WP-Safety

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Security & Risk Analysis

wordpress.org/plugins/better-wp-security

Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.

700K active installs v9.4.6 PHP 7.4+ WP 6.5+ Updated Feb 25, 2026
brute-force-protectionmalwarepassword-protectionsecuritytwo-factor-authentication
93
A · Safe
CVEs total19
Unpatched0
Last CVEJun 20, 2024
Plugin page Download
Safety Verdict

Is Solid Security – Password, Two Factor Authentication, and Brute Force Protection Safe to Use in 2026?

Generally Safe

Score 93/100

Solid Security – Password, Two Factor Authentication, and Brute Force Protection has a strong security track record. Known vulnerabilities have been patched promptly.

19 known CVEsLast CVE: Jun 20, 2024Updated 1mo ago
Risk Assessment

The "better-wp-security" v9.4.6 plugin exhibits a mixed security posture. While it demonstrates good practices such as a high percentage of prepared SQL statements and properly escaped output, there are notable areas of concern. The presence of 6 unprotected entry points across AJAX handlers and REST API routes presents a significant attack surface, potentially allowing unauthorized access or manipulation of plugin functionalities. The two identified flows with unsanitized paths, though not currently classified as critical or high severity, warrant close scrutiny as they could lead to vulnerabilities if exploited in conjunction with other weaknesses.

The plugin's vulnerability history is a major red flag. With 19 known CVEs and a recent vulnerability discovered in June 2024, the plugin has a history of security flaws. The prevalence of high and medium severity vulnerabilities, including SQL injection, cross-site scripting, and access control issues, indicates recurring problems with input validation and permission handling. While there are currently no unpatched CVEs, the sheer volume and recency of past vulnerabilities suggest a continuous need for vigilance and prompt updates.

In conclusion, "better-wp-security" v9.4.6 has strengths in its implementation of secure coding practices like prepared statements and output escaping. However, the substantial unprotected attack surface and a troubling history of frequent and significant vulnerabilities necessitate a cautious approach. Users should ensure they are always running the latest version and be aware of the potential risks associated with the identified unprotected endpoints.

Key Concerns

  • Unprotected AJAX handlers (3)
  • Unprotected REST API routes (3)
  • Flows with unsanitized paths (2)
  • Total known CVEs (19)
  • High severity CVEs (7)
  • Medium severity CVEs (11)
  • Dangerous function 'unserialize' (2)
Vulnerabilities
19

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Security Vulnerabilities

CVEs by Year

3 CVEs in 2012
2012
3 CVEs in 2014
2014
1 CVE in 2015
2015
5 CVEs in 2016
2016
2 CVEs in 2018
2018
2 CVEs in 2021
2021
2 CVEs in 2023
2023
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

High
7
Medium
11
Low
1

19 total CVEs

CVE-2022-44593medium · 5.3Use of Less Trusted Source

Solid Security <= 9.3.1 - IP Address Spoofing to Denial of Service

Jun 20, 2024 Patched in 9.3.2 (7d)
WF-88163d55-ab97-4697-a25b-d54615e2a843-better-wp-securitymedium · 5.3Protection Mechanism Failure

Solid Security Basic <= 9.0.0 - Unauthenticated Login Page Disclosure

Oct 31, 2023 Patched in 9.0.1 (84d)
CVE-2023-28786medium · 4.7URL Redirection to Untrusted Site ('Open Redirect')

iThemes Security <= 8.1.4 - Open Redirection via redirect_to_https

Mar 27, 2023 Patched in 8.1.5 (302d)
WF-21a1a6c2-0eb1-4ee3-abf0-76b84adca01b-better-wp-securitymedium · 5.3Protection Mechanism Failure

iThemes Security < 7.9.1 and iThemes Security Pro < 6.8.4 - Hidden Login Bypass

Apr 22, 2021 Patched in 7.9.1 (1006d)
CVE-2020-36176high · 7.5Incorrect User Management

iThemes Security <= 7.6.1 - Broken Password Mechanism

Jan 6, 2021 Patched in 7.7.0 (1112d)
CVE-2018-12636high · 7.2Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

iThemes Security <= 7.0.2 - Authenticated SQL Injection

Jun 25, 2018 Patched in 7.0.3 (2038d)
CVE-2018-7433high · 7.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security <= 6.9.0 - Cross-Site Scripting

Mar 5, 2018 Patched in 6.9.1 (2150d)
WF-8657003f-da37-4169-9f00-262d7f3d9a9c-better-wp-securitymedium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security <= 5.6.1 - Stored Cross-Site Scripting

Oct 6, 2016 Patched in 5.6.2 (2665d)
WF-0a49c8df-0524-41af-b095-b5953e6f68d8-better-wp-securitymedium · 5.3Observable Response Discrepancy

iThemes Security <= 5.6.1 - Sensitive Information Exposure via Diff Response

Sep 27, 2016 Patched in 5.6.2 (2674d)
WF-246eea09-abe5-41e9-811e-5cddedbbe01e-better-wp-securityhigh · 7.4Improper Access Control

iThemes Security <= 5.3.5 - Missing Capabilities Check

Apr 25, 2016 Patched in 5.3.6 (2829d)
WF-32d0f709-192a-4d9f-bfe9-15c1be4c4b95-better-wp-securitymedium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

iThemes Security < 5.3.1 - Insecure Backup/Logfile Generation

Apr 21, 2016 Patched in 5.3.1 (2833d)
WF-e9f0689d-aa35-4dfb-b264-5d7378ab1a54-better-wp-securitylow · 3.3Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security < 5.3.5 - Authenticated Cross-Site Scripting

Apr 5, 2016 Patched in 5.3.5 (2849d)
WF-c6168ee5-5df3-4d79-96bb-95029f2ac54b-better-wp-securitymedium · 6.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security <= 4.6.12 - Stored Cross-Site Scripting

