[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuZKlQTPHjBmBUaJA2FnoiztivMK2LaNol69JiF-1yp4":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":18,"download_link":25,"security_score":26,"vuln_count":14,"unpatched_count":14,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":44,"crawl_stats":35,"alternatives":52,"analysis":163,"fingerprints":303},"authentication-and-xmlrpc-log-writer","Authentication and xmlrpc log writer","1.2.2","Federico Rota","https:\u002F\u002Fprofiles.wordpress.org\u002Fmrrotella\u002F","\u003Cp>This plugin writes the log of failed access attempts (brute force attack) and invalids pingbacks requests ( by xmlrpc.php ). Very useful to process data via fail2ban.\u003Cbr \u002F>\nYou can activate the log for each pingback request feature and stop the user enumeration method (by redirecting to the home) with log.\u003Cbr \u002F>\nIf activated it remove the wordpress version number and meta generator in the head section of your site.\u003Cbr \u002F>\nIf activated it disable xmlrpc methods that require authentication, in order to avoid brute force attack by xmlrpc. Use this feature if you don’t need these xmlrpc methods.\u003Cbr \u002F>\nIf activated can kill multiple requests in a single xmlrpc call returning a 401 code on xmlrpc login error. This feature may be useful to prevent server overloading on brute force attack by xmlrpc.\u003Cbr \u002F>\nYou can also view your CUSTOM error log in the admin panel.\u003C\u002Fp>\n\u003Ch4>You can write error by\u003C\u002Fh4>\n\u003Col>\n\u003Cli>SYSLOG\u003C\u002Fli>\n\u003Cli>APACHE ERROR_LOG\u003C\u002Fli>\n\u003Cli>CUSTOM a custom error log file (the used path need to be writable or APACHE ERROR LOG wil be used)\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Log examples\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>SYSLOG\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`\nDec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\nDec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\nDec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>APACHE\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`, referer: SITE_ADDRESS\u002Fwp-login.php\n[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS\u002Fxmlrpc.php\n[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS\u002Fxmlrpc.php\n[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>CUSTOM\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`\n[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>fail2ban configuration\u003C\u002Fh4>\n\u003Cp>See the FAQ section\u003C\u002Fp>\n\u003Ch4>Log viewer\u003C\u002Fh4>\n\u003Cp>Log viewer is available only in CUSTOM mode. Note: the log path and the file must exist.\u003C\u002Fp>\n\u003Ch4>Localization\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>English (default) – always included\u003C\u002Fli>\n\u003Cli>Italian – since 1.1.3 version\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>English – default, always included\u003C\u002Fli>\n\u003Cli>Italiano – disponibile dalla versione 1.1.3\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem> Feel free to translate this plugin in your language. This is very important for all users worldwide. So please contribute your language to the plugin to make it even more useful. For translating I recommend the \u003Ca href=\"http:\u002F\u002Fwww.poedit.net\u002F\" rel=\"nofollow ugc\">“Poedit Editor”\u003C\u002Fa>.\u003C\u002Fp>\n","Log of failed access, pingbacks, user enumeration, disable xmlrpc authenticated methods, kill xmlrpc request on authentication error.",70,4603,100,1,"2016-11-18T13:47:00.000Z","4.7.32","3.5.1","",[20,21,22,23,24],"authentication-logger","brute-force","fail2ban","security","xmlrpc-hack","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauthentication-and-xmlrpc-log-writer.1.2.2.zip",63,"2025-08-13 00:00:00","2026-03-15T15:16:48.613Z",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":27,"updated_date":41,"references":42,"days_to_patch":35},"CVE-2025-49037","authentication-and-xmlrpc-log-writer-reflected-cross-site-scripting","Authentication and xmlrpc log writer \u003C= 1.2.2 - Reflected Cross-Site Scripting","The Authentication and xmlrpc log writer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=1.2.2","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-08-18 20:46:13",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fadffa925-0d91-4c8a-b9ec-1af10cb882ca?source=api-prod",{"slug":45,"display_name":7,"profile_url":8,"plugin_count":46,"total_installs":47,"avg_security_score":48,"avg_patch_time_days":49,"trust_score":50,"computed_at":51},"mrrotella",2,170,74,30,76,"2026-04-04T15:39:26.001Z",[53,77,99,123,142],{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":63,"num_ratings":64,"last_updated":65,"tested_up_to":66,"requires_at_least":67,"requires_php":68,"tags":69,"homepage":72,"download_link":73,"security_score":74,"vuln_count":14,"unpatched_count":75,"last_vuln_date":76,"fetched_at":28},"wp-fail2ban","WP fail2ban – Advanced Security","5.4.1","invisnet","https:\u002F\u002Fprofiles.wordpress.org\u002Finvisnet\u002F","\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.fail2ban.org\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">fail2ban\u003C\u002Fa> is one of the simplest and most effective security measures you can implement to protect your WordPress site.\u003C\u002Fp>\n\u003Cp>\u003Cem>WP fail2ban\u003C\u002Fem> provides the link between WordPress and \u003Ccode>fail2ban\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1\nOct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cem>WPf2b\u003C\u002Fem> comes with three \u003Ccode>fail2ban\u003C\u002Fcode> filters: \u003Ccode>wordpress-hard.conf\u003C\u002Fcode>, \u003Ccode>wordpress-soft.conf\u003C\u002Fcode>, and \u003Ccode>wordpress-extra.conf\u003C\u002Fcode>. These are designed to allow a split between immediate banning (hard) and the traditional more graceful approach (soft), with extra rules for custom configurations.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Failed Login Attempts\u003C\u002Fstrong>\u003Cbr \u002F>\nThe very first feature of \u003Cem>WPf2b\u003C\u002Fem>: logging failed login attempts so the IP can be banned. Just as useful today as it was then.