[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQilIGTyXuetgqE_exz-VSYlZnIAN4v-mF8ZEtYwpmTU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":11,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":128,"fingerprints":281},"brutefort","BruteFort","0.0.7","Yoyal Limbu","https:\u002F\u002Fprofiles.wordpress.org\u002Fy0000el\u002F","\u003Cp>\u003Cstrong>BruteFort\u003C\u002Fstrong> is your WordPress site’s complete login security solution. Protect against brute force attacks, hide your login page with a custom URL, block countries using geo-blocking, and manage IP restrictions — all in one lightweight, performance-optimized plugin.\u003C\u002Fp>\n\u003Cp>Whether you’re running a blog, a WooCommerce store, or a membership site, BruteFort keeps bots, hackers, and unauthorized users out while maintaining fast page speeds.\u003C\u002Fp>\n\u003Ch4>🔐 Key Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>🌐 Geo Blocking (Country-Based Restrictions)\u003C\u002Fstrong>\u003Cbr \u002F>\n– Block or allow login attempts by country\u003Cbr \u002F>\n– Blacklist mode: Block specific countries from accessing wp-login.php\u003Cbr \u002F>\n– Whitelist mode: Only allow login from selected countries\u003Cbr \u002F>\n– IP geolocation detection (Cloudflare compatible)\u003Cbr \u002F>\n– Perfect for region-specific sites or blocking high-risk countries\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🔗 Custom Login URL (Hide wp-login.php)\u003C\u002Fstrong>\u003Cbr \u002F>\n– Hide default WordPress login page (wp-login.php)\u003Cbr \u002F>\n– Create custom login slug (e.g., yoursite.com\u002Fsecure-access)\u003Cbr \u002F>\n– Automatically redirect 
wp-login.php to 404\u003Cbr \u002F>\n– Prevent automated bot attacks targeting \u002Fwp-login.php\u003Cbr \u002F>\n– Easy to remember custom URLs for authorized users\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🛡️ Brute Force Protection & Rate Limiting\u003C\u002Fstrong>\u003Cbr \u002F>\n– Block brute force attacks with smart rate limiting\u003Cbr \u002F>\n– Set maximum login attempts per IP address\u003Cbr \u002F>\n– Configurable time windows and lockout durations\u003Cbr \u002F>\n– Progressive lockout extensions for repeated attacks\u003Cbr \u002F>\n– Custom error messages for locked users\u003C\u002Fp>\n\u003Cp>\u003Cstrong>📍 IP Whitelist & Blacklist Management\u003C\u002Fstrong>\u003Cbr \u002F>\n– Manage custom IP whitelists and blacklists\u003Cbr \u002F>\n– Add individual IPs or CIDR ranges\u003Cbr \u002F>\n– Instantly block suspicious IPs\u003Cbr \u002F>\n– Whitelist your own IP to prevent lockouts\u003Cbr \u002F>\n– Bulk IP management with easy interface\u003C\u002Fp>\n\u003Cp>\u003Cstrong>📊 Real-Time Monitoring & Logs\u003C\u002Fstrong>\u003Cbr \u002F>\n– View failed login attempts in real-time\u003Cbr \u002F>\n– Track IP addresses, usernames, and timestamps\u003Cbr \u002F>\n– Filter logs by status, date, or IP\u003Cbr \u002F>\n– Manual unlock for accidentally locked users\u003Cbr \u002F>\n– Export logs for security audits\u003C\u002Fp>\n\u003Cp>\u003Cstrong>⚡ Performance & Compatibility\u003C\u002Fstrong>\u003Cbr \u002F>\n– Lightweight and performance-optimized\u003Cbr \u002F>\n– Works with Cloudflare, proxy servers, and CDNs\u003Cbr \u002F>\n– Compatible with most security plugins\u003Cbr \u002F>\n– Dark mode UI support\u003Cbr \u002F>\n– No impact on page load speeds\u003C\u002Fp>\n\u003Ch4>🎯 Perfect For\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>WooCommerce stores\u003C\u002Fstrong> protecting customer data and preventing unauthorized access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Membership sites\u003C\u002Fstrong> restricting access by geographic 
