Peace Protocol

A decentralized way for WordPress admins to share peace, respect, and follow each other with cryptographic handshakes.

Updated December 17, 2025 (version 1.2.5) | How to install or update safely

The WordPress Peace Protocol makes it easy for WordPress webmasters (admins) to connect with other WordPress webmasters (admins). Although anything’s possible in the future, for now the focus is on admins connecting with each other. Or, you could look at it as each website shaking hands. This is not something for just any random user to use.

What’s the point? Think about this: You have a WordPress blog called My Life. Your friend has a WordPress blog called Turtles Rule. Now you can comment on each other’s blog posts as your respective sites and subscribe to each other’s RSS feeds, all with a few clicks. In other words, you:

  • Authenticate with your website, not yourself
  • Comment as your website
  • Subscribe to each other
  • Optional: submit to each other’s peace log (basically a guestbook)
  • If a rude site authenticates, you can ban them

Is it secure? Almost anything can be hacked, even the strongest government websites. But the plugin is secured as well as possible by:

Admin-Only Authentication

  • WordPress Administrators Only: This plugin is designed exclusively for WordPress site administrators
  • Site-Level Authentication: Admins authenticate as their website, not as individual users
  • No Public Registration: No public user registration system – only federated users created after secure handshakes
  • Cryptographic Tokens: Each site uses cryptographically secure tokens for authentication

Federated User System

  • Limited Permissions: Federated users can only comment on posts, no admin access
  • Automatic Cleanup: Federated users are removed when the plugin is uninstalled
  • Role-Based Security: Federated users have the federated_peer role with minimal capabilities
  • No Dashboard Access: Federated users cannot access WordPress admin areas

Token Security

  • Cryptographically Secure: Tokens are generated using WordPress’s secure password generator
  • Token Rotation: Support for multiple tokens with automatic rotation
  • Secure Storage: Tokens are stored securely in WordPress options
  • Expiring Authorization Codes: Authorization codes expire after 5 minutes
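
The sketch below is an added example, not Peace Protocol's own code: plain PHP showing one way to get the properties in the Token Security list (tokens from a CSPRNG, rotation that keeps more than one token valid, authorization codes that expire after 5 minutes). The function names, the two-token limit, single-use redemption, hashing codes at rest and the in-memory store are assumptions made for illustration.

```php
<?php
// Added illustration, not Peace Protocol's code; every name here is hypothetical.
const CODE_TTL = 300; // authorization codes expire after 5 minutes (from the page)

function new_secret(): string {
    return bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
}

// Rotation: newest token first, keep $keep tokens (assumed limit) so a peer
// still holding the previous token keeps working until the next rotation.
function rotate_tokens(array $tokens, int $keep = 2): array {
    array_unshift($tokens, new_secret());
    return array_slice($tokens, 0, $keep);
}

// Check every stored token with a constant-time compare and no early exit.
function token_is_valid(array $tokens, string $presented): bool {
    $ok = false;
    foreach ($tokens as $t) {
        $ok = hash_equals($t, $presented) || $ok;
    }
    return $ok;
}

// Keep only a SHA-256 of the code, bound to the site it was issued for.
function issue_code(array &$store, string $site, int $now): string {
    $code = new_secret();
    $store[hash('sha256', $code)] = ['site' => $site, 'exp' => $now + CODE_TTL];
    return $code;
}

// Single use (assumption): the entry is deleted on first lookup, valid or not.
function redeem_code(array &$store, string $code, string $site, int $now): bool {
    $key = hash('sha256', $code);
    if (!isset($store[$key])) { return false; }
    $entry = $store[$key];
    unset($store[$key]);
    return $now < $entry['exp'] && hash_equals($entry['site'], $site);
}

// Constructed demo values.
$tokens = rotate_tokens(rotate_tokens([]));
$old    = $tokens[1];
$tokens = rotate_tokens($tokens); // $old drops off the list here
$store  = [];
$site   = 'https://turtles-rule.example';
$code   = issue_code($store, $site, 1700000000);
var_dump(token_is_valid($tokens, $tokens[1]), token_is_valid($tokens, $old));
var_dump(redeem_code($store, $code, $site, 1700000299)); // inside the window
var_dump(redeem_code($store, $code, $site, 1700000299)); // replay of a used code
```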

I’ll be working on getting this added to the WordPress.org repository soon.

Here are some lovely screenshots:

  • The first step towards connecting with another WordPress website.
  • You automatically subscribe to the other site, but you can unsubscribe at any time.
  • Settings
  • Peace Log
  • Commenting as your website.

Changelog

December 17, 2025 – v1.2.5

  • Compatibility checks to ensure plugin works with WordPress 6.9

August 2, 2025 – v1.2.4

  • Code cleaning and added various WordPress security techniques

July 5, 2025 – v1.2.0

  • Added IndieAuth support
  • Minor bug fixes

June 29, 2025 – v1.1.3

  • Code cleanup; preparing for WordPress.org plugin directory inclusion

June 29, 2025 – v1.1.2

  • Fixed JavaScript bug
  • Disabled error logging used during initial development

June 29, 2025 – v1.1.1

  • Fixed bugs
  • Added user banning
  • Updated readme files to better explain the plugin

June 25, 2025 – v1.0.1

  • Initial release
Billy Wilcosky