Title: Guard Dog Author: Adam Greenwell Published: Gwengolo 25, 2025 Last modified: Ebrel 15, 2026 --- Search plugins ![](https://ps.w.org/guard-dog/assets/icon.svg?rev=3367882) # Guard Dog By [Adam Greenwell](https://profiles.wordpress.org/adamgreenwell/) [Download](https://downloads.wordpress.org/plugin/guard-dog.1.9.39.zip) * [Details](https://bre.wordpress.org/plugins/guard-dog/#description) * [Reviews](https://bre.wordpress.org/plugins/guard-dog/#reviews) * [Installation](https://bre.wordpress.org/plugins/guard-dog/#installation) * [Development](https://bre.wordpress.org/plugins/guard-dog/#developers) [Support](https://wordpress.org/support/plugin/guard-dog/) ## Description Guard Dog is a comprehensive security plugin designed to protect your WordPress site from unauthorized access and brute-force attacks. With features like custom login URLs, two-factor authentication, and multiple CAPTCHA providers, Guard Dog provides enterprise-level security for any WordPress site. **Key Features:** * **Custom Login URLs** – Hide your wp-admin and wp-login.php from attackers * **Two-Factor Authentication (2FA)** – TOTP-based authentication with recovery codes * **Social Login (OAuth)** – Sign in with Google, Microsoft, or Apple * **Passkeys** – Use device-based biometric authentication like Face ID, Touch ID or Windows Hello * **Multiple CAPTCHA Providers** – Support for Google reCAPTCHA v2/v3, hCaptcha, and Cloudflare Turnstile * **Login Attempt Limiting** – Prevent brute-force attacks with intelligent lockout * **Access Control** – IP-based whitelist/blacklist protection * **Activity Monitoring** – Comprehensive logging of security events * **Temporary User Access** – Create temporary WordPress users with time-limited, secure access * **User Management** – Advanced user permission controls **Why Choose Guard Dog?** * **Privacy-Focused** – Multiple CAPTCHA options including privacy-first providers * **WordPress.org Compliant** – Built following WordPress coding standards * **Enterprise-Ready** – Scalable features suitable for any site size * **User-Friendly** – Intuitive interface with helpful documentation * **Regular Updates** – Actively maintained and updated **Perfect For:** * Business websites requiring enhanced security * WordPress sites handling sensitive data * Multi-user sites with complex access requirements * Anyone wanting comprehensive protection without complexity ### Additional Information **Support:** For support questions, please use the WordPress.org support forums. **Privacy:** Guard Dog respects user privacy and offers multiple privacy-focused CAPTCHA options. No data is transmitted to third parties except for CAPTCHA verification when enabled. **Security:** Guard Dog follows WordPress security best practices and undergoes regular security audits. All user input is sanitized and all output is escaped. ### Third-Party Services Guard Dog integrates with the following third-party services to provide CAPTCHA protection. These services are optional and only used when CAPTCHA features are enabled. ### Google reCAPTCHA (v2 and v3) **What it is:** Google’s CAPTCHA service that helps protect websites from spam and abuse. **What it’s used for:** – Verifying that login, registration, and password reset attempts are made by humans – Preventing automated bot attacks on your WordPress forms **What data is sent and when:** – User interaction data (mouse movements, time spent on page) when CAPTCHA is solved – IP address of the user – Site domain for verification – CAPTCHA response token **Privacy and Terms:** – [Google reCAPTCHA Privacy Policy](https://policies.google.com/privacy)– [Google reCAPTCHA Terms of Service](https://policies.google.com/terms) – [Google reCAPTCHA Data Usage](https://developers.google.com/recaptcha/docs/v3#data_usage) ### Cloudflare Turnstile **What it is:** Cloudflare’s privacy-first CAPTCHA alternative that doesn’t require user interaction. **What it’s used for:** – Invisible verification of human users during login, registration, and password reset – Privacy-focused protection without tracking or cookies **What data is sent and when:** – Non-interactive browser signals when forms are submitted – IP address for verification – Site domain for validation **Privacy and Terms:** – [Cloudflare Privacy Policy](https://www.cloudflare.com/privacypolicy/)– [Cloudflare Terms