Apr 14, 2015 Patched in 4.6.13 (3206d)
WF-1ec45848-33b1-4088-ba06-9a12d291120e-better-wp-securityhigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Better WP Security <= 3.5.3 - Stored Cross-Site Scripting

Aug 1, 2014 Patched in 3.5.4 (3462d)
WF-5f7014fc-a502-4f72-899f-c21d3ca5e5b3-better-wp-securityhigh · 8.3Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security < 3.6.4 - Stored Cross-Site Scripting

Aug 1, 2014 Patched in 3.6.4 (3462d)
WF-f3e74fb9-edb5-4602-9aac-375701a82f84-better-wp-securitymedium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Better WP Security <= 3.6.3 - Stored Cross-Site Scripting

Aug 1, 2014 Patched in 3.6.4 (3462d)
WF-d2137662-d328-4da7-986a-341ff1bdca63-better-wp-securitymedium · 6.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security < 3.4.4 - Cross-Site Scripting

Aug 20, 2012 Patched in 3.4.4 (4173d)
CVE-2012-4263high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iThemes Security < 3.2.5 - Cross-Site Scripting

May 11, 2012 Patched in 3.2.5 (4274d)
CVE-2012-4264medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Better WP Security <= 3.2.4 - Multiple Cross-Site Scripting

May 11, 2012 Patched in 3.2.5 (4274d)
Code Analysis
Analyzed Mar 16, 2026

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Code Analysis

Dangerous Functions
2
Raw SQL Queries
22
146 prepared
Unescaped Output
57
286 escaped
Nonce Checks
16
Capability Checks
54
File Operations
24
External Requests
15
Bundled Libraries
0

Dangerous Functions Found

unserializeif ( $data['lockout_context'] && ! ( $context = unserialize( $data['lockout_context'] ) ) instanceofcore\lockout.php:667
unserializereturn @unserialize( $data, $options ); // @phpcs:ignorevendor-prod\deliciousbrains\wp-background-processing\classes\wp-background-process.php:881

SQL Query Safety

87% prepared168 total queries

Output Escaping

83% escaped343 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths
<utilities> (core\modules\network-brute-force\utilities.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Attack Surface

Entry Points19
Unprotected6

AJAX Handlers 7

authwp_ajax_itsec_logs_pagecore\admin-pages\init.php:14
authwp_ajax_itsec_help_pagecore\admin-pages\init.php:15
authwp_ajax_itsec_debug_pagecore\admin-pages\init.php:16
authwp_ajax_itsec-set-user-settingcore\admin-pages\init.php:17
authwp_ajax_two_factor_backup_codes_generatecore\modules\two-factor\providers\class.two-factor-backup-codes.php:51
authwp_ajax_two-factor-totp-get-codecore\modules\two-factor\providers\class.two-factor-totp.php:43
authwp_ajax_two-factor-totp-verify-codecore\modules\two-factor\providers\class.two-factor-totp.php:44

REST API Routes 11

GET/wp-json/ithemes-security/rpcban-users/add-manycore\modules\ban-users\REST.php:57
GET/wp-json/ithemes-security/v1admin-noticescore\modules\core\class-rest-core-admin-notices-controller.php:6
GET/wp-json/ithemes-security/v1admin-notices/(?P<notice>[\w\-\.]+)/(?P<action>[\w\-]+)core\modules\core\class-rest-core-admin-notices-controller.php:12
GET/wp-json/ithemes-security/v1admin-notices/settingscore\modules\core\class-rest-core-admin-notices-controller.php:18
GET/wp-json/ithemes-security/rpc/file-change/file-treecore\modules\file-change\rest.php:3
GET/wp-json/ithemes-security/rpcfile-writing/get-config-rulescore\modules\file-writing\rest.php:3
GET/wp-json/ithemes-security/rpcglobal/detect-ipcore\modules\global\rest.php:3
GET/wp-json/ithemes-security/rpc/notification-center/notificationscore\modules\notification-center\rest.php:3
GET/wp-json/ithemes-security/rpc/notification-center/available-users-rolescore\modules\notification-center\rest.php:29
POST/wp-json/ithemes-security/v1site-scanner/verify-scancore\modules\site-scanner\REST\REST.php:24
GET/wp-json/ithemes-security/rpcdiscovercore\rest.php:55

