[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fO-rQWMe0SSH7Bfda3pN2xmdUuHzD2Aql3N4HKNxvIcU":3,"$flj5CUR3QadR3XToEgdZekPyO5I7yhDQqq3KMJCqjXyE":472,"$fv1KdR_-Mqx2YE-ZmsHZt2gXsp9HsXPBh5efWscw41AM":476},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"discovery_status":31,"vulnerabilities":32,"developer":33,"crawl_stats":29,"alternatives":38,"analysis":142,"fingerprints":419},"code9","Code9","1.0.13","Code9fair","https:\u002F\u002Fprofiles.wordpress.org\u002Fcode9fair\u002F","\u003Cp>Code9 2-step verification code for users. utility tool for wordpress. lightweight and high performance.\u003C\u002Fp>\n\u003Ch3>2-Step Verification Code\u003C\u002Fh3>\n\u003Cp>Code9 2-step verification code will add more protection to site admin area.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allow admin to create a 2-step verification code for every user.\u003C\u002Fli>\n\u003Cli>Allow user to create a 2-step verification code after activating the plugin.\u003C\u002Fli>\n\u003Cli>Can change 2-step verification code anytime at profile setting page.\u003C\u002Fli>\n\u003Cli>Blocked if the user types the 2-step verification code wrong in more than 4 attempts.\u003C\u002Fli>\n\u003Cli>Admin can force all users to type 2-step verification code again.\u003C\u002Fli>\n\u003Cli>Admin can activate and deactivate 2-step verification code anytime.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Anti Brute Force\u003C\u002Fh3>\n\u003Cp>Prevents an attacker from making continuous login attempts. (Including xmlrpc.php)\u003Cbr \u002F>\n* If the plugin detects continuous login attempts, it redirects the user to a reCAPTCHA page before allowing the login to continue.\u003C\u002Fp>\n","Code9 2-step verification code for users. 
utility tool for wordpress. lightweight and high performance.",10,1411,100,1,"2023-05-03T02:54:00.000Z","6.2.9","4.1","5.6.4",[20,21,22,23,24],"2-step-login","2fa","two-step-authentication","verification-password","wordpress-authentication","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcode9\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcode9.zip",85,0,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":34,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"code9fair",30,84,"2026-05-20T04:30:06.093Z",[39,64,84,105,120],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":50,"last_updated":51,"tested_up_to":52,"requires_at_least":53,"requires_php":54,"tags":55,"homepage":59,"download_link":60,"security_score":61,"vuln_count":62,"unpatched_count":28,"last_vuln_date":63,"fetched_at":30},"wp-2fa","WP 2FA – Two-factor authentication for WordPress","3.1.1.2","Melapress","https:\u002F\u002Fprofiles.wordpress.org\u002Fmelapress\u002F","\u003Ch3>A free and easy-to-use two-factor authentication plugin for WordPress\u003C\u002Fh3>\n\u003Cp>Add an extra layer of security to your WordPress website login and protect your users. Enable two-factor authentication (2FA), the best protection against password leaks, automated password guessing, and brute force attacks.\u003C\u002Fp>\n\u003Cp>Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, enforce 2FA for all your website users, or for users with specific roles. 
This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FvRlX_NNGeFo?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Ffeatures\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Features\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fsupport\u002Fkb\u002Fwp-2fa-plugin-getting-started\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Getting Started\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Fpricing\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Get the Premium!\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>🔒 WP 2FA key plugin features and capabilities\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Passkeys support\u003C\u002Fstrong> for passwordless logins   \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Free two-factor authentication (2FA)\u003C\u002Fstrong> for all users  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple 2FA methods\u003C\u002Fstrong> supported, including authenticator app (TOTP) and code over email  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer API\u003C\u002Fstrong> to integrate any alternative 2FA method (WhatsApp, OTP Token, etc.)  