of Service](https://www.cloudflare.com/terms/) – [Turnstile Documentation](https://developers.cloudflare.com/turnstile/) ### hCaptcha **What it is:** A privacy-focused CAPTCHA service that doesn’t track users across websites. **What it’s used for:** – Human verification during login, registration, and password reset forms – Privacy-conscious alternative to Google reCAPTCHA **What data is sent and when:** – User interaction with CAPTCHA challenge – IP address for verification – Site domain for validation **Privacy and Terms:** – [hCaptcha Privacy Policy](https://www.hcaptcha.com/privacy)– [hCaptcha Terms of Service](https://www.hcaptcha.com/terms) – [hCaptcha Data Processing](https://www.hcaptcha.com/data-processing) ### Google OAuth (Social Login) **What it is:** Google’s OAuth 2.0 service that allows users to sign in using their Google account. **What it’s used for:** – Authenticating WordPress users via their Google account– Retrieving basic profile information (name, email) to link or create accounts **What data is sent and when:** – User is redirected to Google’s authorization server when clicking “Sign in with Google” – An authorization code is exchanged for an access token on your server – Basic profile information (name, email, Google user ID) is retrieved from Google’s API – No ongoing data sharing – data is only retrieved during the login process **Privacy and Terms:** – [Google OAuth Privacy Policy](https://policies.google.com/privacy)– [Google OAuth Terms of Service](https://policies.google.com/terms) – [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy) ### Microsoft Azure AD (Social Login) **What it is:** Microsoft’s OAuth 2.0 service via Azure Active Directory that allows users to sign in using their Microsoft account. **What it’s used for:** – Authenticating WordPress users via their personal Microsoft account or organizational (work/school) account – Retrieving basic profile information( name, email) to link or create accounts **What data is sent and when:** – User is redirected to Microsoft’s authorization server when clicking “Sign in with Microsoft” – An authorization code is exchanged for an access token and ID token (JWT) on your server – Basic profile information( name, email, Azure object ID) is extracted from the ID token – No ongoing data sharing– data is only retrieved during the login process **Privacy and Terms:** – [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement)– [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement)– [Microsoft Identity Platform Documentation](https://learn.microsoft.com/en-us/entra/identity-platform/) ### Apple Sign In (Social Login) **What it is:** Apple’s OAuth 2.0 / OpenID Connect service that allows users to sign in using their Apple ID. **What it’s used for:** – Authenticating WordPress users via their Apple ID – Retrieving basic profile information (name, email) to link or create accounts **What data is sent and when:** – User is redirected to Apple’s authorization server when clicking “Sign in with Apple” – An authorization code is exchanged for an access token and ID token (JWT) on your server – Basic profile information (email, user ID) is extracted from the ID token – User’s name is only provided on first authorization; subsequent logins return only the user ID – Apple may provide a private relay email address instead of the user’s real email – No ongoing data sharing – data is only retrieved during the login process **Privacy and Terms:** – [Apple Privacy Policy](https://www.apple.com/legal/privacy/)– [Sign in with Apple Guidelines](https://developer.apple.com/sign-in-with-apple/get-started/)– [Apple Developer Program License Agreement](https://developer.apple.com/terms/) ### TOTP (Time-based One-Time Password) Standard **What it is:** An open standard (RFC 6238) for generating time-based one-time passwords used in two-factor authentication. **What it’s used for:** – Generating secure, time-limited authentication codes for 2FA – Providing backup authentication when primary 2FA methods are unavailable– Enabling compatibility with popular authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, etc.) **What data is sent and when:** – **No external data transmission** – TOTP codes are generated locally using the TOTP algorithm – **Secret key generation** – A unique secret key is generated locally when 2FA