Shortcodes 1

[solid_security_user_profile_settings] core\modules\core\class-itsec-core-active.php:251
WordPress Hooks 397
actionadmin_noticesbetter-wp-security.php:22
actionadmin_noticesbetter-wp-security.php:32
actionnetwork_admin_menucore\admin-pages\init.php:9
actionadmin_menucore\admin-pages\init.php:11
filteritsec-user-setting-valid-itsec-settings-viewcore\admin-pages\init.php:20
actionshow_user_profilecore\admin-pages\init.php:22
actionedit_user_profilecore\admin-pages\init.php:23
actionadmin_enqueue_scriptscore\admin-pages\init.php:24
actionadmin_enqueue_scriptscore\admin-pages\page-dashboard.php:3
actionitsec-page-showcore\admin-pages\page-dashboard.php:96
actionitsec-page-showcore\admin-pages\page-debug.php:9
actionitsec-page-ajaxcore\admin-pages\page-debug.php:10
actionadmin_print_scriptscore\admin-pages\page-debug.php:11
actionadmin_print_stylescore\admin-pages\page-debug.php:12
actionadmin_enqueue_scriptscore\admin-pages\page-firewall.php:3
actionitsec-page-showcore\admin-pages\page-firewall.php:53
actionadmin_enqueue_scriptscore\admin-pages\page-go-pro.php:3
actionitsec-page-showcore\admin-pages\page-go-pro.php:8
actionitsec-page-showcore\admin-pages\page-logs.php:10
actionitsec-page-ajaxcore\admin-pages\page-logs.php:11
actionadmin_print_scriptscore\admin-pages\page-logs.php:12
actionadmin_print_stylescore\admin-pages\page-logs.php:13
filterscreen_settingscore\admin-pages\page-logs.php:15
actionadmin_enqueue_scriptscore\admin-pages\page-settings.php:2
filteradmin_viewport_metacore\admin-pages\page-settings.php:37
actionitsec-page-showcore\admin-pages\page-settings.php:43
actionadmin_enqueue_scriptscore\admin-pages\page-site-scan.php:3
actionitsec-page-showcore\admin-pages\page-site-scan.php:28
actionadmin_enqueue_scriptscore\admin-pages\page-tools.php:3
actionitsec-page-showcore\admin-pages\page-tools.php:32
actionadmin_enqueue_scriptscore\admin-pages\page-user-security.php:3
actionitsec-page-showcore\admin-pages\page-user-security.php:37
actionadmin_enqueue_scriptscore\admin-pages\page-vulnerabilities.php:3
actionitsec-page-showcore\admin-pages\page-vulnerabilities.php:43
actionitsec-settings-page-register-widgetscore\admin-pages\sidebar-widget.php:81
actionitsec-logs-page-register-widgetscore\admin-pages\sidebar-widget.php:82
filteruser_has_capcore\core.php:134
actionitsec-register-modulescore\core.php:138
actionplugins_loadedcore\core.php:163
actionplugins_loadedcore\core.php:164
actionplugins_loadedcore\core.php:165
actionitsec_scheduled_clear-lockscore\core.php:167
actionitsec_scheduled_clear-tokenscore\core.php:168
actionitsec_before_importcore\core.php:169
actionitsec_after_importcore\core.php:172
actionall_admin_noticescore\core.php:212
filterplugin_action_linkscore\core.php:241
filterplugin_row_metacore\core.php:242
actionwp_login_failedcore\core.php:245
actionithemes_sync_register_verbscore\core.php:246
actionitsec-settings-page-register-modulescore\deprecated\module-settings.php:136
filterrcp_get_ipcore\integrations\rcp.php:12
actionitsec_initialize_login_interstitial_session_from_global_statecore\integrations\rcp.php:25
actionitsec_scheduled_purge-lockoutscore\lockout.php:86
actionplugins_loadedcore\lockout.php:92
actioninitcore\lockout.php:94
actionafter_setup_themecore\lockout.php:98
filterauthenticatecore\lockout.php:101
actioninitcore\lockout.php:105
actionithemes_sync_register_verbscore\lockout.php:108
filteritsec-filter-itsec-get-everything-verbscore\lockout.php:109
filteritsec_notificationscore\lockout.php:111
filteritsec_lockout_notification_stringscore\lockout.php:112
filteritsec_logs_prepare_lockout_entry_for_list_displaycore\lockout.php:114
filterwp_robotscore\lockout.php:847
filterwp_die_handlercore\lockout.php:856
actionitsec_register_toolscore\modules\admin-user\active.php:8
actionitsec_execute_backup_croncore\modules\backup\class-itsec-backup.php:37
filterdebug_informationcore\modules\backup\class-itsec-backup.php:39
filteritsec_notificationscore\modules\backup\class-itsec-backup.php:41
filteritsec_backup_notification_stringscore\modules\backup\class-itsec-backup.php:42
actionitsec_scheduled_backupcore\modules\backup\class-itsec-backup.php:56
filteritsec_logs_prepare_backup_entry_for_list_displaycore\modules\backup\logs.php:5
filteritsec_logs_prepare_backup_entry_for_details_displaycore\modules\backup\logs.php:6
filteritsec_get_privacy_policy_for_retentioncore\modules\backup\privacy.php:9
filteritsec_get_privacy_policy_for_sendingcore\modules\backup\privacy.php:10
actionitsec_modules_do_plugin_uninstallcore\modules\backup\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\backup\setup.php:7
filteritsec_filter_apache_server_config_modificationcore\modules\ban-users\class-itsec-ban-users.php:40
filteritsec_filter_nginx_server_config_modificationcore\modules\ban-users\class-itsec-ban-users.php:41
filteritsec_filter_litespeed_server_config_modificationcore\modules\ban-users\class-itsec-ban-users.php:42
filteritsec_rest_prepare_ban_for_responsecore\modules\ban-users\class-itsec-ban-users.php:43
actionitsec_new_banned_ipcore\modules\ban-users\init.php:32
filteritsec_ban_hosts_rest_schemacore\modules\ban-users\REST.php:26
actionitsec_modules_do_plugin_uninstallcore\modules\ban-users\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\ban-users\setup.php:7
filterauthenticatecore\modules\brute-force\class-itsec-brute-force.php:13
filteritsec_lockout_modulescore\modules\brute-force\class-itsec-brute-force.php:14
filterjetpack_get_default_modulescore\modules\brute-force\class-itsec-brute-force.php:15
filteritsec_logs_prepare_brute_force_entry_for_list_displaycore\modules\brute-force\logs.php:5
filteritsec_logs_prepare_brute_force_entry_for_details_displaycore\modules\brute-force\logs.php:6
filteritsec_logs_prepare_brute_force_filter_row_action_for_codecore\modules\brute-force\logs.php:7
actionitsec_modules_do_plugin_uninstallcore\modules\brute-force\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\brute-force\setup.php:7
actionrest_api_initcore\modules\core\class-itsec-admin-notices.php:12
actionadmin_initcore\modules\core\class-itsec-admin-notices.php:15
actionrest_api_initcore\modules\core\class-itsec-core-active.php:25
