Title: DominoGuard Security &#8211; Firewall, Malware Scanner, 2FA, Magic Links, Hide Login &amp; Activity Log
Author: Dominopress
Published: <strong>May 9, 2026</strong>
Last modified: July 4, 2026

---

Search plugins

![](https://ps.w.org/dominoguard-security/assets/banner-772x250.png?rev=3596194)

![](https://ps.w.org/dominoguard-security/assets/icon-256x256.png?rev=3596194)

# DominoGuard Security – Firewall, Malware Scanner, 2FA, Magic Links, Hide Login & Activity Log

 By [Dominopress](https://profiles.wordpress.org/dominopress/)

[Download](https://downloads.wordpress.org/plugin/dominoguard-security.2.0.0.zip)

 * [Details](https://test.wordpress.org/plugins/dominoguard-security/#description)
 * [Reviews](https://test.wordpress.org/plugins/dominoguard-security/#reviews)
 *  [Installation](https://test.wordpress.org/plugins/dominoguard-security/#installation)
 * [Development](https://test.wordpress.org/plugins/dominoguard-security/#developers)

 [Support](https://wordpress.org/support/plugin/dominoguard-security/)

## Description

**DominoGuard Security** is an all-in-one, modern security solution for WordPress.
Built with a beautiful, decoupled React.js dashboard, it provides enterprise-grade
security features without bloating your website or slowing down your database. Unlike
other security plugins that overwhelm you with confusing settings and bloated logs,
DominoGuard is laser-focused on actionable insights and top-tier protection.

### Detailed Feature Breakdown

### 1. Web Application Firewall (WAF)

Block malicious traffic before it even reaches your WordPress database.
 * **Basic
Firewall Exploit Protection**: Silently detects and blocks bad actors attempting
to use `../` directory traversal commands to read sensitive server files, and blocks
SQL Injection (SQLi) and XSS patterns in query strings. * **Smart Rate Limiting**:
Automatically blocks IP addresses that make an excessive number of requests (e.g.,
more than 60 requests in 1 minute). Both the request limit and time frame are fully
customizable. * **404 Lockout (Bot Scanner Detection)**: Immediately blocks aggressive
bots and vulnerability scanners that generate too many 404 Not Found errors within
a short period. * **Geo-IP Blocking**: Stop traffic from entire high-risk countries.
Simply enter a comma-separated list of 2-letter country codes (e.g., RU, CN) and
all traffic from those regions will be dropped. * **IP Blocklist**: Permanently 
ban specific, known malicious IP addresses from ever viewing or interacting with
your website.

### 2. Advanced Authentication (2FA & Passwordless)

Secure your front door with modern, impenetrable authentication standards.
 * **
True Two-Step Authentication (TOTP) [PRO]**: Users can scan a QR code in their WordPress
profile using Google Authenticator, Authy, or any TOTP app. DominoGuard uses a secure,
modern Two-Step interstitial redirection flow that prevents bypasses and hides the
2FA fields from the main login screen. * **Email 2FA**: Send a secure, time-sensitive
6-digit code to the user’s email address upon login. * **Limit Login Attempts (Brute
Force Protection)**: Automatically block IP addresses for a specified duration after
they fail to log in 5 times continuously. Modifying these limits is a **[PRO]** 
feature. * **Force Password Resets**: In the event of a breach or security audit,
administrators can instantly force every single user on the website to reset their
password upon their next login. * **Enforce Strong Passwords**: Force all users 
to create passwords that are at least 12 characters long and contain both letters
and numbers.

### 3. Temporary Logins & Magic Links

 * **Magic Link Login (Passwordless Entry)**: Stop relying on easily guessable passwords!
   When enabled, administrators simply type in their username to receive a cryptographically
   secure, temporary Magic Link via email. Clicking the link logs them securely 
   into the dashboard without ever needing a password. (Setting durations longer
   than 7 days is **[PRO]**)
 * **Temporary User Maker**: Need to give a developer or support agent temporary
   access to your site? Generate a temporary account that will automatically delete
   itself after a specified duration. (Generating more than 2 temporary users is**[
   PRO]**)

### 4. Malware & Integrity Scanners

Ensure your WordPress installation hasn’t been compromised.
 * **Core File Verification**:
Scans your WordPress core files against the official WordPress.org checksums. It
immediately alerts you if a hacker has modified a core file to hide a backdoor. ***
Malware Signature Scanner**: Performs a deep scan of your `wp-content` directory,
hunting for known PHP backdoors, obfuscated code, `eval()` injections, and base64
payloads. * **File Integrity Monitoring (FIM)**: Creates a cryptographic baseline
of your critical files (`wp-config.php`, `.htaccess`, plugins, and themes). If a
file is modified, deleted, or added without your permission, FIM will detect it 
and alert you.

