[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f43V8ERX5Ce12o_d5IeizXIGhRrl6986_sHpQDsIaAKw":3,"$feIL6UodkWHylLOUMBMYG3VsnxYbSSHUCIPcw94WhTUM":277,"$fkUmrM5m-oA9pYgU6c1L5VnXZ2lW8PcZA2nW3GPD1BmQ":282},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"discovery_status":31,"vulnerabilities":32,"developer":50,"crawl_stats":38,"alternatives":58,"analysis":175,"fingerprints":256},"bruteguard","BruteGuard – Brute Force Login Protection","0.1.4","EverPress","https:\u002F\u002Fprofiles.wordpress.org\u002Feverpress\u002F","\u003Cp>BruteGuard is a cloud powered brute force login protection that shields your site against botnet attacks.\u003C\u002Fp>\n\u003Ch3>Botnets and other malicious scripts attack millions of websites each and every day\u003C\u002Fh3>\n\u003Cp>BruteGuard is a brute force attack prevention plugin that guards you against botnets by connecting its users to track failed login attempts across all WordPress installations that use the plugin. Once you activate BruteGuard you become part of a inter-connected protection layer against botnet attacks.\u003C\u002Fp>\n\u003Ch3>BruteGuard logs failed attempts network wide\u003C\u002Fh3>\n\u003Cp>Our plugin logs and blocks IPs across the entire network. 
The more users use BruteGuard the safer the whole network including you gets.\u003C\u002Fp>\n\u003Cp>BruteGuard fully supports multi sites and is an additional security layer so can be used with any other security plugin.\u003C\u002Fp>\n","BruteGuard is a cloud powered brute force login protection that shields your site against botnet attacks.",200,6626,100,2,"2022-10-09T18:44:00.000Z","5.9.13","4.4","",[20,21,22,23,24],"brute-force","brute-force-attack","bruteforce","login","security","https:\u002F\u002Fbruteguard.co","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbruteguard.0.1.4.zip",64,1,"2025-04-17 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[33],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":38,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":38,"patch_diff_files":47,"patch_trac_url":38,"research_status":38,"research_verified":48,"research_rounds_completed":49,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":48,"poc_model_used":38,"poc_verification_depth":38},"CVE-2025-39408","bruteguard-brute-force-login-protection-reflected-cross-site-scripting","BruteGuard – Brute Force Login Protection \u003C= 0.1.4 - Reflected Cross-Site Scripting","The BruteGuard – Brute Force Login Protection plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 0.1.4 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=0.1.4","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-04-21 20:16:32",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fad40de6a-744c-4a78-912a-4fd76ae75dc1?source=api-prod",[],false,0,{"slug":51,"display_name":7,"profile_url":8,"plugin_count":52,"total_installs":53,"avg_security_score":54,"avg_patch_time_days":55,"trust_score":56,"computed_at":57},"everpress",28,120290,91,255,73,"2026-05-19T20:41:41.067Z",[59,90,110,132,153],{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":49,"num_ratings":49,"last_updated":69,"tested_up_to":18,"requires_at_least":70,"requires_php":18,"tags":71,"homepage":86,"download_link":87,"security_score":88,"vuln_count":49,"unpatched_count":49,"last_vuln_date":38,"fetched_at":89},"protect-ai-login","Protect Ai Login","1.0.0","anouny","https:\u002F\u002Fprofiles.wordpress.org\u002Fanouny\u002F","\u003Cp>Protect Ai Login changes default WordPress login URL to the url you define, denied brute force attacks, spam logins, and bot or automatic register. 
The plugin blocks access to default login url, generates a custom branded login panel, without creating a custom page on your website.\u003C\u002Fp>\n\u003Cp>The plugin offers protection with Google reCAPTCHA v2.\u003C\u002Fp>\n\u003Ch3>Plugin Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Define new login url easily from settings page.\u003C\u002Fli>\n\u003Cli>Protect against spam login, bot registration or signup, with the integration of Google reCaptcha.\u003C\u002Fli>\n\u003Cli>Secure AXS is compatible with any permalink setup including the default.\u003C\u002Fli>\n\u003Cli>Choose to allow users with the role “Editor” to access plugin settings.\u003C\u002Fli>\n\u003Cli>Fully branded login page with colors and login logo of your choice.\u003C\u002Fli>\n\u003Cli>Plugin doesn’t create new pages on your website for displaying the new login panel.\u003C\u002Fli>\n\u003Cli>Plugin is compatible with other major security & cache plugins.\u003C\u002Fli>\n\u003Cli>Test with wordpress 4.4.2\u003C\u002Fli>\n\u003C\u002Ful>\n","Change default login site to a custom URL, block spam, bot registration, and brute-force using Google reCAPTCHA.",10,1416,"2016-04-14T06:46:00.000Z","4.0",[72,73,74,75,76,21,77,78,23,79,80,81,82,83,24,84,85],"access","attack","axs","block","brute","captcha","force","no-captcha","nocaptcha","recaptcha","register","secure","sign","spam","https:\u002F\u002Fwordpress.org\u002Fplugins\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprotect-ai-login.zip",85,"2026-04-06T09:54:40.288Z",{"slug":91,"name":92,"version":93,"author":94,"author_profile":95,"description":96,"short_description":97,"active_installs":98,"downloaded":99,"rating":13,"num_ratings":14,"last_updated":100,"tested_up_to":101,"requires_at_least":102,"requires_php":103,"tags":104,"homepage":108,"download_link":109,"security_score":13,"vuln_count":49,"unpatched_count":49,"last_vuln_date":38,"fetched_at":30},"cloudsecure-wp-security","CloudSecure WP 
