WordPress security, done right.
Firewall, hardening, 2FA, malware scanning, and a vulnerability feed in one ~1 MB plugin. No bloat, no nag screens, no phone-home by default.
What's inside
A full security stack, in one plugin
Web Application Firewall
A mu-plugin loader runs before WordPress. Six built-in rules block SQLi, XSS, directory traversal, file inclusion, PHP code injection, and user enumeration.
Hardening Audit
15 checks rolled into an A–F grade. One-click fixes for file edit lockdown, salt rotation, REST user exposure, XML-RPC, security headers, and more.
Login Security
Progressive lockouts, TOTP 2FA + backup codes, custom login URL, Turnstile / reCAPTCHA, HIBP password gate, Email OTP, magic links, WebAuthn passkeys.
Malware Scanning
Signature DB plus heuristic analyzer, optional Google Safe Browsing URL reputation. Threats are quarantined to uploads; cleanup is PathGuard-protected.
File Integrity
Verifies WordPress core and plugin files against the official WordPress.org checksum API. Tampering surfaces in the Threats tab.
Vulnerability Feed
Pulls advisories from WPScan, Patchstack, and NVD (opt-in). API keys are encrypted at rest. Matched CVEs surface next to each plugin.
Activity & Request Logs
30+ event types, a live-stream tab over SSE, and CSV export. Every log entry stays on your install — not on ours.
Compliance Reports
PCI and GDPR reports as proper PDFs, generated on demand. Useful for audits without a separate compliance tool.
Notifications
Email (throttled + daily digest), SMS via Twilio, PagerDuty, Datadog, or generic webhook. All channels are opt-in and configurable.
~1 MB
Compressed plugin size — no asset bloat
PSR-4 · DI
Container-driven, namespaced architecture
GPL-2.0+
Free, auditable, fork-friendly
How it works
Hardened WordPress in three steps
Install the plugin
Upload the zip or install from WordPress.org. PHP 7.4+, WordPress 6.5+, multisite-ready.
Loader self-installs
Shakvaro Shield writes a mu-plugin loader so the firewall runs before WordPress on every request. Atomic, syntax-validated, ownership-marked.
Grade, fix, breathe
On your first dashboard hit, Shield runs the hardening audit and starts blocking. Apply one-click fixes to lift the grade.
Doesn't phone home. Doesn't need to.
Shakvaro Shield ships with zero outbound calls by default. No telemetry, no licence checks, no analytics. Every integration that touches the outside world — vulnerability feeds, HIBP, Safe Browsing, SMS, our Network Intel SaaS — is explicitly opt-in and described in the privacy policy.
Inside the admin
A grade for the whole site
The dashboard runs Shield's 15 hardening checks and rolls them up into a single A–F grade. Each failed check has a one-click fix or a clear explanation if it can't be auto-applied.
- Dashboard — overview, grade, recent activity
- Protection — WAF rules, hardening checks
- Threats — quarantine, integrity findings
- Activity — events, request log, live SSE stream
- Compliance — PCI / GDPR reports
- Tools & Settings — integrations, notifications, exports
Optional · Network Intel
A shared blocklist that gets stronger with every site
If you turn it on, Shield uploads aggregated IP blocklist hits and failed-login digests to our Network Intel SaaS, and pulls a curated blocklist back. It's a single toggle, off by default, and the privacy policy lays out exactly what crosses the wire.
Questions
Honest answers
Yes. Shakvaro Shield is GPL-2.0+, free forever, and ships every feature listed here in the public release. There is no licence ping and no upgrade nag.
Cloudflare runs at the edge and Shield runs at the application layer, so they complement each other. Don't run two application-layer WAFs at once — disable any other WordPress security plugin's firewall before activating Shield's.
Everything stays on your WordPress install. Logs, scan results, and settings live in custom database tables, and quarantined files sit in your uploads directory. The Network Intel SaaS only receives data when you explicitly opt in.
PHP 7.4 or newer, WordPress 6.5 or newer. Multisite is tested. The plugin is PSR-4, container-driven, and ~1 MB compressed.
Yes. Uninstalling removes the mu-plugin loader, drops Shield's database tables, and deletes the backup, quarantine, and config-backup directories from your uploads folder.
Free · GPL-2.0+ · ~1 MB
Harden WordPress in five minutes.
Drop in the plugin and you'll have a firewall, hardening audit, and login security running before your next cup of coffee.
WordPress 6.5+/PHP 7.4+/Multisite