### 5. Access Control

Control exactly who has access to your site and for how long.
 * **Role-Based Access
Control (RBAC) [PRO]**: Strictly define what each WordPress user role (Editor, Author,
Contributor) is allowed to do. You can toggle capabilities like `edit_posts`, `delete_posts`,
and `upload_files` with granular precision.

### 6. Advanced Activity Log (Audit Trail)

Keep a watchful eye over your entire WordPress ecosystem. The Activity Log acts 
as a digital security camera, recording who did what, and when they did it.
 * **
Deep Event Tracking**: We don’t just log logins. DominoGuard tracks when posts are
deleted, when post statuses change, when settings are altered, when themes are switched,
and when plugins are activated or deactivated. * **Automated Log Retention**: Keep
your database lean. Set a rule to automatically purge logs older than 30, 60, or
90 days. * **CSV Export [PRO]**: Export your entire activity log to a CSV file for
compliance or external auditing. * **Instant Email Alerts**: Toggle on Email Alerts
to get instantly notified whenever a highly critical event occurs.

### 7. Active Sessions Manager

Have complete control over who is logged into your website at this exact moment.
***
Real-time Session Tracking**: View a comprehensive list of every active login session
on your site, complete with the user’s IP Address, Login Date, and the exact Expiration
Date of their session cookie. * **Remote Session Termination [PRO]**: Click the 
red “Terminate” button to instantly destroy any session and kick the user out of
the dashboard.

### 8. WordPress Hardening & Stealth

Remove the low-hanging fruit that automated bots look for.
 * **Custom Secret Login
Slug**: Change your login URL to a secret word of your choosing. Anyone who attempts
to visit `wp-login.php` will be intercepted and redirected to a 404 page. * **HTTP
Security Headers**: Automatically applies essential headers (X-Frame-Options, X-
Content-Type-Options, HSTS, X-XSS-Protection) to prevent clickjacking and data interception.***
Disable Application Passwords**: Completely removes the REST API Application Passwords
feature, closing a potential backdoor for unauthorized remote access. * **Disable
File Editor**: Prevents hackers from editing plugin and theme files directly from
the WordPress dashboard if they manage to steal an admin account. * **Block PHP 
in Uploads**: Places a secure `.htaccess` file in your `wp-content/uploads/` directory
to prevent attackers from executing uploaded PHP backdoors. * **Disable XML-RPC**:
XML-RPC is a massive vector for brute force and DDoS pingback attacks. DominoGuard
lets you disable it completely. * **Disable REST API Users Endpoint**: Prevents 
unauthorized bots from scraping your `/wp-json/wp/v2/users` endpoint to steal user
data. * **Block User Enumeration**: Blocks `/?author=1` scans to keep your usernames
private. * **Hide WordPress Version**: Removes the WP version generator meta tag
to prevent attackers from targeting known vulnerabilities. * **Disable Trackbacks/
Pingbacks**: Stops DDoS and spam attacks originating from legacy pingback methods.

#### Why Choose DominoGuard?

Many security plugins suffer from excessive bloat, storing gigabytes of useless 
log data and injecting heavy CSS/JS files onto the frontend of your website. DominoGuard
takes a modern approach:
 1. **Frontend Performance**: We load absolutely ZERO assets
on the frontend of your website. Your page speed remains untouched. 2. **Backend
Performance**: We use a decoupled React interface for a blazing-fast dashboard experience
that doesn’t rely on clunky page reloads.

## Screenshots

[[

[[

[[

[[

[[

[[

[[

[[

[[

[[

[[

[[

## Installation

 1. Upload the `dominoguard-security` directory to your `/wp-content/plugins/` directory,
    or install it directly via the WordPress Plugins menu.
 2. Activate the plugin through the ‘Plugins’ menu in WordPress.
 3. A new “DominoGuard” menu will appear in your sidebar.
 4. Navigate to the dashboard to configure your Custom Login URL, enable the Activity
    Log, run a Malware Scan, and set up your Firewall.

## FAQ

### How does the Custom Login URL work?

When you set a Custom Login Slug (e.g., `secret-login`), anyone visiting the standard`
wp-login.php` page will be automatically redirected. You will only be able to log
in by visiting `yoursite.com/secret-login`.