Security","1.4.7","cloudsecure","https:\u002F\u002Fprofiles.wordpress.org\u002Fcloudsecure\u002F","\u003Cp>管理画面とログインURLをサイバー攻撃から守る、安心の国産・日本語対応プラグインです。\u003Cbr \u002F>\nかんたんな設定を行うだけで、不正アクセスや不正ログインからあなたのWordPressを保護し、セキュリティが向上します。\u003Cbr \u002F>\nまた、各機能の有効・無効（ON・OFF）や設定などをお好みにカスタマイズし、いつでも保護状態を管理できます。\u003C\u002Fp>\n\u003Cp>ドキュメントやFAQなど、より詳細な情報は \u003Ca href=\"https:\u002F\u002Fwpplugin.cloudsecure.ne.jp\u002Fcloudsecure_wp_security\" rel=\"nofollow ugc\">こちら\u003C\u002Fa> でご覧いただけます。\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPressのマルチサイト機能には対応していません。\u003C\u002Fli>\n\u003Cli>WebサーバーのApache1.3、2.xにのみ対応しています。\u003C\u002Fli>\n\u003Cli>画像認証追加機能を利用するためには、PHPに拡張ライブラリ「gd」をインストールする必要があります。\u003C\u002Fli>\n\u003Cli>管理画面アクセス制限機能、ログインURL変更機能を利用するためには、Apacheに「mod_rewrite」を読み込む必要があります。\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>本プラグインの機能は以下のとおりです。\u003C\u002Fp>\n\u003Ch4>ログイン無効化\u003C\u002Fh4>\n\u003Cp>指定した期間内に指定した回数ログインに失敗した場合、指定した時間ログインを無効化（ブロック）します。\u003Cbr \u002F>\nブルートフォースアタックやパスワードリスト攻撃など、不正なログインを試みる攻撃を防ぐための機能です。\u003Cbr \u002F>\nとくに、自動化された攻撃に有効です。\u003C\u002Fp>\n\u003Ch4>ログインURL変更\u003C\u002Fh4>\n\u003Cp>ログインURL（wp-login.php）を変更します。\u003Cbr \u002F>\n半角英小文字、半角数字、ハイフン、アンダースコアのいずれかを使用し、4文字以上12文字以下でお好みの名前（文字列）に設定できます。\u003Cbr \u002F>\nブルートフォースアタックやパスワードリスト攻撃など、不正なログインを試みる攻撃を受けにくくするための機能です。\u003C\u002Fp>\n\u003Ch4>ログインエラーメッセージ統一\u003C\u002Fh4>\n\u003Cp>ログイン時、ユーザー名、パスワード、画像認証のどれを間違えても同一のメッセージを表示します。\u003Cbr \u002F>\nユーザー名の存在を調査する攻撃を受けにくくするための機能です。\u003C\u002Fp>\n\u003Ch4>2段階認証\u003C\u002Fh4>\n\u003Cp>ログイン時、ユーザー名とパスワードの入力に加え、別のコードで追加認証を行います。\u003Cbr \u002F>\n利用するには、\u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.google.android.apps.authenticator2\" rel=\"nofollow ugc\">Google Authenticator\u003C\u002Fa> アプリケーションでデバイスを登録する必要があります。\u003Cbr \u002F>\nアプリケーションに表示された6桁の認証コードをログイン画面で入力し、すべての情報が一致すればログインできます。\u003Cbr 
\u002F>\nユーザー名やパスワードを不正入手した第三者によるログインやなりすましを防止し、セキュリティを強化します。\u003C\u002Fp>\n\u003Ch4>画像認証追加\u003C\u002Fh4>\n\u003Cp>画像データ上にランダムに表示される文字の入力を求め、一致しなければ次の画面に進めないようにする機能です。\u003Cbr \u002F>\nログインフォーム、コメントフォーム、パスワードリセットフォーム、ユーザー登録フォームに設定できます。\u003Cbr \u002F>\nブルートフォースアタックやパスワードリスト攻撃などの不正なログインを試みる攻撃や、悪意のあるプログラムからの機械的な不正アクセスを防止する機能です。\u003C\u002Fp>\n\u003Ch4>ユーザー名漏えい防止\u003C\u002Fh4>\n\u003Cp>「?author=数字」アクセスによるユーザー名の漏えいを防止します。\u003C\u002Fp>\n\u003Ch4>XML-RPC無効化\u003C\u002Fh4>\n\u003Cp>XML-RPC機能、またはピンバック機能を無効化し、その乱用から管理画面を保護します。\u003C\u002Fp>\n\u003Ch4>REST API無効化\u003C\u002Fh4>\n\u003Cp>REST APIを無効化し、その悪用から管理画面を守ります。\u003C\u002Fp>\n\u003Ch4>管理画面アクセス制限\u003C\u002Fh4>\n\u003Cp>管理画面にログインしていない接続元IPアドレスから管理ページ（\u002Fwp-admin\u002F以降）にアクセスすると、404エラー（Not Found）を返します。\u003Cbr \u002F>\n24時間以上管理画面にログインしていない接続元IPアドレスが対象です。\u003Cbr \u002F>\nログインすると接続元IPアドレスが記録され、管理画面にアクセスできるようになります。\u003Cbr \u002F>\nこの機能を除外するページ（wp-admin以下）を指定できます。\u003C\u002Fp>\n\u003Ch4>設定ファイルアクセス防止\u003C\u002Fh4>\n\u003Cp>WordPressのシステムに関するファイルへの不正アクセスを遮断する機能です。\u003C\u002Fp>\n\u003Ch4>シンプルWAF\u003C\u002Fh4>\n\u003Cp>WordPressへの攻撃に対して、基本的な防御機能を備えたシンプルなWAF（Web Application Firewall）機能です。\u003Cbr \u002F>\nSQLインジェクションやクロスサイトスクリプティングなどの一般的な攻撃を遮断します。\u003C\u002Fp>\n\u003Ch4>ログイン通知\u003C\u002Fh4>\n\u003Cp>ログインがあったとき、ユーザーにメールで通知します。\u003Cbr \u002F>\n心当たりのないメールを受信した場合、不正なログインを疑ってください。\u003C\u002Fp>\n\u003Ch4>アップデート通知\u003C\u002Fh4>\n\u003Cp>WordPress、プラグイン、テーマの更新が必要になったとき、WordPressの管理者ユーザーにメールで通知します。\u003Cbr \u002F>\n更新の確認は24時間ごとに行われます。\u003Cbr \u002F>\n常に最新版を使用することが、セキュリティの基本です。\u003C\u002Fp>\n\u003Ch4>サーバーエラー通知\u003C\u002Fh4>\n\u003Cp>サーバーエラー「HTTPステータスコード500（Internal Server Error）」が発生したとき、エラーの履歴を記録し、WordPressの管理者ユーザーにメールで通知します。\u003Cbr \u002F>\n1時間以内に同じタイプのエラーが発生した場合、エラーの履歴は記録しますが、メールでの通知は行いません。\u003C\u002Fp>\n\u003Ch4>ログイン履歴\u003C\u002Fh4>\n\u003Cp>管理画面にログインした履歴を表示します。\u003Cbr \u002F>\nそれぞれの項目で絞り込んでの検索も可能です。\u003Cbr 
\u002F>\nログイン通知と同様、不正なログインの気づきを促す機能です。\u003C\u002Fp>\n","管理画面とログインURLをサイバー攻撃から守る、国産・日本語対応のセキュリティ対策プラグインです。 かんたんな設定を行うだけで、不正アクセスや不正ログインからあなたのWordPressを保護します。",100000,698583,"2026-04-13T03:08:00.000Z","6.9.4","5.3.15","7.1",[105,20,106,24,107],"anti-spam","login-lock","waf","https:\u002F\u002Fwpplugin.cloudsecure.ne.jp\u002Fcloudsecure_wp_security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcloudsecure-wp-security.1.4.7.zip",{"slug":111,"name":112,"version":113,"author":114,"author_profile":115,"description":116,"short_description":117,"active_installs":98,"downloaded":118,"rating":119,"num_ratings":120,"last_updated":121,"tested_up_to":122,"requires_at_least":123,"requires_php":124,"tags":125,"homepage":127,"download_link":128,"security_score":129,"vuln_count":130,"unpatched_count":49,"last_vuln_date":131,"fetched_at":30},"hide-my-wp","WP Ghost (Hide My WP Ghost) – Security & Firewall","7.0.01","John Darrel","https:\u002F\u002Fprofiles.wordpress.org\u002Fjohndarrel\u002F","\u003Cp>\u003Cstrong>WP Ghost\u003C\u002Fstrong> (formerly known as \u003Cstrong>Hide My WP Ghost\u003C\u002Fstrong>) is a professional-grade, comprehensive \u003Cstrong>hack-prevention security solution for WordPress\u003C\u002Fstrong>. Built for speed and engineered for maximum defense, WP Ghost provides a multi-layered security architecture designed to block hacker bots, neutralize automated scanners, and stop the hack before the reconnaissance even begins.\u003C\u002Fp>\n\u003Cp>While traditional security tools focus on Detection (scanning for malware after a breach) or Signature-Filtering (blocking known exploits), \u003Cstrong>WP Ghost focuses on Architecture\u003C\u002Fstrong>. 
