CoxWall

CoxWall is a powerful and lightweight WordPress security plugin designed to protect your website from modern security threats, brute-force attacks, malware attempts, and unauthorized access.

It provides advanced security tools including firewall protection, login hardening, security headers, file integrity monitoring, WooCommerce security, and detailed audit logging — all in an easy-to-use interface.

Whether you run a blog, business website, membership platform, or WooCommerce store, CoxWall helps keep your WordPress site secure and protected in real time.

Key Features:

• Login Protection – Limit login attempts per IP, lock out attackers, and receive email alerts.
• Hide Login – Move your login URL away from the default wp-login.php.
• CAPTCHA – Google reCAPTCHA v2 / v3 on login, registration, and WooCommerce forms.
• Firewall – Block SQLi, XSS, directory traversal, malicious bots, and XML-RPC abuse.
• Security Headers – Set X-Frame-Options, CSP, HSTS, Referrer-Policy, and more.
• File Integrity – Detect changes to WordPress core and plugin files.
• WooCommerce – Extra security for WooCommerce stores.
• Audit Log – Full event log with IP, user, and timestamp for every security event.

Why Choose CoxWall?

• Lightweight and performance-friendly
• Beginner-friendly setup
• Modern security protection
• WooCommerce compatible
• Advanced firewall system
• Detailed security logging
• Real-time protection and monitoring

CoxWall helps you secure your WordPress website with enterprise-level protection while keeping the setup simple and user-friendly.

Features:

• Login Protection
• Hide Login URL
• Google reCAPTCHA v2 / v3
• Firewall Protection
• SQL Injection (SQLi) Blocking
• XSS Attack Protection
• Directory Traversal Protection
• Malicious Bot Blocking
• XML-RPC Protection
• Security Headers Management
• Content Security Policy (CSP)
• HSTS Support
• Referrer Policy Protection
• File Integrity Monitoring
• Core File Change Detection
• Plugin File Change Detection
• WooCommerce Security
• Audit Log System
• IP Activity Logging
• User Activity Tracking
• Real-time Security Alerts
• Email Notifications
• Brute-force Protection
• Login Attempt Limiting
• IP Lockout System
• Malware Defense
• Website Hardening
• Real-time Monitoring
• WordPress Security Suite

External services

This plugin optionally connects to the following third-party / external services. Each service is only contacted when its corresponding module is enabled and the described conditions are met.

Google reCAPTCHA (Google LLC)

What it is and what it is used for:
Google reCAPTCHA is a bot-detection service. CoxWall uses it to protect the WordPress login, registration, lost-password, comment, and WooCommerce My Account forms from automated attacks.

What data is sent and when:
When the CAPTCHA module is enabled, two types of requests are made to Google:

1. Front-end (page load) – the visitor’s browser loads the reCAPTCHA JavaScript library directly from Google’s CDN (www.google.com). Google receives the visitor’s IP address, browser and device information, and the site’s public reCAPTCHA site key.
2. Back-end (form submission) – when a visitor submits a protected form, the plugin sends the reCAPTCHA response token, the site’s secret key, and the visitor’s IP address to Google’s verification endpoint (www.google.com/recaptcha/api/siteverify) to confirm the response is valid.

No data is sent if the CAPTCHA module is disabled or if no reCAPTCHA site/secret key has been configured.

Service provider links:
* Terms of Service: https://policies.google.com/terms
* Privacy Policy: https://policies.google.com/privacy
* reCAPTCHA-specific information: https://developers.google.com/recaptcha

WordPress.org Core Checksums API (WordPress.org)

What it is and what it is used for:
The WordPress.org Checksums API provides official MD5 hashes for every file in each WordPress core release. CoxWall’s File Integrity module uses these hashes to detect unauthorized modifications to core files.

What data is sent and when:
When a file integrity scan runs (manually triggered or on schedule), the plugin sends a GET request to https://api.wordpress.org/core/checksums/1.0/ containing:

• The installed WordPress version number.
• The site’s configured locale/language.

No personal data, user data, or site content is transmitted. The request retrieves a publicly available checksum list.

Service provider links:
* Privacy Policy: https://wordpress.org/about/privacy/
* API documentation: https://codex.wordpress.org/WordPress.org_API