When enabled, a WordPress init hook (priority 1) intercepts requests to your chosen secret slug and serves the login form transparently — no redirect, no URL change, the form just loads. Direct requests to /wp-login.php return a clean 404. All internal WordPress links (password reset emails, logout URLs) automatically update to use your secret URL.

Setup takes 30 seconds:

1. Toggle Enable Hide Login on.
2. Enter your secret slug (e.g. team-portal). Avoid login, admin, or dashboard — bots know those too.
3. Click Save and bookmark the new URL immediately.
4. If you ever lose the URL: wp option get csdt_devtools_login_slug via WP-CLI will retrieve it.

What stays unaffected: WP-CLI, XML-RPC, REST API, and WP Cron all bypass the login URL check entirely — nothing breaks.

Three methods, one plugin:

• Email OTP — a 6-digit code sent to the user’s email after login. No app needed. Code expires in 10 minutes. Best for non-technical users.
• Authenticator app (TOTP) — standard RFC 6238 algorithm. Works with Google Authenticator, Authy, 1Password, Bitwarden, or any TOTP app. Generates a new code every 30 seconds, works offline, immune to email interception.
• Passkey (WebAuthn) — replaces the code prompt with Face ID, Touch ID, Windows Hello, or a hardware security key. The fastest and most phishing-resistant option available. See the Passkeys section below.

Admin enforcement: Enable Force 2FA for administrators and any admin who hasn’t configured their second factor gets blocked at the dashboard until they do — they can’t skip it. A configurable grace period lets existing admins set up 2FA before enforcement kicks in.

Brute-Force Protection is built into the same tab: lock accounts after N failed attempts (default: 5 attempts, 5-minute lockout). Both thresholds are yours to configure.

Session Duration lets you override WordPress’s default session length. When set, persistent cookies keep sessions alive across browser closes — useful for teams who find constant re-authentication disruptive.

How it works: When you register a passkey, your device generates a public/private key pair. The private key never leaves your device. At login, your server sends a random challenge; your device signs it with the private key; the server verifies the signature against your stored public key. No secret is ever transmitted over the network.

Supported authenticators: Face ID (iPhone, iPad, Mac), Touch ID (MacBook), Windows Hello (fingerprint, face, PIN), Android biometrics, and hardware security keys (YubiKey 5 series, Google Titan, etc.).

Registering a passkey:

1. Click + Add Passkey and give it a label (e.g. “iPhone 16 Pro”, “YubiKey”).
2. Click Register — your browser prompts for biometric confirmation or hardware key tap.
3. The passkey is saved to your account. Register one per device you log in from.

Browser support: Chrome 108+, Safari 16+, Edge 108+, Firefox 122+. If a browser doesn’t support passkeys, the login flow falls back to email OTP automatically — no user is ever locked out.

Standard Scan audits WordPress core settings, active plugins and themes, user accounts, file permissions, and wp-config.php hardening constants. The AI scores each finding Critical / High / Medium / Low and gives you specific steps to fix it — not generic advice, but instructions for your exact configuration.

Deep Dive Scan adds live probes your site’s security team would run manually:

• Static PHP code analysis of every active plugin — flags eval(), shell execution functions, code obfuscation, and suspicious patterns that malware authors use
• Live HTTP probes — open directory listing, weak TLS (SSLv3, TLS 1.0), CORS misconfigurations, server version header leaks
• DNS security checks — SPF strictness, DMARC policy strength, DKIM probes (skipped entirely for domains with no MX records — no false positives for non-email sites)
• CSP quality analysis — flags unsafe-inline, unsafe-eval, wildcard sources, and missing directives in your Content Security Policy
• AI Code Triage — the 10 highest-risk static findings are sent to the AI with surrounding code context; each is classified as Confirmed Threat / False Positive / Needs Review before the main audit runs

Quick Fixes appear above the scan results — one-click remediations for the most common misconfigurations. Each shows green (done) or amber (needs attention) at a glance.

