Modular toolkit for WordPress
Security
Harden logins, lock down endpoints, and stop bots before they reach your site.
Custom Login Logo Link
Choose where the login logo click goes—usually back to your own site.
Activity Log
Keep a clear record of important dashboard activity—who logged in, what changed, and when—so you can investigate issues or stay audit-ready without digging through server logs.
Disable File Editing
Remove the dashboard screens that let anyone edit theme or plugin code from the browser—one less disaster if an account is compromised.
Disable REST AP
Block anonymous access to WordPress core REST endpoints (users, settings, themes, and similar) while leaving logged-in staff and third-party plugin REST routes untouched.
Disable Application Passwords
Disables WordPress application passwords site-wide: blocks REST/XML-RPC login with app tokens and hides the profile UI. Normal account passwords and logged-in REST access are unaffected. Existing tokens remain stored but cannot authenticate until this module is off. May break mobile apps, headless sites, and automation that rely on application passwords.
Disable XML-RPC
Closes the old XML-RPC channel many password-guessing tools still target. Fine for most sites; skip if you rely on legacy apps or remote publishing that need it.
Security Headers
Tell modern browsers to enforce sensible safety rules—like blocking sneaky scripts and iframe tricks—with strong defaults you can tighten further for HSTS or content policies.
Limit Login Attempts
Slow down password-guessing bots by locking out repeated failed logins for increasing cool-off periods—simple protection for your sign-in form.
Disable Password Reset
Turn off public “forgot password” self-service for everyone. Use only when you reset passwords another way (manual admin password, WP-CLI, or admin-sent reset links when enabled in settings). Existing email reset links stop working while this module is on.
Two-Factor Authentication (2FA)
Two-factor login for selected roles—extra proof beyond the password.
Disable Trackbacks/Pingbacks
Stops old-style trackbacks and pingbacks that often bring spam or junk alerts.
Password Protection
Put your whole site behind one shared password—ideal for staging, client previews, or a soft launch before you go public.
Block Usernames
Blocks risky default usernames during registration so bots have fewer easy targets.
Force SSL Admin
Always open your dashboard and login screen over a secure https:// link. Anyone using the old http:// address is sent to the encrypted URL automatically.
Hide WP Version
Removes WordPress version from public HTML generator tags, feed generator output, and the admin footer. Does not change ver= on script and style URLs.
Cloudflare Turnstile
Bot protection with Cloudflare Turnstile on logins, forms, comments, and WooCommerce—low hassle for real people.
Google reCAPTCHA
Google reCAPTCHA on logins, forms, comments, and WooCommerce to block bots and spam signups.
Simple CAPTCHA
Ask a quick math question, custom prompt, or image check before someone can submit a form or log in. Everything runs on your server—no third-party CAPTCHA account required.
IP Allow & Block List Pro
Allow or block visitors by IP address—ideal for office-only dashboards or shutting out known troublemakers. Rules apply site-wide, including wp-admin and login.

