[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHn37JlCgB4v-HBsQvr9BXkObarCGqfCpIsejW42bGPs":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":11,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":130,"fingerprints":193},"dessky-security","Dessky Security","1.3","dessky","https:\u002F\u002Fprofiles.wordpress.org\u002Fdessky\u002F","\u003Cp>Dessky Security is the ultralight plugin for basic Security Hardening. It is specially designed not to drain any resources from your website. Once you enable all major security measures your input is no longer required. Features include upload directory restriction, disabling of plugin\u002Ftheme editor, admin username check and more.\u003C\u002Fp>\n\u003Cp>This plugin was developed by \u003Ca href=\"https:\u002F\u002Fdessky.com\u002F\" rel=\"nofollow ugc\">Dessky Team\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Dessky Team does not provide support for the Dessky Security on the WordPress.org forums. 
In order to get support or make a suggestion from a Dessky Team you will have to Join Our Open Community and \u003Ca href=\"https:\u002F\u002Fdiscuss.dessky.org\u002Ft\u002Fdessky-security\" rel=\"nofollow ugc\">Start a Discussion\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fdiscuss.dessky.org\u002Ft\u002Fdessky-security\" rel=\"nofollow ugc\">DISCUSS WITH THE DESSKY TEAM\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fdiscuss.dessky.org\u002Ft\u002Fdessky-security\" rel=\"nofollow ugc\">JOIN OUR OPEN COMMUNITY\u003C\u002Fa>: The purpose of this open community is to have a collective place where the community can help each other, and we can get some feedback to improve Dessky Security as well. Joining the community is also a great way to connect with like-minded people and share your experience.\u003C\u002Fp>\n\u003Cp>You can also \u003Ca href=\"https:\u002F\u002Fdessky.me\u002F\" rel=\"nofollow ugc\">GET THE PREMIUM SUPPORT\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fdessky.org\u002F\" rel=\"nofollow ugc\">User Documentation\u003C\u002Fa>: Although Dessky Security is already easy to set up, we’ve put together tutorials, guides, and some knowledge bases to help you set up and get started with it.\u003C\u002Fp>\n\u003Cp>I have further questions, how do I contact you?\u003C\u002Fp>\n\u003Cp>Please fill up the \u003Ca href=\"https:\u002F\u002Fdessky.com\u002Fcontact\u002F\" rel=\"nofollow ugc\">contact form\u003C\u002Fa> and we would be more than happy to assist.\u003C\u002Fp>\n\u003Cp>Credits: Dessky Security is based on the ‘Sucuri WordPress Security’ plugin developed by \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fddsucurinet\u002F\" rel=\"nofollow ugc\">Daniel Cid\u003C\u002Fa>.\u003C\u002Fp>\n","Dessky Security is the ultralight plugin for basic Security Hardening. 
It is specially designed not to drain any resources from your website.",100,5999,2,"2025-12-03T15:19:00.000Z","6.9.4","3.2","",[19,20,21,22,23],"hardening","security","site-hardening","wordpress-hardening","wordpress-security-check","https:\u002F\u002Fdessky.com\u002Fplugin\u002Fdessky-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdessky-security.1.3.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":32,"avg_security_score":11,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},4,20510,30,94,"2026-04-04T05:25:45.167Z",[37,56,75,94,114],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":26,"downloaded":45,"rating":26,"num_ratings":26,"last_updated":46,"tested_up_to":15,"requires_at_least":47,"requires_php":48,"tags":49,"homepage":54,"download_link":55,"security_score":11,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"esherpa-login-guard","eSherpa Login Guard","3.0.0","Ralf Naumann","https:\u002F\u002Fprofiles.wordpress.org\u002Fr2d3\u002F","\u003Cp>\u003Cstrong>eSherpa Login Guard\u003C\u002Fstrong> effectively and intelligently protects your WordPress site from brute-force attacks – Swiss precision, completely without external dependencies.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Honeypot-first bot defense\u003C\u002Fstrong>: JavaScript Honeypot detects non-browser bots and triggers immediate lockout logic.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protected username trap\u003C\u002Fstrong>: Immediate lockout for defined usernames (e.g., “admin”, “test”), independent of the regular counter.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Proactive User-Agent blocking\u003C\u002Fstrong>: Block known bot signatures before login processing (exact match or substring 
mode).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Blocked User-Agent attempt log\u003C\u002Fstrong>: Separate log table for blocked User-Agent requests including matching pattern.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress hardening options\u003C\u002Fstrong>: Disable XML-RPC (with fake-user honeypot response), hide REST user endpoint, and block author archive enumeration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional bot password capture\u003C\u002Fstrong>: Store attempted passwords from detected JS-honeypot bots for incident analysis.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Neutral login error option\u003C\u002Fstrong>: Hide username enumeration by using neutral WordPress login error responses.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Live security visibility\u003C\u002Fstrong>: Live alarm in admin, lockout badge in menu, and detailed failed-attempt logs with IP\u002FUser-Agent filters.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Progressive lockout durations\u003C\u002Fstrong>: Lockout time increases on repeat offenses (e.g., 15 \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> 30 \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> 60 \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> 120 minutes).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login page guidance\u003C\u002Fstrong>: Clear countdown and “X attempts remaining” notice for transparent lock state.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy-compliant\u003C\u002Fstrong>: IPs stored only as anonymized hashes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic cleanup\u003C\u002Fstrong> of old failed attempts (configurable).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Mobile-friendly admin tables\u003C\u002Fstrong>: Horizontal scrolling for wide security tables on small screens, including swipe hint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email notification\u003C\u002Fstrong> to admin on attacks against existing 
users.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Developed in Switzerland – fast, clean, performant, and multilingual ready.\u003C\u002Fp>\n\u003Cp>Compatible with WordPress 6.9 and tested up to PHP 8.5.3.\u003C\u002Fp>\n","Intelligent login protection with honeypot detection, WordPress hardening, and a clear security admin overview.",172,"2026-03-03T08:32:00.000Z","5.6","7.4",[50,51,52,53,22],"bot-protection","brute-force-protection","honeypot","login-security","https:\u002F\u002Fesherpa.ch\u002Flogin-guard","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fesherpa-login-guard.3.0.0.zip",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":11,"num_ratings":66,"last_updated":67,"tested_up_to":68,"requires_at_least":47,"requires_php":17,"tags":69,"homepage":73,"download_link":74,"security_score":11,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"netsensai-shield","NETSENSAI Shield","1.4.9","Rafal Gierlicki","https:\u002F\u002Fprofiles.wordpress.org\u002Frgierlicki\u002F","\u003Cp>NETSENSAI Shield offers a range of security features, including:\u003C\u002Fp>\n\u003Cp>Changing the login URL to reduce brute force attack risks.\u003C\u002Fp>\n\u003Cp>Disabling the REST API (WP API JSON) for non-logged-in users.\u003C\u002Fp>\n\u003Cp>Disabling XML-RPC to prevent unauthorized access.\u003C\u002Fp>\n\u003Cp>Disabling the WordPress file editor to avoid accidental or malicious changes.\u003C\u002Fp>\n\u003Cp>Disabling Application Passwords to block unauthorized API access.\u003C\u002Fp>\n\u003Cp>Applying advanced HTTP security headers (e.g., HSTS, X-Frame-Options, Content-Security-Policy).\u003C\u002Fp>\n\u003Cp>Integration with W3 Total Cache:\u003C\u002Fp>\n\u003Cp>Permanently disable .htaccess writes by W3TC\u003C\u002Fp>\n\u003Cp>Runtime disabling of Page Cache UI\u003C\u002Fp>\n\u003Cp>One-time full cache flush on first admin page 
load\u003C\u002Fp>\n\u003Cp>Automatic cache flush on Secure Options save\u003C\u002Fp>\n\u003Cp>Physical cleanup and permanent disable via the W3TC API\u003C\u002Fp>\n\u003Cp>Suppression of Site Health REST API availability notices for non-logged-in users (removes false Site Health errors while maintaining full API blocking).\u003C\u002Fp>\n\u003Cp>In addition, the plugin provides helpful user feedback:\u003C\u002Fp>\n\u003Cp>Email notifications when the login URL changes – sends a localized HTML email (Polish or English) with your old and new login links, change date and the plugin logo, so you remember to update your bookmarks.\u003C\u002Fp>\n\u003Cp>Admin popup when disabling the WP API JSON – displays a friendly modal warning that disabling the REST API may break plugins like WooCommerce or contact forms. The popup includes a purchase link to upgrade to the PRO version if you need this feature without losing functionality.\u003C\u002Fp>\n\u003Cp>Scoped styling – the custom colour for the “Save changes” button is now limited to the Secure Options page, so other admin pages keep the default WordPress look.\u003C\u002Fp>\n\u003Cp>Promotional banner assistant – notifies administrators of summer discount codes and NETSENSAI Shield PRO features.\u003C\u002Fp>\n\u003Cp>The free version provides both core and advanced Level 3 security functionalities. 
A PRO version offers extended support, additional features, and automatic protection enhancements.\u003C\u002Fp>\n","Hardens and protects your site by locking down login, REST API, XML‑RPC, file editor, and applying HTTP security headers.",1000,6022,5,"2025-10-14T20:18:00.000Z","6.8.5",[70,19,71,20,72],"cybersecurity","protection","wordpress-security","https:\u002F\u002Fwww.netsensai.pl\u002Fstore\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnetsensai-shield.1.4.9.zip",{"slug":76,"name":77,"version":6,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":82,"downloaded":83,"rating":11,"num_ratings":84,"last_updated":85,"tested_up_to":86,"requires_at_least":87,"requires_php":17,"tags":88,"homepage":91,"download_link":92,"security_score":93,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"sar-one-click-security","SAR One Click Security","Samuel Aguilera","https:\u002F\u002Fprofiles.wordpress.org\u002Fsamuelaguilera\u002F","\u003Cp>There’s a lot of WordPress security plugins with many many options and pages to setup. And that is fine if you know what to do.\u003Cbr \u002F>\nBut most of the times, you don’t need so much or simply you’re not sure about what to set or not.\u003C\u002Fp>\n\u003Cp>This plugin adds some extra security to your WordPress with only one click. \u003Cstrong>No options page, just activate it!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Like many other security plugins SAR One Click Security adds well known .htaccess rules, but only the ones probed to be safe to use in almost any type of site (including WooCommerce stores), to protect your WordPress from common attacks. 
This allows you to have a safer WordPress without worries about what protection you should be using.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Turn off ServerSignature directive, that may leak information about your web server.\u003C\u002Fli>\n\u003Cli>Turn off directory listing, avoiding bad configured hostings to leak your files.\u003C\u002Fli>\n\u003Cli>Blocks public access (from web) to following files that may leak information about your WordPress install: .htaccess, license.txt, readme.html, wp-config.php, wp-config-sample.php, install.php\u003C\u002Fli>\n\u003Cli>Blocks access to wp-login.php to dummy bots trying to register in WordPress sites that have registration disabled.\u003C\u002Fli>\n\u003Cli>Blocks requests looking for timthumb.php, reducing server load caused by bots trying to find it. (*)\u003C\u002Fli>\n\u003Cli>Blocks TRACE and TRACK request methods, preventing XST attacks.\u003C\u002Fli>\n\u003Cli>Blocks direct posting to wp-comments-post.php (most spammers do this) and access with blank User Agent, reducing spam comments a lot and also server load.\u003C\u002Fli>\n\u003Cli>Blocks direct access to PHP files in wp-content directory (this includes subdirectories like plugins or themes). Protecting you from a huge number of 0day exploits.\u003C\u002Fli>\n\u003Cli>Blocks direct POST to wp-login.php and access with blank User Agent, preventing most brute-force attacks and reducing server load.\u003C\u002Fli>\n\u003Cli>Blocks access to .txt files under any plugin\u002Ftheme directory to prevent scans for installed plugins\u002Fthemes.\u003C\u002Fli>\n\u003Cli>Blocks any query string trying to get a copy of the wp-config.php file.\u003C\u002Fli>\n\u003Cli>Blocks gf_page=upload query string argument, this was deprecated in Gravity Forms on May 2015, if your copy of Gravity Forms still uses it, update now!\u003C\u002Fli>\n\u003Cli>Removes version information from page headers. 
This includes not only the page header (html or xhtml) but also feed headers (rss, rss2, atom, rdf) and opml comments. Only the version number is removed, not the entire generator information.  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>(*) If your theme uses TimThumb, you can disable that blocking rule, check FAQ before installing the plugin to see how.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.9.2 or higher. (Works with WordPress network\u002Fmultisite installation).\u003C\u002Fli>\n\u003Cli>Apache 2.4.x web server\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It has been tested in many servers including large providers like HostGator, Godaddy and 1&1 with optimal results, and it will work fine in any decent hosting service (that allows you to set options from .htaccess files).\u003C\u002Fp>\n\u003Cp>Anyway, if you get any problem after activating the plugin, check FAQ for instructions on how to manually uninstall it.\u003C\u002Fp>\n\u003Cp>If you’re not sure of which server is your hosting company using or if they allow to use custom .htaccess rules, I would recommend you to contact with your host support \u003Cstrong>before\u003C\u002Fstrong> installing the plugin.\u003C\u002Fp>\n\u003Ch4>Usage\u003C\u002Fh4>\n\u003Cp>To apply above mentioned security rules simply install and activate the plugin, no options page, no user setup!\u003C\u002Fp>\n\u003Cp>If you need to remove the security rules for some reason, simply deactivate the plugin. 
If you want to add them again, activate the plugin again, that easy 😉\u003C\u002Fp>\n\u003Cp>And remember, \u003Cstrong>if your theme uses TimThumb, check FAQ before installing the plugin\u003C\u002Fstrong>.\u003C\u002Fp>\n","Adds some extra security to your WordPress with only one click.",200,13616,7,"2025-03-03T20:53:00.000Z","6.7.5","3.9.2",[89,19,90,71,20],"firewall","htaccess","http:\u002F\u002Fwww.samuelaguilera.com\u002Farchivo\u002Fprotege-wordpress-facilmente.xhtml","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsar-one-click-security.1.3.zip",92,{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":11,"downloaded":102,"rating":103,"num_ratings":13,"last_updated":104,"tested_up_to":105,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":111,"download_link":112,"security_score":113,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"secure-http-headers","Secure HTTP Headers","1.0","shasha310","https:\u002F\u002Fprofiles.wordpress.org\u002Fshasha310\u002F","\u003Cp>Harden your web applications.\u003C\u002Fp>\n\u003Cp>HTTP header fields are components of the header section of request and response messages. The headers define the operating parameters of an HTTP transaction.\u003C\u002Fp>\n\u003Cp>Securing HTTP headers will improve the resilience of your web application against many common attacks including those that are on the OWASP top 10 list.\u003C\u002Fp>\n\u003Cp>Securing headers can also improve your SEO rank and in addition to preventing websites from being marked as dangerous by browsers and antivirus applications.\u003C\u002Fp>\n\u003Cp>Protect sensitive user information and be compliant with privacy regulations. Defend users from stealing private data by protecting website cookies. 
Use the proper directive such as “secure”, “httponly” and “samesite”, all of those will be applied automatically by “Secure HTTP Headers” plugin.\u003C\u002Fp>\n\u003Cp>Secure HTTP Headers will automatically analyze any website and will build up secure headers directives, by the latest best practice.\u003C\u002Fp>\n\u003Cp>In addition, Secure HTTP Headers offers fully configurable options, apply or skip any header directive as needed.\u003C\u002Fp>\n\u003Cp>Install and activate Secure HTTP Headers with full confidence, the deactivation of this plugin will return your website header directives to their original state.\u003C\u002Fp>\n\u003Ch3>Main plugin functionality\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>HTTP Strict Transport Security – helps to protect websites against man-in-the-middle attacks and cookie hijacking\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Frame-Options – helps to protect users against ClickJacking attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Content-Type-Options  – helps to prevent the browser from MIME-sniffing\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Referrer-Policy – helps to control how much referrer information should be included with requests\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Clear-Site-Data – helps to ensure that data is deleted from the browser if the user logs out\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Download-Options – helps to control how IE 8 will handle downloaded HTML files\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Access-Control-Allow-Origin – helps to ensure whether the response can be shared with requesting code from the given origin\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Embedder-Policy – helps to prevent a document from loading any cross-origin resources that don’t explicitly grant the document permission\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Permissions-Policy – helps to allow and deny the use of browser 
features in its own frame, and in content within any iframe elements in the document\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Opener-Policy – helps to protect websites against a set of cross-origin attacks dubbed XS-Leaks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Resource-Policy – helps to protect websites against speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Permitted-Cross-Domain-Policies – helps to control how cross-domain requests from Flash and PDF documents are handled\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Http-Only flag – helps to protect websites against Cross-Site Scripting, or XSS attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Secure flag – helps to ensure that cookie is sent over a secure connection\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Samesite Lax flag – helps to protect websites against CSRF and XSSI attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Expect-CT – helps to prevent the use of misissued certificates for a website. 
Note: The Expect-CT will likely become obsolete in June 2021\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>What are the optional extras?\u003C\u002Fh3>\n\u003Cp>Magnisec is offering “Secure HTTP Headers enhanced”\u003C\u002Fp>\n\u003Cp>A plugin that contains, in addition, an engine that watches and builds in any website changes a CSP – Content Security Policy that is best practice and recommended by all professional securities experts, that mitigate XSS -Cross site Scripting, one of the most common and destructive attacks.\u003C\u002Fp>\n\u003Cp>Price: 50$ \u002Fyear for a domain.\u003C\u002Fp>\n\u003Cp>More details and installation \u003Ca href=\"https:\u002F\u002Fmagnisec.com\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n","Secure HTTP headers - Essential, and easy.",2542,60,"2021-04-13T08:27:00.000Z","5.7.15","5.3","7.2",[109,19,110,20],"cookies","headers","https:\u002F\u002Fmagnisec.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-http-headers.1.0.zip",85,{"slug":115,"name":116,"version":97,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":11,"downloaded":121,"rating":26,"num_ratings":26,"last_updated":122,"tested_up_to":15,"requires_at_least":123,"requires_php":124,"tags":125,"homepage":128,"download_link":129,"security_score":11,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"security-hardener","Security Hardener","Marc Armengou","https:\u002F\u002Fprofiles.wordpress.org\u002Fmarc4\u002F","\u003Cp>\u003Cstrong>Security Hardener\u003C\u002Fstrong> implements the official WordPress hardening guidelines from the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fhardening\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration \u002F Security \u002F Hardening\u003C\u002Fa> documentation. 
It uses WordPress core functions and follows best practices without modifying core files.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>File Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable file editor in WordPress admin\u003Cbr \u002F>\n* Optionally disable all file modifications (blocks updates – use with caution)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>XML-RPC Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable XML-RPC completely (enabled by default)\u003Cbr \u002F>\n* Remove pingback methods\u003Cbr \u002F>\n* Disable self-pingbacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Enumeration Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Block \u003Ccode>\u002F?author=N\u003C\u002Fcode> queries (returns 404)\u003Cbr \u002F>\n* Secure REST API user endpoints (require authentication)\u003Cbr \u002F>\n* Remove users from XML sitemaps\u003Cbr \u002F>\n* Prevent canonical redirects that expose usernames\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generic error messages (no username\u002Fpassword hints)\u003Cbr \u002F>\n* IP-based rate limiting with configurable thresholds\u003Cbr \u002F>\n* Security event logging (last 100 events)\u003Cbr \u002F>\n* Automatic blocking after failed attempts\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Ccode>X-Frame-Options: SAMEORIGIN\u003C\u002Fcode> (clickjacking protection)\u003Cbr \u002F>\n* \u003Ccode>X-Content-Type-Options: nosniff\u003C\u002Fcode> (MIME sniffing protection)\u003Cbr \u002F>\n* \u003Ccode>Referrer-Policy: strict-origin-when-cross-origin\u003C\u002Fcode>\u003Cbr \u002F>\n* \u003Ccode>Permissions-Policy\u003C\u002Fcode> (restricts geolocation, microphone, camera)\u003Cbr \u002F>\n* Optional HSTS (HTTP Strict Transport Security) for HTTPS sites\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Additional Hardening:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Hide WordPress version\u003Cbr \u002F>\n* Clean 
up \u003Ccode>wp_head\u003C\u002Fcode> output\u003Cbr \u002F>\n* Remove unnecessary meta tags and links\u003Cbr \u002F>\n* Security event logging system\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>⚠️ \u003Cstrong>Important:\u003C\u002Fstrong> Always test security settings in a staging environment first. Some features may affect third-party integrations or plugins.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Privacy:\u003C\u002Fstrong> This plugin does not send data to external services and does not create custom database tables. It stores plugin settings and a security event log in the WordPress options table, and uses transients for temporary login attempt tracking. All data is deleted on uninstall.\u003C\u002Fp>\n","Basic hardening: secure headers, user enumeration blocking, generic login errors, IP-based rate limiting, and WordPress security improvements.",496,"2026-03-05T12:13:00.000Z","6.9","8.2",[126,19,110,127,20],"brute-force","login-protection","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-hardener\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-hardener.1.0.zip",{"attackSurface":131,"codeSignals":163,"taintFlows":184,"riskAssessment":185,"analyzedAt":192},{"hooks":132,"ajaxHandlers":154,"restRoutes":160,"shortcodes":161,"cronEvents":162,"entryPointCount":137,"unprotectedCount":137},[133,140,144,149],{"type":134,"name":135,"callback":136,"priority":137,"file":138,"line":139},"action","admin_enqueue_scripts","DesskyScanInterface::enqueue_scripts",1,"dessky-security.php",140,{"type":134,"name":141,"callback":142,"file":138,"line":143},"admin_menu","DesskyScanInterface::add_interface_menu",141,{"type":145,"name":146,"callback":147,"file":138,"line":148},"filter","admin_footer_text","desskyscan_admin_footer_text",157,{"type":145,"name":150,"callback":151,"priority":152,"file":138,"line":153},"plugin_row_meta","desskyscan_row_meta",10,162,[155],{"action":156,"nopriv":157,"callback":158,"hasNonce":157,"hasC
apCheck":157,"file":138,"line":159},"desskyscan_rated",false,"desskyscan_process_rated",2467,[],[],[],{"dangerousFunctions":164,"sqlUsage":165,"outputEscaping":168,"fileOperations":182,"externalRequests":26,"nonceChecks":137,"capabilityChecks":137,"bundledLibraries":183},[],{"prepared":166,"raw":26,"locations":167},3,[],{"escaped":137,"rawEcho":169,"locations":170},6,[171,174,175,176,178,180],{"file":138,"line":172,"context":173},1051,"raw output",{"file":138,"line":172,"context":173},{"file":138,"line":172,"context":173},{"file":138,"line":177,"context":173},1052,{"file":138,"line":179,"context":173},1553,{"file":138,"line":181,"context":173},2134,19,[],[],{"summary":186,"deductions":187},"The dessky-security plugin v1.3 demonstrates a mixed security posture.  On the positive side, it utilizes prepared statements for all SQL queries, has no recorded historical vulnerabilities (CVEs), and avoids external HTTP requests.  However, significant concerns arise from the static analysis, particularly the presence of one AJAX handler that lacks authentication checks.  This creates a direct, unprotected entry point into the plugin's functionality, which is a critical security weakness.\n\nThe limited output escaping is also a concern, with only 14% of outputs being properly escaped. This suggests a higher risk of cross-site scripting (XSS) vulnerabilities if user-controlled data is involved in these unescaped outputs.  The absence of taint analysis results (zero flows analyzed) makes it difficult to fully assess the risk of data manipulation, but the other identified issues warrant attention.\n\nOverall, while the plugin avoids some common pitfalls like raw SQL and outdated libraries, the unprotected AJAX handler and insufficient output escaping significantly elevate its risk profile. The lack of historical vulnerabilities is a positive indicator, but it does not negate the immediate risks identified in the current version's code. 
Addressing the unprotected AJAX endpoint and improving output escaping are crucial steps to enhance its security.",[188,190],{"reason":189,"points":152},"AJAX handler without authentication",{"reason":191,"points":169},"Low percentage of properly escaped output","2026-03-16T21:03:46.070Z",{"wat":194,"direct":203},{"assetPaths":195,"generatorPatterns":198,"scriptPaths":199,"versionParams":200},[196,197],"\u002Fwp-content\u002Fplugins\u002Fdessky-security\u002Fcss\u002Fdessky-style.css","\u002Fwp-content\u002Fplugins\u002Fdessky-security\u002Fjs\u002Fdessky-script.js",[],[197],[201,202],"dessky-security\u002Fcss\u002Fdessky-style.css?ver=","dessky-security\u002Fjs\u002Fdessky-script.js?ver=",{"cssClasses":204,"htmlComments":206,"htmlAttributes":210,"restEndpoints":213,"jsGlobals":214,"shortcodeOutput":216},[205],"dessky-scan-container",[207,208,209],"\u003C!-- Dessky Security -->","\u003C!-- End Dessky Security -->","\u003C!-- Dessky Scan Admin Interface -->",[211,212],"data-dessky-ajax-url","data-dessky-nonce",[],[215],"dessky_security_vars",[]]
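The risk assessment above reports one `wp_ajax_` handler registered with `hasNonce` and `hasCapCheck` both false, and one escaped output against six raw echoes. The following is an added example, not Dessky Security's code and not the scanner that produced this report: a small heuristic static check that reproduces those two signals on a constructed PHP sample whose function names (`example_process_rated`, `example_save_settings`, `example_ping`) are hypothetical. The sample's first handler shows the weak pattern the report flags, the last shows the hardened form a reviewer would require (`check_ajax_referer` before any state change, `current_user_can` before privileged work, `esc_html` on output). Two WordPress facts drive the findings: `wp_ajax_{action}` hooks run only for logged-in users, so a missing capability check exposes the handler to every role down to subscriber rather than to the anonymous internet, while `wp_ajax_nopriv_{action}` hooks run for anyone; a missing nonce makes either one callable cross-site. The check goes slightly beyond the report by separating echoes of constant strings from genuinely raw output, since the former carry no user-controlled data.

```python
# Added example (not Dessky Security's code, not the scanner behind the report
# above): heuristic static check for WordPress AJAX entry points and output escaping.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed PHP sample with hypothetical names, not the plugin's source.
# First handler: the weak pattern the assessment flags. Last: the hardened form.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_example_rated', 'example_process_rated');
add_action('wp_ajax_nopriv_example_ping', 'example_ping');
add_action('wp_ajax_example_ping', 'example_ping');
add_action('wp_ajax_example_save', 'example_save_settings');
function example_process_rated() {
    update_option('example_rated', $_POST['value']);  // no nonce, no cap check
    echo $_POST['value'];                              // unescaped output
    wp_die();
}
function example_ping() {
    echo 'pong';
}
function example_save_settings() {
    check_ajax_referer('example_save_nonce', 'nonce');  // CSRF token
    if (!current_user_can('manage_options')) {          // capability gate
        wp_send_json_error('forbidden', 403);
    }
    $v = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    update_option('example_value', $v);
    echo esc_html($v);                                  // escaped output
}
"""

NONCE_FUNCS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")
CAP_FUNCS = ("current_user_can", "is_super_admin")
ESCAPE_FUNCS = ("esc_html", "esc_attr", "esc_url", "esc_textarea", "wp_kses", "wp_kses_post")
REGISTRATION_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"]([\w:]+)['"]""")
ECHO_RE = re.compile(r"\becho\s+(.+?);")

@dataclass
class AjaxHandler:
    action: str
    callback: str
    nopriv: bool         # also registered as wp_ajax_nopriv_: no login needed
    has_nonce: bool      # callback body calls a nonce verifier
    has_cap_check: bool  # callback body calls a capability check

def _function_body(php: str, callback: str) -> Optional[str]:
    # Brace-matched body of a plain or Class::method callback (heuristic: braces
    # inside strings/comments are not skipped, much like the report's signals).
    m = re.search(r"function\s+" + re.escape(callback.split("::")[-1]) + r"\s*\(", php)
    start = php.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(php)):
        depth += (php[i] == "{") - (php[i] == "}")
        if depth == 0:
            return php[start:i + 1]
    return None

def find_ajax_handlers(php: str) -> List[AjaxHandler]:
    handlers: Dict[str, AjaxHandler] = {}
    for m in REGISTRATION_RE.finditer(php):
        nopriv, action, callback = bool(m.group(1)), m.group(2), m.group(3)
        if action not in handlers:
            body = _function_body(php, callback) or ""
            handlers[action] = AjaxHandler(action, callback, False,
                                           any(f + "(" in body for f in NONCE_FUNCS),
                                           any(f + "(" in body for f in CAP_FUNCS))
        handlers[action].nopriv |= nopriv   # merge the priv/nopriv registrations
    return list(handlers.values())

def classify_echo(expr: str) -> str:
    # 'literal' (constant string), 'escaped' (esc_*/wp_kses* wrapper) or 'raw'.
    expr = expr.strip()
    if re.fullmatch(r"'[^'$]*'|\"[^\"$]*\"", expr):
        return "literal"
    if re.match(r"(?:%s)\s*\(" % "|".join(map(re.escape, ESCAPE_FUNCS)), expr):
        return "escaped"
    return "raw"

def count_echo_escaping(php: str) -> Dict[str, int]:
    counts = {"escaped": 0, "literal": 0, "raw": 0}
    for m in ECHO_RE.finditer(php):
        counts[classify_echo(m.group(1))] += 1
    return counts

def audit(php: str) -> Dict[str, object]:
    # wp_ajax_{action} runs for any logged-in role, wp_ajax_nopriv_{action} for
    # anyone; a missing nonce makes either one CSRF-able.
    handlers = find_ajax_handlers(php)
    findings = []
    for h in handlers:
        if h.nopriv:
            findings.append(f"{h.action}: reachable without login (wp_ajax_nopriv_)")
        if not h.has_nonce:
            findings.append(f"{h.action}: no nonce check (CSRF)")
        if not h.nopriv and not h.has_cap_check:
            findings.append(f"{h.action}: no capability check (any logged-in role)")
    return {"handlers": handlers, "findings": findings, "escaping": count_echo_escaping(php)}
```

Running `audit(SAMPLE_PHP)` yields four findings (two for the unprotected handler, two for the nopriv one, none for the hardened one) and an escaping count of one escaped, one literal and one raw echo. A signal like this only tells you where to look; the decisive step for the handler flagged in the report above is to open the registered callback and confirm that a nonce check and a capability check both precede any write or privileged read, and that every echo of request-derived data passes through an `esc_*` function.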