[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fabCmZIameBUXesow7n7h-r-TXU6tO3Sb1FfrYPTG1yU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":35,"analysis":129,"fingerprints":572},"esherpa-login-guard","eSherpa Login Guard","3.0.0","Ralf Naumann","https:\u002F\u002Fprofiles.wordpress.org\u002Fr2d3\u002F","\u003Cp>\u003Cstrong>eSherpa Login Guard\u003C\u002Fstrong> effectively and intelligently protects your WordPress site from brute-force attacks – Swiss precision, completely without external dependencies.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Honeypot-first bot defense\u003C\u002Fstrong>: JavaScript Honeypot detects non-browser bots and triggers immediate lockout logic.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protected username trap\u003C\u002Fstrong>: Immediate lockout for defined usernames (e.g., “admin”, “test”), independent of the regular counter.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Proactive User-Agent blocking\u003C\u002Fstrong>: Block known bot signatures before login processing (exact match or substring mode).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Blocked User-Agent attempt log\u003C\u002Fstrong>: Separate log table for blocked User-Agent requests including matching pattern.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress hardening options\u003C\u002Fstrong>: Disable XML-RPC (with fake-user honeypot response), hide REST user endpoint, and block author archive enumeration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optional bot password capture\u003C\u002Fstrong>: Store attempted 
passwords from detected JS-honeypot bots for incident analysis.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Neutral login error option\u003C\u002Fstrong>: Hide username enumeration by using neutral WordPress login error responses.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Live security visibility\u003C\u002Fstrong>: Live alarm in admin, lockout badge in menu, and detailed failed-attempt logs with IP\u002FUser-Agent filters.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Progressive lockout durations\u003C\u002Fstrong>: Lockout time increases on repeat offenses (e.g., 15 \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> 30 \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> 60 \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> 120 minutes).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login page guidance\u003C\u002Fstrong>: Clear countdown and “X attempts remaining” notice for transparent lock state.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy-compliant\u003C\u002Fstrong>: IPs stored only as anonymized hashes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic cleanup\u003C\u002Fstrong> of old failed attempts (configurable).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Mobile-friendly admin tables\u003C\u002Fstrong>: Horizontal scrolling for wide security tables on small screens, including swipe hint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email notification\u003C\u002Fstrong> to admin on attacks against existing users.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Developed in Switzerland – fast, clean, performant, and multilingual ready.\u003C\u002Fp>\n\u003Cp>Compatible with WordPress 6.9 and tested up to PHP 8.5.3.\u003C\u002Fp>\n","Intelligent login protection with honeypot detection, WordPress hardening, and a clear security admin 
overview.",0,172,"2026-03-03T08:32:00.000Z","6.9.4","5.6","7.4",[18,19,20,21,22],"bot-protection","brute-force-protection","honeypot","login-security","wordpress-hardening","https:\u002F\u002Fesherpa.ch\u002Flogin-guard","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fesherpa-login-guard.3.0.0.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":30,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},"r2d3",1,30,94,"2026-04-04T05:32:59.247Z",[36,57,74,93,108],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":46,"num_ratings":47,"last_updated":48,"tested_up_to":14,"requires_at_least":49,"requires_php":50,"tags":51,"homepage":55,"download_link":56,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"honeypot-toolkit","Honeypot Toolkit","5.0.4","Jeff Sterup","https:\u002F\u002Fprofiles.wordpress.org\u002Ffoomagoo\u002F","\u003Cp>This plugin allows you to automatically insert your Project Honeypot links into all of your pages and block IP addresses that are listed on the Http:BL list from Project Honeypot. There is an option to block IP addresses that have been blocked by Spamcop using their blacklist and the SANS Internet Storm Center API as well.\u003Cbr \u002F>\nTo prevent bots from using brute force attacks and scanning your site there is an option to block users that fail to login a set number of times or use blocked user names. You can also block IP addresses that generate a large number of 404 errors. 
This plugin will also prevent WordPress User Enumeration and automatically block anyone attempting it.\u003C\u002Fp>\n","Automatically insert Project Honeypot links into your pages and block IP addresses that are listed on various block lists you can choose from.",400,19448,90,8,"2026-02-06T18:40:00.000Z","4.6.0","",[19,20,52,53,54],"login-monitor","project-honeypot","spam-prevention","https:\u002F\u002Fwww.sterup.com\u002Fwordpress-plugins\u002Fhoneypot-toolkit\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhoneypot-toolkit.5.0.4.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":65,"downloaded":66,"rating":25,"num_ratings":31,"last_updated":67,"tested_up_to":14,"requires_at_least":49,"requires_php":68,"tags":69,"homepage":50,"download_link":73,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"kaya-login-captcha","Kaya Login Captcha","1.0.2","Kaya Studio","https:\u002F\u002Fprofiles.wordpress.org\u002Fkayastudio\u002F","\u003Cp>\u003Cstrong>Why use “Kaya Login Captcha”?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin Adds a simple captcha on login form, register form and lost-password form.\u003C\u002Fp>\n\u003Cp>Easy install and use, captcha settings are fully customizable and you can choose the forms on which to display it. 