actionwp_enqueue_scriptscore\modules\core\class-itsec-core-active.php:26
actionlogin_enqueue_scriptscore\modules\core\class-itsec-core-active.php:27
actionadmin_enqueue_scriptscore\modules\core\class-itsec-core-active.php:28
actionwp_footercore\modules\core\class-itsec-core-active.php:29
actionadmin_footercore\modules\core\class-itsec-core-active.php:30
actioninitcore\modules\core\class-itsec-core-active.php:31
actionwp_print_scriptscore\modules\core\class-itsec-core-active.php:32
actionwp_footercore\modules\core\class-itsec-core-active.php:33
actionitsec_register_toolscore\modules\core\class-itsec-core-active.php:34
actionitsec_encryption_rotate_user_keyscore\modules\core\class-itsec-core-active.php:35
actionitsec_scheduled_enable-encryptioncore\modules\core\class-itsec-core-active.php:36
actionadmin_enqueue_scriptscore\modules\core\class-itsec-core-admin.php:9
actionitsec_dashboard_enqueue_scriptscore\modules\core\class-itsec-core-admin.php:10
actionadmin_bar_menucore\modules\core\class-itsec-core-admin.php:12
actionadmin_footercore\modules\core\class-itsec-core-admin.php:13
actionadmin_noticescore\modules\core\class-itsec-core-admin.php:16
filteritsec_meta_linkscore\modules\core\class-itsec-core-admin.php:20
filterstellarwp/telemetry/optin_argscore\modules\core\class-itsec-core-admin.php:23
filterdebug_informationcore\modules\core\class-itsec-core-admin.php:24
actionpre_get_userscore\modules\core\User_Query_Extension.php:17
actionpre_user_querycore\modules\core\User_Query_Extension.php:18
actionrest_api_initcore\modules\dashboard\class-itsec-dashboard-rest.php:11
filterrest_route_datacore\modules\dashboard\class-itsec-dashboard-rest.php:12
filterrest_pre_dispatchcore\modules\dashboard\class-itsec-dashboard-rest.php:13
filterrest_request_before_callbackscore\modules\dashboard\class-itsec-dashboard-rest.php:14
actioninitcore\modules\dashboard\class-itsec-dashboard.php:42
actionitsec_scheduled_dashboard-consolidate-eventscore\modules\dashboard\class-itsec-dashboard.php:43
actionafter_delete_postcore\modules\dashboard\class-itsec-dashboard.php:44
filtermap_meta_capcore\modules\dashboard\class-itsec-dashboard.php:45
actionitsec_log_addcore\modules\dashboard\class-itsec-dashboard.php:46
actionitsec_modules_do_plugin_upgradecore\modules\dashboard\setup.php:8
actionitsec_register_toolscore\modules\database-prefix\active.php:7
actionafter_password_resetcore\modules\email-confirmation\class-itsec-email-confirmation.php:6
actionprofile_updatecore\modules\email-confirmation\class-itsec-email-confirmation.php:7
actioninitcore\modules\file-change\class-itsec-file-change.php:26
actionithemes_sync_register_verbscore\modules\file-change\class-itsec-file-change.php:27
filteritsec_notificationscore\modules\file-change\class-itsec-file-change.php:28
filteritsec_file-change_notification_stringscore\modules\file-change\class-itsec-file-change.php:29
actionitsec_lib_write_to_filecore\modules\file-change\class-itsec-file-change.php:31
actionitsec_lib_delete_filecore\modules\file-change\class-itsec-file-change.php:32
filterheartbeat_receivedcore\modules\file-change\class-itsec-file-change.php:34
actionitsec_scheduler_register_eventscore\modules\file-change\class-itsec-file-change.php:36
actionitsec_scheduled_file-changecore\modules\file-change\class-itsec-file-change.php:37
actionitsec_scheduled_file-change-fastcore\modules\file-change\class-itsec-file-change.php:38
actionitsec_register_highlighted_logscore\modules\file-change\class-itsec-file-change.php:41
filteritsec_logs_prepare_file_change_entry_for_list_displaycore\modules\file-change\logs.php:5
filteritsec_logs_prepare_file_change_entry_for_details_displaycore\modules\file-change\logs.php:6
filteritsec_highlighted_log_file-change-report_notice_titlecore\modules\file-change\logs.php:7
filteritsec_highlighted_log_file-change-report_notice_messagecore\modules\file-change\logs.php:8
actionitsec_modules_do_plugin_deactivationcore\modules\file-change\setup.php:6
actionitsec_modules_do_plugin_uninstallcore\modules\file-change\setup.php:7
actionitsec_modules_do_plugin_upgradecore\modules\file-change\setup.php:8
actionitsec_register_toolscore\modules\file-permissions\active.php:7
actionitsec_register_toolscore\modules\file-writing\active.php:7
filteritsec_lockout_modulescore\modules\firewall\Firewall.php:30
filterdebug_informationcore\modules\firewall\Firewall.php:31
actioninitcore\modules\firewall\Firewall.php:37
actionitsec_vulnerability_was_seencore\modules\firewall\Ingestor.php:21
actionitsec_vulnerability_not_seencore\modules\firewall\Ingestor.php:22
filteritsec_logs_prepare_firewall_entry_for_list_displaycore\modules\firewall\Logs.php:16
filteritsec_logs_prepare_firewall_entry_for_details_displaycore\modules\firewall\Logs.php:17
filteritsec_rest_prepare_log_for_responsecore\modules\firewall\Logs.php:18
actionrest_api_initcore\modules\firewall\REST\REST.php:14
filteritsec_white_ipscore\modules\global\active.php:7
actioninitcore\modules\global\active.php:56
actionitsec_cron_testcore\modules\global\active.php:84
actionwp_logincore\modules\global\active.php:99
filterwp_update_attachment_metadatacore\modules\global\active.php:118
actionadmin_post_nopriv_itsec-check-loopbackcore\modules\global\active.php:145
actionitsec_register_toolscore\modules\global\active.php:151
filteritsec_logs_prepare_core_entry_for_list_displaycore\modules\global\logs.php:9
filteritsec_logs_prepare_core_entry_for_details_displaycore\modules\global\logs.php:10
filteritsec_logs_prepare_core_filter_row_action_for_codecore\modules\global\logs.php:11
filteritsec_get_privacy_policy_for_security_logscore\modules\global\privacy.php:9
filteritsec_get_privacy_policy_for_retentioncore\modules\global\privacy.php:10
filteritsec_get_privacy_policy_for_cookiescore\modules\global\privacy.php:11
actionitsec_modules_do_plugin_upgradecore\modules\global\setup.php:6
actionitsec_register_password_requirementscore\modules\hibp\class-itsec-hibp.php:24
actionitsec_modules_do_plugin_upgradecore\modules\hibp\setup.php:8
filteritsec_notificationscore\modules\hide-backend\class-itsec-hide-backend.php:17
filteritsec_hide-backend_notification_stringscore\modules\hide-backend\class-itsec-hide-backend.php:18
