
Ghostables Defender Lite

Active security for WordPress: vulnerability scanning, file integrity, hardening checklist, two-factor authentication, and a tamper-evident audit log.
Version: 0.1.6
Last updated: Jun 23, 2026

Ghostables Defender Lite is a free, fully functional security plugin for WordPress. Nothing in it is locked, limited, or gated behind a licence — every feature below works out of the box:

  • Continuous vulnerability scanning against installed plugins, themes, and WordPress core
  • Cryptographic file integrity baseline with daily drift detection
  • WordPress hardening checklist with one-click safe fixes
  • Per-user TOTP two-factor authentication (Google Authenticator, Authy, 1Password)
  • Tamper-evident audit log — events are linked together so any deletion is detectable, with a free, user-configurable retention period
  • Operator gate — a PIN above WordPress admin so a compromised super-admin cannot silently disable the plugin

Built by Ghostables Ltd. Opinionated about defaults. Honest about what each setting actually does.

Is anything locked or limited?

No. Defender Lite is free and complete — no nag screens, no crippled features, no trial period, no usage quota. The audit-log retention period is a setting you control (default 90 days; set it to keep everything forever). Every feature listed above is the real thing.

Is there a more advanced version?

Yes — Ghostables Defender is a separate, more advanced plugin distributed from ghostables.io. It is not part of this plugin and is not required to use Defender Lite. It adds capabilities such as a behavioural firewall, malware quarantine, Cloudflare edge sync, webhook alerts, encrypted backups, and more. The “More Security” page inside Defender Lite lists what it adds, purely for information.

Coexistence with the separate plugin

If you install the separate Ghostables Defender plugin, Defender Lite steps aside automatically so the two don’t run side by side. Your settings (Operator PIN, hardening fixes, baseline, audit chain) are preserved across the handover. Defender Lite remains free and fully functional whether or not you ever install it.

External services

This plugin connects to one external service: the public WordPress Vulnerability Database operated by the WPVulnerability project at https://www.wpvulnerability.net/.

  • What is sent: an HTTP GET request to https://www.wpvulnerability.net/plugin/{slug}/, https://www.wpvulnerability.net/theme/{slug}/, or https://www.wpvulnerability.net/core/{wp-version}/ — one URL per installed component being checked. The request body is empty. The only request headers are Accept: application/json and a User-Agent of the form GhostablesDefenderLite/<plugin version>. No site URL, no admin email, no IP-derived identifier — only the slug of the component being queried and the User-Agent itself.
  • What is received: a JSON record listing publicly disclosed vulnerabilities affecting that single component, with affected version ranges and severity scores. The plugin compares this against the locally-installed version and stores any open findings in the plugin’s own database table.
  • When it is sent: at most once per installed component per 24 hours. Each per-slug response is cached locally in a WordPress transient, so the twice-daily scan cron only triggers fresh HTTP requests when the cache has expired.
  • Service provider: The WPVulnerability Project (operated by ROBOTSTXT and contributors). Service licence (EUPL v1.2, GPL-compatible): https://www.wpvulnerability.com/license/. Privacy policy: https://www.wpvulnerability.com/privacy/.

No other outbound network traffic originates from this plugin. The two-factor QR code is rendered locally in the operator’s browser using a vendored MIT-licensed JavaScript library — the TOTP secret is never transmitted to any third party.
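A site operator can check these disclosures against their own egress or proxy logs. The script below is an added example, not code from the plugin or its vendor: it audits captured outbound requests against the documented URL patterns, headers, empty body and 24-hour interval. The record format, the sample slug, the extra header name, the telemetry host and the set of transport-level headers that are ignored are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Request shape as documented in the "External services" section.
URL_RE = re.compile(r"^https://www\.wpvulnerability\.net/(plugin|theme|core)/([^/?#]+)/$")
UA_RE = re.compile(r"^GhostablesDefenderLite/\S+$")
# Assumption: headers added by the HTTP stack itself, not chosen by the plugin.
TRANSPORT = {"host", "connection", "accept-encoding"}

def audit_egress(records):
    """Return (url, reason) for each captured request that deviates from the
    documented behaviour. The record format is hypothetical."""
    findings, last_seen = [], {}
    for r in sorted(records, key=lambda rec: rec["time"]):
        url = r["url"]
        headers = {k.lower(): v for k, v in r["headers"].items()}
        m = URL_RE.match(url)
        if not m:
            findings.append((url, "undocumented destination"))
            continue
        if r["method"] != "GET" or r["body"]:
            findings.append((url, "not an empty-body GET"))
        extra = set(headers) - {"accept", "user-agent"} - TRANSPORT
        if extra:
            findings.append((url, "extra headers: " + ", ".join(sorted(extra))))
        if headers.get("accept") != "application/json":
            findings.append((url, "unexpected Accept"))
        if not UA_RE.match(headers.get("user-agent", "")):
            findings.append((url, "unexpected User-Agent"))
        prev = last_seen.get(m.groups())  # key: (component type, slug or version)
        if prev is not None and r["time"] - prev < timedelta(hours=24):
            findings.append((url, "repeated within 24 hours"))
        last_seen[m.groups()] = r["time"]
    return findings

# Constructed sample records (not real traffic); slug, extra header and
# telemetry host are invented for illustration.
T0 = datetime(2026, 6, 23, 3, 0)
OK = {"Accept": "application/json", "User-Agent": "GhostablesDefenderLite/0.1.6"}
BASE = "https://www.wpvulnerability.net"
SAMPLE = [
    {"time": T0, "method": "GET", "url": BASE + "/plugin/example-plugin/", "headers": OK, "body": b""},
    {"time": T0 + timedelta(hours=12), "method": "GET", "url": BASE + "/plugin/example-plugin/", "headers": OK, "body": b""},
    {"time": T0, "method": "GET", "url": BASE + "/core/7.0/", "headers": {**OK, "X-Site-Url": "https://example.test"}, "body": b""},
    {"time": T0, "method": "POST", "url": "https://telemetry.example.test/collect", "headers": OK, "body": b"{}"},
]

if __name__ == "__main__":
    for url, reason in audit_egress(SAMPLE):
        print(f"{reason}: {url}")
```

An empty result over a capture window of several days is consistent with the disclosure; any finding is worth tracing back to the component that issued the request.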

Free with paid plans
Tested up to: WordPress 7.0