GhostGate

GhostGate is a lightweight yet powerful WordPress security plugin that eliminates the login page as an attack surface. Instead of just defending, it erases the entrance entirely with dynamic login URLs and multi-layer access verification.

• 🔒 Hide your login URL with a custom slug and time-based code
• 🔑 Built-in 2FA via email verification
• 🚫 Auto-block brute force attacks by IP
• 🧱 Disable/limit unused endpoints like XML-RPC and REST API
• 👤 Prevent user enumeration via REST, RSS, and author queries
• 🔍 Visualize security status and detect conflicts
• 📜 Activity logs with optional file rotation

GhostGate doesn’t just defend — it disappears.
Invisible to bots. Intuitive for users.

👉 Full features / screenshots / pricing / docs:
https://arce-experience.com/product/

Privacy

GhostGate can store the following data locally on your site to provide rate-limiting and security auditing:
– IP addresses (for temporary throttling / block lists)
– Timestamps and event metadata (login attempts, REST/XML-RPC hits)
– Optional log files under wp-content/uploads/ghostgate/logs (if enabled)

No data is sent to third-party services.
Site owners are responsible for informing users/visitors where required by local laws. You can clear blocks/logs from the admin UI or by deleting the log files.

1. Upload the plugin folder to /wp-content/plugins/ghostgate
2. Activate the plugin via the Plugins menu
3. Go to GhostGate > Settings and configure your gate logic
4. Optionally enable 2FA, IP blocking, REST/API controls, and more

Need help with setup?
See the installation & setup video:
https://arce-experience.com/product/

1. 

   Admin settings page with tabbed UI

2. 

   Security status diagnostics

3. 

   IP block log and unblock controls

4. 

   Access code input screen for login URL (e.g., date-based code)

5. 

   Security explanation tab

1.3.2 – 2025-09-24

• Fix – Resolved “Undefined variable $user_login / $errors” warnings on the login screen when using the custom login slug or pre-login code screen. The plugin now pre-initializes wp-login.php globals and sets $pagenow before loading the core login template.
• Fix – Prevented potential “headers already sent” issues by ensuring no output occurs before redirects or the core login inclusion in the 2FA/login slug flow.
• Improvement – Hardened login flow compatibility with core by preparing required globals when the plugin takes over the authentication path.
• Improvement – Minor internal refactors around request path normalization and IP detection to reduce edge cases in server environments.
• Dev – No database changes. Backward compatible with 1.3.1.

1.3.0 – 2025-09-22

• Security: Strengthened “Hide wp-json structure” — allowlist now stores only actually registered routes (including regex routes) and never breaks parameterized patterns.
• Fix: Route allowlist UI now correctly preserves selections for regex endpoints such as /gbrl/v1/notify/(?P<slug>[^/]+) and nested variants.
• Fix: Resolved rare fatal error on “Unblock IP” admin action by hardening input handling (supports single ip and ip[], sanitizes/validates IPv4/IPv6, safe redirect).
• Dev: Added ghostgate_sanitize_allowed_routes() and ghostgate_sanitize_allowed_prefixes(); introduced a temporary bypass flag so the settings UI can enumerate all routes without being filtered by itself.
• Dev: Always whitelists / root in rest_endpoints filter; normalized custom prefixes (auto-leading slash, condensed duplicate slashes).
• Perf: Reduced overhead when building the REST route list on the settings page.
• Tweak: Copy and help text polish in settings; minor CSS/UI adjustments.
• Tested: Confirmed compatibility with WordPress 6.8.

1.2.1

• Tweak: Added brand header (logo + subtitle) to the code entry screen with Retina and dark mode support, plus minor a11y improvements.
• Tweak: Minor CSS polish.

1.2.0

• New: Added an option to block direct access to preview URLs with a 403 response (Settings → GhostGate → “Block preview display”).
• Dev: Added removal of the new option (ghostgate_block_preview) to uninstall.php.
• Tweak: Minor adjustments to settings UI descriptions.

1.1.1

• Maintenance and compliance improvements (enqueue scripts/styles; minor fixes)
• UI/diagnostics polish
• Tested up to WordPress 6.8

1.1.0

• REST/JSON structure stealth options (allowlist & prefix-based allow)
• Improved status diagnostics and defaults for rate limits

1.0.0

• Initial public release
• Dynamic login URL gate, 2FA email code
• IP restriction + logs, REST API and XML-RPC shielding
• Status analyzer and conflict detector

➡ Full changelog (latest): https://arce-experience.com/changelog/#ghostgate