Title: Governance Guardrails
Author: Malcolm Peralty
Published: June 16, 2026
Last modified: June 16, 2026

---

# Governance Guardrails

 By [Malcolm Peralty](https://profiles.wordpress.org/phoenixfireball/)

[Download](https://downloads.wordpress.org/plugin/governance-guardrails.1.0.0.zip)

## Description

Governance Guardrails is a file-based WordPress governance plugin for site owners,
agencies, and managed WordPress teams that want important operational rules to live
in code instead of scattered database settings.

You define a policy in a PHP configuration file. Governance Guardrails reads that
file on each request and applies the configured rules. This makes the policy easy
to review, version-control, and deploy consistently across environments or multiple
sites.

Governance Guardrails can help you manage:

 * Feature toggles such as XML-RPC, comments, feeds, the Customizer, widgets, application
   passwords, user registration, WP-Cron, and related admin features.
 * Admin UI cleanup, including admin bar nodes, dashboard widgets, menu pages, and
   admin footer text.
 * Runtime capability denials by role without changing stored role definitions in
   the database.
 * Upload governance, including allowed MIME types and per-file size limits.
 * Content behavior such as revisions, autosave intervals, oEmbed, and emoji loading.
 * Login behavior such as password reset restrictions, generic login errors, and
   post-logout redirects.
 * HTTP security headers and other hardening options such as pingback removal, author
   archive handling, file editing restrictions, and staging noindex headers.
 * Head cleanup for RSD, WLW manifest, shortlinks, feed links, and REST API discovery
   links.
 * Locked options so selected `wp_options` values are pinned from code.
 * Custom governance callbacks for site-specific rules.

This plugin does not claim to secure a site by itself. It is intended as a governance
and consistency tool that helps keep selected WordPress settings and behaviors aligned
with your site’s operational policy.

#### Must-use plugin support

Governance Guardrails was originally built for must-use plugin deployment. It can
still be installed that way by copying `governance-guardrails.php` and the
`governance-guardrails/` directory into `wp-content/mu-plugins/`.

For WordPress.org installation, it can also be installed and activated as a normal
plugin. In that case, the included sample config is used from the plugin directory
unless you define a custom config path.

To use a custom config file, add this to `wp-config.php`:

```
define( 'GOVGUARD_CONFIG', '/absolute/path/to/governance-guardrails-config.php' );
```

The shipped sample config lives at
`governance-guardrails/governance-guardrails-config.php`.

Config loading is fail-open. If the config file is missing, unreadable, has a syntax
error, or does not return an array, Governance Guardrails does not enforce governance
rules and logs a warning instead of crashing the site.
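
Because loading is fail-open, a broken config silently turns enforcement off, so it is worth checking a config for the same four conditions before it is deployed. The script below is an added example, not the plugin's own code: `govguard_config_problem()` and the sample array key are hypothetical, and it assumes the config file evaluates without WordPress loaded.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Checks a config file for the four
// fail-open conditions: missing, unreadable, syntax error, non-array return.
// govguard_config_problem() is a hypothetical name.
function govguard_config_problem(string $path): ?string
{
    if (!is_file($path)) {
        return 'missing';
    }
    if (!is_readable($path)) {
        return 'unreadable';
    }
    try {
        // Include inside a closure so the config cannot touch this scope.
        // A syntax error in an included file is thrown as ParseError.
        $policy = (static fn () => include $path)();
    } catch (\ParseError $e) {
        return 'syntax error on line ' . $e->getLine();
    } catch (\Throwable $e) {
        // Assumption: the config evaluates without WordPress loaded.
        return 'runtime error: ' . $e->getMessage();
    }
    return is_array($policy) ? null : 'returned ' . gettype($policy) . ', not an array';
}

$paths = array_slice($argv ?? [], 1);
if ($paths === []) {
    // No path given: run against constructed samples. The array key is a
    // placeholder, not the plugin's schema.
    $dir = sys_get_temp_dir() . '/govguard-demo-' . getmypid();
    mkdir($dir);
    $samples = [
        'ok.php'        => "<?php return ['example_section' => []];",
        'syntax.php'    => "<?php return ['example_section' => [;",
        'not-array.php' => "<?php return 'oops';",
    ];
    foreach ($samples as $name => $code) {
        file_put_contents("$dir/$name", $code);
        $paths[] = "$dir/$name";
    }
    $paths[] = "$dir/absent.php";
}
$bad = 0;
foreach ($paths as $path) {
    $problem = govguard_config_problem($path);
    $bad += $problem === null ? 0 : 1;
    printf("%-9s %s: %s\n", $problem === null ? 'ok' : 'FAIL-OPEN', $path, $problem ?? 'returns an array');
}
exit($bad > 0 ? 1 : 0);
```

Run it with the config path as an argument in a deploy pipeline; the non-zero exit status lets the pipeline stop before a config that would disable enforcement reaches the site.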

#### WP-CLI

When WP-CLI is available, Governance Guardrails registers the `wp governance` command
set.

Examples:

 * `wp governance status`
 * `wp governance check`
 * `wp governance audit`
 * `wp governance audit --severity=high`
 * `wp governance diff`
 * `wp governance get features --format=json`
 * `wp governance mimes`

## Installation

#### Normal plugin installation

 1. Upload the plugin files to the `/wp-content/plugins/governance-guardrails/` directory,
    or install the plugin through the WordPress Plugins screen.
 2. Activate Governance Guardrails through the Plugins screen in WordPress.
 3. Review the included sample config at
    `governance-guardrails/governance-guardrails-config.php`.
 4. For a site-specific policy, define `GOVGUARD_CONFIG` in `wp-config.php` and point
    it at your own config file.
 5. If WP-CLI is available, run `wp governance check` to validate the active config.

#### Must-use plugin installation

 1. Copy `governance-guardrails.php` and the `governance-guardrails/` directory into
    `wp-content/mu-plugins/`.
 2. Review or replace the config file at
    `wp-content/mu-plugins/governance-guardrails/governance-guardrails-config.php`.
 3. Optionally define `GOVGUARD_CONFIG` in `wp-config.php` to point at a config file
    outside the plugin directory.
 4. If WP-CLI is available, run `wp governance status` or `wp governance check`.

## FAQ

### Is Governance Guardrails a security plugin?

Governance Guardrails includes security-related controls, but it is better described
as a governance and configuration enforcement plugin. It helps enforce selected 
operational rules from code. It should be used alongside normal WordPress security
practices such as updates, strong authentication, least-privilege users, backups,
logging, and server hardening.

### Can I use it as a normal plugin?

Yes. Governance Guardrails can be activated as a normal plugin. It was originally
designed for must-use deployment, so teams that want policy enforced outside the
normal plugin activation flow may still prefer the mu-plugin installation method.

### Where does the configuration live?

By default, the plugin loads `governance-guardrails/governance-guardrails-config.php`
from the plugin directory. You can define `GOVGUARD_CONFIG` in `wp-config.php`
to use an absolute path to another config file.

### What happens if the config file is broken?

Governance Guardrails fails open. It logs a warning and does not enforce governance
rules from a broken or missing config file. This avoids taking down the site because
of a bad governance config.

### Does Governance Guardrails write settings to the database?

The core governance model is file-based. It reads policy from a PHP config file 
and applies rules at runtime. Some rules prevent changes to selected options by 
filtering reads and updates, but the plugin is not designed around storing settings
in the database.

### Does it make remote requests or send tracking data?

No. Governance Guardrails does not include phone-home tracking or external service
calls.

### How does the disable_wp_cron option work?

When enabled, Governance Guardrails stops WordPress from spawning WP-Cron requests
on normal page views by filtering the list of ready cron jobs. It does not define
the global DISABLE_WP_CRON constant, and it does not delete or unschedule any events.
Direct requests to wp-cron.php and WP-CLI cron commands continue to work normally,
so this option should be paired with a real system cron — for example a scheduled
request to wp-cron.php or `wp cron event run --due-now`. Without one, scheduled 
events will not run.

### Who should use this plugin?

It is most useful for developers, agencies, and managed WordPress teams that want
repeatable policy controls across one or more sites. It may be more technical than
a typical settings-screen plugin because the policy is configured in PHP.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Governance Guardrails” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Malcolm Peralty ](https://profiles.wordpress.org/phoenixfireball/)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/governance-guardrails/),
check out the [SVN repository](https://plugins.svn.wordpress.org/governance-guardrails/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/governance-guardrails/)
by [RSS](https://plugins.trac.wordpress.org/log/governance-guardrails/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial WordPress.org-ready release.
 * Provides file-based governance configuration for admin UI, feature toggles, capabilities,
   uploads, content behavior, login behavior, security headers, locked options, 
   and WP-CLI inspection commands.

## Meta

 * Version **1.0.0**
 * Last updated **20 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.4 or higher**
 * Tested up to **7.0**
 * PHP version **8.1 or higher**
 * Tags: [admin](https://wordpress.org/plugins/tags/admin/), [governance](https://wordpress.org/plugins/tags/governance/),
   [mu plugin](https://wordpress.org/plugins/tags/mu-plugin/), [security](https://wordpress.org/plugins/tags/security/),
   [wp-cli](https://wordpress.org/plugins/tags/wp-cli/)
 * [Advanced View](https://wordpress.org/plugins/governance-guardrails/advanced/)
