"Administrator is a role, not a throne." AGPLv3+ β Open Source. Built for sites that will be compromised eventually.
This project is a Proof of Concept (PoC) and part of ongoing research and development at VisionGaia Technology. It is not a certified or production-ready product.
Use at your own risk. The software may contain security vulnerabilities, bugs, or unexpected behavior. It may break your environment if misconfigured or used improperly.
Do not deploy in critical production environments without thorough code review. Throne Guard modifies WordPress capability assignments β if you lock yourself out of the Master role without recording your Superkey, recovery requires direct database access.
Found a vulnerability or have an improvement? Open an issue or contact us.
- Pre-Flight WAF: Scoped to admin and MCP routes only β no more collateral damage in frontend uploads
- Upload Jail:
.htaccessnow uses append-with-markers instead of overwrite β preserves existing custom rules (CDN, WebP, rewrites) - Session Gating: Ephemeral server-side token validation with strict
hash_equalscomparison β immune to client-side cookie manipulation - Exception Hierarchy:
ValidationException/SecurityException/StorageExceptionwith asymmetric client/log messaging β users never see internal details - CSRF Tokens: Single-use
bin2hex(random_bytes(32))tokens on top of WordPress nonces for all state-changing operations
Throne Guard is a WordPress hardening plugin that removes the most dangerous capabilities from the Administrator role and places them behind a separate Master role gated by a Superkey.
It is built on a single premise: in 9 out of 10 WordPress compromises, the attacker ends up with Administrator access. Vulnerable plugins, phished passwords, stolen session cookies β the Administrator account is the pivot point of almost every real-world WordPress hack.
Throne Guard assumes the Administrator will be compromised and makes sure that even then, the attacker cannot install plugins, switch themes, create users, or deactivate Throne Guard itself.
Traditional WordPress Hardening:
β 2FA on admin login β prevents credential theft
β Login rate limiting β slows brute force
β IP whitelisting β limits attack surface
β Still: Admin compromise = full site compromise
Throne Guard Approach:
β Admin β God β strip toxic capabilities
β Separate Master role β elevated functions isolated
β Superkey gate β bcrypt-hashed, never in session
β Plugin stealth β Throne Guard invisible to Admins
β Deactivation guard β cannot be disabled without Master
Incoming Admin Request
β
Pre-Flight WAF (Upload Inspection)
β Toxic extensions (.php, .phar, .phtml, .pht...) blocked at MS 0
β Scoped to admin routes β zero frontend collateral damage
β Double-extension detection (shell.phar.jpg)
β
Backend Lock (Zero-Trust Session Gating)
β Master-capability check
β Ephemeral token + server-side meta validation
β 2-hour expiration enforced server-side
β AJAX routes gated separately (no bypass)
β
CSRF + Nonce Double Layer
β WordPress nonce (action-scoped)
β Single-use CSRF token from user meta
β Both required for all state changes
β
Capability Enforcement
β Administrator: stripped of toxic capabilities
β Master: full control, gated by Superkey
β editable_roles filter: non-Masters cannot promote to Master
β all_plugins filter: Throne Guard invisible to non-Masters
β
Upload Jail (Auto-Healed)
β wp-content/uploads/.htaccess maintained on every dashboard load
β Append-with-markers β preserves existing custom rules
β PHP execution disabled at webserver level
β
Secure Vault Upload
β MIME + magic byte + IMAGETYPE triple-check
β GD re-encoding β all metadata and payloads stripped
β 0600 permissions + 0700 directory + realpath jail
β Cryptographically random filenames
Strips toxic capabilities from the Administrator role. Configurable via dashboard, enforced at WordPress capability level. Requires Superkey confirmation for every change.
| Capability | Risk if Retained | Default |
|---|---|---|
activate_plugins |
Install backdoor plugins | Stripped |
delete_plugins |
Remove security plugins | Stripped |
install_plugins |
Upload malicious plugins | Stripped |
edit_plugins |
Inject code into existing plugins | Stripped |
update_plugins |
Downgrade to vulnerable versions | Stripped |
switch_themes |
Activate malicious themes | Stripped |
edit_themes |
Inject code into themes | Stripped |
install_themes |
Upload malicious themes | Stripped |
delete_themes |
Remove legitimate themes | Stripped |
update_themes |
Downgrade to vulnerable versions | Stripped |
edit_users |
Change other users' passwords/roles | Stripped |
delete_users |
Remove legitimate admins | Stripped |
create_users |
Create persistent backdoor accounts | Stripped |
promote_users |
Elevate accounts to admin | Stripped |
All capabilities are re-assignable to Administrator via the dashboard, provided the Superkey is presented.