location\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Corporate websites\u003C\u002Fstrong> blocking countries where business doesn’t operate\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Blog owners\u003C\u002Fstrong> hiding login page from automated bots and scanners\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Agencies\u003C\u002Fstrong> managing multiple client sites with different security requirements\u003C\u002Fli>\n\u003Cli>\u003Cstrong>High-traffic sites\u003C\u002Fstrong> experiencing frequent brute force attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>International sites\u003C\u002Fstrong> wanting region-specific login restrictions\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🚀 Why Choose BruteFort?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>All-in-one solution\u003C\u002Fstrong>: Custom login URL + Geo blocking + IP restrictions in one plugin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy to use\u003C\u002Fstrong>: Simple, intuitive interface with no complex configuration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Performance-focused\u003C\u002Fstrong>: Minimal resource usage, no site slowdown\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SEO-friendly\u003C\u002Fstrong>: Properly handles redirects and 404s\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy-conscious\u003C\u002Fstrong>: No external API calls for basic features (optional geo API)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Regular updates\u003C\u002Fstrong>: Actively maintained with new features added regularly\u003C\u002Fli>\n\u003C\u002Ful>\n","BruteFort – Complete WordPress login security with custom login URLs, geo blocking, brute force protection, and IP restrictions in one 
plugin.",0,289,100,3,"2025-11-19T18:30:00.000Z","6.8.5","5.0","7.4",[20,21,22,23,24],"brute-force","custom-login-url","geo-blocking","ip-restriction","login-protection","https:\u002F\u002Fbrutefort.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbrutefort.0.0.7.zip",null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":13,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"y0000el",2,30,94,"2026-04-05T21:04:31.109Z",[37,56,76,93,112],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":13,"downloaded":45,"rating":11,"num_ratings":11,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":54,"download_link":55,"security_score":13,"vuln_count":11,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28},"security-hardener","Security Hardener","1.0","Marc Armengou","https:\u002F\u002Fprofiles.wordpress.org\u002Fmarc4\u002F","\u003Cp>\u003Cstrong>Security Hardener\u003C\u002Fstrong> implements the official WordPress hardening guidelines from the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fhardening\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration \u002F Security \u002F Hardening\u003C\u002Fa> documentation. 
It uses WordPress core functions and follows best practices without modifying core files.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>File Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable file editor in WordPress admin\u003Cbr \u002F>\n* Optionally disable all file modifications (blocks updates – use with caution)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>XML-RPC Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable XML-RPC completely (enabled by default)\u003Cbr \u002F>\n* Remove pingback methods\u003Cbr \u002F>\n* Disable self-pingbacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Enumeration Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Block \u003Ccode>\u002F?author=N\u003C\u002Fcode> queries (returns 404)\u003Cbr \u002F>\n* Secure REST API user endpoints (require authentication)\u003Cbr \u002F>\n* Remove users from XML sitemaps\u003Cbr \u002F>\n* Prevent canonical redirects that expose usernames\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generic error messages (no username\u002Fpassword hints)\u003Cbr \u002F>\n* IP-based rate limiting with configurable thresholds\u003Cbr \u002F>\n* Security event logging (last 100 events)\u003Cbr \u002F>\n* Automatic blocking after failed attempts\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Ccode>X-Frame-Options: SAMEORIGIN\u003C\u002Fcode> (clickjacking protection)\u003Cbr \u002F>\n* \u003Ccode>X-Content-Type-Options: nosniff\u003C\u002Fcode> (MIME sniffing protection)\u003Cbr \u002F>\n* \u003Ccode>Referrer-Policy: strict-origin-when-cross-origin\u003C\u002Fcode>\u003Cbr \u002F>\n* \u003Ccode>Permissions-Policy\u003C\u002Fcode> (restricts geolocation, microphone, camera)\u003Cbr \u002F>\n* Optional HSTS (HTTP Strict Transport Security) for HTTPS sites\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Additional Hardening:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Hide WordPress version\u003Cbr \u002F>\n* Clean 