\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Universal 2FA app support\u003C\u002Fstrong> – works with Google Authenticator, Authy, and any TOTP-compatible app  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup codes\u003C\u002Fstrong> (16 digits) for recovery access  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wizard-driven setup\u003C\u002Fstrong> – no technical knowledge required  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>2FA policies\u003C\u002Fstrong> to enforce setup with grace periods or instant activation  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API endpoints\u003C\u002Fstrong> for custom integrations and headless WordPress setups  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dashboard-free setup\u003C\u002Fstrong> – users can configure 2FA without WP admin access  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Editable email templates\u003C\u002Fstrong> for full customization  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Much more!\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>💎 Upgrade to WP 2FA Premium and get even more benefits\u003C\u002Fh3>\n\u003Cp>The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.\u003C\u002Fp>\n\u003Cp>With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, extensive white labeling capabilities, and much more!\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Fpricing\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Check out WP 2FA Premium!\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Premium features list\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Everything in the free version\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full white labeling capabilities\u003C\u002Fstrong> to change all text and visuals in the wizards, emails, SMS, and 2FA 
pages\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Support for multiple passkeys per user\u003C\u002Fstrong> for flexible passwordless logins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero-setup email 2FA\u003C\u002Fstrong> that automatically enrolls users without manual configuration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>YubiKey hardware key support\u003C\u002Fstrong> for enterprise-grade security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Additional 2FA methods\u003C\u002Fstrong> such as SMS, email link, and more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Trusted devices\u003C\u002Fstrong> so users can log in without 2FA for a configured period\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Require 2FA on password reset\u003C\u002Fstrong> to strengthen account protection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Allow next user login without 2FA\u003C\u002Fstrong> to help recover accounts locked out of authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>One-click WooCommerce integration\u003C\u002Fstrong> to enable 2FA for customers and store admins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>And much more!\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Refer to the \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Ffeatures\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">WP 2FA plugin features and benefits page\u003C\u002Fa> to learn more about the benefits of upgrading to WP 2FA Premium.\u003C\u002Fp>\n\u003Ch3>🛠️ Free and premium support\u003C\u002Fh3>\n\u003Cp>Support for the free edition of WP 2FA is free on the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fwp-2fa\u002F\" rel=\"ugc\">WordPress support forums\u003C\u002Fa>. 
Premium world-class support via one-to-one email is available to the Premium users – \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Fpricing\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">upgrade to premium\u003C\u002Fa> to benefit from email support.\u003C\u002Fp>\n\u003Cp>For any other queries, feedback, or if you simply want to get in touch with us, please use our \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fcontact\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">contact form\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>MAINTAINED & SUPPORTED BY MELAPRESS\u003C\u002Fh4>\n\u003Cp>Melapress develops high-quality WordPress management and security plugins, such as Melapress Login Security, Melapress Role Editor, and WP Activity Log; the #1 user-rated activity log plugin for WordPress.\u003C\u002Fp>\n\u003Cp>Browse our list of \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">WordPress security and administration plugins\u003C\u002Fa> to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.\u003C\u002Fp>\n\u003Ch3>Installing WP 2FA\u003C\u002Fh3>\n\u003Ch3>From within WordPress\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Navigate to ‘Plugins’ > ‘Add New’\u003C\u002Fli>\n\u003Cli>Search for ‘WP 2FA’\u003C\u002Fli>\n\u003Cli>Install & activate WP 2FA from your Plugins page\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Manually\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download the plugin from the WordPress plugins repository\u003C\u002Fli>\n\u003Cli>Unzip the zip file and upload the folder to the ‘\u002Fwp-content\u002Fplugins\u002F directory’\u003C\u002Fli>\n\u003Cli>Activate the WP 2FA plugin through the ‘Plugins’ menu in 
WordPress\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>As featured on:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.wpbeginner.com\u002Fplugins\u002Fhow-to-add-two-factor-authentication-for-wordpress\u002F\" rel=\"nofollow ugc\">WP Beginner\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.isitwp.com\u002Fbest-wordpress-security-authentication-plugins\u002F\" rel=\"nofollow ugc\">IsitWP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpastra.com\u002Ftwo-factor-authentication-wordpress\u002F\" rel=\"nofollow ugc\">WP Astra\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fmainwp.com\u002Fhow-to-use-the-wp-2fa-plugin-on-your-child-sites\u002F\" rel=\"nofollow ugc\">MainWP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.fixrunner.com\u002Fwordpress-two-factor-authentication\u002F\" rel=\"nofollow ugc\">FixRunner\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.inmotionhosting.com\u002Fsupport\u002Fedu\u002Fwordpress\u002Fplugins\u002Fwp-2fa\u002F\" rel=\"nofollow ugc\">Inmotion Hosting\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmarmite.com\u002Fen\u002Fwordpress-two-factor-authentication\u002F\" rel=\"nofollow ugc\">WP Marmite\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Get better WordPress login security; add two-factor authentication (2FA) for all your users with this easy-to-use plugin.",100000,1587353,94,164,"2026-03-16T09:13:00.000Z","6.9.4","5.5","7.4",[56,21,57,58,24],"2-factor-authentication","google-authenticator","two-factor-authentication","https:\u002F\u002Fmelapress.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-2fa.3.1.1.2.zip",96,9,"2025-11-03 
00:00:00",{"slug":65,"name":66,"version":67,"author":68,"author_profile":69,"description":70,"short_description":71,"active_installs":11,"downloaded":72,"rating":73,"num_ratings":14,"last_updated":74,"tested_up_to":75,"requires_at_least":76,"requires_php":74,"tags":77,"homepage":81,"download_link":82,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":83},"wp-2-step","WP 2 Step Authentication","1.5","Scriptonite","https:\u002F\u002Fprofiles.wordpress.org\u002Fscriptonite\u002F","\u003Cp>This plugin adds a layer of security to your login page. You have full control over who can use it and also who can use which type. Included in this release is login pin by email and login pin by sms. You can allow users to receive their pins by email and allow admins to use sms, or you can allow sms and email for everyone, the choice is yours.  Users can select their preferences in their own profile page and set the cellphone they would like to receive messages on if sms is used.\u003C\u002Fp>\n\u003Cp>The android app and pin code by email are free services and hook directly to your site and use no 3rd party sites or services.  The sms service will require an account with \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Fmembership-levels\u002F\" rel=\"nofollow ugc\">WP2step.com\u003C\u002Fa> to send the sms, you can sign up for free \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Fmembership-levels\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.  WP2Step does not collect any login data or save any personal information from your users, they only receive the pin and cell number along with your API key.  API keys can be used on multiple sites and are not limited to a single domain or user and are perfect for an admin developer with multiple sites looking to protect their account.\u003C\u002Fp>\n\u003Cp>Simply log in as you would normally, your random pin will arrive instantly.  What kind of pin? 
