Fixes the scan progress modal appearing hidden behind its backdrop. No functional changes.<\/p>","0.1.5":"
Scan-control REST endpoints now enforce the Operator gate in their permission_callback. No change to the security features themselves.<\/p>","0.1.4":"
Guidelines compliance: retention is now a free setting, no features are gated, and all JS\/CSS is enqueued. No change to the security features themselves.<\/p>","0.1.3":"
Plugin Check round-2 cleanup. No functional changes.<\/p>","0.1.2":"
Plugin Check \/ WordPress.org coding-standards cleanup. No functional or behavioural changes.<\/p>","0.1.1":"
Security hardening release. Removes third-party transmission of the 2FA secret, closes XML-RPC\/application-password bypass for 2FA users, hashes recovery codes, adds brute-force throttling, and upgrades the audit chain to HMAC. Upgrade promptly.<\/p>","0.1.0":"
First release.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3583851,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3583851,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3583851,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3583851,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.5","0.1.6"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Six-card security dashboard.","2":"Vulnerability scan results.","3":"File-integrity drift findings with re-baseline.","4":"Hardening checklist with one-click fixes.","5":"Tamper-evident audit log.","6":"\"More Security\" page \u2014 information about the separate Ghostables Defender plugin.","7":"Setup wizard."}},"plugin_section":[],"plugin_tags":[168808,31093,600,1909,139069],"plugin_category":[54],"plugin_contributors":[268617],"plugin_business_model":[],"class_list":["post-325268","plugin","type-plugin","status-publish","hentry","plugin_tags-file-integrity","plugin_tags-hardening","plugin_tags-security","plugin_tags-two-factor-authentication","plugin_tags-vulnerability-scanner","plugin_category-security-and-spam-protection","plugin_contributors-ghostables","plugin_committers-ghostables"],"banners":{"banner":"https:\/\/ps.w.org\/ghostables-defender-lite\/assets\/banner-772x250.png?rev=3583851","banner_2x":"https:\/\/ps.w.org\/ghostables-defender-lite\/assets\/banner-1544x500.png?rev=3583851","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/ghostables-defender-lite\/assets\/icon-128x128.png?rev=3583851","icon_2x":"https:\/\/ps.w.org\/ghostables-defender-lite\/assets\/icon-256x256.png?rev=3583851","generated":false},"screenshots":[],"raw_content":"\n
Ghostables Defender Lite<\/strong> is a free, fully functional security plugin for WordPress. Nothing in it is locked, limited, or gated behind a licence \u2014 every feature below works out of the box:<\/p>\n\n Built by Ghostables Ltd<\/a>. Opinionated about defaults. Honest about what each setting actually does.<\/p>\n\n No. Defender Lite is free and complete \u2014 no nag screens, no crippled features, no trial period, no usage quota. The audit-log retention period is a setting you control (default 90 days; set it to keep everything forever). Every feature listed above is the real thing.<\/p>\n\n Yes \u2014 Ghostables Defender<\/strong> is a separate, more advanced plugin distributed from ghostables.io<\/a>. It is not part of this plugin and is not required to use Defender Lite. It adds capabilities such as a behavioural firewall, malware quarantine, Cloudflare edge sync, webhook alerts, encrypted backups, and more. The \"More Security\" page inside Defender Lite lists what it adds, purely for information.<\/p>\n\n If you install the separate Ghostables Defender plugin, Defender Lite steps aside automatically so the two don't run side by side. Your settings (Operator PIN, hardening fixes, baseline, audit chain) are preserved across the handover. Defender Lite remains free and fully functional whether or not you ever install it.<\/p>\n\n This plugin connects to one external service: the public WordPress Vulnerability Database operated by the WPVulnerability project at No other outbound network traffic originates from this plugin. The two-factor QR code is rendered locally in the operator's browser using a vendored MIT-licensed JavaScript library \u2014 the TOTP secret is never transmitted to any third party.<\/p>\n\n\n Lite calls one external service: the public WordPress Vulnerability Database at wpvulnerability.net, to look up disclosed vulnerabilities for each installed plugin, theme, and your WordPress core version. No API key, no site URL, no admin email \u2014 only the slug being queried and a User-Agent identifying the plugin version. Each lookup is cached locally for 24 hours. See the \"External services\" section above for the full disclosure.<\/p>\n\n The two-factor QR code is rendered locally in your browser; the TOTP secret never leaves your WordPress install.<\/p><\/dd>\n The scans run on cron (twice-daily CVE check, daily integrity scan). Runtime hardening is a handful of cheap filter hooks. No page-load impact you'll measure.<\/p><\/dd>\n The hardening checklist tells you what each fix does before you click it. Every one-click fix is reversible by editing wp-config.php or unchecking the option. Defaults are conservative \u2014 nothing is enforced site-wide on first install except the Operator gate, which only restricts Defender's own settings.<\/p><\/dd>\n Technically yes, but running multiple security plugins is usually counterproductive \u2014 they fight over the same hooks. Run one, run it well.<\/p><\/dd>\n Each row's row_hash is an HMAC-SHA-256 over the previous row's hash plus the row's own fields, keyed with a 32-byte chain key. The chain key is either (a) the \n
Is anything locked or limited?<\/h4>\n\n
Is there a more advanced version?<\/h4>\n\n
Coexistence with the separate plugin<\/h4>\n\n
External services<\/h3>\n\n
https:\/\/www.wpvulnerability.net\/<\/code>.<\/p>\n\n\n
https:\/\/www.wpvulnerability.net\/plugin\/{slug}\/<\/code>, https:\/\/www.wpvulnerability.net\/theme\/{slug}\/<\/code>, or https:\/\/www.wpvulnerability.net\/core\/{wp-version}\/<\/code> \u2014 one URL per installed component being checked. The request body is empty. The only request headers are Accept: application\/json<\/code> and a User-Agent of the form GhostablesDefenderLite\/<plugin version><\/code>. No site URL, no admin email, no IP-derived identifier \u2014 only the slug of the component being queried and the User-Agent itself.<\/li>\n\n
ghostables-defender-lite<\/code> to \/wp-content\/plugins\/<\/code> (or install via Plugins \u2192 Add New)<\/li>\n\n
Does Defender Lite phone home?<\/h3><\/dt>\n
Will Lite slow my site down?<\/h3><\/dt>\n
Will Lite break my site?<\/h3><\/dt>\n
Does it work alongside Wordfence \/ iThemes \/ Sucuri?<\/h3><\/dt>\n
Is the audit log really tamper-evident?<\/h3><\/dt>\n
GDEF_LITE_AUDIT_KEY<\/code> constant in your wp-config.php<\/code>, or (b) auto-generated and stored as a WordPress option on first use. An attacker with database write access can delete or modify a row, but cannot quietly recompute the following row's HMAC without the key \u2014 so the next row's stored hash will no longer match, and the break is visible from Settings \u2192 Operator \u2192 Chain status. For the strongest guarantee, set GDEF_LITE_AUDIT_KEY<\/code> in wp-config.php<\/code> so the key never lives in the database alongside the rows it signs.<\/p><\/dd>\nHow do I get the separate Ghostables Defender plugin?<\/h3><\/dt>\n