up \u003Ccode>wp_head\u003C\u002Fcode> output\u003Cbr \u002F>\n* Remove unnecessary meta tags and links\u003Cbr \u002F>\n* Security event logging system\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>⚠️ \u003Cstrong>Important:\u003C\u002Fstrong> Always test security settings in a staging environment first. Some features may affect third-party integrations or plugins.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Privacy:\u003C\u002Fstrong> This plugin does not send data to external services and does not create custom database tables. It stores plugin settings and a security event log in the WordPress options table, and uses transients for temporary login attempt tracking. All data is deleted on uninstall.\u003C\u002Fp>\n","Basic hardening: secure headers, user enumeration blocking, generic login errors, IP-based rate limiting, and WordPress security improvements.",496,"2026-03-05T12:13:00.000Z","6.9.4","6.9","8.2",[20,51,52,24,53],"hardening","headers","security","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-hardener\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-hardener.1.0.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":11,"num_ratings":11,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":69,"tags":70,"homepage":73,"download_link":74,"security_score":75,"vuln_count":11,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28},"anti-brute-force-login-fraud-detector","Anti-Brute Force, Login Fraud Detector WordPress plugin","1.0.3","aispera31","https:\u002F\u002Fprofiles.wordpress.org\u002Faispera31\u002F","\u003Cp>Anti-Brute Force, Login Fraud Detector WordPress plugin is a security plugin that detects and blocks malicious IP addresses attempting to log into WordPress sites with real-time intelligence data from Criminal IP.\u003Cbr \u002F>\nHackers attempting brute-force attacks 
on WordPress sites do not use normal IP addresses. Rather, they use VPN, Proxy, Tor, Hosting IP, etc. to avoid tracking. Criminal IP is an IP address-based intelligence search engine platform that scans worldwide IP addresses daily and collects such malicious information.\u003Cbr \u002F>\nThe number of detectable login attempts varies depending on the plan being used by the connected Criminal IP account. Users of the Free membership plan can use up to 500 login IP detections per month for free.\u003C\u002Fp>\n\u003Ch4>Block Login IP Address Options\u003C\u002Fh4>\n\u003Cp>VPN IP – When attempting to log in using a VPN\u003Cbr \u002F>\nTor IP – When attempting to log in from a Tor browser\u003Cbr \u002F>\nProxy IP – When attempting to log in using Proxy\u003Cbr \u002F>\nHosting IP – When attempting to log in from the IP address of a hosting server\u003C\u002Fp>\n\u003Ch4>Additional Features\u003C\u002Fh4>\n\u003Cp>Whitelist: Specific IP addresses can be added to the whitelist to allow login.\u003Cbr \u002F>\nLogin Wait Time: Users who are eventually restricted from logging in can try again after the set login wait time.\u003Cbr \u002F>\nBlocked IP List: Allows you to view a list of all IP addresses subject to login restrictions. The items that may be seen are as follows.\u003Cbr \u002F>\nIP address\u003Cbr \u002F>\nGeographic Information (Country)\u003Cbr \u002F>\nReason for Login Restriction (Tor\u002FVPN\u002FProxy\u002FHosting)\u003Cbr \u002F>\nDetected Date and Time\u003C\u002Fp>\n\u003Ch4>Installation\u003C\u002Fh4>\n\u003Cp>Installing the Criminal IP Anti-Brute Force, Login Fraud Detector plug-in is very simple.\u003Cbr \u002F>\n1. Go to the ‘Plugin’ menu on the WordPress dashboard.\u003Cbr \u002F>\n2. Search ‘Criminal IP’ or ‘Criminal IP Brute Force’ in the search window.\u003Cbr \u002F>\n3. Click the ‘Install and activate’ button.\u003Cbr \u002F>\n4. 