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block User Enumeration\u003C\u002Fstrong>\u003Cbr \u002F>\nOne of the most common precursors to a password-guessing brute force attack is \u003Ca href=\"https:\u002F\u002Fwp-fail2ban.com\u002Ffeatures\u002Fblock-user-enumeration\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">user enumeration\u003C\u002Fa>. \u003Cem>WPf2b\u003C\u002Fem> can block it, stopping the attack before it starts.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block username logins\u003C\u002Fstrong>\u003Cbr \u002F>\nSometimes it’s not possible to block user enumeration (for example, if your theme provides Author profiles). \u003Cem>WPf2b\u003C\u002Fem> can require users to login with their email address instead of their username.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Blocking Users\u003C\u002Fstrong>\u003Cbr \u002F>\nAnther of the older \u003Cem>WPf2b\u003C\u002Fem> features: the login process can be aborted for specified usernames.\u003Cbr \u002F>\nSay a bot collected your site’s usernames before you blocked user enumeration. Once you’ve changed all the usernames, add the old ones to the list; anything using them will trigger a “hard” fail.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Empty Username Login Attempts\u003C\u002Fstrong>\u003Cbr \u002F>\nSome bots will try to login without a username; harmless, but annoying. These attempts are logged as a “soft” fail so the more persistent bots will be banned.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Spam\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> will log a spammer’s IP address as a “hard” fail when their comment is marked as spam; the Premium version will also log the IP when Akismet discards “obvious” spam.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Attempted Comments\u003C\u002Fstrong>\u003Cbr \u002F>\nSome spam bots try to comment on everything, even things that aren’t there. \u003Cem>WPf2b\u003C\u002Fem> detects these and logs them as a “hard” fail.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Pingbacks\u003C\u002Fstrong>\u003Cbr \u002F>\nPingbacks are a great feature, but they can be abused to attack the rest of the WWW. Rather than disable them completely, \u003Cem>WPf2b\u003C\u002Fem> effectively rate-limits potential attackers by logging the IP address as a “soft” fail.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block XML‑RPC Requests\u003C\u002Fstrong> [Premium]\u003Cbr \u002F>\nThe only reason most sites need XML‑RPC (other than Pingbacks) is for Jetpack; \u003Cem>WPf2b\u003C\u002Fem> Premium can block XML‑RPC while allowing Jetpack and\u002For Pingbacks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block Countries\u003C\u002Fstrong> [Premium]\u003Cbr \u002F>\nSometimes you just need a bigger hammer – if you’re seeing nothing but attacks from some countries, block them!\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Cloudflare and Proxy Servers\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> will work with \u003Ca href=\"https:\u002F\u002Fwp-fail2ban.com\u002Ffeatures\u002Fcloudflare-and-proxy-servers\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">Cloudflare\u003C\u002Fa>, and the Premium version will automatically update the list of Cloudflare IP addresses.\u003Cbr \u002F>\nYou can also configure your own list of trusted proxies.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>syslog Dashboard Widget\u003C\u002Fstrong>\u003Cbr \u002F>\nEver wondered what’s being logged? The dashboard widget shows the last 5 messages; the Premium version keeps a full history to help you analyse and prevent attacks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Site Health Check\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> will (try to) check that your \u003Ccode>fail2ban\u003C\u002Fcode> configuration is sane and that the filters are up to date; out-of-date filters are the primary cause of \u003Cem>WPf2b\u003C\u002Fem> not working as well as it can.\u003Cbr \u002F>\nWhen did you last run the Site Health tool?\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>\u003Ccode>mu-plugins\u003C\u002Fcode> Support\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> can easily be configured as a “must-use plugin” – see \u003Ca href=\"https:\u002F\u002Fdocs.wp-fail2ban.com\u002Fen\u002F5.4\u002Fconfiguration.html?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1#mu-plugins-support\" rel=\"nofollow ugc\">Configuration\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>API to Extend \u003Cem>WPf2b\u003C\u002Fem>\u003C\u002Fstrong>\u003Cbr \u002F>\nIf your plugin can detect behaviour which should be blocked, why reinvent the wheel?\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Event Hooks\u003C\u002Fstrong> [Premium]\u003Cbr \u002F>\nNeed to do something special when \u003Cem>WPf2b\u003C\u002Fem> detects a particular event? \u003Ca href=\"https:\u002F\u002Fdocs.wp-fail2ban.com\u002Fen\u002F5.4\u002Fdevelopers\u002Fevents.html?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">There’s a hook for that\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Premium\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Web Application Firewall (WAF)\u003C\u002Fli>\n\u003Cli>Akismet support.\u003C\u002Fli>\n\u003Cli>Block XML‑RPC while allowing Jetpack and\u002For Pingbacks.\u003C\u002Fli>\n\u003Cli>Block Countries.\u003C\u002Fli>\n\u003Cli>Auto-update Cloudflare IPs.\u003C\u002Fli>\n\u003Cli>Event log.\u003C\u002Fli>\n\u003Cli>Event hooks.\u003C\u002Fli>\n\u003C\u002Ful>\n","WP fail2ban uses fail2ban to protect your WordPress site.",70000,1973124,84,71,"2025-04-29T15:21:00.000Z","6.8.5","4.2","7.4",[21,22,70,23,71],"login","syslog","https:\u002F\u002Fwp-fail2ban.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-fail2ban.5.4.1.zip",99,0,"2019-02-25 00:00:00",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":88,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":18,"tags":92,"homepage":18,"download_link":96,"security_score":87,"vuln_count":97,"unpatched_count":75,"last_vuln_date":98,"fetched_at":28},"limit-login-attempts-reloaded","Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall","2.26.28","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded\u003C\u002Fa> functions as a robust deterrent against \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fcracking-the-code-unveiling-the-mechanics-behind-brute-force-attacks\u002F\" rel=\"nofollow ugc\">brute force attacks\u003C\u002Fa>, bolstering your website’s security measures and optimizing its performance. It achieves this by \u003Cstrong>restricting the number of login attempts allowed\u003C\u002Fstrong>. This applies not only to the standard login method, but also to XMLRPC, Woocommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.