Zero-trust session gating for the Master role.
| Feature | Detail |
|---|---|
| Storage | password_hash() with PASSWORD_DEFAULT (bcrypt) |
| Verification | password_verify() β timing-safe |
| Minimum Length | 12 characters |
| Session Token | Ephemeral: expiration|bin2hex(random_bytes(32)) |
| Server Binding | Identical string stored in user meta and cookie β client-side manipulation immediately detectable |
| Validation | hash_equals() strict comparison β timing-attack resistant |
| Expiration | 2 hours, server-side enforced via meta timestamp |
| Cookie Flags | httponly, secure, samesite=Strict |
| Cleanup | Session meta auto-deleted on clear_auth_cookie hook |
| Anti-Bruteforce | sleep(2) penalty on failed Superkey attempts |
Recovery if Superkey is lost:
DELETE FROM wp_options WHERE option_name = 'mcp_superkey_hash';Direct database access required. No email recovery, no security questions. By design.
Intercepts toxic file uploads before WordPress processes them.
| Feature | Detail |
|---|---|
| Scope | is_admin() or MCP action routes only β no frontend impact |
| Detection | Extension allowlist + regex double-extension check |
| Blocked Extensions | .php, .phtml, .phar, .shtml, .php3β.php8, .pht, .cgi, .pl, .asp, .aspx, .jsp |
| Double-Extension | shell.phar.jpg β blocked via regex pattern against any toxic extension in the filename |
| Response | HTTP 403 + immediate die() β no WordPress processing whatsoever |
| Logging | All interceptions written to error_log with filename |
Auto-maintained .htaccess in wp-content/uploads/ to disable PHP execution at the webserver level.
# BEGIN VGT REDTEAM
<FilesMatch "\.(?i:php|phtml|phar|shtml|php3|php4|php5|pht|cgi|pl|asp|aspx|jsp)">
Require all denied
Order allow,deny
Deny from all
</FilesMatch>
<IfModule mod_php.c>
php_flag engine off
</IfModule>
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php8.c>
php_flag engine off
</IfModule>
# END VGT REDTEAMSelf-healing: Re-applied on every dashboard load if markers are missing or tampered with.
Coexistence: Appended using # BEGIN / # END markers β preserves existing custom rules (CDN, WebP, redirects).
Nginx/Caddy fallback: index.php injected into vault directory to prevent directory listing.
Jailed, re-encoded image uploads with aggressive payload stripping. Accessible only to Master users.
| Stage | Check |
|---|---|
| 1. MIME Check | finfo binary inspection |
| 2. Magic Byte Check | getimagesize() type verification |
| 3. Cross-Validation | MIME type β IMAGETYPE_* constant match β polyglot vectors blocked |
| 4. Memory Budget | Pre-calculated image memory requirement vs. PHP memory_limit |
| 5. Re-Encoding | GD imagecreatefrom* β image*() β all EXIF metadata and embedded payloads stripped |
| 6. Filesystem Jail | realpath validation, 0700 directory, 0600 file permissions |
| 7. Filename | bin2hex(random_bytes(16)) β original filename discarded entirely |
Allowed formats: JPEG, PNG, WebP, GIF Max file size: 5MB
Throne Guard actively conceals itself from unauthorized users:
- Invisible to Administrators:
all_pluginsfilter removes Throne Guard from the plugin list for any user withoutmcp_master_access - Deactivation blocked: The
deactivate_pluginhook fireswp_die()with HTTP 403 for unauthorized deactivation attempts - Role hidden: The Master role is not visible in user edit forms for non-Master users via
editable_rolesfilter
An attacker with full Administrator access sees a WordPress installation with no Throne Guard present. They cannot deactivate what they cannot see.
Every state-changing operation requires both:
- WordPress nonce β action-scoped, time-limited (
wp_verify_nonce) - CSRF token β
bin2hex(random_bytes(32))stored in user meta, single-use, consumed on verify viadelete_user_meta
Both must validate. The CSRF token is deleted after a single successful verification β replay is impossible even within the nonce's validity window.
Strict Content-Security-Policy with per-request nonces injected on the frontend only (admin backend is exempt to avoid breaking WordPress core inline scripts):
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}';
style-src 'self' 'nonce-{random}'; object-src 'none';
base-uri 'self';
Frontend script output uses JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT encoding and DOM construction exclusively via document.createElement + textContent β no innerHTML.
Throne Guard uses a typed exception hierarchy with asymmetric error messaging:
| Exception | Visible to User | Logged |
|---|---|---|
ValidationException |
Full message shown verbatim | No |
SecurityException |
Generic "request rejected" message | Yes β full detail to error_log |
StorageException |
Generic "server error" message | Yes β full detail to error_log |
Internal error details never leak to the client. Users see only what is safe to expose.