When the plugin is activated, an icon with the Criminal IP logo will be displayed on the WordPress dashboard sidebar. Click the icon to go to the dashboard and click the ‘Issue API Key’ button to go to Criminal IP.\u003Cbr \u002F>\n5. Create a Criminal IP account, log in, and create an API key in My Page.\u003Cbr \u002F>\n6. Copy and paste the issued API key into the ‘Criminal IP API key’ input column on the plugin settings tab.\u003Cbr \u002F>\n7. On the Settings tab, set the login limit target and login wait time. Click ‘Save Changes’ to finish setting up the plugin.\u003Cbr \u002F>\nPlease report any new features or bugs of the plugin through Criminal IP’s Customer Support. You can also contact support@aispera.com.\u003C\u002Fp>\n","Anti-Brute Force, Login Fraud Detector Wordpress plugin is a security plugin that detects and blocks malicious IP addresses attempting to log into Wor &hellip;",40,1629,"2023-10-20T09:40:00.000Z","6.3.8","5.7","5.6",[20,71,72,24,53],"brute-force-protection","limit-login","https:\u002F\u002Fcriminalip.io\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanti-brute-force-login-fraud-detector.1.0.3.zip",85,{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":11,"num_ratings":11,"last_updated":86,"tested_up_to":16,"requires_at_least":17,"requires_php":87,"tags":88,"homepage":91,"download_link":92,"security_score":13,"vuln_count":11,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28},"fortress-login-pro","Fortress Login Pro – Secure, Hide & Rename Login URL","1.1.3","Hamdi Saidani","https:\u002F\u002Fprofiles.wordpress.org\u002Fhamdisaidani\u002F","\u003Cp>\u003Cstrong>Fortress Login Pro\u003C\u002Fstrong> is a battle-ready security plugin that replaces your WordPress login page (\u003Ccode>wp-login.php\u003C\u002Fcode>) with a private, rotating URL that only you control.\u003C\u002Fp>\n\u003Cp>🛡️ It doesn’t just hide 
the login—it lets you track, rotate, and control it.\u003C\u002Fp>\n\u003Cp>Perfect for freelancers, agencies, eCommerce owners, and anyone tired of blind brute-force attacks.\u003C\u002Fp>\n\u003Ch3>🔐 Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Custom Login URL:\u003C\u002Fstrong> Hide \u003Ccode>wp-login.php\u003C\u002Fcode> and set your own private login path  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto-Rotate Slugs:\u003C\u002Fstrong> Automatically change your login URL on a custom schedule  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dual-Slug Rotation Safety:\u003C\u002Fstrong> Keep the old URL live until the new one is used (fail-safe)  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Slug Generator:\u003C\u002Fstrong> Choose readable word combos or full-random slugs (with number support)  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Access Logs & Charts:\u003C\u002Fstrong> See IPs, timestamps, referrers, and user-agents by login attempt  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Export Logs:\u003C\u002Fstrong> Download access history or slug changes in CSV or JSON  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Slug History Panel:\u003C\u002Fstrong> Restore, archive, or delete old slugs anytime  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>SMTP Configuration:\u003C\u002Fstrong> Set up outgoing email for login slug alerts and rotation notices  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Test Email & Rotation:\u003C\u002Fstrong> Built-in checks before activating rotation so you don’t get locked out  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>System File Protection:\u003C\u002Fstrong> Optional toggle to block access to \u003Ccode>install.php\u003C\u002Fcode> and \u003Ccode>setup-config.php\u003C\u002Fcode> via \u003Ccode>.htaccess\u003C\u002Fcode>  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean UI:\u003C\u002Fstrong> Fast, modern dashboard with zero bloat or upsell traps  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>✅ Works With\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WooCommerce, Easy Digital 
Downloads, and major eCommerce plugins  \u003C\u002Fli>\n\u003Cli>Membership systems like MemberPress, Paid Memberships Pro  \u003C\u002Fli>\n\u003Cli>Popular security plugins: Wordfence, iThemes, Sucuri  \u003C\u002Fli>\n\u003Cli>Caching tools like WP Rocket, Cloudflare, W3 Total Cache  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🚀 Why Fortress (vs limit login or captcha plugins)?\u003C\u002Fh3>\n\u003Cp>Most plugins try to \u003Cstrong>respond\u003C\u002Fstrong> to brute-force.\u003Cbr \u002F>\nFortress prevents it by removing the login form from public view.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No login page = no attack surface.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Final Word\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Fortress Login Pro\u003C\u002Fstrong> doesn’t just hide your login—it makes you smarter about who’s trying to reach it.\u003C\u002Fp>\n\u003Cp>Real logs. Real control. No BS.\u003Cbr \u002F>\nReady to lock down WordPress the way it should’ve shipped.\u003C\u002Fp>\n\u003Cp>Try our companion plugin: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fnotification-blocker\u002F\" rel=\"ugc\">Notification Blocker\u003C\u002Fa> — hide noisy dashboard alerts with one click.\u003C\u002Fp>\n","Hide and rotate your WordPress login URL. 
