GuardPress Pro Documentation
Complete guide to securing your WordPress site with GuardPress Pro. This comprehensive security solution includes 25+ features: firewall, malware scanning, two-factor authentication, file integrity monitoring, login notifications, emergency lockdown, and outdated software checks.
Getting Started
GuardPress Pro is a comprehensive WordPress security plugin that protects your site from hackers, malware, and security threats. It combines essential security features with advanced protection tools in one unified solution.
All Features
Brute Force Protection
Block repeated login attempts and ban malicious IPs.
Login Security
Custom login URL, CAPTCHA, and login limiting.
WordPress Hardening
Disable XML-RPC, hide version, secure permissions.
Activity Logging
Track all user actions and security events.
FirewallPRO
Block malicious requests, SQLi, XSS attacks.
IP ManagementPRO
Whitelist/blacklist IPs, block countries.
Malware ScannerPRO
Detect and remove malicious code from files.
Outdated Software Check
Find outdated plugins, themes, and security misconfigurations.
Two-Factor AuthPRO
TOTP authenticator app support for all users.
File MonitorPRO
Detect unauthorized file changes in real-time.
Emergency LockdownPRO
One-click panic switch — block all logins instantly during an active attack.
Database SecurityPRO
Change table prefix, optimize, and protect.
Spam ProtectionPRO
Block comment spam and form submissions.
Uptime Monitoring
Get notified when your site goes down.
Requirements
- WordPress 5.8 or higher
- PHP 7.4 or higher
- Valid GuardPress Pro license
Installation
Download the plugin
Log in to my.royalplugins.com and download the GuardPress Pro ZIP file.
Upload to WordPress
Go to Plugins > Add New > Upload Plugin, select the ZIP file, and click Install Now.
Activate the plugin
Click "Activate Plugin" after installation completes.
Enter your license key
Navigate to GuardPress > License and enter your license key to unlock all Pro features.
Deactivate GuardPress before installing Pro. Your settings and logs will be preserved.
License Activation
Your license key unlocks all Pro features and enables automatic updates.
Activating Your License
Find your license key
Your license key is in your member account and was emailed after purchase.
Enter the license key
Go to GuardPress > License and paste your license key.
Click Activate
The plugin will verify your license and unlock all Pro features.
You can deactivate a license from one site and activate it on another through your member account or the plugin settings.
Security Dashboard
The security dashboard gives you an at-a-glance view of your site's security status.
Dashboard Widgets
- Security Score - Overall security grade (A-F) based on enabled features
- Failed Logins - Failed login attempts in the last 7 days
- Blocked IPs - Currently blocked IP addresses
- Active Threats - Malware detected by the scanner
- Recent Alerts - Latest security events and warnings
- Quick Actions - One-click access to scans, lockdown, and settings
WordPress Dashboard Widget
See your security status at a glance right from the WordPress dashboard. The Dashboard Widget provides instant visibility into your site's security health without navigating to the full GuardPress dashboard.
Widget Features
- Security Score - Your overall security score displayed prominently with color-coded indicator (green for good, yellow for needs attention, red for critical)
- Threat Count - Number of active threats detected by the malware scanner
- Vulnerability Count - Known vulnerabilities found in your plugins, themes, or core
- Quick Access - One-click link to the full security dashboard for detailed information
Color-Coded Status
| Score Range | Color | Status |
|---|---|---|
| 70-100 | Green | Good - Your site is well protected |
| 40-69 | Yellow | Needs Attention - Review security settings |
| 0-39 | Red | Critical - Immediate action recommended |
The widget appears automatically on the WordPress Dashboard for all administrators. Check your security status every time you log in!
Brute Force Protection
Automatically detect and block brute force login attacks.
Settings
| Setting | Description | Recommended |
|---|---|---|
| Max Login Attempts | Failed attempts before lockout | 5 |
| Lockout Duration | How long to block the IP | 15 minutes |
| Permanent Ban Threshold | Lockouts before permanent ban | 3 |
Login Security
Additional measures to protect your login page.
