{"id":335885,"date":"2026-07-12T17:20:17","date_gmt":"2026-07-12T17:20:17","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/isecure-guard\/"},"modified":"2026-07-12T17:20:08","modified_gmt":"2026-07-12T17:20:08","slug":"fpx-security-guard","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/fpx-security-guard\/","author":23527249,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0.1","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"FPX Security Guard","header_author":"FreePDFtxt","header_description":"Complete security suite for WordPress \u2014 login protection, firewall headers, WordPress info hiding, and hardening tools.","assets_banners_color":"","last_updated":"2026-07-12 17:20:08","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wp.freepdftxt.com\/","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":31,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"mamuniu06","date":"2026-07-12 17:20:08"}},"upgrade_notice":[],"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[2439,1174,31093,15756,600],"plugin_category":[54],"plugin_contributors":[271264],"plugin_business_model":[],"class_list":["post-335885","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-firewall","plugin_tags-hardening","plugin_tags-login-protection","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-mamuniu06","plugin_committers-mamuniu06"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/fpx-security-guard.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p>FPX Security Guard protects your WordPress site with:<\/p>\n\n<ul>\n<li><strong>Two-Factor Authentication (2FA)<\/strong> \u2014 Standard TOTP support (Google Authenticator, Authy, Microsoft Authenticator, 1Password). Users enable it individually from their Profile page with QR-code setup, and receive 10 one-time recovery codes. Works fully offline \u2014 no external service or email required.<\/li>\n<li><strong>Login Protection<\/strong> \u2014 Limits failed login attempts per IP with configurable lockout duration, generic error messages (no username\/password hints), and a hidden honeypot field that silently blocks bots.<\/li>\n<li><strong>Firewall &amp; Headers<\/strong> \u2014 Sends modern security headers (X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, HSTS on HTTPS) and blocks requests containing common SQL injection \/ XSS \/ path traversal patterns.<\/li>\n<li><strong>Hide WordPress Info<\/strong> \u2014 Removes the WP version from meta tags and asset URLs, blocks ?author=N user enumeration scans, and hides the public REST API users endpoint.<\/li>\n<li><strong>Hardening<\/strong> \u2014 Disables XML-RPC (a common brute-force vector) and the built-in theme\/plugin file editor.<\/li>\n<\/ul>\n\n<p><strong>Want more?<\/strong> <a href=\"https:\/\/wp.freepdftxt.com\/\">FPX Security Guard Pro<\/a> adds daily File Change Detection with malware-injection alerts \u2014 a background scanning service, hosted and sold separately from this free plugin.<\/p>\n\n<p>All features can be toggled individually from Settings \u2192 FPX Security Guard. A lockout log shows the last 20 blocked login attempts.<\/p>\n\n<h3>External Services<\/h3>\n\n<p>This plugin's optional <strong>Country Block<\/strong> feature (disabled by default) uses the free geo-location service ip-api.com to determine the country of a visitor's IP address.<\/p>\n\n<ul>\n<li><strong>What is sent:<\/strong> Only the visitor's IP address is sent to ip-api.com, and only when the Country Block feature is manually enabled by the site administrator and a visitor's country is not already cached.<\/li>\n<li><strong>When:<\/strong> On the first request from a given IP; the result is cached locally for 24 hours, so repeat visitors trigger no external calls.<\/li>\n<li><strong>No other data<\/strong> (no personal info, no site data) is ever transmitted.<\/li>\n<\/ul>\n\n<p>Service provider: ip-api.com \u2014 Terms: https:\/\/ip-api.com\/docs\/legal \u2014 Privacy: https:\/\/ip-api.com\/docs\/legal<\/p>\n\n<p>If the Country Block feature is disabled (the default), the plugin makes no external requests whatsoever.<\/p>\n\n<h4>Does rate limiting slow down my site?<\/h4>\n\n<p>Rate limiting tracks each visitor's request count using WordPress's core Transients API. If your host has a persistent object cache (Redis\/Memcached), this data is stored there with no database writes at all. Without one, it falls back to the options table like any request-level counter \u2014 the tracked data expires within seconds, so it never accumulates.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>fpx-security-guard<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or upload the zip via Plugins \u2192 Add New \u2192 Upload Plugin.<\/li>\n<li>Activate the plugin through the Plugins menu.<\/li>\n<li>Configure options under Settings \u2192 FPX Security Guard.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"i%27m%20locked%20out%20of%20two-factor%20authentication.%20how%20do%20i%20get%20back%20in%3F\"><h3>I'm locked out of two-factor authentication. How do I get back in?<\/h3><\/dt>\n<dd><p>There are three rescue paths, in order of ease:<\/p>\n\n<ol>\n<li><strong>Recovery codes<\/strong> \u2014 enter one of your saved one-time recovery codes in the Authentication Code field on the login screen.<\/li>\n<li><strong>Ask an administrator<\/strong> \u2014 any admin can open Users \u2192 your profile and reset your 2FA with one click. You can then log in with just your password and set 2FA up again.<\/li>\n<li><strong>Server access (site owners)<\/strong> \u2014 add this line to your wp-config.php file: <code>define( 'FPXSG_DISABLE_2FA', true );<\/code> \u2014 this temporarily bypasses 2FA for all logins. Log in, reset your 2FA from your profile, then REMOVE the line again. Because it requires file access, only someone who controls the server can use it.<\/li>\n<\/ol><\/dd>\n<dt id=\"will%20this%20conflict%20with%20other%20security%20plugins%3F\"><h3>Will this conflict with other security plugins?<\/h3><\/dt>\n<dd><p>Avoid running multiple firewall\/login-limit plugins at once \u2014 features may overlap.<\/p><\/dd>\n<dt id=\"i%20use%20jetpack%20or%20a%20mobile%20app%20to%20publish.\"><h3>I use Jetpack or a mobile app to publish.<\/h3><\/dt>\n<dd><p>Disable the \"Disable XML-RPC\" option in settings.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>Login protection: per-IP attempt limits, lockouts, honeypot, generic error messages.<\/li>\n<li>Two-Factor Authentication (TOTP): QR-code setup, recovery codes, low-code warnings, works offline.<\/li>\n<li>DDoS\/flood protection via per-IP rate limiting.<\/li>\n<li>Firewall: malicious query blocking and modern security headers.<\/li>\n<li>Country blocking (optional, via ip-api.com with local caching).<\/li>\n<li>Comment spam protection: honeypot and link limits.<\/li>\n<li>Hardening: XML-RPC off, file editor off, version hiding, user-enumeration blocking.<\/li>\n<li>Bundled QRCode.js by davidshimjs (MIT license, GPL-compatible) for local QR rendering.<\/li>\n<\/ul>","raw_excerpt":"Complete security suite for WordPress \u2014 login protection, firewall headers, info hiding, and hardening.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/335885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=335885"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/mamuniu06"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=335885"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=335885"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=335885"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=335885"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=335885"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=335885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}