By implementing \u003Cstrong>Paths Security and Site Hardening\u003C\u002Fstrong>, we remove the digital footprints that make your site a target for automated botnets, providing a \u003Cstrong>proactive foundation that secures your site before it can even be identified as a target\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FQMdoSN8dk1c?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Cstrong>WP Ghost Global Stats:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>10 Million+ Monthly Brute-Force Attempts Blocked\u003C\u002Fli>\n\u003Cli>100 Million+ Monthly Security Threats Prevented\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Official websites:\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpghost.com\u002F\" rel=\"nofollow ugc\">WP Ghost (wpghost.com)\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fhidemywpghost.com\u002F\" rel=\"nofollow ugc\">Hide My WP Ghost (hidemywpghost.com)\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Stop Attacks with Paths Security & Architectural Hardening\u003C\u002Fh3>\n\u003Cp>Most WordPress attacks are automated. Bots scan millions of sites per hour looking for default paths like \u002Fwp-admin or \u002Fwp-login.php to confirm a site is running WordPress. Once confirmed, they launch targeted exploits against known plugin or theme vulnerabilities.\u003C\u002Fp>\n\u003Cp>WP Ghost breaks this cycle. By changing and securing common paths, you reduce your attack surface by up to 90%. This isn’t “obscurity”, it’s Site Hardening. 
We re-engineer the visible structure of your site so it is no longer a low-hanging fruit for global botnets.\u003C\u002Fp>\n\u003Ch3>Key Protections Included\u003C\u002Fh3>\n\u003Cp>WP Ghost is packed with advanced defensive mechanisms to protect your site against:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Brute Force Attacks\u003C\u002Fstrong>: Blocks automated password guessing at the source.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SQL Injection & XSS\u003C\u002Fstrong>: Neutralizes malicious query strings and script injections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero-Day Exploits\u003C\u002Fstrong>: Secures paths for plugins before patches are even released.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC & REST API Attacks\u003C\u002Fstrong>: Shuts down common remote-access entry points.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Bot Reconnaissance\u003C\u002Fstrong>: Prevents “fingerprinting” that hackers use to map your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Spam & Scrapers\u003C\u002Fstrong>: Filters malicious traffic, saving bandwidth and server load.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Over 115 Free Security Features Included\u003C\u002Fh3>\n\u003Cp>We believe professional security should be accessible to everyone. The free version of WP Ghost includes a massive suite of tools to harden your WordPress architecture.\u003C\u002Fp>\n\u003Ch4>1. 
Change and Secure Paths (Paths Security)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Change wp-admin & wp-login.php\u003C\u002Fstrong>: Move your login to a unique URL and show a 404 error to intruders.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change Lost Password & Register URLs\u003C\u002Fstrong>: Secure all authentication entry points.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change wp-content & wp-includes\u003C\u002Fstrong>: Secure your core system folders from direct access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Anonymize Plugins & Themes\u003C\u002Fstrong>: Change visible plugin\u002Ftheme paths so hackers can’t identify your software version.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure admin-ajax.php & REST API\u003C\u002Fstrong>: Change the \u002Fwp-json path to prevent data scraping.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Presets\u003C\u002Fstrong>: One-click activation with three preset levels — from minimal to full protection with Firewall, Brute Force, Logs, and 2FA.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Frontend Test\u003C\u002Fstrong>: Verify your site loads correctly after changing paths before confirming settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Redirects\u003C\u002Fstrong>: Set unique login\u002Flogout redirects based on user roles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Page Designer\u003C\u002Fstrong>: Customize your secured login page with your logo, colors, background, and 10 color schemes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>2. 
Next-Gen Firewall & Authentication\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>8G & 7G Firewall Filters\u003C\u002Fstrong>: High-speed, lightweight server-edge filtering to block bad bots.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Passkey Authentication (Passwordless 2FA)\u003C\u002Fstrong>: Use Face ID, Touch ID, or Windows Hello for un-phishable, device-based logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Standard 2FA (Code & Email)\u003C\u002Fstrong>: Add an extra verification layer to all user accounts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Headers\u003C\u002Fstrong>: Automatically implement CSP, HSTS, X-Frame-Options, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & User Agent Blocking\u003C\u002Fstrong>: Manually blacklist suspicious traffic or referrers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Threats Log\u003C\u002Fstrong>: Track blocked attacks and malicious requests directly in your dashboard (limited view).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Events Log\u003C\u002Fstrong>: Monitor login activity, role changes, and user actions (limited view).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GEO Threats Map\u003C\u002Fstrong>: Visualize where attacks originate with an interactive world map showing the top 5 threat countries.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Optimization Score\u003C\u002Fstrong>: Real-time 0-100 score showing exactly how hardened your site is, with actionable recommendations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Temporary Logins\u003C\u002Fstrong>: Create time-limited access links for developers and clients without sharing passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>3. 
