ArkHost Security Pack
·
WordPress security without the nonsense. No upsells, no premium tier, no fake threat counters.
A complete security plugin that’s actually free. No “pro” version, no nag screens, no made-up threat statistics.
Login Protection
- Blocks IPs after failed login attempts
- Custom login URL (hides wp-login.php)
- Hides wp-admin from logged-out users
- Honeypot field for bots
- Hides login errors (stops username enumeration)
- Email alerts for admin logins from new IPs
- Country/IP restrictions on login page
IP Control
- Whitelist and blacklist
- Auto-blacklist after repeated lockouts
- IPv4, IPv6, CIDR supported
Geo Blocking
- Block countries
- Uses free IP2Location LITE database
- One-click download
Hardening
- Disable XML-RPC
- Disable dashboard file editing
- Disable application passwords
- Restrict REST API to logged-in users
- Remove WordPress version
- Block user enumeration (?author=1 and REST API)
- Disable pingbacks/trackbacks
Security Headers
X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS
Two-Factor Authentication
- TOTP (Google Authenticator, Authy, etc.)
- Backup codes
- Enforce for admins
File Integrity Monitoring
- Checks WordPress core files against official checksums
- Daily scans
- Email alerts on changes
Malware Scanner
- Scans plugins, themes, uploads
- Pattern-based detection
- Quarantine suspicious files
- Weekly scans
Activity Log
- Login attempts, lockouts, blocks
- IP, country, username, timestamp
- Configurable retention
- CSV export
Tools
- Export/import settings
- Force logout all users
- Test email
- Delete readme.html/license.txt
Privacy
No tracking. No analytics. No telemetry.
External connections: * WordPress.org API (core file checksums) * IP2Location (database download, only when you click it)
External services
This plugin connects to the following external services under specific circumstances:
WordPress.org Checksums API
- Service: api.wordpress.org/core/checksums/1.0/
- Used for: Verifying WordPress core file integrity by comparing local files against official checksums
- Data sent: WordPress version and locale
- When: During daily scheduled file integrity scans and when manually triggered by the admin
- Privacy policy: https://wordpress.org/about/privacy/
IP Detection Services
- Services: api.ipify.org, ifconfig.me, icanhazip.com
- Used for: Detecting the server’s public IP address for the “Whitelist My IP” tool
- Data sent: Standard HTTP request (no personal data)
- When: Only when an admin uses the “Whitelist My IP” feature in the Tools tab
- Terms: https://www.ipify.org/ / https://ifconfig.me/ / https://icanhazip.com/
IP2Location
- Service: download.ip2location.com
- Used for: Downloading the free IP2Location LITE geolocation database for country-based blocking
- Data sent: Standard HTTP request (optional: user’s download token if configured)
- When: Only when an admin clicks “Download IP2Location Database” in the IP Control tab
- Terms of service: https://www.ip2location.com/terms
- Privacy policy: https://www.ip2location.com/privacy