ArkHost Security Pack

A complete security plugin that's actually free. No "pro" version, no nag screens, no made-up threat statistics. Login Protection

• Blocks IPs after failed login attempts
• Custom login URL (hides wp-login.php)
• Hides wp-admin from logged-out users
• Honeypot field for bots
• Hides login errors (stops username enumeration)
• Email alerts for admin logins from new IPs
• Country/IP restrictions on login page

IP Control

• Whitelist and blacklist
• Auto-blacklist after repeated lockouts
• IPv4, IPv6, CIDR supported

Geo Blocking

• Block countries
• Uses free IP2Location LITE database
• One-click download

Hardening

• Disable XML-RPC
• Disable dashboard file editing
• Disable application passwords
• Restrict REST API to logged-in users
• Remove WordPress version
• Block user enumeration (?author=1 and REST API)
• Disable pingbacks/trackbacks

Security Headers X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS Two-Factor Authentication

• TOTP (Google Authenticator, Authy, etc.)
• Backup codes
• Enforce for admins

File Integrity Monitoring

• Checks WordPress core files against official checksums
• Daily scans
• Email alerts on changes

Malware Scanner

• Scans plugins, themes, uploads
• Pattern-based detection
• Quarantine suspicious files
• Weekly scans

Activity Log

• Login attempts, lockouts, blocks
• IP, country, username, timestamp
• Configurable retention
• CSV export

Tools

• Export/import settings
• Force logout all users
• Test email
• Delete readme.html/license.txt

Privacy No tracking. No analytics. No telemetry. External connections:

• WordPress.org API (core file checksums)
• IP2Location (database download, only when you click it)

1.1

• Fixed: Custom login URL form submission redirecting to 404 page
• Fixed: URL rewrite filters not being registered before login page render

1.0

• Initial release