Deep Hiding & Footprint Removal\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Scrub Meta Tags\u003C\u002Fstrong>: Remove WordPress version numbers and generator tags.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean HTML Comments\u003C\u002Fstrong>: Strip identifiable comments that reveal your tech stack.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Admin Toolbar\u003C\u002Fstrong>: Remove the toolbar for specific roles to hide backend indicators.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Emoticons & RSD\u003C\u002Fstrong>: Remove unnecessary header links that bloat code and reveal info.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>4. Advanced Disable Options\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Disable XML-RPC\u003C\u002Fstrong>: Shut down the most common vector for DDoS and brute force.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable REST API Access\u003C\u002Fstrong>: Restrict API access to authenticated users only.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Frontend Lockdown\u003C\u002Fstrong>: Disable right-click, “View Source,” and text selection to prevent manual reconnaissance.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Directory Browsing\u003C\u002Fstrong>: Ensure your server folders are never visible to the public.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>5. Brute Force Protection\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Integrated ReCaptcha\u003C\u002Fstrong>: Supports Google V2, V3, Enterprise, and Math ReCaptcha.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Targeted Protection\u003C\u002Fstrong>: Enable brute force defense on Login, Signup, and WooCommerce pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Throttling\u003C\u002Fstrong>: Define your own lockout times and attempt limits.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>6. 
Extra Tools & Integrations\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Magic Links\u003C\u002Fstrong>: Log in securely without a password via a one-time email link.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Text & URL Mapping\u003C\u002Fstrong>: Change any class name or URL in your source code dynamically.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CDN & Cache Support\u003C\u002Fstrong>: Works perfectly with WP Rocket, Cloudflare, and Litespeed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Premium Hack-Prevention Features\u003C\u002Fh4>\n\u003Cp>For agencies and high-traffic sites, WP Ghost Premium adds advanced features focused on Security Intelligence, Automated Response, and Copyright Protection.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Ghost Mode\u003C\u002Fstrong>: Maximum security preset, changes all paths, hides all file extensions, and enables all hiding options in one click.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Block Automation\u003C\u002Fstrong>: Automatically block IP addresses that trigger repeated security threats.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>AI Copyright Protection\u003C\u002Fstrong>: Block 30+ AI training crawlers (GPTBot, ClaudeBot, PerplexityBot, and others) at the firewall level. List auto-updated with each release. 
Does not affect Google, Bing, or regular search visibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full Security Threats Log\u003C\u002Fstrong>: Unlimited entries with filters by threat type, status, country, and time range, full-text search, pagination, and CSV export.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full User Events Log\u003C\u002Fstrong>: Unlimited entries with filters, search, pagination, and CSV export.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cloud Event Storage\u003C\u002Fstrong>: 30-day cloud retention for audits and incident reports.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time Email Alerts\u003C\u002Fstrong>: Get notified instantly of brute-force attempts or suspicious activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geo-Security (Country Blocking)\u003C\u002Fstrong>: Block entire countries or specific paths by country.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Advanced File Hardening\u003C\u002Fstrong>: Hide file extensions (PHP, CSS, JS, JSON), secure wp-config.php, php.ini, and debug.log.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Database & Server Hardening\u003C\u002Fstrong>: Fix file permissions, change database prefix, regenerate SALT keys.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Priority Support\u003C\u002Fstrong>: Direct access to our security experts and founder-led assistance.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwpghost.com\u002Ffeatures\u002F\" rel=\"nofollow ugc\">Hide My WP Premium Feature\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Technical Compatibility\u003C\u002Fh3>\n\u003Cp>WP Ghost is engineered for the modern WordPress ecosystem:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Hosting Support\u003C\u002Fstrong>: Optimized for WP Engine, Inmotion Hosting, Hostgator Hosting, Godaddy Hosting, Host1plus, Payperhost, Fastcomet, Dreamhost, Bitnami Apache, Bitnami Nginx, Google Cloud Hosting, Amazon AWS Lightsail, Litespeed Hosting, Flywheels Hosting, Kinsta Hosting, Ploi.io, CloudPanel, RunCloud, Rocket Domain, 
Yunohost.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server Support\u003C\u002Fstrong>: Fully compatible with Nginx, Apache, LiteSpeed, and IIS.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Plugin Support\u003C\u002Fstrong>: Seamless integration with Woocommerce, WPML, WPMUDEV, W3 Total Cache, Gravity, WP Super Cache, WP Fastest Cache, Hummingbird Cache, Cachify Cache, Litespeed Cache, SiteGround Optimizer, Nitropack, Cache Enabler, CDN Enabler, WOT Cache, Autoptimize, Jetpack by WordPress, Contact Form 7, bbPress, Manage WP, All In One SEO, Rank Math, Yoast SEO, Squirrly SEO, WP-Rocket, Minify HTML, Solid Security, Sucuri Security, Really Simple SSL, WordFence Security, WP Cerber Security, BBQ Firewall, Anti-Malware Security, Back-Up WordPress, Elementor Page Builder, Divi Builder, Weglot Translate, AddToAny Share Btn, Limit Login Attempts Reloaded, Loginizer, Shield Security, Asset CleanUp, WP Hide & Security Enhancer, and more.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Stop the hack before it starts\u003C\u002Fstrong>. Join over 100,000 users who trust WP Ghost to secure their digital presence.\u003C\u002Fp>\n","Hide and Secure WP paths with the complete WP security suite for Site Hardening. 
Includes 8G Firewall, Brute Force protection, and Passkeys.",2526807,90,371,"2026-04-15T18:16:00.000Z","7.0","5.8","7.4",[20,126,111,23,24],"firewall","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhide-my-wp\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhide-my-wp.zip",86,8,"2026-03-18 00:00:00",{"slug":133,"name":134,"version":135,"author":136,"author_profile":137,"description":138,"short_description":139,"active_installs":140,"downloaded":141,"rating":142,"num_ratings":143,"last_updated":144,"tested_up_to":145,"requires_at_least":146,"requires_php":124,"tags":147,"homepage":150,"download_link":151,"security_score":54,"vuln_count":28,"unpatched_count":49,"last_vuln_date":152,"fetched_at":30},"wp-fail2ban","WP fail2ban – Advanced Security","5.4.1","invisnet","https:\u002F\u002Fprofiles.wordpress.org\u002Finvisnet\u002F","\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.fail2ban.org\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">fail2ban\u003C\u002Fa> is one of the simplest and most effective security measures you can implement to protect your WordPress site.\u003C\u002Fp>\n\u003Cp>\u003Cem>WP fail2ban\u003C\u002Fem> provides the link between WordPress and \u003Ccode>fail2ban\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1\nOct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cem>WPf2b\u003C\u002Fem> comes with three \u003Ccode>fail2ban\u003C\u002Fcode> filters: \u003Ccode>wordpress-hard.conf\u003C\u002Fcode>, \u003Ccode>wordpress-soft.conf\u003C\u002Fcode>, and \u003Ccode>wordpress-extra.conf\u003C\u002Fcode>. 