Throne Guard is defense in depth. It does not replace existing security measures β it adds a layer that becomes relevant specifically when your other layers have failed.
| Threat | Mitigation |
|---|---|
| Admin credential theft β backdoor plugin install | Admin lacks install_plugins |
| Admin session hijack β theme code injection | Admin lacks edit_themes |
| Admin compromise β persistent backdoor account | Admin lacks create_users |
| Admin compromise β privilege escalation | Admin cannot see or promote to Master role |
| File upload β PHP execution in uploads directory | Pre-Flight WAF + Upload Jail |
| Attacker discovering security tooling | Throne Guard hidden from non-Masters |
| Attacker disabling security plugin | Deactivation blocked at hook level |
| Threat | Reason |
|---|---|
| Server-level RCE | WordPress capability checks are irrelevant once the attacker has shell |
| Direct database modification | wp_options write access bypasses all WordPress logic |
| Master user compromise | Master is the top of the chain β protect it with 2FA |
| Supply chain attacks against Throne Guard | Always verify the plugin checksum |
| WordPress core vulnerabilities | Keep WordPress updated |
# 1. Clone into WordPress plugins directory
cd /var/www/html/wp-content/plugins/
git clone https://github.com/visiongaiatechnology/throne-guard
# 2. Activate in WordPress Admin
# Plugins β Throne Guard β Activate
# The activating Administrator is automatically promoted to Master
# 3. Define Superkey
# Master User Control β Admin Neutering
# Enter a Superkey (min 12 characters) and save
# 4. Review and apply capability stripping
# Toggle which capabilities Administrator retains
# Confirm with SuperkeyOn first activation, Throne Guard automatically:
β Creates the Master role with full capabilities
β Promotes the activating Administrator to Master
β Initializes the capability database table (wp_mcp_user_roles)
β Seeds default role descriptions
β Deploys Upload Jail (.htaccess with BEGIN/END markers)
β Hides itself from non-Master plugin lists
β οΈ Critical: Record your Superkey somewhere safe before closing the dashboard. It is stored only as a bcrypt hash and cannot be recovered through WordPress.
| Component | Detail |
|---|---|
| PHP | 8.1+ (uses match expressions, throw expressions, str_starts_with) |
| WordPress | 6.0+ |
| Webserver | Apache with mod_rewrite (auto) Β· Nginx (manual rule translation required) Β· LiteSpeed |
| Multisite | Not tested β single-site installations only |
| Page Builders | Compatible β no DOM or header interference on frontend |
| Other Security Plugins | Compatible β Throne Guard operates at the capability layer, not the request layer |
- Anti-Bruteforce uses
sleep(2)on failed Superkey attempts. Under concentrated attack on PHP-FPM with limited workers, this is a potential self-DoS vector. Transient-based rate limiting planned for V2.5.2. - Multisite not tested. The capability model on WordPress multisite differs significantly β single-site installations only.
- Server-level compromise bypasses Throne Guard. WordPress capability checks are meaningless once an attacker has shell access.
- Lost Superkey requires database access. No email recovery, no alternative. By design β no recovery path means no recovery attack surface.
| Test | Steps | Expected Result |
|---|---|---|
| Capability stripping | Log in as Administrator after applying Admin Neutering | Plugins/Themes/Users menus absent or read-only |
| Master gate | Log out of Master session, access admin | Lock screen rendered, dashboard inaccessible |
| Plugin stealth | Log in as Administrator, check plugin list | Throne Guard absent from list |
| Deactivation guard | As Administrator, attempt deactivation via WP-CLI | HTTP 403 response |
| Upload WAF | Upload shell.php, shell.phar.jpg, shell.phtml via admin uploader |
All blocked with 403 |
| Upload Jail | Place .php file in wp-content/uploads/, access via browser |
403 response |
| Superkey brute force | Attempt 5 wrong Superkeys | Each attempt delayed 2 seconds |
| Session expiry | Unlock Master session, wait 2 hours + 1 minute | Session re-locked automatically |
| Method | Address |
|---|---|
| PayPal | paypal.me/dergoldenelotus |
| Bitcoin | bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm |
| ETH | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
| USDT (ERC-20) | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
| Tool | Type | Purpose |
|---|---|---|
| π° Throne Guard | WordPress Hardening | Admin capability isolation β you are here |
| βοΈ VGT Sentinel CE | WAF / IDS Framework | Zero-Trust request inspection, WAF, integrity monitoring |
| π‘οΈ VGT Myrmidon | ZTNA | Zero Trust device registry and cryptographic integrity verification |
| β‘ VGT Auto-Punisher | IDS | L4+L7 Hybrid IDS β attackers terminated before they even knock |
| π VGT Dattrack | Analytics | Sovereign analytics engine β your data, your server, no third parties |
| π VGT Global Threat Sync | Preventive | Daily threat feed β block known attackers before they arrive |
Pull requests are welcome. For major changes, open an issue first to discuss the direction.
Security issues: Please email rather than opening a public issue.
Licensed under GPLv2+ β the same license as WordPress itself. Fork it, modify it, ship it.
VisionGaia Technology builds security infrastructure for operators who assume compromise.
"Throne Guard was built because WordPress Administrator is a role with too much power and too little friction. The default role model was designed for 2003, when WordPress was a blog engine. In 2026, it is the pivot point of every real-world WordPress hack. Throne Guard fixes that at the capability level."
Version 2.5.1 β Throne Guard // Admin Capability Isolation // Zero-Trust Session Gating // Defense in Depth // AGPLv3+