NiyiGuard hardens WordPress at the application layer: login abuse, accountability, file integrity, browser security headers, optional rate limits, and WooCommerce-specific threats. It complements your host firewall, CDN, or WAF — it does not replace them.
Why install NiyiGuard?
- Self-hosted — security data stays on your server; no NiyiGuard account and no usage telemetry to the author.
- One dashboard — enable or disable modules (authentication, audit log, integrity, headers, rate limits, WooCommerce protection).
- For store owners — reduce fake checkouts, cart and coupon abuse, registration spam, and Store API abuse when WooCommerce is active.
- For developers — protect custom admin-post handlers, forms, and REST routes with the Security SDK (CSRF, rate limits, signed URLs, route guards).
- Fully free — no license key, beta trial, or paywalled module in 0.1.0.
What makes it different?
Many security plugins offer two-factor auth, lockouts, headers, or malware scanning. NiyiGuard does not claim to be the only plugin with those features. It stands out in three ways:
- Developer SDK — middleware-style helpers for your code paths, not only wp-admin toggles.
- WooCommerce abuse pipelines — checkout, cart, registration, and Store API protection in the same package as audit logging and login hardening.
- Privacy-first — no license server and no analytics to the author (see Privacy section below).
Longer positioning notes and reusable marketing copy: docs/WHY_NIYIGUARD.md.
Features included (0.1.0)
- Authentication hardening — login lockouts (IP and username), TOTP and email two-factor authentication, recovery codes, session tracking with remote revoke, and new-device suspicious-login email alerts.
- Security headers — HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options (each header can be toggled).
- Audit log — logins, plugin changes, role changes, selected option changes, file editor use, and WooCommerce-related actions. Admin list UI, detail view, retention, and scheduled pruning.
- File integrity monitoring — WordPress.org core checksum comparison, plugin manifest diff scans, suspicious PHP heuristics, and optional themes/uploads scopes (scheduled scans).
- Rate limiting — optional global throttling for front-end, AJAX, wp-login, and REST API traffic (wp-admin dashboard loads excluded by default).
- WooCommerce Protection — checkout, cart, registration, and Store API pipelines (velocity limits, honeypots, disposable-email checks, fraud scoring, coupon abuse). Requires WooCommerce.
- CSRF middleware and SDK — nonce verification for custom routes, forms, and REST handlers you register.
- Signed URLs — time-limited HMAC links for downloads, invites, and sensitive actions.
- Login URL disguise — optional custom login path instead of wp-login.php (off by default; test on staging first).
- Safe mode — emergency bypass via NIYIGUARD_SAFE_MODE in wp-config.php without changing saved settings.
- Health diagnostics — hooks, database tables, and module state on an admin screen.
- MU loader helper — optional must-use loader for earlier bootstrap in the request lifecycle.
The NiyiGuard → Dashboard screen includes optional links to leave a WordPress.org review or to support development (Ko-fi). Neither is required.
Developer APIs
The Security facade provides route guards, CSRF fields, rate limiters, signed URLs, and related helpers. Documented in docs/USAGE.md. Middleware applies to routes you protect — it is not automatic site-wide protection for every WordPress hook. Before production, follow docs/STAGING_TEST_PLAN.md.
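The time-limited HMAC signed links mentioned above, shown as an added stand-alone illustration rather than NiyiGuard's own Security facade: the ng_demo_* function names and the ng_res / ng_exp / ng_sig query keys are assumptions, and only core WordPress functions are used.

```php
<?php
// Added illustration of the time-limited HMAC signed-URL technique for a
// custom admin-post handler. Not NiyiGuard's Security facade: the ng_demo_*
// names and the ng_res / ng_exp / ng_sig query keys are assumptions. Uses
// only core WordPress functions (wp_salt, admin_url, add_query_arg, wp_die).

// Build an admin-post.php link for $action granting $resource for $ttl seconds.
// The HMAC covers action, resource and expiry, so altering any one of them
// (for example swapping the resource id) invalidates the signature.
function ng_demo_signed_admin_url( string $action, string $resource, int $ttl = 900 ): string {
    $expires = time() + $ttl;
    $sig     = hash_hmac( 'sha256', "$action|$resource|$expires", wp_salt( 'auth' ) );
    return add_query_arg(
        array( 'action' => $action, 'ng_res' => $resource, 'ng_exp' => $expires, 'ng_sig' => $sig ),
        admin_url( 'admin-post.php' )
    );
}

// Validate an incoming request's query. Returns the resource on success, or
// null when a field is missing, the link has expired, or the signature differs.
function ng_demo_verify_signed_request( string $action, array $query ): ?string {
    foreach ( array( 'ng_res', 'ng_exp', 'ng_sig' ) as $key ) {
        if ( ! isset( $query[ $key ] ) || '' === $query[ $key ] ) {
            return null;
        }
    }
    $expires = (int) $query['ng_exp'];
    if ( $expires < time() ) {
        return null; // expired: reject before doing any further work
    }
    $expected = hash_hmac( 'sha256', "$action|{$query['ng_res']}|$expires", wp_salt( 'auth' ) );
    // hash_equals() compares in constant time, so a forged signature cannot be refined byte by byte.
    if ( ! hash_equals( $expected, (string) $query['ng_sig'] ) ) {
        return null;
    }
    return (string) $query['ng_res'];
}

// Handler for action=ng_demo_download, reachable by logged-in and anonymous visitors.
function ng_demo_handle_download(): void {
    $resource = ng_demo_verify_signed_request( 'ng_demo_download', $_GET );
    if ( null === $resource ) {
        wp_die( 'Invalid or expired link.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Serve $resource here; it is now known to be exactly what was signed.
    exit;
}
add_action( 'admin_post_ng_demo_download', 'ng_demo_handle_download' );
add_action( 'admin_post_nopriv_ng_demo_download', 'ng_demo_handle_download' );
```

Because the key comes from wp_salt(), rotating the site's salts invalidates every outstanding link at once, which is the expected behaviour for an emergency revoke.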
Requirements
- WordPress 6.4+
- PHP 8.2+
- MySQL 5.7+ or MariaDB 10.3+ (standard WordPress database)
Privacy
NiyiGuard processes security-related data on your WordPress server (IP addresses, user agents, user IDs, audit events, session metadata, and similar fields when features are enabled). It does not sell personal data or include advertising trackers.
Third-party service
- WordPress.org Core Checksums API (https://api.wordpress.org/core/checksums/1.0/) — used for core file integrity checks; only the WordPress version and locale are sent, and responses may be cached for about 12 hours.
Email
Optional security emails (two-factor codes, suspicious-login alerts) use WordPress wp_mail() and your site’s mail configuration.
Optional donations
If you use the dashboard Ko-fi link, payment and any data you provide are handled by Ko-fi under their terms, not by NiyiGuard.
Full details: docs/PRIVACY.md in the plugin folder, and the Privacy section below.