[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjxos36BTOtP8CQ9LSsz0yCpVJDT0ZL1lcLo_VFAV5t8":3,"$fcVOyFol_34JRW-5SHkbNVkVbq1W2ZvPfO5YMt0XOuhU":247,"$fk5mLqTyHfCTMq58FrQ1J62wvWEbLKTRmT3XM8csD8CA":251},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":37,"analysis":131,"fingerprints":233},"block-logins-cf","Block Logins with Cloudflare","1.1","supersoju","https:\u002F\u002Fprofiles.wordpress.org\u002Fsupersoju\u002F","\u003Cp>\u003Cstrong>Block Logins with Cloudflare\u003C\u002Fstrong> helps protect your WordPress site from brute-force attacks by blocking IPs at the Cloudflare firewall after a configurable number of failed login attempts.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Block IPs via Cloudflare after X failed login attempts\u003C\u002Fli>\n\u003Cli>Block IPs that generate excessive 404 responses (bots and scanners)\u003C\u002Fli>\n\u003Cli>Block IPs attacking via XML-RPC with intelligent detection\u003C\u002Fli>\n\u003Cli>Automatic unblocking after a configurable duration\u003C\u002Fli>\n\u003Cli>Whitelist IPs to never block or track them (supports IPv6 CIDR ranges)\u003C\u002Fli>\n\u003Cli>View and manually unblock blocked IPs from the admin\u003C\u002Fli>\n\u003Cli>Block source tracking — see whether each IP was blocked via login, XML-RPC, or 404\u003C\u002Fli>\n\u003Cli>Sync existing Cloudflare blocks into the local blocked IPs list\u003C\u002Fli>\n\u003Cli>Secure settings page with Cloudflare API token validation\u003C\u002Fli>\n\u003Cli>Hourly cron job for automatic maintenance\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External 
Services\u003C\u002Fh3>\n\u003Cp>This plugin relies on the \u003Cstrong>Cloudflare API\u003C\u002Fstrong> to function. It communicates with Cloudflare’s external servers to block IP addresses at the firewall level.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What is the Cloudflare API and what is it used for?\u003C\u002Fstrong>\u003Cbr \u002F>\nThe Cloudflare API is a RESTful service provided by Cloudflare, Inc. that allows programmatic management of Cloudflare firewall rules. This plugin uses it to automatically block and unblock IP addresses based on failed login attempts, XML-RPC attacks, and 404 scanning activity.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What data is sent and when?\u003C\u002Fstrong>\u003Cbr \u002F>\nThe plugin sends the following data to Cloudflare’s API servers:\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>\u003Cstrong>During settings validation\u003C\u002Fstrong> (when you save Cloudflare credentials):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Your Cloudflare API token (for verification)\u003C\u002Fli>\n\u003Cli>Endpoint: \u003Ccode>https:\u002F\u002Fapi.cloudflare.com\u002Fclient\u002Fv4\u002Fuser\u002Ftokens\u002Fverify\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>When blocking an IP\u003C\u002Fstrong> (after a threshold is reached):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The IP address to be blocked\u003C\u002Fli>\n\u003Cli>Your Cloudflare email address and API key\u002Ftoken\u003C\u002Fli>\n\u003Cli>Your Cloudflare Zone ID\u003C\u002Fli>\n\u003Cli>A note describing the reason for the block\u003C\u002Fli>\n\u003Cli>Endpoint: \u003Ccode>https:\u002F\u002Fapi.cloudflare.com\u002Fclient\u002Fv4\u002Fzones\u002F{zone_id}\u002Ffirewall\u002Faccess_rules\u002Frules\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>When syncing from Cloudflare\u003C\u002Fstrong> (on demand):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Fetches existing firewall rules from your Cloudflare 
zone\u003C\u002Fli>\n\u003Cli>Endpoint: \u003Ccode>https:\u002F\u002Fapi.cloudflare.com\u002Fclient\u002Fv4\u002Fzones\u002F{zone_id}\u002Ffirewall\u002Faccess_rules\u002Frules\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>No personally identifiable information about your WordPress users is transmitted. Only IP addresses are sent to Cloudflare.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service provider information:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Service: Cloudflare API\u003Cbr \u002F>\n– Provider: Cloudflare, Inc.\u003Cbr \u002F>\n– Terms of Service: https:\u002F\u002Fwww.cloudflare.com\u002Fterms\u002F\u003Cbr \u002F>\n– Privacy Policy: https:\u002F\u002Fwww.cloudflare.com\u002Fprivacypolicy\u002F\u003Cbr \u002F>\n– API Documentation: https:\u002F\u002Fdevelopers.cloudflare.com\u002Fapi\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Required for functionality:\u003C\u002Fstrong>\u003Cbr \u002F>\nThis plugin requires a Cloudflare account and will not function without valid Cloudflare API credentials. 
The external API calls are essential to the plugin’s core functionality.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>GNU General Public License v2 or later\u003C\u002Fp>\n","Block brute-force login attempts by integrating with Cloudflare's firewall to automatically block IPs after failed logins.",0,107,"2026-03-27T18:41:00.000Z","7.0","6.0","7.4",[18,19,20,21,22],"brute-force","cloudflare","firewall","login","security","https:\u002F\u002Fgithub.com\u002Fsupersoju\u002Fblock-logins-cf","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblock-logins-cf.1.1.zip",100,null,"2026-04-06T09:54:40.288Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":32,"avg_security_score":33,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},3,620,95,259,76,"2026-05-19T19:22:51.797Z",[38,59,80,98,113],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":46,"downloaded":47,"rating":48,"num_ratings":49,"last_updated":50,"tested_up_to":14,"requires_at_least":51,"requires_php":16,"tags":52,"homepage":53,"download_link":54,"security_score":55,"vuln_count":56,"unpatched_count":11,"last_vuln_date":57,"fetched_at":58},"hide-my-wp","WP Ghost (Hide My WP Ghost) – Security & Firewall","7.0.01","John Darrel","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohndarrel\u002F","\u003Cp>\u003Cstrong>WP Ghost\u003C\u002Fstrong> (formerly known as \u003Cstrong>Hide My WP Ghost\u003C\u002Fstrong>) is a professional-grade, comprehensive \u003Cstrong>hack-prevention security solution for WordPress\u003C\u002Fstrong>. 