Track access, export logs, and prevent brute-force attacks with real-time visibility.",10,612,"2025-05-09T10:19:00.000Z","7.2",[71,21,89,53,90],"login-security","wp-admin","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffortress-login-pro.1.1.3.zip",{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":84,"downloaded":101,"rating":13,"num_ratings":102,"last_updated":91,"tested_up_to":103,"requires_at_least":104,"requires_php":105,"tags":106,"homepage":109,"download_link":110,"security_score":13,"vuln_count":11,"unpatched_count":11,"last_vuln_date":27,"fetched_at":111},"login-secure","Login Secure","1.0.1","Rizwan Abbasi","https:\u002F\u002Fprofiles.wordpress.org\u002Frizwanabbasi\u002F","\u003Ch3>Try it out on your free dummy site:\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftastewp.com\u002Fnew?pre-installed-plugin-slug=login-secure&redirect=options-general.php%3Fpage%3Dlogin-secure&ni=true\" rel=\"nofollow ugc\">Click Here\u003C\u002Fa>\u003Cbr \u002F>\nLogin Secure is an easy-to-use and user-friendly WordPress plugin that secures your website from unauthorized users. It blocks default WordPress login URLs and requires a special code in the WordPress login URL.\u003C\u002Fp>\n\u003Cp>After installing and activating the plugin, go to the ‘Settings>>Login Secure’ link. 
Enter a unique string and click save changes.\u003Cbr \u002F>\nYour WordPress login URL will be the one displayed on that page.\u003C\u002Fp>\n\u003Cp>After storing a unique string, your default WordPress login URL will not work; users cannot even log in by going to\u003Cbr \u002F>\nhttp:\u002F\u002Fexample.com\u002Fwp-admin where example.com is your WordPress installation link.\u003C\u002Fp>\n","Try it out on your free dummy site:",1252,1,"5.8.13","4.6","5.2.4",[107,20,21,108,53],"block-login-url","secure-login","http:\u002F\u002Frizwanabbasi.com\u002Flogin-secure\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-secure.zip","2026-03-15T10:48:56.248Z",{"slug":113,"name":114,"version":115,"author":116,"author_profile":117,"description":118,"short_description":119,"active_installs":11,"downloaded":120,"rating":11,"num_ratings":11,"last_updated":121,"tested_up_to":47,"requires_at_least":122,"requires_php":87,"tags":123,"homepage":126,"download_link":127,"security_score":13,"vuln_count":11,"unpatched_count":11,"last_vuln_date":27,"fetched_at":28},"cyber-smart-defence","Cyber Smart Defence","3.1.3","cybersmartempire","https:\u002F\u002Fprofiles.wordpress.org\u002Fcybersmartempire\u002F","\u003Cp>Cyber Smart Defence is a lightweight WordPress security plugin designed to protect your website against unauthorized access, brute-force login attempts, and suspicious request patterns.\u003C\u002Fp>\n\u003Cp>The plugin runs quietly in the background and integrates directly with WordPress. It monitors login activity, blocks abusive behavior, and records security-related events for administrative review.\u003C\u002Fp>\n\u003Cp>No complex configuration is required. 