These are designed to allow a split between immediate banning (hard) and the traditional more graceful approach (soft), with extra rules for custom configurations.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Failed Login Attempts\u003C\u002Fstrong>\u003Cbr \u002F>\nThe very first feature of \u003Cem>WPf2b\u003C\u002Fem>: logging failed login attempts so the IP can be banned. Just as useful today as it was then.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block User Enumeration\u003C\u002Fstrong>\u003Cbr \u002F>\nOne of the most common precursors to a password-guessing brute force attack is \u003Ca href=\"https:\u002F\u002Fwp-fail2ban.com\u002Ffeatures\u002Fblock-user-enumeration\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">user enumeration\u003C\u002Fa>. \u003Cem>WPf2b\u003C\u002Fem> can block it, stopping the attack before it starts.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block username logins\u003C\u002Fstrong>\u003Cbr \u002F>\nSometimes it’s not possible to block user enumeration (for example, if your theme provides Author profiles). \u003Cem>WPf2b\u003C\u002Fem> can require users to log in with their email address instead of their username.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Blocking Users\u003C\u002Fstrong>\u003Cbr \u002F>\nAnother of the older \u003Cem>WPf2b\u003C\u002Fem> features: the login process can be aborted for specified usernames.\u003Cbr \u002F>\nSay a bot collected your site’s usernames before you blocked user enumeration. Once you’ve changed all the usernames, add the old ones to the list; anything using them will trigger a “hard” fail.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Empty Username Login Attempts\u003C\u002Fstrong>\u003Cbr \u002F>\nSome bots will try to log in without a username; harmless, but annoying. 
These attempts are logged as a “soft” fail so the more persistent bots will be banned.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Spam\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> will log a spammer’s IP address as a “hard” fail when their comment is marked as spam; the Premium version will also log the IP when Akismet discards “obvious” spam.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Attempted Comments\u003C\u002Fstrong>\u003Cbr \u002F>\nSome spam bots try to comment on everything, even things that aren’t there. \u003Cem>WPf2b\u003C\u002Fem> detects these and logs them as a “hard” fail.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Pingbacks\u003C\u002Fstrong>\u003Cbr \u002F>\nPingbacks are a great feature, but they can be abused to attack the rest of the WWW. Rather than disable them completely, \u003Cem>WPf2b\u003C\u002Fem> effectively rate-limits potential attackers by logging the IP address as a “soft” fail.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block XML‑RPC Requests\u003C\u002Fstrong> [Premium]\u003Cbr \u002F>\nThe only reason most sites need XML‑RPC (other than Pingbacks) is for Jetpack; \u003Cem>WPf2b\u003C\u002Fem> Premium can block XML‑RPC while allowing Jetpack and\u002For Pingbacks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block Countries\u003C\u002Fstrong> [Premium]\u003Cbr \u002F>\nSometimes you just need a bigger hammer – if you’re seeing nothing but attacks from some countries, block them!\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Cloudflare and Proxy Servers\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> will work with \u003Ca href=\"https:\u002F\u002Fwp-fail2ban.com\u002Ffeatures\u002Fcloudflare-and-proxy-servers\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">Cloudflare\u003C\u002Fa>, and the Premium version will 
automatically update the list of Cloudflare IP addresses.\u003Cbr \u002F>\nYou can also configure your own list of trusted proxies.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>syslog Dashboard Widget\u003C\u002Fstrong>\u003Cbr \u002F>\nEver wondered what’s being logged? The dashboard widget shows the last 5 messages; the Premium version keeps a full history to help you analyse and prevent attacks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Site Health Check\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> will (try to) check that your \u003Ccode>fail2ban\u003C\u002Fcode> configuration is sane and that the filters are up to date; out-of-date filters are the primary cause of \u003Cem>WPf2b\u003C\u002Fem> not working as well as it can.\u003Cbr \u002F>\nWhen did you last run the Site Health tool?\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>\u003Ccode>mu-plugins\u003C\u002Fcode> Support\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>WPf2b\u003C\u002Fem> can easily be configured as a “must-use plugin” – see \u003Ca href=\"https:\u002F\u002Fdocs.wp-fail2ban.com\u002Fen\u002F5.4\u002Fconfiguration.html?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1#mu-plugins-support\" rel=\"nofollow ugc\">Configuration\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>API to Extend \u003Cem>WPf2b\u003C\u002Fem>\u003C\u002Fstrong>\u003Cbr \u002F>\nIf your plugin can detect behaviour which should be blocked, why reinvent the wheel?\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Event Hooks\u003C\u002Fstrong> [Premium]\u003Cbr \u002F>\nNeed to do something special when \u003Cem>WPf2b\u003C\u002Fem> detects a particular event? 
\u003Ca href=\"https:\u002F\u002Fdocs.wp-fail2ban.com\u002Fen\u002F5.4\u002Fdevelopers\u002Fevents.html?utm_source=wordpress.org&utm_medium=readme&utm_campaign=wp-fail2ban-premium-5.4.1\" rel=\"nofollow ugc\">There’s a hook for that\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Premium\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Web Application Firewall (WAF)\u003C\u002Fli>\n\u003Cli>Akismet support.\u003C\u002Fli>\n\u003Cli>Block XML‑RPC while allowing Jetpack and\u002For Pingbacks.\u003C\u002Fli>\n\u003Cli>Block Countries.\u003C\u002Fli>\n\u003Cli>Auto-update Cloudflare IPs.\u003C\u002Fli>\n\u003Cli>Event log.\u003C\u002Fli>\n\u003Cli>Event hooks.\u003C\u002Fli>\n\u003C\u002Ful>\n","WP fail2ban uses fail2ban to protect your WordPress site.",70000,1980109,84,71,"2025-04-29T15:21:00.000Z","6.8.5","4.2",[20,148,23,24,149],"fail2ban","syslog","https:\u002F\u002Fwp-fail2ban.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-fail2ban.5.4.1.zip","2019-02-25 00:00:00",{"slug":105,"name":154,"version":155,"author":156,"author_profile":157,"description":158,"short_description":159,"active_installs":160,"downloaded":161,"rating":119,"num_ratings":162,"last_updated":163,"tested_up_to":101,"requires_at_least":164,"requires_php":124,"tags":165,"homepage":170,"download_link":171,"security_score":172,"vuln_count":173,"unpatched_count":49,"last_vuln_date":174,"fetched_at":30},"Titan Anti-spam & Security","7.5.0","Themeisle","https:\u002F\u002Fprofiles.wordpress.org\u002Fthemeisle\u002F","\u003Cp>Titan Anti-Spam & Security is a complete protection solution designed to secure your website against spam, login attacks, and unauthorized access.\u003C\u002Fp>\n\u003Cp>Websites are constantly targeted by automated spam bots, brute force login attempts, and malicious access patterns. 