Built for speed and engineered for maximum defense, WP Ghost provides a multi-layered security architecture designed to block hacker bots, neutralize automated scanners, and stop the hack before the reconnaissance even begins.\u003C\u002Fp>\n\u003Cp>While traditional security tools focus on Detection (scanning for malware after a breach) or Signature-Filtering (blocking known exploits), \u003Cstrong>WP Ghost focuses on Architecture\u003C\u002Fstrong>. By implementing \u003Cstrong>Paths Security and Site Hardening\u003C\u002Fstrong>, we remove the digital footprints that make your site a target for automated botnets, providing a \u003Cstrong>proactive foundation that secures your site before it can even be identified as a target\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FQMdoSN8dk1c?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Cstrong>WP Ghost Global Stats:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>10 Million+ Monthly Brute-Force Attempts Blocked\u003C\u002Fli>\n\u003Cli>100 Million+ Monthly Security Threats Prevented\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Official websites:\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpghost.com\u002F\" rel=\"nofollow ugc\">WP Ghost (wpghost.com)\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fhidemywpghost.com\u002F\" rel=\"nofollow ugc\">Hide My WP Ghost (hidemywpghost.com)\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Stop Attacks with Paths Security & Architectural Hardening\u003C\u002Fh3>\n\u003Cp>Most WordPress attacks are automated. 
Bots scan millions of sites per hour looking for default paths like \u002Fwp-admin or \u002Fwp-login.php to confirm a site is running WordPress. Once confirmed, they launch targeted exploits against known plugin or theme vulnerabilities.\u003C\u002Fp>\n\u003Cp>WP Ghost breaks this cycle. By changing and securing common paths, you reduce your attack surface by up to 90%. This isn’t “obscurity”, it’s Site Hardening. We re-engineer the visible structure of your site so it is no longer a low-hanging fruit for global botnets.\u003C\u002Fp>\n\u003Ch3>Key Protections Included\u003C\u002Fh3>\n\u003Cp>WP Ghost is packed with advanced defensive mechanisms to protect your site against:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Brute Force Attacks\u003C\u002Fstrong>: Blocks automated password guessing at the source.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SQL Injection & XSS\u003C\u002Fstrong>: Neutralizes malicious query strings and script injections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero-Day Exploits\u003C\u002Fstrong>: Secures paths for plugins before patches are even released.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC & REST API Attacks\u003C\u002Fstrong>: Shuts down common remote-access entry points.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Bot Reconnaissance\u003C\u002Fstrong>: Prevents “fingerprinting” that hackers use to map your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Spam & Scrapers\u003C\u002Fstrong>: Filters malicious traffic, saving bandwidth and server load.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Over 115 Free Security Features Included\u003C\u002Fh3>\n\u003Cp>We believe professional security should be accessible to everyone. The free version of WP Ghost includes a massive suite of tools to harden your WordPress architecture.\u003C\u002Fp>\n\u003Ch4>1. 
Change and Secure Paths (Paths Security)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Change wp-admin & wp-login.php\u003C\u002Fstrong>: Move your login to a unique URL and show a 404 error to intruders.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change Lost Password & Register URLs\u003C\u002Fstrong>: Secure all authentication entry points.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change wp-content & wp-includes\u003C\u002Fstrong>: Secure your core system folders from direct access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Anonymize Plugins & Themes\u003C\u002Fstrong>: Change visible plugin\u002Ftheme paths so hackers can’t identify your software version.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure admin-ajax.php & REST API\u003C\u002Fstrong>: Change the \u002Fwp-json path to prevent data scraping.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Presets\u003C\u002Fstrong>: One-click activation with three preset levels — from minimal to full protection with Firewall, Brute Force, Logs, and 2FA.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Frontend Test\u003C\u002Fstrong>: Verify your site loads correctly after changing paths before confirming settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Redirects\u003C\u002Fstrong>: Set unique login\u002Flogout redirects based on user roles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Page Designer\u003C\u002Fstrong>: Customize your secured login page with your logo, colors, background, and 10 color schemes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2. 
Next-Gen Firewall & Authentication\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>8G & 7G Firewall Filters\u003C\u002Fstrong>: High-speed, lightweight server-edge filtering to block bad bots.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Passkey Authentication (Passwordless 2FA)\u003C\u002Fstrong>: Use Face ID, Touch ID, or Windows Hello for un-phishable, device-based logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Standard 2FA (Code & Email)\u003C\u002Fstrong>: Add an extra verification layer to all user accounts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Headers\u003C\u002Fstrong>: Automatically implement CSP, HSTS, X-Frame-Options, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & User Agent Blocking\u003C\u002Fstrong>: Manually blacklist suspicious traffic or referrers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Threats Log\u003C\u002Fstrong>: Track blocked attacks and malicious requests directly in your dashboard (limited view).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Events Log\u003C\u002Fstrong>: Monitor login activity, role changes, and user actions (limited view).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GEO Threats Map\u003C\u002Fstrong>: Visualize where attacks originate with an interactive world map showing the top 5 threat countries.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Optimization Score\u003C\u002Fstrong>: Real-time 0-100 score showing exactly how hardened your site is, with actionable recommendations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Temporary Logins\u003C\u002Fstrong>: Create time-limited access links for developers and clients without sharing passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>3. 
Deep Hiding & Footprint Removal\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Scrub Meta Tags\u003C\u002Fstrong>: Remove WordPress version numbers and generator tags.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean HTML Comments\u003C\u002Fstrong>: Strip identifiable comments that reveal your tech stack.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Admin Toolbar\u003C\u002Fstrong>: Remove the toolbar for specific roles to hide backend indicators.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Emoticons & RSD\u003C\u002Fstrong>: Remove unnecessary header links that bloat code and reveal info.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>4. Advanced Disable Options\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Disable XML-RPC\u003C\u002Fstrong>: Shut down the most common vector for DDoS and brute force.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable REST API Access\u003C\u002Fstrong>: Restrict API access to authenticated users only.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Frontend Lockdown\u003C\u002Fstrong>: Disable right-click, “View Source,” and text selection to prevent manual reconnaissance.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Directory Browsing\u003C\u002Fstrong>: Ensure your server folders are never visible to the public.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>5. Brute Force Protection\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Integrated ReCaptcha\u003C\u002Fstrong>: Supports Google V2, V3, Enterprise, and Math ReCaptcha.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Targeted Protection\u003C\u002Fstrong>: Enable brute force defense on Login, Signup, and WooCommerce pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Throttling\u003C\u002Fstrong>: Define your own lockout times and attempt limits.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>6. 