is enabled for a user – **QR code generation**– QR codes are generated locally for easy setup with authenticator apps – **Code verification**– Generated codes are verified locally against the stored secret key **Privacy and Terms:** – [RFC 6238 – TOTP Standard](https://tools.ietf.org/html/rfc6238)– [Google Authenticator Privacy Policy](https://policies.google.com/privacy) (if using Google Authenticator app) – [Authy Privacy Policy](https://authy.com/privacy/) ( if using Authy app) – [Microsoft Authenticator Privacy Policy](https://privacy.microsoft.com/en-us/privacystatement)( if using Microsoft Authenticator app) ### Data Handling Summary **When CAPTCHA is disabled:** No data is sent to any third-party services. **When CAPTCHA is enabled:** Only the specific provider you choose receives verification data. Data is not shared between providers or stored by Guard Dog beyond the verification process. **When 2FA is disabled:** No external data transmission occurs. **When 2FA is enabled:** – All TOTP operations (code generation, verification) happen locally on your server – No data is transmitted to external services for 2FA functionality – Authenticator apps only receive the initial setup QR code or secret key – Recovery codes are generated locally and stored securely **When Social Login is disabled:** No data is sent to any OAuth provider. **When Social Login is enabled:** – Data is only sent to the configured providers( Google, Microsoft, Apple) during the login process – Only basic profile information( name, email, user ID) is retrieved – Social account links are stored locally in your WordPress database – Users can unlink their social accounts from their profile at any time **User control:** Users can choose which CAPTCHA provider to use, or disable CAPTCHA entirely. 2FA can be enabled/disabled per user, and users can choose their preferred authenticator app. Social login can be enabled/disabled by administrators, and users can manage their linked social accounts. All security features are optional and configurable. ## Screenshots * [[ * Change your WordPress login URL to your own string * [[ * Limit login attempts and set lockout duration * [[ * Enable email and app-based two-factor authentication methods * [[ * 2FA configuration from the user profile screen * [[ * Two-factor authentication on the login screen * [[ * Enable site-wide blocking, IP address blocking and username blocking * [[ * Create temporary user with granular access and expiration controls * [[ * Track site and system events with the Activity Log feature * [[ * Configure AWS SES, Mailgun, Resend, SendGrid, or Google as your email provider for two-factor messaging ## Blocks This plugin provides 2 blocks. * Guard Dog Account Security * Guard Dog Login Form ## Installation 1. Upload the `guard-dog` folder to the `/wp-content/plugins/` directory 2. Activate the plugin through the ‘Plugins’ menu in WordPress 3. Navigate to ‘Guard Dog’ in your admin menu to configure settings 4. Configure your desired security features step by step **Quick Setup:** 1. **Change Login URL**: Set a custom login URL immediately after activation 2. **Enable CAPTCHA**: Choose and configure your preferred CAPTCHA provider 3. **Configure 2FA**: Set up two-factor authentication for enhanced security 4. **Review Settings**: Adjust login limits and access controls as needed ## FAQ ### What if I get locked out of my site? Guard Dog includes a temporary access feature that generates secure bypass links. These can be created before lockout occurs. If you’re already locked out, you can disable the plugin via FTP by renaming the plugin folder. ### Which CAPTCHA provider should I choose? * **Google reCAPTCHA v3** – Invisible, best user experience * **Google reCAPTCHA v2** – Checkbox verification, widely supported * **hCaptcha** – Privacy-focused alternative to Google * **Cloudflare Turnstile** – Fast, privacy-first option ### Is two-factor authentication required? No, 2FA is optional but highly recommended. It can be enabled per-user and includes recovery codes for backup access. ### Will this affect my site performance? Guard Dog is optimized for performance. Features like database query optimization and intelligent caching ensure minimal impact on your site speed. ### I’m getting false “IP shift” alerts showing the same IP for every user This happens when