Polanger Admin Suite
The ultimate WordPress admin customization toolkit. Take full control of your WordPress dashboard.
Introduction
Polanger Admin Suite is a comprehensive WordPress plugin that gives you complete control over your WordPress admin area. Whether you're building sites for clients, managing a multisite network, or simply want a cleaner admin experience, this plugin has you covered.
Menu Manager
Hide, rename, reorder, and control access to any admin menu item with role-based visibility.
Admin Bar
Customize the admin bar with your logo, hide items, and add custom links with icons.
Login Page
Custom login URL, beautiful design options, and reCAPTCHA protection for security.
Activity Log
Track all admin actions with GDPR-compliant logging, email alerts, and CSV export.
Dashboard Widgets
Hide default widgets, auto-hide third-party widgets, and create custom branded widgets.
Custom Admin Menu
Create custom admin sidebar menus and submenus with internal/external targets and new-tab support.
Security & 2FA
Access control, two-factor authentication, recovery keys, and Super Admin protection.
Multisite Control
Manage network defaults, site overrides, and locked module policies across WordPress multisite networks.
Comment Security
Protect your comment form with bot traps, timing checks, rate limits, content filters, and automatic moderation actions.
Polanger Shield
Block admin pages for selected users, hide specific interface areas directly from the live screen, and attach internal notes to exact admin elements.
Authenticator (TOTP)
Google/Microsoft Authenticator support with secure TOTP verification, recovery keys, and trusted device memory.
reCAPTCHA
Centralized Google reCAPTCHA v2/v3 management for login, registration, password reset, and comment forms.
WooCommerce Security
Extends Polanger reCAPTCHA, 2FA, and rate limiting protection to WooCommerce customer login, registration, and password recovery flows.
Installation
Method 1: WordPress Admin Upload
- Download the plugin ZIP file from CodeCanyon
- Go to Plugins → Add New → Upload Plugin
- Choose the ZIP file and click Install Now
- After installation, click Activate Plugin
Method 2: FTP Upload
- Extract the plugin ZIP file
- Upload the
polanger-admin-menu-managerfolder to/wp-content/plugins/ - Go to Plugins in WordPress admin and activate the plugin
You'll find the plugin menu at Polanger in your WordPress admin sidebar.
Requirements
| Requirement | Minimum | Recommended |
|---|---|---|
| WordPress | 5.0+ | 6.0+ |
| PHP | 7.4+ | 8.0+ |
| MySQL | 5.6+ | 8.0+ |
| MariaDB | 10.0+ | 10.5+ |
Admin Bar
Customize the WordPress admin bar (toolbar) that appears at the top of your site.
Custom Logo
- Replace WordPress Logo - Upload your own logo (recommended: 20x20px or 40x40px)
- Custom Link URL - Set where the logo links to
- Hide Logo Submenu - Hide items like "About WordPress", "Documentation", etc.
Manage Admin Bar Items
The plugin automatically detects all admin bar items added by WordPress, themes, and plugins.
- Auto-Detection - Finds items from Elementor, WooCommerce, and other plugins
- Hide Items - Click the eye icon to hide any item
- Rename Items - Change the display text of any item
- Frontend Support - Manage items that only appear on the frontend
Custom Links
Add your own links to the admin bar with icons and optional submenus.
| Option | Description |
|---|---|
| Title | The text displayed in the admin bar |
| URL | Where the link goes when clicked |
| Icon | Choose from 200+ Dashicons |
| Target | Same window or new tab |
| Submenu | Add dropdown items under the main link |
Login Page
Secure and customize your WordPress login page with a custom URL, beautiful design, and reCAPTCHA protection.
Custom Login URL
Change the default wp-login.php URL to something unique for added security.
- Custom Slug - Use any URL like
/my-loginor/secure-access - Block Default URLs - Redirect
wp-login.phpandwp-adminto 404 - Permalink Support - Automatically handles trailing slashes based on your settings
After enabling a custom login URL, bookmark it immediately. If you forget the URL, you'll need to disable the plugin via FTP or phpMyAdmin.
Design Options
Create a beautiful, branded login experience with these customization options:
- Upload a custom logo from the Media Library
- Set a custom link URL for the logo
- Logo appears above the login form
- Solid Color - Single color background
- Gradient - Two-color gradient at 135°
- Image - Full-screen background image
- Primary Color - Buttons and accents
- Form Background - Login form card color
- Automatic hover state generation
reCAPTCHA Protection
Protect your login page from bots and brute force attacks with Google reCAPTCHA.
Checkbox reCAPTCHA - Users click "I'm not a robot" to verify.
- Visible verification checkbox
- May show image challenges
- Best for high-security requirements
Invisible reCAPTCHA - Score-based verification without user interaction.
- No user interaction required
- Scores requests from 0.0 to 1.0
- Requests below 0.5 are blocked
- Best for user experience
reCAPTCHA can be enabled for:
- Login Form
- Registration Form
- Lost Password Form
Activity Log
Track all administrative actions on your WordPress site. The Activity Log is GDPR/KVKK compliant and never stores sensitive data like passwords or email content.
Logged Events
| Category | Events |
|---|---|
| Login | Login, Logout, Failed Login Attempts |
| Plugins | Activated, Deactivated, Deleted, Updated |
| Themes | Theme Switched, Customizer Saved |
| Content | Created, Updated, Deleted, Trashed |
| Users | Created, Deleted, Role Changed, Password Changed |
| System | Site URL, Home URL, Admin Email, Permalinks |
Severity Levels
- Critical - Security-sensitive actions (URL changes, user deletion, password changes)
- Warning - Actions requiring attention (failed logins, plugin deactivation)
- Info - General activity (content changes, logins)
Log Viewer
View and filter logs with a powerful search interface:
- Search - Find by username, action, or object name
- Filter by Action - Show only specific event types
- Date Range - Filter by start and end dates
- Export CSV - Download logs for external analysis
- Pagination - 20 logs per page with navigation
Email Alerts
Get notified when critical events occur:
- Site URL or Home URL changed
- Admin email changed
- User deleted or role changed
- Plugin deleted
- Password changed
Privacy & Retention
- IP Logging - Optional, disabled by default for GDPR compliance
- Auto-Delete - Automatically delete logs after 7, 30, 60, or 90 days
- No Sensitive Data - Passwords, emails, and form content are never logged
Dashboard Widgets
Take control of the WordPress dashboard by managing widgets, hiding admin notices, and creating custom branded widgets.