Extra Tools & Integrations\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Magic Links\u003C\u002Fstrong>: Log in securely without a password via a one-time email link.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Text & URL Mapping\u003C\u002Fstrong>: Change any class name or URL in your source code dynamically.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CDN & Cache Support\u003C\u002Fstrong>: Works perfectly with WP Rocket, Cloudflare, and Litespeed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Premium Hack-Prevention Features\u003C\u002Fh4>\n\u003Cp>For agencies and high-traffic sites, WP Ghost Premium adds advanced features focused on Security Intelligence, Automated Response, and Copyright Protection.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Ghost Mode\u003C\u002Fstrong>: Maximum security preset, changes all paths, hides all file extensions, and enables all hiding options in one click.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Block Automation\u003C\u002Fstrong>: Automatically block IP addresses that trigger repeated security threats.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>AI Copyright Protection\u003C\u002Fstrong>: Block 30+ AI training crawlers (GPTBot, ClaudeBot, PerplexityBot, and others) at the firewall level. List auto-updated with each release. 
Does not affect Google, Bing, or regular search visibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full Security Threats Log\u003C\u002Fstrong>: Unlimited entries with filters by threat type, status, country, and time range, full-text search, pagination, and CSV export.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full User Events Log\u003C\u002Fstrong>: Unlimited entries with filters, search, pagination, and CSV export.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cloud Event Storage\u003C\u002Fstrong>: 30-day cloud retention for audits and incident reports.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time Email Alerts\u003C\u002Fstrong>: Get notified instantly of brute-force attempts or suspicious activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-Security (Country Blocking)\u003C\u002Fstrong>: Block entire countries or specific paths by country.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Advanced File Hardening\u003C\u002Fstrong>: Hide file extensions (PHP, CSS, JS, JSON), secure wp-config.php, php.ini, and debug.log.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Database & Server Hardening\u003C\u002Fstrong>: Fix file permissions, change database prefix, regenerate SALT keys.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support\u003C\u002Fstrong>: Direct access to our security experts and founder-led assistance.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwpghost.com\u002Ffeatures\u002F\" rel=\"nofollow ugc\">Hide My WP Premium Feature\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Technical Compatibility\u003C\u002Fh3>\n\u003Cp>WP Ghost is engineered for the modern WordPress ecosystem:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Hosting Support\u003C\u002Fstrong>: Optimized for WP Engine, Inmotion Hosting, Hostgator Hosting, Godaddy Hosting, Host1plus, Payperhost, Fastcomet, Dreamhost, Bitnami Apache, Bitnami Nginx, Google Cloud Hosting, Amazon AWS Lightsail, Litespeed Hosting, Flywheels Hosting, Kinsta Hosting, Ploi.io, CloudPanel, RunCloud, Rocket Domain, 
Yunohost.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server Support\u003C\u002Fstrong>: Fully compatible with Nginx, Apache, LiteSpeed, and IIS.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Plugin Support\u003C\u002Fstrong>: Seamless integration with Woocommerce, WPML, WPMUDEV, W3 Total Cache, Gravity, WP Super Cache, WP Fastest Cache, Hummingbird Cache, Cachify Cache, Litespeed Cache, SiteGround Optimizer, Nitropack, Cache Enabler, CDN Enabler, WOT Cache, Autoptimize, Jetpack by WordPress, Contact Form 7, bbPress, Manage WP, All In One SEO, Rank Math, Yoast SEO, Squirrly SEO, WP-Rocket, Minify HTML, Solid Security, Sucuri Security, Really Simple SSL, WordFence Security, WP Cerber Security, BBQ Firewall, Anti-Malware Security, Back-Up WordPress, Elementor Page Builder, Divi Builder, Weglot Translate, AddToAny Share Btn, Limit Login Attempts Reloaded, Loginizer, Shield Security, Asset CleanUp, WP Hide & Security Enhancer, and more.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Stop the hack before it starts\u003C\u002Fstrong>. Join over 100,000 users who trust WP Ghost to secure their digital presence.\u003C\u002Fp>\n","Hide and Secure WP paths with the complete WP security suite for Site Hardening. 
