Shakvaro Shield is a comprehensive WordPress security plugin designed to protect your site against the most common and advanced threats. It combines a Web Application Firewall (WAF), brute force protection, Two-Factor Authentication, file integrity monitoring, and a full suite of hardening checks into a single, well-organized package. Whether you run a personal blog or a high-traffic business site, Shakvaro Shield gives you enterprise-grade security without the complexity.
At the heart of Shakvaro Shield is a Web Application Firewall that loads via an auto-installed mu-plugin, allowing it to inspect and block malicious requests before WordPress and other plugins even begin to load. The firewall ships with six built-in rules covering SQL injection, cross-site scripting (XSS), directory traversal, file inclusion, and other common attack vectors. Alongside the WAF, Shakvaro Shield performs 15 security hardening checks and calculates an A-F health score so you can see your site’s security posture at a glance. Each check includes a one-click fix or clear remediation instructions, making it easy to bring your score up to an A.
Login security is where Shakvaro Shield truly shines. Brute force protection uses progressive lockouts that increase in duration with each failed attempt, effectively neutralizing automated attacks. Two-Factor Authentication supports any TOTP-compatible authenticator app and generates single-use backup codes so users are never locked out. You can also set a custom login URL to hide wp-login.php entirely, enforce password strength policies, and add CAPTCHA verification using reCAPTCHA v3, Cloudflare Turnstile, or a lightweight math-based fallback that requires no external service.
Shakvaro Shield is built for performance. The entire plugin is under 1 MB, uses PSR-4 autoloading so classes are only loaded when needed, and adds zero JavaScript or CSS to your site’s frontend. File integrity monitoring verifies WordPress core files and installed plugins against official WordPress.org checksums, alerting you to unauthorized changes. Every security-relevant action is recorded in a searchable activity log with over 30 event types, and email notifications use intelligent throttling and optional daily digests so you stay informed without inbox overload. A guided setup wizard walks you through initial configuration in under two minutes.
Shakvaro Shield can connect to the external services below. All are opt-in and default OFF unless marked “automatic”. Each entry states what is sent and links to the provider’s Terms and Privacy policy. Disable any opt-in service by un-checking it in the matching admin tab or leaving its API key empty.
Shakvaro Network Intel (own SaaS, optional) – aggregated IP reputation/blocklist + opt-in failed-login digests. Sends: SHA-256 hash of the site URL, plugin version, offending IP, hashed username. No plaintext usernames/emails/passwords/content. Endpoints: https://api.shakvaro.com/network-intel/{blocklist,report,digest}. Terms: https://shakvaro.com/terms – Privacy: https://shakvaro.com/privacy
Shakvaro WP Insights (own SaaS, optional, OFF by default, two-tier consent) – opt-in usage analytics. Sends: WP/PHP/MySQL versions, theme, locale, multisite, server, plugin version, feature on/off states + coarse buckets (hardening grade, active rule count, CAPTCHA provider), and a one-way hash of site URL+title. No IPs, usernames, emails, passwords, keys, or content. Opt out any time from Settings -> Data Sharing (sends a deletion request). Endpoint: https://track.shakvaro.cloud. Terms: https://shakvaro.com/terms – Privacy: https://shakvaro.com/wp-insights/privacy
WordPress.org checksums (automatic, file integrity) – sends WP version/locale + plugin/theme slug+version (public). Endpoints: https://api.wordpress.org/core/checksums/1.0/, https://downloads.wordpress.org/plugin-checksums/. Privacy: https://wordpress.org/about/privacy/
Have I Been Pwned – Pwned Passwords (optional) – sends only the first 5 chars of a SHA-1 password hash (k-anonymity); the plaintext password never leaves the site. Endpoint: https://api.pwnedpasswords.com/range/. Privacy: https://haveibeenpwned.com/Privacy
Cloudflare Turnstile (optional CAPTCHA) – sends the Turnstile token, user IP, and site secret key. Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify. Terms: https://www.cloudflare.com/website-terms/ – Privacy: https://www.cloudflare.com/privacypolicy/
Google reCAPTCHA v3 (optional CAPTCHA) – sends the reCAPTCHA token, user IP, and site secret key; Google’s script also collects browser signals. Endpoint: https://www.google.com/recaptcha/api/siteverify. Terms: https://policies.google.com/terms – Privacy: https://policies.google.com/privacy
WPScan (optional vulnerability data) – sends installed plugin slugs and your WPScan API token. Endpoint: https://wpscan.com/api/v3/plugins/. Terms: https://wpscan.com/terms/ – Privacy: https://automattic.com/privacy/
Patchstack (optional vulnerability data) – sends your Patchstack API key. Endpoint: https://patchstack.com/database/api/v2/vulnerabilities. Privacy: https://patchstack.com/privacy-policy/
NIST NVD (optional CVE enrichment) – sends a public CVE identifier. Endpoint: https://services.nvd.nist.gov/rest/json/cves/2.0. Privacy: https://www.nist.gov/privacy-policy
Google Safe Browsing (optional URL reputation) – sends the URLs being checked and your Safe Browsing API key. Endpoint: https://safebrowsing.googleapis.com/v4/threatMatches:find. Terms: https://policies.google.com/terms – Privacy: https://policies.google.com/privacy
PagerDuty Events (optional alerts) – sends an alert payload (title, severity, summary) and the routing key. Endpoint: https://events.pagerduty.com/v2/enqueue. Terms: https://www.pagerduty.com/terms-of-service/ – Privacy: https://www.pagerduty.com/privacy-policy/
Datadog Logs (optional log forwarding) – sends event log entries and the API key. Endpoint: https://http-intake.logs..datadoghq.com/api/v2/logs. Terms: https://www.datadoghq.com/legal/terms/ – Privacy: https://www.datadoghq.com/legal/privacy/
ip-api.com (optional GeoIP fallback) – sends the visitor IP address. Endpoint: http://ip-api.com/json/. Terms/Privacy: https://ip-api.com/docs/legal
Sucuri SiteCheck (optional URL reputation) – sends the URL being checked. Endpoint: https://sitecheck.sucuri.net/api/v3/. Terms: https://sucuri.net/terms/ – Privacy: https://sucuri.net/privacy/
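The k-anonymity lookup described in the Have I Been Pwned entry above, as an added Python example that is not the plugin's own code: only the 5-character SHA-1 prefix goes into the request, and the match against the returned suffixes happens locally. The function names and the sample response body are constructed for illustration.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # endpoint named on the page


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept on the site)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """Build the request URL; the hash prefix is the only password-derived data in it."""
    return RANGE_ENDPOINT + split_sha1(password)[0]


def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines of a range response."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip blank or malformed lines
        if candidate.upper() == suffix:
            # Responses may contain padding entries with a count of 0;
            # those are treated the same as "not found".
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6 (suffixes and counts are made up,
# except that the second suffix belongs to the SHA-1 of the string "password").
SAMPLE_RANGE_BODY = "\r\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "F" * 35 + ":0",  # padding-style entry
])

if __name__ == "__main__":
    print(range_url("password"))                         # what leaves the site
    print(breach_count("password", SAMPLE_RANGE_BODY))   # matched locally
    print(breach_count("not-in-sample", SAMPLE_RANGE_BODY))
```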