You can decide and set the length and characters used as well as the time until it expires.  Have an idea for new features? Find a bug? We want to make this plugin as secure and beneficial as possible so please let us know \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Ffeature-requests-and-bug-reports\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>We do not actively monitor this plugin's support page; if you need support please open a ticket \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Fsupport-tickets\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>\u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.whereyoursolutionis.wp2step\" rel=\"nofollow ugc\">Get The App Free on Google Play\u003C\u002Fa>\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.whereyoursolutionis.wp2step\" rel=\"nofollow ugc\">\u003C\u002Fp>\n\u003Cp>\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Upcoming Features\u003C\u002Fh3>\n\u003Cp>Receive your login code via the free wp2step app for iOS, coming soon\u003C\u002Fp>\n","Simple 2 step authentication for the masses!",1681,20,"","3.9.40","3.0.1",[78,20,79,80,22],"2-step-authentication","login-security","login-with-pin","http:\u002F\u002Fwww.whereyoursolutionis.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-2-step.zip","2026-03-15T10:48:56.248Z",{"slug":85,"name":86,"version":87,"author":88,"author_profile":89,"description":90,"short_description":91,"active_installs":28,"downloaded":92,"rating":28,"num_ratings":28,"last_updated":93,"tested_up_to":94,"requires_at_least":95,"requires_php":96,"tags":97,"homepage":74,"download_link":101,"security_score":102,"vuln_count":103,"unpatched_count":28,"last_vuln_date":104,"fetched_at":30},"contentlock","ContentLock","1.0.6","Adam Solymosi","https:\u002F\u002Fprofiles.wordpress.org\u002Fadamfalcon\u002F","\u003Ch3>EMAIL-BASED VERIFICATION 
✔️\u003C\u002Fh3>\n\u003Cp>ContentLock is a simple solution for setting \u003Cstrong>email-based access to your Pages, Posts, or Custom Post Types\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Do you want to provide quick access to someone (or a whole group) via email only, \u003Cstrong>without requiring any kind of registration\u003C\u002Fstrong>?\u003C\u002Fp>\n\u003Cp>Here is your plugin!\u003C\u002Fp>\n\u003Ch3>SECURE ACCESS TO YOUR CONTENT 🔑\u003C\u002Fh3>\n\u003Cp>ContentLock offers a solution that is independent of WordPress users and the registration system, allowing you to grant access to content that is hidden from other visitors.\u003C\u002Fp>\n\u003Cp>Compatible with popular page builders, editors and plugins: Gutenberg, Classic Editor, Elementor, Divi, etc.\u003C\u002Fp>\n\u003Ch3>FEATURES 🚀\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Create groups for standalone email lists\u003C\u002Fli>\n\u003Cli>Set access for multiple groups simultaneously\u003C\u002Fli>\n\u003Cli>Import emails from a CSV file\u003C\u002Fli>\n\u003Cli>Unlock content with an email verification code\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure access to your content (Pages, Posts, or Custom Post Types) with ContentLock's email-based two-step verification!",1645,"2025-03-24T20:50:00.000Z","6.7.5","6.2","7.0",[21,98,99,100,22],"block-content","content-protect","locker","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontentlock.1.0.6.zip",90,3,"2024-06-21 00:00:00",{"slug":106,"name":107,"version":108,"author":109,"author_profile":110,"description":111,"short_description":112,"active_installs":28,"downloaded":113,"rating":28,"num_ratings":28,"last_updated":114,"tested_up_to":94,"requires_at_least":95,"requires_php":54,"tags":115,"homepage":117,"download_link":118,"security_score":119,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"si-2fa-login-security","SI 2FA Login Security","1.2","Stroke 
Infotech","https:\u002F\u002Fprofiles.wordpress.org\u002Fstrokeinfotech\u002F","\u003Cp>Secure WordPress login with this two factor authentication (MFA \u002F 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in.\u003C\u002Fp>\n\u003Cp>Features\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supports standard TOTP protocols (and so supports Google Authenticator, Authy, and many others).\u003C\u002Fli>\n\u003Cli>Displays graphical QR codes for easy scanning into apps on your phone\u002Ftablet\u003C\u002Fli>\n\u003Cli>MFA can be turned on or off by each user\u003C\u002Fli>\n\u003Cli>Supports front-end editing of settings, via shortcode (i.e. users don’t need access to the WP dashboard).\u003C\u002Fli>\n\u003Cli>\n\u003Cp>User login history\u003C\u002Fp>\n\u003Cp>[si2flose_twofactor_user_settings]\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Simplified user interface and code base for ease of use and performance\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect MFA code.\u003C\u002Fli>\n\u003Cli>When using the front-end shortcode, require the user to enter the current MFA code correctly to be able to activate MFA\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How Does MFA \u002F 2FA Work?\u003C\u002Fh4>\n\u003Cp>This plugin uses the industry standard MFA \u002F 2FA algorithm \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FTime-based_One-time_Password_Algorithm\" rel=\"nofollow ugc\">TOTP\u003C\u002Fa> for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.\u003C\u002Fp>\n\u003Cp>A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) 