actionsetup_themecore\modules\hide-backend\class-itsec-hide-backend.php:24
actionsignup_hidden_fieldscore\modules\hide-backend\class-itsec-hide-backend.php:25
actionlogin_enqueue_scriptscore\modules\hide-backend\class-itsec-hide-backend.php:26
filtersite_urlcore\modules\hide-backend\class-itsec-hide-backend.php:28
filternetwork_site_urlcore\modules\hide-backend\class-itsec-hide-backend.php:29
filteradmin_urlcore\modules\hide-backend\class-itsec-hide-backend.php:30
filterwp_redirectcore\modules\hide-backend\class-itsec-hide-backend.php:31
filtercomment_moderation_textcore\modules\hide-backend\class-itsec-hide-backend.php:32
filteritsec_notify_admin_page_urlcore\modules\hide-backend\class-itsec-hide-backend.php:33
filtercomment_form_defaultscore\modules\hide-backend\class-itsec-hide-backend.php:35
filtercomment_reply_linkcore\modules\hide-backend\class-itsec-hide-backend.php:36
filterpost_comments_linkcore\modules\hide-backend\class-itsec-hide-backend.php:37
actionlogin_form_jetpack-ssocore\modules\hide-backend\class-itsec-hide-backend.php:165
filteritsec_get_privacy_policy_for_cookiescore\modules\hide-backend\privacy.php:13
actionitsec_modules_do_plugin_deactivationcore\modules\hide-backend\setup.php:6
actionitsec_modules_do_plugin_uninstallcore\modules\hide-backend\setup.php:7
actionitsec_modules_do_plugin_upgradecore\modules\hide-backend\setup.php:8
actionadmin_initcore\modules\hide-backend\setup.php:85
actionitsec_scheduled_malware-scancore\modules\malware-scheduling\class-itsec-malware-scheduling.php:11
actionitsec_scheduled_malware-scan-sitecore\modules\malware-scheduling\class-itsec-malware-scheduling.php:12
filteritsec_notificationscore\modules\malware-scheduling\class-itsec-malware-scheduling.php:14
filteritsec_malware-scheduling_notification_stringscore\modules\malware-scheduling\class-itsec-malware-scheduling.php:15
actionitsec_modules_do_plugin_deactivationcore\modules\malware-scheduling\setup.php:5
actionitsec_modules_do_plugin_uninstallcore\modules\malware-scheduling\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\malware-scheduling\setup.php:7
filterauthenticatecore\modules\network-brute-force\class-itsec-ipcheck.php:18
filteritsec_logs_prepare_ipcheck_entry_for_list_displaycore\modules\network-brute-force\logs.php:5
filteritsec_logs_prepare_ipcheck_entry_for_details_displaycore\modules\network-brute-force\logs.php:6
filteritsec_get_privacy_policy_for_sendingcore\modules\network-brute-force\privacy.php:13
actionitsec_modules_do_plugin_deactivationcore\modules\network-brute-force\setup.php:6
actionitsec_modules_do_plugin_uninstallcore\modules\network-brute-force\setup.php:7
actionitsec_modules_do_plugin_upgradecore\modules\network-brute-force\setup.php:8
actionwp_mail_failedcore\modules\notification-center\class-notification-center.php:569
actionitsec_change_admin_user_idcore\modules\notification-center\class-notification-center.php:589
actionitsec_module_settings_after_titlecore\modules\notification-center\class-notification-center.php:590
actionitsec_register_highlighted_logscore\modules\notification-center\class-notification-center.php:591
actioninitcore\modules\notification-center\class-notification-center.php:696
actionitsec_debug_pagecore\modules\notification-center\debug.php:9
actionitsec_debug_page_enqueuecore\modules\notification-center\debug.php:10
actionitsec_debug_module_request_notification-centercore\modules\notification-center\debug.php:11
filteritsec_logs_prepare_notification_center_entry_for_list_displaycore\modules\notification-center\logs.php:6
filteritsec_logs_prepare_notification_center_entry_for_details_displaycore\modules\notification-center\logs.php:7
filteritsec_highlighted_log_notification-center-send-failed_notice_titlecore\modules\notification-center\logs.php:8
filteritsec_highlighted_log_notification-center-send-failed_notice_messagecore\modules\notification-center\logs.php:9
actionitsec_notification_center_continue_upgradecore\modules\notification-center\settings.php:13
actionitsec_modules_do_plugin_uninstallcore\modules\notification-center\setup.php:8
actionitsec_modules_do_plugin_upgradecore\modules\notification-center\setup.php:9
actionitsec_initializedcore\modules\notification-center\setup.php:77
actionitsec_initializedcore\modules\notification-center\setup.php:130
actionuser_profile_update_errorscore\modules\password-requirements\class-itsec-password-requirements.php:14
actionvalidate_password_resetcore\modules\password-requirements\class-itsec-password-requirements.php:15
actionprofile_updatecore\modules\password-requirements\class-itsec-password-requirements.php:17
actionpassword_resetcore\modules\password-requirements\class-itsec-password-requirements.php:18
filterwp_authenticate_usercore\modules\password-requirements\class-itsec-password-requirements.php:19
actionadd_user_rolecore\modules\password-requirements\class-itsec-password-requirements.php:21
actionset_user_rolecore\modules\password-requirements\class-itsec-password-requirements.php:22
actionremove_user_rolecore\modules\password-requirements\class-itsec-password-requirements.php:23
actionitsec_validate_passwordcore\modules\password-requirements\class-itsec-password-requirements.php:25
actionwp_logincore\modules\password-requirements\class-itsec-password-requirements.php:28
actionitsec_login_interstitial_initcore\modules\password-requirements\class-itsec-password-requirements.php:30
actionitsec_register_user_group_settingscore\modules\password-requirements\class-itsec-password-requirements.php:31
actionitsec_modules_do_plugin_upgradecore\modules\password-requirements\setup.php:5
actionadmin_initcore\modules\privacy\class-itsec-privacy.php:5
filterwp_privacy_personal_data_exporterscore\modules\privacy\class-itsec-privacy.php:6
filterwp_privacy_personal_data_eraserscore\modules\privacy\class-itsec-privacy.php:7
actionitsec_register_toolscore\modules\salts\active.php:7
actionitsec_modules_do_plugin_uninstallcore\modules\salts\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\salts\setup.php:7
actionithemes_sync_register_verbscore\modules\security-check\active.php:9
filteritsec-ssl-support-probabilitycore\modules\security-check-pro\class-itsec-security-check-pro.php:19