Titan helps you block spam comments, protect your login page, enforce strong authentication, and apply essential security hardening rules from a single dashboard.\u003C\u002Fp>\n\u003Cp>Whether you run a blog, business site, WooCommerce store, membership platform, or agency network, Titan helps you:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Stop comment spam automatically\u003C\u002Fli>\n\u003Cli>Protect your login area from brute force attacks\u003C\u002Fli>\n\u003Cli>Limit login attempts and lock suspicious activity\u003C\u002Fli>\n\u003Cli>Monitor login activity and security events\u003C\u002Fli>\n\u003Cli>Apply security hardening best practices\u003C\u002Fli>\n\u003Cli>Enable two-factor authentication for stronger account security in \u003Ca href=\"https:\u002F\u002Ftitansitescanner.com\u002F?utm_source=wordpressorg&utm_medium=readme&utm_campaign=2fa\" rel=\"nofollow ugc\">Pro\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Create backups with advanced storage options in \u003Ca href=\"https:\u002F\u002Ftitansitescanner.com\u002F?utm_source=wordpressorg&utm_medium=readme&utm_campaign=backup\" rel=\"nofollow ugc\">Pro\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Titan is designed to reduce risk without affecting legitimate visitors or requiring captcha challenges.\u003C\u002Fp>\n\u003Ch3>Quick links\u003C\u002Fh3>\n\u003Cp>📘 \u003Ca href=\"https:\u002F\u002Fdocs.themeisle.com\u002Ftitan-anti-spam-security\u002F\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa> – Complete setup and configuration guide\u003Cbr \u002F>\n💬 \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fanti-spam\u002F\" rel=\"ugc\">Support Forum\u003C\u002Fa> – Get help with spam protection, login security, and plugin settings from the community and support team.\u003Cbr \u002F>\n⭐ \u003Ca href=\"https:\u002F\u002Ftitansitescanner.com\u002F?utm_source=wordpressorg&utm_medium=readme&utm_campaign=quicklinks\" rel=\"nofollow ugc\">Go Pro\u003C\u002Fa> – Unlock Machine Learning 
spam detection, two-factor authentication, backups, and priority support.\u003C\u002Fp>\n\u003Ch3>Anti Spam Protection\u003C\u002Fh3>\n\u003Cp>Spam comments can damage your SEO, clutter your database, and waste moderation time. Titan provides automated spam protection that works in the background without interrupting real users.\u003C\u002Fp>\n\u003Cp>Every comment is checked against a global spam database and evaluated using intelligent filtering rules. Suspicious comments are automatically marked as spam and hidden from public view.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Automatic spam comment blocking:\u003C\u002Fstrong> Blocks spam comments in real time using a global spam database and intelligent filtering rules. Suspicious submissions are automatically marked as spam before they appear publicly.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Block spam comments without captcha:\u003C\u002Fstrong> Protect your site from comment spam without forcing visitors to solve captcha challenges. Real users experience a smooth commenting process.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Save spam comments for review:\u003C\u002Fstrong> Optionally store filtered spam comments in the moderation area so you can verify filtering accuracy and review blocked content.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Detailed spam processing logs:\u003C\u002Fstrong> View logs of processed comments to understand how spam filtering works and monitor spam activity trends.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Privacy policy link integration:\u003C\u002Fstrong> Display a privacy policy notice under comment forms to help with transparency and compliance requirements.\u003C\u002Fp>\n\u003Cp>This ensures real visitors can interact freely while bots are filtered automatically.\u003C\u002Fp>\n\u003Ch3>Security Hardening Tools\u003C\u002Fh3>\n\u003Cp>Titan includes built-in security hardening options that reduce publicly exposed information and protect your website from common automated 
attacks.\u003C\u002Fp>\n\u003Cp>Many bots scan websites looking for version numbers, exposed login patterns, weak passwords, or XML-RPC endpoints. Titan helps minimize those risks with configurable hardening controls that strengthen overall site security.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Strong Password Enforcement:\u003C\u002Fstrong> Force users to create strong passwords based on the WordPress password strength meter. Weak passwords are a leading cause of account compromise. Enforcing strong credentials significantly improves login security and reduces unauthorized access risks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Hide Author Login:\u003C\u002Fstrong> Attackers can attempt to discover usernames using author archive URLs. Titan prevents user enumeration by restricting access patterns that reveal valid login names. This reduces the effectiveness of targeted brute force login attacks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Disable XML-RPC:\u003C\u002Fstrong> XML-RPC can be abused for automated login attacks and pingback spam. Disabling XML-RPC reduces exposure to remote brute force attempts and limits unnecessary resource usage.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Hide Version Information:\u003C\u002Fstrong> WordPress core and plugins sometimes expose version numbers in the source code. Attackers use this information to target known vulnerabilities. Titan removes version references to reduce fingerprinting risks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Remove Version Query Strings:\u003C\u002Fstrong> JavaScript and CSS files often include version query parameters. Removing these prevents attackers from identifying the exact WordPress or plugin version running on your site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Remove Meta Generator Tag:\u003C\u002Fstrong> The generator meta tag can reveal your CMS version. 