The blocked request HTTP status can be customized and the XML-RPC feature can be disabled.\u003C\u002Fp>\n\u003Cp>Captcha statistics are also available on the settings page, with the count of passed and blocked requests sorted by year and month.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Captcha available on the login form (Dashboard and WooCommerce).\u003C\u002Fli>\n\u003Cli>Captcha available on the lost-password form (Dashboard and WooCommerce).\u003C\u002Fli>\n\u003Cli>Captcha available on the register form (Dashboard and WooCommerce).\u003C\u002Fli>\n\u003Cli>Editable Captcha code length.\u003C\u002Fli>\n\u003Cli>Editable Captcha code format: numeric, alphabetic or alphanumeric.\u003C\u002Fli>\n\u003Cli>Random lines available in the background of the Captcha.\u003C\u002Fli>\n\u003Cli>Editable blocked request HTTP status.\u003C\u002Fli>\n\u003Cli>XML-RPC WordPress API deactivatable.\u003C\u002Fli>\n\u003Cli>Captcha statistics of passed and blocked requests sorted by year and month.\u003C\u002Fli>\n\u003Cli>Compatible with WordPress MultiSite and WooCommerce.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>“Kaya Login Captcha” is a professional login captcha system with fully customizable settings.\u003C\u002Fp>\n\u003Ch4>Privacy\u003C\u002Fh4>\n\u003Cp>This plugin does not collect or store any user data. It does not set any cookies and does not connect to any third-party applications. This plugin only generates a captcha code to verify human action for selected forms on your settings.\u003C\u002Fp>\n\u003Ch4>Available Languages\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>English.\u003C\u002Fli>\n\u003Cli>French.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Feedback\u003C\u002Fh4>\n\u003Cp>Any suggestions or feedback is welcome, thank you for using or trying one of my plugins. 
Please take the time to let me know about your experiences and rate this plugin.\u003C\u002Fp>\n","Adds a simple captcha on login form, register form and lost-password form.",200,2708,"2025-12-03T10:41:00.000Z","5.3",[19,70,71,21,72],"captcha","login","spam","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkaya-login-captcha.1.0.2.zip",{"slug":75,"name":76,"version":77,"author":78,"author_profile":79,"description":80,"short_description":81,"active_installs":82,"downloaded":83,"rating":11,"num_ratings":11,"last_updated":84,"tested_up_to":85,"requires_at_least":86,"requires_php":87,"tags":88,"homepage":50,"download_link":92,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"fortress-login-pro","Fortress Login Pro – Secure, Hide & Rename Login URL","1.1.3","Hamdi Saidani","https:\u002F\u002Fprofiles.wordpress.org\u002Fhamdisaidani\u002F","\u003Cp>\u003Cstrong>Fortress Login Pro\u003C\u002Fstrong> is a battle-ready security plugin that replaces your WordPress login page (\u003Ccode>wp-login.php\u003C\u002Fcode>) with a private, rotating URL that only you control.\u003C\u002Fp>\n\u003Cp>🛡️ It doesn’t just hide the login—it lets you track, rotate, and control it.\u003C\u002Fp>\n\u003Cp>Perfect for freelancers, agencies, eCommerce owners, and anyone tired of blind brute-force attacks.\u003C\u002Fp>\n\u003Ch3>🔐 Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Custom Login URL:\u003C\u002Fstrong> Hide \u003Ccode>wp-login.php\u003C\u002Fcode> and set your own private login path  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto-Rotate Slugs:\u003C\u002Fstrong> Automatically change your login URL on a custom schedule  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dual-Slug Rotation Safety:\u003C\u002Fstrong> Keep the old URL live until the new one is used (fail-safe)  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Slug Generator:\u003C\u002Fstrong> Choose readable word combos or full-random slugs (with number support)  
\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Access Logs & Charts:\u003C\u002Fstrong> See IPs, timestamps, referrers, and user-agents by login attempt  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Export Logs:\u003C\u002Fstrong> Download access history or slug changes in CSV or JSON  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Slug History Panel:\u003C\u002Fstrong> Restore, archive, or delete old slugs anytime  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>SMTP Configuration:\u003C\u002Fstrong> Set up outgoing email for login slug alerts and rotation notices  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Test Email & Rotation:\u003C\u002Fstrong> Built-in checks before activating rotation so you don’t get locked out  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>System File Protection:\u003C\u002Fstrong> Optional toggle to block access to \u003Ccode>install.php\u003C\u002Fcode> and \u003Ccode>setup-config.php\u003C\u002Fcode> via \u003Ccode>.htaccess\u003C\u002Fcode>  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean UI:\u003C\u002Fstrong> Fast, modern dashboard with zero bloat or upsell traps  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>✅ Works With\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WooCommerce, Easy Digital Downloads, and major eCommerce plugins  \u003C\u002Fli>\n\u003Cli>Membership systems like MemberPress, Paid Memberships Pro  \u003C\u002Fli>\n\u003Cli>Popular security plugins: Wordfence, iThemes, Sucuri  \u003C\u002Fli>\n\u003Cli>Caching tools like WP Rocket, Cloudflare, W3 Total Cache  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🚀 Why Fortress (vs limit login or captcha plugins)?