Best Perfex & RISE CRM Security Modules
A self-hosted CRM puts your whole pipeline - clients, leads, invoices, contracts - behind a single staff login page that faces the open internet. That login is the part automated attacks go after first: bots hammer it with credential lists around the clock, and the CRM core leaves the lockouts, IP blocking and session rules for you to add. The two toolsets in this guide close that gap, one for each platform.
PerfShield is the security toolset for Perfex CRM, and RiseGuard is its sibling for RISE CRM. They are built around the same idea - stop brute-force attacks at the sign-in screen, block hostile IPs before they ever reach the form, and tighten control over who stays logged in - so the right pick is decided almost entirely by which CRM you run. Both install from the modules/plugins screen in a couple of minutes and are configured from a single settings panel inside the CRM.
Most important, though, is that no single module makes a server secure on its own. A login-hardening module is one layer of a defence-in-depth setup; the section below on hardening a self-hosted CRM covers the other layers - HTTPS, backups, updates, least-privilege accounts and server-level controls - that have to be in place around it for any of this to hold up.
-
PerfShield hardens Perfex CRM where it is weakest - the staff login. You set how many failed attempts trigger a lockout, how long it lasts, and how repeat offenders get escalated to a multi-hour ban, with an optional admin email once an account has been locked. Beyond brute-force defence it adds a searchable, exportable blacklist for IP addresses, IP ranges and emails, login-expiry dates for contractor and temporary accounts (via the Perfex cron), single-session enforcement to kill shared-credential use, a foreign-IP login alert and an idle-session timeout - all gated behind its own staff-permissions layer. Requires Perfex CRM 3.0 or later.
Best for: Anyone running Perfex CRM who wants login brute-force protection and IP control.
-
RiseGuard brings the same hardening to RISE CRM and adds proper audit logging on top. The configurable brute-force defence covers max retries, lockout time, max lockouts before an extended lockout, reset-retry limits and email-notification throttling so an attacker cannot flood your password-reset mailer, plus an inactivity timeout and a new-IP login alert. You also get IP/range/email blacklisting, per-staff login expiry and single-session control. Its standout is a detailed log of every failed login - email used, IP, failed-attempt and lockout counts, and enriched context like country, ISP and whether the attempt came from a mobile device - which you can export for reporting.
Best for: RISE CRM admins who want login hardening plus exportable failed-login audit logs.
| Module | Platform | Standard | Rating | Best for |
|---|---|---|---|---|
| PerfShield | CodeIgniter | $69 on CC | ★ 4.90 | Anyone running Perfex CRM who wants login brute-force protection and IP control. |
| RiseGuard | CodeIgniter | $69 on CC | ★ 4.80 | RISE CRM admins who want login hardening plus exportable failed-login audit logs. |
The verdict
There is no head-to-head here because the choice is made by your stack: run Perfex CRM and PerfShield is the toolset; run RISE CRM and RiseGuard is. Both shut down the brute-force attacks that target the staff login, block hostile IPs and ranges before they reach the form, and give you login expiry and single-session control to manage who stays signed in - with RiseGuard adding exportable failed-login audit logs and PerfShield adding foreign-IP alerts. Install the one for your CRM, then put the wider hardening checklist above around it - HTTPS, patches, least-privilege accounts and tested backups - so the login layer is reinforcing a server that is already locked down rather than standing alone.
Questions, answered
What is the difference between PerfShield and RiseGuard?
They are sibling security toolsets built for different CRMs. PerfShield is for Perfex CRM; RiseGuard is for RISE CRM. Both add staff-login brute-force protection, IP/range/email blacklisting, login expiry and single-session control. RiseGuard additionally keeps a detailed, exportable audit log of failed login attempts with country and ISP context, while PerfShield adds a foreign-IP login alert. Pick the one that matches your CRM - they are not interchangeable.
How do these modules stop Perfex or RISE CRM brute-force login attacks?
Each enforces rules you set on the staff login: a maximum number of failed attempts before the account is locked, a lockout duration, and an escalating extended lockout for repeat offenders, with a window after which the failed-attempt counter resets. You can also have an administrator emailed once an account has been locked. Together that turns an unlimited guessing game into a few attempts followed by a growing ban.
How do I harden a self-hosted Perfex or RISE CRM beyond a login module?
Treat the login module as one layer of several. Serve the CRM only over HTTPS and force it; keep the CRM core, PHP and the server OS patched; use strong, unique passwords and remove or expire accounts the moment people leave (login-expiry handles temporary staff automatically). Take regular off-site backups and test that they restore. Restrict admin access by IP where you can, lock down file permissions, and keep the database off the public internet. Enable single-session to stop shared logins, watch the audit/login logs for unusual IPs or countries, and grant each staff member only the permissions they actually need. The module hardens the front door - these steps secure the rest of the house.
Do PerfShield and RiseGuard have any special server requirements?
Both install in a couple of minutes and need PHP's allow_url_fopen directive set to ON, which most hosts already enable by default. PerfShield additionally requires Perfex CRM core version 3.0 or later, and its login-expiry feature relies on the Perfex cron job being set up.
Browse the full Themesic catalogue
Every module sold direct - lifetime updates, real developer support, and full source code. Cheaper than the marketplace, with no middleman cut.