Shakvaro Shield · Plugin Privacy

Privacy Policy

The short version: Shakvaro Shield runs inside your WordPress install and makes zero outbound calls by default. Every integration that touches the outside world is explicitly opt-in and listed below. Last updated May 30, 2026.

1. What Shakvaro Shield is

Shakvaro Shield is a WordPress plugin licensed under GPL-2.0+. It runs inside your WordPress installation on your server. Shakvaro does not host any part of the plugin's runtime, does not receive its logs, and does not see its dashboards. There is no account, no licence server, and no required telemetry.

2. What we don't collect by default

Out of the box, Shakvaro Shield makes zero outbound calls. No telemetry, no licence ping, no analytics, no auto-updates beyond what WordPress itself performs. Your dashboard, settings, scan results, and logs stay on your install.

3. Where data lives on your site

Shield stores everything in two places on your own server:

  • Custom database tables prefixed {wp_prefix}shakvaroshield_* — events, request logs, rules, configuration, encrypted secrets.
  • Folders under wp_upload_dir()['basedir']/shakvaro-shield-{backups,quarantine,config-backups}/

Uninstalling the plugin drops those tables and deletes those folders. Shakvaro keeps no copy because we never had one.

4. Third-party integrations

Every service below is opt-in and disabled by default, except the WordPress.org checksum lookup which is part of the File Integrity module and runs automatically when that module is enabled (marked Auto). Each integration only sends what is described — Shield does not include site secrets or user PII unless that data is intrinsic to the integration (e.g. a phone number for SMS).

  • WordPress.org checksums (Auto)

    Runs automatically as part of the File Integrity scan to verify core, plugin, and theme files against the official WordPress.org checksum API. Shield sends WordPress version + locale and plugin / theme slug + installed version — all public values. No user data. Disable by turning off the File Integrity module.

    Terms: n/a · Privacy: https://wordpress.org/about/privacy/

  • Have I Been Pwned (HIBP) password gate

    Used during password set / change to refuse known-breached passwords. Shield sends only the first 5 characters of the SHA-1 hash of the candidate password using HIBP's k-anonymity Range API; the full password and full hash never leave your server.

    Terms: n/a · Privacy: https://haveibeenpwned.com/Privacy

  • Google Safe Browsing

    Used during malware scans to check URLs that surface inside files against Google's threat list. Only those URLs are sent. Your site URL is not transmitted as part of the request body.

    Terms: https://policies.google.com/terms · Privacy: https://policies.google.com/privacy

  • WPScan

    Vulnerability feed source. Shield queries WPScan for plugin slugs and version strings to match advisories. Your WPScan API key is encrypted at rest in your WordPress database.

    Terms: https://wpscan.com/api/terms · Privacy: https://wpscan.com/privacy-policy

  • Patchstack

    Vulnerability feed source. Same shape as WPScan: slug + version queries, API key encrypted at rest.

    Terms: https://patchstack.com/terms-of-service · Privacy: https://patchstack.com/privacy-policy

  • NVD (NIST)

    Vulnerability feed source. Public NVD API queries by CVE (already public). NIST is a US government service and does not publish separate Terms of Service.

    Terms: n/a · Privacy: https://www.nist.gov/privacy-policy

  • Cloudflare Turnstile

    Login / form CAPTCHA. The visitor's token and IP are sent to Cloudflare for verification along with the site's Turnstile secret. Disabled by default.

    Terms: https://www.cloudflare.com/website-terms/ · Privacy: https://www.cloudflare.com/privacypolicy/

  • Google reCAPTCHA v3

    Alternate CAPTCHA option. Token and visitor IP are sent to Google along with the site's secret key. Google's frontend script also collects browser signals. Disabled by default. A built-in math-question fallback never leaves your site.

    Terms: https://policies.google.com/terms · Privacy: https://policies.google.com/privacy

  • Twilio (SMS notifications)

    If enabled, alert SMS messages are POSTed to Twilio. The destination phone number, message body, and Twilio Account SID + Auth Token go to Twilio. Credentials are encrypted at rest.

    Terms: https://www.twilio.com/legal/tos · Privacy: https://www.twilio.com/legal/privacy

  • PagerDuty

    If enabled, alerts are POSTed as PagerDuty Events. The payload includes event metadata you configure plus the routing key. Routing key is encrypted at rest.

    Terms: https://www.pagerduty.com/terms-of-service-agreement/ · Privacy: https://www.pagerduty.com/privacy-policy/

  • Datadog

    If enabled, event log entries are POSTed to Datadog's Logs API for your configured region. The API key sits in the request header. API key is encrypted at rest.

    Terms: https://www.datadoghq.com/legal/terms/ · Privacy: https://www.datadoghq.com/legal/privacy/

  • Generic webhook

    If enabled, alerts are POSTed as JSON to a URL you choose. We never see the recipient. The endpoint and any HMAC secret are encrypted at rest.

    Terms: n/a · Privacy: n/a

  • Email notifications

    Sent through your WordPress installation via wp_mail() to addresses you configure. Per-channel throttling and a daily digest mode keep volume sane.

    Terms: n/a · Privacy: n/a
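
The HIBP password gate listed above depends on a k-anonymity range lookup: only a 5-character hash prefix is transmitted and the match is made locally. The following is an added example, not Shakvaro Shield's own code, that shows which part of the SHA-1 hash leaves the server; the function names, the recording transport, and the sample response body are constructed for illustration.

```python
import hashlib

# Constructed range response for prefix 5BAA6: one "SUFFIX:COUNT" per line.
# Counts are made up; the zero-count line mimics a padding entry.
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "F" * 35 + ":0",
])


def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_body):
    """Look up the local suffix in a range response; 0 means not listed."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper() and count.isdigit():
            return int(count)  # padding entries carry a count of 0
    return 0


class RecordingTransport:
    """Hypothetical stand-in for the HTTP GET; records what would be sent."""

    def __init__(self, body):
        self.body = body
        self.sent = []

    def __call__(self, prefix):
        self.sent.append(prefix)
        return self.body


def is_breached(password, fetch_range):
    """True if the password's suffix appears in the range with count > 0."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix)) > 0


if __name__ == "__main__":
    transport = RecordingTransport(SAMPLE_RANGE_BODY)
    print(is_breached("password", transport), transport.sent)
```

Auditing outbound traffic from a site with this gate enabled should show requests carrying only the 5-character prefix, never the suffix or the candidate password.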

5. Network Intel (Shakvaro-operated, opt-in)

Shakvaro operates an optional aggregation service called Network Intel. If you turn it on in Tools & Settings, your site uploads two kinds of event:

  • Aggregated IP blocklist hits — counts of blocked source IPs across time windows, not request bodies.
  • Failed-login digests — counts grouped by source IP and target user hint, not credentials, never passwords.

In return, your site receives a curated blocklist refreshed on a schedule. The feature is off until you switch it on. Turning it off stops further uploads and clears the next blocklist sync.

Terms: https://shakvaro.com/terms · Privacy: https://shakvaro.com/privacy

6. Encryption at rest

API keys, 2FA shared secrets, trusted-device tokens, magic-link challenges, and Network Intel credentials are encrypted in the database using a key derived from your wp-config.php salts. Rotating salts re-keys these values on the next access.

7. Cookies, sessions, and login challenges

Email OTP, magic-link, and trusted-device flows store short-lived challenge rows in the database and set opaque cookies scoped to your WordPress site. WebAuthn passkey credentials follow the same lifecycle and never leave the browser's authenticator boundary.

8. Children

Shakvaro Shield is a server-side WordPress plugin intended for administrators. It does not knowingly collect personal data from anyone, including children. Opt-in integrations only collect what you direct them to collect.

9. Changes to this policy

If we change how Shakvaro Shield handles data, we'll update this page and revise the date above. Material changes will be reflected in the plugin's WordPress.org listing and in the plugin's changelog.

10. Contact

Privacy questions about Shakvaro Shield? privacy@shakvaro.com. Shakvaro Shield is built by Shakvaro (Chattogram, Bangladesh).