Polanger Admin Suite

The ultimate WordPress admin customization toolkit. Take full control of your WordPress dashboard.

Security Focused · GDPR Compliant · WordPress 5.0+

Introduction

Polanger Admin Suite is a comprehensive WordPress plugin that gives you complete control over your WordPress admin area. Whether you're building sites for clients, managing a multisite network, or simply want a cleaner admin experience, this plugin has you covered.

Menu Manager

Hide, rename, reorder, and control access to any admin menu item with role-based visibility.

Admin Bar

Customize the admin bar with your logo, hide items, and add custom links with icons.

Login Page

Custom login URL, beautiful design options, and reCAPTCHA protection for security.

Activity Log

Track all admin actions with GDPR-compliant logging, email alerts, and CSV export.

Dashboard Widgets

Hide default widgets, auto-hide third-party widgets, and create custom branded widgets.

Custom Admin Menu

Create custom admin sidebar menus and submenus with internal/external targets and new-tab support.

Security & 2FA

Access control, two-factor authentication, recovery keys, and Super Admin protection.

Multisite Control

Manage network defaults, site overrides, and locked module policies across WordPress multisite networks.

Comment Security

Protect your comment form with bot traps, timing checks, rate limits, content filters, and automatic moderation actions.

Authenticator (TOTP)

Google/Microsoft Authenticator support with secure TOTP verification, recovery keys, and trusted device memory.

reCAPTCHA

Centralized Google reCAPTCHA v2/v3 management for login, registration, password reset, and comment forms.

Installation

Method 1: WordPress Admin Upload

  1. Download the plugin ZIP file from CodeCanyon
  2. Go to Plugins → Add New → Upload Plugin
  3. Choose the ZIP file and click Install Now
  4. After installation, click Activate Plugin

Method 2: FTP Upload

  1. Extract the plugin ZIP file
  2. Upload the polanger-admin-menu-manager folder to /wp-content/plugins/
  3. Go to Plugins in WordPress admin and activate the plugin

After Activation

You'll find the plugin menu at Polanger in your WordPress admin sidebar.

Requirements

Requirement   Minimum   Recommended
WordPress     5.0+      6.0+
PHP           7.4+      8.0+
MySQL         5.6+      8.0+
MariaDB       10.0+     10.5+

Admin Bar

Customize the WordPress admin bar (toolbar) that appears at the top of your site.

  • Replace WordPress Logo - Upload your own logo (recommended: 20x20px or 40x40px)
  • Custom Link URL - Set where the logo links to
  • Hide Logo Submenu - Hide items like "About WordPress", "Documentation", etc.

Manage Admin Bar Items

The plugin automatically detects all admin bar items added by WordPress, themes, and plugins.

  • Auto-Detection - Finds items from Elementor, WooCommerce, and other plugins
  • Hide Items - Click the eye icon to hide any item
  • Rename Items - Change the display text of any item
  • Frontend Support - Manage items that only appear on the frontend

Add your own links to the admin bar with icons and optional submenus.

Option    Description
Title     The text displayed in the admin bar
URL       Where the link goes when clicked
Icon      Choose from 200+ Dashicons
Target    Same window or new tab
Submenu   Add dropdown items under the main link

Login Page

Secure and customize your WordPress login page with a custom URL, beautiful design, and reCAPTCHA protection.

Custom Login URL

Move the login form from the default wp-login.php to a URL of your choosing. This keeps the endpoint away from bots that hammer the default path and cuts brute-force noise, but it is obscurity rather than access control: keep strong passwords and 2FA in place as well.

  • Custom Slug - Use any URL like /my-login or /secure-access
  • Block Default URLs - Serve a 404 instead of the login form when wp-login.php or wp-admin is requested directly
  • Permalink Support - Automatically handles trailing slashes based on your settings

Bookmark Your Login URL

After enabling a custom login URL, bookmark it immediately. If you forget the URL, you'll need to disable the plugin via FTP (rename or remove its folder under /wp-content/plugins/) or phpMyAdmin.

Design Options

Create a beautiful, branded login experience with these customization options:

  • Upload a custom logo from the Media Library
  • Set a custom link URL for the logo
  • Logo appears above the login form
  • Solid Color - Single color background
  • Gradient - Two-color gradient at 135°
  • Image - Full-screen background image
  • Primary Color - Buttons and accents
  • Form Background - Login form card color
  • Automatic hover state generation

reCAPTCHA Protection

Protect your login page from bots and brute force attacks with Google reCAPTCHA.

Checkbox reCAPTCHA (v2) - Users click "I'm not a robot" to verify.

  • Visible verification checkbox
  • May show image challenges
  • Best for high-security requirements

Invisible reCAPTCHA (v3) - Score-based verification without user interaction.

  • No user interaction required
  • Scores each request from 0.0 (likely bot) to 1.0 (likely human)
  • Requests below the configured threshold (default 0.5) are blocked
  • Best for user experience

reCAPTCHA can be enabled for:

  • Login Form
  • Registration Form
  • Lost Password Form

Activity Log

Track all administrative actions on your WordPress site. The Activity Log is GDPR/KVKK compliant and never stores sensitive data like passwords or email content.

Logged Events

Category   Events
Login      Login, Logout, Failed Login Attempts
Plugins    Activated, Deactivated, Deleted, Updated
Themes     Theme Switched, Customizer Saved
Content    Created, Updated, Deleted, Trashed
Users      Created, Deleted, Role Changed, Password Changed
System     Site URL, Home URL, Admin Email, Permalinks

Severity Levels

  • Critical - Security-sensitive actions (URL changes, user deletion, password changes)
  • Warning - Actions requiring attention (failed logins, plugin deactivation)
  • Info - General activity (content changes, logins)

Log Viewer

View and filter logs with a powerful search interface:

  • Search - Find by username, action, or object name
  • Filter by Action - Show only specific event types
  • Date Range - Filter by start and end dates
  • Export CSV - Download logs for external analysis
  • Pagination - 20 logs per page with navigation

Email Alerts

Get notified when critical events occur:

  • Site URL or Home URL changed
  • Admin email changed
  • User deleted or role changed
  • Plugin deleted
  • Password changed

Privacy & Retention

  • IP Logging - Optional, disabled by default for GDPR compliance
  • Auto-Delete - Automatically delete logs after 7, 30, 60, or 90 days
  • No Sensitive Data - Passwords, emails, and form content are never logged

Dashboard Widgets

Take control of the WordPress dashboard by managing widgets, hiding admin notices, and creating custom branded widgets.

Widget Visibility

Hide default WordPress dashboard widgets:

  • Welcome Panel
  • Quick Draft
  • Activity
  • WordPress Events and News
  • Site Health Status

Auto-Hide Third-Party Widgets

Enable this feature to automatically hide all widgets added by plugins and themes. Use the whitelist to allow specific widgets.

Clean Dashboard Guarantee

When auto-hide is enabled, your dashboard stays clean even when new plugins are installed. Only whitelisted widgets will appear.

Admin Notices

Control the notices that appear at the top of admin pages:

  • Hide All Notices - Remove all plugin and theme notices
  • Super Admin Exception - Let Super Admins see all notices
  • Dashboard Only - Show notices only on the main dashboard
  • Log Hidden Notices - Track what notices were hidden

Custom Widgets

Create branded dashboard widgets for your clients or team:

Option     Description
Title      Widget heading displayed on the dashboard
Position   Left column (Normal) or Right column (Side)
Content    Rich text editor with media support
Enabled    Toggle widget visibility

Use Cases:

  • Welcome message with agency branding
  • Quick links to important pages
  • Support contact information
  • Training resources and documentation

Custom Admin Menu

Create your own WordPress admin sidebar menus and submenus from the Menu Manager page. This addon is designed for agencies and site owners who need quick access links, custom tool hubs, and client-friendly navigation.

Menu Builder

  • Modal-Based Builder - Add new menus using a modern modal UI from Menu Manager
  • Main Menu + Submenus - Create a parent menu and unlimited submenu items
  • Icon Picker - Select from an expanded Dashicons library
  • Menu Position - Control where the custom menu appears in the admin sidebar
  • Inline Help Text - Built-in guidance for non-technical users

Targets & New Tab

Each custom menu/submenu can point to an internal admin route or an external URL.

Target Type             Example                               Behavior
Internal admin target   admin.php?page=plugin-slug            Opens target inside wp-admin
Core admin file         tools.php or edit.php?post_type=page  Opens matching admin screen
External URL            https://example.com/help              Can open in same tab or new tab

New Tab Behavior

If "Open in new tab" is enabled, custom menu links are forced to open in a new browser tab, including parent menu links with submenus.

Manage & Edit

  • Custom Menus Table - Review all saved menus, targets, and submenu counts
  • Edit Button - Reopen modal with prefilled data to update existing menus
  • Delete Button - Remove a custom menu and all related submenus in one action
  • Duplicate Parent Cleanup - Automatically removes WordPress auto-duplicated parent submenu entries
  • Route Safety - Prevents blank fallback pages by redirecting parent/submenu routes to their configured targets

Multisite Control

Multisite Control adds network-wide governance for agencies, developers, and site networks while keeping each module independent and extendable.

Network Defaults

  • Define global defaults from Network Admin
  • Capture a site's current module settings as reusable network defaults
  • Apply effective settings through lightweight filters instead of duplicating module logic

Site Overrides

  • Allow or disable site-level overrides per network policy
  • Show Network, Override, and Locked status per module
  • Keep local site settings intact unless network policy is enabled

Lock System

  • Lock Menu Manager, Admin Bar, Login Security, Activity Log, and Dashboard Center
  • Disable local forms when a module is network locked
  • Use manage_network_options for network settings and manage_options for site-level controls

Design System

Design System provides token-based admin theming through an addon-first architecture, so visual customization can grow without adding core complexity.

Token-Driven Styling

  • Manage primary, background, surface, text, muted, sidebar, and admin bar colors from one screen
  • Configure font family and border radius as reusable design tokens
  • Generate CSS variables and shared UI styles from saved tokens

Smart Contrast

  • Auto-generate readable foreground colors for dark/light surfaces
  • Apply scoped readability corrections to postboxes, notices, tables, and form controls
  • Enable or disable smart contrast correction from addon settings

Performance & Scope

  • Generate cache-friendly CSS files only when token hash changes
  • Use inline fallback when filesystem write is unavailable
  • Apply styles to Polanger pages only or all admin pages based on selected scope

Comment Security

Comment Security is a layered protection addon for the WordPress comment system. Its job is simple: let normal visitors leave comments as usual, but make automated spam bots, repeated flood attempts, suspicious links, and blocked keywords much harder to get through.

The addon does not rely on just one rule. Instead, it combines several small checks that work together. A comment can be inspected for bot behavior, submission speed, repeated attempts, suspicious content, blocked words, blocked domains, and final risk score. This means you are not betting your entire protection on only one trick such as a honeypot or only one filter such as a keyword list.

For most site owners, the easiest way to use this addon is to enable it and choose a mode such as Light, Balanced, or Strict. After that, you only add your own blocked words or blocked domains when needed. Advanced settings are there for site owners who want tighter control, but you do not need to understand every number on day one to get value from the addon.

How the Protection Flow Works

When someone submits a comment, the addon first checks whether the comment form contains the protection fields added by the addon. If it does, the bot checks run. Then the addon checks how fast the comment was submitted, whether the hidden trap field was touched, whether the same visitor is posting too often, whether the content contains blocked words or blocked domains, and finally decides whether to allow the comment, send it to spam, move it to trash, or silently drop it.

General

The General tab controls the overall on/off state of the addon and a few important global behaviors. This is the best place to start if you are setting up the addon for the first time.

  • Enable Comment Security Layer - This is the master switch for the entire addon. When this is turned off, none of the bot checks, rate limits, content filters, or silent actions run. WordPress handles comments the normal default way.
  • Quick Protection Modes - These modes apply a ready-made protection profile. Light is the least aggressive, Balanced is the recommended everyday option for most sites, and Strict is for sites that receive heavier spam or want faster blocking.
  • Also apply to logged-in users - By default, many sites trust logged-in users more than anonymous visitors. Turn this on if you want the same comment screening to apply to members, customers, or other signed-in users as well.
  • Enable protection logs - This saves decision records such as allow, spam, trash, or drop so you can later understand what the addon did. If you are troubleshooting false positives or checking how often bots are being blocked, keep this enabled.
  • Log retention (days) - This controls how long the addon keeps log entries before deleting old ones. A shorter number keeps the database smaller. A longer number gives you more history for analysis.

Bot Protection

The Bot Protection tab focuses on low-friction defenses that work without forcing the visitor to solve a challenge. These checks try to detect behavior that looks automated rather than human.

  • Honeypot field - Adds a hidden form field that normal people never use. Many simple bots try to fill every field they see or manipulate the form payload incorrectly. If that hidden field is filled, or if the payload looks tampered with, the addon treats it as a strong bot signal.
  • Honeypot field name - This is the hidden field's name. A realistic-looking name such as url2 or homepage_alt makes it harder for basic spam scripts to identify and skip the trap field. You usually only change this if you want a custom disguise.
  • Submission timing check - Measures how quickly the comment was submitted after the form was displayed. Humans need time to read and type. Bots often submit almost instantly or reuse invalid tokens, so this helps catch robotic submissions that move too fast or use tampered timing data.
  • Minimum seconds before submit - This is the shortest acceptable time between form load and comment submit. If a comment arrives faster than this limit, the addon assumes the visitor likely did not have enough time to read and type a genuine comment.
  • Maximum seconds (token expiry) - This is how long a timing token stays valid before it becomes too old. If someone submits after that window, the token is treated as expired. This helps reduce reuse of old form states and old bot sessions.
  • Signed one-time timing tokens - The addon uses signed timing tokens that are tied to the current post and browser fingerprint, and each token is consumed after one successful check. In plain English, this makes it much harder for a bot to grab one token and reuse it again and again.

Rate Limiting

The Rate Limiting tab controls how many comments the same visitor can try to send in a short period. This is very useful against burst spam, repeated abuse, and comment-flood attacks.

  • Enable flood control - Turns the rate limit system on or off. When enabled, the addon tracks how often the same visitor submits comments within short and longer time windows.
  • Max comments per minute - Sets the short burst limit. If the same visitor posts too many comments inside one minute, the addon starts treating those requests as suspicious.
  • Max comments per hour - Sets the longer window limit. This helps catch slower spam waves that stay under the per-minute cap but still post too often over time.
  • Why rate limiting matters - A bot does not always post only one bad comment. Many attack scripts try repeated submissions in a burst. Rate limiting helps stop that behavior even if the content itself looks different every time.

Content Rules

The Content Rules tab checks what is inside the comment itself. This is where you define what kind of text, links, words, or domains you do not want to allow.

  • Maximum links - Controls how many links a comment is allowed to contain before it becomes suspicious. Spammers often pack comments with promotional URLs, so lowering this number can reduce link spam quickly.
  • Penalize comments dominated by non-Latin characters - Adds a score signal when a comment is mostly made up of non-Latin characters. This can help on Latin-only sites that are often targeted by irrelevant spam in other scripts. Do not enable it on multilingual sites unless you are sure it fits your audience.
  • Keyword match mode - Chooses how blocked words are detected. Whole word / repeated word mode is the safer and recommended option because it catches a blocked word used normally and also catches the same blocked word repeated back-to-back in spammy strings. Substring mode is looser and can catch more cases, but it can also create more false positives.
  • Keyword blocklist - This is where you enter words or phrases you never want to allow in comments. If any listed keyword appears in the author name, comment text, or author URL, the addon treats that as a block rule instead of just a weak score signal.
  • URL host blocklist - This is where you list domains you never want commenters to advertise or link to. Use hostnames such as spamdomain.com. If a comment contains a URL from one of those domains, the addon blocks it according to your configured action.
  • Why lists do not change the selected mode - Adding words or domains is considered data entry, not a protection profile change. In other words, you can keep using Balanced or Strict mode while still maintaining your own custom keyword and domain lists.

Silent Mode

The Silent Mode tab decides what the addon should do after a comment is judged suspicious enough to stop. This is where you choose the final action.

  • Enable behavior scoring - When enabled, the addon combines multiple weaker signals into a final score. This is useful because not every suspicious sign means the same thing. Some comments may only need to go to spam, while stronger signals deserve a harder response.
  • Spam threshold (0-100) - If the total score reaches this number, the comment is marked as spam. This is usually the best balance for normal sites because admins can still review the comment later.
  • Drop threshold (0-100) - If the score reaches this higher number, the addon uses the selected hard action. This is meant for comments that look much more clearly abusive or automated.
  • Mark as spam - Sends the blocked comment to the WordPress spam queue. This is the safest choice if you want a review trail and do not mind checking spam occasionally.
  • Move to trash - Sends the blocked comment to trash instead of spam. This can be useful if your moderation workflow is based on the trash queue rather than the spam queue.
  • Silently drop - The comment is never stored. From the admin side, this is the strongest cleanup option because junk comments do not pile up in the database at all.
  • Show a human-readable rejection page on hard drops - If enabled, visitors see a rejection page when a hard drop happens. This is useful while testing or debugging. On production sites, many admins prefer to leave this off so obvious spam bots get no useful feedback.
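The protection flow above (honeypot, signed one-time timing token, flood control, content rules, and the score-to-action decision from the Silent Mode tab) can be seen end to end in the following script. It is an added example, not Polanger's own code: the field names (_pas_token, _fp, _ip, url2), the score weights and the thresholds are assumptions chosen for the demo, not the addon's defaults. It runs stand-alone with `php` and needs no WordPress installation.

```php
<?php
// Added example of the layered check described above. Not Polanger's code; field
// names, weights and thresholds are assumptions chosen for the demo.

const DEMO_SECRET = 'replace-with-a-random-server-side-secret'; // assumption: a stored per-site key

// Issue a signed timing token bound to the post and a browser fingerprint.
function demo_issue_token(int $post_id, string $fingerprint, int $issued_at): string
{
    $nonce   = bin2hex(random_bytes(8));
    $payload = $post_id . '|' . hash('sha256', $fingerprint) . '|' . $issued_at . '|' . $nonce;
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, DEMO_SECRET);
}

// Verify signature, binding, age window and one-time use. $used stands in for the
// server-side store of consumed nonces. Returns null when the token is acceptable.
function demo_check_token(string $token, int $post_id, string $fingerprint, int $now,
                          int $min, int $max, array &$used): ?string
{
    [$b64, $mac] = array_pad(explode('.', $token, 2), 2, '');
    $payload = base64_decode($b64, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, DEMO_SECRET), $mac)) {
        return 'token_tampered';
    }
    [$pid, $fph, $issued, $nonce] = explode('|', $payload);
    if ((int) $pid !== $post_id || !hash_equals($fph, hash('sha256', $fingerprint))) {
        return 'token_mismatch';
    }
    $age = $now - (int) $issued;
    if ($age < $min)          return 'too_fast';
    if ($age > $max)          return 'token_expired';
    if (isset($used[$nonce])) return 'token_replayed';
    $used[$nonce] = true; // consumed: the same token cannot pass a second time
    return null;
}

// Run every check, accumulate a score, and map it to the configured action.
function demo_evaluate(array $post, array $cfg, array &$state, int $now): array
{
    $score = 0; $reasons = []; $hard = false;

    // Honeypot: humans never see the field, so any value is a strong bot signal.
    if (($post[$cfg['honeypot_field']] ?? '') !== '') { $score += 60; $reasons[] = 'honeypot'; }

    // Timing token: too fast, expired, tampered or replayed all count against the request.
    $err = demo_check_token($post['_pas_token'] ?? '', (int) $post['comment_post_ID'], $post['_fp'],
                            $now, $cfg['min_seconds'], $cfg['max_seconds'], $state['used_tokens']);
    if ($err !== null) { $score += 60; $reasons[] = 'timing:' . $err; }

    // Flood control: sliding per-minute and per-hour windows keyed by visitor.
    $ip     = $post['_ip'];
    $hits   = array_filter($state['hits'][$ip] ?? [], fn($t) => $t > $now - 3600);
    $perMin = count(array_filter($hits, fn($t) => $t > $now - 60));
    if ($perMin >= $cfg['max_per_minute'] || count($hits) >= $cfg['max_per_hour']) {
        $score += 50; $reasons[] = 'flood';
    }
    $hits[] = $now;
    $state['hits'][$ip] = array_values($hits);

    // Content rules: link count is a score signal; blocked hosts and keywords are hard rules.
    $text = $post['comment'];
    if (preg_match_all('~https?://([^/\s]+)~i', $text, $m) > $cfg['max_links']) { $score += 30; $reasons[] = 'links'; }
    foreach ($m[1] as $host) {
        if (in_array(strtolower($host), $cfg['host_blocklist'], true)) { $hard = true; $reasons[] = 'blocked_host:' . $host; }
    }
    $haystack = strtolower($post['author'] . ' ' . $text . ' ' . ($post['url'] ?? ''));
    foreach ($cfg['keyword_blocklist'] as $kw) {
        if (preg_match('~\b' . preg_quote($kw, '~') . '\b~', $haystack)) { $hard = true; $reasons[] = 'keyword:' . $kw; }
    }

    if ($hard || $score >= $cfg['drop_threshold']) $action = $cfg['hard_action'];
    elseif ($score >= $cfg['spam_threshold'])       $action = 'spam';
    else                                             $action = 'allow';
    return ['action' => $action, 'score' => $score, 'reasons' => $reasons];
}

// Constructed run: one genuine comment, then a bot that reuses the same token.
$cfg = [
    'honeypot_field' => 'url2', 'min_seconds' => 5, 'max_seconds' => 3600,
    'max_per_minute' => 3, 'max_per_hour' => 20, 'max_links' => 2,
    'host_blocklist' => ['spamdomain.com'], 'keyword_blocklist' => ['cheap pills'],
    'spam_threshold' => 50, 'drop_threshold' => 80, 'hard_action' => 'drop',
];
$state = ['used_tokens' => [], 'hits' => []];
$now   = time();
$token = demo_issue_token(42, 'fp-of-ua-and-ip', $now - 20);
$base  = ['comment_post_ID' => 42, '_pas_token' => $token, '_fp' => 'fp-of-ua-and-ip',
          '_ip' => '203.0.113.5', 'author' => 'Ana', 'url2' => ''];
print_r(demo_evaluate($base + ['comment' => 'Great post, thanks.'], $cfg, $state, $now));
print_r(demo_evaluate(['url2' => 'http://x', 'comment' => 'cheap pills at http://spamdomain.com/buy'] + $base,
                      $cfg, $state, $now));
```

The first submission is allowed with a score of 0. The second one trips the honeypot, replays a token that was already consumed, links to a blocked host and contains a blocked keyword, so it takes the hard action regardless of score. Two design points carry over to any real deployment: the token is verified with hash_equals() before any field in it is trusted, and the nonce is only marked consumed after the signature check, so an attacker cannot exhaust the store with forged tokens.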

Logs & Statistics

The Logs & Statistics tab helps you understand what the addon has been doing in the background. If you want proof that protection is working, this tab matters a lot.

  • Statistics cards - Show how many comments were allowed, marked as spam, moved to trash, or dropped over the selected period. This gives you a quick health check without opening individual entries.
  • Recent Events table - Lists individual protection decisions with time, action, score, reason, IP, author details, and related post. This helps you see exactly why a comment was blocked or allowed.
  • Decision filters - Lets you filter the table by action such as allow, spam, trash, or drop. This is especially helpful when you only want to inspect blocked comments.
  • Reason tracking - Stores the reason codes that explain what happened, such as honeypot, timing, keyword, or blocked URL. This is what helps you learn whether your spam problem is mostly bot behavior, flood attempts, or content abuse.
  • Clear logs - Lets you remove old protection entries when you no longer need them. Useful during testing or after a major cleanup.
  • When to use the logs - If a valid user says their comment disappeared, check the logs first. If your site suddenly receives heavy spam, check the logs to see whether the attacks are mostly link spam, repeated floods, keyword abuse, or timing failures.

Recommended Starting Point

If you are not sure where to begin, enable Comment Security, choose Balanced mode, keep logging enabled, and then add your own blocked words and blocked domains over time. This setup gives most WordPress sites strong protection without becoming too aggressive for normal visitors.

Authenticator App (TOTP)

The Authenticator addon adds Google Authenticator and Microsoft Authenticator support to the core 2FA system. Instead of receiving codes via email, users verify their identity using time-based one-time passwords (TOTP) generated by their authenticator app.

This method provides stronger security than email-based verification and works offline without requiring email delivery.

How TOTP Works

TOTP generates a new 6-digit code every 30 seconds from a shared secret key and the current time. Both the authenticator app and the server know this secret, so each can compute the expected code independently, with no network communication; the only requirement is that both clocks are roughly in sync.

Multi-User Architecture

The authenticator system is designed for multi-user WordPress installations. Each user has their own authenticator setup, and the system separates global policy settings from individual user enrollment.

Global Settings (Admin Panel)

  • Role Enforcement - Select which user roles require 2FA (Administrator, Editor, etc.)
  • 2FA Method Selection - Choose between Email or Authenticator App
  • Lockout Policy - Configure maximum attempts and lockout duration
  • Super Admin Control - Option to include or exempt Super Admin from 2FA requirements

Per-User Enrollment

  • Individual Secret Keys - Each user has their own unique encrypted secret
  • Profile Page Management - Users manage their 2FA from their profile page (Users → Profile)
  • Enrollment Status - Admins can view enrollment status of users without seeing their secrets
  • Privacy Protection - Admins cannot view other users' secret keys, only their enrollment status

Enrollment Flow

When a user's role requires 2FA and they haven't set up their authenticator yet, they are guided through a mandatory enrollment process on first login:

  1. Login with Password - User enters their username and password as usual
  2. Enrollment Required Screen - System detects unenrolled user and shows setup wizard
  3. Add to Authenticator App
    • Secret key is displayed for manual entry
    • Provisioning URI available for QR code tools
  4. Verify Setup - User enters the 6-digit code from their app
  5. Recovery Keys - 10 recovery keys are generated and displayed (one-time viewing)
  6. Access Granted - User confirms they saved their keys and gains access

No User Lockout

Users are never locked out due to unenrolled 2FA. Instead of showing an error, the system guides them through the setup process during login. They must complete enrollment before accessing the site.

Profile Page Management

After initial enrollment, users can manage their authenticator from their WordPress profile page:

For Own Profile

  • View Status - See if authenticator is active or needs setup
  • Generate New Secret - Rotate to a new secret key (uses safe pending system)
  • Disable Authenticator - Remove authenticator from account
  • Recovery Key Count - See how many recovery keys remain

Admin Viewing Other Users

  • Enrollment Status Only - See if user has configured authenticator
  • Recovery Key Count - View remaining recovery keys
  • No Secret Access - Cannot view or modify user's secret key (privacy protection)

Safe Secret Rotation

When generating a new secret key, the system uses a "pending secret" architecture to prevent accidental lockouts:

Your Old Authenticator Keeps Working

When you generate a new secret, your existing authenticator continues working until you verify the new one. If you cancel or abandon the process, nothing changes.

Rotation Flow

  1. Generate New Secret - Creates a "pending" secret, old secret remains active
  2. Add New Secret to App - User adds the new secret to their authenticator
  3. Verify New Secret - User enters code from the new secret
  4. Activation - On successful verification:
    • Pending secret becomes active
    • Old secret is removed
    • New recovery keys are generated (security context changed)
  5. Cancel Option - User can cancel rotation at any time, keeping their existing setup

Why Pending Secrets Matter

  • No Accidental Lockout - If user abandons rotation midway, old authenticator still works
  • Phone Change Safety - Safe process for migrating to a new device
  • Recovery Context - New recovery keys generated because security context changed

Secret Key Security

  • Encrypted Storage - Secret keys are encrypted at rest using AES-256-CBC (OpenSSL) or, when the OpenSSL extension is unavailable, an HMAC-based XOR keystream fallback; keep OpenSSL installed so the primary cipher is used
  • Unique Per User - Each user has their own unique 32-character Base32 secret
  • Key Derivation - Encryption keys are derived from the WordPress auth salts in wp-config.php, so rotating those salts makes the stored secrets undecryptable and affected users must re-enroll
  • MAC Verification - HMAC-SHA256 integrity verification detects tampered ciphertext so it is never accepted
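The following script shows the storage scheme the list above describes: AES-256-CBC through OpenSSL, an HMAC-SHA256 tag over the ciphertext, and separate encryption and MAC keys derived from the WordPress salts. It is an added example and not Polanger's implementation; the AUTH_KEY and AUTH_SALT constants are defined locally only so the script runs outside WordPress (in a real site wp-config.php defines them), the per-user binding of the tag and the key-splitting scheme are my choices, and the secret value is a constructed sample.

```php
<?php
// Added example of encrypt-then-MAC storage for a TOTP secret. Not Polanger's code.
// AUTH_KEY / AUTH_SALT stand in for the wp-config.php salts (assumption for stand-alone use).

if (!defined('AUTH_KEY')) {
    define('AUTH_KEY',  'put-a-long-random-value-here');
    define('AUTH_SALT', 'and-another-long-random-value');
}

// Derive one key for AES and a different one for the HMAC, both bound to the site salts.
function demo_keys(): array
{
    $root = hash('sha256', AUTH_KEY . AUTH_SALT, true);
    return [hash_hmac('sha256', 'enc', $root, true), hash_hmac('sha256', 'mac', $root, true)];
}

// Encrypt, then tag user id + IV + ciphertext so a blob cannot be moved between users.
function demo_seal(string $plaintext, int $user_id): string
{
    [$enc, $mac] = demo_keys();
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $enc, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $user_id . $iv . $ct, $mac, true);
    return base64_encode($iv . $ct . $tag);
}

// Verify the tag in constant time before touching the cipher; null means "reject".
function demo_open(string $blob, int $user_id): ?string
{
    [$enc, $mac] = demo_keys();
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) return null;
    $iv  = substr($raw, 0, 16);
    $tag = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $user_id . $iv . $ct, $mac, true), $tag)) return null;
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $enc, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed run with a sample Base32 secret.
$secret = 'JBSWY3DPEHPK3PXP';
$blob   = demo_seal($secret, 7);
var_dump(demo_open($blob, 7) === $secret);   // true: same user, untouched blob
var_dump(demo_open($blob, 8));               // NULL: tag was bound to user 7
$raw = base64_decode($blob);
$raw[20] = chr(ord($raw[20]) ^ 1);           // flip one ciphertext bit
var_dump(demo_open(base64_encode($raw), 7)); // NULL: tag no longer verifies
```

Because every key comes from the salts, changing AUTH_KEY or AUTH_SALT turns every stored blob into garbage that fails the MAC check; that is the behaviour behind the re-enrollment caveat above, and a migration would have to decrypt with the old salts and re-seal with the new ones before they are swapped.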

Recovery Keys

When you complete authenticator setup, 10 recovery keys are automatically generated. These keys provide emergency access if you lose your phone or cannot use your authenticator app.

Save Your Recovery Keys

Recovery keys are shown only once when generated. Store them securely (password manager, printed copy in a safe place). Each key can only be used once.

  • 10 Keys Per User - Each user receives 10 unique recovery keys
  • One-Time Use - Each key works only once and is then invalidated
  • Regeneratable - Generate new keys from the 2FA settings page
  • Shared with Email 2FA - The same recovery keys work for both email and authenticator methods

Login Flow

When authenticator 2FA is active, the login process works as follows:

  1. Enter username and password as usual
  2. You're redirected to the authenticator verification screen
  3. Open your authenticator app and enter the current 6-digit code
  4. Optionally check "Trust this device for 30 days"
  5. Click "Verify & Login"

Alternative Access Methods

Option                When to Use
Use Recovery Key      Lost phone, app deleted, or authenticator unavailable
Send Code via Email   Temporary fallback to email verification
Trusted Device        Skip 2FA for 30 days on trusted browsers

Security Features

  • Replay Attack Prevention - Each code can only be used once per time window
  • Time Window Tolerance - Accepts codes from ±1 time slice to handle clock drift
  • Lockout Protection - Too many failed attempts triggers temporary lockout
  • Super Admin Bypass - Optional exemption to prevent network lockouts
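The two verification properties listed above (a ±1 step tolerance and one-time use of each code) are easiest to understand in code. What follows is an added example written for this page, not Polanger's verifier: the Base32 decoder and RFC 6238 code generation are standard, while the per-user "highest accepted step" array is an assumption standing in for whatever store the plugin uses. The secret is the RFC 6238 test-vector key, so the first output is checkable against the RFC.

```php
<?php
// Added example of TOTP verification with a ±1 time-step window and replay rejection.
// Not Polanger's code; $last_used is an in-memory stand-in for persistent storage.

function demo_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) throw new InvalidArgumentException('invalid Base32 secret');
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) $out .= chr(bindec($byte)); // drop trailing padding bits
    }
    return $out;
}

// RFC 6238 / RFC 4226: HMAC-SHA1 over the 64-bit big-endian step, dynamic truncation, mod 10^6.
function demo_totp(string $secret_b32, int $step, int $digits = 6): string
{
    $h    = hash_hmac('sha1', pack('J', $step), demo_base32_decode($secret_b32), true);
    $off  = ord($h[19]) & 0x0f;
    $code = ((ord($h[$off]) & 0x7f) << 24) | (ord($h[$off + 1]) << 16)
          | (ord($h[$off + 2]) << 8) | ord($h[$off + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the code for the current step or its neighbours, but only if that step is
// newer than the last one accepted for this user: a code seen once is never valid again.
function demo_verify_totp(string $secret_b32, string $code, int $now, array &$last_used,
                          string $user, int $window = 1): bool
{
    if (!preg_match('/^\d{6}$/', $code)) return false;
    $current = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $step = $current + $i;
        if ($step <= ($last_used[$user] ?? -1)) continue;       // already consumed (or older)
        if (hash_equals(demo_totp($secret_b32, $step), $code)) {
            $last_used[$user] = $step;                           // consume this step
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" in Base32; at T = 59 s the 6-digit code is 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$last   = [];
var_dump(demo_totp($secret, 1) === '287082');                                // true
var_dump(demo_verify_totp($secret, demo_totp($secret, 1), 59, $last, 'u1')); // true: current step
var_dump(demo_verify_totp($secret, demo_totp($secret, 1), 59, $last, 'u1')); // false: replayed code
var_dump(demo_verify_totp($secret, demo_totp($secret, 2), 59, $last, 'u1')); // true: +1 step tolerated
var_dump(demo_verify_totp($secret, demo_totp($secret, 0), 59, $last, 'u1')); // false: older than last accepted
```

Recording the highest accepted step rather than the individual codes is what RFC 6238 recommends: once a step is used, that step and every earlier one are rejected, which closes the replay window without keeping a list of spent codes. Lockout counting for repeated failures would sit around demo_verify_totp(), not inside it, so that a lockout cannot be reset by a single lucky guess.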

reCAPTCHA Protection

The reCAPTCHA addon provides centralized Google reCAPTCHA management for your WordPress site. All reCAPTCHA configuration is consolidated into this single addon, eliminating scattered settings and ensuring consistent protection across all forms.

Centralized Configuration

All reCAPTCHA settings that were previously spread across different modules have been consolidated into this addon. Configure your API keys once and enable protection wherever you need it.

API Key Setup

To use reCAPTCHA, you need API keys from Google:

  1. Visit the Google reCAPTCHA Admin Console
  2. Register your site (choose v2 or v3 based on your preference)
  3. Copy the Site Key and Secret Key
  4. Enter them in the reCAPTCHA addon settings

Checkbox Challenge - Users see a visible "I'm not a robot" checkbox.

  • Clear visual confirmation for users
  • May display image challenges for suspicious traffic
  • Best when you want explicit user verification
  • Higher friction but very reliable

Invisible Scoring - Works silently in the background without user interaction.

  • No checkbox or challenges shown to users
  • Returns a score from 0.0 (likely bot) to 1.0 (likely human)
  • Configurable threshold (default: 0.5)
  • Best for user experience, requires score tuning

Protected Forms

Enable reCAPTCHA protection on any combination of these forms:

Form                  Protection
Login Form            Raises the cost of brute-force and credential-stuffing attempts
Registration Form     Blocks automated account creation by bots
Lost Password Form    Limits password reset abuse and account enumeration
Comment Form          Stops spam comments (integrates with Comment Security addon)

Settings

v3 Score Threshold

For reCAPTCHA v3, set the minimum score required to pass verification:

  • 0.9 - Very strict, may block some legitimate users
  • 0.7 - Strict, good for high-security sites
  • 0.5 - Balanced (recommended starting point)
  • 0.3 - Permissive, allows more traffic through
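Whatever threshold you pick only matters if the token is verified on the server, so here is the server-side half as an added example (not the addon's code). demo_recaptcha_decide() evaluates the JSON Google's siteverify endpoint returns against the threshold, and also checks two fields that are easy to forget: hostname, which stops a token minted on another site, and action, which stops a v3 token obtained on the comment form from being replayed on the login form. demo_recaptcha_fetch() shows the request as it would be made with wp_remote_post() inside WordPress; the sample responses are constructed so the script runs offline, and the expected action name "login" is an assumption.

```php
<?php
// Added example of server-side reCAPTCHA verification. Not Polanger's code.
// The five JSON responses below are constructed samples in Google's siteverify format.

function demo_recaptcha_fetch(string $secret, string $token, string $remote_ip): ?array
{
    if (!function_exists('wp_remote_post')) return null; // outside WordPress: no network call
    $res = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', [
        'timeout' => 5,
        'body'    => ['secret' => $secret, 'response' => $token, 'remoteip' => $remote_ip],
    ]);
    if (is_wp_error($res)) return null;
    return json_decode(wp_remote_retrieve_body($res), true) ?: null;
}

// Decide pass/fail. v2 responses carry no score or action, so only success and
// hostname apply to them; v3 responses additionally need the right action and score.
function demo_recaptcha_decide(?array $r, float $threshold, string $expected_action, string $expected_host): array
{
    if ($r === null) {
        return ['pass' => false, 'reason' => 'verification_unavailable']; // fail closed
    }
    if (empty($r['success'])) {
        return ['pass' => false, 'reason' => 'invalid_token:' . implode(',', $r['error-codes'] ?? [])];
    }
    if (($r['hostname'] ?? '') !== $expected_host) {
        return ['pass' => false, 'reason' => 'hostname_mismatch'];
    }
    if (isset($r['score'])) { // v3
        if (($r['action'] ?? '') !== $expected_action) return ['pass' => false, 'reason' => 'action_mismatch'];
        if ((float) $r['score'] < $threshold)          return ['pass' => false, 'reason' => 'low_score:' . $r['score']];
    }
    return ['pass' => true, 'reason' => 'ok'];
}

$cases = [
    'v3 login, low score'          => '{"success":true,"score":0.3,"action":"login","hostname":"example.com"}',
    'v3 token minted on comments'  => '{"success":true,"score":0.9,"action":"comment","hostname":"example.com"}',
    'token from another site'      => '{"success":true,"score":0.9,"action":"login","hostname":"evil.example"}',
    'v2 checkbox pass'             => '{"success":true,"challenge_ts":"2024-01-01T00:00:00Z","hostname":"example.com"}',
    'expired or reused token'      => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($cases as $label => $json) {
    $d = demo_recaptcha_decide(json_decode($json, true), 0.5, 'login', 'example.com');
    printf("%-30s %s (%s)\n", $label, $d['pass'] ? 'PASS' : 'FAIL', $d['reason']);
}
```

Only the v2 case passes. Failing closed when Google cannot be reached is the safer default for registration and comments; for the login form, decide deliberately whether an outage should lock administrators out or fall back to 2FA alone.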

Badge Position (v3)

Control where the reCAPTCHA badge appears on your site:

  • Bottom Right - Default position; Google's terms allow hiding the badge only if the reCAPTCHA branding notice is shown in the form instead
  • Bottom Left - Alternative corner position
  • Inline - Embedded within the form

Comment Security Integration

When both reCAPTCHA and Comment Security addons are active, reCAPTCHA runs first (priority 50) before Comment Security scoring (priority 100). Failed reCAPTCHA immediately blocks the comment without further processing.

Settings

Configure access control, two-factor authentication, and other plugin-wide settings.

Access Control

Restrict who can access and modify the plugin settings:

  • Allowed Users - Select which administrators can access the plugin
  • Access Levels - Full Access or Read-only for each user
  • Super Admin Protection - Super Admin (ID 1) can never be locked out
  • URL Blocking - Restricted users can't access plugin pages via direct URL

Read-Only Mode

Read-only users can view all settings but cannot make changes. A banner is displayed and all forms are disabled.

Two-Factor Authentication (2FA)

Add an extra layer of security with email-based 2FA:

Setup Process

  1. Click "Send Test Email" to verify email delivery works
  2. Enable Two-Factor Authentication
  3. Select which roles require 2FA
  4. Save your recovery keys

Features

  • 6-Digit Codes - Sent via email on each login
  • Code Expiry - 5, 10, or 15 minutes
  • Role-Based - Require 2FA for specific roles
  • Recovery Keys - One-time use backup codes
  • Super Admin Bypass - Optional exemption for the Super Admin to prevent lockouts; because that account holds the highest privileges, prefer keeping 2FA enforced on it and relying on recovery keys instead

Miscellaneous

  • Custom Footer Text - Replace "Thank you for creating with WordPress"
  • Hide WordPress Version - Remove version number from admin footer
  • Live Preview - See footer changes in real-time

Hooks & Filters

For developers who want to extend or customize the plugin behavior.

Maintenance Mode Policy

Polanger core is currently maintained in a stability-first phase. New capabilities are expected to be delivered primarily via addons, while core updates focus on security, compatibility, and regression prevention.

Polanger Custom Developer Hooks

Hook / Filter                          Type    Description
polanger_init                          Action  Extension API bootstrap for registering addon modules
pdt_register_addons                    Filter  Inject or modify addon card definitions in the Addons page
pdt_active_addons                      Filter  Override active addon flags at runtime
polanger_effective_settings            Filter  Modify effective settings per module/context (multisite-aware)
pdt_admin_menu_after_dashboard_center  Action  Add submenu items between Dashboard Center and Settings
pdt_menu_manager_after_header          Action  Inject addon UI directly after the Menu Manager header
pdt_menu_manager_after_form            Action  Inject addon UI directly after the Menu Manager form
polanger_admin_theme_assets            Action  Enqueue admin theme CSS/JS for Polanger pages without core edits
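The following is an added example of a small addon plugin wired to the hooks in the table above; it is not part of Polanger or its documentation. The argument shapes passed through `pdt_register_addons`, `pdt_active_addons`, `polanger_effective_settings` and `pdt_admin_menu_after_dashboard_center` are assumptions (the table gives names and types only), as are the addon slug, option keys and text domain.

```php
<?php
// Added example (not Polanger's own code). Array shapes and argument lists
// of the Polanger hooks are assumptions; check the core source before relying on them.

// Bootstrap only once core signals that the extension API is ready.
add_action( 'polanger_init', function () {

    // Register an addon card on the Addons page (assumed card array shape).
    add_filter( 'pdt_register_addons', function ( array $addons ): array {
        $addons['example_audit'] = array(
            'title'       => 'Example Audit',
            'description' => 'Adds an extra audit view to Menu Manager.',
            'version'     => '0.1.0',
        );
        return $addons;
    } );

    // Force the addon on in a given environment (assumed flag shape: slug => bool).
    add_filter( 'pdt_active_addons', function ( array $active ): array {
        if ( defined( 'EXAMPLE_AUDIT_FORCE_ON' ) && EXAMPLE_AUDIT_FORCE_ON ) {
            $active['example_audit'] = true;
        }
        return $active;
    } );

    // Adjust a module's effective settings. Assumed arguments: (settings, module slug).
    // Because core applies this after network defaults and site overrides are
    // resolved, the change holds on every site of a multisite network.
    add_filter( 'polanger_effective_settings', function ( array $settings, string $module ): array {
        if ( 'login_page' === $module ) {
            $settings['recaptcha_enabled'] = true; // assumed setting key
        }
        return $settings;
    }, 10, 2 );

    // UI injection point directly under the Menu Manager header.
    add_action( 'pdt_menu_manager_after_header', function () {
        echo '<p class="description">' . esc_html__( 'Example Audit is active.', 'example-audit' ) . '</p>';
    } );

    // Submenu between Dashboard Center and Settings (parent slug is an assumption).
    add_action( 'pdt_admin_menu_after_dashboard_center', function ( string $parent_slug = 'polanger' ) {
        add_submenu_page( $parent_slug, 'Example Audit', 'Example Audit', 'manage_options',
            'example-audit', 'example_audit_render_page' );
    } );

    // Theme assets for Polanger screens only, without editing core CSS.
    add_action( 'polanger_admin_theme_assets', function () {
        wp_enqueue_style( 'example-audit', plugins_url( 'example-audit.css', __FILE__ ), array(), '0.1.0' );
    } );
} );

function example_audit_render_page(): void {
    // The menu callback is reachable by URL, so the capability is checked here too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-audit' ), 403 );
    }
    echo '<div class="wrap"><h1>' . esc_html__( 'Example Audit', 'example-audit' ) . '</h1></div>';
}
```

Everything is registered from inside the `polanger_init` callback so that the addon does nothing at all when Polanger is inactive, and the page callback repeats the capability check because `add_submenu_page()` only controls menu visibility, not who can load the screen.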

Menu Manager Hooks

Hook        Priority  Description
admin_menu  9999      Capture and modify menu items
admin_init  1         URL access blocking
menu_order  -         Custom menu ordering

Admin Bar Hooks

Hook                        Priority   Description
admin_bar_menu              999999     Capture admin bar nodes
wp_before_admin_bar_render  1000-1002  Apply customizations
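
The following is an added example, not Polanger's own code, that hooks the same points and priorities as the Menu Manager and Admin Bar tables above: role-based hiding and renaming on `admin_menu` at 9999, direct-URL blocking on `admin_init` at 1, custom ordering through `menu_order`, and node removal on `wp_before_admin_bar_render` at 1000. The rule arrays are constructed sample data; Polanger's real storage format is not shown on this page.

```php
<?php
// Added example (not the plugin's own code). The rule arrays are constructed
// sample data, not Polanger's storage format.

// Constructed sample rules: top-level menu slug => roles allowed to see it.
const EXAMPLE_MENU_RULES = array(
    'tools.php'         => array( 'administrator' ),
    'edit-comments.php' => array( 'administrator', 'editor' ),
);
// Constructed sample: admin bar node IDs hidden from everyone except administrators.
const EXAMPLE_ADMINBAR_HIDE = array( 'wp-logo', 'comments', 'new-content' );

function example_user_has_role( WP_User $user, array $roles ): bool {
    return (bool) array_intersect( $roles, (array) $user->roles );
}

// Priority 9999: every other plugin has registered its entries by now, so the
// removals and renames apply to the final menu.
add_action( 'admin_menu', function () {
    global $menu;
    $user = wp_get_current_user();
    if ( 1 === (int) $user->ID ) {
        return; // Super Admin is never restricted
    }
    foreach ( EXAMPLE_MENU_RULES as $slug => $roles ) {
        if ( ! example_user_has_role( $user, $roles ) ) {
            remove_menu_page( $slug );
        }
    }
    // Rename: the label lives in index 0 of each $menu entry, the slug in index 2.
    if ( is_array( $menu ) ) {
        foreach ( $menu as $i => $item ) {
            if ( isset( $item[2] ) && 'edit.php' === $item[2] ) {
                $menu[ $i ][0] = __( 'Articles', 'example' );
            }
        }
    }
}, 9999 );

// Priority 1 on admin_init: hiding a menu entry is cosmetic, so the page itself
// is blocked for roles that are not allowed to see it.
add_action( 'admin_init', function () {
    global $pagenow;
    $user = wp_get_current_user();
    if ( 1 === (int) $user->ID || ! isset( EXAMPLE_MENU_RULES[ $pagenow ] ) ) {
        return;
    }
    if ( ! example_user_has_role( $user, EXAMPLE_MENU_RULES[ $pagenow ] ) ) {
        wp_die( esc_html__( 'This admin page is not available for your role.', 'example' ), 403 );
    }
}, 1 );

// menu_order only runs when custom_menu_order returns true; it receives the
// ordered list of top-level slugs and must return the new order.
add_filter( 'custom_menu_order', '__return_true' );
add_filter( 'menu_order', function ( array $order ): array {
    $first = array( 'index.php', 'edit.php', 'upload.php' );
    return array_values( array_unique( array_merge( $first, $order ) ) );
} );

// Admin bar: nodes are removed just before rendering, after all were added.
add_action( 'wp_before_admin_bar_render', function () {
    global $wp_admin_bar;
    if ( example_user_has_role( wp_get_current_user(), array( 'administrator' ) ) ) {
        return;
    }
    foreach ( EXAMPLE_ADMINBAR_HIDE as $node_id ) {
        $wp_admin_bar->remove_node( $node_id );
    }
}, 1000 );
```

The pairing of `admin_menu` with `admin_init` is the part to keep: `remove_menu_page()` changes what is drawn, not what is reachable, which is why the table lists a separate URL-blocking hook.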

Login Page Hooks

Hook                   Description
login_enqueue_scripts  Load custom styles and scripts
login_head             Output custom CSS
login_form             Add reCAPTCHA to the login form
wp_authenticate_user   Verify reCAPTCHA on login

Database

The plugin stores settings in WordPress options and creates one custom table for activity logs.

Options

Option Name                      Description
pdt_settings                     Main plugin settings
pdt_menu_items                   Menu item configurations
pdt_admin_bar_settings           Admin bar settings
pdt_login_page_settings          Login page settings
pdt_activity_log_settings        Activity log settings
pdt_dashboard_widgets_settings   Dashboard widgets settings
pdt_custom_admin_menus           Custom Admin Menu Builder records
pdt_active_addons                Active addon flags for addon-managed modules
pdt_network_active_addons        Network-wide active addon flags for multisite networks
polanger_network_settings        Network defaults, lock policy, and override policy for Multisite Control
polanger_site_override_settings  Per-site override flags for Multisite Control
pdt_design_settings              Design System token settings and behavior flags
pdt_design_css_meta              Generated CSS metadata (hash, path, and URL) for Design System caching
pdt_general_settings             General/security settings

Activity Log Table

Table name: {prefix}_pdt_admin_logs

SQL Schema
CREATE TABLE {prefix}_pdt_admin_logs (
  id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  user_id bigint(20) unsigned NOT NULL,
  user_login varchar(60) NOT NULL,
  action varchar(100) NOT NULL,
  object_type varchar(50) DEFAULT NULL,
  object_id bigint(20) unsigned DEFAULT NULL,
  object_name varchar(255) DEFAULT NULL,
  ip_address varchar(45) DEFAULT NULL,
  user_agent varchar(255) DEFAULT NULL,
  meta longtext DEFAULT NULL,
  created_at datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (id),
  KEY user_id (user_id),
  KEY action (action),
  KEY created_at (created_at)
);
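
The following is an added example, not Polanger's own code, of writing to and reading from the table defined by the schema above. Column values always travel through `$wpdb->prepare()` placeholders (or `$wpdb->insert()`, which prepares internally); the table name and ORDER BY column, which placeholders cannot express, come only from code-controlled, allowlisted strings. The IP resolution mirrors the page's "prefers REMOTE_ADDR, trusted-proxy forwarded-header parsing" description; the trusted-proxy option name and the function names are assumptions, and `{prefix}` is taken to be `$wpdb->prefix`.

```php
<?php
// Added example (not the plugin's own code). Function names and the
// trusted-proxy option are assumptions; {prefix} is assumed to be $wpdb->prefix.

function example_log_table_name(): string {
    global $wpdb;
    return $wpdb->prefix . 'pdt_admin_logs';
}

// Client IP: REMOTE_ADDR by default. X-Forwarded-For is only honoured when the
// connecting address is a configured trusted proxy, and then the entry that
// proxy appended (the rightmost) is used, never the client-supplied leftmost one.
function example_client_ip( array $trusted_proxies ): ?string {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $chain  = array_map( 'trim', explode( ',', (string) $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $remote = (string) end( $chain );
    }
    return filter_var( $remote, FILTER_VALIDATE_IP ) ? $remote : null;
}

// Insert one log row. Values are truncated to the schema's column widths and
// the IP is stored only when IP logging is enabled (optional under GDPR).
function example_log_action( string $action, string $object_type = '', int $object_id = 0,
                             string $object_name = '', array $meta = array(), bool $log_ip = false ): int {
    global $wpdb;
    $user = wp_get_current_user();
    $ip   = $log_ip ? example_client_ip( (array) get_option( 'example_trusted_proxies', array() ) ) : null;
    $ua   = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 255 ) : null;

    $wpdb->insert( example_log_table_name(), array(
        'user_id'     => (int) $user->ID,
        'user_login'  => substr( (string) $user->user_login, 0, 60 ),
        'action'      => substr( sanitize_key( $action ), 0, 100 ),
        'object_type' => '' !== $object_type ? substr( sanitize_key( $object_type ), 0, 50 ) : null,
        'object_id'   => $object_id > 0 ? $object_id : null,
        'object_name' => '' !== $object_name ? substr( sanitize_text_field( $object_name ), 0, 255 ) : null,
        'ip_address'  => $ip,
        'user_agent'  => $ua,
        'meta'        => $meta ? wp_json_encode( $meta ) : null,
        'created_at'  => current_time( 'mysql', true ),
    ) );
    return (int) $wpdb->insert_id;
}

// Read rows. ORDER BY is allowlisted (prepare() cannot quote identifiers);
// every user-supplied value still goes through a placeholder.
function example_log_query( array $args = array() ): array {
    global $wpdb;
    $allowed_cols = array( 'id', 'user_id', 'action', 'created_at' ); // the indexed columns
    $orderby = in_array( $args['orderby'] ?? '', $allowed_cols, true ) ? $args['orderby'] : 'created_at';
    $order   = ( isset( $args['order'] ) && 'ASC' === strtoupper( $args['order'] ) ) ? 'ASC' : 'DESC';
    $limit   = min( 500, max( 1, (int) ( $args['limit'] ?? 50 ) ) );
    $table   = example_log_table_name();

    $sql    = "SELECT * FROM `{$table}` WHERE 1=1";
    $params = array();
    if ( ! empty( $args['user_id'] ) ) {
        $sql     .= ' AND user_id = %d';
        $params[] = (int) $args['user_id'];
    }
    if ( ! empty( $args['action'] ) ) {
        $sql     .= ' AND action = %s';
        $params[] = (string) $args['action'];
    }
    $sql     .= " ORDER BY `{$orderby}` {$order} LIMIT %d";
    $params[] = $limit;

    return (array) $wpdb->get_results( $wpdb->prepare( $sql, $params ), ARRAY_A );
}

// Usage (constructed): record a settings change, then list that user's last 20 entries.
// example_log_action( 'settings_updated', 'option', 0, 'pdt_general_settings', array( 'tab' => 'access' ), true );
// $rows = example_log_query( array( 'user_id' => get_current_user_id(), 'orderby' => 'created_at', 'limit' => 20 ) );
```

The split between placeholders and allowlists is the point of the example: `%d`/`%s` cover values, while identifiers such as the sort column are constrained to a fixed set before they are interpolated, which is what "allowlisted ORDER BY handling" in the changelog refers to.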

Security

The plugin follows WordPress security best practices:

  • Nonce Verification - All forms use WordPress nonces to prevent CSRF attacks
  • Capability Checks - Only users with manage_options can access the plugin
  • Input Sanitization - All user inputs are sanitized before storage
  • Prepared Statements - Database queries use $wpdb->prepare()
  • Super Admin Protection - Super Admin cannot be locked out of the plugin
  • Read-Only Mode - Server-side enforcement prevents unauthorized changes
  • GDPR Compliance - No sensitive data is logged; IP logging is optional

Security First

This plugin was designed with security as a primary concern. All features include safeguards to prevent accidental lockouts and unauthorized access.
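
The following is an added example, not Polanger's own code, that combines the Access Control and Read-Only Mode rules from the Settings section with the checklist above: a gate that resolves a user's level (Super Admin with user ID 1 always full access, `manage_options` required, then the per-user allowlist of full or read-only), direct-URL blocking on `admin_init`, and a save handler that verifies the nonce and the access level on the server before sanitising and storing anything, with the strict array-type guard on `allowed_users` mentioned in the changelog. Option names, page slugs and field names are assumptions.

```php
<?php
// Added example (not the plugin's own code). Option names, page slugs and
// field names are assumptions.

const EXAMPLE_OPTION = 'example_general_settings';                        // assumed
const EXAMPLE_PAGES  = array( 'example-suite', 'example-suite-settings' ); // assumed slugs

// Returns 'full', 'readonly' or '' (no access) for the given user.
function example_access_level( int $user_id ): string {
    if ( 1 === $user_id ) {
        return 'full'; // Super Admin protection: never locked out
    }
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        return ''; // capability check first; the allowlist only narrows administrators
    }
    $settings = get_option( EXAMPLE_OPTION, array() );
    $allowed  = is_array( $settings['allowed_users'] ?? null ) ? $settings['allowed_users'] : array();
    if ( empty( $allowed ) ) {
        return 'full'; // assumed default: no allowlist configured means all administrators
    }
    $level = $allowed[ $user_id ] ?? '';
    return in_array( $level, array( 'full', 'readonly' ), true ) ? $level : '';
}

// URL blocking at admin_init priority 1: a hidden menu entry is not access control.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( in_array( $page, EXAMPLE_PAGES, true ) && '' === example_access_level( get_current_user_id() ) ) {
        wp_die( esc_html__( 'You are not allowed to access this plugin.', 'example' ), 403 );
    }
}, 1 );

// Strict normalisation of the submitted allowed_users map: array only, positive
// integer IDs of existing users only, known levels only, never an entry for ID 1.
function example_sanitize_allowed_users( $raw ): array {
    if ( ! is_array( $raw ) ) {
        return array();
    }
    $clean = array();
    foreach ( $raw as $user_id => $level ) {
        $user_id = absint( $user_id );
        if ( $user_id < 2 || ! get_userdata( $user_id ) ) {
            continue;
        }
        $level = sanitize_key( (string) $level );
        if ( in_array( $level, array( 'full', 'readonly' ), true ) ) {
            $clean[ $user_id ] = $level;
        }
    }
    return $clean;
}

add_action( 'admin_post_example_save_settings', function () {
    // 1. CSRF: the nonce printed into the form must match.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // 2. Authorisation on the server: disabled inputs in a read-only form are a
    //    courtesy to the user, not a control, so the level is re-checked here.
    if ( 'full' !== example_access_level( get_current_user_id() ) ) {
        wp_die( esc_html__( 'Read-only access: changes are not permitted.', 'example' ), 403 );
    }

    // 3. Sanitise every field before it reaches the database.
    $current = get_option( EXAMPLE_OPTION, array() );
    $current = is_array( $current ) ? $current : array();
    $current['allowed_users']   = example_sanitize_allowed_users( wp_unslash( $_POST['allowed_users'] ?? array() ) );
    $current['footer_text']     = wp_kses_post( wp_unslash( $_POST['footer_text'] ?? '' ) );
    $current['hide_wp_version'] = ! empty( $_POST['hide_wp_version'] );
    update_option( EXAMPLE_OPTION, $current );

    wp_safe_redirect( add_query_arg( array( 'page' => 'example-suite-settings', 'updated' => '1' ), admin_url( 'admin.php' ) ) );
    exit;
} );
```

The order inside the save handler matters: the nonce is checked before any state is read, the access level before any input is trusted, and sanitisation before anything is written, so a request that fails an earlier step never reaches the later ones.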

Changelog

Version 1.5.1 Latest

  • Fixed: Resolved an issue where reCAPTCHA could fail to appear on the custom login page under certain configurations
  • Improved: Better integration and compatibility between Authenticator App (TOTP) and reCAPTCHA verification flows
  • Improved: Comment Guard reCAPTCHA integration is now more stable and reliable across comment submission scenarios
  • Fixed: Resolved login page logo cropping issues on responsive and custom layout configurations
  • Improved: On mobile devices, the login page language selector is now displayed inside a compact drawer for a cleaner layout
  • New: Added option to completely disable the language switcher on the login page

Version 1.5.0

  • New: Authenticator App (TOTP) addon – Google/Microsoft Authenticator support with multi-user architecture (per-user enrollment, profile page management, admin sees status only), mandatory enrollment flow for required roles, safe secret rotation with pending secret system (old authenticator keeps working until new verified), AES-256-CBC encryption, recovery keys with auto-regeneration on rotation, trusted device memory (30 days), email fallback, brute-force protection, and replay attack prevention
  • New: reCAPTCHA addon – centralized Google reCAPTCHA v2/v3 key management; all reCAPTCHA configuration consolidated from multiple locations into one dedicated addon; supports login, registration, lost password, and comment forms; integrates seamlessly with Comment Security addon
  • Improved: Design System – expanded color customization with Sidebar Background, Sidebar Text Color, Admin Bar Background, Admin Bar Text Color, Admin Bar Submenu Background, and Admin Bar Submenu Text Color options
  • Improved: Design System color compatibility – enhanced contrast handling and readability corrections across admin UI components including postboxes, notices, tables, and form controls
  • Improved: Menu Manager stability – resolved conflict issues with certain third-party plugins and themes that were causing menu rendering inconsistencies
  • Improved: Mobile responsiveness – comprehensive layout and interaction improvements across all admin screens for better tablet and smartphone usability; improved touch targets, spacing, and navigation
  • Fixed: 2FA settings form submission – resolved nested form issue that prevented Save Settings button from working when Authenticator addon was active

Version 1.4.3

  • New: Comment Security Layer addon – multi-layer comment protection with honeypot trap, HMAC-signed timing tokens, per-IP flood control (per-minute and per-hour windows), keyword and URL blocklists, behavior scoring engine with configurable thresholds, and silent action modes (spam queue, trash, or silent drop)
  • Improved: Login page design – refined mobile layout with corrected form card proportions, improved spacing around inputs and buttons on small screens, and more consistent hover and focus state rendering across breakpoints
  • Improved: Login page background rendering – smoother gradient transitions and better full-coverage rendering for background images on narrow viewports; improved visual layering between background and form card
  • Improved: Admin panel mobile responsiveness – layout and spacing adjustments across Settings, Addons, and Activity Log screens; better usability on tablet and mobile viewports with more appropriate touch target sizing
  • Improved: Sub-tab settings saves – partial save operations now only process and re-validate the submitted field group, reducing redundant sanitization passes on every tab change
  • Improved: Addon list layout – card grid now wraps and spaces more cleanly on narrow viewports with improved readability of addon status indicators on mobile

Version 1.4.2

  • New: Multisite Control addon for network-wide defaults, lock policies, and site-level overrides
  • New: Network-aware settings engine using effective settings filters across supported modules
  • New: Network lock support for Menu Manager, Admin Bar, Login Security, Activity Log, and Dashboard Center
  • New: Site override status controls and network-managed module notices
  • Improved: Addon activation flow with optional network-wide active addon support
  • Improved: 2FA login session handling now respects the original Remember Me preference during verification
  • Improved: 2FA resend verification flow hardened with nonce-protected requests and stricter token validation
  • Improved: 2FA verification flow now includes stronger user/session guard checks to reduce edge-case failures
  • Improved: 2FA trusted device and security logging IP resolution strengthened with trusted-proxy aware validation
  • Improved: 2FA email delivery failure behavior is now configurable with secure-by-default login handling
  • New: Design System addon scaffold with token-based settings, preset support, and generated CSS output
  • Improved: Addon-first theming extensibility via polanger_admin_theme_assets for clean admin UI customization without core CSS overrides

Version 1.4.1

  • Improved: Activity Log export flow (CSV/JSON) output handling on Settings page for more consistent downloads
  • Improved: Settings export callback visibility and admin_init lifecycle compatibility
  • Improved: Activity Log query hardening with validated table-name usage and allowlisted ORDER BY handling
  • Improved: 2FA verification comparison updated with timing-safe hash validation (hash_equals)
  • Improved: Activity Log IP resolution now prefers REMOTE_ADDR and supports trusted-proxy based forwarded-header parsing
  • Improved: Settings input validation for allowed_users with strict array-type guards before normalization

Version 1.4.0

  • Major update: All premium features are now available for free
  • New: Full Admin Suite experience (menu, login, security, dashboard, activity log)
  • New: Custom Admin Menu Builder
  • New: Role-based access control improvements
  • Improved: UI/UX across all modules
  • Improved: Performance and stability
  • Improved: Security layers and validation
  • Fixed: Minor bugs and edge cases