Widget Visibility
Hide default WordPress dashboard widgets:
- Welcome Panel
- Quick Draft
- Activity
- WordPress Events and News
- Site Health Status
Auto-Hide Third-Party Widgets
Enable this feature to automatically hide all widgets added by plugins and themes. Use the whitelist to allow specific widgets.
When auto-hide is enabled, your dashboard stays clean even when new plugins are installed. Only whitelisted widgets will appear.
Admin Notices
Control the notices that appear at the top of admin pages:
- Hide All Notices - Remove all plugin and theme notices
- Super Admin Exception - Let Super Admins see all notices
- Dashboard Only - Show notices only on the main dashboard
- Log Hidden Notices - Track what notices were hidden
Custom Widgets
Create branded dashboard widgets for your clients or team:
| Option | Description |
|---|---|
| Title | Widget heading displayed on the dashboard |
| Position | Left column (Normal) or Right column (Side) |
| Content | Rich text editor with media support |
| Enabled | Toggle widget visibility |
Use Cases:
- Welcome message with agency branding
- Quick links to important pages
- Support contact information
- Training resources and documentation
Multisite Control
Multisite Control adds network-wide governance for agencies, developers, and site networks while keeping each module independent and extendable.
Network Defaults
- Define global defaults from Network Admin
- Capture a site's current module settings as reusable network defaults
- Apply effective settings through lightweight filters instead of duplicating module logic
Site Overrides
- Allow or disable site-level overrides per network policy
- Show Network, Override, and Locked status per module
- Keep local site settings intact unless network policy is enabled
Lock System
- Lock Menu Manager, Admin Bar, Login Security, Activity Log, and Dashboard Center
- Disable local forms when a module is network locked
- Use
manage_network_optionsfor network settings andmanage_optionsfor site-level controls
Design System
Design System provides token-based admin theming through an addon-first architecture, so visual customization can grow without adding core complexity.
Token-Driven Styling
- Manage primary, background, surface, text, muted, sidebar, and admin bar colors from one screen
- Configure font family and border radius as reusable design tokens
- Generate CSS variables and shared UI styles from saved tokens
Smart Contrast
- Auto-generate readable foreground colors for dark/light surfaces
- Apply scoped readability corrections to postboxes, notices, tables, and form controls
- Enable or disable smart contrast correction from addon settings
Performance & Scope
- Generate cache-friendly CSS files only when token hash changes
- Use inline fallback when filesystem write is unavailable
- Apply styles to Polanger pages only or all admin pages based on selected scope
Frontend Content Visibility
Frontend Content Visibility is a core content access layer for the public side of your WordPress site. It lets editors decide, per post, page, or supported custom post type, who can see that content and what should happen when an unauthorized visitor tries to open it.
This is not just a redirect toggle. The feature combines per-content visibility rules, global fallback behavior, theme compatibility modes, and discovery controls for archives, search results, REST API responses, and WordPress XML sitemaps.
The normal workflow is simple: an editor opens a content edit screen, chooses the visibility rule from the Content Visibility panel, and optionally overrides the denied behavior for that single item. Site-wide defaults live in the main Polanger settings screen so administrators can define one consistent protection policy.
An administrator defines the global defaults once. After that, editors can leave a content item public, limit it to logged-in users, show it only to selected roles, or hide it from selected roles. When a blocked visitor reaches protected content, Polanger follows the chosen denied behavior and can also remove that content from public listings, REST output, and XML sitemaps.
Visibility Modes
The per-content visibility panel is where you decide the audience for one specific post, page, or custom post type entry.
- Public - Leaves the content fully visible to everyone. No access restrictions are applied.
- Logged-in users only - Visitors must be signed in before they can view the protected content.
- Show only selected roles - Only the roles you explicitly choose can open the content. Other roles and guests are treated as denied visitors.
- Hide from selected roles - Useful when most people may access the content, but one or more roles should be excluded.
- Classic and block editor support - The same rule system is available from the classic editor side metabox and the Gutenberg document sidebar panel.
Denied Behavior
When someone reaches protected content without permission, Polanger can respond in several different ways depending on your chosen policy.
- Redirect to login - Sends the visitor to the WordPress login screen so they can authenticate before trying again.
- Show 404 - Makes the protected content behave like it does not exist for unauthorized visitors.
- Show access denied message - Displays a branded access denied state instead of silently redirecting the visitor away.
- Redirect to custom URL - Sends the visitor to a custom destination such as a pricing page, members-only landing page, or help article.
- Per-content custom message - Editors can override the global message for a single content item and write it with TinyMCE, including HTML and supported shortcodes.
- Homepage fallback - If no custom redirect URL is provided, the system safely falls back to the homepage instead of leaving a broken destination.
Global Defaults
The global settings screen defines the default behavior used when an editor does not override the rule on a specific content item.
- Default denied behavior - Controls the standard response for blocked visitors across the site.
- Default access denied message - Uses a TinyMCE editor so administrators can create a reusable message with formatting, links, HTML, and shortcodes.
- Default redirect URL - Sets the destination that should be used when the denied behavior is a custom redirect.