\u003C\u002Fp>\n\u003Cp>The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and\u002For username once a predetermined limit of retries has been surpassed. This significantly weakens the effectiveness of brute force attacks on your website.\u003C\u002Fp>\n\u003Cp>By default, WordPress permits an unlimited number of login attempts, posing a vulnerability where passwords can be easily deciphered through brute force methods.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Limit Login Attempts Reloaded Premium (Try Free with \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fpremium-security-zero-cost-discover-the-benefits-of-micro-cloud\u002F\" rel=\"nofollow ugc\">Micro Cloud\u003C\u002Fa>)\u003C\u002Fstrong>\u003Cbr \u002F>\nUpgrade to \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fplans\u002F\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded Premium\u003C\u002Fa> to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffeatures\u002Fip-intelligence\u002F\" rel=\"nofollow ugc\">IP intelligence\u003C\u002Fa> to \u003Cstrong>detect, counter and deny malicious login attempts\u003C\u002Fstrong>. Your \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffailed-login-attempts-in-wordpress\u002F\" rel=\"nofollow ugc\">failed login attempts\u003C\u002Fa> will be safely neutralized in the cloud so your website can function at its optimal performance during an attack.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FJfkvIiQft14?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>Features (Free Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>2FA\u003C\u002Fstrong> – Coming soon.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Logins\u003C\u002Fstrong> – Limit the number of retry attempts when logging in (per each IP).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Lockout Timings\u003C\u002Fstrong> – Modify the amount of time a user or IP must wait after a lockout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remaining Tries\u003C\u002Fstrong> – Informs the user about the remaining retries or lockout time on the login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lockout Email Notifications\u003C\u002Fstrong> – Informs the admin via email of lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Denied Attempt Logs\u003C\u002Fstrong> – View a log of all denied attempts and lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & Username Safelist\u002FDenylist\u003C\u002Fstrong> – Control access to usernames and IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection (Micro Cloud Accounts)\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sucuri\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wordfence\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPS Hide Login\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MemberPress\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XMLRPC\u003C\u002Fstrong> gateway protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Woocommerce\u003C\u002Fstrong> login page protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-site compatibility\u003C\u002Fstrong> with extra MU settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR\u003C\u002Fstrong> compliant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom IP origins support\u003C\u002Fstrong> (Cloudflare, Sucuri, etc.).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>llar_admin\u003C\u002Fstrong> own capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features (Premium Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Performance Optimizer\u003C\u002Fstrong> – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced IP Intelligence\u003C\u002Fstrong> – Identify repetitive and suspicious login attempts to detect potential brute force attacks. IPs with known malicious activity are stored and used to help prevent and counter future attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Throttling\u003C\u002Fstrong> – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deny By Country\u003C\u002Fstrong> – \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fblock-logins-by-country-in-wordpress\u002F\" rel=\"nofollow ugc\">Block logins by country\u003C\u002Fa> by simply selecting the countries you want to deny.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto IP Denylist\u003C\u002Fstrong> – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Denylist Protection\u003C\u002Fstrong> – Utilize our active cloud IP data from thousands of websites in the LLAR network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Lockouts\u003C\u002Fstrong> –  Lockout IP data can be shared between multiple domains for enhanced protection in your network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Safelist\u002FDenylist\u003C\u002Fstrong> – Safelist\u002FDenylist IP and username data can be shared between multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support\u003C\u002Fstrong> – Email support with a security tech.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto Backups of All IP Data\u003C\u002Fstrong> – Store your active IP data in the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Successful Logins Log\u003C\u002Fstrong> – Store successful logins in the cloud including IP info, city, state and lat\u002Flong.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced lockout logs\u003C\u002Fstrong> – Gain valuable insights into the origins of IPs that are attempting logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CSV Download of IP Data\u003C\u002Fstrong> – Download IP data direclty from the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supports IPV6 Ranges For Safelist\u002FDenylist\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlock The Locked Admin\u003C\u002Fstrong> – Easily \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fhow-to-unlock-your-site-if-you-are-locked-out-by-limit-login-attempts-reloaded\u002F\" rel=\"nofollow ugc\">unlock the locked admin\u003C\u002Fa> through the cloud.