[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fr0g1oyD_k5qKOIQJFuLU14Dl28BQX0OgvpSJtvLkJP0":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":35,"analysis":134,"fingerprints":191},"configurable-hotlink-protection","Configurable Hotlink Protection","0.2","deltafactory","https:\u002F\u002Fprofiles.wordpress.org\u002Fdeltafactory\u002F","\u003Cp>Save bandwidth by easily blocking links to video, audio, and other files from unapproved 3rd-party sites.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Choose from a list of common file extensions and include your own\u003C\u002Fli>\n\u003Cli>Allow linking from multiple authorized websites\u003C\u002Fli>\n\u003Cli>Selectively control direct linking\u003C\u002Fli>\n\u003Cli>Generate the rules for your \u003Ccode>.htaccess\u003C\u002Fcode> file with minimal effort\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin modifies the site’s .htaccess file and requires mod_rewrite or compatible modules like \u003Ca href=\"http:\u002F\u002Fwww.helicontech.com\u002Fisapi_rewrite\u002F\" rel=\"nofollow ugc\">ISAPI_rewrite for IIS\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Notes\u003C\u002Fh4>\n\u003Cp>This plugin was inspired by the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fwordpress-automatic-image-hotlink-protection\u002F\" rel=\"ugc\">Hotlink Protection\u003C\u002Fa> plugin. There was a need for a more flexible implementation and so this plugin was created.\u003C\u002Fp>\n","Save bandwidth by easily blocking links to video, audio, and other files from unapproved 3rd-party sites. 
Requires mod_rewrite.",30,5504,20,4,"2011-08-20T04:07:00.000Z","3.2.1","3.0","",[20,21,22,23],"hotlink","htaccess","mod_rewrite","protection","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fconfigurable-hotlink-protection\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fconfigurable-hotlink-protection.0.2.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":11,"trust_score":33,"computed_at":34},1,84,"2026-04-04T19:46:06.120Z",[36,58,78,99,118],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":46,"num_ratings":47,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":56,"download_link":57,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"zotya-htaccess-protect","htaccess protect","0.7.0","zoltanlaczko","https:\u002F\u002Fprofiles.wordpress.org\u002Fzoltanlaczko\u002F","\u003Cp>Using the password protection will give you extra security layer of protection from brute force hacking attacks. Additionally, it’s also an easy way to password protect your entire site, without needing to create separate WordPress users for each visitor.\u003C\u002Fp>\n\u003Cp>When you enable the password protection, the user won’t be able to see anything – not even see the protected page – until he\u002Fshe inserts the username\u002Fpassword. 
You can password protect the whole website, including the administrator pages; you can password protect the administrator pages; or you can password protect the WordPress login page.\u003C\u002Fp>\n\u003Cp>The plugin options include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enabling\u002Fdisabling the password protection to wp-login.php, WordPress admin pages.\u003C\u002Fli>\n\u003Cli>Modifying the existing users: you can change any .htaccess user’s password and remove the users.\u003C\u002Fli>\n\u003Cli>Create\u002Fmodify an unlimited number of .htaccess users;\u003C\u002Fli>\n\u003Cli>Protect your whole site, making it accessible to only those who have the .htaccess user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin was originally based on \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fhtaccess-site-access-control\u002F\" rel=\"ugc\">.htaccess Site Access Control\u003C\u002Fa>. That plugin was working fine but it was abandoned for years and not compatible with the latest WordPress. 
Most parts of the plugin were refactored and translated.\u003C\u002Fp>\n","htaccess protect - Protect your wordpress login or admin pages with password.",900,10716,74,6,"2022-01-23T19:01:00.000Z","5.9.13","5.0","5.6",[21,53,54,23,55],"htpasswd","protect","security","https:\u002F\u002Fgithub.com\u002Fzoltanlaczko\u002Fwp-htaccess-protect\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzotya-htaccess-protect.0.7.0.zip",{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":13,"num_ratings":68,"last_updated":69,"tested_up_to":70,"requires_at_least":71,"requires_php":18,"tags":72,"homepage":18,"download_link":77,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"wordpress-automatic-image-hotlink-protection","Hotlink Protection","3.3.3","zuda","https:\u002F\u002Fprofiles.wordpress.org\u002Fzuda\u002F","\u003Cp>This plugin is adopted and being maintained. Caution: This plugin may not work on all setups and is best to be considered beta. It has been updated to work on more setups than it previously worked on.\u003C\u002Fp>\n\u003Cp>The WordPress Automatic Image Hotlink Protection plugin is a single step script designed to stop others from stealing your images. Simply add an .htaccess file to your root folder thereby stopping external web servers from linking directly to your files.\u003C\u002Fp>\n\u003Cp>The script automatically tests to see if your web server is compatible with the script before adding the .htaccess file and setting the appropriate permissions. If deactivated, the script removes the code from your .htaccess file.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Please Note : This plugin works only with the primary domain, and the www. 