your site is behind a reverse proxy, CDN, or load balancer (common with hosts like Kinsta, WP Engine, Cloudflare, or AWS). The proxy sits between users and WordPress, so Guard Dog sometimes detects the proxy’s IP instead of the real visitor’s IP. **To fix this:** 1. Go to Guard Dog > Sessions > Settings 2. Scroll to “Reverse Proxy / Load Balancer” 3. Set “IP Detection Method” to match your setup: 4. * **Cloudflare** – if your site uses Cloudflare (most common) * **X-Forwarded-For** – for most other proxies (Kinsta, WP Engine, Nginx, AWS ELB) * **X-Real-IP** – if your server uses Nginx as a reverse proxy * **Auto** – tries all headers automatically (default, works for most sites) * **REMOTE_ADDR only** – only use if you have NO proxy (direct connections only) 5. Add your proxy’s IP addresses to “Trusted Proxy IPs” (one per line, CIDR ranges supported) 6. Check the “Detected IP” row to verify your real IP is shown, not the proxy IP **Important:** If you are unsure, leave the default “Auto” setting. Only change this if you are experiencing false IP shift alerts or if your hosting provider has instructed you to use a specific header. Misconfiguring this can cause Guard Dog to see incorrect IP addresses, which affects IP-based blocking, login attempt tracking, and activity logs. ### How do I find my proxy’s IP address? If you’re seeing false IP shift alerts, the alert email will contain the proxy IP( the “new IP” that keeps appearing). You can also check the “Detected IP” row on the Sessions settings page – if it shows your proxy’s IP instead of your real IP, that IP should be added to the Trusted Proxy IPs list. Common proxy IP ranges: * **Cloudflare** – see [Cloudflare’s IP ranges](https://www.cloudflare.com/ips/) * **Kinsta** – typically a Google Cloud IP (e.g., 34.x.x.x or 35.x.x.x) * **AWS ELB/CloudFront** – check your AWS console for load balancer IPs * **Private networks** – 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ### Does it work with other security plugins? Guard Dog is designed to work alongside other security plugins, though we recommend testing in a staging environment first to avoid conflicts. ### What external services does Guard Dog use? * **CAPTCHA (when enabled):** Google reCAPTCHA, hCaptcha, or Cloudflare Turnstile. * **Email (when Email 2FA enabled):** Amazon SES, Mailgun, Resend, SendGrid, or Google SMTP. * **Social Login (when enabled):** Google OAuth, Microsoft Azure AD, and Apple Sign In (authorization and user profile). * **IP Reputation (when enabled):** DNS only: Spamhaus ZEN, CBL (abuseat.org), dan.me.uk (Tor). Optional geo: ip-api.com or ipinfo.io; geo can be turned off to use only DNS. * **Geolocation (country from IP):** When CDN/proxy headers do not provide country, ip-api.com or ipapi.co may be used (e.g. access control, activity log). For details, data flows, and privacy policies, see the Privacy & Data Usage documentation in the `docs` folder. ## Reviews ![](https://secure.gravatar.com/avatar/02b25c2a099ee8a89aef4292486138882cb3f85acec54cb5605ca4ac438ae8b9? s=60&d=retro&r=g) ### 󠀁[Thanks you !](https://wordpress.org/support/topic/thanks-you-29/)󠁿 [Phuong Tong](https://profiles.wordpress.org/tvphuong41/) Ebrel 7, 2026 I just discovered this plugin. It’s fantastic. ![](https://secure.gravatar.com/avatar/bcbef54560a56e4ce9e2b17ece59a000f0c277edaf3ab904a46888bd15a81761? s=60&d=retro&r=g) ### 󠀁[Great all in one protection with passkeys](https://wordpress.org/support/topic/great-all-in-one-protection-with-passkeys/)󠁿 [tcviper](https://profiles.wordpress.org/tcviper/) C’hwevrer 11, 2026 1 reply After searching for quite some time for all kinds of plugins that could help with 2FA and/or Passkeys support for wordpress without having to pay for yet another plugin I found this Guard Dog plugin and apart from some caching problems it has been working like a charm! Thank you so much! [ Read all 2 reviews ](https://wordpress.org/support/plugin/guard-dog/reviews/) ## Contributors & Developers “Guard Dog” is open source software. The following people have contributed to this plugin. Contributors * [ Adam Greenwell ](https://profiles.wordpress.org/adamgreenwell/) [Translate “Guard Dog” into your language.](https://translate.wordpress.org/projects/wp-plugins/guard-dog) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/guard-dog/), check out the [SVN