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>*Some features require higher level plans.\u003C\u002Fp>\n\u003Ch4>Upgrading from the old Limit Login Attempts plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to the Plugins section in your site’s backend.\u003C\u002Fli>\n\u003Cli>Remove the Limit Login Attempts plugin.\u003C\u002Fli>\n\u003Cli>Install the Limit Login Attempts Reloaded plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All your settings will be kept intact!\u003C\u002Fp>\n\u003Cp>Many languages are currently supported in the Limit Login Attempts Reloaded plugin but we welcome any additional ones.\u003C\u002Fp>\n\u003Cp>Help us bring Limit Login Attempts Reloaded to even more countries.\u003C\u002Fp>\n\u003Cp>Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish\u003C\u002Fp>\n\u003Cp>Plugin uses standard actions and filters only.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin by Johan Eenfeldt.\u003C\u002Fp>\n\u003Ch4>Branding Guidelines\u003C\u002Fh4>\n\u003Cp>Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. Limit Login Attempts is the old plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded (correct)\u003C\u002Fli>\n\u003Cli>Limit Login Attempts (incorrect)\u003C\u002Fli>\n\u003C\u002Ful>\n","Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.",2000000,79399145,98,1441,"2026-01-12T16:01:00.000Z","6.9.4","3.0",[93,21,94,95,23],"2fa","firewall","login-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-login-attempts-reloaded.2.26.28.zip",4,"2023-12-20 00:00:00",{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":107,"downloaded":108,"rating":109,"num_ratings":110,"last_updated":111,"tested_up_to":90,"requires_at_least":112,"requires_php":68,"tags":113,"homepage":118,"download_link":119,"security_score":120,"vuln_count":121,"unpatched_count":75,"last_vuln_date":122,"fetched_at":28},"better-wp-security","Solid Security – Password, Two Factor Authentication, and Brute Force Protection","9.4.6","StellarWP","https:\u002F\u002Fprofiles.wordpress.org\u002Fstellarwp\u002F","\u003Ch4>Reduce your WordPress website’s risk to nearly zero with Solid Security\u003C\u002Fh4>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fwporg-security-ithemes\" rel=\"nofollow ugc\">Formerly iThemes Security. Looking for iThemes? Learn more here.\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>On average, 30,000 websites are hacked every day.* Cyberattacks in the US increased by 57% in 2022.** Bad actors who want to hack your site, steal your data, and cripple your business are a 24\u002F7\u002F365 threat.\u003C\u002Fp>\n\u003Cp>You need a proactive, strategic approach to WordPress website security that protects your site from brute force attacks, malware infections, and other cyber threats.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fsolid-security-pro\" rel=\"nofollow ugc\">Solid Security\u003C\u002Fa> shields your site from cyberattacks and prevents security vulnerabilities. It automatically locks out bad users identified by our Brute Force Protection Network that is nearly 1 million sites strong and leverages your own blacklist. It secures and protects your most commonly attacked part of your WordPress website – user login authentication.\u003C\u002Fp>\n\u003Cp>With Patchstack integration (Pro) protects your site before you even have a chance to address vulnerabilities and before a plugin or theme vendor or developer can even issue a patch.\u003C\u002Fp>\n\u003Cp>That’s 24\u002F7\u002F365 always-on truly Solid Security.\u003C\u002Fp>\n\u003Cp>\u003Ciframe loading=\"lazy\" title=\"Welcome to Solid Security, Part of the SolidWP Suite\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F863249227?dnt=1&app_id=122963\" width=\"750\" height=\"422\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; clipboard-write\">\u003C\u002Fiframe>\u003C\u002Fp>\n\u003Ch4>🌐 Secure your Website in Minutes\u003C\u002Fh4>\n\u003Cp>The Solid Security setup and onboarding experience allows anyone to secure their WordPress website in under 10 minutes, regardless of technical acumen. Knowing that you have enabled all the right security settings for your website will leave you feeling like your site has never been more secure.\u003C\u002Fp>\n\u003Ch4>📚 Security Site Templates to Fit Your Type of Site\u003C\u002Fh4>\n\u003Cp>Enabling the correct security settings based on the type of website you are building or maintaining is essential for proper security. An eCommerce site requires a different level of security than a basic blog. Solid Security Site Templates make it quick and easy to apply the right security settings for your website.\u003C\u002Fp>\n\u003Cp>Choose from six different site templates to apply the type of security your site needs:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\u003Cstrong>Ecommerce\u003C\u002Fstrong> – websites that sell products or services\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Network\u003C\u002Fstrong> – websites that connect people or communities\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Non-Profit\u003C\u002Fstrong> – websites that promote your cause and collect donations\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Blog\u003C\u002Fstrong> – websites that share your thoughts or start a conversation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Portfolio\u003C\u002Fstrong> – websites that showcase your craft\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brochure\u003C\u002Fstrong> – simple websites that promote your business\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>⌚ Real-Time Website Security Dashboard\u003C\u002Fh4>\n\u003Cp>Every day, lots of activity is happening on your website that you can’t see. Many of these activities can be related to your site’s security, so monitoring these events is vital to keeping your site secure.\u003C\u002Fp>\n\u003Cp>The \u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fsolid-security-pro\" rel=\"nofollow ugc\">Solid Security Pro\u003C\u002Fa> plugin provides a real-time WordPress security dashboard that monitors security-related events on your site around the clock. The Solid Security Dashboard is a dynamic dashboard with all your WordPress website’s security activity stats in one place, including brute force attacks, banned users, active lockouts, site scan results, and user security stats (Pro).