Includes 8G Firewall, Brute Force protection, and Passkeys.",100000,2526807,90,371,"2026-04-15T18:16:00.000Z","5.8",[18,20,39,21,22],"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhide-my-wp\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhide-my-wp.zip",86,8,"2026-03-18 00:00:00","2026-04-16T10:56:18.058Z",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":69,"num_ratings":70,"last_updated":71,"tested_up_to":72,"requires_at_least":73,"requires_php":74,"tags":75,"homepage":77,"download_link":78,"security_score":79,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":58},"ip-geo-block","IP Geo Block","3.0.17.4","tokkonopapa","https:\u002F\u002Fprofiles.wordpress.org\u002Ftokkonopapa\u002F","\u003Cp>The more you install themes and plugins, the more likely your sites will be vulnerable, even if you \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FHardening_WordPress\" title=\"Hardening WordPress &laquo; WordPress Codex\" rel=\"nofollow ugc\">securely harden your sites\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>While WordPress.org \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fabout\u002Fsecurity\u002F\" title=\"Security | WordPress.org\" rel=\"ugc\">provides\u003C\u002Fa> \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fthemes\u002Ftheme-security\u002F\" title=\"Theme Security | Theme Developer Handbook | WordPress Developer Resources\" rel=\"nofollow ugc\">excellent\u003C\u002Fa> \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F\" title=\"Plugin Security | Plugin Developer Handbook | WordPress Developer Resources\" rel=\"nofollow ugc\">resources\u003C\u002Fa>, themes and plugins may often get vulnerable due to developers’ \u003Ca href=\"https:\u002F\u002Fwww.google.com\u002Fsearch?q=human+factors+in+security\" title=\"human factors in security - Google Search\" 
rel=\"nofollow ugc\">human factors\u003C\u002Fa> such as lack of security awareness, misuse and disuse of the best practices in those resources.\u003C\u002Fp>\n\u003Cp>This plugin focuses on insights into such developers’ human factors instead of detecting the specific attack vectors after they were disclosed. This brings smart and powerful methods named “\u003Cstrong>WP Zero-day Exploit Prevention\u003C\u002Fstrong>” and “\u003Cstrong>WP Metadata Exploit Protection\u003C\u002Fstrong>”.\u003C\u002Fp>\n\u003Cp>Combined with those methods and IP address geolocation, you’ll be surprised to find a bunch of malicious or undesirable access blocked in the logs of this plugin after several days of installation.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Privacy by design:\u003C\u002Fstrong>\u003Cbr \u002F>\nIP address is always encrypted on recording in logs\u002Fcache. Moreover, it can be anonymized and restricted on sending to the 3rd parties such as geolocation APIs or whois service.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Immigration control:\u003C\u002Fstrong>\u003Cbr \u002F>\nAccess to the basic and important entrances into the back-end such as \u003Ccode>wp-comments-post.php\u003C\u002Fcode>, \u003Ccode>xmlrpc.php\u003C\u002Fcode>, \u003Ccode>wp-login.php\u003C\u002Fcode>, \u003Ccode>wp-signup.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin-ajax.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin-post.php\u003C\u002Fcode> will be validated by means of a country code based on IP address. 
It allows you to configure either a whitelist or a blacklist to \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FISO_3166-1_alpha-2#Officially_assigned_code_elements\" title=\"ISO 3166-1 alpha-2 - Wikipedia\" rel=\"nofollow ugc\">specify the countries\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FClassless_Inter-Domain_Routing\" title=\"Classless Inter-Domain Routing - Wikipedia\" rel=\"nofollow ugc\">CIDR notation\u003C\u002Fa> for a range of IP addresses and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAutonomous_system_(Internet)\" title=\"Autonomous system (Internet) - Wikipedia\" rel=\"nofollow ugc\">AS number\u003C\u002Fa> for a group of IP networks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Zero-day Exploit Prevention:\u003C\u002Fstrong>\u003Cbr \u002F>\nUnlike other security firewalls based on attack patterns (vectors), the original feature “\u003Cstrong>W\u003C\u002Fstrong>ord\u003Cstrong>P\u003C\u002Fstrong>ress \u003Cstrong>Z\u003C\u002Fstrong>ero-day \u003Cstrong>E\u003C\u002Fstrong>xploit \u003Cstrong>P\u003C\u002Fstrong>revention” (WP-ZEP) is focused on patterns of vulnerability. It is simple but still smart and strong enough to block any malicious access to \u003Ccode>wp-admin\u002F*.php\u003C\u002Fcode>, \u003Ccode>plugins\u002F*.php\u003C\u002Fcode> and \u003Ccode>themes\u002F*.php\u003C\u002Fcode> even from the permitted countries. 
It will protect your site against certain types of attack such as CSRF, LFI, SQLi, XSS and so on, \u003Cstrong>even if you have some vulnerable plugins and themes in your site\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Guard against login attempts:\u003C\u002Fstrong>\u003Cbr \u002F>\nIn order to prevent hacking through the login form and XML-RPC by brute-force and reverse-brute-force attacks, the number of login attempts will be limited per IP address even from the permitted countries.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Minimize server load against brute-force attacks:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can configure this plugin as a \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FMust_Use_Plugins\" title=\"Must Use Plugins &laquo; WordPress Codex\" rel=\"nofollow ugc\">Must Use Plugin\u003C\u002Fa> so that it is loaded before regular plugins. It can massively \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fvalidation-timing.html\" title=\"Validation timing | IP Geo Block\" rel=\"nofollow ugc\">reduce the load on the server\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Prevent malicious down\u002Fuploading:\u003C\u002Fstrong>\u003Cbr \u002F>\nA malicious request such as exposing \u003Ccode>wp-config.php\u003C\u002Fcode> or uploading malware via vulnerable plugins\u002Fthemes can be blocked.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block badly-behaved bots and crawlers:\u003C\u002Fstrong>\u003Cbr \u002F>\nSimple logic may help to reduce the number of rogue bots and crawlers scraping your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Support of BuddyPress and bbPress:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can configure this plugin so that a registered user can log in as a member from anywhere, while a request such as a new user registration, lost password, 
creating a new topic and subscribing to comments can be blocked by country. It is suitable for \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" title=\"BuddyPress &mdash; WordPress Plugins\" rel=\"ugc\">BuddyPress\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbbpress\u002F\" title=\"WordPress &rsaquo; bbPress &laquo; WordPress Plugins\" rel=\"ugc\">bbPress\u003C\u002Fa> to help reduce spam.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Referrer suppressor for external links:\u003C\u002Fstrong>\u003Cbr \u002F>\nWhen you click an external hyperlink on admin screens, the HTTP referrer is removed to hide your site’s footprint.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Multiple sources of IP geolocation databases:\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\" title=\"MaxMind - IP Geolocation and Online Fraud Prevention\" rel=\"nofollow ugc\">MaxMind GeoLite2 free databases\u003C\u002Fa> (it requires PHP 5.4.0+) and \u003Ca href=\"https:\u002F\u002Fwww.ip2location.com\u002F\" title=\"IP Address Geolocation to Identify Website Visitor's Geographical Location\" rel=\"nofollow ugc\">IP2Location LITE databases\u003C\u002Fa> can be installed in this plugin. 
