CodeWP Shield Monitor

By CodeWP
Privacy-first WordPress security hardening, login protection, and local audit logging.
Version: 1.3.2
Last updated: Jun 28, 2026
CodeWP Shield Monitor adds a careful baseline of WordPress security controls without sending site data to third parties by default.

  • Rate limits repeated failed logins by hashed IP address.
  • Restricts public user enumeration.
  • Adds conservative browser security headers.
  • Optionally disables XML-RPC.
  • Disables dashboard file editing.
  • Records a local security audit log with configurable retention.
  • Displays basic WordPress security and update status in wp-admin.
  • Provides token-authenticated REST endpoints for the CodeWP Shield Monitor App.
  • Pairs the App using a local QR code and a short-lived, one-time exchange code.
  • Monitors important WordPress files every five minutes using SHA-256 hashes.
  • Records recent public content create/update activity and new administrator access.
  • Records WordPress core, plugin, and theme update events.
  • Runs lightweight suspicious-code and database scans with severity-based findings.
  • Adds threat intelligence checks for admin anomalies, executable uploads, suspicious options, cron hooks, MU plugins, fake CAPTCHA content, external scripts, cloaking signals, and hardening gaps.
  • Provides an incident-response summary with prioritized findings and next review steps.
  • Pushes Contact Form 7 submissions, WooCommerce orders, and selected custom post type creations to the authenticated events API.
  • Skips previously clean malware-scan files while their SHA-256 hash is unchanged.
  • Flags external JavaScript and URLs outside the current site domain in source or database content.
  • Hides the default login/admin paths behind a custom login slug when enabled.
  • Creates scoped, one-time quick-login URLs for paired App/Web clients when enabled.
  • Shows failed-login IPs with manual block and unlock controls.
  • Records plugin and theme lifecycle events, including activation, deactivation, installs, and updates.
  • Lets administrators run manual scans or schedule scans daily, weekly, or monthly.
  • Emails alerts for administrator logins, blocked login attacks, and file changes.
  • Retains local security audit logs for 30 days.

CodeWP Shield Monitor hashes IP addresses in its 30-day audit log. For failed-login lockout management, it may also store recent source IP addresses, attempt counts, lockout status, and last failed-login time so administrators can block or unlock those IPs. File contents and post body content are never stored.

External services

CodeWP Shield Monitor can connect to the official WordPress.org checksum API when the administrator enables core checksum verification. The service is used to compare local WordPress core file hashes with official release hashes. It sends the installed WordPress version and site locale at most once every 12 hours; it does not send stored credentials, file contents, full database values, post body content, audit-log IP hashes, API tokens, or CAPTCHA tokens. WordPress.org provides this service under the WordPress.org Terms of Service and Privacy Policy.

Terms: https://wordpress.org/about/terms-of-service/ Privacy: https://wordpress.org/about/privacy/

CodeWP Shield Monitor can connect to Cloudflare Turnstile only when an administrator enables login CAPTCHA, selects Cloudflare Turnstile, and saves a Turnstile site key and secret key. The login page loads Cloudflare’s Turnstile JavaScript from challenges.cloudflare.com to display the challenge. During login, the plugin sends the Turnstile response token, configured secret key, and visitor IP address to Cloudflare’s siteverify endpoint to validate the challenge. This is required for the optional Turnstile CAPTCHA feature.

Terms: https://www.cloudflare.com/website-terms/ Privacy: https://www.cloudflare.com/privacypolicy/

CodeWP Shield Monitor can connect to Google reCAPTCHA only when an administrator enables login CAPTCHA, selects Google reCAPTCHA, and saves a reCAPTCHA site key and secret key. The login page loads Google’s reCAPTCHA JavaScript from google.com to display the challenge. During login, the plugin sends the reCAPTCHA response token, configured secret key, and visitor IP address to Google’s siteverify endpoint to validate the challenge. This is required for the optional Google reCAPTCHA feature.

Terms: https://policies.google.com/terms Privacy: https://policies.google.com/privacy

Free on paid plans
Tested up to: WordPress 7.0
This plugin is available for download for your site.