Titan removes it to reduce publicly visible system information and lower exposure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Remove HTML Comments:\u003C\u002Fstrong> Some themes and plugins output HTML comments that may expose structural details. Titan can remove these comments to limit unnecessary information disclosure.\u003C\u002Fp>\n\u003Cp>Together, these security hardening options reduce your attack surface and strengthen your website without affecting normal functionality.\u003C\u002Fp>\n\u003Ch3>Activity Monitoring and Logs\u003C\u002Fh3>\n\u003Cp>Security is not only about blocking attacks. It is also about visibility and awareness.\u003C\u002Fp>\n\u003Cp>Titan includes built-in monitoring tools that help you understand login behavior and security activity on your website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login Attempts Log:\u003C\u002Fstrong> Track failed login attempts in real time. See which IP addresses are attempting access, how many retries were made, and when lockouts were triggered. This helps you evaluate brute force protection effectiveness.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Activity Logger:\u003C\u002Fstrong> Monitor security-related events across your site, including login activity and system actions. Identify suspicious patterns before they escalate.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Error Log Viewer:\u003C\u002Fstrong> View plugin-related errors directly from the dashboard. Diagnose configuration issues quickly without accessing server files.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Debug Information Export:\u003C\u002Fstrong> Export diagnostic information when contacting support. 
This reduces troubleshooting time and speeds up issue resolution.\u003C\u002Fp>\n\u003Cp>With proper monitoring and logging, you are not only blocking attacks but also gaining insight into how your website is being targeted.\u003C\u002Fp>\n\u003Ch3>PRO Anti Spam Features\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Machine Learning spam detection:\u003C\u002Fstrong> Advanced spam filtering powered by Machine Learning improves detection accuracy by analyzing behavioral patterns across large datasets.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Scan existing comments for spam:\u003C\u002Fstrong> Identify previously approved spam comments and clean up your database.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Scan registered users for spam accounts:\u003C\u002Fstrong> Detect and flag suspicious user accounts that may have been created by spam bots.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Enhanced background spam analysis:\u003C\u002Fstrong> Apply additional invisible tests that improve spam protection without affecting legitimate visitors.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftitansitescanner.com\u002F?utm_source=wordpressorg&utm_medium=readme&utm_campaign=antispam\" rel=\"nofollow ugc\">Upgrade to unlock\u003C\u002Fa> advanced anti-spam capabilities.\u003C\u002Fp>\n\u003Ch3>PRO Two Factor Authentication\u003C\u002Fh3>\n\u003Cp>Two-factor authentication adds an additional verification step beyond a password. 
Even if a password is compromised, attackers cannot access the account without the second authentication factor.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>QR Code Setup:\u003C\u002Fstrong> Scan a QR code with an authenticator app to activate two-factor authentication quickly and securely.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Manual Secret Key Configuration:\u003C\u002Fstrong> Set up two-factor authentication manually if QR code scanning is unavailable.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Per User 2FA Management:\u003C\u002Fstrong> Enable or manage two-factor authentication individually for specific users or roles.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Compatible with TOTP Apps:\u003C\u002Fstrong> Works with popular authenticator apps such as Google Authenticator and other TOTP-compatible applications.\u003C\u002Fp>\n\u003Cp>Two-factor authentication significantly strengthens login security for administrators and users.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftitansitescanner.com\u002F?utm_source=wordpressorg&utm_medium=readme&utm_campaign=2fa\" rel=\"nofollow ugc\">Upgrade to Titan Pro\u003C\u002Fa> to enable Two Factor Authentication and advanced account protection.\u003C\u002Fp>\n\u003Ch3>PRO Backup and Recovery\u003C\u002Fh3>\n\u003Cp>Regular backups are essential for website security and recovery planning. 
If something goes wrong, having a recent backup allows you to restore your site quickly.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Scheduled Automatic Backups:\u003C\u002Fstrong> Automatically create backups at defined intervals to ensure recent recovery points are always available.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Manual Backup Creation:\u003C\u002Fstrong> Generate a backup instantly before making major changes to your website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>FTP Storage Support:\u003C\u002Fstrong> Store backups on a remote FTP server for additional protection and redundancy.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Dropbox Storage Integration:\u003C\u002Fstrong> Save backups to Dropbox for secure off-site storage.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Automatic Archive Cleanup:\u003C\u002Fstrong> Remove older backup files automatically to manage storage usage efficiently.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Adjustable Backup Performance:\u003C\u002Fstrong> Control backup speed to balance performance and server resource usage.\u003C\u002Fp>\n\u003Cp>Backups can be managed directly from the Titan dashboard for centralized control.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftitansitescanner.com\u002F?utm_source=wordpressorg&utm_medium=readme&utm_campaign=backup\" rel=\"nofollow ugc\">Upgrade to Titan Pro\u003C\u002Fa> to unlock scheduled backups and external storage options.\u003C\u002Fp>\n\u003Ch3>Use Cases\u003C\u002Fh3>\n\u003Cp>Titan is suitable for:\u003C\u002Fp>\n\u003Cp>• Blogs receiving large volumes of comment spam\u003Cbr \u002F>\n• WooCommerce stores protecting customer login pages\u003Cbr \u002F>\n• Membership websites securing user accounts\u003Cbr \u002F>\n• Agencies managing multiple client websites\u003Cbr \u002F>\n• Educational platforms enforcing stronger authentication\u003Cbr \u002F>\n• Website owners looking for anti-spam and login security in one plugin\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>Need help? 
