and `<style>` blocks (the REST helper, scan modal, onboarding wizard) moved
   to enqueued assets/js/admin.js, assets/js/onboard.js, assets/css/onboard.css, and
   assets/css/login.css. Inline onclick handlers and inline style attributes were replaced
   with delegated event listeners and CSS classes.
 * No change to the actual security features: vulnerability scanning, file integrity,
   hardening, two-factor authentication, Operator gate, and the tamper-evident audit
   log all work exactly as before.

#### 0.1.3

 * Plugin Check round-2 cleanup. Fixed the only remaining ERROR (a $wpdb->prepare()
   call in the CVE scanner that concatenated time() into the SQL — now bound as %d),
   collapsed two multi-line $wpdb->prepare() calls onto single lines so the
   phpcs:ignore directive actually lands on the offending line, suppressed the PrefixAllGlobals
   sniff on view templates (they are require()’d inside controller methods, so their
   variables are method-local at runtime even though PHPCS sees them as global),
   and wrapped uninstall.php’s body in an immediately-invoked closure so its working
   variables are genuinely function-scoped. No functional or behavioural changes.

#### 0.1.2

 * Plugin Check cleanup: switched all filesystem operations to WP_Filesystem; sanitised
   every superglobal read with wp_unslash() + sanitize_text_field() / esc_url_raw();
   annotated every deliberate direct $wpdb query with the rationale; prefixed all
   view-file local variables with gdef_ to satisfy the PrefixAllGlobals rule.
 * No functional changes — all behaviour, option keys, DB schemas, REST routes, 
   and admin UI are unchanged.

#### 0.1.1

 * Vulnerability feed switched from Wordfence Intelligence to the public WordPress
   Vulnerability Database (wpvulnerability.net). Same coverage, GPL-compatible licensing,
   per-component 24h cache.
 * Two-factor QR code is now rendered locally in the operator’s browser using a 
   bundled MIT-licensed library. The TOTP secret is no longer transmitted to a third
   party.
 * Two-factor authentication now blocks XML-RPC and application-password channels
   for any user with 2FA enabled, closing the previous bypass.
 * Two-factor recovery codes are stored as password_hash() values rather than plaintext.
 * Brute-force throttle added to the Operator PIN, the Operator recovery code, and
   the 2FA challenge — 5 failures in 5 minutes triggers a lockout with exponential
   backoff up to 1 hour.
 * Audit chain upgraded from unkeyed SHA-256 to HMAC-SHA-256 with a chain key. The
   key is read from a `GDEF_LITE_AUDIT_KEY` wp-config constant when present, otherwise
   auto-generated and stored as an option. Existing pre-upgrade rows remain verifiable
   under the legacy scheme.
 * The audit log no longer trusts `X-Forwarded-For` or `CF-Connecting-IP` headers
   by default — opt in via the `GDEF_LITE_TRUST_PROXY` wp-config constant or the
   `gdef_lite_trust_proxy` filter when the site genuinely sits behind a reverse proxy.
 * Hardening: nginx server-block snippet for blocking PHP execution in /uploads 
   is now generated on the Hardening page (Apache .htaccess output unchanged).
 * Admin pages no longer fetch Google Fonts from a CDN — system font stack is used
   instead.

#### 0.1.0

 * Initial release.

## Meta

 * Version **0.1.6**
 * Last updated **5 days ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.0 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Tags: [File Integrity](https://wordpress.org/plugins/tags/file-integrity/), [hardening](https://wordpress.org/plugins/tags/hardening/), [security](https://wordpress.org/plugins/tags/security/), [two factor authentication](https://wordpress.org/plugins/tags/two-factor-authentication/), [vulnerability scanner](https://wordpress.org/plugins/tags/vulnerability-scanner/)
 * [Advanced View](https://wordpress.org/plugins/ghostables-defender-lite/advanced/)
