Guard Dog Documentation

Version 1.9.42

Welcome to the comprehensive documentation for Guard Dog, a powerful WordPress security plugin designed to protect your site from unauthorized access and brute-force attacks.

Table of Contents

Getting Started

• Installation & Quick Setup
• Initial Configuration
• Best Practices

Core Features

Login Protection

• Custom Login URLs – Hide your wp-admin and wp-login.php from attackers
• Frontend Login Form – Add a Guard Dog-managed login form to normal pages
• CAPTCHA Protection – Multiple CAPTCHA providers to prevent automated attacks
• Login Attempt Limiting – Prevent brute-force attacks with intelligent lockout
• User Enumeration Protection – Block username discovery attacks

Authentication

• Two-Factor Authentication (2FA) – App-based and email-based 2FA
• Passkeys (WebAuthn) – Passwordless login with biometrics or security keys
• Social Login – Sign in with Google, Microsoft, or Apple
• Frontend Account Security – Let users manage 2FA, passkeys, and sessions from account pages
• Email Provider Configuration – Configure AWS SES, Mailgun, Resend, SendGrid, or Google for emails
• Email Verification – Require email verification before login
• Password Policy – Enforce strong password requirements
• Recovery Codes – Backup access when 2FA is unavailable

Access Management

• Access Control – IP-based and username-based whitelist/blacklist
• Site-Wide Blocking – Restrict entire site access by IP
• Temporary User Access – Create time-limited users with secure access
• Login Screen Customization – Brand the native WordPress login flow and helper screens

Monitoring

• Session Management – Track and manage active login sessions
• Activity Log – Comprehensive logging of security and WordPress events
• Debug System – Advanced logging for troubleshooting

Additional Resources

• Frequently Asked Questions
• Troubleshooting Guide
• Security Best Practices
• Performance Optimization

What is Guard Dog?

Guard Dog is a comprehensive security plugin that provides enterprise-level protection for any WordPress site. With features ranging from basic login protection to advanced two-factor authentication and activity monitoring, Guard Dog gives you complete control over who can access your site and what they can do.

Key Benefits

🛡️ Multi-Layer Protection

• Custom login URLs to hide your admin area
• Multiple CAPTCHA providers for bot protection
• Two-factor authentication for enhanced security
• Login attempt limiting to prevent brute-force attacks

🔒 Privacy-Focused

• Choose from privacy-first CAPTCHA providers
• No phone-home tracking or analytics
• Third-party services are only contacted when you enable features that need them
• All 2FA operations happen locally on your server
• Full control over what events are logged

⚙️ Enterprise-Ready

• Scalable features suitable for sites of any size
• Advanced access control with IP and username filtering
• Comprehensive activity logging for compliance
• Temporary user access for secure collaboration

👤 User-Friendly

• Intuitive admin interface with organized pages
• Helpful documentation and tooltips
• Smart defaults that work out of the box
• Gradual feature adoption – enable what you need

Quick Links

• Just installed? Start with Getting Started
• Setting up 2FA? Read the Two-Factor Authentication Guide
• Need help? Check the FAQ or Troubleshooting Guide
• Locked out? See Emergency Access

Feature Overview

Custom Login URLs

Hide your WordPress login page from attackers by using a custom URL instead of the default /wp-login.php. This simple change can eliminate the majority of automated bot attacks targeting your site.

Learn more about Custom Login URLs →

Frontend Login Form

Render a Guard Dog-managed login form on a normal WordPress page. The form can include CAPTCHA, passkey sign-in, social login buttons, remember-me controls, lost password links, and safe post-login redirects.

Learn more about the Frontend Login Form →

CAPTCHA Protection

Choose from four industry-leading CAPTCHA providers to verify that login attempts are made by humans, not bots:

• Google reCAPTCHA v3 (invisible)
• Google reCAPTCHA v2 (checkbox)
• hCaptcha (privacy-focused)
• Cloudflare Turnstile (fast and privacy-first)

Learn more about CAPTCHA Protection →

Two-Factor Authentication

Add an extra layer of security with app-based or email-based two-factor authentication. Users must enter a verification code from their authenticator app or email in addition to their password.

Learn more about Two-Factor Authentication →

Frontend account pages can render 2FA management with [guard_dog_two_factor] or the Guard Dog Two-Factor Auth block.

Social Login

Allow users to sign in with Google, Microsoft, or Apple OAuth. Social login works on the native WordPress login screen, custom login URL, and Guard Dog frontend login form.

Learn more about Social Login →

Email Provider Configuration

Configure AWS SES, Mailgun, Resend, SendGrid, or Google for email 2FA, security notifications, and optional site-wide WordPress email delivery.

Learn more about Email Provider Configuration →

Login Attempt Limiting

Automatically lock out IP addresses after a specified number of failed login attempts, preventing brute-force password attacks.

Learn more about Login Attempt Limiting →

Access Control

Create IP whitelists or blacklists to control who can access your site. Block specific users by username or restrict access to approved IP addresses only.

Learn more about Access Control →

Activity Log

Track every security event, user action, and system change on your site. The comprehensive activity log helps you monitor what's happening and investigate security incidents.

Learn more about Activity Log →

Temporary User Access

Create temporary WordPress users with automatic expiration dates and login limits. Perfect for contractors, clients, or support staff who need temporary access to your site.

Learn more about Temporary User Access →

Passkeys (WebAuthn)

Enable passwordless authentication using biometrics (Face ID, Touch ID) or hardware security keys. Passkeys are more secure than passwords and can optionally bypass 2FA.

Learn more about Passkeys →

Custom login pages can render passkey sign-in with [guard_dog_passkey_login] or the Guard Dog Passkey Login block. Account pages can render passkey management with [guard_dog_passkeys] or the Guard Dog Passkeys block.

Frontend Account Security

Let logged-in users manage their security from a member dashboard or account page. Use the full [guard_dog_account_security] widget, or place 2FA, passkeys, and sessions as separate blocks/shortcodes.

Learn more about Frontend Account Security →

Session Management

Track all active login sessions with device, location, and activity details. Users can remotely terminate sessions, and administrators can enforce session limits and detect suspicious activity.

Learn more about Session Management →

Frontend account pages can render active-session management with [guard_dog_sessions] or the Guard Dog Sessions block.

Login Screen Customization

Customize the native WordPress login experience, including your custom login URL, password reset screens, 2FA challenge screens, password-expired screens, branding, helper text, links, and form styling.

Learn more about Login Screen Customization →

User Enumeration Protection

Block attackers from discovering valid usernames through REST API, author archives, login errors, password reset messages, XML-RPC, oEmbed, and registration forms.

Learn more about User Enumeration Protection →

Password Policy

Enforce strong password requirements with configurable minimum length, character requirements, common password blocking, and password history to prevent reuse.

Learn more about Password Policy →

Email Verification

Require new users to verify their email address before logging in. Prevents fake account registrations and ensures users have access to their stated email.

Learn more about Email Verification →

Support

For support questions, please use the WordPress.org support forums.

Privacy & Third-Party Services

Guard Dog respects user privacy. It does not phone home or send analytics. Data is only sent to third parties when you enable a feature that depends on a provider, such as CAPTCHA, email delivery, social login, IP reputation, or geolocation.

Two-factor authentication uses the TOTP standard and operates entirely on your server – no external services are contacted for 2FA verification.

Read more about Privacy & Third-Party Services

---

Last Updated: April 2026
Plugin Version: 1.9.42
Requires WordPress: 5.9 or higher
Requires PHP: 8.1 or higher