Features
- Custom Login URL - Hide wp-login.php behind a custom URL
- Login CAPTCHA - Math-based CAPTCHA to prevent bot attacks
- Password Strength - Enforce strong password requirements
WordPress Hardening
Close common security vulnerabilities in WordPress.
Available Options
- Disable XML-RPC - Block remote publishing attacks
- Hide WordPress Version - Remove version from source code
- Disable File Editor - Prevent file editing in admin
- Disable Directory Browsing - Block directory index listing
- Security Headers - Add X-Frame-Options, X-XSS-Protection, etc.
- Remove Meta Tags - Remove RSD, WLW manifest, and shortlinks
FirewallPRO
The firewall blocks malicious requests before they reach your WordPress site.
Protection Types
- SQL Injection - Block database injection attempts
- XSS Attacks - Prevent cross-site scripting
- File Inclusion - Block LFI/RFI attacks
- Bad Bots - Block known malicious bots and user agents
- Rate Limiting - Prevent DDoS and scraping attacks
- IP Whitelist/Blacklist - Allow or block specific IP addresses
Firewall Rules
The firewall includes built-in rules to detect and block common attack patterns. Administrators are automatically whitelisted to prevent lockouts.
Add trusted IP addresses to the whitelist in Settings to ensure they're never blocked by the firewall.
IP ManagementPRO
Take full control of who can access your site with comprehensive IP whitelisting and blacklisting.
Features
- IP Whitelist - Permanently allow trusted IPs (your home, office, VPN)
- IP Blacklist - Block specific IPs or IP ranges from accessing your site
- Country Blocking - Block entire countries based on IP geolocation
- Auto-Block Repeat Offenders - Automatically blacklist IPs after multiple violations
- IP Range Support - Block or allow entire subnets (e.g., 192.168.1.0/24)
Managing IPs
Access IP Management
Go to GuardPress > IP Management in your WordPress admin.
Add IPs to Whitelist or Blacklist
Enter IP addresses manually or select from the list of recently blocked IPs.
Set Expiration (Optional)
For temporary blocks, set an expiration time. Permanent blocks have no expiration.
Before enabling strict firewall rules, add your own IP address to the whitelist to prevent accidentally locking yourself out.
Malware ScannerPRO
Scan your WordPress files for malware, backdoors, and suspicious code.
Scan Types
- Quick Scan - Scans only WordPress core files
- Full Scan - Scans all files in wp-content
- Custom Scan - Scan specific directories
What Gets Detected
- Known malware signatures
- Suspicious PHP code patterns
- Base64-encoded payloads
- Hidden backdoors
- Unauthorized file changes
Always review detected issues before deleting. Some legitimate plugins use patterns that may trigger false positives.
Self-Detection (Expected Behavior)
The scanner may detect its own signature files - this is normal and expected! It proves your malware scanner is working correctly. These detections are shown in a separate "Self-Detection" section with a green indicator, so you can easily distinguish them from real threats.
Outdated Software Check
Scans installed WordPress core, plugins, and themes for pending updates, abandoned code, and common security misconfigurations. This is an update-and-config check, not a CVE database lookup.
What Gets Scanned
- Outdated Plugins - Check all plugins for available security updates
- Outdated Themes - Identify themes that need updating
- WordPress Core - Verify you're running the latest secure version
- Abandoned Plugins - Flag plugins not updated in 2+ years
- Known Vulnerabilities - Check against vulnerability databases
- Security Misconfigurations - Detect weak settings (debug mode, admin username, etc.)
Severity Levels
| Level | Description | Action |
|---|---|---|
| Critical | Known exploited vulnerabilities | Update immediately |
| High | Significant security risk | Update within 24 hours |
| Medium | Moderate risk | Update when convenient |
| Low | Best practice recommendation | Consider updating |
Enable weekly vulnerability scans to stay ahead of security issues. You'll receive email alerts when new vulnerabilities are detected.
