Strong and Flexible Access, User Action, API and Role Protection

Adds several layers of security to restrict access to common hacking attack vectors.

Tokenized Protection

Easily reduce Brute Force Password attacks, SPAM Comments, Fake User Registrations and Sploggers! Adds a dynamic Javascript Token field to all common user action forms: Login, Registration (plus BuddyPress Registration), Blog Signup (Multisite only), Lost Password and Commenting.

Since the majority of bots do not have the capacity to recognize or handle javascript fields, their attempts at access via these actions are instantly blocked - with repeat offender getting IP banned from further attempts. This gives seamless and invisible protection (without an annoying ReCaptcha field.)

Login Role Protection

A last line of defense against hackers who have managed to "somehow" create their own administrator account! Automatically block, notify by email, revoke role and/or demote to subscriber any "administrator" account that logs in who is not in an explicit whitelist of verified administrator usernames. Goodbye escalated privelage attack! (The same settings are also available for the Super Admin role for Multisite installs.)

API Protection

Adds several ways to restrict access to XML RPC and REST API features. While these can be disabled, there are several other options provided to severely limit bot and other unauthorized access while still being able to use these features as intended! Part of the aim of this plugin is to make these options available for everyone without needing to code them: Multiple request slowdown, disable XML RPC logins, logged in access only, restrict access to specified user roles, and require secure connection.

Behavioural Protection

ForceField also records access to user actions missing referer headers, missing or bad tokens, and other bad behaviours in a custom table. Reaching transgression limits for any specific action results in an IP ban. Transgression occurences are reduced via cooldown over time, with old records expired and later deleted (with intervals adjustable.) This process keeps protection high for fresh attacks while keeping the database free of old record bloat. Also gives the option to output a form to banned IPs so users can unblock themselves manually in case of false positives (and so you don't lock yourself out of your site!)

Vulnerability Check

Checks your installed core, plugins and themes for known vulnerabilities and sends email alerts on new vulnerabilities found.


  • updated WordQuest Helper library to 1.7.4
  • added vulnerability checker for core, plugins and themes!
  • use do_actions to allow adding extra admin interfaces
  • use apply_filters for filtering whitelist / blacklist
  • honour FORCEFIELD_REQUIRE_SSL constant override
  • fix to reset input type to button so enter submits


  • fix to transgression record check
  • fix for possible empty referrer global
  • fix to default limit settings
  • fix to function names for signup and lostpass token fields
  • fix to remove unchecked API role restrictions
  • update plugin loader class 1.0.6 for multiple alert emails
  • change single alert email setting type to allow multiple
  • removed REST API prefix change option (better hard-coded)


  • Updated to use Plugin Loader Class
  • Disabled Plugin/Theme Updates sections
  • maybe transfer old Settings from settings key
  • moved Role Protect options to separate tab
  • allow for auto-pass/auto-fail limit values
  • added filters for contexts/intervals/expiries
  • added nonce field to user IP unblock form
  • fix to IP blocklist display query arguments


  • Added BuddyPress registration token field
  • Fix multiple undefined function forcefield_record_ip
  • Fix record retrieval by reason without specific IP
  • Removed auto-update features for retesting


  • Better localhost Detection for Local Usage
  • Auto-Refresh Tokens according to Expiry Time
  • Added Context-specific Token Expiry Time Filter
  • Added Option to Auto-update Inactive Plugins
  • Added Option to Auto-update Inactive Themes
  • Added Option to Auto-update this Plugin


  • Dynamically add token input field to forms
  • Added obfuscation of javascript token value


  • Single Global Plugin Settings Array
  • Improved Blacklist / Whitelist Checking
  • IP 4 Range Support for Blacklist / Whitelist
  • Added calls for possible Pro features


  • Added IP Table Recording with Transgression Limits
  • Added Restrict API Access by Role Option
  • Added Simple IP Blacklist / Whitelist
  • Added Settings Reset to Default Button
  • Standardized User Action Tokenizer Logic


  • Development Version
  • Javascript Tokenizer Engine
  • Plugin Admin Options

  1. Upload via the Wordpress plugin installer.
  2. Activate the plugin through the 'Plugins' menu in WordPress.
  3. Access the Plugin Settings via the WordQuest -> ForceField menu


Please Login or Register to Download this Plugin.
Log In

Leave a Reply

Your email address will not be published. Required fields are marked *