- Default compatibility mode - Decides whether Polanger should replace only the main content area inside the current theme or force a dedicated full access denied page.
- Default Settings quick link - Editors can jump from the content panel straight to the global defaults in a new tab without searching through the settings menu.
Compatibility & Discovery Control
Restricting access is only part of the job. Polanger also helps prevent protected content from being discovered indirectly.
- Theme-friendly replacement - Keeps the active theme layout and swaps only the content area, which is ideal for standard themes and lightweight site setups.
- Force full access denied page - Uses a stricter standalone response when a builder or custom template might bypass normal content rendering.
- Hide from archives and search - Removes restricted content from public loops, archives, feeds, and search-style frontend queries when enabled.
- Hide from the public REST API - Prevents restricted content from appearing in public API responses that headless frontends or integrations may consume.
- Hide from WordPress XML sitemaps - Stops protected URLs from being listed in native WordPress sitemap output.
Set your preferred global denied behavior first, enable archive/REST/sitemap hiding if the content should stay private everywhere, and then let editors only decide the audience on each content item. This keeps the daily workflow simple while still giving you strong control.
Polanger Shield
Polanger Shield is an admin-side control addon for WordPress backends. Instead of making you guess selectors or configure everything from a distant settings screen, it lets an authorized manager open the real admin page, click the floating Shield button, and create the rule directly on the interface that needs to change.
This makes Shield useful when you want to block one plugin page for a specific administrator, hide one confusing metabox without affecting the rest of the screen, or leave an internal note on an exact setting field so selected users understand what to do there.
The addon works only inside wp-admin. Its rules are context-aware, user-targeted, and designed to avoid changing unrelated screens.
A manager opens the target admin page, clicks the floating Shield button, and chooses one of four actions: hide the current page, lock the page for demo viewing, select and hide a specific area, or leave a contextual note. After selecting the affected users and saving the rule, Shield applies that rule only on the matched admin screen and only for the intended users.
Rule Types
| Rule Type | What It Does | Typical Use Case |
|---|---|---|
| Page Block | Blocks the full admin screen for selected users and can also deny direct URL access. | Hide a plugin settings page from users who should not open or manage it. |
| Demo Lock | Keeps the page visible but turns it into a view-only admin screen for selected users. | Let demo visitors browse a settings page without allowing saves, updates, or destructive actions. |
| Element Hide | Hides only the selected admin area on the matched screen for selected users. | Remove one metabox, panel, or plugin UI block without changing the rest of the page. |
| Note | Shows a visible note marker and popover on the selected element for selected users. | Explain how to use a field, warn about a setting, or document an internal workflow step. |
Access Control
Shield includes its own access-control tab inside Settings -> Shield. This tab decides who is allowed to use the floating Shield tools and manage rules.
- Who can use this addon? - Select which administrator accounts may use the Shield panel, create rules, and open the Shield dashboard.
- Protected admin fallback - One protected administrator is always retained so the site owner cannot accidentally lock every manager out of Shield.
- Send key Shield events to Activity Log - When enabled and the Activity Log addon is active, important Shield events such as rule creation, disabling, and permission changes are forwarded into the centralized activity system.
- Setup reminder notice - If Shield is active but no managers are configured yet, the addon can show a reminder notice so setup is not forgotten.
Page Blocking
The Hide This Page action creates a page-block rule for the current admin screen. This is the strongest action in the addon because it can remove menu access and also stop direct URL access.
- Screen-based targeting - Rules are matched against the current screen context, page slug, page hook, or normalized request URI so the block stays tied to the intended page.
- Selected users only - A page block does not affect every administrator automatically. It only applies to the users selected when the rule is created.
- Optional URL blocking - When enabled, targeted users are not only prevented from clicking the menu item but are also denied if they try to access the page by direct URL.
- Menu cleanup - Matching blocked pages are removed from the admin menu for targeted users where possible, so the UI is cleaner and less confusing.
- Access denied fallback - If a blocked user still reaches the page, Shield stops the request early and shows a clear access denied screen with a safe route back to the dashboard.
Demo Lock
The Lock This Page for Demo action is designed for public or client-facing admin demos where you want people to inspect a screen without being able to change anything important.
- View-only admin screen - The page still loads for the targeted user, but write actions are intercepted so the screen behaves like a protected demo.
- Optional on-page notice - You can show a clear banner explaining that the screen is in demo mode and that changes are intentionally disabled.
- Block standard form submissions - Prevents classic settings forms, editor saves, and similar POST-based admin changes from completing.
- Block likely AJAX save requests - Stops common
admin-ajax.phpupdate flows from silently writing changes in the background. - Block REST write requests - Protects modern interfaces that save through the WordPress REST API, including builder-style or JavaScript-heavy admin screens.
- Friendly blocked-change notice - If the user still tries to save, Shield returns them safely and shows a warning that the change was prevented by Demo Lock.
- Per-screen targeting - The lock applies only on the matched admin screen, so it does not automatically freeze other parts of the admin area.
Element Hiding
The Select & Hide Area action is for partial interface cleanup. Instead of blocking the whole page, Shield lets you click the exact element you want to hide and stores a selector for that location.
- Live screen selection - Managers choose the target by clicking the real admin element, which is usually faster and safer than writing CSS selectors by hand.
- Selector generation - Shield tries to create the strongest selector it can, preferring IDs and unique attributes before falling back to broader DOM paths.
- Per-screen behavior - The selector is applied only on the matched admin screen, so hiding one panel on one page does not automatically hide similar markup everywhere else.
- User-targeted cleanup - You can simplify the screen for some administrators without affecting the people who still need that interface block.
- Good fit for plugin-heavy dashboards - This is especially useful when third-party plugins add boxes, upsells, or controls that some users do not need to see.
