Description
DominoGuard Security is an all-in-one, modern security solution for WordPress. Built with a beautiful, decoupled React.js dashboard, it provides enterprise-grade security features without bloating your website or slowing down your database. Unlike other security plugins that overwhelm you with confusing settings and bloated logs, DominoGuard is laser-focused on actionable insights and top-tier protection.
Detailed Feature Breakdown
1. Web Application Firewall (WAF)
Block malicious traffic before it even reaches your WordPress database.
* Basic Firewall Exploit Protection: Silently detects and blocks bad actors attempting to use ../ directory traversal sequences to read sensitive server files, and blocks SQL Injection (SQLi) and XSS patterns in query strings.
* Smart Rate Limiting: Automatically blocks IP addresses that make an excessive number of requests (e.g., more than 60 requests in 1 minute). Both the request limit and time frame are fully customizable.
* 404 Lockout (Bot Scanner Detection): Immediately blocks aggressive bots and vulnerability scanners that generate too many 404 Not Found errors within a short period.
* Geo-IP Blocking: Stop traffic from entire high-risk countries. Simply enter a comma-separated list of 2-letter country codes (e.g., RU, CN) and all traffic from those regions will be dropped.
* IP Blocklist: Permanently ban specific, known malicious IP addresses from ever viewing or interacting with your website.
2. Advanced Authentication (2FA & Passwordless)
Secure your front door with modern, impenetrable authentication standards.
* True Two-Step Authentication (TOTP) [PRO]: Users can scan a QR code in their WordPress profile using Google Authenticator, Authy, or any TOTP app. DominoGuard uses a secure, modern Two-Step interstitial redirection flow that prevents bypasses and hides the 2FA fields from the main login screen.
* Email 2FA: Send a secure, time-sensitive 6-digit code to the user’s email address upon login.
* Limit Login Attempts (Brute Force Protection): Automatically block IP addresses for a specified duration after they fail to log in 5 times in a row. Modifying these limits is a [PRO] feature.
* Force Password Resets: In the event of a breach or security audit, administrators can instantly force every single user on the website to reset their password upon their next login.
* Enforce Strong Passwords: Force all users to create passwords that are at least 12 characters long and contain both letters and numbers.
3. Temporary Logins & Magic Links
* Magic Link Login (Passwordless Entry): Stop relying on easily guessable passwords! When enabled, administrators simply type in their username to receive a cryptographically secure, temporary Magic Link via email. Clicking the link logs them securely into the dashboard without ever needing a password. (Setting durations longer than 7 days is [PRO])
* Temporary User Maker: Need to give a developer or support agent temporary access to your site? Generate a temporary account that will automatically delete itself after a specified duration. (Generating more than 2 temporary users is [PRO])
4. Malware & Integrity Scanners
Ensure your WordPress installation hasn’t been compromised.
* Core File Verification: Scans your WordPress core files against the official WordPress.org checksums. It immediately alerts you if a hacker has modified a core file to hide a backdoor.
* Malware Signature Scanner: Performs a deep scan of your wp-content directory, hunting for known PHP backdoors, obfuscated code, eval() injections, and base64 payloads.
* File Integrity Monitoring (FIM): Creates a cryptographic baseline of your critical files (wp-config.php, .htaccess, plugins, and themes). If a file is modified, deleted, or added without your permission, FIM will detect it and alert you.
5. Access Control
Control exactly who has access to your site and for how long.
* Role-Based Access Control (RBAC) [PRO]: Strictly define what each WordPress user role (Editor, Author, Contributor) is allowed to do. You can toggle capabilities like edit_posts, delete_posts, and upload_files with granular precision.
6. Advanced Activity Log (Audit Trail)
Keep a watchful eye over your entire WordPress ecosystem. The Activity Log acts as a digital security camera, recording who did what, and when they did it.
* Deep Event Tracking: We don’t just log logins. DominoGuard tracks when posts are deleted, when post statuses change, when settings are altered, when themes are switched, and when plugins are activated or deactivated.
* Automated Log Retention: Keep your database lean. Set a rule to automatically purge logs older than 30, 60, or 90 days.
* CSV Export [PRO]: Export your entire activity log to a CSV file for compliance or external auditing.
* Instant Email Alerts: Toggle on Email Alerts to get instantly notified whenever a highly critical event occurs.
7. Active Sessions Manager
Have complete control over who is logged into your website at this exact moment.
* Real-time Session Tracking: View a comprehensive list of every active login session on your site, complete with the user’s IP Address, Login Date, and the exact Expiration Date of their session cookie.