Two-Factor AuthenticationPRO
Add an extra layer of security with TOTP-based two-factor authentication.
Setup
Enable 2FA
Go to GuardPress > Settings and enable Two-Factor Authentication.
Users configure 2FA
Each user goes to their User Profile page where they'll see the 2FA setup section.
Scan QR code
Users scan the QR code with their authenticator app (Google Authenticator, Authy, etc.) and enter the verification code to complete setup.
When enabled, 2FA setup is available to all users including administrators. Each user must configure it individually from their profile page.
Supported Apps
- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password
- Any TOTP-compatible app
File Integrity MonitorPRO
Detect unauthorized changes to your WordPress files in real-time.
Monitored Files
- WordPress core files - compared against official checksums
- Plugin files - detect unauthorized modifications
- Theme files - track template changes
- Uploads directory - scan for suspicious files
Alerts
Get email notifications when files are modified or deleted. The daily scan runs automatically and sends alerts if changes are detected.
File integrity scans run daily as part of the scheduled security checks. You can also run a manual scan anytime from the File Monitor page.
Database SecurityPRO
Protect and optimize your WordPress database.
Features
- Change Table Prefix - Change from default wp_ prefix
- Database Cleanup - Remove post revisions, transients, spam
- Optimize Tables - Defragment and repair tables
- Export/Import - Database migration tools
Always create a backup before changing the table prefix or running cleanup operations.
Emergency LockdownPRO
A site-wide kill switch for moments when your site is under active attack. When enabled, all new sign-ins are denied until you flip it off — existing sessions are unaffected, so you don't get logged out of the admin you're currently in.
When to use it
- Sustained brute-force attack despite IP blocking
- Credential leak (you suspect an admin password is in a breach corpus)
- You're investigating a compromise and want to freeze the front door while you work
How to enable
Open Login Protection settings
Go to GuardPress → Settings → Login Protection.
Toggle Emergency Lockdown ON
A persistent admin notice will appear across every admin page, and the WordPress Dashboard widget will show a red "Emergency Lockdown ACTIVE" banner. A CRITICAL severity entry is written to the audit log.
Investigate & respond
Run a malware scan, review the audit log, rotate admin passwords, and check the file integrity monitor. Existing logged-in admins can keep working — only new sign-ins are blocked.
Flip the toggle off when safe
Toggling Lockdown off writes another CRITICAL audit log entry so the timeline is forensically reconstructable.
If Lockdown is on AND your session has expired AND you can't sign back in, edit wp-config.php over FTP / SSH and add this line above the /* That's all, stop editing! */ comment:
define( 'GUARDPRESS_EMERGENCY_BYPASS', true );
Sign in, flip Lockdown off, then remove the constant. The bypass is intentionally file-edit-only (not IP-based) so it can't be misconfigured into a permanent backdoor.
Sign-in NotificationsPRO
Email the user themselves every time their account successfully signs in — the Gmail / GitHub pattern. If an admin account is compromised, the rightful owner gets a notification with the IP and a one-click password-reset link, even if the attacker also clears the email later.
Defaults
- Default ON for Administrators only — the highest-risk role gets coverage out of the box without flooding lower-privilege users with mail.
- Per-role allow-list configurable under GuardPress → Settings → Login Protection — turn on Editors, Shop Managers, or any custom role as fits your site.
- No rate limiting — a user logging in 10 times a day is normal and won't trigger silent suppression.
What each email contains
- Username and display name
- IP address (so the recipient can recognise "that was me on my phone" vs "that's not me")
- Timestamp in the site's timezone
- One-click Reset Password link — the first thing a compromised user should click
Every notify-eligible sign-in also writes a successful_login_notified entry to the GuardPress audit log. Even if the recipient mailbox is also compromised, the security log has the full sign-in history.
Spam ProtectionPRO
Filtering for the WordPress comment form and the WordPress login form — without sending visitor data to a third-party service like Akismet.