### Does the Activity Log slow down my database?

No. Our Activity Log is designed to ignore “noisy” background options that flood
typical security plugins. You can also set an Automated Retention Rule to automatically
purge old logs so your database never grows out of control.

### How do I terminate a user’s session?

Navigate to the “Active Sessions” tab. You will see a list of every user currently
logged in. Simply click the red “Terminate” button next to their name, and they 
will be instantly logged out.

### What is the difference between Core File Verification and the Malware Scanner?

The **Core File Verification** strictly checks the integrity of official WordPress
files (`wp-includes` and `wp-admin`) by comparing their cryptographic hashes against
the official WordPress.org servers. The **Malware Signature Scanner** does a deep
scan of your custom files (`wp-content`, plugins, and themes) looking for known 
backdoor codes, obfuscated strings, and malicious payloads.

## Reviews

![](https://secure.gravatar.com/avatar/dd8cef4c70bb3a14f5922eb54c92a8166947a303f44eb4a89a954cee4defad6f?
s=60&d=retro&r=g)

### 󠀁[Great and works silent](https://wordpress.org/support/topic/great-and-works-silent/)󠁿

 [tinaponting](https://profiles.wordpress.org/ponting/) July 6, 2026

This a plugin that make sleep smooth!

 [ Read all 1 review ](https://wordpress.org/support/plugin/dominoguard-security/reviews/)

## Contributors & Developers

“DominoGuard Security – Firewall, Malware Scanner, 2FA, Magic Links, Hide Login &
Activity Log” is open source software. The following people have contributed to 
this plugin.

Contributors

 *   [ Dominopress ](https://profiles.wordpress.org/dominopress/)

[Translate “DominoGuard Security – Firewall, Malware Scanner, 2FA, Magic Links, Hide Login & Activity Log” into your language.](https://translate.wordpress.org/projects/wp-plugins/dominoguard-security)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/dominoguard-security/),
check out the [SVN repository](https://plugins.svn.wordpress.org/dominoguard-security/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/dominoguard-security/)
by [RSS](https://plugins.trac.wordpress.org/log/dominoguard-security/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.0.0

 * Major Overhaul: Introduced ultra-fast React.js Dashboard UI.
 * Added Web Application Firewall (WAF) with Smart Rate Limiting, Geo-IP Blocking,
   404 Lockout, and Exploit Protection.
 * Added Comprehensive Authentication Suite: TOTP 2FA, Email 2FA, Magic Links, Force
   Password Resets, and Strong Password Enforcement.
 * Added Core File Verification, Malware Signature Scanner, and File Integrity Monitoring(
   FIM).
 * Added Temporary User Maker and Role-Based Access Control (RBAC).
 * Added Extensive Hardening Features: HTTP Security Headers, Disable App Passwords,
   Block PHP in Uploads, and more.
 * Added Advanced Activity Log with deep Event Tracking, CSV Export, Search, and
   Auto-Purge Rules.
 * Added Active Sessions Manager with one-click Remote Session Termination.
 * Added Hide Login Page (Custom Login URL & Redirection) feature.

#### 1.0.0

 * Initial Release.

## Meta

 *  Version **2.0.0**
 *  Last updated **3 days ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.8 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/dominoguard-security/)
 * Tags
 * [2FA](https://test.wordpress.org/plugins/tags/2fa/)[Activity Log](https://test.wordpress.org/plugins/tags/activity-log/)
   [firewall](https://test.wordpress.org/plugins/tags/firewall/)[malware scanner](https://test.wordpress.org/plugins/tags/malware-scanner/)
   [security](https://test.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://test.wordpress.org/plugins/dominoguard-security/advanced/)

## Ratings

 5 out of 5 stars.

 *  [  1 5-star review     ](https://wordpress.org/support/plugin/dominoguard-security/reviews/?filter=5)
 *  [  0 4-star reviews     ](https://wordpress.org/support/plugin/dominoguard-security/reviews/?filter=4)
 *  [  0 3-star reviews     ](https://wordpress.org/support/plugin/dominoguard-security/reviews/?filter=3)
 *  [  0 2-star reviews     ](https://wordpress.org/support/plugin/dominoguard-security/reviews/?filter=2)
 *  [  0 1-star reviews     ](https://wordpress.org/support/plugin/dominoguard-security/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/dominoguard-security/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/dominoguard-security/reviews/)

## Contributors

 *   [ Dominopress ](https://profiles.wordpress.org/dominopress/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/dominoguard-security/)