This page explains what Guard Dog stores, what may be sent to third parties, and what site administrators should disclose to users.
Guard Dog does not phone home, send analytics, or transmit your site data to the plugin author. Data is stored locally unless you enable a feature that uses an external provider.
Local Data Storage
Guard Dog stores security data in your WordPress database.
User Security Settings
Stored in WordPress user meta:
- 2FA enabled status
- TOTP secret data
- Hashed recovery codes
- Email 2FA preferences
- Passkey metadata
- Temporary user metadata
Purpose: provide per-user authentication and recovery features.
Activity Logs
Stored in the Guard Dog activity log table:
- Event type
- User ID or guest/system context
- IP address
- Timestamp
- Event details
Purpose: security monitoring, troubleshooting, and audit history.
Retention: configurable in Activity Log settings.
Login Attempts and Lockouts
Stored in Guard Dog login-attempt data:
- IP address
- Failed attempt count
- Lockout status
- Expiration time
Purpose: brute-force protection.
Retention: until lockout data expires or is cleaned up.
Session Records
Stored in Guard Dog session data:
- User ID
- Session token hash
- IP address
- User agent
- Approximate location when available
- Last activity time
- Suspicious-session flags
Purpose: active-session visibility, remote logout, session limits, and suspicious activity detection.
Plugin Settings
Stored in WordPress options:
- Login URL settings
- CAPTCHA provider settings
- Email provider settings
- Social login provider settings
- Access control rules
- Debug settings
- Appearance/customizer settings
Sensitive provider secrets are stored in protected settings and are redacted from exports and support reports where applicable.
Third-Party Services
Guard Dog only contacts third parties when you enable features that require them.
CAPTCHA Providers
When CAPTCHA is enabled, the selected provider may receive verification data.
Supported providers:
- Google reCAPTCHA
- hCaptcha
- Cloudflare Turnstile
Data may include:
- IP address
- Browser/device information
- CAPTCHA token
- Site domain
- Interaction signals depending on provider
Use Cloudflare Turnstile or hCaptcha if privacy is the priority. Google reCAPTCHA may require additional consent disclosures depending on your jurisdiction.
Email Providers
When email 2FA, security email, or the global email override uses a provider, that provider receives email-sending requests.
Supported providers:
- Amazon SES
- Mailgun
- Resend
- SendGrid
- Google Gmail / Google Workspace
Data may include:
- Recipient email address
- Email subject
- Email body
- Sender identity
- Provider credentials used for authentication
If you enable "Use Guard Dog Email Provider for all WordPress emails", non-Guard Dog WordPress email sent via wp_mail() also goes through the configured provider.
Social Login Providers
When Social Login is enabled, users authenticate through the provider you configure.
Supported providers:
- Microsoft
- Apple
Data involved:
- OAuth state request
- Provider user ID
- Email address returned by the provider
- Name/profile fields returned by the provider
- Avatar URL when returned by the provider
Guard Dog stores linked social accounts locally by provider and provider user ID.
IP Reputation
When IP Reputation features are enabled, Guard Dog may check IPs against DNS-based reputation sources and optional geolocation providers.
Possible services include:
- Spamhaus ZEN
- CBL / abuseat.org
- dan.me.uk Tor list
- ip-api.com
- ipinfo.io
Data involved:
- IP address being checked
- DNS query or API request depending on provider
Geolocation and Country Detection
Guard Dog can use trusted CDN/proxy country headers when available, such as Cloudflare country headers. Forwarded headers are only trusted when the direct proxy is configured in Trusted Proxy IPs.
If headers are not available and geolocation is enabled, Guard Dog may use an IP geolocation provider to resolve country or location details.
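The Trusted Proxy IPs rule described above, sketched as an added example (not Guard Dog's own code). The function names, the header dict shape, and the sample proxy ranges are assumptions of this example; X-Forwarded-For and CF-IPCountry are the standard forwarded-address header and the Cloudflare country header.

```python
import ipaddress

# Constructed sample ranges (documentation prefixes), standing in for the
# site's "Trusted Proxy IPs" setting.
TRUSTED_PROXIES = ["203.0.113.0/24", "2001:db8:10::/48"]

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted)

def resolve_client(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, country, source) for one request.

    headers is a dict keyed by canonical header name (an assumption of this
    example). Forwarded headers are read only when the direct peer is a
    trusted proxy; from any other peer they are client-supplied and ignored.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr, None, "direct"
    # Walk X-Forwarded-For right to left: the rightmost entries were appended
    # by trusted proxies, so the first untrusted hop is the real client and
    # anything to its left is unverified.
    client = remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        client = hop
        if not is_trusted(hop, trusted):
            break
    # Accept only a two-letter country code; "XX" is Cloudflare's unknown.
    country = headers.get("CF-IPCountry", "").strip().upper()
    if len(country) != 2 or not country.isalpha() or country == "XX":
        country = None  # caller falls back to geolocation, if enabled
    return client, country, "proxy"
```

A request arriving directly from an untrusted address keeps its socket address and gets no header-derived country, so access rules and activity-log entries cannot be steered by client-supplied headers.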
Data Not Collected
Guard Dog does not collect:
- Plain-text passwords
- Raw 2FA codes after verification
- Payment information
- Post/page content for analytics
- Site analytics or usage telemetry for the plugin author
- Data for sale or advertising
Privacy by Feature
Custom Login URL
No new third-party data transfer. This changes the login route and blocks direct access to default login URLs.
Frontend Login Form
Uses WordPress authentication locally. Third-party transfer only occurs if enabled features are shown or used, such as CAPTCHA or Social Login.
Two-Factor Authentication
App-based TOTP works locally. Email 2FA sends email through the configured provider.
Passkeys
Passkeys use WebAuthn between the user's browser/device and your site. The private key stays on the user's device. Guard Dog stores public credential metadata locally.
Social Login
Users are redirected to the chosen OAuth provider. Guard Dog stores the provider link locally after successful authentication.
Access Control
Stores IP and username rules locally. Country-based decisions may use trusted headers or geolocation services depending on configuration.
Activity Log
Stores local audit records. Logs may contain personal data such as IP addresses and usernames.
Temporary User Access
Stores temporary account metadata locally, including display email, expiration, login limit, and hashed access token data.
Debug Logs and Support Reports
Debug logs are written to the WordPress debug log. Support reports include system and plugin configuration details for troubleshooting, with sensitive values redacted where Guard Dog can identify them.
Review logs and reports before sharing them with support, especially if another plugin logs sensitive information into the shared WordPress debug log.
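A pre-share review pass over the shared debug log, as an added example (not part of Guard Dog). The patterns, replacement markers, and sample log lines are constructed for illustration and should be tuned to what other plugins on the site actually write.

```python
import re

# (category, pattern, replacement). Credentials are handled first so the
# whole value is masked before the narrower patterns run.
PATTERNS = [
    ("credential",
     re.compile(r"(?i)((?:api[_-]?key|secret|password|token|authorization)\w*)"
                r"\s*[=:]\s*.+"),
     r"\1=[REDACTED]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IPV4]"),
]

def review(lines):
    """Return (findings, redacted_lines) for an iterable of log lines.

    findings is a list of (line_number, category) to check by hand;
    redacted_lines is a copy that is safer to attach to a support request.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        for category, pattern, replacement in PATTERNS:
            line, hits = pattern.subn(replacement, line)
            if hits:
                findings.append((number, category))
        redacted.append(line)
    return findings, redacted

# Constructed sample lines in the PHP error-log layout.
SAMPLE_LOG = [
    "[12-Mar-2024 10:15:32 UTC] PHP Notice: login failed for "
    "alice@example.com from 198.51.100.23",
    "[12-Mar-2024 10:15:40 UTC] other-plugin: POST "
    "https://api.example.test/send api_key=sk_test_CONSTRUCTED123",
    "[12-Mar-2024 10:16:02 UTC] PHP Warning: Undefined variable $foo "
    "in /var/www/html/wp-content/plugins/x/x.php on line 12",
]

if __name__ == "__main__":
    found, cleaned = review(SAMPLE_LOG)
    print(found)
    print("\n".join(cleaned))
```

Pattern matching only narrows the manual review; free-text fields can still carry personal data the patterns do not recognize.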
Administrator Responsibilities
You are responsible for configuring Guard Dog in a privacy-aware way for your jurisdiction.
Recommended steps:
- Update your privacy policy.
- Disclose security logging and IP processing.
- Disclose any CAPTCHA, email, OAuth, reputation, or geolocation providers you enable.
- Set activity log retention to the shortest useful period.
- Limit access to logs and support reports.
- Review exported data before sending it to support.
Sample Privacy Policy Language
Adjust this to match your site and enabled features:
We use security tooling to protect accounts and prevent unauthorized access. This may include logging login attempts, IP addresses, account security events, and session activity. If enabled, CAPTCHA, email delivery, social login, IP reputation, or geolocation providers may process limited data needed to provide those features. We use this data for website security, fraud prevention, troubleshooting, and account protection.
GDPR Notes
Guard Dog can be used as part of a GDPR-compliant setup, but compliance depends on your configuration and disclosures.
Consider:
- Treating IP addresses as personal data where required
- Using legitimate interest for security logging
- Setting retention periods
- Providing user data exports when requested
- Deleting user-associated logs when appropriate and lawful
- Listing enabled subprocessors in your privacy policy
Subprocessors to Consider
Only list providers you actually enable.
CAPTCHA:
- hCaptcha / Intuition Machines
- Cloudflare
Email:
- Amazon Web Services
- Mailgun
- Resend
- Twilio SendGrid
Social login:
- Microsoft
- Apple
IP reputation and geolocation:
- Spamhaus
- CBL / abuseat.org
- dan.me.uk
- ip-api.com
- ipinfo.io
Privacy-Focused Configuration
For a privacy-conscious setup:
- Use app-based 2FA or passkeys instead of email 2FA when practical.
- Use Cloudflare Turnstile or hCaptcha instead of Google reCAPTCHA.
- Keep Activity Log retention modest, such as 30 to 90 days.
- Avoid global email override unless you need it.
- Disable social login providers you do not actively use.
- Configure Trusted Proxy IPs so country/IP headers are only accepted from known infrastructure.