StageGuard is a WordPress plugin designed to clearly indicate and manage a staging environment. It provides various features to protect your staging site, prevent accidental emails, and manage plugin activations.
- Displays a prominent message in the admin panel and on the frontend indicating a staging environment - only if WooCommerce is not installed
- Automatically deactivates specific plugins on staging environments
- Prevents activation of certain plugins and provides a custom error message
- Activates Coming Soon mode for WooCommerce (if installed)
- Modifies search engine visibility settings
- Provides password protection for the staging site (redirects to WordPress login)
- Advanced IP restriction with multiple formats:
- Individual IP addresses (e.g.,
192.168.1.1) - CIDR notation for IP ranges (e.g.,
192.168.1.0/24) - IP address ranges (e.g.,
192.168.1.1-192.168.1.10) - Supports both IPv4 and IPv6
- Automatic localhost whitelisting for safety
- Smart proxy header detection (X-Forwarded-For, X-Real-IP)
- Individual IP addresses (e.g.,
- Filters robots.txt to discourage search engine indexing (no physical file modification)
- Catches and logs emails sent from the staging environment
- Includes WP-CLI commands for managing the plugin
- Clean, modular architecture with separated concerns
StageGuard will deactivate the following plugins:
- BunnyCDN
- Redis Cache
- Google Listings and Ads
- Metorik Helper
- Order Sync with Zendesk for WooCommerce
- Redis Object Cache
- RunCloud Hub
- Site Kit by Google
- Super Page Cache for Cloudflare
- WooCommerce - ShipStation Integration
- WP OPcache
- Headers Security Advanced & HSTS WP
- WP-Rocket
- Tidio Chat
- LiteSpeed Cache
- WP Fastest Cache
- PhastPress
- W3 Total Cache
- WP Optimize
- Autoptimize
- NitroPack
- WP Sync DB
- WP Sync DB Media Files
- UpdraftPlus
- Mailchimp for WooCommerce
- Upload the
stageguardfolder to the/wp-content/plugins/directory. - Activate the plugin through the 'Plugins' menu in WordPress.
- Go to Settings > StageGuard to configure the plugin.
Navigate to Settings > StageGuard in your WordPress admin panel to configure:
Toggle WordPress debug mode on or off. When enabled, WP_DEBUG constant will be set to true in wp-config.php.
Enable to redirect non-logged-in users to the WordPress login page. This ensures only authenticated users can access the staging site.
Enable IP-based access control to restrict who can view the staging site.
Specify IP addresses that should have access to the staging site. Supports multiple formats:
- Individual IPs:
192.168.1.1(one per line) - CIDR Notation:
192.168.1.0/24(allows entire subnet) - IP Ranges:
192.168.1.1-192.168.1.10(allows range of IPs) - IPv6 Support:
2001:db8::1or2001:db8::/32
The system automatically whitelists 127.0.0.1 and ::1 (localhost) for safety. Your current IP address is displayed in the settings page for convenience.
You can view the StageGuard logs in two ways:
- Admin Interface: Go to Settings > StageGuard Logs in the WordPress admin area.
- WP-CLI: Use the command
wp stageguard show_logto view logs in the terminal.
StageGuard supports the following WP-CLI commands:
wp stageguard debug_mode <on|off>: Toggle debug mode on or off.wp stageguard show_log [--lines=<number>]: Display the StageGuard log. Use the--linesoption to specify the number of lines to show (default is 50).
StageGuard features a clean, modular architecture:
StageGuard/
├── stageguard.php # Main plugin file
└── includes/
├── class-stageguard-admin.php # Admin UI and settings
├── class-stageguard-security.php # Password & IP protection
└── class-stageguard-cli.php # WP-CLI commands
This separation of concerns makes the code:
- Easier to maintain and test
- More secure with focused responsibilities
- Simpler to extend with new features
If you're having issues with StageGuard, check the following:
- Logging Issues: Ensure that the web server has write permissions to the
wp-contentdirectory for logging. - Staging Indicator Not Showing: Check if your theme is properly loading the
wp_headaction. - Password Protection Not Working: Make sure you're not already logged in to WordPress. The protection only affects non-authenticated users.
- IP Restriction Issues:
- Verify your IP format is correct (use the formats shown in Configuration section)
- Check if you're behind a proxy - the plugin detects
X-Forwarded-Forheaders - Remember that
127.0.0.1and::1are always whitelisted
- robots.txt Not Updating: The plugin uses WordPress's virtual robots.txt. If you have a physical
robots.txtfile, it will take precedence. Delete the physical file to use the plugin's filter.
- WordPress: 6.4 or higher
- PHP: 8.0 or higher
- License: GPL-2.0-or-later
- Refactored plugin architecture with separated concerns
- Added advanced IP restriction with CIDR notation support
- Added IP range support (e.g., 192.168.1.1-192.168.1.10)
- Added IPv6 support for IP restrictions
- Improved robots.txt handling (filter-only, no file modification)
- Enhanced security with better input sanitization
- Smart proxy header detection for accurate IP identification
- Automatic localhost whitelisting
- Updated to Open-WP-Club ownership
- Improved code documentation and PHPDoc blocks
- Better error messages for access denied scenarios
- Initial release with basic staging protection features
- Plugin deactivation on staging
- Password protection and basic IP restriction
- Email catching and logging
- WP-CLI support
For support, please open an issue on the GitHub repository.
We welcome contributions! Please feel free to submit pull requests or open issues for bugs and feature requests.
Open-WP-Club
- Website: https://openwpclub.com
- GitHub: https://github.com/Open-WP-Club