filteritsec_proxy_typescore\modules\security-check-pro\class-itsec-security-check-pro.php:22
filteritsec_build_ip_detector_for_security-checkcore\modules\security-check-pro\class-itsec-security-check-pro.php:23
actionitsec_register_toolscore\modules\security-check-pro\class-itsec-security-check-pro.php:26
filteritsec_get_privacy_policy_for_sharingcore\modules\security-check-pro\privacy.php:5
actionitsec_modules_do_plugin_upgradecore\modules\security-check-pro\setup.php:5
actionitsec_register_highlighted_logscore\modules\site-scanner\class-itsec-site-scanner.php:26
actionadmin_enqueue_scriptscore\modules\site-scanner\class-itsec-site-scanner.php:27
actionitsec_site_scanner_scan_completecore\modules\site-scanner\class-itsec-site-scanner.php:28
actionactivated_plugincore\modules\site-scanner\class-itsec-site-scanner.php:29
actiondeactivated_plugincore\modules\site-scanner\class-itsec-site-scanner.php:30
actiondeleted_plugincore\modules\site-scanner\class-itsec-site-scanner.php:31
actionswitch_themecore\modules\site-scanner\class-itsec-site-scanner.php:32
actiondeleted_themecore\modules\site-scanner\class-itsec-site-scanner.php:33
actionitsec_security_digest_beforecore\modules\site-scanner\class-itsec-site-scanner.php:34
filterdebug_informationcore\modules\site-scanner\class-itsec-site-scanner.php:36
filteritsec_logs_prepare_site-scanner_entry_for_list_displaycore\modules\site-scanner\logs.php:5
filteritsec_logs_prepare_site-scanner_entry_for_details_displaycore\modules\site-scanner\logs.php:6
filteritsec_highlighted_log_site-scanner-report_notice_titlecore\modules\site-scanner\logs.php:7
filteritsec_highlighted_log_site-scanner-report_notice_messagecore\modules\site-scanner\logs.php:8
actionadmin_enqueue_scriptscore\modules\site-scanner\logs.php:13
filteritsec_get_privacy_policy_for_sharingcore\modules\site-scanner\privacy.php:5
actionitsec_site_scanner_scan_completecore\modules\site-scanner\Repository\Latest_Scans_Repository.php:14
actionrest_api_initcore\modules\site-scanner\REST\REST.php:16
filteritsec_filter_wp_config_modificationcore\modules\ssl\class-itsec-ssl.php:42
filteroption_siteurlcore\modules\ssl\class-itsec-ssl.php:56
filteroption_homecore\modules\ssl\class-itsec-ssl.php:57
filterthe_contentcore\modules\ssl\class-itsec-ssl.php:63
filterscript_loader_srccore\modules\ssl\class-itsec-ssl.php:64
filterstyle_loader_srccore\modules\ssl\class-itsec-ssl.php:65
filterupload_dircore\modules\ssl\class-itsec-ssl.php:66
filterwp_safe_redirect_fallbackcore\modules\ssl\class-itsec-ssl.php:77
actionitsec_modules_do_plugin_uninstallcore\modules\ssl\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\ssl\setup.php:7
actionitsec_register_password_requirementscore\modules\strong-passwords\class-itsec-strong-passwords.php:29
actionadmin_enqueue_scriptscore\modules\strong-passwords\class-itsec-strong-passwords.php:30
actionresetpass_formcore\modules\strong-passwords\class-itsec-strong-passwords.php:31
actionitsec_password_requirements_change_formcore\modules\strong-passwords\class-itsec-strong-passwords.php:32
filterrandom_passwordcore\modules\strong-passwords\class-itsec-strong-passwords.php:33
filterrandom_passwordcore\modules\strong-passwords\class-itsec-strong-passwords.php:119
actionrest_api_initcore\modules\strong-passwords\REST\REST.php:14
actionitsec_modules_do_plugin_upgradecore\modules\strong-passwords\setup.php:8
filteritsec_filter_apache_server_config_modificationcore\modules\system-tweaks\class-itsec-system-tweaks.php:44
filteritsec_filter_nginx_server_config_modificationcore\modules\system-tweaks\class-itsec-system-tweaks.php:45
filteritsec_filter_litespeed_server_config_modificationcore\modules\system-tweaks\class-itsec-system-tweaks.php:46
actionitsec_modules_do_plugin_uninstallcore\modules\system-tweaks\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\system-tweaks\setup.php:7
filterwp_is_application_passwords_available_for_usercore\modules\two-factor\Application_Passwords_Core.php:11
filtermanage_application-passwords-user_columnscore\modules\two-factor\Application_Passwords_Core.php:12
actionmanage_application-passwords-user_custom_columncore\modules\two-factor\Application_Passwords_Core.php:13
actionmanage_application-passwords-user_custom_column_js_templatecore\modules\two-factor\Application_Passwords_Core.php:14
actionadmin_enqueue_scriptscore\modules\two-factor\Application_Passwords_Core.php:15
actionwp_create_application_password_formcore\modules\two-factor\Application_Passwords_Core.php:16
actionwp_authorize_application_password_formcore\modules\two-factor\Application_Passwords_Core.php:17
actionrest_api_initcore\modules\two-factor\Application_Passwords_Core.php:18
actionwp_authenticate_application_password_errorscore\modules\two-factor\Application_Passwords_Core.php:19
filterwp_is_application_passwords_available_for_usercore\modules\two-factor\Application_Passwords_Core.php:42
actioninitcore\modules\two-factor\class-itsec-two-factor-helper.php:48
actioninitcore\modules\two-factor\class-itsec-two-factor-helper.php:50
actionitsec_two_factor_overridecore\modules\two-factor\class-itsec-two-factor-interstitial.php:28
filteritsec-filter-failed-login-detailscore\modules\two-factor\class-itsec-two-factor-interstitial.php:175
actionitsec_login_interstitial_initcore\modules\two-factor\class-itsec-two-factor.php:48
actionshow_user_profilecore\modules\two-factor\class-itsec-two-factor.php:50
actionpersonal_options_updatecore\modules\two-factor\class-itsec-two-factor.php:51
actionedit_user_profilecore\modules\two-factor\class-itsec-two-factor.php:53
actionedit_user_profile_updatecore\modules\two-factor\class-itsec-two-factor.php:54
filterauthenticatecore\modules\two-factor\class-itsec-two-factor.php:56
filteritsec_is_user_using_two_factorcore\modules\two-factor\class-itsec-two-factor.php:57
actionitsec_passwordless_login_initialize_interstitialcore\modules\two-factor\class-itsec-two-factor.php:58
filteritsec_user_security_profile_datacore\modules\two-factor\class-itsec-two-factor.php:59
actionithemes_sync_register_verbscore\modules\two-factor\class-itsec-two-factor.php:61