Contextual Notes
The Leave Note action attaches an internal note to a specific admin element. Shield then displays a visible note marker near that element for the selected users.
- Element-specific notes - Notes are attached to one chosen area, so the guidance appears exactly where the user needs it instead of being buried in a generic help page.
- Visible users list - Notes are shown only to the users selected in the note rule. This is useful for internal training, handoff instructions, or client-safe guidance.
- Clickable marker and popover - Users can click the note marker to open a readable note panel without changing the underlying admin page layout.
- Context menu for managers - Managers can quickly disable or inspect note rules from the note marker itself, which helps with fast cleanup during testing.
- Non-destructive guidance - Notes do not block the page. They simply add structured context to the existing interface.
Rule Dashboard
The Shield dashboard is the central place for reviewing and maintaining saved rules after they have been created from live admin screens.
- Rule list with type and target - Each record shows whether it is a page block, demo lock, element hide, or note rule, plus the matched screen or selector.
- User visibility summary - The dashboard shows which users are affected by each rule so access changes stay auditable.
- Test mode links - Managers can open a rule target in test mode to highlight the matched area and confirm that the selector still points to the expected element.
- Disable and delete actions - Rules can be disabled temporarily or deleted entirely, either one by one or through bulk actions.
- Focused review flow - Dashboard links can open a rule in context so the manager can inspect and verify it quickly.
Safe Mode & Recovery
Because Shield can hide pages and interface areas, it also includes recovery paths to reduce lockout risk.
- Temporary Safe Mode - Managers can open admin pages in a temporary safe mode so page-block and other enforcement rules can be bypassed while troubleshooting.
- Protected admin requirement - Shield always keeps one protected administrator in the manager path so there is a reliable recovery account.
- Constant-based emergency bypass - Developers can disable Shield blocking through a server-side constant when deep recovery is needed.
- Recommended rollout - Start with a small set of rules, test with one target user, then expand once the result is confirmed.
Use Shield first for targeted cleanup, not for broad redesign. Start by blocking one sensitive plugin page, hiding one confusing metabox, or adding one instructional note. This approach keeps rules understandable, easier to audit, and safer to maintain over time.
Authenticator App (TOTP)
The Authenticator addon adds Google Authenticator and Microsoft Authenticator support to the core 2FA system. Instead of receiving codes via email, users verify their identity using time-based one-time passwords (TOTP) generated by their authenticator app.
This method provides stronger security than email-based verification and works offline without requiring email delivery.
TOTP generates a new 6-digit code every 30 seconds based on a shared secret key. Both the authenticator app and the server know this secret, so they can independently generate and verify matching codes without any network communication.
Multi-User Architecture
The authenticator system is designed for multi-user WordPress installations. Each user has their own authenticator setup, and the system separates global policy settings from individual user enrollment.
Global Settings (Admin Panel)
- Role Enforcement - Select which user roles require 2FA (Administrator, Editor, etc.)
- 2FA Method Selection - Choose between Email or Authenticator App
- Lockout Policy - Configure maximum attempts and lockout duration
- Super Admin Control - Option to include or exempt Super Admin from 2FA requirements
Per-User Enrollment
- Individual Secret Keys - Each user has their own unique encrypted secret
- Profile Page Management - Users manage their 2FA from their profile page (Users → Profile)
- Enrollment Status - Admins can view enrollment status of users without seeing their secrets
- Privacy Protection - Admins cannot view other users' secret keys, only their enrollment status
Enrollment Flow
When a user's role requires 2FA and they haven't set up their authenticator yet, they are guided through a mandatory enrollment process on first login:
- Login with Password - User enters their username and password as usual
- Enrollment Required Screen - System detects unenrolled user and shows setup wizard
- Add to Authenticator App
- Secret key is displayed for manual entry
- Provisioning URI available for QR code tools
- Verify Setup - User enters the 6-digit code from their app
- Recovery Keys - 10 recovery keys are generated and displayed (one-time viewing)
- Access Granted - User confirms they saved their keys and gains access
Users are never locked out due to unenrolled 2FA. Instead of showing an error, the system guides them through the setup process during login. They must complete enrollment before accessing the site.
Profile Page Management
After initial enrollment, users can manage their authenticator from their WordPress profile page:
For Own Profile
- View Status - See if authenticator is active or needs setup
- Generate New Secret - Rotate to a new secret key (uses safe pending system)
- Disable Authenticator - Remove authenticator from account
- Recovery Key Count - See how many recovery keys remain
Admin Viewing Other Users
- Enrollment Status Only - See if user has configured authenticator
- Recovery Key Count - View remaining recovery keys
- No Secret Access - Cannot view or modify user's secret key (privacy protection)
Safe Secret Rotation
When generating a new secret key, the system uses a "pending secret" architecture to prevent accidental lockouts:
When you generate a new secret, your existing authenticator continues working until you verify the new one. If you cancel or abandon the process, nothing changes.
Rotation Flow
- Generate New Secret - Creates a "pending" secret, old secret remains active
- Add New Secret to App - User adds the new secret to their authenticator
- Verify New Secret - User enters code from the new secret
- Activation - On successful verification:
- Pending secret becomes active
- Old secret is removed
- New recovery keys are generated (security context changed)
- Cancel Option - User can cancel rotation at any time, keeping their existing setup
Why Pending Secrets Matter
- No Accidental Lockout - If user abandons rotation midway, old authenticator still works
- Phone Change Safety - Safe process for migrating to a new device
- Recovery Context - New recovery keys generated because security context changed
Secret Key Security
- Encrypted Storage - Secret keys are encrypted at rest using AES-256-CBC (OpenSSL) or HMAC-based XOR keystream fallback
- Unique Per User - Each user has their own unique 32-character Base32 secret
- Key Derivation - Encryption keys derived from WordPress auth salts
- MAC Verification - HMAC-SHA256 integrity verification prevents tampering
Recovery Keys
When you complete authenticator setup, 10 recovery keys are automatically generated. These keys provide emergency access if you lose your phone or cannot use your authenticator app.
