Guard Dog Documentation

Version 1.9.46

Welcome to the documentation for Guard Dog, a plugin-first WordPress security plugin focused on login protection, authentication, sessions, and practical access workflows.


What is Guard Dog?

Guard Dog is a focused WordPress security plugin for the login door, user sessions, account security, and practical access controls. With features ranging from custom login URLs to two-factor authentication, passkey support, session monitoring, activity logging, and user enumeration blocking, Guard Dog helps you control who can access your site and understand what happened.

Key Benefits

Multi-Layer Protection

  • Custom login URLs to hide your admin area
  • Multiple CAPTCHA providers for bot protection
  • Two-factor authentication and passkeys for enhanced security
  • Login attempt limiting to prevent brute-force attacks
  • User enumeration protection to block reconnaissance attacks

Privacy-Focused

  • Choose from privacy-first CAPTCHA providers
  • No phone-home tracking or analytics
  • Third-party services are only contacted when you enable features that need them
  • All 2FA operations happen locally on your server
  • Passkey authentication uses on-device secure enclaves
  • Full control over what events are logged

Site-Owned Controls

  • Core protections run inside your WordPress site
  • Advanced access control with IP and username filtering
  • Activity logging for security review and troubleshooting
  • Session monitoring with geographic anomaly detection
  • Temporary user access for secure collaboration

User-Friendly

  • Intuitive admin interface with organized pages
  • Helpful documentation and tooltips
  • Smart defaults that work out of the box
  • Gradual feature adoption - enable what you need

Feature Overview

Custom Login URLs

Hide your WordPress login page from attackers by using a custom URL instead of the default /wp-login.php. This simple change can eliminate the majority of automated bot attacks targeting your site.

How it works:

  • Choose a custom slug (e.g., my-secret-login)
  • Access your login page at yoursite.com/my-secret-login
  • Requests to the default wp-login.php and the wp-admin redirect return a 404 error
  • WP-CLI access automatically bypasses the custom URL requirement

Configuration: Guard Dog > Login Security > Custom Login URL


Frontend Login Form

Render a Guard Dog-managed login form on a normal WordPress page. The form can include CAPTCHA, passkey sign-in, social login buttons, remember-me controls, lost password links, and safe post-login redirects.

Shortcode: [guard_dog_login_form]

Block: Guard Dog Login Form

Configuration: Guard Dog > Authentication > Frontend Login Form


CAPTCHA Protection

Choose from four industry-leading CAPTCHA providers to verify that login attempts are made by humans, not bots:

  • Google reCAPTCHA v3 - Invisible, score-based protection
  • Google reCAPTCHA v2 - Checkbox verification
  • hCaptcha - Privacy-focused alternative
  • Cloudflare Turnstile - Fast and privacy-first

CAPTCHA can be applied to the login form, registration form, and password reset form.

Configuration: Guard Dog > CAPTCHA


Login Attempt Limiting

Automatically lock out IP addresses after a specified number of failed login attempts, preventing brute-force password attacks.

Key settings:

  • Maximum retries before lockout (default: 5)
  • Lockout duration (default: 15 minutes)
  • Extended lockout after repeated lockouts
  • Whitelist trusted IPs from lockout

Configuration: Guard Dog > Login Security > Login Attempt Limiting
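
The lockout behaviour described above, as an added example (not Guard Dog's own code): an in-memory limiter that counts failures per IP, locks out at the documented defaults, and escalates after repeated lockouts. The escalation threshold (third lockout) and the 24-hour extended duration are assumed values, and the class and parameter names are hypothetical.

```python
import time

class LoginLimiter:
    """In-memory failed-login limiter keyed by client IP (illustrative only)."""

    def __init__(self, max_retries=5, lockout_s=15 * 60,
                 extended_after=3, extended_s=24 * 3600, trusted_ips=()):
        self.max_retries = max_retries        # documented default: 5
        self.lockout_s = lockout_s            # documented default: 15 minutes
        self.extended_after = extended_after  # assumed: 3rd lockout is extended
        self.extended_s = extended_s          # assumed: 24 hours
        self.trusted_ips = set(trusted_ips)   # never locked out
        self.failures = {}      # ip -> failures since the last lockout
        self.lockouts = {}      # ip -> lockouts so far
        self.locked_until = {}  # ip -> time the current lockout ends

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now=None):
        """Count one failed login; return the lockout seconds remaining (0 = none)."""
        now = time.time() if now is None else now
        if ip in self.trusted_ips:
            return 0
        if self.is_locked(ip, now):
            return int(self.locked_until[ip] - now)  # already locked, do not recount
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.max_retries:
            return 0
        # Retry budget used up: reset the counter and start a lockout.
        self.failures[ip] = 0
        self.lockouts[ip] = self.lockouts.get(ip, 0) + 1
        extended = self.lockouts[ip] >= self.extended_after
        duration = self.extended_s if extended else self.lockout_s
        self.locked_until[ip] = now + duration
        return duration

    def record_success(self, ip):
        """A successful login clears the failure counter for that IP."""
        self.failures.pop(ip, None)
```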


User Enumeration Protection

Block attackers from discovering valid usernames on your WordPress site. User enumeration is a reconnaissance technique where attackers identify valid accounts before launching targeted attacks.

WordPress exposes usernames in many ways by default:

  • REST API (/wp-json/wp/v2/users) returns user data
  • Author archives (?author=1) reveal usernames
  • Login error messages differentiate between invalid usernames and wrong passwords
  • Password reset forms confirm email existence
  • XML-RPC methods like wp.getAuthors return user lists
  • oEmbed responses include author information

Guard Dog blocks all seven vectors:

| Vector | Protection |
| --- | --- |
| REST API Users | Returns empty array or 404 for unauthenticated requests |
| Author Archives | Redirects ?author=N requests to 404 |
| Login Errors | Generic “Invalid credentials” message for all failures |
| Password Reset | Generic “Check your email” regardless of email existence |
| XML-RPC Methods | User-related methods removed from API |
| oEmbed Data | Author information stripped from responses |
| Registration | Generic errors when username/email exists |

Additional capabilities:

  • Per-vector control - Enable only the protections you need
  • Role-based bypass - Administrators and selected roles can still access protected endpoints
  • Auto-blocking - Automatically blacklist IPs after repeated enumeration attempts
  • Alert notifications - Receive immediate or digest email alerts during attacks
  • Comprehensive logging - All attempts recorded in Activity Log

Configuration: Guard Dog > Login Security > User Enumeration Protection
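
One way to confirm on your own site that the protections in the table are in effect, as an added example (not part of Guard Dog): classify responses captured while logged out against the expected behaviour for three of the vectors. The captures below are constructed samples, and the function names and example.test host are hypothetical.

```python
import json

def rest_users_leaks(status, body):
    """Unauthenticated /wp-json/wp/v2/users should give 404 or an empty array."""
    if status == 404:
        return False
    try:
        users = json.loads(body)
    except ValueError:
        return False  # not JSON, so no user list was returned
    return isinstance(users, list) and len(users) > 0

def author_archive_leaks(status, location):
    """?author=N should end in a 404, not a redirect to /author/<name>/."""
    return status in (301, 302) and "/author/" in (location or "")

def login_errors_leak(unknown_user_msg, wrong_password_msg):
    """Both failure cases must show the same generic message."""
    return unknown_user_msg.strip() != wrong_password_msg.strip()

def leaking_vectors(capture):
    """Return the sorted names of vectors that still expose usernames."""
    checks = {
        "rest_api_users": rest_users_leaks(*capture["rest_users"]),
        "author_archives": author_archive_leaks(*capture["author"]),
        "login_errors": login_errors_leak(*capture["login_msgs"]),
    }
    return sorted(name for name, leaks in checks.items() if leaks)

# Constructed captures: a site without the protections, then with them enabled.
UNPROTECTED = {
    "rest_users": (200, '[{"id": 1, "name": "Example Admin", "slug": "example-admin"}]'),
    "author": (301, "https://example.test/author/example-admin/"),
    "login_msgs": ("The username nosuchuser is not registered on this site.",
                   "The password entered for example-admin is incorrect."),
}
PROTECTED = {
    "rest_users": (200, "[]"),
    "author": (404, None),
    "login_msgs": ("Invalid credentials", "Invalid credentials"),
}
```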


Two-Factor Authentication

Add an extra layer of security with app-based or email-based two-factor authentication. Users must enter a verification code from their authenticator app or email in addition to their password.

App-Based 2FA (TOTP):

  • Works with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and any TOTP-compatible app
  • Generates 6-digit codes that change every 30 seconds
  • All validation happens locally on your server

Email-Based 2FA:

  • Sends verification codes via the configured email provider
  • No app installation required
  • Great for less technical users

Additional features:

  • 10 single-use recovery codes for emergency access
  • Optional enforcement with configurable grace period
  • QR code setup with manual entry fallback
  • Frontend account management with [guard_dog_two_factor] or the Guard Dog Two-Factor Auth block

Configuration: Guard Dog > Login Security > Two-Factor Authentication


Social Login

Allow users to sign in with Google, Microsoft, or Apple OAuth. Social login works on the native WordPress login screen, custom login URL, and Guard Dog frontend login form.

Providers:

  • Google OAuth
  • Microsoft OAuth
  • Apple Sign In

Callback URL: https://yoursite.com/guard-dog/oauth/callback

Configuration: Guard Dog > Authentication > Social Login


Passkeys (WebAuthn)

Passkeys enable passwordless authentication using biometrics or hardware security keys. Built on the WebAuthn standard, passkeys are more secure than passwords and provide a faster login experience.

How passkeys work:

  • User registers a passkey from their WordPress profile
  • Device generates a public/private key pair
  • Public key is stored on the server; private key never leaves the device
  • At login, the user clicks “Sign in with Passkey” and verifies with biometrics or a PIN
  • The server validates the cryptographic signature

Supported authentication methods:

  • Face ID / Touch ID (macOS, iOS)
  • Windows Hello (face, fingerprint, or PIN)
  • Android biometrics (fingerprint or screen lock)
  • Hardware security keys (YubiKey, Titan, any FIDO2 device)

Key features:

  • Phishing-resistant - Passkeys are bound to your specific domain
  • Multiple passkeys per user - Register on laptop, phone, and a backup security key
  • Optional 2FA bypass - Passkeys provide equivalent security to password + 2FA
  • Synced passkeys - iCloud Keychain and Google Password Manager can sync passkeys across devices
  • Full activity logging - Registration, login, deletion, and rename events are all logged
  • Frontend-ready surfaces - Use [guard_dog_passkey_login] for custom login pages and [guard_dog_passkeys] for account pages

Browser requirements: Chrome 67+, Firefox 60+, Safari 13+, Edge 79+

Server requirements: HTTPS is required for WebAuthn to function.

Configuration: Guard Dog > Login Security > Passkeys


Frontend Account Security

Let logged-in users manage their security from a member dashboard or account page.

Shortcodes:

  • [guard_dog_account_security] for the composite widget
  • [guard_dog_two_factor] for 2FA controls
  • [guard_dog_passkeys] for passkey management
  • [guard_dog_sessions] for active-session management

Blocks:

  • Guard Dog Account Security
  • Guard Dog Two-Factor Auth
  • Guard Dog Passkeys
  • Guard Dog Sessions

Email Provider Configuration

Configure a reliable email provider for email-based 2FA, password reset notifications, and other transactional emails:

  • AWS SES - Amazon Simple Email Service
  • Mailgun - Domain-based transactional email
  • Resend - Modern email API
  • SendGrid - Twilio SendGrid
  • Google - Gmail and Google Workspace with OAuth or app password mode

An optional global override can route all WordPress wp_mail() email through the configured Guard Dog provider.

Configuration: Guard Dog > Settings > Email Provider


Email Verification

Require new users to verify their email address before logging in. This prevents fake account registrations and ensures users have access to their stated email address.

Configuration: Guard Dog > User Registration > Email Verification


Password Policy

Enforce strong password requirements with configurable rules:

  • Minimum password length
  • Character type requirements (uppercase, lowercase, numbers, symbols)
  • Common password blocking
  • Password history to prevent reuse
  • Password expiration with configurable duration

Configuration: Guard Dog > User Registration > Password Policy


Access Control

Create IP whitelists or blacklists to control who can access your site. Block specific users by username or restrict access to approved IP addresses only.

Features:

  • IP-based whitelist and blacklist
  • Username-based blocking
  • Country-based blocking
  • Site-wide access control mode
  • Customizable blocked access page via WordPress Customizer

Configuration: Guard Dog > Access Control


Temporary User Access

Create temporary WordPress users with automatic expiration dates and login limits. Perfect for contractors, clients, or support staff who need temporary access to your site.

Features:

  • Set expiration date for user access
  • Limit number of logins allowed
  • Assign any WordPress role
  • Automatic cleanup of expired accounts

Configuration: Guard Dog > Temporary Access


Login Screen Customization

Customize the native WordPress login experience, including your custom login URL, password reset screens, 2FA challenge screens, password-expired screens, branding, helper text, links, and form styling.

Configuration: Guard Dog > Appearance > WordPress Login Screen


Session Management

Track all active login sessions for every user on your site. Session Management provides complete visibility into who is logged in, from where, and on what device.

What’s tracked for each session:

  • Device and browser information
  • IP address and geographic location (country, city)
  • Last activity timestamp
  • Suspicious activity flags

Key capabilities:

  • Remote logout - Users can terminate their own sessions from any device. Administrators can terminate any user’s session.
  • Session limits - Set maximum concurrent sessions per user (default: 5). When the limit is reached, the oldest session is automatically terminated.
  • Inactivity timeout - Sessions expire after a configurable period of inactivity (default: 60 minutes).
  • IP shift detection - Flags sessions where the IP address changes mid-session, which can indicate session hijacking.
  • Geographic anomaly detection - Flags when the same user has concurrent sessions from different countries.
  • Optional user notifications - Email users when suspicious activity is detected on their account.

Where to manage sessions:

  • Users: Profile > Active Sessions (view and terminate own sessions)
  • Frontend account pages: [guard_dog_sessions] shortcode or the Guard Dog Sessions block
  • Administrators: Guard Dog > Sessions (view and manage all sessions)

Configuration: Guard Dog > Sessions > Settings
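
The session checks listed above, as an added example over constructed session records (not Guard Dog's own code or data model): expire idle sessions, flag IP shifts and concurrent sessions from different countries, and pick the oldest sessions to end when a user exceeds the limit. Field names, flag names and function names are hypothetical.

```python
from collections import defaultdict

def make_session(sid, user, login_ip, last_ip, country, created, last_seen):
    return dict(id=sid, user=user, login_ip=login_ip, last_ip=last_ip,
                country=country, created=created, last_seen=last_seen)

# Constructed sample sessions (documentation IP ranges, times in seconds).
SESSIONS = [
    make_session("s1", "alice", "203.0.113.5", "203.0.113.5", "DE", 1000, 9000),
    make_session("s2", "alice", "198.51.100.20", "198.51.100.20", "BR", 8000, 9100),
    make_session("s3", "bob", "192.0.2.10", "192.0.2.77", "US", 7000, 9050),
    make_session("s4", "bob", "192.0.2.44", "192.0.2.44", "FR", 500, 1000),  # idle
]

def active_sessions(sessions, now, inactivity_s=60 * 60):
    """Drop sessions idle longer than the timeout (documented default: 60 min)."""
    return [s for s in sessions if now - s["last_seen"] <= inactivity_s]

def flag_sessions(sessions, now, inactivity_s=60 * 60):
    """Return {session id: set of flags} for active sessions that look suspicious."""
    live = active_sessions(sessions, now, inactivity_s)
    countries = defaultdict(set)
    for s in live:
        countries[s["user"]].add(s["country"])
    flagged = {}
    for s in live:
        flags = set()
        if s["last_ip"] != s["login_ip"]:
            flags.add("ip_shift")        # IP changed mid-session
        if len(countries[s["user"]]) > 1:
            flags.add("geo_anomaly")     # concurrent sessions, different countries
        if flags:
            flagged[s["id"]] = flags
    return flagged

def sessions_to_terminate(sessions, user, max_sessions=5):
    """Oldest sessions to end so the user stays within the concurrent limit."""
    mine = sorted((s for s in sessions if s["user"] == user),
                  key=lambda s: s["created"])
    return [s["id"] for s in mine[:max(0, len(mine) - max_sessions)]]
```

Because idle sessions are dropped before the country comparison, bob's expired French session does not raise a geographic flag; only his live session is flagged, for the IP shift.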


Activity Log

Track every security event, user action, and system change on your site. The comprehensive activity log helps you monitor what’s happening and investigate security incidents.

Logged events include:

  • Login attempts (successful and failed)
  • 2FA verifications
  • Passkey registrations and logins
  • Session creation, termination, and suspicious activity
  • User enumeration attempts
  • Access control blocks
  • User profile changes
  • Password changes and resets
  • Plugin and theme changes

Configuration: Guard Dog > Activity Log


Debug System

Advanced logging and support-report tooling for troubleshooting issues with Guard Dog features. The debug system records detailed technical information that can help diagnose problems, and the support report summarizes environment and plugin configuration with sensitive values redacted where possible.

Configuration: Guard Dog > Settings > Debug


  • Just installed? Start with the Getting Started guide
  • Setting up 2FA? Read the Two-Factor Authentication section
  • Want passwordless login? See the Passkeys section
  • Need help? Check the FAQ or Troubleshooting Guide
  • Locked out? See Emergency Access in the Troubleshooting Guide

Privacy & Third-Party Services

Guard Dog respects user privacy. It does not phone home or send analytics. Data is only sent to third parties when you enable a feature that depends on a provider, such as CAPTCHA, email delivery, social login, IP reputation, or geolocation.

Two-factor authentication uses the TOTP standard and operates entirely on your server - no external services are contacted for 2FA verification.

Passkey authentication uses the WebAuthn standard and operates between the user’s device and your server. No third-party services are involved in passkey registration or authentication.

Session management and access-control geolocation can use trusted CDN/proxy country headers when available. If those are not available and geolocation is enabled, Guard Dog may query the configured IP geolocation provider.


Support

For support questions, please use the WordPress.org support forums.


Last Updated: May 2026
Plugin Version: 1.9.46
Requires WordPress: 5.9 or higher
Requires PHP: 8.1 or higher