Free geolocation REST APIs and whois information are also available for audit purposes.\u003Cbr \u002F>\nFurthermore, \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Farticle\u002Fapi-class-library.html\" title=\"CloudFlare & CloudFront API class library | IP Geo Block\" rel=\"nofollow ugc\">dedicated API class libraries\u003C\u002Fa> can be installed for CloudFlare and CloudFront as a reverse proxy service.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Customizing response:\u003C\u002Fstrong>\u003Cbr \u002F>\nThe HTTP response code can be set to \u003Ccode>403 Forbidden\u003C\u002Fcode> to deny access to pages, \u003Ccode>404 Not Found\u003C\u002Fcode> to hide pages or even \u003Ccode>200 OK\u003C\u002Fcode> to redirect to the top page.\u003Cbr \u002F>\nYou can also have a human friendly page (like \u003Ccode>404.php\u003C\u002Fcode>) in your parent\u002Fchild theme template directory to fit your site design.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Validation logs:\u003C\u002Fstrong>\u003Cbr \u002F>\nValidation logs that hold useful information for auditing attack patterns can be managed.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Cooperation with full-spec security plugins:\u003C\u002Fstrong>\u003Cbr \u002F>\nThis plugin is light enough to work alongside other full-spec security plugins such as \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwordfence\u002F\" title=\"Wordfence Security &mdash; WordPress Plugins\" rel=\"ugc\">Wordfence Security\u003C\u002Fa>. 
See \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fpage-speed-performance.html\" title=\"Page speed performance | IP Geo Block\" rel=\"nofollow ugc\">this report\u003C\u002Fa> about page speed performance.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Extendability:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can customize the behavior of this plugin via \u003Ccode>add_filter()\u003C\u002Fcode> with \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002F\" title=\"Codex | IP Geo Block\" rel=\"nofollow ugc\">pre-defined filter hooks\u003C\u002Fa>. See various use cases in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\u002Fblob\u002Fmaster\u002Fip-geo-block\u002Fsamples.php\" title=\"WordPress-IP-Geo-Block\u002Fsamples.php at master - tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">samples.php\u003C\u002Fa> bundled within this package.\u003Cbr \u002F>\nYou can also get the extension \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fddur\u002FWordPress-IP-Geo-Allow\" title=\"GitHub - ddur\u002FWordPress-IP-Geo-Allow: WordPress Plugin Exension for WordPress-IP-Geo-Block Plugin\" rel=\"nofollow ugc\">IP Geo Allow\u003C\u002Fa> by \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fddur\" title=\"ddur (Dragan) - GitHub\" rel=\"nofollow ugc\">Dragan\u003C\u002Fa>. It makes admin screens strictly private in a more flexible way than specifying IP addresses.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Self blocking prevention and easy rescue:\u003C\u002Fstrong>\u003Cbr \u002F>\nWebsite owners do not want to be blocked themselves. This plugin prevents such a sad thing unless you force it. Furthermore, if such a situation occurs, you can \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fwhat-should-i-do-when-i-m-locked-out.html\" title=\"What should I do when I'm locked out? 
| IP Geo Block\" rel=\"nofollow ugc\">rescue yourself\u003C\u002Fa> easily.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Clean uninstallation:\u003C\u002Fstrong>\u003Cbr \u002F>\nNothing is left in your precious MySQL database after uninstallation. So you can feel free to install and activate this plugin to try out its functionality.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Attribution\u003C\u002Fh4>\n\u003Cp>This package includes the GeoLite2 library distributed by MaxMind, available from \u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\" title=\"MaxMind - IP Geolocation and Online Fraud Prevention\" rel=\"nofollow ugc\">MaxMind\u003C\u002Fa> (it requires PHP 5.4.0+), and also includes IP2Location open source libraries available from \u003Ca href=\"https:\u002F\u002Fwww.ip2location.com\" title=\"IP Address Geolocation to Identify Website Visitor's Geographical Location\" rel=\"nofollow ugc\">IP2Location\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Also thanks for providing the following great services and REST APIs for free.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fip-api.com\u002F\" title=\"IP-API.com - Free Geolocation API\" rel=\"nofollow ugc\">http:\u002F\u002Fip-api.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for non-commercial use)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fgeoiplookup.net\u002F\" title=\"What Is My IP Address | GeoIP Lookup\" rel=\"nofollow ugc\">http:\u002F\u002Fgeoiplookup.net\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipinfo.io\u002F\" title=\"IP Address API and Data Solutions\" rel=\"nofollow ugc\">https:\u002F\u002Fipinfo.io\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipapi.com\u002F\" title=\"ipapi – IP Address Lookup and Geolocation API\" rel=\"nofollow ugc\">https:\u002F\u002Fipapi.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Fipdata.co\u002F\" title=\"ipdata.co - IP Geolocation and Threat Data API\" rel=\"nofollow ugc\">https:\u002F\u002Fipdata.co\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipstack.com\u002F\" title=\"ipstack - Free IP Geolocation API\" rel=\"nofollow ugc\">https:\u002F\u002Fipstack.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for registered user, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipinfodb.com\u002F\" title=\"Free IP Geolocation Tools and API| IPInfoDB\" rel=\"nofollow ugc\">https:\u002F\u002Fipinfodb.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for registered user, need API key)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Development\u003C\u002Fh4>\n\u003Cp>Development of this plugin is promoted at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\" title=\"tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">WordPress-IP-Geo-Block\u003C\u002Fa>, and the class libraries that handle geo-location databases are developed separately as “add-in”s at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-API\" title=\"tokkonopapa\u002FWordPress-IP-Geo-API - GitHub\" rel=\"nofollow ugc\">WordPress-IP-Geo-API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>All contributions will always be welcome. Or visit my \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002F\" title=\"IP Geo Block\" rel=\"nofollow ugc\">development blog\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Known issues\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>No image is shown after dragging and dropping an image in grid view at “Media Library”. For more details, please refer to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\u002Fissues\u002F2\" title=\"No image is shown after drag & drop a image in grid view at \"Media Library\". 