filteritsec-filter-itsec-get-everything-verbscore\modules\two-factor\class-itsec-two-factor.php:62
actionload-profile.phpcore\modules\two-factor\class-itsec-two-factor.php:64
actionload-user-edit.phpcore\modules\two-factor\class-itsec-two-factor.php:65
actionitsec_enqueue_profilecore\modules\two-factor\class-itsec-two-factor.php:66
filteritsec_rest_user_actions_schemacore\modules\two-factor\class-itsec-two-factor.php:68
actionitsec_user_action_send-2fa-remindercore\modules\two-factor\class-itsec-two-factor.php:69
filteritsec_notificationscore\modules\two-factor\class-itsec-two-factor.php:71
filteritsec_two-factor-email_notification_stringscore\modules\two-factor\class-itsec-two-factor.php:72
filteritsec_two-factor-confirm-email_notification_stringscore\modules\two-factor\class-itsec-two-factor.php:73
filteritsec_two-factor-reminder_notification_stringscore\modules\two-factor\class-itsec-two-factor.php:74
filterdebug_informationcore\modules\two-factor\class-itsec-two-factor.php:76
filteritsec_logs_prepare_two_factor_entry_for_list_displaycore\modules\two-factor\logs.php:7
filteritsec_logs_prepare_two_factor_entry_for_details_displaycore\modules\two-factor\logs.php:8
filteritsec_get_privacy_policy_for_sharingcore\modules\two-factor\privacy.php:5
actionadmin_noticescore\modules\two-factor\providers\class.two-factor-backup-codes.php:50
actionadmin_enqueue_scriptscore\modules\two-factor\providers\class.two-factor-totp.php:42
actionpersonal_options_updatecore\modules\two-factor\providers\class.two-factor-totp.php:47
actionedit_user_profile_updatecore\modules\two-factor\providers\class.two-factor-totp.php:48
actionrest_api_initcore\modules\two-factor\REST\REST.php:14
actionitsec_modules_do_plugin_uninstallcore\modules\two-factor\setup.php:9
actionitsec_modules_do_plugin_upgradecore\modules\two-factor\setup.php:10
actionitsec_initializedcore\modules\user-groups\Module\Module.php:46
filtermap_meta_capcore\modules\user-groups\Module\Module.php:47
actionitsec_create_user_groupcore\modules\user-groups\Module\Module.php:48
actionitsec_change_admin_user_idcore\modules\user-groups\Module\Module.php:49
filteritsec_rest_user_actions_schemacore\modules\user-groups\Module\Module.php:50
actionitsec_user_action_add-user-groupscore\modules\user-groups\Module\Module.php:51
filterdebug_informationcore\modules\user-groups\Module\Module.php:52
actionrest_api_initcore\modules\user-groups\REST\REST.php:20
filteritsec_filter_apache_server_config_modificationcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:44
filteritsec_filter_nginx_server_config_modificationcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:45
filteritsec_filter_litespeed_server_config_modificationcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:46
filteritsec_filter_wp_config_modificationcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:47
actionlogin_initcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:77
filterauthenticatecore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:78
actionlogin_initcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:81
filterauthenticatecore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:82
filterauthenticatecore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:88
filterxmlrpc_enabledcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:93
filterbloginfo_urlcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:94
filterxmlrpc_methodscore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:96
filterrest_dispatch_requestcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:99
actionuser_profile_update_errorscore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:103
actiontemplate_redirectcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:108
filterauthenticatecore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:119
filterauthenticatecore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:123
filtergettextcore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:161
filterrest_request_after_callbackscore\modules\wordpress-tweaks\class-itsec-wordpress-tweaks.php:262
actionitsec_modules_do_plugin_uninstallcore\modules\wordpress-tweaks\setup.php:6
actionitsec_modules_do_plugin_upgradecore\modules\wordpress-tweaks\setup.php:7
actionitsec-lib-clear-cachescore\modules.php:64
actionplugins_loadedcore\modules.php:868
filteritsec_notificationscore\notify.php:12
filteritsec_digest_notification_stringscore\notify.php:13
filteritsec_send_notification_digestcore\notify.php:14
actionshutdowncore\response.php:26
actionrest_api_initcore\rest.php:18
filterrest_response_link_curiescore\rest.php:19
filterrest_indexcore\rest.php:20
filterrest_namespace_indexcore\rest.php:21
filterrest_user_collection_paramscore\rest.php:22
filterrest_user_querycore\rest.php:23
filterrest_request_from_urlcore\rest.php:24
filterrest_avatar_sizescore\rest.php:25
filterrest_allowed_cors_headerscore\rest.php:26
filteritsec_filter_apache_server_config_modificationcore\rest.php:29
filteritsec_filter_litespeed_server_config_modificationcore\rest.php:30
filtercron_schedulesvendor-prod\deliciousbrains\wp-background-processing\classes\wp-background-process.php:114
actionadmin_initvendor-prod\stellarwp\telemetry\src\Telemetry\Admin\Admin_Subscriber.php:37
actionadmin_enqueue_scriptsvendor-prod\stellarwp\telemetry\src\Telemetry\Admin\Resources.php:39
actionadmin_enqueue_scriptsvendor-prod\stellarwp\telemetry\src\Telemetry\Admin\Resources.php:40
actionadmin_enqueue_scriptsvendor-prod\stellarwp\telemetry\src\Telemetry\Admin\Resources.php:41
actionshutdownvendor-prod\stellarwp\telemetry\src\Telemetry\Events\Event_Subscriber.php:41
actionadmin_footervendor-prod\stellarwp\telemetry\src\Telemetry\Exit_Interview\Exit_Interview_Subscriber.php:46
actioninitvendor-prod\stellarwp\telemetry\src\Telemetry\Last_Send\Last_Send_Subscriber.php:35
actionstellarwp/telemetry/optinvendor-prod\stellarwp\telemetry\src\Telemetry\Opt_In\Opt_In_Subscriber.php:42
actionadmin_initvendor-prod\stellarwp\telemetry\src\Telemetry\Opt_In\Opt_In_Subscriber.php:44
actioninitvendor-prod\stellarwp\telemetry\src\Telemetry\Opt_In\Opt_In_Subscriber.php:45
actionshutdownvendor-prod\stellarwp\telemetry\src\Telemetry\Telemetry\Telemetry_Subscriber.php:36