\u003C\u002Fp>\n\u003Ch4>🗝️ WordPress Login Security\u003C\u002Fh4>\n\u003Cp>Setting up and maintaining proper WordPress configurations and managing user account access are essential aspects of hardening your site against threats and vulnerabilities. Basic and Pro include features that address both of these factors.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Two Factor Authentication (2FA)\u003C\u002Fstrong> – Make your WordPress login nearly impenetrable to attack by requiring users to enter a security code along with a password to login. The Solid Security plugin allows you to add two-factor authentication to your WordPress login with several authentication methods, including mobile apps like Authy and Google Authenticator, email, and backup codes.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Password Requirements\u003C\u002Fstrong> – Create and enforce a password policy for your users in less than a minute.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>reCAPTCHA\u003C\u002Fstrong> (Pro) – Stop bad bots from engaging in abusive activities on your website, such as attempting to break into your website using compromised passwords, posting spam, or even scraping your content.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Passwordless Logins\u003C\u002Fstrong> (Pro) – WordPress security made easy. Secure your user accounts with 2fa & strong passwords while allowing real users login with a click of a mouse.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Trusted Devices\u003C\u002Fstrong> (Pro) – Identify the devices you and other users use to block session hijacking attacks and limit Administrator privileges to Trusted Devices.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Automated Vulnerability Patching\u003C\u002Fstrong> (Pro) – Solid Security Pro includes Patchstack which patches vulnerabilities before you have a chance to and applies fixes even before a plugin developer or vendor has issued a patch.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Learn more about how \u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fwporgpasswordless\" rel=\"nofollow ugc\">passwordless login is the future\u003C\u002Fa> and how Solid Security can help you implement it today.\u003C\u002Fp>\n\u003Ch4>👨‍👩‍👧‍👦 The Right Amount of Security for Every User Level\u003C\u002Fh4>\n\u003Cp>Different types of user levels require different levels of security. During the Solid Security setup process, you can identify your website’s key user groups. Once the different types of users are identified, you can apply the level of security that is just right for each user group.\u003C\u002Fp>\n\u003Cp>Here are a couple of examples of how User Groups are useful for securing your site:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>For Clients\u003C\u002Fstrong> – Let’s say you are configuring Solid Security on a client’s website. You will decide whether or not they are required to use two-factor authentication and if they should have access to the Solid Security settings.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>For Customers\u003C\u002Fstrong> – If you have an eCommerce website, you will decide whether or not you want to protect customer accounts with a password policy.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Privilege Escalation\u003C\u002Fstrong> (Pro) also adds a safe, secure way to grant temporary admin-level access to your website.\u003C\u002Fp>\n\u003Ch4>🤖 Block Bad Bots & Ban User Agents with Lockouts\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Ban Users\u003C\u002Fstrong> (Basic and Pro) – Permanently block repeat offenders from accessing your site.\u003Cbr \u002F>\nLocal Brute Force Protection – Automatically identify and stop the most common method of attack on WordPress sites.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Local Brute Force Protection\u003C\u002Fstrong> (Basic and Pro) – Automatically identify and stop the most common method of attack on WordPress sites.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Network Brute Force Protection\u003C\u002Fstrong> (Basic and Pro) – The network is the Solid Security community and is nearly one million websites strong. If someone tries to break into websites in the Solid Security community, Solid Security will block them across the network.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Magic Links\u003C\u002Fstrong> (Pro) – Security shouldn’t get in your way. Magic Links allow you to log in to your WordPress site while your username is locked out by the Solid Security Local Brute Force Protection feature.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🔍 Monitor Your Site’s Security Health\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>File Change Detection\u003C\u002Fstrong> (Basic and Pro) – Solid Security logs changes made to your website that can help detect malicious activity on your website.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Site Scanner (Basic and Pro)\u003C\u002Fstrong> – Schedule checks to run four times per day (Basic) or hourly (Pro) for known vulnerabilities of WordPress core file, plugins and themes. Using the Google Safe Browsing API, the Site Scan also checks your Google’s blocklist status and will alert you if Google has found any malware on your website.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Patchstack integration (Pro)\u003C\u002Fstrong> – Automated virtual patching of some vulnerabilities before you even have a chance to address them yourself, and before a plugin or theme vendor or developer can even issue a patch.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Site Scanner\u003C\u002Fstrong> (Pro) – Unlock Version Management to automatically apply a patch to vulnerable software detected by the Site Scan when one is available.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>User Logging\u003C\u002Fstrong> (Pro) – Keep a record of user activity in your WordPress security logs, including login\u002Flogout, user registration, adding\u002Fremoving plugins, switching themes, changes to posts and pages, and more.