plugin-icon

FPX Security Guard

Por mamuniu06·
Complete security suite for WordPress — login protection, firewall headers, info hiding, and hardening.
Versão
1.0.0
Última atualização
Jul 12, 2026

FPX Security Guard protects your WordPress site with:

  • Two-Factor Authentication (2FA) — Standard TOTP support (Google Authenticator, Authy, Microsoft Authenticator, 1Password). Users enable it individually from their Profile page with QR-code setup, and receive 10 one-time recovery codes. Works fully offline — no external service or email required.
  • Login Protection — Limits failed login attempts per IP with configurable lockout duration, generic error messages (no username/password hints), and a hidden honeypot field that silently blocks bots.
  • Firewall & Headers — Sends modern security headers (X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, HSTS on HTTPS) and blocks requests containing common SQL injection / XSS / path traversal patterns.
  • Hide WordPress Info — Removes the WP version from meta tags and asset URLs, blocks ?author=N user enumeration scans, and hides the public REST API users endpoint.
  • Hardening — Disables XML-RPC (a common brute-force vector) and the built-in theme/plugin file editor.

Want more? FPX Security Guard Pro adds daily File Change Detection with malware-injection alerts — a background scanning service, hosted and sold separately from this free plugin.

All features can be toggled individually from Settings FPX Security Guard. A lockout log shows the last 20 blocked login attempts.

External Services

This plugin’s optional Country Block feature (disabled by default) uses the free geo-location service ip-api.com to determine the country of a visitor’s IP address.

  • What is sent: Only the visitor’s IP address is sent to ip-api.com, and only when the Country Block feature is manually enabled by the site administrator and a visitor’s country is not already cached.
  • When: On the first request from a given IP; the result is cached locally for 24 hours, so repeat visitors trigger no external calls.
  • No other data (no personal info, no site data) is ever transmitted.

Service provider: ip-api.com — Terms: https://ip-api.com/docs/legal — Privacy: https://ip-api.com/docs/legal

If the Country Block feature is disabled (the default), the plugin makes no external requests whatsoever.

Does rate limiting slow down my site?

Rate limiting tracks each visitor’s request count using WordPress’s core Transients API. If your host has a persistent object cache (Redis/Memcached), this data is stored there with no database writes at all. Without one, it falls back to the options table like any request-level counter — the tracked data expires within seconds, so it never accumulates.

Freeem planos pagos
Ao instalar, você concorda com os Termos de Serviço do WordPress.com e com os Termos do plugin de terceiros.
Testado até
WordPress 7.0.1
Esse plugin está disponível para download para o seu .