Once activated, protection is enabled automatically.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Login attempt monitoring\u003C\u002Fli>\n\u003Cli>Automatic temporary lockout after multiple failed login attempts\u003C\u002Fli>\n\u003Cli>IP-based threat detection\u003C\u002Fli>\n\u003Cli>Firewall protection against common malicious request patterns\u003C\u002Fli>\n\u003Cli>Secure threat logging for administrators\u003C\u002Fli>\n\u003Cli>Lightweight and performance-friendly\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin connects to an external service provided by Cyber Smart Empire to check IP reputation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What data is sent\u003C\u002Fstrong>\u003Cbr \u002F>\n* IP address of the visitor being checked\u003C\u002Fp>\n\u003Cp>\u003Cstrong>When data is sent\u003C\u002Fstrong>\u003Cbr \u002F>\n* Only when an IP reputation check is performed\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service provider\u003C\u002Fstrong>\u003Cbr \u002F>\n* Cyber Smart Empire\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service URL\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Privacy Policy\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u002Fprivacy\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Terms of Service\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u002Fterms\u002F\u003C\u002Fp>\n","Lightweight WordPress security firewall with login protection and threat 
monitoring.",138,"2025-12-24T16:40:00.000Z","5.5",[20,124,24,53,125],"firewall","website-security","https:\u002F\u002Fcybersmartempire.com\u002Fcyberdefence\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcyber-smart-defence.zip",{"attackSurface":129,"codeSignals":231,"taintFlows":244,"riskAssessment":272,"analyzedAt":280},{"hooks":130,"ajaxHandlers":215,"restRoutes":216,"shortcodes":229,"cronEvents":230,"entryPointCount":32,"unprotectedCount":32},[131,137,142,145,149,154,157,162,167,171,175,178,182,186,190,192,196,200,205,209,212],{"type":132,"name":133,"callback":134,"priority":84,"file":135,"line":136},"filter","doing_it_wrong_trigger_error","filter_doing_it_wrong","brutefort.php",68,{"type":138,"name":139,"callback":140,"file":135,"line":141},"action","init","load_plugin_textdomain",168,{"type":132,"name":143,"callback":143,"priority":84,"file":135,"line":144},"plugin_row_meta",170,{"type":138,"name":146,"callback":147,"file":135,"line":148},"admin_notices","show_admin_notices",267,{"type":138,"name":150,"callback":151,"file":152,"line":153},"activate_brutefort\u002Fbrutefort.php","brutef_free_activated","includes\\helpers.php",39,{"type":138,"name":155,"callback":156,"file":152,"line":64},"deactivate_brutefort\u002Fbrutefort.php","brutef_free_deactivated",{"type":138,"name":158,"callback":159,"file":160,"line":161},"rest_api_init","register_rest_routes","includes\\Routes\\Routes.php",26,{"type":132,"name":163,"callback":164,"priority":33,"file":165,"line":166},"authenticate","check_before_login","includes\\Security\\LoginGuard.php",115,{"type":138,"name":168,"callback":169,"file":165,"line":170},"wp_login_failed","log_failed_attempt",116,{"type":138,"name":172,"callback":173,"priority":84,"file":165,"line":174},"wp_login","log_success",117,{"type":138,"name":139,"callback":176,"file":177,"line":161},"add_rewrite_rule","includes\\Services\\LoginUrlService.php",{"type":132,"name":179,"callback":180,"file":177,"line":181},"query_vars","add_query