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Version Management\u003C\u002Fstrong> (Pro) – The Version Management feature in Solid Security Pro allows you to auto-update WordPress, plugins, and themes. Beyond that, Version Management also has options to harden your website when you are running outdated software and scan for old websites.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🧠 Smarter, More Actionable Vulnerability Prioritization\u003C\u002Fh4>\n\u003Cp>Not all vulnerabilities pose the same level of risk, and the traditional Common Vulnerability Scoring System (CVSS) score doesn’t always reflect the realities of running a WordPress site.\u003C\u002Fp>\n\u003Cp>Solid Security now uses the Patchstack Priority score, which goes beyond CVSS to provide a real-world risk assessment tailored to WordPress. It factors in how likely a vulnerability is to be exploited and its actual impact on your site.\u003C\u002Fp>\n\u003Cp>With Patchstack Priority, you get a clearer picture of what really matters, helping you focus on the vulnerabilities that pose the greatest risk, and worry less about noise from low-impact issues.\u003C\u002Fp>\n\u003Ch4>🛠️ Website Security Utilities\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Enforce SSL\u003C\u002Fstrong> – Force all connections to the website to be made over SSL\u002FTLS.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Database Backups\u003C\u002Fstrong> – Create backups of your WordPress database. (Not a complete backup.)\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Geolocation\u003C\u002Fstrong> (Pro) – Improve Trusted Devices by connecting to an external location or mapping API.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🚀 Advanced Security Tools\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Identify Server IPs\u003C\u002Fstrong> – Prevent issues caused by inadvertently locking out your server IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change User ID 1\u003C\u002Fstrong> – Change the user ID for the first WordPress user, potentially preventing attacks that assume the user with ID1 exists and is an administrator.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change Database Prefix\u003C\u002Fstrong> – Change the database prefix that WordPress uses, potentially preventing attacks that assume the database prefix is “wp_”.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Check File Permission\u003C\u002Fstrong> – See the file and directory permissions of key areas of your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server Config Rules\u003C\u002Fstrong> – View or flush the server security rules generated by Solid Security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>wp-config.php Rules\u003C\u002Fstrong> – View or flush the wp-config.php security rules generated by Solid Security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change WordPress Salts\u003C\u002Fstrong> – Secure your site after a successful attack by changing the WordPress salts used to secure cookies and security tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Login URL\u003C\u002Fstrong> – change the login URL of your site, making it harder for bots to find your login page and attack it.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🛟 Need Help?\u003C\u002Fh4>\n\u003Cp>Free support may be available with the community’s help in the WordPress.org support forums. Our Solid Security support team provides top-notch technical support to all our Solid Security Basic users there.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fsecurity-help-center\" rel=\"nofollow ugc\">Our Help Center will help you become an iThemes Security expert.\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Get additional peace of mind with professional support from our expert team and pro features to take your site’s security to the next level with Solid Security Pro.\u003C\u002Fp>\n\u003Ch4>Recover From a Hacked Site\u003C\u002Fh4>\n\u003Cp>Solid Security makes regular backups of your WordPress database, allowing you to get back online quickly in the event of a hack or security breach. Use Solid Security to create and email database backups on a customizable schedule.\u003C\u002Fp>\n\u003Cp>For complete site backups and the ability to restore or move WordPress to a new host or domain, check out \u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fsecurity-basic-solid-backups\" rel=\"nofollow ugc\">Solid Backups\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Solid Central Integration\u003C\u002Fh4>\n\u003Cp>Manage more than one WordPress site? Release lockouts and keep your themes, plugins, and WordPress core up to date from one dashboard with \u003Ca href=\"https:\u002F\u002Fgo.solidwp.com\u002Fsecurity-basic-solid-central\" rel=\"nofollow ugc\">Solid Central\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>*Zippia. “30 Crucial Cybersecurity Statistics [2023]: Data, Trends And More” Zippia.com. Jun. 15, 2023, https:\u002F\u002Fwww.zippia.com\u002Fadvice\u002Fcybersecurity-statistics\u002F\u003C\u002Fp>\n\u003Cp>**https:\u002F\u002Fblog.checkpoint.com\u002F2023\u002F01\u002F05\u002F38-increase-in-2022-global-cyberattacks\u002F\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>Released under the terms of the GNU General Public License.\u003C\u002Fp>\n","Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.",700000,37290141,92,3981,"2026-02-25T12:43:00.000Z","6.5",[114,115,116,23,117],"brute-force-protection","malware","password-protection","two-factor-authentication","https:\u002F\u002Fsolidwp.com\u002Fproducts\u002Fsecurity","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-wp-security.9.4.6.zip",93,19,"2024-06-20 00:00:00",{"slug":124,"name":125,"version":126,"author":127,"author_profile":128,"description":129,"short_description":130,"active_installs":131,"downloaded":132,"rating":13,"num_ratings":46,"last_updated":133,"tested_up_to":90,"requires_at_least":134,"requires_php":135,"tags":136,"homepage":140,"download_link":141,"security_score":13,"vuln_count":75,"unpatched_count":75,"last_vuln_date":35,"fetched_at":28},"cloudsecure-wp-security","CloudSecure WP Security","1.4.5","cloudsecure","https:\u002F\u002Fprofiles.wordpress.org\u002Fcloudsecure\u002F","\u003Cp>管理画面とログインURLをサイバー攻撃から守る、安心の国産・日本語対応プラグインです。