{"id":279420,"date":"2026-02-08T13:16:50","date_gmt":"2026-02-08T13:16:50","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/security-pack\/"},"modified":"2026-02-19T18:23:51","modified_gmt":"2026-02-19T18:23:51","slug":"arkhost-security-pack","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/arkhost-security-pack\/","author":23446996,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1","stable_tag":"1.1","tested":"6.9.4","requires":"5.0","requires_php":"7.4","requires_plugins":null,"header_name":"ArkHost Security Pack","header_author":"ArkHost","header_description":"A free, lightweight security plugin with zero upsells. Login protection, IP blocking, hardening, and activity logging.","assets_banners_color":"","last_updated":"2026-02-19 18:23:51","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"https:\/\/arkhost.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":209,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0":{"tag":"1.0","author":"arkhost","date":"2026-02-08 13:16:34"},"1.1":{"tag":"1.1","author":"arkhost","date":"2026-02-19 18:23:51"}},"upgrade_notice":{"1.1":"<p>Fixes custom login URL breaking on form submission (404 redirect).<\/p>","1.0":"<p>Initial release.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3456394,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3456394,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0","1.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3456394,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3456394,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3456394,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3456394,"resolution":"4","location":"assets","locale":""},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3456394,"resolution":"5","location":"assets","locale":""},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3456394,"resolution":"6","location":"assets","locale":""},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3456394,"resolution":"7","location":"assets","locale":""},"screenshot-8.png":{"filename":"screenshot-8.png","revision":3456394,"resolution":"8","location":"assets","locale":""},"screenshot-9.png":{"filename":"screenshot-9.png","revision":3456394,"resolution":"9","location":"assets","locale":""}},"screenshots":{"1":"Security status overview","2":"Login protection settings","3":"Activity log","4":"Two-factor authentication setup","5":"Malware scanner with quarantine"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[9211,1174,602,1184,600],"plugin_category":[38,54],"plugin_contributors":[255448],"plugin_business_model":[],"class_list":["post-279420","plugin","type-plugin","status-publish","hentry","plugin_tags-2fa","plugin_tags-firewall","plugin_tags-login","plugin_tags-malware","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-arkhost","plugin_committers-arkhost"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/icon-128x128.png?rev=3456394","icon_2x":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/icon-256x256.png?rev=3456394","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-1.png?rev=3456394","caption":"Security status overview"},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-2.png?rev=3456394","caption":"Login protection settings"},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-3.png?rev=3456394","caption":"Activity log"},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-4.png?rev=3456394","caption":"Two-factor authentication setup"},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-5.png?rev=3456394","caption":"Malware scanner with quarantine"},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-6.png?rev=3456394","caption":""},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-7.png?rev=3456394","caption":""},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-8.png?rev=3456394","caption":""},{"src":"https:\/\/ps.w.org\/arkhost-security-pack\/assets\/screenshot-9.png?rev=3456394","caption":""}],"raw_content":"<!--section=description-->\n<p>A complete security plugin that's actually free. No \"pro\" version, no nag screens, no made-up threat statistics.<\/p>\n\n<h4>Login Protection<\/h4>\n\n<ul>\n<li>Blocks IPs after failed login attempts<\/li>\n<li>Custom login URL (hides wp-login.php)<\/li>\n<li>Hides wp-admin from logged-out users<\/li>\n<li>Honeypot field for bots<\/li>\n<li>Hides login errors (stops username enumeration)<\/li>\n<li>Email alerts for admin logins from new IPs<\/li>\n<li>Country\/IP restrictions on login page<\/li>\n<\/ul>\n\n<h4>IP Control<\/h4>\n\n<ul>\n<li>Whitelist and blacklist<\/li>\n<li>Auto-blacklist after repeated lockouts<\/li>\n<li>IPv4, IPv6, CIDR supported<\/li>\n<\/ul>\n\n<h4>Geo Blocking<\/h4>\n\n<ul>\n<li>Block countries<\/li>\n<li>Uses free IP2Location LITE database<\/li>\n<li>One-click download<\/li>\n<\/ul>\n\n<h4>Hardening<\/h4>\n\n<ul>\n<li>Disable XML-RPC<\/li>\n<li>Disable dashboard file editing<\/li>\n<li>Disable application passwords<\/li>\n<li>Restrict REST API to logged-in users<\/li>\n<li>Remove WordPress version<\/li>\n<li>Block user enumeration (?author=1 and REST API)<\/li>\n<li>Disable pingbacks\/trackbacks<\/li>\n<\/ul>\n\n<h4>Security Headers<\/h4>\n\n<p>X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS<\/p>\n\n<h4>Two-Factor Authentication<\/h4>\n\n<ul>\n<li>TOTP (Google Authenticator, Authy, etc.)