will show a different code every so often.\u003C\u002Fp>\n\u003Ch4>Plugin Notes\u003C\u002Fh4>\n\u003Cp>This plugin began life in early 2025 as a friendly fork and enhancement of the “wp mfa authentication” plugin.\u003C\u002Fp>\n\u003Cp>This plugin requires PHP version 5.3 or higher and support for either php-openssl or \u003Ca href=\"http:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fmcrypt.installation.php\" rel=\"nofollow ugc\">PHP mcrypt\u003C\u002Fa>. The vast majority of PHP setups will have one of these. If not, ask your hosting company.\u003C\u002Fp>\n\u003Col>\n\u003Cli>Search for ‘SI 2FA Login Security’ in the ‘Plugins’ menu in WordPress.\u003C\u002Fli>\n\u003Cli>Click the ‘Install’ button. (Make sure you pick the right one)\u003C\u002Fli>\n\u003Cli>Activate the plugin through the ‘Plugins’ menu in WordPress\u003C\u002Fli>\n\u003Cli>Find site-wide settings in 2FA User Settings; find your own user settings in the top-level menu entry “2FA User Settings”.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If you want to add a section to the front-end of your site where users can configure their two-factor authentication settings, use this shortcode:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[si2flose_twofactor_user_settings]\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Secure WordPress login with SI 2FA Login Security - supports WP, Woo + other login forms, TOTP (Google Authenticator, Authy, 
etc.)",633,"2025-03-05T06:05:00.000Z",[56,21,116,58,24],"multi-step-authentication","https:\u002F\u002Fstrokeinfotech.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsi-2fa-login-security.1.2.zip",92,{"slug":121,"name":122,"version":123,"author":124,"author_profile":125,"description":126,"short_description":127,"active_installs":128,"downloaded":129,"rating":49,"num_ratings":130,"last_updated":131,"tested_up_to":52,"requires_at_least":132,"requires_php":96,"tags":133,"homepage":138,"download_link":139,"security_score":61,"vuln_count":140,"unpatched_count":28,"last_vuln_date":141,"fetched_at":30},"wordfence","Wordfence Security – Firewall, Malware Scan, and Login Security","8.1.4","Mark Maunder","https:\u002F\u002Fprofiles.wordpress.org\u002Fmmaunder\u002F","\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Fi4ZN2TwlaBE?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>THE MOST POPULAR WORDPRESS FIREWALL & SECURITY SCANNER\u003C\u002Fh4>\n\u003Cp>WordPress security requires a team of dedicated analysts researching the latest malware variants and WordPress exploits, turning them into firewall rules and malware signatures, and releasing those to customers in real-time.\u003C\u002Fp>\n\u003Cp>Choose the right protection for you: \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fproducts\u002Fpricing\u002F\" rel=\"nofollow ugc\">Wordfence Free, Premium, Care or Response\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Wordfence is widely acknowledged as the number one WordPress security research team in the World. 
Our plugin provides a comprehensive suite of security features, and our team’s research is what powers our plugin and provides the level of security that we are known for.\u003C\u002Fp>\n\u003Cp>At Wordfence, WordPress security isn’t a division of our business – WordPress security is all we do. We employ a global 24-hour dedicated incident response team that provides our priority customers with a 1 hour response time for any security incident.\u003C\u002Fp>\n\u003Cp>The sun never sets on our global security team and we run a sophisticated threat intelligence platform to aggregate, analyze and produce ground breaking security research on the newest security threats.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Wordfence Security includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more.\u003C\u002Fstrong> Our \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002F\" rel=\"nofollow ugc\">Threat Defense Feed\u003C\u002Fa> arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe.\u003C\u002Fp>\n\u003Cp>Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.\u003C\u002Fp>\n\u003Ch3>🔥 WORDPRESS FIREWALL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ffirewall\u002F\" rel=\"nofollow ugc\">Web Application Firewall\u003C\u002Fa>\u003C\u002Fstrong> identifies and blocks malicious traffic. 
