{"id":288362,"date":"2026-04-18T18:33:44","date_gmt":"2026-04-18T18:33:44","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/login-limiter\/"},"modified":"2026-04-26T19:50:05","modified_gmt":"2026-04-26T19:50:05","slug":"oriole-one-master-guard","status":"publish","type":"plugin","link":"https:\/\/zgh.wordpress.org\/plugins\/oriole-one-master-guard\/","author":23463292,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1.0","stable_tag":"1.1.0","tested":"6.9.4","requires":"6.4","requires_php":"8.0","requires_plugins":null,"header_name":"Oriole One Master Guard","header_author":"Rashid Sharafat","header_description":"Advanced WordPress security plugin providing brute-force protection, REST API hardening, sitemap control, SEO-safe indexing rules, and system-level protections.","assets_banners_color":"","last_updated":"2026-04-26 19:50:05","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":213,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq"],"tags":{"1.1.0":{"tag":"1.1.0","author":"rashidsharafat","date":"2026-04-26 19:50:05"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":3509760,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.1.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Limit Logins tab<\/strong> \u2014 Configure maximum failed attempts, attempt window, lockout duration, and whether IP locking, username locking, or both are enabled.","2":"Hardening tab<\/strong> \u2014 Enable or disable individual security hardening features using simple checkboxes.","3":"Code Preview tab<\/strong> \u2014 View the generated hardening snippets for transparency and reference.","4":"Failed Logs tab<\/strong> \u2014 Audit table listing blocked login attempts with username, IP address, geolocation, attempt count, and block timestamps."}},"plugin_section":[],"plugin_tags":[2439,31093,9374,1229,600],"plugin_category":[54],"plugin_contributors":[260528],"plugin_business_model":[],"class_list":["post-288362","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-hardening","plugin_tags-limit-login-attempts","plugin_tags-login-security","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-rashidsharafat","plugin_committers-rashidsharafat"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/oriole-one-master-guard\/assets\/icon-256x256.png?rev=3509760","icon_2x":"https:\/\/ps.w.org\/oriole-one-master-guard\/assets\/icon-256x256.png?rev=3509760","generated":false},"screenshots":[],"raw_content":"\n

Oriole One Master Guard<\/strong> is a lightweight, all-in-one security plugin for WordPress. It protects your site against brute-force login attacks, hardens common WordPress attack surfaces, and gives you full control over your security configuration from a clean admin interface \u2014 all without touching WordPress core files.<\/p>\n\n

Whether you run a personal blog, a business site, or manage WordPress for clients, Oriole One Master Guard is designed to be straightforward to configure and effective out of the box.<\/p>\n\n

Who Is This For?<\/h4>\n\n
    \n
  • Site owners who want meaningful login protection without relying on a large, bloated security suite.<\/li>\n
  • Developers who need a practical hardening toolkit with sensible defaults they can tune.<\/li>\n
  • Agencies managing multiple WordPress installations who need reliable, low-maintenance protection.<\/li>\n<\/ul>\n\n

    What It Does<\/h4>\n\n

    Brute-Force Login Protection<\/strong>\nLimits the number of failed login attempts allowed from a given IP address or username within a configurable time window. Once the threshold is reached, the account is temporarily locked and further attempts are blocked. A replay-safe token system ensures that hitting the browser back button or refreshing after a failed attempt does not count as additional attempts.<\/p>\n\n

    Security Hardening<\/strong>\nA dedicated Hardening tab lets you enable or disable individual hardening features with a single checkbox. The plugin applies these protections directly using standard WordPress hooks and filters, keeping the setup simple and safe.<\/p>\n\n

    Hardening options include:<\/p>\n\n

      \n
    • Block XML-RPC requests site-wide<\/li>\n
    • Remove the users provider from WordPress sitemaps<\/li>\n
    • Return HTTP 404 for author archive pages and prevent username enumeration via ?author=N queries<\/li>\n
    • Restrict the \/wp-json\/wp\/v2\/users REST endpoint to logged-in users with the list_users capability<\/li>\n
    • Remove the WordPress version tag, RSD link, WLW manifest, oEmbed discovery links, and REST API head link<\/li>\n
    • Add a noindex, follow meta tag to category, tag, and author archive pages<\/li>\n<\/ul>\n\n

      Code Preview<\/strong>\nThe Code Preview tab shows the generated reference snippets that correspond to your current hardening settings. This output is read-only and provided for transparency only. The plugin does not ask administrators to paste or save arbitrary PHP, JavaScript, or CSS.<\/p>\n\n

      Failed Login Audit Log<\/strong>\nEvery lockout is recorded in a persistent audit table showing the blocked username, IP address, geolocation country, number of attempts, and the time the block was placed and will expire. Individual entries can be removed, or the entire log can be cleared with one click.<\/p>\n\n

      Why Choose Oriole One Master Guard?<\/h4>\n\n
        \n
      • Focused and lightweight<\/strong> \u2014 does exactly what the name says with no unnecessary bulk.<\/li>\n
      • Transparent<\/strong> \u2014 the hardening behavior is clearly visible in the admin and not hidden in plugin internals.<\/li>\n
      • Non-destructive<\/strong> \u2014 uses WordPress hooks and the Settings API only; never modifies core files or theme files.<\/li>\n
      • Auditable<\/strong> \u2014 every lockout event is logged so you always know what happened and when.<\/li>\n<\/ul>\n\n