What's covered
- Comment-form honeypot — an invisible field added via
comment_form_after_fields; any submission with the field filled is rejected with a 403 - Time-based comment protection — submissions faster than 3 seconds after form load (almost certainly a bot) and forms older than 1 hour (stale token) are rejected
- Login-form honeypot (optional, off by default) — turn on under GuardPress → Settings → Spam Protection. The verification hook runs at
authenticatepriority 100, after core's username/password handler at priority 20, so a bot supplying valid credentials but filling the trap is still rejected - Keyword detection with Unicode-aware word boundaries — spam terms in Japanese, Korean, Arabic, Hebrew, and other non-Latin scripts match correctly (PHP's default
\bis ASCII-only) - Link spam detection and disposable-email detection on comment author addresses
Spam Protection hooks the WordPress comment form and the WordPress login form. It does not automatically protect WPForms, Contact Form 7, Gravity Forms, WooCommerce checkout, or other third-party forms — those plugins have their own anti-spam settings you should enable separately.
Uptime Monitoring
Get an email alert when your site stops responding. Useful for catching outages before customers do — whether the cause is a hosting issue, a fatal PHP error, or a DDoS that's tipped your server over.
How it works
- An hourly WP-Cron job fetches your homepage with a 10-second HTTP timeout
- Every check is recorded in the
gp_uptime_checkstable: status, response code, response time, and any error message - If the request fails (network error OR HTTP status other than 200), GuardPress sends a downtime alert and writes a CRITICAL severity entry to the audit log
- Alerts are rate-limited to once per hour so a sustained outage doesn't flood your inbox
- The Uptime Monitoring admin page shows the check history and uptime statistics for the last day / week / month
Enabling
Open Uptime Monitoring settings
Go to GuardPress → Settings and enable Uptime Monitoring.
Confirm the alert email address
Alerts go to the WordPress admin email by default. Set a separate address (e.g. an ops inbox or pager) under GuardPress → Settings → Notifications if you want alerts routed elsewhere.
Uptime Monitoring runs from inside your WordPress install via WP-Cron, so it catches cases where the server is up but WordPress is broken. It does not catch cases where the server itself is completely off the internet (the cron job can't fire). For full coverage, pair this with a free external monitor like UptimeRobot or BetterStack.
GuardPress sends a downtime alert when the check fails but does not send a follow-up "site back online" email. Check the Uptime Monitoring admin page or the gp_uptime_checks table to confirm recovery.
Troubleshooting
Pick the category that matches what you're seeing. Each card opens the full step-by-step guide.
Login & Access
🔒 Locked Out Recovery
Blocked by the firewall or brute-force protection? Database and FTP recovery methods that work even when you can't reach wp-admin.
🔗 Forgot Login URL
Set a custom login URL and can't remember it? How to recover it from the database or reset it via wp-config.
📱 2FA Recovery PRO
Lost your authenticator app or recovery codes? Regain account access without locking yourself out permanently.
Firewall & WAF
Site Recovery
⚪ White Screen / Fatal Error
Site went white after enabling a feature? How to identify the trigger and recover via WP_DEBUG, error logs, or safe-mode.
🦠 Malware Removal PRO
Scanner found real malware? Complete cleanup, file restoration from canonical WordPress.org sources, and post-incident hardening.
Quick Tips
License won't activate
- Check for extra spaces in the license key — copy-paste from the licensing dashboard sometimes pulls a trailing space
- Verify you haven't exceeded the site limit for your plan
- Confirm the license hasn't expired (check my.royalplugins.com)
- Activating on localhost / staging? See Licensing — local installs use a separate dev-mode constant rather than burning a real site slot
Locked out by Emergency Lockdown
If you enabled Emergency Lockdown and your session expired before you could disable it, edit wp-config.php over FTP / SSH and add define( 'GUARDPRESS_EMERGENCY_BYPASS', true );. Full procedure under Emergency Lockdown.