Built and maintained by a large team focused 100% on WordPress security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time firewall rule and malware signature [Premium]\u003C\u002Fstrong> updates via the Threat Defense Feed (free version is delayed by 30 days).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fblocking\u002F\" rel=\"nofollow ugc\">Real-time IP Blocklist\u003C\u002Fa> [Premium]\u003C\u002Fstrong> blocks all requests from the most malicious IPs, protecting your site while reducing load.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protects your site at the endpoint\u003C\u002Fstrong>, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed and cannot leak data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fscan\u002F\" rel=\"nofollow ugc\">Integrated malware scanner\u003C\u002Fa>\u003C\u002Fstrong> blocks requests that include malicious code or content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ffirewall\u002Fbrute-force\u002F\" rel=\"nofollow ugc\">Protection from brute force\u003C\u002Fa>\u003C\u002Fstrong> attacks by limiting login attempts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📡 WORDPRESS SECURITY SCANNER\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malware scanner\u003C\u002Fstrong> checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time malware signature updates [Premium]\u003C\u002Fstrong> via the Threat Defense Feed (free version is delayed by 30 days).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compares with WordPress.org repository\u003C\u002Fstrong> your core files, themes and plugins, checking their integrity and reporting any changes to you.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Repair WordPress 
core, theme, and plugin files\u003C\u002Fstrong> that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Malware Removal Tools\u003C\u002Fstrong> “Delete File” and “Delete All Deletable Files” options allow for efficient malware removal. Remember to investigate the scan results and backup files first!\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks your site for known security vulnerabilities\u003C\u002Fstrong> and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks your content safety\u003C\u002Fstrong> by scanning file contents, posts and comments for dangerous URLs and suspicious content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks to see if your site or IP have been blocklisted [Premium]\u003C\u002Fstrong> for malicious activity, generating spam or other security issues.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔒 LOGIN SECURITY\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ftools\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Two-factor authentication (2FA)\u003C\u002Fa>\u003C\u002Fstrong>, one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Flogin-security\u002F\" rel=\"nofollow ugc\">Login Page CAPTCHA\u003C\u002Fa>\u003C\u002Fstrong> stops bots from logging in.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Flogin-security\u002F#woocommerce-and-custom-integrations\" rel=\"nofollow ugc\">2FA for WooCommerce and custom integrations\u003C\u002Fa>\u003C\u002Fstrong> allow for 2FA to be setup on custom account 
pages\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC\u003C\u002Fstrong> options including disabling or adding 2FA.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password Security:\u003C\u002Fstrong> Block logins for administrators using known compromised passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📋 SECURITY AUDIT LOG [Premium]\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Faudit-log\" rel=\"nofollow ugc\">The Audit Log\u003C\u002Fa>\u003C\u002Fstrong> monitors all changes and actions in security-sensitive areas of the site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remote tamper-proof data storage\u003C\u002Fstrong> via Wordfence Central.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Monitor events and actions\u003C\u002Fstrong> ranging  from user creation and editing to plugin\u002Ftheme installation and updates to post and page changes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable\u003C\u002Fstrong> to log all events or significant events only, which includes all authentication, site configuration, and site functionality events.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🌐 WORDFENCE CENTRAL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fproducts\u002Fwordfence-central\u002F\" rel=\"nofollow ugc\">Wordfence Central\u003C\u002Fa>\u003C\u002Fstrong> is a powerful and efficient way to manage the security for multiple sites in one place.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Centralized management:\u003C\u002Fstrong> Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Powerful templates\u003C\u002Fstrong> make configuring Wordfence a breeze.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Highly configurable alerts\u003C\u002Fstrong> can be delivered via email, SMS or Slack. 
Improve the signal to noise ratio by leveraging severity level options and a daily digest option.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Track and alert on important security events\u003C\u002Fstrong> including administrator logins, breached password usage and surges in attack activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Free to use\u003C\u002Fstrong> for unlimited sites.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🛠️ SECURITY TOOLS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ftools\u002Flive-traffic\u002F\" rel=\"nofollow ugc\">Live Traffic\u003C\u002Fa>\u003C\u002Fstrong> monitors visits and hack attempts not shown in other analytics packages in real time; including origin, their IP address, the time of day and time spent on your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block attackers by IP\u003C\u002Fstrong> or build advanced rules based on IP Range, Hostname, User Agent and Referrer.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fblocking\u002Fcountry-blocking\u002F\" rel=\"nofollow ugc\">Country blocking\u003C\u002Fa>\u003C\u002Fstrong> available with Wordfence Premium.\u003C\u002Fli>\n\u003C\u002Ful>\n","Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. 
