Runtime

WordPress Plugin

A ready-to-install WordPress plugin ZIP is generated per license from Console → Deployment. The embedded agent.php is a clean, readable thin client that fetches encrypted engine logic from the cloud. The plugin also supports private auto-updates from your AuraGuardian platform (not WordPress.org).

Install

Download the plugin ZIP from Console → Deployment → WordPress.
WordPress Admin → Plugins → Add New → Upload Plugin.
Activate AuraGuardian.
Go to WP Admin sidebar → AuraGuardian → Settings.

Settings

Enabled: protects frontend requests (recommended enabled).
API Key (license key): stored in wp_options (treat as a password).
Protect wp-login.php: off by default to reduce lockout risk.
Only protect these paths: optional allow-list of protected routes.
Except these paths: recommended exclusions to prevent breakage.

Safe defaults

The plugin is intentionally conservative to avoid breaking admin / API / background contexts. It skips protection when any of these are true:

is_admin() (wp-admin)
REST_REQUEST, DOING_AJAX, DOING_CRON
WP_CLI

Default excluded paths: /wp-admin/*, /wp-login.php, /wp-json/*, /xmlrpc.php, /wp-cron.php

only_paths / except_paths

Use only_paths to start small (high-value endpoints first). Patterns are one per line:

/checkout
/account/*
/my-plugin/secure-endpoint

Enabling login protection increases the chance of admin lockouts (cookies, caching layers, security plugins). If you enable it, test in an incognito window and keep a server-side recovery path.

Operational notes

Challenge redirect uses opaque token flow when supported.
Behind proxies, ensure scheme/HTTPS is configured correctly (see Proxy & HTTPS).
For performance: avoid protecting static assets; prefer only_paths for expensive routes.