WILLRADFORD.COM

TRUSTGATE SECURITY PLUGIN

A WordPress security and privacy workflow plugin for SSL enforcement, security headers, two-factor authentication, login protection, session management, and privacy acknowledgment tools.

Overview

TrustGate Security helps WordPress site owners harden their sites by combining common SSL, HTTP security header, login protection, two-factor authentication, and privacy acknowledgment features in one plugin.

The plugin is designed for site administrators who want practical controls inside WordPress without manually editing server configuration for every setting.

Privacy and compliance features are provided as workflow tools only. They are not legal advice and do not guarantee compliance with any law or regulation.

Features

SSL Enforcement

  • Force traffic to use HTTPS/SSL.
  • Redirect HTTP visitors to HTTPS.
  • Support common WordPress themes and plugins.

Search Engine Indexing Protection

  • Optional setting to discourage indexing by search engines.
  • Adds robots meta protection when enabled.
  • Adds X-Robots-Tag header protection when enabled.
  • Adds a robots.txt disallow rule when enabled.

Security Headers

  • HTTP Strict Transport Security, or HSTS.
  • Content Security Policy, or CSP.
  • X-Frame-Options clickjacking protection.
  • Referrer Policy controls.
  • Permissions Policy controls.
  • Cross-Origin policy controls.

Privacy Acknowledgment Tools

  • Custom privacy acknowledgment workflow for logged-in users.
  • Role-based privacy acknowledgment requirements.
  • Optional re-acknowledgment expiration.
  • Admin preview tools.
  • Modal-based user acknowledgment flow.

Administrator Agreement

  • Require administrators to accept plugin terms before using protected plugin features.
  • Customizable agreement text and checkbox label.
  • Role-based requirements and exemptions.
  • Optional periodic re-acknowledgment.
  • Emergency override support for lockout prevention.

Two-Factor Authentication

  • Master toggle for all TrustGate Security 2FA behavior.
  • Optional administrator-controlled exclusion for the primary administrator account with user ID #1.
  • Email verification code option.
  • Authenticator app support using TOTP.
  • QR code setup for authenticator apps when available.
  • Website/domain-aware authenticator app labels.
  • Authenticator app link dropdown for common apps.
  • Role-based 2FA requirements.
  • Per-user 2FA overrides.
  • Mandatory setup redirect for required users.
  • Backup recovery codes.
  • Optional email delivery for newly generated backup codes.
  • Optional fallback email code for authenticator users.
  • Recent 2FA attempt logging.
  • Admin recovery tools.

Login Protection

  • Strong password enforcement.
  • Password validation and strength checking.
  • Weak password prevention.

User Session Management

  • View active user sessions.
  • Terminate sessions for specific users or devices.
  • Limit concurrent sessions.
  • Configure maximum session duration.

Login Limiting

  • Brute-force protection.
  • Custom lockout settings.
  • IP whitelist and blacklist controls.
  • Email notifications for lockouts.

Screenshots

The plugin includes WordPress.org-style screenshots in the assets directory.

  1. assets/screenshot-1.png — Main TrustGate Security settings page with admin notice, banner, security score, and tabbed settings.
  2. assets/screenshot-2.png — Two-factor authentication login screen with authenticator app and fallback email code options.
  3. assets/screenshot-3.png — Privacy settings tab within the TrustGate Security settings interface.
  4. assets/screenshot-4.png — User profile authenticator app 2FA setup area with status, manual setup key, and QR code.

Requirements

  • WordPress 6.5 or higher.
  • PHP 7.0 or higher.
  • A valid SSL certificate is required before enabling forced HTTPS.

Installation

From a ZIP file

  1. Download the plugin ZIP.
  2. In WordPress, go to Plugins > Add New > Upload Plugin.
  3. Upload the ZIP file.
  4. Activate TrustGate Security.
  5. Open the TrustGate Security admin menu and configure the plugin settings.

Manual installation

  1. Upload the trustgate-security folder to /wp-content/plugins/.
  2. Activate the plugin from the WordPress Plugins screen.
  3. Open the TrustGate Security admin menu and configure the plugin settings.

Two-Factor Authentication Notes

TrustGate Security supports authenticator app codes using standard TOTP codes. When setting up an authenticator app, the plugin generates a QR code and a manual setup key.

The authenticator app label uses the site domain when possible, for example:

otpauth://totp/example.com:username?secret=...&issuer=example.com

If a user loses access to their authenticator app, backup recovery codes or the optional fallback email code feature can be used when configured.

Emergency 2FA bypass

If 2FA causes a lockout during testing or deployment, add this constant to wp-config.php:

define('TRUSTGATE_SECURITY_DISABLE_2FA', true);

Remove the constant after recovering access.

Security Score Notes

Some settings contribute to the plugin’s Security Score. Settings that count toward the score are marked in the settings page info icons.

The search-engine indexing blocker does not count toward the Security Score because it is a privacy/content visibility control, not a direct security hardening feature.