- Issue #2 - tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">this ticket at GitHub\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>From \u003Ca href=\"https:\u002F\u002Fmake.wordpress.org\u002Fcore\u002F2016\u002F03\u002F09\u002Fcomment-changes-in-wordpress-4-5\u002F\" title=\"Comment Changes in WordPress 4.5 – Make WordPress Core\" rel=\"nofollow ugc\">WordPress 4.5\u003C\u002Fa>, \u003Ccode>rel=nofollow\u003C\u002Fcode> is no longer attached to the links in \u003Ccode>comment_content\u003C\u002Fcode>. This change prevents the plugin from blocking “\u003Ca href=\"https:\u002F\u002Fwww.owasp.org\u002Findex.php\u002FServer_Side_Request_Forgery\" title=\"Server Side Request Forgery - OWASP\" rel=\"nofollow ugc\">Server Side Request Forgeries\u003C\u002Fa>” (not Cross Site but a malicious internal link in the comment field).\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapps.wordpress.com\u002Fmobile\u002F\" title=\"WordPress.com Apps - Mobile Apps\" rel=\"nofollow ugc\">WordPress.com Mobile App\u003C\u002Fa> can’t upload images because of its own authentication system via XMLRPC.\u003C\u002Fli>\n\u003C\u002Ful>\n","It blocks spam posts, login attempts and malicious access to the back-end requested from the specific countries, and also prevents zero-day exploit.",9000,778060,82,96,"2019-01-22T03:59:00.000Z","5.0.25","3.7","",[18,20,21,22,76],"vulnerability","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fip-geo-block\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fip-geo-block.3.0.17.4.zip",85,{"slug":81,"name":82,"version":83,"author":84,"author_profile":85,"description":86,"short_description":87,"active_installs":88,"downloaded":89,"rating":11,"num_ratings":11,"last_updated":90,"tested_up_to":91,"requires_at_least":51,"requires_php":92,"tags":93,"homepage":96,"download_link":97,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":58},"ultimate-security","Ultimate Security – Login 
Protection, 2FA, CAPTCHA & Hardening","1.0.17","WP Ultimate Security","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpultimatesecurity\u002F","\u003Cp>Ultimate Security protects your WordPress site from brute force attacks, unauthorized access, and bots. Lightweight, modular, and privacy-focused.\u003C\u002Fp>\n\u003Cp>Check out the documentation for this plugin from here\u003C\u002Fp>\n\u003Cp>Link: \u003Ca href=\"https:\u002F\u002Fdocs.wpultimatesecurity.com\u002Fdocs\u002F\" rel=\"nofollow ugc\">Visit Documentation Site\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Two-Factor Authentication\u003C\u002Fstrong>\u003Cbr \u002F>\n* Email OTP verification\u003Cbr \u002F>\n* Google Authenticator, Authy, Microsoft Authenticator (TOTP\u002FHOTP)\u003Cbr \u002F>\n* 2FA status dashboard\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login Protection\u003C\u002Fstrong>\u003Cbr \u002F>\n* Custom login URL (hide wp-admin)\u003Cbr \u002F>\n* Login attempt limits\u003Cbr \u002F>\n* Password policy enforcement\u003Cbr \u002F>\n* Session management\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Bot Protection\u003C\u002Fstrong>\u003Cbr \u002F>\n* Google reCAPTCHA v2\u002Fv3\u003Cbr \u002F>\n* Cloudflare Turnstile\u003Cbr \u002F>\n* Protect login, registration, comments, WooCommerce\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Hardening\u003C\u002Fstrong>\u003Cbr \u002F>\n* Security keys rotation\u003Cbr \u002F>\n* Auto-update controls\u003Cbr \u002F>\n* Site health monitoring\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Content Protection\u003C\u002Fstrong>\u003Cbr \u002F>\n* Right-click disable\u003Cbr \u002F>\n* Text selection control\u003Cbr \u002F>\n* Image drag prevention\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Tools\u003C\u002Fstrong>\u003Cbr \u002F>\n* Security Score dashboard\u003Cbr \u002F>\n* Settings backup\u002Frestore\u003Cbr \u002F>\n* Test mode for previewing rules\u003C\u002Fp>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin connects to 
external services:\u003C\u002Fp>\n\u003Ch4>Cloudflare Turnstile\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>When: Turnstile CAPTCHA enabled\u003C\u002Fli>\n\u003Cli>Sends: Response token, site secret key\u003C\u002Fli>\n\u003Cli>URL: https:\u002F\u002Fchallenges.cloudflare.com\u002Fturnstile\u002Fv0\u002Fsiteverify\u003C\u002Fli>\n\u003Cli>Privacy: https:\u002F\u002Fwww.cloudflare.com\u002Fprivacypolicy\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Google reCAPTCHA\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>When: reCAPTCHA enabled\u003C\u002Fli>\n\u003Cli>Sends: Response token, site secret key\u003C\u002Fli>\n\u003Cli>URL: https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fapi\u002Fsiteverify\u003C\u002Fli>\n\u003Cli>Privacy: https:\u002F\u002Fpolicies.google.com\u002Fprivacy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>WordPress.org Salt API\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>When: Security keys rotation requested\u003C\u002Fli>\n\u003Cli>Sends: Request for random salt strings\u003C\u002Fli>\n\u003Cli>URL: https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n","Protect your WordPress site with 2FA, brute force protection, CAPTCHA, custom login URL, and security hardening.",10,1485,"2026-02-18T10:05:00.000Z","6.8.5","8.1",[18,20,94,22,95],"login-security","two-factor-authentication","https:\u002F\u002Fwww.wpultimatesecurity.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-security.1.0.17.zip",{"slug":99,"name":100,"version":101,"author":102,"author_profile":103,"description":104,"short_description":105,"active_installs":11,"downloaded":106,"rating":11,"num_ratings":11,"last_updated":107,"tested_up_to":108,"requires_at_least":15,"requires_php":16,"tags":109,"homepage":111,"download_link":112,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"custom-login-url-login-designer","Dotsquares Custom Login URL & Security 