addition not subdomains, for example mycow.example.com would not work, but example.com should work.\u003C\u002Fli>\n\u003C\u002Ful>\n","The WordPress Automatic Image Hotlink Protection plugin is a single step script designed to stop others from stealing your images.",300,55491,5,"2018-08-16T10:57:00.000Z","4.9.29","4.0.0",[20,73,74,75,76],"hotlink-protection","hotlinking","image-protection","protect-image","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-automatic-image-hotlink-protection.zip",{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":86,"downloaded":87,"rating":88,"num_ratings":89,"last_updated":90,"tested_up_to":91,"requires_at_least":92,"requires_php":18,"tags":93,"homepage":96,"download_link":97,"security_score":98,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"sar-one-click-security","SAR One Click Security","1.3","Samuel Aguilera","https:\u002F\u002Fprofiles.wordpress.org\u002Fsamuelaguilera\u002F","\u003Cp>There’s a lot of WordPress security plugins with many many options and pages to setup. And that is fine if you know what to do.\u003Cbr \u002F>\nBut most of the times, you don’t need so much or simply you’re not sure about what to set or not.\u003C\u002Fp>\n\u003Cp>This plugin adds some extra security to your WordPress with only one click. \u003Cstrong>No options page, just activate it!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Like many other security plugins SAR One Click Security adds well known .htaccess rules, but only the ones probed to be safe to use in almost any type of site (including WooCommerce stores), to protect your WordPress from common attacks. 
This allows you to have a safer WordPress without worries about what protection you should be using.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Turn off ServerSignature directive, that may leak information about your web server.\u003C\u002Fli>\n\u003Cli>Turn off directory listing, avoiding bad configured hostings to leak your files.\u003C\u002Fli>\n\u003Cli>Blocks public access (from web) to following files that may leak information about your WordPress install: .htaccess, license.txt, readme.html, wp-config.php, wp-config-sample.php, install.php\u003C\u002Fli>\n\u003Cli>Blocks access to wp-login.php to dummy bots trying to register in WordPress sites that have registration disabled.\u003C\u002Fli>\n\u003Cli>Blocks requests looking for timthumb.php, reducing server load caused by bots trying to find it. (*)\u003C\u002Fli>\n\u003Cli>Blocks TRACE and TRACK request methods, preventing XST attacks.\u003C\u002Fli>\n\u003Cli>Blocks direct posting to wp-comments-post.php (most spammers do this) and access with blank User Agent, reducing spam comments a lot and also server load.\u003C\u002Fli>\n\u003Cli>Blocks direct access to PHP files in wp-content directory (this includes subdirectories like plugins or themes). Protecting you from a huge number of 0day exploits.\u003C\u002Fli>\n\u003Cli>Blocks direct POST to wp-login.php and access with blank User Agent, preventing most brute-force attacks and reducing server load.\u003C\u002Fli>\n\u003Cli>Blocks access to .txt files under any plugin\u002Ftheme directory to prevent scans for installed plugins\u002Fthemes.\u003C\u002Fli>\n\u003Cli>Blocks any query string trying to get a copy of the wp-config.php file.\u003C\u002Fli>\n\u003Cli>Blocks gf_page=upload query string argument, this was deprecated in Gravity Forms on May 2015, if your copy of Gravity Forms still uses it, update now!\u003C\u002Fli>\n\u003Cli>Removes version information from page headers. 