* Remote Session Termination [PRO]: Click the red “Terminate” button to instantly destroy any session and kick the user out of the dashboard.
8. WordPress Hardening & Stealth
Remove the low-hanging fruit that automated bots look for.
* Custom Secret Login Slug: Change your login URL to a secret word of your choosing. Anyone who attempts to visit wp-login.php will be intercepted and redirected to a 404 page.
* HTTP Security Headers: Automatically applies essential headers (X-Frame-Options, X-Content-Type-Options, HSTS, X-XSS-Protection) to prevent clickjacking and data interception.
* Disable Application Passwords: Completely removes the REST API Application Passwords feature, closing a potential backdoor for unauthorized remote access.
* Disable File Editor: Prevents hackers from editing plugin and theme files directly from the WordPress dashboard if they manage to steal an admin account.
* Block PHP in Uploads: Places a secure .htaccess file in your wp-content/uploads/ directory to prevent attackers from executing uploaded PHP backdoors.
* Disable XML-RPC: XML-RPC is a massive vector for brute force and DDoS pingback attacks. DominoGuard lets you disable it completely.
* Disable REST API Users Endpoint: Prevents unauthorized bots from scraping your /wp-json/wp/v2/users endpoint to steal user data.
* Block User Enumeration: Blocks /?author=1 scans to keep your usernames private.
* Hide WordPress Version: Removes the WP version generator meta tag to prevent attackers from targeting known vulnerabilities.
* Disable Trackbacks/Pingbacks: Stops DDoS and spam attacks originating from legacy pingback methods.
Why Choose DominoGuard?
Many security plugins suffer from excessive bloat, storing gigabytes of useless log data and injecting heavy CSS/JS files onto the frontend of your website. DominoGuard takes a modern approach:
1. Frontend Performance: We load absolutely ZERO assets on the frontend of your website. Your page speed remains untouched.
2. Backend Performance: We use a decoupled React interface for a blazing-fast dashboard experience that doesn’t rely on clunky page reloads.
Installation
- Upload the dominoguard-security directory to your /wp-content/plugins/ directory, or install it directly via the WordPress Plugins menu.
- Activate the plugin through the ‘Plugins’ menu in WordPress.
- A new “DominoGuard” menu will appear in your sidebar.
- Navigate to the dashboard to configure your Custom Login URL, enable the Activity Log, run a Malware Scan, and set up your Firewall.
FAQ
- How does the Custom Login URL work?
  When you set a Custom Login Slug (e.g., secret-login), anyone visiting the standard wp-login.php page will be automatically redirected. You will only be able to log in by visiting yoursite.com/secret-login.
- Does the Activity Log slow down my database?
  No. Our Activity Log is designed to ignore “noisy” background options that flood typical security plugins. You can also set an Automated Retention Rule to automatically purge old logs so your database never grows out of control.
- How do I terminate a user’s session?
  Navigate to the “Active Sessions” tab. You will see a list of every user currently logged in. Simply click the red “Terminate” button next to their name, and they will be instantly logged out.
- What is the difference between Core File Verification and the Malware Scanner?
  The Core File Verification strictly checks the integrity of official WordPress files (wp-includes and wp-admin) by comparing their cryptographic hashes against the official WordPress.org servers. The Malware Signature Scanner does a deep scan of your custom files (wp-content, plugins, and themes) looking for known backdoor codes, obfuscated strings, and malicious payloads.
Contributors & Developers
“DominoGuard Security – Firewall, Malware Scanner, 2FA, Magic Links, Hide Login & Activity Log” is open source software. The following people have contributed to this plugin.
Changelog
2.0.0
- Major Overhaul: Introduced ultra-fast React.js Dashboard UI.
- Added Web Application Firewall (WAF) with Smart Rate Limiting, Geo-IP Blocking, 404 Lockout, and Exploit Protection.
- Added Comprehensive Authentication Suite: TOTP 2FA, Email 2FA, Magic Links, Force Password Resets, and Strong Password Enforcement.
- Added Core File Verification, Malware Signature Scanner, and File Integrity Monitoring (FIM).
- Added Temporary User Maker and Role-Based Access Control (RBAC).
- Added Extensive Hardening Features: HTTP Security Headers, Disable App Passwords, Block PHP in Uploads, and more.
- Added Advanced Activity Log with deep Event Tracking, CSV Export, Search, and Auto-Purge Rules.
- Added Active Sessions Manager with one-click Remote Session Termination.
- Added Hide Login Page (Custom Login URL & Redirection) feature.
1.0.0
- Initial Release.
