Getting Started with Guard Dog

This guide will help you install and configure Guard Dog for the first time.

Installation

From WordPress Admin

  1. Navigate to Plugins → Add New in your WordPress admin
  2. Search for "Guard Dog"
  3. Click Install Now on the Guard Dog plugin
  4. Click Activate after installation completes

Manual Installation

  1. Download the guard-dog plugin folder
  2. Upload it to /wp-content/plugins/ via FTP or your hosting file manager
  3. Navigate to Plugins in your WordPress admin
  4. Find Guard Dog in the list and click Activate

After Activation

Once activated, you'll see a new Guard Dog menu item in your WordPress admin sidebar. This is your security command center.

Initial Configuration

Guard Dog works out of the box with secure defaults, but you should configure these essential features:

Step 1: Custom Login URL

Why: This is the single most effective way to stop automated bot attacks on your site.

  1. Go to Guard Dog → Authentication
  2. In the Custom Login URL section, enter your desired login slug
    • Example (format only): secure-login will make your login URL yoursite.com/secure-login
    • Use something unique and memorable
    • Avoid common words like "admin", "login", or "secure"
  3. Click Save Changes
  4. Important: Bookmark your new login URL immediately!

Learn more about Custom Login URLs →

Step 2: CAPTCHA Protection

Why: CAPTCHA verification ensures only humans can attempt to log in, stopping automated bot attacks.

  1. Go to Guard Dog → CAPTCHA
  2. Choose your preferred CAPTCHA provider (see comparison)
  3. Sign up for API keys from your chosen provider
  4. Enter your Site Key and Secret Key
  5. Configure display options (theme, size)
  6. Click Save Changes

Learn more about CAPTCHA Protection →

Choosing a CAPTCHA Provider

Provider | Best For | User Experience | Privacy
Google reCAPTCHA v3 | Invisible protection | Excellent – no user interaction | Google tracking
Google reCAPTCHA v2 | Traditional verification | Good – simple checkbox | Google tracking
hCaptcha | Privacy-conscious sites | Good – accessible challenges | Privacy-focused
Cloudflare Turnstile | Modern, fast protection | Excellent – usually invisible | Privacy-first

Step 3: Login Attempt Limiting

Why: Prevents brute-force password attacks by locking out IPs after failed attempts.

  1. Go to Guard Dog → Authentication
  2. In the Login Attempt Limiting section:
    • Check "Enable Login Attempt Limiting"
    • Set Maximum Retries (default: 5)
    • Set Lockout Duration in minutes (default: 15)
  3. Click Save Changes

Learn more about Login Attempt Limiting →

Step 4: Two-Factor Authentication

Why: 2FA provides the strongest protection for user accounts.

  1. Go to Guard Dog → Authentication
  2. In the Two-Factor Authentication section:
    • Check "Enable Two-Factor Authentication"
    • Optionally enable email-based 2FA
    • Configure enforcement settings if desired
  3. Click Save Changes
  4. Go to your User Profile to set up 2FA for your account

Learn more about Two-Factor Authentication →

Step 5: Decide How Users Will Sign In (Optional)

Guard Dog can support more than the default WordPress login form:

  • Passkeys for biometric or security-key sign-in
  • Social Login for Google, Microsoft, or Apple OAuth
  • Frontend Login Form for login pages built inside your theme or page builder
  • Frontend Account Security so users can manage 2FA, passkeys, and sessions from account pages

These are optional. Start with password + CAPTCHA + login limiting first, then add the sign-in experience your site actually needs.

Post-Installation Checklist

After initial configuration, review these settings:

  • Custom login URL is set and bookmarked
  • CAPTCHA is enabled and tested
  • Login attempt limiting is enabled
  • 2FA is enabled for your admin account
  • Test login with new settings from an incognito window
  • If behind Cloudflare, Kinsta, WP Engine, or another proxy, configure Trusted Proxy IPs under Sessions
  • If using email 2FA, configure and test an email provider
  • Add your IP to the whitelist (optional, for extra protection)
  • Review Activity Log settings
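
Why the Trusted Proxy IPs item matters for Login Attempt Limiting, as an added example (a Python model written for this guide, not Guard Dog's own code). It assumes a simple counter of failures per address with the page's defaults of 5 retries and 15 minutes; the addresses, function names, and the X-Forwarded-For handling are constructed for illustration.

```python
import ipaddress

MAX_RETRIES = 5            # the page's default for Maximum Retries
LOCKOUT_SECONDS = 15 * 60  # the page's default Lockout Duration (15 minutes)

def client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Pick the address that failed logins are counted against.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    from any other peer the header is attacker-controlled and is ignored.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    def trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)
    if not forwarded_for or not trusted(peer_ip):
        return peer_ip
    # Read the chain right to left: the first hop that is not one of our
    # proxies was appended by a proxy we trust, so the client cannot forge it.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            if not trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return peer_ip

class LoginLimiter:
    """Assumed model: N failures from one address start a timed lockout."""
    def __init__(self, max_retries=MAX_RETRIES, lockout=LOCKOUT_SECONDS):
        self.max_retries, self.lockout = max_retries, lockout
        self.failures, self.locked_until = {}, {}

    def is_locked(self, ip, now):
        return now < self.locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        if not self.is_locked(ip, now):
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.max_retries:
                self.locked_until[ip] = now + self.lockout
                self.failures[ip] = 0
        return self.is_locked(ip, now)

def other_user_locked_out(trusted_proxies):
    """Constructed traffic: a bot and a real user behind one CDN edge address."""
    edge, bot, user = "203.0.113.10", "198.51.100.7", "192.0.2.44"
    limiter = LoginLimiter()
    for second in range(MAX_RETRIES):  # the bot fails five logins in a row
        limiter.record_failure(client_ip(edge, bot, trusted_proxies), second)
    return limiter.is_locked(client_ip(edge, user, trusted_proxies), now=10)
```

With no trusted proxies configured, every failure is counted against the CDN edge address, so the bot's five failures also lock out the real user; with the edge range listed, only the bot's own address is locked.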

Personal Blog or Small Site

Focus on simplicity:

  • ✅ Custom login URL
  • ✅ CAPTCHA (reCAPTCHA v3 for invisible protection)
  • ✅ Login attempt limiting (5 retries, 15 min lockout)
  • ✅ 2FA for admin users (optional)
  • ❌ IP whitelisting (too restrictive)
  • ✅ Activity logging (security events only)
  • Optional: ✅ Passkeys for admin users

Business Website

Balanced security:

  • ✅ Custom login URL
  • ✅ CAPTCHA (Cloudflare Turnstile or reCAPTCHA v3)
  • ✅ Login attempt limiting (3 retries, 30 min lockout)
  • ✅ 2FA enforced for all users
  • ✅ Username blacklist (common usernames like "admin", "administrator")
  • ✅ Activity logging (all events)
  • Optional: ✅ Frontend account security page for staff or members

E-commerce or High-Value Site

Maximum security:

  • ✅ Custom login URL
  • ✅ CAPTCHA (Cloudflare Turnstile)
  • ✅ Strict login attempt limiting (3 retries, 60 min lockout)
  • ✅ 2FA enforced for all users
  • ✅ IP whitelist for admin users
  • ✅ Site-wide IP blocking for maintenance mode
  • ✅ Comprehensive activity logging
  • ✅ Email provider configured for 2FA emails
  • ✅ Session management reviewed and proxy IP detection configured if behind a CDN

Development/Staging Site

Access control focus:

  • ✅ IP whitelist (office/home IPs only)
  • ✅ Site-wide blocking enabled
  • ❌ CAPTCHA (not needed with IP whitelist)
  • ✅ Temporary user access for clients/testers
  • ✅ Activity logging

Testing Your Configuration

Before relying on your security setup, test it:

Test 1: Login URL

  1. Open an incognito/private browser window
  2. Try to access yoursite.com/wp-admin – should redirect to 404
  3. Access your custom login URL – should show login form
  4. Successfully log in

Test 2: CAPTCHA

  1. Open an incognito window
  2. Go to your login page
  3. Verify CAPTCHA appears (or works invisibly for v3)
  4. Complete CAPTCHA and log in

Test 3: Login Limiting

  1. Open an incognito window
  2. Enter incorrect password multiple times (up to your max retries)
  3. Verify you get locked out
  4. Wait for lockout duration to expire or clear lockout from admin

Test 4: Two-Factor Authentication

  1. Set up 2FA on your account
  2. Log out
  3. Log in with username and password
  4. Verify 2FA prompt appears
  5. Enter 2FA code successfully

Test 5: Optional Frontend Login or Account Pages

If you added Guard Dog frontend blocks or shortcodes:

  1. Open the page in a private browser window
  2. Confirm the login form or account-security widget renders
  3. Test passkey and social buttons if enabled
  4. Confirm post-login redirects go where you expect

Common Initial Setup Issues

Issue: Locked Out After Changing Login URL

Solution: The custom login URL is stored in your database. If you lose access:

  1. Via FTP or cPanel File Manager, rename the Guard Dog plugin folder to disable it temporarily
  2. Log in via the standard /wp-login.php
  3. Rename the plugin folder back
  4. Go to Guard Dog settings and note/change your login URL

Prevention: Always bookmark your custom login URL immediately after setting it.

Issue: CAPTCHA Not Appearing

Causes:

  • JavaScript errors on the page
  • Incorrect API keys
  • Wrong CAPTCHA provider domain registration

Solution:

  1. Check browser console for JavaScript errors
  2. Verify your Site Key and Secret Key are correct
  3. Ensure your domain is registered with your CAPTCHA provider
  4. Try a different CAPTCHA provider

Issue: Can't Receive 2FA Emails

Causes:

  • WordPress default mail function not working
  • Email provider not configured
  • Spam filtering

Solution:

  1. Test your WordPress email with a plugin like WP Mail SMTP
  2. Configure an email provider in Guard Dog → Settings → Email Provider
  3. Check spam folders
  4. Use app-based 2FA instead

Next Steps

Now that you have Guard Dog configured:

  1. Enable Activity Logging – Start tracking security events

  2. Set Up Access Control – Fine-tune who can access your site

  3. Build Frontend Account Pages – Give users self-service 2FA, passkeys, and session controls

  4. Create Temporary Access – For contractors or support staff

  5. Review Security Best Practices – Optimize your security posture