This includes not only the page header (html or xhtml) but also feed headers (rss, rss2, atom, rdf) and opml comments. Only the version number is removed, not the entire generator information.  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>(*) If your theme uses TimThumb, you can disable that blocking rule, check FAQ before installing the plugin to see how.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.9.2 or higher. (Works with WordPress network\u002Fmultisite installation).\u003C\u002Fli>\n\u003Cli>Apache 2.4.x web server\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It has been tested in many servers including large providers like HostGator, Godaddy and 1&1 with optimal results, and it will work fine in any decent hosting service (that allows you to set options from .htaccess files).\u003C\u002Fp>\n\u003Cp>Anyway, if you get any problem after activating the plugin, check FAQ for instructions on how to manually uninstall it.\u003C\u002Fp>\n\u003Cp>If you’re not sure of which server is your hosting company using or if they allow to use custom .htaccess rules, I would recommend you to contact with your host support \u003Cstrong>before\u003C\u002Fstrong> installing the plugin.\u003C\u002Fp>\n\u003Ch4>Usage\u003C\u002Fh4>\n\u003Cp>To apply above mentioned security rules simply install and activate the plugin, no options page, no user setup!\u003C\u002Fp>\n\u003Cp>If you need to remove the security rules for some reason, simply deactivate the plugin. 
If you want to add them again, activate the plugin again, that easy 😉\u003C\u002Fp>\n\u003Cp>And remember, \u003Cstrong>if your theme uses TimThumb, check FAQ before installing the plugin\u003C\u002Fstrong>.\u003C\u002Fp>\n","Adds some extra security to your WordPress with only one click.",200,13616,100,7,"2025-03-03T20:53:00.000Z","6.7.5","3.9.2",[94,95,21,23,55],"firewall","hardening","http:\u002F\u002Fwww.samuelaguilera.com\u002Farchivo\u002Fprotege-wordpress-facilmente.xhtml","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsar-one-click-security.1.3.zip",92,{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":107,"downloaded":108,"rating":27,"num_ratings":27,"last_updated":109,"tested_up_to":70,"requires_at_least":110,"requires_php":18,"tags":111,"homepage":116,"download_link":117,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"undasecure","UndaSecure","1.2.16","asantosundanet","https:\u002F\u002Fprofiles.wordpress.org\u002Fasantosundanet\u002F","\u003Cp>This plugin adds markers in \u002F.htaccess and \u002Fwp-content\u002Fuploads\u002F.htaccess to secure against attacks and optimize Apache configurations for SEO purposes.\u003C\u002Fp>\n\u003Cp>Sets protection in ROOT\u002F.htaccess for wp-config.php, .htaccess, xmlrpc.php, wp-cron.php.\u003Cbr \u002F>\nSets block author scans in ROOT\u002F.htaccess.\u003C\u002Fp>\n\u003Cp>Sets GZIP\u002FDEFLATE in ROOT\u002F.htaccess.\u003Cbr \u002F>\nSets Header add Access-Control-Allow-Origin in ROOT\u002F.htaccess.\u003Cbr \u002F>\nSets ExpiresActive in ROOT\u002F.htaccess.\u003Cbr \u002F>\nSets Header unset Etag in ROOT\u002F.htaccess.\u003C\u002Fp>\n\u003Cp>Create or add to \u002Fwp-content\u002Fuploads\u002F.htaccess protection for files only.\u003C\u002Fp>\n\u003Cp>Removes files on each WP update to prevent exposing WP version number (readme.html, wp-config-sample.php, 
license.txt).\u003C\u002Fp>\n","Adds secure optimizations to .htaccess file",10,1341,"2018-04-06T07:59:00.000Z","4.0",[112,113,114,100,115],"htaccess-protection","optimization","secure","uploads-folder-protection","https:\u002F\u002Fwww.undanet.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fundasecure.1.2.16.zip",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":27,"downloaded":126,"rating":27,"num_ratings":27,"last_updated":127,"tested_up_to":128,"requires_at_least":50,"requires_php":18,"tags":129,"homepage":132,"download_link":133,"security_score":88,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"security-made-easy","Security Made Easy","0.4","VeryEasy","https:\u002F\u002Fprofiles.wordpress.org\u002Fveryeasy\u002F","\u003Cp>A set and forget solution for WordPress security.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Add cross-site scripting (XSS) protection\u003C\u002Fli>\n\u003Cli>Add a powerful, yet lightweight and hands-free firewall\u003C\u002Fli>\n\u003Cli>Disable directory indexing\u003C\u002Fli>\n\u003Cli>Disable theme\u002Fplugin file editing\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Ask for help: \u003Ca href=\"mailto:help@veryeasy.io\" rel=\"nofollow ugc\">help@veryeasy.io\u003C\u002Fa>\u003C\u002Fp>\n","A set and forget solution for WordPress 