Open a new thread in the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fanti-spam\u002F\" rel=\"ugc\">Support Forum\u003C\u002Fa>, and we’ll be happy to assist.\u003C\u002Fp>\n\u003Ch3>Documentation\u003C\u002Fh3>\n\u003Cp>Discover how to make the most of Robin with our detailed and user-friendly \u003Ca href=\"https:\u002F\u002Fdocs.themeisle.com\u002F\" rel=\"nofollow ugc\">documentation\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Titan is backed by Themeisle, trusted by over 1 million WordPress users worldwide.\u003C\u002Fp>\n","Block spam comments, defend against login attempts, and strengthen site security with anti-spam, brute-force protection, and two-factor authentication &hellip;",60000,3442821,369,"2026-03-11T17:54:00.000Z","5.6",[166,167,168,24,169],"antispam","brute-force-protection","limit-login-attempts","two-factor-authentication","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fanti-spam\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanti-spam.7.5.0.zip",98,3,"2024-07-11 
00:00:00",{"attackSurface":176,"codeSignals":212,"taintFlows":242,"riskAssessment":243,"analyzedAt":255},{"hooks":177,"ajaxHandlers":208,"restRoutes":209,"shortcodes":210,"cronEvents":211,"entryPointCount":49,"unprotectedCount":49},[178,184,187,190,195,201,205],{"type":179,"name":180,"callback":181,"file":182,"line":183},"action","admin_menu","add_menu_page","classes\\admin.class.php",7,{"type":179,"name":185,"callback":186,"file":182,"line":130},"admin_init","register_settings",{"type":179,"name":185,"callback":188,"file":182,"line":189},"maybe_redirect",9,{"type":179,"name":191,"callback":192,"priority":193,"file":182,"line":194},"wp_version_check","clear_transients",99,11,{"type":196,"name":197,"callback":198,"priority":67,"file":199,"line":200},"filter","authenticate","check_preauth","classes\\bruteguard.class.php",18,{"type":179,"name":202,"callback":203,"file":199,"line":204},"wp_login_failed","log_failed_attempt",19,{"type":179,"name":185,"callback":206,"file":199,"line":207},"maybe_update_headers",20,[],[],[],[],{"dangerousFunctions":213,"sqlUsage":214,"outputEscaping":219,"fileOperations":49,"externalRequests":173,"nonceChecks":49,"capabilityChecks":28,"bundledLibraries":241},[],{"prepared":28,"raw":28,"locations":215},[216],{"file":199,"line":217,"context":218},216,"$wpdb->get_var() with variable interpolation",{"escaped":194,"rawEcho":220,"locations":221},13,[222,226,228,229,230,232,233,234,235,236,237,239,240],{"file":223,"line":224,"context":225},"views\\admin.php",34,"raw 
output",{"file":223,"line":227,"context":225},74,{"file":223,"line":227,"context":225},{"file":223,"line":227,"context":225},{"file":223,"line":231,"context":225},78,{"file":223,"line":231,"context":225},{"file":223,"line":231,"context":225},{"file":223,"line":142,"context":225},{"file":223,"line":142,"context":225},{"file":223,"line":142,"context":225},{"file":223,"line":238,"context":225},88,{"file":223,"line":238,"context":225},{"file":223,"line":238,"context":225},[],[],{"summary":244,"deductions":245},"The bruteguard plugin v0.1.4 presents a mixed security posture. On the positive side, the static analysis reveals a very limited attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks. The absence of dangerous functions and file operations is also a strong indicator of good coding practices in those areas. However, the plugin exhibits weaknesses in output escaping, with less than half of its outputs being properly escaped, suggesting a potential for cross-site scripting vulnerabilities. The use of external HTTP requests also warrants attention, as these can sometimes be vectors for attack if not handled carefully.\n\nThe vulnerability history is a significant concern. The presence of one known medium-severity CVE, specifically related to Cross-site Scripting, which is also currently unpatched, indicates a direct and actionable security risk. The fact that the last vulnerability was recent further emphasizes the need for immediate attention to this known issue. 
While the plugin doesn't show critical or high severity vulnerabilities in its history or taint analysis, the unpatched medium CVE coupled with the poor output escaping metrics points to a real and present danger to sites using this plugin.\n\nIn conclusion, while bruteguard v0.1.4 has a small attack surface and avoids certain risky coding practices, the unpatched cross-site scripting vulnerability and the high percentage of improperly escaped output are critical weaknesses. The plugin's security is significantly undermined by the known, unaddressed vulnerability. Users should be strongly advised to either ensure this vulnerability is patched or to refrain from using this version of the plugin. Note that the CVE covers all versions up to and including 0.1.4, the current release, so every version listed for this plugin is affected.",[246,249,252],{"reason":247,"points":248},"Unpatched Medium CVE",15,{"reason":250,"points":251},"Low Output Escaping Percentage",6,{"reason":253,"points":254},"SQL queries not fully prepared",5,"2026-03-16T20:25:19.920Z",{"wat":257,"direct":265},{"assetPaths":258,"generatorPatterns":261,"scriptPaths":262,"versionParams":263},[259,260],"\u002Fwp-content\u002Fplugins\u002Fbruteguard\u002Fassets\u002Fcss\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fbruteguard\u002Fassets\u002Fjs\u002Fadmin.js",[],[260],[264,4],"bruteguard-admin",{"cssClasses":266,"htmlComments":271,"htmlAttributes":272,"restEndpoints":274,"jsGlobals":275,"shortcodeOutput":276},[267,268,269,270],"bruteguard-apikey-field","bruteguard-email-field","bruteguard-email","bruteguard-email-submit",[],[273],"data-key",[],[4],[],{"error":278,"url":279,"statusCode":280,"statusMessage":281,"message":281},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fbruteguard\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":254,"versions":283},[284,290,298,306,314],{"version":6,"download_url":26,"svn_tag_url":285,"released_at":38,"has_diff":48,"diff_files_changed":286,"diff_lines":38,"trac_diff_url":287,"vulnerabilities":288,"is_current":278},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbruteguard\u002Ftags\u002F0.1.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbruteguard%2Ftags%2F0.1.3&new_path=%2Fbruteguard%2Ftags%2F0.1.4",[289],{"id":34,"url_slug":35,"title":36,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":38},{"version":291,"download_url":292,"svn_tag_url":293,"released_at":38,"has_diff":48,"diff_files_changed":294,"diff_lines":38,"trac_diff_url":295,"vulnerabilities":296,"is_current":48},"0.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbruteguard.0.1.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbruteguard\u002Ftags\u002F0.1.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbruteguard%2Ftags%2F0.1.2&new_path=%2Fbruteguard%2Ftags%2F0.1.3",[297],{"id":34,"url_slug":35,"title":36,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":38},{"version":299,"download_url":300,"svn_tag_url":301,"released_at":38,"has_diff":48,"diff_files_changed":302,"diff_lines":38,"trac_diff_url":303,"vulnerabilities":304,"is_current":48},"0.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbruteguard.0.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbruteguard\u002Ftags\u002F0.1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbruteguard%2Ftags%2F0.1.1&new_path=%2Fbruteguard%2Ftags%2F0.1.2",[305],{"id":34,"url_slug":35,"title":36,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":38},{"version":307,"download_url":308,"svn_tag_url":309,"released_at":38,"has_diff":48,"diff_files_changed":310,"diff_lines":38,"trac_diff_url":311,"vulnerabilitie
s":312,"is_current":48},"0.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbruteguard.0.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbruteguard\u002Ftags\u002F0.1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbruteguard%2Ftags%2F0.1.0&new_path=%2Fbruteguard%2Ftags%2F0.1.1",[313],{"id":34,"url_slug":35,"title":36,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":38},{"version":315,"download_url":316,"svn_tag_url":317,"released_at":38,"has_diff":48,"diff_files_changed":318,"diff_lines":38,"trac_diff_url":38,"vulnerabilities":319,"is_current":48},"0.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbruteguard.0.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbruteguard\u002Ftags\u002F0.1.0\u002F",[],[320],{"id":34,"url_slug":35,"title":36,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":38}]