plugin-icon

Peace Protocol

By Billy Wilcosky·
A secure, decentralized protocol for WordPress administrators to connect their sites and build a network of trust through cryptographic handshakes.
cryptographic
decentralized
federation
Rating
Add a review
Version
1.2.7
Last updated
Aug 27, 2025
Peace Protocol

Peace Protocol enables WordPress site administrators to authenticate as their website and send cryptographically signed “peace” messages to other WordPress sites running the same protocol. This creates a decentralized network where admins can establish trust relationships, share peace, and enable cross-site interactions.

🔒 **Security-First Design**

Admin-Only Authentication

  • WordPress Administrators Only: This plugin is designed exclusively for WordPress site administrators
  • Site-Level Authentication: Admins authenticate as their website, not as individual users
  • No Public Registration: No public user registration system – only federated users created after secure handshakes
  • Cryptographic Tokens: Each site uses cryptographically secure tokens for authentication

Federated User System

  • Limited Permissions: Federated users can only comment on posts, no admin access
  • Automatic Cleanup: Federated users are removed when the plugin is uninstalled
  • Role-Based Security: Federated users have the federated_peer role with minimal capabilities
  • No Dashboard Access: Federated users cannot access WordPress admin areas

Token Security

  • Cryptographically Secure: Tokens are generated using WordPress’s secure password generator
  • Token Rotation: Support for multiple tokens with automatic rotation
  • Secure Storage: Tokens are stored securely in WordPress options
  • Expiring Authorization Codes: Authorization codes expire after 5 minutes

🌟 **Key Features**

Core Functionality

  • Send Peace: Send cryptographically signed peace messages to other WordPress sites
  • Peace Log Wall: Display received peace messages using the [peaceprotocol_log_wall] shortcode
  • Automatic Feed Subscription: Automatically subscribe to peace feeds from sites you connect with
  • Token Management: Generate, rotate, and manage authentication tokens
  • User Banning System: Ban problematic users with reason tracking
  • IndieAuth Support: Alternative authentication using the IndieAuth standard with PKCE

Federated Login System

  • Cross-Site Authentication: Users from remote sites can comment as their site identity
  • Seamless Integration: Works with existing WordPress comment systems
  • Secure Handshake: Only sites completing the cryptographic handshake can create federated logins
  • Automatic User Creation: Creates federated users automatically after successful handshake
  • Dual Authentication: Support for both Peace Protocol tokens and IndieAuth standard

Admin Interface

  • Token Management: Generate, view, and delete authentication tokens
  • Feed Management: View and manage subscribed peace feeds
  • Peace Log: View all received peace messages in the admin area
  • User Banning: Ban users with reason tracking and management
  • Settings Configuration: Configure button position and auto-insertion

Frontend Features

  • Peace Button: Floating peace hand button (✌️) that can be positioned anywhere
  • Auto-Insertion: Automatically insert the peace button on your site
  • Shortcode Support: Use [peaceprotocol_hand_button] to manually place the button
  • Responsive Design: Works on all devices and screen sizes
  • Dark Mode Support: Automatically adapts to user’s color scheme preference
  • Choice Modal: User-friendly modal to choose between Peace Protocol and IndieAuth authentication

Technical Features

  • REST API: Modern REST API endpoints for all functionality
  • AJAX Fallback: AJAX endpoints for sites with REST API disabled
  • CORS Support: Proper CORS headers for cross-site communication
  • Translation Ready: Full internationalization support with multiple languages
  • Custom Post Types: Uses custom post types for peace logs
  • IndieAuth Endpoints: Full IndieAuth specification compliance with authorization and token endpoints
  • PKCE Support: Proof Key for Code Exchange for enhanced security

🚀 **How It Works**

For WordPress Administrators

  1. Install & Activate: Install the plugin and activate it on your WordPress site
  2. Generate Tokens: Go to Settings > Peace Protocol and generate authentication tokens
  3. Send Peace: Use the peace button to send cryptographically signed peace to other sites
  4. Build Network: Connect with other WordPress sites and build a network of trust

Federated Login Process

Peace Protocol Authentication

  1. User from Site A visits Site B and wants to comment
  2. User clicks “Peace” button on Site B
  3. User chooses “Login with Peace Protocol” from the choice modal
  4. Site B redirects to Site A for authentication
  5. Site A validates the user and generates an authorization code
  6. User is redirected back to Site B with the authorization code
  7. Site B automatically logs in the user as a federated user from Site A
  8. User can comment on Site B as “siteacom”

IndieAuth Authentication

  1. User from Site A visits Site B and wants to comment
  2. User clicks “Peace” button on Site B
  3. User chooses “Login with IndieAuth” from the choice modal
  4. Site B discovers IndieAuth endpoints on Site A
  5. Site B redirects to Site A’s IndieAuth authorization endpoint
  6. Site A validates the user and generates an authorization code
  7. User is redirected back to Site B with the authorization code
  8. Site B exchanges the code for an access token using PKCE
  9. Site B automatically logs in the user as a federated user from Site A
  10. User can comment on Site B as “Logged in as siteacom”

Security Flow

  1. Cryptographic Handshake: Sites exchange cryptographically signed tokens
  2. Token Validation: Each peace message is validated using secure tokens
  3. Federated User Creation: Only after successful handshake are federated users created
  4. Limited Permissions: Federated users have minimal permissions and no admin access
  5. Automatic Cleanup: All federated data is removed on plugin uninstall

🛡️ **Security Considerations**

What This Plugin Does NOT Do

  • No Public User Registration: Only WordPress administrators can use this plugin (federated users are created automatically after secure handshakes)
  • No Admin Access for Federated Users: Federated users cannot access WordPress admin
  • No Database Access: Federated users cannot access sensitive site data
  • No File System Access: Federated users cannot upload or modify files
  • No Plugin/Theme Management: Federated users cannot install or modify plugins/themes

What This Plugin DOES Do

  • Site-to-Site Authentication: WordPress admins authenticate as their website
  • Cryptographic Verification: All peace messages are cryptographically signed
  • Limited Federated Access: Federated users can only comment on posts
  • Automatic Cleanup: All federated data is removed on uninstall
  • Secure Token Management: Tokens are cryptographically secure and can be rotated

🌍 **Internationalization**

Peace Protocol is fully translation-ready and includes translations for: – English (default) – Spanish (es_ES) – French (fr_FR) – Japanese (ja) – Chinese Simplified (zh_CN)

Freeon Business plan
Get started
By installing, you agree to WordPress.com Terms of Service and Third-Party plugin Terms.
Tested up to
WordPress 6.8.3
This plugin is available for download for your site.
Download