Make security a priority with Wordfence.",5000000,407330579,4861,"2025-12-20T21:06:00.000Z","4.7",[21,134,135,136,137],"firewall","malware","scanner","security","https:\u002F\u002Fwww.wordfence.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordfence.8.1.4.zip",12,"2022-09-06 00:00:00",{"attackSurface":143,"codeSignals":235,"taintFlows":288,"riskAssessment":404,"analyzedAt":418},{"hooks":144,"ajaxHandlers":194,"restRoutes":231,"shortcodes":232,"cronEvents":233,"entryPointCount":234,"unprotectedCount":234},[145,151,156,161,166,171,176,180,184,187,191],{"type":146,"name":147,"callback":148,"file":149,"line":150},"action","init","closure","code9.php",28,{"type":146,"name":152,"callback":153,"priority":11,"file":154,"line":155},"wp_login","code9_anti_brute_force_unblock","function\u002Fcode9_anti_brute_foce.php",15,{"type":157,"name":158,"callback":159,"priority":14,"file":154,"line":160},"filter","authenticate","code9_anti_brute_force",268,{"type":146,"name":162,"callback":163,"file":164,"line":165},"admin_init","code9_api","function\u002Fcode9_api.php",27,{"type":146,"name":167,"callback":168,"file":169,"line":170},"admin_menu","code9_menu_page","function\u002Fcode9_menu_page_register.php",18,{"type":146,"name":172,"callback":173,"file":174,"line":175},"auth_redirect","code9_security_2_step_middleware","function\u002Fcode9_security.php",457,{"type":146,"name":177,"callback":178,"file":174,"line":179},"clear_auth_cookie","code9_security_2_step_logout",467,{"type":146,"name":181,"callback":182,"file":174,"line":183},"edit_user_profile","code9_security_2_step_code_edit",518,{"type":146,"name":185,"callback":182,"file":174,"line":186},"show_user_profile",519,{"type":146,"name":188,"callback":189,"file":174,"line":190},"personal_options_update","code9_security_2_step_code_edit_update",528,{"type":146,"name":192,"callback":189,"file":174,"line":193},"edit_user_profile_update",529,[195,201,206,211,215,219,223,227],{"action":196,"nopriv":197,"callback"
:198,"hasNonce":197,"hasCapCheck":197,"file":199,"line":200},"security_2_step_blockingtime_update",false,"code9_api_security_2_step_blockingtime_update","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_blockingtime_update.php",19,{"action":202,"nopriv":197,"callback":203,"hasNonce":197,"hasCapCheck":197,"file":204,"line":205},"security_2_step_get","code9_api_security_2_step_get","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_get.php",13,{"action":207,"nopriv":197,"callback":208,"hasNonce":197,"hasCapCheck":197,"file":209,"line":210},"security_2_step_key_iv_reset","code9_api_security_2_step_key_iv_reset","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_key_iv_reset.php",17,{"action":212,"nopriv":197,"callback":213,"hasNonce":197,"hasCapCheck":197,"file":214,"line":170},"security_2_step_update","code9_api_security_2_step_update","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_update.php",{"action":216,"nopriv":197,"callback":217,"hasNonce":197,"hasCapCheck":197,"file":218,"line":210},"security_anti_brute_force_blocked_remove","code9_api_security_anti_brute_force_blocked_remove","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_anti_brute_force_blocked_remove.php",{"action":220,"nopriv":197,"callback":221,"hasNonce":197,"hasCapCheck":197,"file":222,"line":155},"security_anti_brute_force_logs_get","code9_api_security_anti_brute_force_logs_get","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_anti_brute_force_logs_get.php",{"action":224,"nopriv":197,"callback":225,"hasNonce":197,"hasCapCheck":197,"file":226,"line":170},"security_anti_brute_force_update","code9_api_security_anti_brute_force_update","plugin\u002Fsecurity\u002Fapi\u002Fsecurity_anti_brute_force_update.php",{"action":228,"nopriv":197,"callback":229,"hasNonce":197,"hasCapCheck":197,"file":230,"line":150},"spa_security","code9_spa_security","plugin\u002Fsecurity\u002Fspa.php",[],[],[],8,{"dangerousFunctions":236,"sqlUsage":237,"outputEscaping":239,"fileOperations":28,"externalRequests":28,"nonceChecks":2
8,"capabilityChecks":28,"bundledLibraries":287},[],{"prepared":14,"raw":28,"locations":238},[],{"escaped":14,"rawEcho":240,"locations":241},22,[242,245,247,249,251,253,255,257,259,261,263,265,267,269,271,273,275,278,280,282,284,286],{"file":174,"line":243,"context":244},347,"raw output",{"file":174,"line":246,"context":244},355,{"file":174,"line":248,"context":244},357,{"file":174,"line":250,"context":244},362,{"file":174,"line":252,"context":244},385,{"file":174,"line":254,"context":244},386,{"file":174,"line":256,"context":244},398,{"file":174,"line":258,"context":244},404,{"file":174,"line":260,"context":244},408,{"file":174,"line":262,"context":244},426,{"file":174,"line":264,"context":244},432,{"file":174,"line":266,"context":244},434,{"file":174,"line":268,"context":244},435,{"file":174,"line":270,"context":244},477,{"file":174,"line":272,"context":244},480,{"file":174,"line":274,"context":244},508,{"file":276,"line":277,"context":244},"page\u002Fdashboard.php",45,{"file":276,"line":279,"context":244},67,{"file":281,"line":103,"context":244},"plugin\u002Fsecurity\u002Fspa\u002Fsecurity.php",{"file":281,"line":283,"context":244},6,{"file":281,"line":285,"context":244},7,{"file":281,"line":234,"context":244},[],[289,316,331,353,362,370,379,387,396],{"entryPoint":290,"graph":291,"unsanitizedCount":314,"severity":315},"code9_security_2_step_middleware (function\u002Fcode9_security.php:53)",{"nodes":292,"edges":311},[293,298,303,307],{"id":294,"type":295,"label":296,"file":174,"line":297},"n0","source","$_POST['c9-code']",306,{"id":299,"type":300,"label":301,"file":174,"line":297,"wp_function":302},"n1","sink","update_option() [Settings Manipulation]","update_option",{"id":304,"type":295,"label":305,"file":174,"line":306},"n2","$_SERVER",378,{"id":308,"type":300,"label":309,"file":174,"line":266,"wp_function":310},"n3","echo() 
[XSS]","echo",[312,313],{"from":294,"to":299,"sanitized":197},{"from":304,"to":308,"sanitized":197},2,"medium",{"entryPoint":317,"graph":318,"unsanitizedCount":314,"severity":330},"code9_security_2_step_code_edit_update (function\u002Fcode9_security.php:521)",{"nodes":319,"edges":327},[320,323,324,326],{"id":294,"type":295,"label":321,"file":174,"line":322},"$_POST['user_id']",524,{"id":299,"type":300,"label":301,"file":174,"line":322,"wp_function":302},{"id":304,"type":295,"label":325,"file":174,"line":322},"$_POST['c9-2-step-code']",{"id":308,"type":300,"label":301,"file":174,"line":322,"wp_function":302},[328,329],{"from":294,"to":299,"sanitized":197},{"from":304,"to":308,"sanitized":197},"low",{"entryPoint":332,"graph":333,"unsanitizedCount":352,"severity":330},"\u003Ccode9_security> (function\u002Fcode9_security.php:0)",{"nodes":334,"edges":347},[335,336,337,338,339,341,343,345],{"id":294,"type":295,"label":296,"file":174,"line":297},{"id":299,"type":300,"label":301,"file":174,"line":297,"wp_function":302},{"id":304,"type":295,"label":305,"file":174,"line":306},{"id":308,"type":300,"label":309,"file":174,"line":266,"wp_function":310},{"id":340,"type":295,"label":321,"file":174,"line":322},"n4",{"id":342,"type":300,"label":301,"file":174,"line":322,"wp_function":302},"n5",{"id":344,"type":295,"label":325,"file":174,"line":322},"n6",{"id":346,"type":300,"label":301,"file":174,"line":322,"wp_function":302},"n7",[348,349,350,351],{"from":294,"to":299,"sanitized":197},{"from":304,"to":308,"sanitized":197},{"from":340,"to":342,"sanitized":197},{"from":344,"to":346,"sanitized":197},4,{"entryPoint":354,"graph":355,"unsanitizedCount":14,"severity":330},"code9_api_security_2_step_blockingtime_update 
(plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_blockingtime_update.php:3)",{"nodes":356,"edges":360},[357,359],{"id":294,"type":295,"label":358,"file":199,"line":234},"$_POST['timeout']",{"id":299,"type":300,"label":301,"file":199,"line":234,"wp_function":302},[361],{"from":294,"to":299,"sanitized":197},{"entryPoint":363,"graph":364,"unsanitizedCount":14,"severity":330},"\u003Csecurity_2_step_blockingtime_update> (plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_blockingtime_update.php:0)",{"nodes":365,"edges":368},[366,367],{"id":294,"type":295,"label":358,"file":199,"line":234},{"id":299,"type":300,"label":301,"file":199,"line":234,"wp_function":302},[369],{"from":294,"to":299,"sanitized":197},{"entryPoint":371,"graph":372,"unsanitizedCount":14,"severity":330},"code9_api_security_2_step_update (plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_update.php:3)",{"nodes":373,"edges":377},[374,376],{"id":294,"type":295,"label":375,"file":214,"line":234},"$_POST['security_2_step']",{"id":299,"type":300,"label":301,"file":214,"line":234,"wp_function":302},[378],{"from":294,"to":299,"sanitized":197},{"entryPoint":380,"graph":381,"unsanitizedCount":14,"severity":330},"\u003Csecurity_2_step_update> (plugin\u002Fsecurity\u002Fapi\u002Fsecurity_2_step_update.php:0)",{"nodes":382,"edges":385},[383,384],{"id":294,"type":295,"label":375,"file":214,"line":234},{"id":299,"type":300,"label":301,"file":214,"line":234,"wp_function":302},[386],{"from":294,"to":299,"sanitized":197},{"entryPoint":388,"graph":389,"unsanitizedCount":14,"severity":330},"code9_api_security_anti_brute_force_update 