_var",27,{"type":138,"name":183,"callback":184,"file":177,"line":185},"parse_request","handle_parse_request",28,{"type":132,"name":187,"callback":188,"priority":84,"file":177,"line":189},"site_url","filter_site_url",29,{"type":132,"name":191,"callback":188,"priority":84,"file":177,"line":33},"network_site_url",{"type":132,"name":193,"callback":194,"priority":84,"file":177,"line":195},"wp_redirect","filter_wp_redirect",31,{"type":138,"name":197,"callback":198,"file":177,"line":199},"login_init","handle_redirects",32,{"type":138,"name":201,"callback":202,"file":203,"line":204},"admin_menu","register_menu","includes\\Settings.php",24,{"type":138,"name":206,"callback":207,"file":203,"line":208},"admin_enqueue_scripts","enqueue_assets",25,{"type":138,"name":210,"callback":211,"file":203,"line":161},"plugins_loaded","include_classes",{"type":138,"name":213,"callback":214,"file":203,"line":181},"admin_init","redirect_after_activation",[],[217,225],{"namespace":218,"route":219,"methods":220,"callback":222,"permissionCallback":27,"file":223,"line":224},"brutefort\u002Fv1","\u002Fgeo-settings",[221],"GET","anonymous","includes\\Routes\\GeoRoutes.php",37,{"namespace":218,"route":226,"methods":227,"callback":222,"permissionCallback":27,"file":228,"line":224},"\u002Flogin-url-settings",[221],"includes\\Routes\\LoginUrlRoutes.php",[],[],{"dangerousFunctions":232,"sqlUsage":233,"outputEscaping":240,"fileOperations":102,"externalRequests":102,"nonceChecks":102,"capabilityChecks":242,"bundledLibraries":243},[],{"prepared":234,"raw":102,"locations":235},21,[236],{"file":237,"line":238,"context":239},"includes\\Database\\Database.php",104,"$wpdb->query() with variable interpolation",{"escaped":204,"rawEcho":11,"locations":241},[],6,[],[245,264],{"entryPoint":246,"graph":247,"unsanitizedCount":11,"severity":263},"show_admin_notices 
(brutefort.php:274)",{"nodes":248,"edges":260},[249,254],{"id":250,"type":251,"label":252,"file":135,"line":253},"n0","source","$_SERVER",282,{"id":255,"type":256,"label":257,"file":135,"line":258,"wp_function":259},"n1","sink","echo() [XSS]",303,"echo",[261],{"from":250,"to":255,"sanitized":262},true,"low",{"entryPoint":265,"graph":266,"unsanitizedCount":11,"severity":263},"\u003Cbrutefort> (brutefort.php:0)",{"nodes":267,"edges":270},[268,269],{"id":250,"type":251,"label":252,"file":135,"line":253},{"id":255,"type":256,"label":257,"file":135,"line":258,"wp_function":259},[271],{"from":250,"to":255,"sanitized":262},{"summary":273,"deductions":274},"The 'brutefort' plugin v0.0.7 exhibits a generally good security posture in its static analysis. The complete absence of dangerous functions, the high percentage of SQL queries using prepared statements, and the 100% proper output escaping are positive indicators. The plugin also correctly uses nonce checks and capability checks for a significant portion of its operations. There are no recorded vulnerabilities (CVEs) for this plugin, suggesting a history of secure development or a lack of historical scrutiny.\n\nHowever, the plugin presents a notable security concern due to its attack surface. It exposes two REST API routes without any permission callbacks, meaning any user, including unauthenticated ones, could potentially interact with these endpoints. This lack of authorization on the exposed REST API routes is the primary risk identified. While taint analysis shows no critical or high severity issues, the exposed REST API routes represent a potential entry point for unauthorized actions if not properly secured within the plugin's logic.\n\nIn conclusion, while the 'brutefort' plugin demonstrates good internal coding practices regarding SQL and output sanitization, the open nature of its REST API endpoints is a significant weakness. 
The absence of historical vulnerabilities is a positive sign, but it does not mitigate the immediate risk posed by the unprotected entry points.",[275,277],{"reason":276,"points":84},"REST API routes exposed without permission callbacks",{"reason":278,"points":279},"Unprotected REST API entry points",5,"2026-03-17T06:35:07.203Z",{"wat":282,"direct":291},{"assetPaths":283,"generatorPatterns":286,"scriptPaths":287,"versionParams":288},[284,285],"\u002Fwp-content\u002Fplugins\u002Fbrutefort\u002Fassets\u002Fcss\u002Fbrutefort.css","\u002Fwp-content\u002Fplugins\u002Fbrutefort\u002Fassets\u002Fjs\u002Fbrutefort.js",[],[285],[289,290],"brutefort\u002Fassets\u002Fcss\u002Fbrutefort.css?ver=","brutefort\u002Fassets\u002Fjs\u002Fbrutefort.js?ver=",{"cssClasses":292,"htmlComments":293,"htmlAttributes":294,"restEndpoints":295,"jsGlobals":296,"shortcodeOutput":297},[],[],[],[],[],[]]