150+ modules in one suite — toggle only what you need. Zero runtime cost for features you leave off.
See Plans
Modular toolkit for WordPress

Security

Harden logins, lock down endpoints, and stop bots before they reach your site.

Custom Login Logo Link

Choose where the login logo click goes—usually back to your own site.

Activity Log

Keep a clear record of important dashboard activity—who logged in, what changed, and when—so you can investigate issues or stay audit-ready without digging through server logs.

Disable File Editing

Remove the dashboard screens that let anyone edit theme or plugin code from the browser—one less disaster if an account is compromised.

Disable REST AP

Block anonymous access to WordPress core REST endpoints (users, settings, themes, and similar) while leaving logged-in staff and third-party plugin REST routes untouched.

Disable Application Passwords

Disables WordPress application passwords site-wide: blocks REST/XML-RPC login with app tokens and hides the profile UI. Normal account passwords and logged-in REST access are unaffected. Existing tokens remain stored but cannot authenticate until this module is off. May break mobile apps, headless sites, and automation that rely on application passwords.

Disable XML-RPC

Closes the old XML-RPC channel many password-guessing tools still target. Fine for most sites; skip if you rely on legacy apps or remote publishing that need it.

Security Headers

Tell modern browsers to enforce sensible safety rules—like blocking sneaky scripts and iframe tricks—with strong defaults you can tighten further for HSTS or content policies.

Limit Login Attempts

Slow down password-guessing bots by locking out repeated failed logins for increasing cool-off periods—simple protection for your sign-in form.

Disable Password Reset

Turn off public “forgot password” self-service for everyone. Use only when you reset passwords another way (manual admin password, WP-CLI, or admin-sent reset links when enabled in settings). Existing email reset links stop working while this module is on.

Two-Factor Authentication (2FA)

Two-factor login for selected roles—extra proof beyond the password.

Disable Trackbacks/Pingbacks

Stops old-style trackbacks and pingbacks that often bring spam or junk alerts.

Password Protection

Put your whole site behind one shared password—ideal for staging, client previews, or a soft launch before you go public.

Block Usernames

Blocks risky default usernames during registration so bots have fewer easy targets.

Force SSL Admin

Always open your dashboard and login screen over a secure https:// link. Anyone using the old http:// address is sent to the encrypted URL automatically.

Hide WP Version

Removes WordPress version from public HTML generator tags, feed generator output, and the admin footer. Does not change ver= on script and style URLs.

Cloudflare Turnstile

Bot protection with Cloudflare Turnstile on logins, forms, comments, and WooCommerce—low hassle for real people.

Google reCAPTCHA

Google reCAPTCHA on logins, forms, comments, and WooCommerce to block bots and spam signups.

Simple CAPTCHA

Ask a quick math question, custom prompt, or image check before someone can submit a form or log in. Everything runs on your server—no third-party CAPTCHA account required.

IP Allow & Block List Pro

Allow or block visitors by IP address—ideal for office-only dashboards or shutting out known troublemakers. Rules apply site-wide, including wp-admin and login.