<\/li>\n<li>Backup codes<\/li>\n<li>Enforce for admins<\/li>\n<\/ul>\n\n<h4>File Integrity Monitoring<\/h4>\n\n<ul>\n<li>Checks WordPress core files against official checksums<\/li>\n<li>Daily scans<\/li>\n<li>Email alerts on changes<\/li>\n<\/ul>\n\n<h4>Malware Scanner<\/h4>\n\n<ul>\n<li>Scans plugins, themes, uploads<\/li>\n<li>Pattern-based detection<\/li>\n<li>Quarantine suspicious files<\/li>\n<li>Weekly scans<\/li>\n<\/ul>\n\n<h4>Activity Log<\/h4>\n\n<ul>\n<li>Login attempts, lockouts, blocks<\/li>\n<li>IP, country, username, timestamp<\/li>\n<li>Configurable retention<\/li>\n<li>CSV export<\/li>\n<\/ul>\n\n<h4>Tools<\/h4>\n\n<ul>\n<li>Export\/import settings<\/li>\n<li>Force logout all users<\/li>\n<li>Test email<\/li>\n<li>Delete readme.html\/license.txt<\/li>\n<\/ul>\n\n<h4>Privacy<\/h4>\n\n<p>No tracking. No analytics. No telemetry.<\/p>\n\n<p>External connections:\n* WordPress.org API (core file checksums)\n* IP2Location (database download, only when you click it)<\/p>\n\n<h3>External services<\/h3>\n\n<p>This plugin connects to the following external services under specific circumstances:<\/p>\n\n<h4>WordPress.org Checksums API<\/h4>\n\n<ul>\n<li>Service: api.wordpress.org\/core\/checksums\/1.0\/<\/li>\n<li>Used for: Verifying WordPress core file integrity by comparing local files against official checksums<\/li>\n<li>Data sent: WordPress version and locale<\/li>\n<li>When: During daily scheduled file integrity scans and when manually triggered by the admin<\/li>\n<li>Privacy policy: https:\/\/wordpress.org\/about\/privacy\/<\/li>\n<\/ul>\n\n<h4>IP Detection Services<\/h4>\n\n<ul>\n<li>Services: api.ipify.org, ifconfig.me, icanhazip.com<\/li>\n<li>Used for: Detecting the server's public IP address for the \"Whitelist My IP\" tool<\/li>\n<li>Data sent: Standard HTTP request (no personal data)<\/li>\n<li>When: Only when an admin uses the \"Whitelist My IP\" feature in the Tools tab<\/li>\n<li>Terms: https:\/\/www.ipify.org\/ \/ https:\/\/ifconfig.me\/ \/ https:\/\/icanhazip.com\/<\/li>\n<\/ul>\n\n<h4>IP2Location<\/h4>\n\n<ul>\n<li>Service: download.ip2location.com<\/li>\n<li>Used for: Downloading the free IP2Location LITE geolocation database for country-based blocking<\/li>\n<li>Data sent: Standard HTTP request (optional: user's download token if configured)<\/li>\n<li>When: Only when an admin clicks \"Download IP2Location Database\" in the IP Control tab<\/li>\n<li>Terms of service: https:\/\/www.ip2location.com\/terms<\/li>\n<li>Privacy policy: https:\/\/www.ip2location.com\/privacy<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin files to <code>\/wp-content\/plugins\/arkhost-security-pack\/<\/code><\/li>\n<li>Activate the plugin through the 'Plugins' screen<\/li>\n<li>Configure under the Security menu<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20there%20a%20premium%20version%3F\"><h3>Is there a premium version?<\/h3><\/dt>\n<dd><p>No. This is the complete plugin.<\/p><\/dd>\n<dt id=\"will%20it%20slow%20my%20site%3F\"><h3>Will it slow my site?<\/h3><\/dt>\n<dd><p>No. Checks run on login and admin access, not frontend page loads.<\/p><\/dd>\n<dt id=\"i%20locked%20myself%20out\"><h3>I locked myself out<\/h3><\/dt>\n<dd><p>Connect via FTP\/SSH and rename the plugin folder. Log in normally. Fix your settings.<\/p><\/dd>\n<dt id=\"does%20geo-blocking%20work%20without%20the%20database%3F\"><h3>Does geo-blocking work without the database?<\/h3><\/dt>\n<dd><p>No. Download the free IP2Location LITE database from the plugin settings.<\/p><\/dd>\n<dt id=\"can%20i%20use%20this%20with%20other%20security%20plugins%3F\"><h3>Can I use this with other security plugins?<\/h3><\/dt>\n<dd><p>Possible but likely to cause conflicts. We recommend using one security plugin at a time.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.1<\/h4>\n\n<ul>\n<li>Fixed: Custom login URL form submission redirecting to 404 page<\/li>\n<li>Fixed: URL rewrite filters not being registered before login page render<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"WordPress security without the nonsense. No upsells, no premium tier, no fake threat counters.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/279420","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=279420"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/arkhost"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=279420"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=279420"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=279420"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=279420"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=279420"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=279420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}