Description
Ghostables Defender Lite is a free, fully functional security plugin for WordPress. Nothing in it is locked, limited, or gated behind a licence — every feature below works out of the box:
- Continuous vulnerability scanning against installed plugins, themes, and WordPress core
- Cryptographic file integrity baseline with daily drift detection
- WordPress hardening checklist with one-click safe fixes
- Per-user TOTP two-factor authentication (Google Authenticator, Authy, 1Password)
- Tamper-evident audit log — events are linked together so any deletion is detectable, with a free, user-configurable retention period
- Operator gate — a PIN above WordPress admin so a compromised super-admin cannot silently disable the plugin
Built by Ghostables Ltd. Opinionated about defaults. Honest about what each setting actually does.
Is anything locked or limited?
No. Defender Lite is free and complete — no nag screens, no crippled features, no trial period, no usage quota. The audit-log retention period is a setting you control (default 90 days; set it to keep everything forever). Every feature listed above is the real thing.
Is there a more advanced version?
Yes — Ghostables Defender is a separate, more advanced plugin distributed from ghostables.io. It is not part of this plugin and is not required to use Defender Lite. It adds capabilities such as a behavioural firewall, malware quarantine, Cloudflare edge sync, webhook alerts, encrypted backups, and more. The “More Security” page inside Defender Lite lists what it adds, purely for information.
Coexistence with the separate plugin
If you install the separate Ghostables Defender plugin, Defender Lite steps aside automatically so the two don’t run side by side. Your settings (Operator PIN, hardening fixes, baseline, audit chain) are preserved across the handover. Defender Lite remains free and fully functional whether or not you ever install it.
External services
This plugin connects to one external service: the public WordPress Vulnerability Database operated by the WPVulnerability project at https://www.wpvulnerability.net/.
- What is sent: an HTTP GET request to https://www.wpvulnerability.net/plugin/{slug}/, https://www.wpvulnerability.net/theme/{slug}/, or https://www.wpvulnerability.net/core/{wp-version}/ — one URL per installed component being checked. The request body is empty. The only request headers are Accept: application/json and a User-Agent of the form GhostablesDefenderLite/<plugin version>. No site URL, no admin email, no IP-derived identifier — only the slug of the component being queried and the User-Agent itself.
- What is received: a JSON record listing publicly disclosed vulnerabilities affecting that single component, with affected version ranges and severity scores. The plugin compares this against the locally-installed version and stores any open findings in the plugin’s own database table.
- When it is sent: at most once per installed component per 24 hours. Each per-slug response is cached locally in a WordPress transient, so the twice-daily scan cron only triggers fresh HTTP requests when the cache has expired.
- Service provider: The WPVulnerability Project (operated by ROBOTSTXT and contributors). Service licence (EUPL v1.2, GPL-compatible): https://www.wpvulnerability.com/license/. Privacy policy: https://www.wpvulnerability.com/privacy/.
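As an added example (not the plugin's code), the lookup flow the list above describes, modelled in Python: one GET per component with only the slug or core version in the path, the two headers named above, and a per-slug 24-hour cache standing in for the WordPress transient. The wpvulnerability.net response schema is not shown on this page, so the record format used here is a constructed stand-in, and the plugin version in the User-Agent is assumed.

```python
import re
import time

USER_AGENT = "GhostablesDefenderLite/0.1.6"  # page's format; the version is assumed
CACHE_TTL = 24 * 3600                       # at most one fresh request per slug per day
_cache = {}                                 # stand-in for WP transients: key -> (expiry, record)

def build_request(kind, slug):
    """Return (url, headers) for one component: only the slug (or core version) is
    sent, and a strict allow-list keeps it from altering the request path."""
    if kind not in ("plugin", "theme", "core") or not re.fullmatch(r"[a-z0-9][a-z0-9.-]*", slug):
        raise ValueError("refusing to query %r/%r" % (kind, slug))
    url = "https://www.wpvulnerability.net/%s/%s/" % (kind, slug)
    return url, {"Accept": "application/json", "User-Agent": USER_AGENT}

def lookup(kind, slug, fetch, now=None):
    """Return (record, fetched). fetch(url, headers) runs only after the cache expires."""
    now = time.time() if now is None else now
    hit = _cache.get(kind + ":" + slug)
    if hit and hit[0] > now:
        return hit[1], False
    url, headers = build_request(kind, slug)
    record = fetch(url, headers)
    _cache[kind + ":" + slug] = (now + CACHE_TTL, record)
    return record, True

def _vt(version):
    return tuple(int(p) for p in version.split("."))

def open_findings(installed, record):
    """Keep the entries whose affected range covers the installed version.
    The record shape is CONSTRUCTED for this example, not the service's schema."""
    v = _vt(installed)
    return [f for f in record["vulnerabilities"] if _vt(f["from"]) <= v <= _vt(f["to_inclusive"])]

SAMPLE_RECORD = {"vulnerabilities": [   # constructed response for a fictional plugin
    {"title": "stored XSS in settings page", "from": "1.0.0", "to_inclusive": "1.4.2", "cvss": 6.1},
    {"title": "auth bypass", "from": "2.0.0", "to_inclusive": "2.0.3", "cvss": 9.8},
]}

def demo():
    """Three scans of one slug: first fetches, second hits the cache, third re-fetches after 24h."""
    calls = []
    def fake_fetch(url, headers):
        calls.append((url, headers["User-Agent"]))
        return SAMPLE_RECORD
    rec, f1 = lookup("plugin", "example-slug", fake_fetch, now=0)
    _, f2 = lookup("plugin", "example-slug", fake_fetch, now=3600)
    _, f3 = lookup("plugin", "example-slug", fake_fetch, now=CACHE_TTL + 1)
    return len(calls), (f1, f2, f3), [f["title"] for f in open_findings("1.4.2", rec)]
```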
No other outbound network traffic originates from this plugin. The two-factor QR code is rendered locally in the operator’s browser using a vendored MIT-licensed JavaScript library — the TOTP secret is never transmitted to any third party.
Installation
- Upload ghostables-defender-lite to /wp-content/plugins/ (or install via Plugins → Add New)
- Activate
- Follow the 4-step setup wizard. The first administrator to complete it becomes the founding Operator — sets a 6–10 digit PIN and receives 10 single-use recovery codes.
- The wizard takes the first file-integrity baseline and runs the first vulnerability scan automatically.
FAQ
Does Defender Lite phone home?
Lite calls one external service: the public WordPress Vulnerability Database at wpvulnerability.net, to look up disclosed vulnerabilities for each installed plugin, theme, and your WordPress core version. No API key, no site URL, no admin email — only the slug being queried and a User-Agent identifying the plugin version. Each lookup is cached locally for 24 hours. See the “External services” section above for the full disclosure.
The two-factor QR code is rendered locally in your browser; the TOTP secret never leaves your WordPress install.
Will Lite slow my site down?
The scans run on cron (twice-daily CVE check, daily integrity scan). Runtime hardening is a handful of cheap filter hooks. No page-load impact you’ll measure.
Will Lite break my site?
The hardening checklist tells you what each fix does before you click it. Every one-click fix is reversible by editing wp-config.php or unchecking the option. Defaults are conservative — nothing is enforced site-wide on first install except the Operator gate, which only restricts Defender’s own settings.
Does it work alongside Wordfence / iThemes / Sucuri?
Technically yes, but running multiple security plugins is usually counterproductive — they fight over the same hooks. Run one, run it well.
Is the audit log really tamper-evident?
Each row’s row_hash is an HMAC-SHA-256 over the previous row’s hash plus the row’s own fields, keyed with a 32-byte chain key. The chain key is either (a) the GDEF_LITE_AUDIT_KEY constant in your wp-config.php, or (b) auto-generated and stored as a WordPress option on first use. An attacker with database write access can delete or modify a row, but cannot quietly recompute the following row’s HMAC without the key — so the next row’s stored hash will no longer match, and the break is visible from Settings → Operator → Chain status. For the strongest guarantee, set GDEF_LITE_AUDIT_KEY in wp-config.php so the key never lives in the database alongside the rows it signs.
How do I get the separate Ghostables Defender plugin?
It’s distributed from ghostables.io. Install it alongside Defender Lite and Lite steps aside automatically; every setting you’ve configured here carries over. You never need it to keep using Defender Lite, which is free and fully functional on its own.
What happens if I uninstall?
Uninstalling (not just deactivating) drops Defender’s three tables and clears its options. Your audit log goes with it. This is intentional — uninstall means uninstall.
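The chain described in the “Is the audit log really tamper-evident?” answer, as an added example written for this page (not the plugin's code): rows are appended with an HMAC-SHA-256 over the previous row's hash plus the row's fields, and verification shows that editing or deleting a row without the chain key breaks the link at the next check. The canonical-JSON field serialisation and the all-zero starting value are assumptions; the plugin's real row layout is not shown above.

```python
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64  # assumed: the first row chains from an all-zero "previous hash"

def row_hash(key, prev_hash, fields):
    """HMAC-SHA-256(key, previous row hash || canonical JSON of this row's fields)."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + payload, hashlib.sha256).hexdigest()

def append_row(key, log, fields):
    """Append an event, linking it to the hash stored in the previous row."""
    prev = log[-1]["row_hash"] if log else GENESIS
    row = dict(fields, row_hash=row_hash(key, prev, fields))
    log.append(row)
    return row

def verify_chain(key, log):
    """Walk the log recomputing every hash; return the index of the first row whose
    stored row_hash does not match, or None when the whole chain is intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        fields = {k: v for k, v in row.items() if k != "row_hash"}
        if not hmac.compare_digest(row_hash(key, prev, fields), row["row_hash"]):
            return i
        prev = row["row_hash"]
    return None

def tamper_demo(key=None):
    """Build a four-row log, then show what an attacker with only database
    write access (no chain key) cannot hide."""
    key = key or os.urandom(32)  # 32-byte chain key, as GDEF_LITE_AUDIT_KEY would hold
    log = []
    for event in ("operator_unlock", "hardening_fix", "baseline_taken", "setting_changed"):
        append_row(key, log, {"event": event, "user": "admin"})
    intact = verify_chain(key, log)                          # None: chain is good
    edited = [dict(r) for r in log]
    edited[1]["event"] = "login"                             # row 1 changed in place
    deleted = log[:1] + log[2:]                              # row 1 removed outright
    # Both break at index 1: the stored hash there no longer matches what the
    # key produces over the preceding hash and the row's current fields.
    return intact, verify_chain(key, edited), verify_chain(key, deleted)
```

Trimming rows off the tail leaves every remaining link valid, so the chain alone does not reveal it; catching that needs the latest row_hash (or the row count) recorded somewhere a database writer cannot reach.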
Changelog
0.1.6
- Fix: on the Scan page, the vulnerability and file-integrity scan progress modal could appear hidden behind its own backdrop. The modal is mounted on the page body — outside the plugin’s styling scope — so its brand colour variables weren’t resolving and the card rendered transparent. The modal now carries its own tokens and displays correctly. No change to scanning behaviour.
0.1.5
- Authorisation: the integrity scan-control endpoints (start, tick, cancel) and the baseline and finding-resolve endpoints now enforce the Operator gate directly in their REST permission_callback — administrator capability plus an unlocked Operator session — because advancing a baseline rewrites the trusted file fingerprint (a security-state change). Read-only endpoints (CVE scan, scan status, audit verify) continue to require the administrator capability only. Locked requests return a clear, actionable 403.
- Removed remaining “free tier / upgrade” wording from the plugin header description to match the rest of the plugin: Defender Lite is free and fully functional, with the separate plugin described for information only.
0.1.4
- Guidelines compliance. Audit-log retention is now a free, user-configurable setting (default 90 days, set to 0 to keep everything forever) — it is no longer presented as a paid limit. Nothing in the plugin is gated behind a licence, tier, quota, or time limit; every feature is free and fully functional.
- The “More Security” page now describes Ghostables Defender purely as a separate, more advanced plugin available from ghostables.io — no locked tiles, no “unlock”, no in-plugin upsell or licence-key entry.
- All JavaScript and CSS is now loaded through wp_enqueue_*. The previous inline script and style blocks (the REST helper, scan modal, onboarding wizard) moved to enqueued assets/js/admin.js, assets/js/onboard.js, assets/css/onboard.css, and assets/css/login.css. Inline onclick handlers and inline style attributes were replaced with delegated event listeners and CSS classes.
- No change to the actual security features: vulnerability scanning, file integrity, hardening, two-factor authentication, Operator gate, and the tamper-evident audit log all work exactly as before.
0.1.3
- Plugin Check round-2 cleanup. Fixed the only remaining ERROR (a $wpdb->prepare() call in the CVE scanner that concatenated time() into the SQL — now bound as %d), collapsed two multi-line $wpdb->prepare() calls onto single lines so the phpcs:ignore directive actually lands on the offending line, suppressed the PrefixAllGlobals sniff on view templates (they are require()’d inside controller methods, so their variables are method-local at runtime even though PHPCS sees them as global), and wrapped uninstall.php’s body in an immediately-invoked closure so its working variables are genuinely function-scoped. No functional or behavioural changes.
0.1.2
- Plugin Check cleanup: switched all filesystem operations to WP_Filesystem; sanitised every superglobal read with wp_unslash() + sanitize_text_field() / esc_url_raw(); annotated every deliberate direct $wpdb query with the rationale; prefixed all view-file local variables with gdef_ to satisfy the PrefixAllGlobals rule.
- No functional changes — all behaviour, option keys, DB schemas, REST routes, and admin UI are unchanged.
0.1.1
- Vulnerability feed switched from Wordfence Intelligence to the public WordPress Vulnerability Database (wpvulnerability.net). Same coverage, GPL-compatible licensing, per-component 24h cache.
- Two-factor QR code is now rendered locally in the operator’s browser using a bundled MIT-licensed library. The TOTP secret is no longer transmitted to a third party.
- Two-factor authentication now blocks XML-RPC and application-password channels for any user with 2FA enabled, closing the previous bypass.
- Two-factor recovery codes are stored as password_hash() values rather than plaintext.
- Brute-force throttle added to the Operator PIN, the Operator recovery code, and the 2FA challenge — 5 failures in 5 minutes triggers a lockout with exponential backoff up to 1 hour.
- Audit chain upgraded from unkeyed SHA-256 to HMAC-SHA-256 with a chain key. The key is read from a GDEF_LITE_AUDIT_KEY wp-config constant when present, otherwise auto-generated and stored as an option. Existing pre-upgrade rows remain verifiable under the legacy scheme.
- The audit log no longer trusts X-Forwarded-For or CF-Connecting-IP headers by default — opt in via the GDEF_LITE_TRUST_PROXY wp-config constant or the gdef_lite_trust_proxy filter when the site genuinely sits behind a reverse proxy.
- Hardening: nginx server-block snippet for blocking PHP execution in /uploads is now generated on the Hardening page (Apache .htaccess output unchanged).
- Admin pages no longer fetch Google Fonts from a CDN — system font stack is used instead.
0.1.0
- Initial release.