\u003Cbr \u002F>\nかんたんな設定を行うだけで、不正アクセスや不正ログインからあなたのWordPressを保護し、セキュリティが向上します。\u003Cbr \u002F>\nまた、各機能の有効・無効（ON・OFF）や設定などをお好みにカスタマイズし、いつでも保護状態を管理できます。\u003C\u002Fp>\n\u003Cp>ドキュメントやFAQなど、より詳細な情報は \u003Ca href=\"https:\u002F\u002Fwpplugin.cloudsecure.ne.jp\u002Fcloudsecure_wp_security\" rel=\"nofollow ugc\">こちら\u003C\u002Fa> でご覧いただけます。\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPressのマルチサイト機能には対応していません。\u003C\u002Fli>\n\u003Cli>WebサーバーのApache1.3、2.xにのみ対応しています。\u003C\u002Fli>\n\u003Cli>画像認証追加機能を利用するためには、PHPに拡張ライブラリ「gd」をインストールする必要があります。\u003C\u002Fli>\n\u003Cli>管理画面アクセス制限機能、ログインURL変更機能を利用するためには、Apacheに「mod_rewrite」を読み込む必要があります。\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>本プラグインの機能は以下のとおりです。\u003C\u002Fp>\n\u003Ch4>ログイン無効化\u003C\u002Fh4>\n\u003Cp>指定した期間内に指定した回数ログインに失敗した場合、指定した時間ログインを無効化（ブロック）します。\u003Cbr \u002F>\nブルートフォースアタックやパスワードリスト攻撃など、不正なログインを試みる攻撃を防ぐための機能です。\u003Cbr \u002F>\nとくに、自動化された攻撃に有効です。\u003C\u002Fp>\n\u003Ch4>ログインURL変更\u003C\u002Fh4>\n\u003Cp>ログインURL（wp-login.php）を変更します。\u003Cbr \u002F>\n半角英小文字、半角数字、ハイフン、アンダースコアのいずれかを使用し、4文字以上12文字以下でお好みの名前（文字列）に設定できます。\u003Cbr \u002F>\nブルートフォースアタックやパスワードリスト攻撃など、不正なログインを試みる攻撃を受けにくくするための機能です。\u003C\u002Fp>\n\u003Ch4>ログインエラーメッセージ統一\u003C\u002Fh4>\n\u003Cp>ログイン時、ユーザー名、パスワード、画像認証のどれを間違えても同一のメッセージを表示します。\u003Cbr \u002F>\nユーザー名の存在を調査する攻撃を受けにくくするための機能です。\u003C\u002Fp>\n\u003Ch4>2段階認証\u003C\u002Fh4>\n\u003Cp>ログイン時、ユーザー名とパスワードの入力に加え、別のコードで追加認証を行います。\u003Cbr \u002F>\n利用するには、\u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.google.android.apps.authenticator2\" rel=\"nofollow ugc\">Google Authenticator\u003C\u002Fa> アプリケーションでデバイスを登録する必要があります。\u003Cbr \u002F>\nアプリケーションに表示された6桁の認証コードをログイン画面で入力し、すべての情報が一致すればログインできます。\u003Cbr \u002F>\nユーザー名やパスワードを不正入手した第三者によるログインやなりすましを防止し、セキュリティを強化します。\u003C\u002Fp>\n\u003Ch4>画像認証追加\u003C\u002Fh4>\n\u003Cp>画像データ上にランダムに表示される文字の入力を求め、一致しなければ次の画面に進めないようにする機能です。\u003Cbr \u002F>\nログインフォーム、コメントフォーム、パスワードリセットフォーム、ユーザー登録フォームに設定できます。\u003Cbr \u002F>\nブルートフォースアタックやパスワードリスト攻撃などの不正なログインを試みる攻撃や、悪意のあるプログラムからの機械的な不正アクセスを防止する機能です。\u003C\u002Fp>\n\u003Ch4>管理画面アクセス制限\u003C\u002Fh4>\n\u003Cp>管理画面にログインしていない接続元IPアドレスから管理ページ（\u002Fwp-admin\u002F以降）にアクセスすると、404エラー（Not Found）を返します。\u003Cbr \u002F>\n24時間以上管理画面にログインしていない接続元IPアドレスが対象です。\u003Cbr \u002F>\nログインすると接続元IPアドレスが記録され、管理画面にアクセスできるようになります。\u003Cbr \u002F>\nこの機能を除外するページ（wp-admin以下）を指定できます。\u003C\u002Fp>\n\u003Ch4>設定ファイルアクセス防止\u003C\u002Fh4>\n\u003Cp>WordPressのシステムに関するファイルへの不正アクセスを遮断する機能です。\u003C\u002Fp>\n\u003Ch4>ユーザー名漏えい防止\u003C\u002Fh4>\n\u003Cp>「?author=数字」アクセスによるユーザー名の漏えいを防止します。\u003C\u002Fp>\n\u003Ch4>XML-RPC無効化\u003C\u002Fh4>\n\u003Cp>XML-RPC機能、またはピンバック機能を無効化し、その乱用から管理画面を保護します。\u003C\u002Fp>\n\u003Ch4>REST API無効化\u003C\u002Fh4>\n\u003Cp>REST APIを無効化し、その悪用から管理画面を守ります。\u003C\u002Fp>\n\u003Ch4>シンプルWAF\u003C\u002Fh4>\n\u003Cp>WordPressへの攻撃に対して、基本的な防御機能を備えたシンプルなWAF（Web Application Firewall）機能です。\u003Cbr \u002F>\nSQLインジェクションやクロスサイトスクリプティングなどの一般的な攻撃を遮断します。\u003C\u002Fp>\n\u003Ch4>ログイン通知\u003C\u002Fh4>\n\u003Cp>ログインがあったとき、ユーザーにメールで通知します。\u003Cbr \u002F>\n心当たりのないメールを受信した場合、不正なログインを疑ってください。\u003C\u002Fp>\n\u003Ch4>アップデート通知\u003C\u002Fh4>\n\u003Cp>WordPress、プラグイン、テーマの更新が必要になったとき、管理者にメールで通知します。\u003Cbr \u002F>\n更新の確認は24時間ごとに行われます。\u003Cbr \u002F>\n常に最新版を使用することが、セキュリティの基本です。\u003C\u002Fp>\n\u003Ch4>サーバーエラー通知\u003C\u002Fh4>\n\u003Cp>サーバーエラー「HTTPステータスコード500（Internal Server Error）」が発生したとき、エラーの履歴を記録し、管理者にメールで通知します。\u003Cbr \u002F>\n1時間以内に同じタイプのエラーが発生した場合、エラーの履歴は記録しますが、メールでの通知は行いません。\u003C\u002Fp>\n\u003Ch4>ログイン履歴\u003C\u002Fh4>\n\u003Cp>管理画面にログインした履歴を表示します。\u003Cbr \u002F>\nそれぞれの項目で絞り込んでの検索も可能です。\u003Cbr \u002F>\nログイン通知と同様、不正なログインの気づきを促す機能です。\u003C\u002Fp>\n","管理画面とログインURLをサイバー攻撃から守る、国産・日本語対応のセキュリティ対策プラグインです。 かんたんな設定を行うだけで、不正アクセスや不正ログインからあなたのWordPressを保護します。",100000,604268,"2026-03-13T05:42:00.000Z","5.3.15","7.1",[137,21,138,23,139],"anti-spam","login-lock","waf","https:\u002F\u002Fwpplugin.cloudsecure.ne.jp\u002Fcloudsecure_wp_security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcloudsecure-wp-security.1.4.5.zip",{"slug":143,"name":144,"version":145,"author":146,"author_profile":147,"description":148,"short_description":149,"active_installs":131,"downloaded":150,"rating":87,"num_ratings":151,"last_updated":152,"tested_up_to":90,"requires_at_least":153,"requires_php":154,"tags":155,"homepage":158,"download_link":159,"security_score":160,"vuln_count":161,"unpatched_count":75,"last_vuln_date":162,"fetched_at":28},"gotmls","Anti-Malware Security and Brute-Force Firewall","4.23.88","Eli","https:\u002F\u002Fprofiles.wordpress.org\u002Fscheeeli\u002F","\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Download Definition Updates to protect against new threats.\u003C\u002Fli>\n\u003Cli>Run a Complete Scan to automatically remove known security threats, backdoor scripts, and database injections.\u003C\u002Fli>\n\u003Cli>Firewall block SoakSoak and other malware from exploiting Revolution Slider and other plugins with known vulnerabilites.\u003C\u002Fli>\n\u003Cli>Upgrade vulnerable versions of timthumb scripts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Premium Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Patch your wp-login and XMLRPC to block Brute-Force and DDoS attacks.\u003C\u002Fli>\n\u003Cli>Check the integrity of your WordPress Core files.\u003C\u002Fli>\n\u003Cli>Automatically download new Definition Updates when running a Complete Scan.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Register this plugin at \u003Ca href=\"http:\u002F\u002Fgotmls.net\u002F\" rel=\"nofollow ugc\">GOTMLS.NET\u003C\u002Fa> and get access to new definitions of “Known Threats” and added features like Automatic Removal, plus patches for specific security vulnerabilities like old versions of timthumb. Updated definition files can be downloaded automatically within the admin once your Key is registered. Otherwise, this plugin just scans for “Potential Threats” and leaves it up to you to identify and remove the malicious ones.\u003C\u002Fp>\n\u003Cp>NOTICE: This plugin makes calls to GOTMLS.NET to check for updates not unlike what WordPress does when checking your plugins and themes for new versions. Staying up-to-date is an essential part of any security plugin and this plugin can let you know when there are new plugin and definition update available. If you’re allergic to “phone home” scripts then don’t use this plugin (or WordPress at all for that matter).