repository](https://plugins.svn.wordpress.org/guard-dog/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/guard-dog/) by [RSS](https://plugins.trac.wordpress.org/log/guard-dog/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 1.9.39 * Fix author archive protection so raw `?author=N` enumeration requests stay blocked without breaking public `/author/slug/` pages #### 1.9.38 * Fix Apple social login and account linking failures after host migrations or WordPress salt changes * Add clearer provider configuration and linking failure handling for social login * Clean up orphaned social account records when linked users are deleted * Improve social login and passkey button layout on the login screen #### 1.9.37 * Fix custom login URL requests so they redirect to the canonical host/port before loading the WordPress login screen * Keep passkey login AJAX and redirects same-origin to prevent cookie failures #### 1.9.36 * Reorganize admin settings pages * Add Google OAuth to email provider for use with Workspace accounts #### 1.9.35 * Fix stale cached session metadata potentially showing incorrect sessions in session management UI * Fix proxy IP fallback and preserve authentication block reasons #### 1.9.34 * Expired sessions on frontend pages now silently degrade to logged-out state instead of redirecting to the login page #### 1.9.33 * Add reverse proxy / load balancer configuration for accurate IP detection behind CDNs and proxies * New IP detection method setting: Auto, Cloudflare, X-Forwarded-For, X-Real-IP, or REMOTE_ADDR only * New trusted proxy IPs setting with CIDR range support to prevent IP spoofing via forwarded headers * Fix false IP shift alerts on sites behind reverse proxies (Kinsta, Google Cloud, AWS ELB, etc.) * Consolidate duplicate IP detection methods across plugin to use centralized proxy- aware logic * Add diagnostic “Detected IP” display on settings page to verify proxy configuration #### 1.9.32 * Isolate all vendor dependencies with PHP-Scoper namespace prefixing to prevent conflicts with other plugins * Improved session management handling when using caching layers like Varnish or Redis #### 1.9.31 * Add Google (Gmail/Workspace) and SendGrid as email provider options * Minor login page styling update when social login buttons are present * Fix email provider detection on Login Security page #### 1.9.30 * Add social login with Google, Microsoft, and Apple OAuth support * Allow users to sign in with their Google, Microsoft, or Apple account from the WordPress login page * Apple Sign In with JWT client secret and id_token-based authentication * Link and unlink social accounts from user profile * Optional auto-linking by email and auto-creation of new users * Social login bypasses 2FA when configured (follows passkey pattern) * Activity logging for social login events #### 1.9.20 * Fix authentication failures (passkey login, 2FA) on sites using page caching ( Varnish, Cloudflare, Nginx FastCGI) * Remove dependency on PHP sessions — all auth state now uses WordPress transients with secure one-time-use tokens * Resolve WordPress Site Health critical warning about session_start() usage #### 1.9.11 * Add user enumeration protection feature with multi-vector blocking #### 1.9.1 * Add support for Passkeys * Add session and session management support with suspicious activity detection * Improve user flow when password policy is set and enforce 2FA is enabled #### 1.9.01 * Fix a bug causing the Access Denied page to lose styling when using the built- in customizer feature #### 1.9.0 * Add feature to set password strength policy and block reusing passwords * Add feature to require user email verification before login with customizable link expiration * Update email provider feature to allow using for all WordPress emails #### 1.8.48 * Improve access control to block entire countries * Add caching for access control rules #### 1.8.47 * Improve log exporting * Ensure WordPress 6.9 compatibility #### 1.8.46 * Add feature to customize access denied page with built-in customizer or template override #### 1.8.45 * Add feature to customize email template for two-factor auth code with built-in customizer or template override #### 1.8.44 * Add WooCommerce events to Activity Log * Improve site-wide blocking message customization #### 1.8.433 * Fix activity log error that could occur when updating a