Recovery keys are shown only once when generated. Store them securely (password manager, printed copy in a safe place). Each key can only be used once.
- 10 Keys Per User - Each user receives 10 unique recovery keys
- One-Time Use - Each key works only once and is then invalidated
- Regeneratable - Generate new keys from the 2FA settings page
- Shared with Email 2FA - The same recovery keys work for both email and authenticator methods
Login Flow
When authenticator 2FA is active, the login process works as follows:
- Enter username and password as usual
- You're redirected to the authenticator verification screen
- Open your authenticator app and enter the current 6-digit code
- Optionally check "Trust this device for 30 days"
- Click "Verify & Login"
Alternative Access Methods
| Option | When to Use |
|---|---|
| Use Recovery Key | Lost phone, app deleted, or authenticator unavailable |
| Send Code via Email | Temporary fallback to email verification |
| Trusted Device | Skip 2FA for 30 days on trusted browsers |
Security Features
- Replay Attack Prevention - Each code can only be used once per time window
- Time Window Tolerance - Accepts codes from ±1 time slice to handle clock drift
- Lockout Protection - Too many failed attempts triggers temporary lockout
- Super Admin Bypass - Optional exemption to prevent network lockouts
reCAPTCHA Protection
The reCAPTCHA addon provides centralized Google reCAPTCHA management for your WordPress site. All reCAPTCHA configuration is consolidated into this single addon, eliminating scattered settings and ensuring consistent protection across all forms.
All reCAPTCHA settings that were previously spread across different modules have been consolidated into this addon. Configure your API keys once and enable protection wherever you need it.
API Key Setup
To use reCAPTCHA, you need API keys from Google:
- Visit the Google reCAPTCHA Admin Console
- Register your site (choose v2 or v3 based on your preference)
- Copy the Site Key and Secret Key
- Enter them in the reCAPTCHA addon settings
Checkbox Challenge - Users see a visible "I'm not a robot" checkbox.
- Clear visual confirmation for users
- May display image challenges for suspicious traffic
- Best when you want explicit user verification
- Higher friction but very reliable
Invisible Scoring - Works silently in the background without user interaction.
- No checkbox or challenges shown to users
- Returns a score from 0.0 (likely bot) to 1.0 (likely human)
- Configurable threshold (default: 0.5)
- Best for user experience, requires score tuning
Protected Forms
Enable reCAPTCHA protection on any combination of these forms:
| Form | Protection |
|---|---|
| Login Form | Prevents brute force attacks and credential stuffing |
| Registration Form | Blocks automated account creation by bots |
| Lost Password Form | Prevents password reset abuse and enumeration |
| Comment Form | Stops spam comments (integrates with Comment Security addon) |
When the optional WooCommerce Security addon is active, this same Where to Enable list also gains WooCommerce Login Forms, WooCommerce Registration Form, and WooCommerce Lost Password Form.
Settings
v3 Score Threshold
For reCAPTCHA v3, set the minimum score required to pass verification:
- 0.9 - Very strict, may block some legitimate users
- 0.7 - Strict, good for high-security sites
- 0.5 - Balanced (recommended starting point)
- 0.3 - Permissive, allows more traffic through
Badge Position (v3)
Control where the reCAPTCHA badge appears on your site:
- Bottom Right - Default position (required by Google ToS)
- Bottom Left - Alternative corner position
- Inline - Embedded within the form
When both reCAPTCHA and Comment Security addons are active, reCAPTCHA runs first (priority 50) before Comment Security scoring (priority 100). Failed reCAPTCHA immediately blocks the comment without further processing.
WooCommerce Security
WooCommerce Security is an optional companion addon that extends the Polanger security stack into WooCommerce customer account flows. Instead of creating a second disconnected security system, it reuses the existing Polanger reCAPTCHA and 2FA infrastructure and adds a dedicated rate limiting layer for store-facing authentication requests.
This means store owners can protect customer login, registration, and password recovery screens from one familiar Polanger settings workflow instead of scattering controls across multiple plugin pages.
The addon is dependency-aware by design. It only runs when both Polanger Admin Suite and WooCommerce are available, so stores are not left with half-loaded security features or broken form hooks.
Activate the addon plugin, open Polanger Settings -> WooCommerce, keep rate limiting enabled, then go to the reCAPTCHA tab and turn on the WooCommerce form locations you want. If your site already uses Polanger 2FA, WooCommerce customer login will automatically follow that same verification flow where applicable.
Dependencies & Activation Behavior
WooCommerce Security is shipped as a separate addon plugin, but it is intentionally strict about dependencies so it cannot be activated in an incomplete environment.
- Requires Polanger Admin Suite - The addon expects the core Polanger security helpers to be available before it boots.
- Requires WooCommerce - WooCommerce must be installed and active because the addon hooks directly into WooCommerce authentication forms and request handlers.
- Activation gate - If WooCommerce is missing or inactive, activation is refused and a clear admin-facing dependency message is shown.
- Auto-deactivation safety - If WooCommerce or the core suite disappears later, the addon deactivates itself on admin load instead of continuing in a broken state.
- One-time setup notice - After successful activation, administrators receive a direct link to the WooCommerce tab inside Polanger Settings so setup is not forgotten.
