ZA Creative Login Shield

ZA Creative Login Shield is a comprehensive security plugin that protects your WordPress site against brute force attacks, unauthorized access, and credential stuffing. It provides multiple layers of defense with an intuitive dashboard.

Key Features

• Two-Factor Authentication (2FA) – Email OTP and Google Authenticator (TOTP) support with per-role enforcement.
• Login Rate Limiting – Automatically block IPs after configurable failed attempts with adjustable lockout duration.
• IP Blocking & Whitelist – Manual and automatic IP blocking with dedicated whitelist management and Cloudflare IP range import.
• Custom Login URL – Hide wp-admin and wp-login behind a custom slug to block automated attacks.
• Security Dashboard – Weighted security score (100 pts), 14-day stacked bar analytics, recommendations engine, and quick actions.
• Password Policy – Enforce minimum length, uppercase, lowercase, digits, and special characters.
• Session Management – Track active sessions with idle timeout enforcement.
• Device Fingerprinting – Detect and track known devices with alerts for new device logins.
• Emergency Lockdown – One-click full site lockdown with IP whitelist override.
• Country Intelligence – GeoIP lookup via ip-api.com to display country codes on login attempts and blocked IPs.
• Audit Trail – Complete action log for security events (settings changes, blocks, lockdown, reports).
• Scheduled Reports – Daily, weekly, or monthly email security summaries.
• Setup Wizard – Guided 5-step onboarding to configure core protections quickly.
• Dashboard Widgets – At-a-glance security score and recent activity on the WordPress admin dashboard.
• CSV Export – Export login attempt logs for external analysis.

Integrations

• Cloudflare – One-click import of Cloudflare IP ranges to restore real visitor IPs.
• ip-api.com – Free GeoIP country lookup (no API key required).

Privacy

This plugin stores the following information:

• Login attempt records
• IP addresses
• Device fingerprint identifiers (opt-in, disabled by default)
• Audit trail events
• Two-factor authentication status

All data is stored locally inside the WordPress database.

Country information may be retrieved via ip-api.com if GeoIP is enabled (opt-in, disabled by default). Cloudflare API requests (manual admin action) send no visitor data.

Site administrators are responsible for complying with local privacy laws.

Full data removal on uninstall (all database tables and options cleaned up).

External Services

This plugin uses the following external services:

Cloudflare API

• Purpose: Fetch Cloudflare IP ranges for restoring real visitor IPs behind Cloudflare proxy.
• Data Sent: None beyond the standard HTTP request to api.cloudflare.com.
• Trigger: Manual admin action (button click on settings page).
• Privacy Policy: https://www.cloudflare.com/privacypolicy/
• Terms of Service: https://www.cloudflare.com/website-terms/

ip-api.com

• Purpose: GeoIP country code lookup for login attempts and blocked IPs.
• Data Sent: Visitor IP address.
• Trigger: Any login attempt when GeoIP is enabled in settings (opt-in, disabled by default).
• Terms of Service: https://ip-api.com/docs/legal
• Privacy Policy: https://ip-api.com/docs/legal