security.",1444,"2025-09-01T04:02:00.000Z","6.8.5",[130,21,23,55,131],"guard","spam","https:\u002F\u002Fveryeasy.io\u002Fsecurity-made-easy","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-made-easy.zip",{"attackSurface":135,"codeSignals":164,"taintFlows":180,"riskAssessment":181,"analyzedAt":190},{"hooks":136,"ajaxHandlers":160,"restRoutes":161,"shortcodes":162,"cronEvents":163,"entryPointCount":27,"unprotectedCount":27},[137,142,145,149,153,156],{"type":138,"name":139,"callback":139,"file":140,"line":141},"action","admin_init","configurable-hotlink-protection.php",14,{"type":138,"name":143,"callback":143,"file":140,"line":144},"admin_menu",15,{"type":146,"name":147,"callback":147,"file":140,"line":148},"filter","pre_update_option_hotlink_extensions",16,{"type":146,"name":150,"callback":151,"file":140,"line":152},"ext2type","ext2type_filter_hack",33,{"type":146,"name":154,"callback":154,"priority":107,"file":140,"line":155},"contextual_help_list",55,{"type":146,"name":157,"callback":158,"file":140,"line":159},"plugin_action_links_configurable-hotlink-protection\u002Fconfigurable-hotlink-protection.php","plugin_action_links",56,[],[],[],[],{"dangerousFunctions":165,"sqlUsage":166,"outputEscaping":168,"fileOperations":32,"externalRequests":27,"nonceChecks":27,"capabilityChecks":27,"bundledLibraries":179},[],{"prepared":27,"raw":27,"locations":167},[],{"escaped":107,"rawEcho":169,"locations":170},3,[171,175,177],{"file":172,"line":173,"context":174},"settings-page.php",17,"raw output",{"file":172,"line":176,"context":174},52,{"file":172,"line":178,"context":174},80,[],[],{"summary":182,"deductions":183},"The 'configurable-hotlink-protection' plugin version 0.2 exhibits a seemingly robust security posture based on the static analysis provided.  The absence of identifiable attack surface vectors like AJAX handlers, REST API routes, shortcodes, and cron events, particularly those lacking authentication checks, is a significant positive. 
Furthermore, the complete absence of dangerous functions, raw SQL queries (all using prepared statements), and external HTTP requests further strengthens its security profile. The presence of file operations, while not inherently a risk, warrants attention in the context of potential privilege escalation or data manipulation if not handled with extreme care.\n\nWhile the plugin boasts no known CVEs, a critical area of concern is the lack of nonce checks and capability checks. This absence of access control mechanisms on any potential (though currently not identified) entry points is a major weakness.  The 77% output escaping rate, while mostly good, leaves a small window for potential cross-site scripting (XSS) vulnerabilities if the unescaped outputs are ever exposed to user-controlled input. The lack of any taint analysis results is neutral; it means no problematic flows were found, but also that the analysis might have been limited or not applicable.\n\nIn conclusion, the plugin's strengths lie in its minimal attack surface and secure handling of database operations. However, the critical omission of nonce and capability checks presents a significant security risk, as it implies that any future or undiscovered entry points would be unprotected. 
The minor concern regarding output escaping also warrants careful review.",[184,186,188],{"reason":185,"points":107},"Missing Nonce Checks",{"reason":187,"points":107},"Missing Capability Checks",{"reason":189,"points":14},"Partial Output Escaping (23%)","2026-03-16T22:38:19.647Z",{"wat":192,"direct":198},{"assetPaths":193,"generatorPatterns":194,"scriptPaths":195,"versionParams":197},[],[],[196],"\u002Fwp-content\u002Fplugins\u002Fconfigurable-hotlink-protection\u002Fsettings-page.js",[],{"cssClasses":199,"htmlComments":200,"htmlAttributes":203,"restEndpoints":204,"jsGlobals":205,"shortcodeOutput":206},[],[201,202],"\u003C!-- BEGIN Configurable Hotlink Protection -->","\u003C!-- END Configurable Hotlink Protection -->",[],[],[],[]]