Scheduled Scans run automatically on a daily or weekly schedule with email alerts when new issues are found — so you know about problems before your users or Google do.

AI Providers — your choice:

• Anthropic Claude (recommended for depth) — console.anthropic.com/settings/keys. Models: claude-sonnet-4-6 (fast) · claude-opus-4-7 (most thorough)
• Google Gemini (free tier, no credit card) — aistudio.google.com/app/apikey. Models: gemini-2.0-flash (free) · gemini-2.5-pro (most capable)

The Code Block is a native Gutenberg block (cloudscale/code) and a [cs_code] shortcode. It works everywhere WordPress renders content.

190+ languages with auto-detection. CloudScale detects the language automatically from the code content. Override it manually in the block sidebar when detection picks the wrong one.

14 professional colour themes — Atom One Dark/Light, GitHub, Monokai, Nord, Dracula, Tokyo Night, VS Code, VS 2015, Stack Overflow, Night Owl, Gruvbox, Solarized, Panda, Shades of Purple. A toggle button switches between dark and light variants, storing the preference in localStorage so it follows the reader across pages.

Copy to clipboard — one click. Line numbers are rendered via CSS counter so they are never included when someone copies the code.

INI/TOML auto-repair — Gutenberg breaks INI and TOML files at bare [section] headers by treating them as block delimiters. CloudScale detects this silently and reassembles the fragments, showing a brief toast so you know it happened.

The Migrator scans your database for posts and pages using any supported legacy format, shows you a precise before/after diff, and converts them all to CloudScale blocks in a single operation.

Supported source formats:

• WordPress core <!-- wp:code --> and <!-- wp:preformatted --> blocks
• Code Syntax Block plugin (<!-- wp:code-syntax-block/code -->)
• Legacy shortcodes: [code], [sourcecode], and common variants

Workflow:

1. Scan — finds every post and page with supported blocks. Shows title, status, date, and block count.
2. Preview — shows the exact before/after content diff per post. Nothing is written to the database at this stage.
3. Migrate — convert one post at a time, or migrate everything in a single click.

⚠ The migrator writes directly to post_content. Always take a database backup first — use the CloudScale Backup & Restore plugin for a one-click snapshot before you begin.

Read-only enforcement: Every query passes through is_safe_query() which strips comments, rejects semicolons (blocking statement stacking), blocks INTO OUTFILE and LOAD_FILE, and only permits SELECT, SHOW, DESCRIBE, EXPLAIN. Even if an administrator tries to run a destructive query, it is rejected before reaching the database.

14 built-in quick queries cover the most common diagnostic tasks without writing a single line of SQL:

• Health & Diagnostics — database status, site options, table sizes and row counts
• Content Summary — posts by type and status, latest published content
• Bloat & Cleanup — orphaned postmeta, expired transients, revisions, largest autoloaded options (the most common cause of slow WordPress admin)
• URL & Migration Helpers — HTTP references (for HTTP→HTTPS migrations), posts with old IP references, posts missing meta descriptions

Keyboard shortcuts: Enter or Ctrl+Enter runs the query. Shift+Enter inserts a newline for multi-line queries.

All your log sources in one place: The source picker lists every available log file with a live status indicator (readable, not found, permission denied, or empty). Switch between PHP error log, WordPress debug log, and web server access/error logs with a single click.

Live search filters entries as you type with highlighted matches — essential for finding a specific error in a log with thousands of lines.

Severity filter narrows results to Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug. Cuts through noise on busy production sites where Info and Debug lines dominate.

Auto-refresh tail mode polls for new entries every 30 seconds. Reproduce a bug in one browser tab while watching the log update in real time in another — the fastest way to trace an intermittent error.

Custom log paths — add any file path (Nginx error log, a custom application log, a cron output file). Paths persist across sessions.

One-click PHP error logging setup — if PHP error logging isn’t configured on the server, a button writes the required php.ini directives automatically. No server configuration knowledge required.