        Requirements<\/h3>\n\n
          \n
        • WordPress:<\/strong> 6.4 or higher<\/li>\n
        • PHP:<\/strong> 8.0 or higher<\/li>\n<\/ul>\n\n

          Support<\/h3>\n\n

          For questions, bug reports, or feature requests, please use the support forum on the plugin's WordPress.org page. When reporting a bug, include your WordPress version, PHP version, and a description of the steps to reproduce the issue.<\/p>\n\n\n

          Automatic Installation<\/h4>\n\n
            \n
          1. Log in to your WordPress admin dashboard.<\/li>\n
          2. Go to Plugins > Add New Plugin<\/strong>.<\/li>\n
          3. Search for Oriole One Master Guard<\/strong>.<\/li>\n
          4. Click Install Now<\/strong>, then click Activate<\/strong>.<\/li>\n
          5. Go to Settings > Oriole One Master Guard<\/strong> to configure the plugin.<\/li>\n<\/ol>\n\n

            Manual Installation<\/h4>\n\n
              \n
            1. Download the plugin zip file from WordPress.org.<\/li>\n
            2. Log in to your WordPress admin dashboard.<\/li>\n
            3. Go to Plugins > Add New Plugin<\/strong> and click Upload Plugin<\/strong>.<\/li>\n
            4. Choose the downloaded zip file and click Install Now<\/strong>.<\/li>\n
            5. Click Activate Plugin<\/strong>.<\/li>\n
            6. Go to Settings > Oriole One Master Guard<\/strong> to configure the plugin.<\/li>\n<\/ol>\n\n

              First-Time Setup<\/h4>\n\n

              After activation, the plugin is immediately active with secure default settings. Visit each tab to review and adjust:<\/p>\n\n

                \n
              • Limit Logins<\/strong> \u2014 set your preferred attempt threshold, window duration, and lockout length.<\/li>\n
              • Hardening<\/strong> \u2014 enable the security features that apply to your site.<\/li>\n
              • Code Preview<\/strong> \u2014 review the generated hardening snippets for reference.<\/li>\n
              • Failed Logs<\/strong> \u2014 monitor blocked login attempts.<\/li>\n<\/ul>\n\n\n
                \n

                Does this plugin modify my theme's functions.php file?<\/h3><\/dt>\n

                No. The plugin does not write to your theme files or ask you to save custom code. All protections are applied directly through standard WordPress hooks and filters.<\/p><\/dd>\n

                Will the hardening features conflict with other plugins?<\/h3><\/dt>\n

                Each generated hardening snippet is wrapped in a function_exists() check, so they will not conflict with functions of the same name defined elsewhere. If you are already using another plugin to handle one of the same concerns (for example, blocking XML-RPC), you can simply leave that toggle unchecked.<\/p><\/dd>\n

                What happens if I deactivate or uninstall the plugin?<\/h3><\/dt>\n

                Deactivating the plugin stops all brute-force protection and removes the security hooks. Uninstalling the plugin removes the stored plugin options from the database and cleans up legacy files from older versions if present. Your theme files are not affected in either case.<\/p><\/dd>\n

                Can I edit the generated hardening code?<\/h3><\/dt>\n

                The Code Preview tab is read-only and provided for reference only. In line with WordPress.org security guidance, the plugin does not allow administrators to store or execute arbitrary PHP, JavaScript, or CSS.<\/p><\/dd>\n

                Why is geolocation shown as \"Unknown\"?<\/h3><\/dt>\n

                Geolocation is resolved locally using PHP server extensions. If your hosting environment does not have a GeoIP extension or database available, the country value will display as Unknown. The login protection itself is not affected \u2014 all lockout logic is based on IP address, not geolocation.<\/p><\/dd>\n

                Can I unblock a locked user or IP manually?<\/h3><\/dt>\n

                Yes. Go to the Failed Logs<\/strong> tab in the plugin settings. You can remove individual entries using the Remove<\/strong> button next to each row, which will also release any active lock for that user or IP. The Clear Entries<\/strong> button removes all log entries and releases all active locks at once.<\/p><\/dd>\n

                Does refreshing the login page after a failed attempt count as another attempt?<\/h3><\/dt>\n

                No. The plugin uses a one-time token system tied to each login form submission. Refreshing the page or hitting the back button after a failed attempt does not create a new token and therefore does not count as another attempt.<\/p><\/dd>\n

                Does this plugin work with WooCommerce or other login forms?<\/h3><\/dt>\n

                The brute-force protection is applied to the standard WordPress login form at wp-login.php. Custom login forms provided by WooCommerce or membership plugins that bypass wp-login.php are not currently covered.<\/p><\/dd>\n

                Will enabling all hardening features break my site?<\/h3><\/dt>\n

                Each feature is designed to be safe to enable on a standard WordPress installation. However, a few features have functional side effects you should be aware of: blocking author archives will affect sites that use author archive pages for editorial or portfolio purposes; restricting the REST users endpoint may affect some third-party integrations that query user data publicly. Review each feature description before enabling it.<\/p><\/dd>\n

                Does the Code Preview tab run any custom code?<\/h3><\/dt>\n

                No. It only displays reference snippets based on your current hardening settings. The preview itself does not execute any user-provided code.<\/p><\/dd>\n\n<\/dl>","raw_excerpt":"All-in-one WordPress security with brute-force protection, hardening controls, and a clear failed login audit log.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/288362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=288362"}],"author":[{"embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/rashidsharafat"}],"wp:attachment":[{"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=288362"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=288362"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=288362"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=288362"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=288362"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/zgh.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=288362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}