Description
Dotsquares Custom Login URL & Security Suite helps secure your WordPress site by allowing you to change the default login URL and apply additional security layers — all from one beautifully designed dashboard.
🔑 Login Security
- Custom login slug — redirect wp-login.php to your own secret URL
- Optionally hide wp-login.php (returns 404 for guests)
- Optionally block wp-admin for non-logged-in users
- Brute force protection with configurable lockout thresholds
- Login honeypot trap (hidden field that catches bots)
- Two-Factor Authentication (TOTP — works with Google Authenticator, Authy, etc.)
- Weak username detection (blocks "admin", "root", "test", etc.)
- Force logout after inactivity (configurable timeout)
- Manual approval for new user registrations
- Prevent display name from matching username
🛡️ Firewall
- Disable XML-RPC (common attack vector)
- Block bad bots and fake user agents (40+ known bots)
- Block POST requests with empty User-Agent headers
- Rate limiting per IP address
- IP blacklist and whitelist (supports CIDR ranges)
- Geo-blocking by country code
- Restrict REST API for non-logged-in users
- Prevent user enumeration via ?author= scans
🔍 Malware & File Scanner
- Deep scan of WordPress core, plugins, themes and uploads
- 40+ malware signature patterns (PHP shells, backdoors, crypto miners, pharma hacks, SEO spam injections)
- Detects known web shells by filename (c99, r57, WSO, b374k, adminer, etc.)
- WordPress core file integrity check (compares against official api.wordpress.org checksums)
- Detects PHP files hidden inside the uploads folder
- Suspicious code pattern detection (eval, exec, base64_decode combos, etc.)
- File change detection using MD5 hash baseline
- File permission scanner (755/644 standards)
- .htaccess security rules generator
👥 User & Session Management
- View and kill active user sessions
- Session tracking with IP and user-agent logging
- Manual user approval workflow
📊 Monitoring & Logs
- Security event log (login, logout, failed attempts, plugin/theme changes)
- IP blocking log with unblock controls
- Real-time security score (A–F grade with per-check breakdown)
⚙️ Other Features
- Maintenance mode with custom message
- Database backup download
- Email alerts for security events
- Beautiful admin dashboard with quick-toggle switches
Important
Hardening actions such as DB prefix change and wp-content rename are advanced operations.
Always run these features on a staging environment and ensure you have a full backup before applying them on production.
Installation
- Upload the plugin ZIP via Plugins → Add New → Upload Plugin.
- Activate the plugin.
- Go to DS Shield in your WordPress admin menu to configure options.
- Important: Bookmark your new login URL before saving changes!
Frequently Asked Questions
- I forgot my custom login URL. How do I recover access?
  Deactivate the plugin via FTP by renaming the plugin folder, then log in normally using /wp-login.php and reactivate it.
- Is this compatible with WooCommerce?
  Yes. The custom login URL works with WooCommerce's My Account page.
- Can I use Google Authenticator for 2FA?
  Yes. Any TOTP-compatible app works: Google Authenticator, Authy, Microsoft Authenticator, Bitwarden, and others.
- Will the malware scanner slow down my site?
  No. The scanner only runs when you manually trigger it from the admin dashboard. It has no impact on front-end performance.
- How does the core integrity check work?
  The scanner fetches official MD5 checksums for your WordPress version from api.wordpress.org and compares every core file against them. Any differences are flagged.
Changelog
1.6.3
- Added deep malware scanner with 40+ signature patterns (PHP shells, backdoors, crypto miners, pharma hacks)
- Added WordPress core file integrity check via api.wordpress.org checksums
- Added detection of known web shell filenames (c99, r57, WSO, b374k, adminer, etc.)
- Added PHP-in-uploads detection (critical severity)
- Added suspicious code pattern detection (eval/exec/base64 combos)
- Added file change detection using MD5 hash baseline comparison
- Added animated scan progress UI with step-by-step status
- Added colour-coded scan results (Critical / High / Medium / Low / Info)
- Added scan options: toggle Core / Plugins / Themes / Uploads / Deep Malware independently
- Fixed: all WordPress coding standards errors and warnings (PHPCS clean)
- Fixed: namespace declaration order in all module files
- Fixed: missing translators comments on all i18n printf() calls
- Fixed: unordered placeholders in translatable strings
- Fixed: HTTP_USER_AGENT missing wp_unslash() sanitization
- Fixed: register_setting() missing sanitize_callback
- Fixed: load_plugin_textdomain() removed (deprecated since WP 4.6)
- Fixed: date() replaced with gmdate() throughout
- Fixed: parse_url() replaced with wp_parse_url()
- Fixed: rand() replaced with wp_rand()
- Improved: all $_POST/$_GET/$_SERVER superglobals now properly unslashed and sanitized
- Improved: all DB queries use $wpdb->prepare() or esc_sql() for identifiers
1.6.2
- Custom login slug now loads login form without redirecting to wp-login.php (URL stays masked)
1.6.1
- Fixed redirect loop on custom login URL
- Improved compatibility when permalinks are not flushed
1.6.0
- Added Brute Force protection
- Added Firewall module
- Added Malware scanner
- Added Hardening tools (DB prefix change, wp-content rename) with backup + rollback UI
- Added Security Dashboard