navigation menu #### 1.8.432 * Fix “Unknown Event” event name logging in the Activity Log section to display the proper event name #### 1.8.431 * Minor 2FA login form styling #### 1.8.43 * Resolve AWS SDK conflict with other plugins that may use AWS environment variables * Refactor 2FA login flow to improve security #### 1.8.42 * Code quality improvements to meet WordPress coding standards #### 1.8.41 * Code quality improvements to meet WordPress coding standards #### 1.8.4 * Improve Activity Log admin interface * Improve front-end styling for two-factor authentication methods when logging in #### 1.8.325 * Added additional two-factor authentication method via email * Added email provider configuration for use with two-factor via email authentication #### 1.8.312 * Under-the-hood refactoring of plugin settings templates #### 1.8.31 * Update readme.txt describing third party libraries in use and what they do #### 1.8.3 * Under-the-hood performance improvements and updates for WordPress plugin directory compliance #### 1.8.2 * Improved debug logging to prevent potential PHP errors #### 1.8.1 * Update activity log settings to add additional event types * Improve shortcode 2FA widget for use in custom themes using a custom login page #### 1.8.0 * Custom login URL feature refactored to be server agnostic * Improve custom login URL support when using CAPTCHA and 2FA #### 1.7.0 * Enhanced debug logging system with multiple log levels and export ability * Styling improvements applied to settings page #### 1.6.0 * Added Cloudflare Turnstile CAPTCHA support * Enhanced activity logging system * NEW: Complete temporary user access system – create actual WordPress users with time limits * Improved temporary access security with automatic user cleanup * Better mobile responsiveness for admin interface * Performance optimizations for large sites #### 1.5.0 * Added hCaptcha support for privacy-focused protection * Enhanced two-factor authentication with recovery codes * Improved user interface and user experience * Better internationalization support * Bug fixes and security enhancements #### 1.4.0 * Implemented comprehensive activity monitoring * Added advanced IP access control features * Enhanced temporary access system * Improved admin interface design * Performance optimizations #### 1.3.0 * Added two-factor authentication (TOTP) * Enhanced login attempt limiting * Improved admin interface * Better error handling and logging * Security improvements #### 1.2.0 * Added Google reCAPTCHA v3 support * Enhanced custom login URL features * Improved user management * Better admin interface * Performance optimizations #### 1.1.0 * Added login attempt limiting * Enhanced access control features * Improved admin interface * Bug fixes and optimizations #### 1.0.0 * Initial release * Custom login URLs * Basic access control * Google reCAPTCHA v2 support * Activity logging ## Meta * Version **1.9.39** * Last updated **3 days ago** * Active installations **10+** * WordPress version ** 5.9 or higher ** * Tested up to **6.9.4** * PHP version ** 8.1 or higher ** * Language * [English (US)](https://wordpress.org/plugins/guard-dog/) * Tags * [2FA](https://bre.wordpress.org/plugins/tags/2fa/)[authentication](https://bre.wordpress.org/plugins/tags/authentication/) [captcha](https://bre.wordpress.org/plugins/tags/captcha/)[protection](https://bre.wordpress.org/plugins/tags/protection/) [security](https://bre.wordpress.org/plugins/tags/security/) * [Advanced View](https://bre.wordpress.org/plugins/guard-dog/advanced/) ## Ratings 5 out of 5 stars. * [ 2 5-star reviews ](https://wordpress.org/support/plugin/guard-dog/reviews/?filter=5) * [ 0 4-star reviews ](https://wordpress.org/support/plugin/guard-dog/reviews/?filter=4) * [ 0 3-star reviews ](https://wordpress.org/support/plugin/guard-dog/reviews/?filter=3) * [ 0 2-star reviews ](https://wordpress.org/support/plugin/guard-dog/reviews/?filter=2) * [ 0 1-star reviews ](https://wordpress.org/support/plugin/guard-dog/reviews/?filter=1) [Your review](https://wordpress.org/support/plugin/guard-dog/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/guard-dog/reviews/) ## Contributors * [ Adam Greenwell ](https://profiles.wordpress.org/adamgreenwell/) ## Support Issues resolved in last two months: 0 out of 1 [View support forum](https://wordpress.org/support/plugin/guard-dog/)