Description
Holographic Login Shield helps protect the WordPress login area from repeated failed logins, automated abuse and common account-discovery behaviour.
The plugin is designed to stay focused. It adds practical login hardening without replacing the WordPress admin area, adding unnecessary front-end assets or sending free-plugin security logs to an external service.
Free features include configurable failed-login lockouts, an automatic permanent IP block threshold, local allowed and blocked IP address lists, Cloudflare-aware visitor IP detection, a paginated recent activity log, CSV log export, log retention cleanup, generic login errors, XML-RPC control, Application Password control, optional author archive blocking, a hidden bot trap and optional throttled failed-login email alerts.
Allowed IP addresses can be added manually or with the Add My IP button. Blocked IP addresses can be added manually and are also populated automatically when the permanent blocking threshold is reached. Both lists remain local to your WordPress site.
Screenshots
Main Holographic Login Shield settings screen showing security status, protection settings, allowed and blocked IP address controls, and recent login activity.
Installation
- Upload the plugin files to the /wp-content/plugins/holographic-login-shield directory, or install the plugin ZIP through the WordPress Plugins screen.
- Activate the plugin.
- Go to Settings > Login Shield.
- Review the default login protection settings and save any changes.
FAQ
-
Does this block brute-force login attempts?
-
Yes. The plugin can lock out repeated failed login attempts from the same IP address and username combination. You can configure the failed attempt limit, attempt window, lockout length and automatic permanent IP block threshold.
-
What does the permanent IP block setting do?
-
It automatically adds an IP address to the local blocked IP list after that IP reaches the configured failed-login threshold within the attempt window. Set the value to 0 if you want to disable automatic permanent blocking.
-
Can I allow my own IP address?
-
Yes. Add your IP address to the allowed IP list manually or use the Add My IP button on the settings page. Allowed IP addresses bypass local lockouts, automatic permanent blocking and the local block list.
-
Can I remove a blocked IP address?
-
Yes. Delete the IP address from the blocked IP box and save the settings.
-
Does the free plugin send login logs to Holographic Plugins?
-
No. The free plugin stores login security logs locally in your WordPress database. It does not send those logs to Holographic Plugins.
-
Can I disable XML-RPC?
-
Yes. You can disable XML-RPC from the plugin settings if your site does not need it.
-
Can I disable Application Passwords?
-
Yes. The plugin can disable WordPress Application Password authentication if your site does not need external application access.
-
Can I export the login log?
-
Yes. Site administrators can export recent login activity as a CSV file from the plugin settings page.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Holographic Login Shield” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Holographic Login Shield” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.15
- Added safe Cloudflare-aware visitor IP detection for login protection and activity logging.
- Added pagination to the Activity Log.
- Improved Activity Log notes when a trusted Cloudflare proxy is detected.
1.0.14
- Added the plugin screenshot asset and screenshot readme entry.
- Improved the WordPress.org readme description and FAQs.
1.0.13
- Updated the WordPress.org short description and tightened remaining form and notice input handling flagged by the local checker.
1.0.12
- Reworked remaining form and notice input handling to use WordPress unslash and sanitising functions instead of PHP filter input helpers.
1.0.11
- Tightened login honeypot nonce handling and request validation.
- Moved local activity logging away from direct custom-table calls to remove the remaining database-query warnings.
1.0.8
- Fixed a fatal callback error caused by a removed security header method still being registered.
- Restored bundled admin CSS and JavaScript assets used by the settings page.
1.0.7
- Completed a release-prep optimisation and security pass.
- Tightened login bot trap handling, IP validation, cache invalidation and uninstall cleanup.
- Added suggested privacy policy wording for local login security logs.
- Changed new-install failed-login email alerts to opt-in.
- Removed the public plugin-identifying response header.
1.0.6
- Fixed the Add My IP admin button script so it correctly adds the detected administrator IP address to the allowed IP list.
1.0.5
- Added an Add My IP button for the allowed IP list.
- Added automatic permanent IP blocking after a configurable number of failed logins.
1.0.4
- Added object caching around CSV export log retrieval to satisfy Plugin Check database caching requirements.
1.0.3
- Added local IP allow and block lists.
- Added CSV login log export.
- Added Application Passwords control.
- Added generic login error protection.
- Added optional author archive blocking.
- Added daily log retention cleanup.
- Added a security status panel.
- Updated the readme contributor name.
1.0.2
- Changed uninstall cleanup so the custom log table is cleared without dropping the table.
1.0.1
- Fixed Plugin Check issues and updated release metadata.
1.0.0
- Initial release.