Suite","1.6.4","maheshsharmads","https:\u002F\u002Fprofiles.wordpress.org\u002Fmaheshsharmads\u002F","\u003Cp>\u003Cstrong>Dotsquares Custom Login URL & Security Suite\u003C\u002Fstrong> helps secure your WordPress site by allowing you to change the default login URL and apply additional security layers — all from one beautifully designed dashboard.\u003C\u002Fp>\n\u003Ch4>🔑 Login Security\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Custom login slug — redirect wp-login.php to your own secret URL\u003C\u002Fli>\n\u003Cli>Optionally hide wp-login.php (returns 404 for guests)\u003C\u002Fli>\n\u003Cli>Optionally block wp-admin for non-logged-in users\u003C\u002Fli>\n\u003Cli>Brute force protection with configurable lockout thresholds\u003C\u002Fli>\n\u003Cli>Login honeypot trap (hidden field that catches bots)\u003C\u002Fli>\n\u003Cli>Two-Factor Authentication (TOTP — works with Google Authenticator, Authy, etc.)\u003C\u002Fli>\n\u003Cli>Weak username detection (blocks “admin”, “root”, “test”, etc.)\u003C\u002Fli>\n\u003Cli>Force logout after inactivity (configurable timeout)\u003C\u002Fli>\n\u003Cli>Manual approval for new user registrations\u003C\u002Fli>\n\u003Cli>Prevent display name from matching username\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🛡️ Firewall\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable XML-RPC (common attack vector)\u003C\u002Fli>\n\u003Cli>Block bad bots and fake user agents (40+ known bots)\u003C\u002Fli>\n\u003Cli>Block POST requests with empty User-Agent headers\u003C\u002Fli>\n\u003Cli>Rate limiting per IP address\u003C\u002Fli>\n\u003Cli>IP blacklist and whitelist (supports CIDR ranges)\u003C\u002Fli>\n\u003Cli>Geo-blocking by country code\u003C\u002Fli>\n\u003Cli>Restrict REST API for non-logged-in users\u003C\u002Fli>\n\u003Cli>Prevent user enumeration via ?author= scans\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🔍 Malware & File Scanner\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Deep scan of WordPress core, plugins, themes and 
uploads\u003C\u002Fli>\n\u003Cli>40+ malware signature patterns (PHP shells, backdoors, crypto miners, pharma hacks, SEO spam injections)\u003C\u002Fli>\n\u003Cli>Detects known web shells by filename (c99, r57, WSO, b374k, adminer, etc.)\u003C\u002Fli>\n\u003Cli>WordPress core file integrity check (compares against official api.wordpress.org checksums)\u003C\u002Fli>\n\u003Cli>Detects PHP files hidden inside the uploads folder\u003C\u002Fli>\n\u003Cli>Suspicious code pattern detection (eval, exec, base64_decode combos, etc.)\u003C\u002Fli>\n\u003Cli>File change detection using MD5 hash baseline\u003C\u002Fli>\n\u003Cli>File permission scanner (755\u002F644 standards)\u003C\u002Fli>\n\u003Cli>.htaccess security rules generator\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>👥 User & Session Management\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>View and kill active user sessions\u003C\u002Fli>\n\u003Cli>Session tracking with IP and user-agent logging\u003C\u002Fli>\n\u003Cli>Manual user approval workflow\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>📊 Monitoring & Logs\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Security event log (login, logout, failed attempts, plugin\u002Ftheme changes)\u003C\u002Fli>\n\u003Cli>IP blocking log with unblock controls\u003C\u002Fli>\n\u003Cli>Real-time security score (A–F grade with per-check breakdown)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>⚙️ Other Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Maintenance mode with custom message\u003C\u002Fli>\n\u003Cli>Database backup download\u003C\u002Fli>\n\u003Cli>Email alerts for security events\u003C\u002Fli>\n\u003Cli>Beautiful admin dashboard with quick-toggle switches\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Important\u003C\u002Fh3>\n\u003Cp>Hardening actions such as \u003Cstrong>DB prefix change\u003C\u002Fstrong> and \u003Cstrong>wp-content rename\u003C\u002Fstrong> are advanced operations.\u003Cbr \u002F>\nAlways run these features on a \u003Cstrong>staging environment\u003C\u002Fstrong> and ensure you 
have a \u003Cstrong>full backup\u003C\u002Fstrong> before applying them on production.\u003C\u002Fp>\n","Change your WordPress login URL, design the login page, and enhance your site's security with built-in protection tools.",662,"2026-03-30T11:09:00.000Z","6.9.4",[18,20,21,110,22],"malware-scanner","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcustom-login-url-login-designer","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-login-url-login-designer.1.6.4.zip",{"slug":114,"name":115,"version":116,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":11,"downloaded":121,"rating":11,"num_ratings":11,"last_updated":122,"tested_up_to":108,"requires_at_least":123,"requires_php":124,"tags":125,"homepage":128,"download_link":129,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":130},"cyber-smart-defence","Cyber Smart Defence","3.1.3","cybersmartempire","https:\u002F\u002Fprofiles.wordpress.org\u002Fcybersmartempire\u002F","\u003Cp>Cyber Smart Defence is a lightweight WordPress security plugin designed to protect your website against unauthorized access, brute-force login attempts, and suspicious request patterns.\u003C\u002Fp>\n\u003Cp>The plugin runs quietly in the background and integrates directly with WordPress. It monitors login activity, blocks abusive behavior, and records security-related events for administrative review.\u003C\u002Fp>\n\u003Cp>No complex configuration is required. 