(plugin\u002Fsecurity\u002Fapi\u002Fsecurity_anti_brute_force_update.php:3)",{"nodes":390,"edges":394},[391,393],{"id":294,"type":295,"label":392,"file":226,"line":234},"$_POST['security_anti_brute_force']",{"id":299,"type":300,"label":301,"file":226,"line":234,"wp_function":302},[395],{"from":294,"to":299,"sanitized":197},{"entryPoint":397,"graph":398,"unsanitizedCount":14,"severity":330},"\u003Csecurity_anti_brute_force_update> (plugin\u002Fsecurity\u002Fapi\u002Fsecurity_anti_brute_force_update.php:0)",{"nodes":399,"edges":402},[400,401],{"id":294,"type":295,"label":392,"file":226,"line":234},{"id":299,"type":300,"label":301,"file":226,"line":234,"wp_function":302},[403],{"from":294,"to":299,"sanitized":197},{"summary":405,"deductions":406},"The \"code9\" v1.0.13 plugin presents a significant security risk due to a large number of unprotected AJAX handlers. While the plugin demonstrates good practices in its handling of SQL queries and avoids dangerous functions, file operations, and external HTTP requests, the static analysis found neither a nonce check nor a capability check on any of its AJAX entry points, which is a major concern. The handlers are registered for logged-in users only, so a session is still required, but without capability checks any authenticated user on the WordPress site, regardless of role, can invoke them, and without nonces they are open to cross-site request forgery.\n\nThe static analysis revealed a concerning pattern where 100% of the analyzed taint flows had unsanitized paths. Although these flows were not classified as critical or high severity, the presence of numerous unsanitized paths on all entry points suggests a general lack of robust input validation. Furthermore, the extremely low percentage of properly escaped output (4%) indicates a high likelihood of cross-site scripting (XSS) vulnerabilities wherever the echoed values can be influenced by a request, allowing attackers to inject malicious scripts into the website.\n\nThe plugin's vulnerability history is clean, with no recorded CVEs. 
This, combined with the absence of critical or high-severity taint flows, might suggest that the plugin has not yet been targeted or that past vulnerabilities were promptly addressed; with only 10 active installs, it may equally mean that the plugin has received little outside scrutiny. However, the issues identified in the static analysis, particularly the unprotected AJAX endpoints and poor output escaping, create fertile ground for new vulnerabilities. The overall security posture is weakened by the lack of essential security controls on its primary attack vectors, despite strengths in other areas.",[407,409,411,413,416],{"reason":408,"points":11},"8 AJAX handlers without auth checks",{"reason":410,"points":234},"4% properly escaped output",{"reason":412,"points":285},"9 flows with unsanitized paths",{"reason":414,"points":415},"0 Nonce checks on AJAX",5,{"reason":417,"points":415},"0 Capability checks","2026-04-16T12:02:40.690Z",{"wat":420,"direct":451},{"assetPaths":421,"generatorPatterns":447,"scriptPaths":448,"versionParams":449},[422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446],"\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcode9.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fmermaid.min.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fspa.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fgridjs.umd.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Flanguage.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcrypto-js.min.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Faes.min.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcrypto.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcookie.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fapi.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fquery.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fstring_random.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fform_obj.js","\u002Fwp-conte
nt\u002Fplugins\u002Fcode9\u002Fassets\u002Fdom_loading.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fslider.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fconfirm\u002Fconfirm.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fconfirm\u002Fconfirm.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fnoti\u002Fnoti.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fnoti\u002Fnoti.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fpopup\u002Fpopup.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fpopup\u002Fpopup.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fpopup_drag\u002Fpopup_drag.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Fpopup_drag\u002Fpopup_drag.js","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Ftab\u002Ftab.css","\u002Fwp-content\u002Fplugins\u002Fcode9\u002Fassets\u002Fcomponent\u002Ftab\u002Ftab.js",[],[424,425,426,427,428,429,430,431,432,433,434,435,436,438,440,442,444,446],[450],"code9.css?ver=1.0.1",{"cssClasses":452,"htmlComments":465,"htmlAttributes":466,"restEndpoints":468,"jsGlobals":469,"shortcodeOutput":471},[453,454,455,456,457,458,459,460,461,462,463,464],"c9-margin-bottom-small","c9-title","c9-logo","c9-grid","c9-side","c9-width-auto@m","c9-width-1-1","c9-side-middle","c9-text-uppercase","c9-width-expand@m","c9-main","c9-loading",[],[467],"data-link",[],[470],"C9_WP",[],{"error":473,"url":474,"statusCode":258,"statusMessage":475,"message":475},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fcode9\u002Fbundle","no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":28,"versions":477},[]]