Uninstall Behavior

TrustGate Security preserves settings during plugin updates and deactivation.

When the plugin is deleted from the WordPress Plugins screen, uninstall.php removes TrustGate Security plugin data, including:

  • Plugin options.
  • 2FA logs.
  • Login lockout transients.
  • Temporary 2FA transients.
  • TrustGate Security user metadata.

Plugin Assets

The plugin includes WordPress.org-style assets:

  • assets/banner-772x250.png
  • assets/icon.svg
  • assets/icon-256x256.png
  • assets/icon-128x128.png
  • assets/screenshot-1.png
  • assets/screenshot-2.png
  • assets/screenshot-3.png
  • assets/screenshot-4.png

assets/banner.svg is included as a source/design copy. The fixed-size PNG banner is the primary WordPress.org directory banner asset.

Development

Recommended local checks before release:

php -l trustgate-security.php
php -l includes/class-trustgate-security.php
php -l includes/class-trustgate-security-totp.php
php -l uninstall.php

Recommended WordPress checks:

  • Test activation and deactivation.
  • Test uninstall cleanup only by deleting the plugin, not by deactivating it.
  • Run the official WordPress Plugin Check plugin.
  • Test forced HTTPS only on a site with a working SSL certificate.
  • Test 2FA on a secondary administrator account before requiring it for the original administrator account.

Changelog

1.98

  • Adjusted the front-end privacy acknowledgment overlay so it does not cover the WordPress admin toolbar for logged-in users.

1.97

  • Strengthened nonce and permission validation for profile 2FA actions, backup-code email requests, session management, 2FA recovery, and log-clearing actions.
  • Added a TrustGate-specific profile 2FA nonce in addition to the WordPress profile-update nonce.
  • Settings remain preserved during updates.

1.96

  • Kept the master 2FA system disabled by default on fresh installs.
  • Set the default Roles requiring 2FA checkboxes to all standard WordPress roles on fresh installs.

1.95

  • Added live Security Score syncing on the settings page when score-counted options are toggled.

1.95

  • Changed fresh installs so the master two-factor authentication system is off until an administrator enables it. Existing settings remain preserved during updates.

1.93

1.92

  • Renamed plugin to TrustGate Security.
  • Renamed plugin folder, main plugin file, class names, constants, text domain, handles, menu labels, settings labels, shortcode, AJAX actions, and documentation to match the new branding.
  • Added migration support so existing settings and user 2FA metadata are preserved when upgrading from the previous plugin branding.

1.91

  • Added a temporary Settings saved notice on the TrustGate Security settings page after admin settings are saved.

1.90

  • Scoped the Administrator Agreement overlay to the TrustGate Security admin panel instead of covering the whole WordPress admin screen.
  • Added a non-blocking inline fallback for admin screens that do not contain the TrustGate Security admin wrapper.

1.89

  • Fixed the Administrator Agreement popup flow so users required to use TrustGate Security 2FA, including Editors selected by role, can see and accept the agreement during required setup.
  • Kept emergency override limited to administrators with settings privileges.

1.87

  • Fixed mandatory authenticator app setup for administrator accounts using the default role-based 2FA rule.
  • Administrators saving their own required profile setup can now verify the authenticator code successfully instead of being redirected back to incomplete setup.

1.86

  • Removed the unregistered user-settings admin script dependency that caused a WordPress debug notice.
  • Kept settings tab memory through the server-side tab parameter and browser fallback.

1.84

  • Fixed a fatal settings page error from an incomplete wp_kses() call.

1.81

  • Added targeted Plugin Check inline documentation for nonce-verified profile and 2FA login form handling.
  • Clarified that profile update fields are processed only after WordPress profile nonces are verified.
  • Preserved existing 2FA, backup code, and settings behavior while resolving remaining Plugin Check reports.

1.80

  • Corrected WordPress Plugin Check findings for public release readiness.
  • Added nonce checks, safer superglobal handling, and escaped admin output.
  • Removed runtime ini_set() usage while keeping X-Powered-By header cleanup.
  • Updated compatibility metadata for Plugin Check expectations.

1.79

  • Replaced the WordPress.org banner and icon assets with the latest supplied files.
  • Added assets/banner.svg as a source/design asset while keeping assets/banner-772x250.png as the WordPress.org display banner.
  • Added square PNG icon fallbacks for the SVG icon.

1.78

  • Added plugin screenshots to the assets directory using WordPress.org screenshot naming conventions.
  • Updated the readme screenshots section so each ordered description corresponds to the matching screenshot file.

Earlier versions

Earlier versions added Settings API tabs, 2FA stages, backup codes, fallback email codes, profile overrides, admin notices, search-engine indexing controls, license files, screenshots, and public-release cleanup.

License

This plugin is licensed under the GNU General Public License version 3 or later.

See LICENSE.txt for the full license text.

Author

Created by Will Radford.

trustgate-security-v1.98Download