Disgrifiad

GhostGate is a lightweight yet powerful WordPress security plugin that eliminates the login page as an attack surface. Instead of just defending, it erases the entrance entirely with dynamic login URLs and multi-layer access verification.

🔒 Hide your login URL with a custom slug and time-based code
🔑 Built-in 2FA via email verification
🚫 Auto-block brute force attacks by IP
🧱 Disable/limit unused endpoints like XML-RPC and REST API
👤 Prevent user enumeration via REST, RSS, and author queries
🔍 Visualize security status and detect conflicts
📜 Activity logs with optional file rotation

GhostGate doesn’t just defend — it disappears.
Invisible to bots. Intuitive for users.

👉 Full features / screenshots / pricing / docs:
https://arce-experience.com/product/

Privacy

GhostGate can store the following data locally on your site to provide rate-limiting and security auditing:
– IP addresses (for temporary throttling / block lists)
– Timestamps and event metadata (login attempts, REST/XML-RPC hits)
– Optional log files under wp-content/uploads/ghostgate/logs (if enabled)

No data is sent to third-party services.
Site owners are responsible for informing users/visitors where required by local laws. You can clear blocks/logs from the admin UI or by deleting the log files.

Lluniau Sgrin

Admin settings page with tabbed UI
Security status diagnostics
IP block log and unblock controls
Access code input screen for login URL (e.g., date-based code)
Security explanation tab

Gosod

Upload the plugin folder to /wp-content/plugins/ghostgate
Activate the plugin via the Plugins menu
Go to GhostGate > Settings and configure your gate logic
Optionally enable 2FA, IP blocking, REST/API controls, and more

Need help with setup?
See the installation & setup video:
https://arce-experience.com/product/

Cwestiynau Cyffredin

Is GhostGate compatible with other security plugins?: Yes. It detects common conflicts and shows visual warnings. You can use it alongside plugins like Wordfence or iThemes.
What happens if I forget my login code or get locked out?: You can always access your site via recovery mode or disable the plugin via FTP if needed.
Does it affect performance?: GhostGate is built for speed. It only runs at login and admin hooks, keeping overhead minimal.

Adolygiadau

There are no reviews for this plugin.

Contributors & Developers

“GhostGate” is open source software. The following people have contributed to this plugin.

codegee0958

Translate “GhostGate” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Cofnod Newid

1.3.2 – 2025-09-24

Fix – Resolved “Undefined variable $user_login / $errors” warnings on the login screen when using the custom login slug or pre-login code screen. The plugin now pre-initializes wp-login.php globals and sets $pagenow before loading the core login template.
Fix – Prevented potential “headers already sent” issues by ensuring no output occurs before redirects or the core login inclusion in the 2FA/login slug flow.
Improvement – Hardened login flow compatibility with core by preparing required globals when the plugin takes over the authentication path.
Improvement – Minor internal refactors around request path normalization and IP detection to reduce edge cases in server environments.
Dev – No database changes. Backward compatible with 1.3.1.

1.3.0 – 2025-09-22

Security: Strengthened “Hide wp-json structure” — allowlist now stores only actually registered routes (including regex routes) and never breaks parameterized patterns.
Fix: Route allowlist UI now correctly preserves selections for regex endpoints such as /gbrl/v1/notify/(?P<slug>[^/]+) and nested variants.
Fix: Resolved rare fatal error on “Unblock IP” admin action by hardening input handling (supports single ip and ip[], sanitizes/validates IPv4/IPv6, safe redirect).
Dev: Added ghostgate_sanitize_allowed_routes() and ghostgate_sanitize_allowed_prefixes(); introduced a temporary bypass flag so the settings UI can enumerate all routes without being filtered by itself.
Dev: Always whitelists / root in rest_endpoints filter; normalized custom prefixes (auto-leading slash, condensed duplicate slashes).
Perf: Reduced overhead when building the REST route list on the settings page.
Tweak: Copy and help text polish in settings; minor CSS/UI adjustments.
Tested: Confirmed compatibility with WordPress 6.8.

1.2.1

Tweak: Added brand header (logo + subtitle) to the code entry screen with Retina and dark mode support, plus minor a11y improvements.
Tweak: Minor CSS polish.

1.2.0

New: Added an option to block direct access to preview URLs with a 403 response (Settings GhostGate “Block preview display”).
Dev: Added removal of the new option (ghostgate_block_preview) to uninstall.php.
Tweak: Minor adjustments to settings UI descriptions.

1.1.1

Maintenance and compliance improvements (enqueue scripts/styles; minor fixes)
UI/diagnostics polish
Tested up to WordPress 6.8

1.1.0

REST/JSON structure stealth options (allowlist & prefix-based allow)
Improved status diagnostics and defaults for rate limits

1.0.0

Initial public release
Dynamic login URL gate, 2FA email code
IP restriction + logs, REST API and XML-RPC shielding
Status analyzer and conflict detector

➡ Full changelog (latest): https://arce-experience.com/changelog/#ghostgate