Once activated, protection is enabled automatically.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Login attempt monitoring\u003C\u002Fli>\n\u003Cli>Automatic temporary lockout after multiple failed login attempts\u003C\u002Fli>\n\u003Cli>IP-based threat detection\u003C\u002Fli>\n\u003Cli>Firewall protection against common malicious request patterns\u003C\u002Fli>\n\u003Cli>Secure threat logging for administrators\u003C\u002Fli>\n\u003Cli>Lightweight and performance-friendly\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin connects to an external service provided by Cyber Smart Empire to check IP reputation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What data is sent\u003C\u002Fstrong>\u003Cbr \u002F>\n* IP address of the visitor being checked\u003C\u002Fp>\n\u003Cp>\u003Cstrong>When data is sent\u003C\u002Fstrong>\u003Cbr \u002F>\n* Only when an IP reputation check is performed\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service provider\u003C\u002Fstrong>\u003Cbr \u002F>\n* Cyber Smart Empire\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service URL\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Privacy Policy\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u002Fprivacy\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Terms of Service\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u002Fterms\u002F\u003C\u002Fp>\n","Lightweight WordPress security firewall with login protection and threat 
monitoring.",138,"2025-12-24T16:40:00.000Z","5.5","7.2",[18,20,126,22,127],"login-protection","website-security","https:\u002F\u002Fcybersmartempire.com\u002Fcyberdefence\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcyber-smart-defence.zip","2026-03-15T15:16:48.613Z",{"attackSurface":132,"codeSignals":183,"taintFlows":196,"riskAssessment":224,"analyzedAt":232},{"hooks":133,"ajaxHandlers":177,"restRoutes":178,"shortcodes":179,"cronEvents":180,"entryPointCount":11,"unprotectedCount":11},[134,141,145,149,152,156,159,163,166,169,171,175],{"type":135,"name":136,"callback":137,"priority":138,"file":139,"line":140},"action","plugins_loaded","cfblocklogins_migrate_from_old_prefix",1,"block-logins-cf.php",51,{"type":135,"name":142,"callback":143,"file":139,"line":144},"wp_login_failed","cfblocklogins_track_failed_logins",111,{"type":135,"name":146,"callback":147,"file":139,"line":148},"admin_menu","closure",482,{"type":135,"name":150,"callback":147,"file":139,"line":151},"admin_init",516,{"type":135,"name":153,"callback":154,"file":139,"line":155},"admin_enqueue_scripts","cfblocklogins_enqueue_admin_scripts",660,{"type":135,"name":157,"callback":147,"file":139,"line":158},"cfblocklogins_cron_unblock",1631,{"type":135,"name":160,"callback":161,"priority":138,"file":139,"line":162},"template_redirect","cfblocklogins_track_404",1883,{"type":135,"name":164,"callback":147,"file":139,"line":165},"xmlrpc_call",1926,{"type":135,"name":167,"callback":147,"file":139,"line":168},"admin_notices",1931,{"type":135,"name":150,"callback":147,"file":139,"line":170},1989,{"type":172,"name":173,"callback":147,"priority":88,"file":139,"line":174},"filter","xmlrpc_login_error",2082,{"type":135,"name":164,"callback":147,"priority":138,"file":139,"line":176},2097,[],[],[],[181],{"hook":157,"callback":157,"file":139,"line":182},1621,{"dangerousFunctions":184,"sqlUsage":185,"outputEscaping":188,"fileOperations":11,"externalRequests":56,"nonceChecks":88,"capabilityChecks":194,"b
undledLibraries":195},[],{"prepared":186,"raw":11,"locations":187},6,[],{"escaped":189,"rawEcho":138,"locations":190},229,[191],{"file":139,"line":192,"context":193},2130,"raw output",11,[],[197,216],{"entryPoint":198,"graph":199,"unsanitizedCount":11,"severity":215},"cfblocklogins_blocked_page (block-logins-cf.php:894)",{"nodes":200,"edges":212},[201,206],{"id":202,"type":203,"label":204,"file":139,"line":205},"n0","source","$_POST (x8)",908,{"id":207,"type":208,"label":209,"file":139,"line":210,"wp_function":211},"n1","sink","echo() [XSS]",913,"echo",[213],{"from":202,"to":207,"sanitized":214},true,"low",{"entryPoint":217,"graph":218,"unsanitizedCount":11,"severity":215},"\u003Cblock-logins-cf> (block-logins-cf.php:0)",{"nodes":219,"edges":222},[220,221],{"id":202,"type":203,"label":204,"file":139,"line":205},{"id":207,"type":208,"label":209,"file":139,"line":210,"wp_function":211},[223],{"from":202,"to":207,"sanitized":214},{"summary":225,"deductions":226},"The \"block-logins-cf\" v1.1 plugin exhibits a generally strong security posture based on the provided static analysis.  A significant strength is the complete absence of direct SQL injection risks, with all queries utilizing prepared statements.  Furthermore, all identified output is properly escaped, mitigating common cross-site scripting (XSS) vulnerabilities. The plugin also demonstrates good practice by implementing nonce and capability checks for its internal operations, and it lacks a broad attack surface exposed to unauthenticated users. The vulnerability history is also a positive indicator, with no recorded CVEs, suggesting a history of secure development or prompt patching of any past issues.\n\nWhile the static analysis reveals no critical or high-severity issues within the code, there are a few areas to consider. 
The presence of 8 external HTTP requests, while not inherently a vulnerability, could be a potential vector if the external services are compromised or if the plugin doesn't handle responses securely. The single cron event, if not properly secured or if it performs sensitive operations without adequate checks, could present a risk, though the analysis doesn't detail its specifics. The lack of direct vulnerabilities in the analysis and history is commendable, but the plugin's limited feature set (implied by the low number of entry points and code signals) might mean fewer opportunities for vulnerabilities to manifest.  Overall, the plugin appears to be developed with security in mind, but ongoing vigilance regarding its external dependencies and the functionality of its cron event is advisable.",[227,230],{"reason":228,"points":229},"External HTTP requests present a potential risk",2,{"reason":231,"points":138},"Cron event may pose a risk if not secured","2026-04-16T12:59:41.968Z",{"wat":234,"direct":240},{"assetPaths":235,"generatorPatterns":236,"scriptPaths":237,"versionParams":238},[],[],[],[239],"block-logins-cf\u002Fblock-logins-cf.php?ver=",{"cssClasses":241,"htmlComments":242,"htmlAttributes":243,"restEndpoints":244,"jsGlobals":245,"shortcodeOutput":246},[],[],[],[],[],[],{"error":214,"url":248,"statusCode":249,"statusMessage":250,"message":250},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fblock-logins-cf\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":229,"versions":252},[253,259],{"version":6,"download_url":24,"svn_tag_url":254,"released_at":26,"has_diff":255,"diff_files_changed":256,"diff_lines":26,"trac_diff_url":257,"vulnerabilities":258,"is_current":214},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fblock-logins-cf\u002Ftags\u002F1.1\u002F",false,[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fblock-logins-cf%2Ftags%2F1.0&new_path=%2Fblock-logins-cf%2Ftags%2F1.1",[],{"version":260,"download_url":261,"svn_tag_url":262,"released_at":26,"has_diff":255,"diff_files_changed":263,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":264,"is_current":255},"1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblock-logins-cf.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fblock-logins-cf\u002Ftags\u002F1.0\u002F",[],[]]