WooCommerce reCAPTCHA Integration
When this addon is active, the main Polanger reCAPTCHA tab gains extra WooCommerce-specific locations. You still manage API keys, version selection, and other global reCAPTCHA behavior from the existing reCAPTCHA addon. WooCommerce Security simply adds the store-side form hooks and verification points.
| Location | Where It Appears | What It Protects |
|---|---|---|
| WooCommerce Login Forms | My Account login form and supported WooCommerce login prompts, including checkout login contexts | Blocks automated login abuse, credential stuffing, and scripted login attempts before WooCommerce continues processing the request |
| WooCommerce Registration Form | The customer registration form on My Account | Reduces bot-driven account creation and fake registrations |
| WooCommerce Lost Password Form | WooCommerce password reset request screens | Helps stop reset-form abuse and repeated automated recovery requests |
Both reCAPTCHA v2 and v3 continue to work through the same Polanger service layer. The WooCommerce addon only renders and verifies the protection in the correct store form locations.
WooCommerce 2FA Flow
WooCommerce Security also carries the existing Polanger 2FA challenge flow into WooCommerce customer login. It does not replace the core 2FA system. Instead, it preserves the WooCommerce context so the user can complete verification and still return to the correct store destination.
- My Account aware - If login begins from WooCommerce, the pending 2FA context is marked as a WooCommerce-origin login.
- Redirect preservation - The original WooCommerce redirect target is captured and reused after successful verification where allowed.
- Correct back link behavior - The "back to login" path on the 2FA screen points back to the original WooCommerce login screen instead of a generic WordPress login page.
- Shared 2FA policy - Code expiry, failed attempt limits, lockout duration, trusted-device behavior, recovery methods, and required-role rules still come from the main Polanger 2FA settings.
- No duplicate 2FA settings page - Store owners do not need to configure a second 2FA system just for WooCommerce.
Rate Limiting
The WooCommerce tab in Polanger Settings adds a focused rate limiting layer for customer authentication traffic. This runs automatically on WooCommerce login failures, registration attempts, and lost password requests, using both identity-based and IP-based tracking windows.
- Single master switch - Enable or disable the entire WooCommerce rate limiting layer from one toggle.
- Identity + IP buckets - Limits are evaluated against the submitted username or email where possible, and also against the client IP.
- Automatic login reset - A successful WooCommerce login clears the login identity bucket so legitimate users are not penalized after finally authenticating.
- No form clutter - Customers do not see extra fields. The protection works in the background and only shows a message if limits are reached.
Protection Modes
Instead of asking store owners to tune every number manually, the addon offers three ready-made rate limiting profiles.
| Mode | Login | Registration | Lost Password |
|---|---|---|---|
| Relaxed | 8 identity attempts or 16 IP attempts in 10 minutes | 4 identity attempts or 8 IP attempts in 30 minutes | 4 identity attempts or 8 IP attempts in 30 minutes |
| Balanced | 5 identity attempts or 10 IP attempts in 10 minutes | 3 identity attempts or 6 IP attempts in 30 minutes | 3 identity attempts or 6 IP attempts in 30 minutes |
| Strict | 3 identity attempts or 6 IP attempts in 15 minutes | 2 identity attempts or 4 IP attempts in 60 minutes | 2 identity attempts or 4 IP attempts in 60 minutes |
For most stores, keep WooCommerce rate limiting enabled, choose Balanced mode, then enable the three WooCommerce reCAPTCHA locations you actually use. If customer 2FA is already part of your Polanger policy, the WooCommerce login experience will inherit it automatically without a second setup track.
Settings
Configure access control, two-factor authentication, and other plugin-wide settings.
Access Control
Restrict who can access and modify the plugin settings:
- Allowed Users - Select which administrators can access the plugin
- Access Levels - Full Access or Read-only for each user
- Super Admin Protection - Super Admin (ID 1) can never be locked out
- URL Blocking - Restricted users can't access plugin pages via direct URL
Read-only users can view all settings but cannot make changes. A banner is displayed and all forms are disabled.
Two-Factor Authentication (2FA)
Add an extra layer of security with email-based 2FA:
Setup Process
- Click "Send Test Email" to verify email delivery works
- Enable Two-Factor Authentication
- Select which roles require 2FA
- Save your recovery keys
Features
- 6-Digit Codes - Sent via email on each login
- Code Expiry - 5, 10, or 15 minutes
- Role-Based - Require 2FA for specific roles
- Recovery Keys - One-time use backup codes
- Super Admin Bypass - Super Admin is exempt to prevent lockouts
Miscellaneous
- Custom Footer Text - Replace "Thank you for creating with WordPress"
- Hide WordPress Version - Remove version number from admin footer
- Live Preview - See footer changes in real-time
Hooks & Filters
For developers who want to extend or customize the plugin behavior.
Polanger core is currently maintained in a stability-first phase. New capabilities are expected to be delivered primarily via addons, while core updates focus on security, compatibility, and regression prevention.
Polanger Custom Developer Hooks
| Hook / Filter | Type | Description |
|---|---|---|
polanger_init |
Action | Extension API bootstrap for registering addon modules |
pdt_register_addons |
Filter | Inject or modify addon card definitions in Addons page |
pdt_active_addons |
Filter | Override active addon flags at runtime |
polanger_effective_settings |
Filter | Modify effective settings per module/context (multisite-aware) |
pdt_admin_menu_after_dashboard_center |
Action | Add submenu items between Dashboard Center and Settings |
pdt_menu_manager_after_header |
Action | Inject addon UI directly after Menu Manager header |
pdt_menu_manager_after_form |
Action | Inject addon UI directly after Menu Manager form |
polanger_admin_theme_assets |
Action | Enqueue admin theme CSS/JS for Polanger pages without core edits |
Menu Manager Hooks
| Hook | Priority | Description |
|---|---|---|
admin_menu |
9999 | Capture and modify menu items |
admin_init |
1 | URL access blocking |
menu_order |
- | Custom menu ordering |
Admin Bar Hooks
| Hook | Priority | Description |
|---|---|---|
admin_bar_menu |
999999 | Capture admin bar nodes |
wp_before_admin_bar_render |
1000-1002 | Apply customizations |
Login Page Hooks
| Hook | Description |
|---|---|
login_enqueue_scripts |
Load custom styles and scripts |
login_head |
Output custom CSS |
login_form |
Add reCAPTCHA to login form |
wp_authenticate_user |
Verify reCAPTCHA on login |
Database
The plugin stores settings in WordPress options and creates one custom table for activity logs.