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Special thanks to:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Clarus Dignus for design suggestions and graphic design work on the banner image.\u003C\u002Fli>\n\u003Cli>Jelena Kovacevic and Andrew Kurtis of webhostinghub.com for providing the Spanish translation.\u003C\u002Fli>\n\u003Cli>Marcelo Guernieri for the Brazilian Portuguese translation.\u003C\u002Fli>\n\u003Cli>Umut Can Alparslan for the Turkish translation.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmichacassola\u002F\" rel=\"nofollow ugc\">Micha Cassola\u003C\u002Fa> for the German translation.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fsitustarget\u002F\" rel=\"nofollow ugc\">Robi Erwin Setiawan\u003C\u002Fa> for the Indonesian translation.\u003C\u002Fli>\n\u003C\u002Ful>\n","This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.",7622347,781,"2026-03-09T14:47:00.000Z","3.3","5.6",[156,21,94,157,23],"anti-malware","scanner","https:\u002F\u002Fgotmls.net\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgotmls.4.23.88.zip",83,9,"2025-10-28 15:41:58",{"attackSurface":164,"codeSignals":215,"taintFlows":285,"riskAssessment":286,"analyzedAt":302},{"hooks":165,"ajaxHandlers":211,"restRoutes":212,"shortcodes":213,"cronEvents":214,"entryPointCount":75,"unprotectedCount":75},[166,172,176,181,186,191,195,199,203,207],{"type":167,"name":168,"callback":169,"file":170,"line":171},"action","admin_init","page_init","admin\\admin-class.php",24,{"type":167,"name":173,"callback":174,"file":170,"line":175},"admin_menu","add_plugin_page",25,{"type":167,"name":177,"callback":178,"file":179,"line":180},"wp_login_failed","ax_logwriter_login_failed_hook","includes\\plugin-class.php",37,{"type":182,"name":183,"callback":184,"priority":14,"file":179,"line":185},"filter","xmlrpc_pingback_error","ax_logwriter_pingback_error_hook",38,{"type":182,"name":187,"callback":188,"priority":189,"file":179,"line":190},"plugin_row_meta","ax_logwriter_row_meta",10,40,{"type":167,"name":192,"callback":193,"file":179,"line":194},"plugins_loaded","ax_logwriter_load_plugin_textdomain",41,{"type":167,"name":196,"callback":197,"file":179,"line":198},"xmlrpc_call","ax_logwriter_pingback_request_hook",48,{"type":182,"name":200,"callback":201,"file":179,"line":202},"the_generator","anonymous",65,{"type":182,"name":204,"callback":205,"file":179,"line":206},"xmlrpc_enabled","__return_false",73,{"type":182,"name":208,"callback":209,"priority":189,"file":179,"line":210},"xmlrpc_login_error","ax_logwriter_xmlrpc_login_failed_hook",81,[],[],[],[],{"dangerousFunctions":216,"sqlUsage":220,"outputEscaping":222,"fileOperations":283,"externalRequests":75,"nonceChecks":75,"capabilityChecks":75,"bundledLibraries":284},[217],{"fn":218,"file":179,"line":202,"context":219},"create_function","add_filter('the_generator', create_function('', 'return \"\";'));",{"prepared":75,"raw":75,"locations":221},[],{"escaped":223,"rawEcho":224,"locations":225},44,28,[226,229,231,233,235,237,239,241,243,245,247,249,251,253,255,257,259,261,263,265,267,269,271,273,275,277,279,281],{"file":170,"line":227,"context":228},67,"raw output",{"file":170,"line":230,"context":228},101,{"file":170,"line":232,"context":228},106,{"file":170,"line":234,"context":228},107,{"file":170,"line":236,"context":228},141,{"file":170,"line":238,"context":228},151,{"file":170,"line":240,"context":228},158,{"file":170,"line":242,"context":228},165,{"file":170,"line":244,"context":228},528,{"file":170,"line":246,"context":228},533,{"file":170,"line":248,"context":228},545,{"file":170,"line":250,"context":228},548,{"file":170,"line":252,"context":228},553,{"file":170,"line":254,"context":228},557,{"file":170,"line":256,"context":228},574,{"file":170,"line":258,"context":228},605,{"file":170,"line":260,"context":228},608,{"file":170,"line":262,"context":228},613,{"file":170,"line":264,"context":228},622,{"file":170,"line":266,"context":228},624,{"file":170,"line":268,"context":228},633,{"file":170,"line":270,"context":228},635,{"file":170,"line":272,"context":228},644,{"file":170,"line":274,"context":228},646,{"file":170,"line":276,"context":228},655,{"file":170,"line":278,"context":228},657,{"file":170,"line":280,"context":228},666,{"file":170,"line":282,"context":228},668,3,[],[],{"summary":287,"deductions":288},"The \"authentication-and-xmlrpc-log-writer\" plugin v1.2.2 exhibits a mixed security posture. While it boasts a small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events, and all SQL queries use prepared statements, several concerning signals are present. The use of the deprecated `create_function` is a significant red flag, as it can lead to code injection vulnerabilities if not handled with extreme care. Additionally, the output escaping rate is only 61%, indicating a substantial number of potentially unescaped outputs which could be susceptible to Cross-Site Scripting (XSS) attacks. The plugin's vulnerability history is also a major concern, with one known medium-severity CVE that is currently unpatched. This suggests a recurring pattern of vulnerabilities, specifically XSS, that have not been fully addressed, raising doubts about the ongoing maintainability and security diligence of the plugin.",[289,292,295,297,300],{"reason":290,"points":291},"Unpatched medium severity CVE",17,{"reason":293,"points":294},"Low output escaping percentage (61%)",7,{"reason":296,"points":189},"Use of dangerous function: create_function",{"reason":298,"points":299},"No nonce checks",5,{"reason":301,"points":299},"No capability checks","2026-03-16T21:36:56.925Z",{"wat":304,"direct":311},{"assetPaths":305,"generatorPatterns":307,"scriptPaths":308,"versionParams":309},[306],"\u002Fwp-content\u002Fplugins\u002Fauthentication-and-xmlrpc-log-writer\u002Fadmin\u002Fcss\u002Fstyle.css",[],[],[310],"authentication-and-xmlrpc-log-writer\u002Fadmin\u002Fcss\u002Fstyle.css?ver=",{"cssClasses":312,"htmlComments":316,"htmlAttributes":317,"restEndpoints":318,"jsGlobals":319,"shortcodeOutput":320},[313,314,315],"axlw_admin_logviewer_header","axlw_admin_logviewer_content-subhead","axlw_admin_logviewer_content",[],[],[],[],[]]