Scheduled Events 1

itsec_cron_test
Maintenance & Trust

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 25, 2026
PHP min version7.4
Downloads37.3M

Community Trust

Rating92/100
Number of ratings3,981
Active installs700K
Alternatives

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Alternatives

All-In-One Security (AIOS) – Security and Firewall

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

A
93

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs
Titan Anti-spam & Security

Titan Anti-spam & Security

anti-spam

A
98

Block spam comments, defend against login attempts, and strengthen site security with anti-spam, brute-force protection, and two-factor authentication &hellip;

60K 3 CVEs
Bearmor Security

Bearmor Security

bearmor-security

A
100

Lightweight, powerful WordPress security for small businesses. Malware scanning, login protection, 2FA, hardening - most features FREE.

50 No CVEs
VMP Security – Firewall, Malware Scan, and Login Security

VMP Security – Firewall, Malware Scan, and Login Security

vmpfence-security

A
100

Your all-in-one WordPress security solution. Stop hackers with our firewall, detect malware before it spreads, and protect your site.

0 No CVEs
Wordfence Security – Firewall, Malware Scan, and Login Security

Wordfence Security – Firewall, Malware Scan, and Login Security

wordfence

A
96

Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.

5.0M 12 CVEs
Developer Profile

Solid Security – Password, Two Factor Authentication, and Brute Force Protection Developer Profile

StellarWP

26 plugins · 3.1M total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
462 days
View full developer profile
Detection Fingerprints

How We Detect Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/better-wp-security/lib/icon-fonts/load.php/wp-content/plugins/better-wp-security/core/core.php/wp-content/plugins/better-wp-security/vendor-prod/autoload.php
Script Paths
/wp-content/plugins/better-wp-security/core/admin-pages/init.php

HTML / DOM Fingerprints

CSS Classes
itsec-admin-page-refs
JS Globals
ITSEC_Coreitsec_settings_pageitsec_logs_pageitsec_tools_pageitsec_vulnerabilities_pageitsec_user_security_page+4 more
REST Endpoints
/wp-json/itsec/v1/settings
FAQ

Frequently Asked Questions about Solid Security – Password, Two Factor Authentication, and Brute Force Protection