Options
| Option Name | Description |
|---|---|
pdt_settings |
Main plugin settings |
pdt_menu_items |
Menu item configurations |
pdt_admin_bar_settings |
Admin bar settings |
pdt_login_page_settings |
Login page settings |
pdt_activity_log_settings |
Activity log settings |
pdt_dashboard_widgets_settings |
Dashboard widgets settings |
pdt_custom_admin_menus |
Custom Admin Menu Builder records |
pdt_active_addons |
Active addon flags for addon-managed modules |
pdt_network_active_addons |
Network-wide active addon flags for multisite networks |
polanger_network_settings |
Network defaults, lock policy, and override policy for Multisite Control |
polanger_site_override_settings |
Per-site override flags for Multisite Control |
pdt_design_settings |
Design System token settings and behavior flags |
pdt_design_css_meta |
Generated CSS metadata (hash, path, and URL) for Design System caching |
pdt_general_settings |
General/security settings |
Activity Log Table
Table name: {prefix}_pdt_admin_logs
CREATE TABLE {prefix}_pdt_admin_logs (
id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
user_id bigint(20) unsigned NOT NULL,
user_login varchar(60) NOT NULL,
action varchar(100) NOT NULL,
object_type varchar(50) DEFAULT NULL,
object_id bigint(20) unsigned DEFAULT NULL,
object_name varchar(255) DEFAULT NULL,
ip_address varchar(45) DEFAULT NULL,
user_agent varchar(255) DEFAULT NULL,
meta longtext DEFAULT NULL,
created_at datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (id),
KEY user_id (user_id),
KEY action (action),
KEY created_at (created_at)
);
Security
The plugin follows WordPress security best practices:
- Nonce Verification - All forms use WordPress nonces to prevent CSRF attacks
- Capability Checks - Only users with
manage_optionscan access the plugin - Input Sanitization - All user inputs are sanitized before storage
- Prepared Statements - Database queries use
$wpdb->prepare() - Super Admin Protection - Super Admin cannot be locked out of the plugin
- Read-Only Mode - Server-side enforcement prevents unauthorized changes
- GDPR Compliance - No sensitive data is logged, IP logging is optional
This plugin was designed with security as a primary concern. All features include safeguards to prevent accidental lockouts and unauthorized access.
Changelog
Version 1.5.3 Latest
- New: Frontend Content Visibility core module for posts, pages, and supported custom post types with role-based audience control, denied behavior routing, and discovery hiding for archives, REST API, and XML sitemaps
- Improved: Admin design system and user interface components enhanced for a better user experience.
- Improved: Mobile and responsive layouts optimized across various plugin screens.
- Improved: Enhanced security measures and hardening implemented for the Two-Factor Authentication (2FA) module.
- Improved: Translation catalogs and compiled language packs were refreshed for the current release across bundled locales
Version 1.5.2
- Improved: Menu Manager now captures late-registered and dynamically reordered top-level admin menus more reliably, fixing cases where some third-party plugin menus did not appear in the manager list
- Improved: Menu Manager list ordering now better mirrors the effective live WordPress sidebar order for plugins that reposition themselves through custom menu filters
- Improved: Design System was expanded into a richer WCAG-aware admin theming engine with semantic color tokens, advanced typography controls, and a live preview playground
- Improved: Design System presets were redesigned into curated professional themes, with stronger compatibility across admin menus, admin bar states, metaboxes, tables, widgets, and classic editor screens
- Improved: Design System Midnight compatibility was hardened for third-party admin UI, including low-contrast text recovery and dark dropdown/menu readability fixes that only activate for the Midnight preset
- Improved: Mobile admin usability refinements across settings layouts and action controls for better spacing, responsiveness, and alignment on smaller screens
Version 1.5.1
- Fixed: Resolved an issue where reCAPTCHA could fail to appear on the custom login page under certain configurations
- Improved: Better integration and compatibility between Authenticator App (TOTP) and reCAPTCHA verification flows
- Improved: Comment Guard reCAPTCHA integration is now more stable and reliable across comment submission scenarios
- Fixed: Resolved login page logo cropping issues on responsive and custom layout configurations
- Improved: On mobile devices, the login page language selector is now displayed inside a compact drawer for a cleaner layout
- New: Added option to completely disable the language switcher on the login page
Version 1.5.0
- New: Authenticator App (TOTP) addon – Google/Microsoft Authenticator support with multi-user architecture (per-user enrollment, profile page management, admin sees status only), mandatory enrollment flow for required roles, safe secret rotation with pending secret system (old authenticator keeps working until new verified), AES-256-CBC encryption, recovery keys with auto-regeneration on rotation, trusted device memory (30 days), email fallback, brute-force protection, and replay attack prevention
- New: reCAPTCHA addon – centralized Google reCAPTCHA v2/v3 key management; all reCAPTCHA configuration consolidated from multiple locations into one dedicated addon; supports login, registration, lost password, and comment forms; integrates seamlessly with Comment Security addon
- Improved: Design System – expanded color customization with Sidebar Background, Sidebar Text Color, Admin Bar Background, Admin Bar Text Color, Admin Bar Submenu Background, and Admin Bar Submenu Text Color options
- Improved: Design System color compatibility – enhanced contrast handling and readability corrections across admin UI components including postboxes, notices, tables, and form controls
- Improved: Menu Manager stability – resolved conflict issues with certain third-party plugins and themes that were causing menu rendering inconsistencies
- Improved: Mobile responsiveness – comprehensive layout and interaction improvements across all admin screens for better tablet and smartphone usability; improved touch targets, spacing, and navigation
- Fixed: 2FA settings form submission – resolved nested form issue that prevented Save Settings button from working when Authenticator addon was active
Version 1.4.3
- New: Comment Security Layer addon – multi-layer comment protection with honeypot trap, HMAC-signed timing tokens, per-IP flood control (per-minute and per-hour windows), keyword and URL blocklists, behavior scoring engine with configurable thresholds, and silent action modes (spam queue, trash, or silent drop)