Getting too many GuardPress emails
The most common cause is the File Integrity Monitor sending one email per changed file during a plugin update. GuardPress 1.6.24+ consolidates these into a single batched email per scan. Make sure you're on the latest version (Dashboard → Updates).
Cache plugin showing DYNAMIC / not caching
Pre-1.6.17 GuardPress started a PHP session on every request, which made Cloudflare and most cache plugins skip the response. Update to 1.6.17 or later and the issue resolves on its own — sessions are now scoped to wp-login.php only.
Email support@royalplugins.com with your site URL, GuardPress version (Dashboard → Updates), and any relevant entries from GuardPress → Audit Log. Priority email support is included with your GuardPress Pro license — typical response time is within 24 hours.
Frequently Asked Questions
CAPTCHA is blocking my WooCommerce / MemberPress / theme login form. How do I fix this?
Update to GuardPress 1.6.17 or later. Before 1.6.17 the CAPTCHA only rendered on wp-login.php but was verified on every authentication attempt — so logins through WooCommerce /my-account/, MemberPress, BuddyPress, theme login forms, and page-builder widgets had no widget to complete and were rejected with "Please complete the security challenge." 1.6.17 renders the CAPTCHA on every common login surface and switches to fail-open semantics when no CAPTCHA field is present (covers REST API basic auth, Application Passwords, XML-RPC). Brute-force lockout remains active on all surfaces regardless.
GuardPress is sending me too many security emails. How do I quiet them?
Two common causes — both fixed by updating. (1) Pre-1.6.21 the file-integrity, malware, and outdated-software scanners re-emailed the same unresolved finding on every scan, sometimes for weeks. 1.6.21+ hashes each finding set and only emails when it changes; the hash auto-clears when the issue is resolved. (2) Pre-1.6.24 the file monitor sent one email per changed file, so a plugin update touching 100 files sent 100 emails. 1.6.24 consolidates to one batched summary per scan. Update GuardPress to the latest version and the email flood stops on its own.
The malware scanner flagged files that look legitimate. What should I do?
GuardPress 1.6.15 substantially tightened the malware-detection heuristics — most pre-1.6.15 "threats" on typical WooCommerce sites were noise. Update first. If a finding persists and you've verified the file is legitimate (a vendored library, a known core file, your own custom code), click Ignore next to the finding. Ignored findings move to a separate collapsible section and won't surface on future scans — click Restore to bring them back. See the Malware Scanner section for the difference between Quarantine, Delete, and Ignore.
Will GuardPress break my caching (Cloudflare, ForgeCache, WP Rocket)?
GuardPress 1.6.17+ is fully compatible with Cloudflare, ForgeCache, WP Rocket, server-level FastCGI cache, and other cache layers. Pre-1.6.17 the plugin started a PHP session on every request, which forced Cache-Control: no-store on every response and neutralized every downstream cache (every Cloudflare hit returned cf-cache-status: DYNAMIC). 1.6.17 scopes sessions to wp-login.php only, so the rest of the site caches normally. After updating, purge your cache once so the old no-store responses stop being served.
Can I use GuardPress alongside Wordfence / iThemes Security / Sucuri?
We don't recommend it. Two firewalls fighting over the same request, two CAPTCHAs stacked on the same form, and two file-integrity scans rotating the same cron lock cause real conflicts that make both plugins behave worse than either would alone. Pick one and deactivate the others. If you're switching from another security plugin to GuardPress, deactivate the old one first, then activate GuardPress and walk through GuardPress → Settings to enable equivalent protections.
Can I use the same license on multiple sites?
Depends on your license type. Single licenses cover 1 site, Multi covers 5, Developer covers 25, and Agency covers 100. Localhost, .local, .test, and .localhost domains are excluded from the site limit when WP_DEBUG is true AND the GUARDPRESS_DEV_MODE constant is defined as true in wp-config.php — so your local development site doesn't burn a real site slot. See the Licensing section for details.