- Improved: Login page design – refined mobile layout with corrected form card proportions, improved spacing around inputs and buttons on small screens, and more consistent hover and focus state rendering across breakpoints
- Improved: Login page background rendering – smoother gradient transitions and better full-coverage rendering for background images on narrow viewports; improved visual layering between background and form card
- Improved: Admin panel mobile responsiveness – layout and spacing adjustments across Settings, Addons, and Activity Log screens; better usability on tablet and mobile viewports with more appropriate touch target sizing
- Improved: Sub-tab settings saves – partial save operations now only process and re-validate the submitted field group, reducing redundant sanitization passes on every tab change
- Improved: Addon list layout – card grid now wraps and spaces more cleanly on narrow viewports with improved readability of addon status indicators on mobile
Version 1.4.2
- New: Multisite Control addon for network-wide defaults, lock policies, and site-level overrides
- New: Network-aware settings engine using effective settings filters across supported modules
- New: Network lock support for Menu Manager, Admin Bar, Login Security, Activity Log, and Dashboard Center
- New: Site override status controls and network-managed module notices
- Improved: Addon activation flow with optional network-wide active addon support
- Improved: 2FA login session handling now respects the original Remember Me preference during verification
- Improved: 2FA resend verification flow hardened with nonce-protected requests and stricter token validation
- Improved: 2FA verification flow now includes stronger user/session guard checks to reduce edge-case failures
- Improved: 2FA trusted device and security logging IP resolution strengthened with trusted-proxy aware validation
- Improved: 2FA email delivery failure behavior is now configurable with secure-by-default login handling
- New: Design System addon scaffold with token-based settings, preset support, and generated CSS output
- Improved: Addon-first theming extensibility via
polanger_admin_theme_assetsfor clean admin UI customization without core CSS overrides
Version 1.4.1
- Improved: Activity Log export flow (CSV/JSON) output handling on Settings page for more consistent downloads
- Improved: Settings export callback visibility and
admin_initlifecycle compatibility - Improved: Activity Log query hardening with validated table-name usage and allowlisted
ORDER BYhandling - Improved: 2FA verification comparison updated with timing-safe hash validation (
hash_equals) - Improved: Activity Log IP resolution now prefers
REMOTE_ADDRand supports trusted-proxy based forwarded-header parsing - Improved: Settings input validation for
allowed_userswith strict array-type guards before normalization
Version 1.4.0
- Major update: All premium features are now available for free
- New: Full Admin Suite experience (menu, login, security, dashboard, activity log)
- New: Custom Admin Menu Builder
- New: Role-based access control improvements
- Improved: UI/UX across all modules
- Improved: Performance and stability
- Improved: Security layers and validation
- Fixed: Minor bugs and edge cases
Comment Security
Comment Security is a layered protection addon for the WordPress comment system. Its job is simple: let normal visitors leave comments as usual, but make automated spam bots, repeated flood attempts, suspicious links, and blocked keywords much harder to get through.
The addon does not rely on just one rule. Instead, it combines several small checks that work together. A comment can be inspected for bot behavior, submission speed, repeated attempts, suspicious content, blocked words, blocked domains, and final risk score. This means you are not betting your entire protection on only one trick such as a honeypot or only one filter such as a keyword list.
For most site owners, the easiest way to use this addon is to enable it and choose a mode such as Light, Balanced, or Strict. After that, you only add your own blocked words or blocked domains when needed. Advanced settings are there for site owners who want tighter control, but you do not need to understand every number on day one to get value from the addon.
When someone submits a comment, the addon first checks whether the comment form contains the protection fields added by the addon. If it does, the bot checks run. Then the addon checks how fast the comment was submitted, whether the hidden trap field was touched, whether the same visitor is posting too often, whether the content contains blocked words or blocked domains, and finally decides whether to allow the comment, send it to spam, move it to trash, or silently drop it.
General
The General tab controls the overall on/off state of the addon and a few important global behaviors. This is the best place to start if you are setting up the addon for the first time.
Bot Protection
The Bot Protection tab focuses on low-friction defenses that work without forcing the visitor to solve a challenge. These checks try to detect behavior that looks automated rather than human.
url2orhomepage_altmakes it harder for basic spam scripts to identify and skip the trap field. You usually only change this if you want a custom disguise.Rate Limiting
The Rate Limiting tab controls how many comments the same visitor can try to send in a short period. This is very useful against burst spam, repeated abuse, and comment-flood attacks.
Content Rules
The Content Rules tab checks what is inside the comment itself. This is where you define what kind of text, links, words, or domains you do not want to allow.
spamdomain.com. If a comment contains a URL from one of those domains, the addon blocks it according to your configured action.Silent Mode
The Silent Mode tab decides what the addon should do after a comment is judged suspicious enough to stop. This is where you choose the final action.
Logs & Statistics
The Logs & Statistics tab helps you understand what the addon has been doing in the background. If you want proof that protection is working, this tab matters a lot.
If you are not sure where to begin, enable Comment Security, choose Balanced mode, keep logging enabled, and then add your own blocked words and blocked domains over time. This setup gives most WordPress sites strong protection without becoming too aggressive for normal visitors.