\u003C\u002Fh3>\n\u003Cp>Most plugins try to \u003Cstrong>respond\u003C\u002Fstrong> to brute-force.\u003Cbr \u002F>\nFortress prevents it by removing the login form from public view.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No login page = no attack surface.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Final Word\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Fortress Login Pro\u003C\u002Fstrong> doesn’t just hide your login—it makes you 
smarter about who’s trying to reach it.\u003C\u002Fp>\n\u003Cp>Real logs. Real control. No BS.\u003Cbr \u002F>\nReady to lock down WordPress the way it should’ve shipped.\u003C\u002Fp>\n\u003Cp>Try our companion plugin: \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fnotification-blocker\u002F\" rel=\"ugc\">Notification Blocker\u003C\u002Fa> — hide noisy dashboard alerts with one click.\u003C\u002Fp>\n","Hide and rotate your WordPress login URL. Track access, export logs, and prevent brute-force attacks with real-time visibility.",10,612,"2025-05-09T10:19:00.000Z","6.8.5","5.0","7.2",[19,89,21,90,91],"custom-login-url","security","wp-admin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffortress-login-pro.1.1.3.zip",{"slug":94,"name":95,"version":60,"author":96,"author_profile":97,"description":98,"short_description":99,"active_installs":11,"downloaded":100,"rating":11,"num_ratings":11,"last_updated":50,"tested_up_to":14,"requires_at_least":101,"requires_php":16,"tags":102,"homepage":50,"download_link":106,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":107},"simple-login-guard","Simple Login Guard – Monitor & Block Attempts","Aman Brar","https:\u002F\u002Fprofiles.wordpress.org\u002Famandeepwebspero\u002F","\u003Cp>\u003Cstrong>Simple Login Guard\u003C\u002Fstrong> is a lightweight login security plugin designed to protect your WordPress website from brute-force attacks.\u003Cbr \u002F>\nIt monitors every login attempt, logs failed and successful logins, tracks suspicious behavior, and automatically blocks IP addresses that exceed your configured threshold — keeping your site safe without slowing it down.\u003C\u002Fp>\n\u003Cp>No confusing settings. 
No bulky security suite.\u003Cbr \u002F>\nJust \u003Cstrong>simple, effective login protection\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>🔐 Key Features\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Monitor Failed & Successful Login Attempts\u003C\u002Fstrong>\u003Cbr \u002F>\n  – Logs every attempt with username, IP, timestamp, and status.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Automatic IP Blocking\u003C\u002Fstrong>\u003Cbr \u002F>\n  – Block IPs that exceed a defined number of failed attempts within a time window.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Customizable Security Rules\u003C\u002Fstrong>\u003Cbr \u002F>\n  – Failed attempts threshold\u003Cbr \u002F>\n  – Lockout duration\u003Cbr \u002F>\n  – Time window for counting attempts\u003Cbr \u002F>\n  – Retention period for logs\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Manual Block \u002F Unblock IPs\u003C\u002Fstrong>\u003Cbr \u002F>\n  – Block or unblock IP addresses from the admin dashboard.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Lightweight and Fast\u003C\u002Fstrong>\u003Cbr \u002F>\n  – Uses optimized database queries and caching to avoid performance issues.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Safe Logging Table\u003C\u002Fstrong>\u003Cbr \u002F>\n  – Creates a separate database table for login attempts, leaving core tables untouched.\u003C\u002Fp>\n\u003Ch3>📊 Admin Dashboard\u003C\u002Fh3>\n\u003Cp>The plugin includes an easy-to-use interface under:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Tools \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Simple Login Guard\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Sections include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Settings\u003C\u002Fli>\n\u003Cli>Blocked IPs List\u003C\u002Fli>\n\u003C\u002Ful>\n","Monitor failed login attempts and automatically block IPs after multiple failures. 
Lightweight and easy to use.",159,"5.5",[103,19,104,105,21],"block-ip","limit-login-attempts","login-attempts","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-login-guard.1.0.2.zip","2026-03-15T10:48:56.248Z",{"slug":109,"name":110,"version":111,"author":112,"author_profile":113,"description":114,"short_description":115,"active_installs":116,"downloaded":117,"rating":118,"num_ratings":119,"last_updated":120,"tested_up_to":14,"requires_at_least":121,"requires_php":50,"tags":122,"homepage":50,"download_link":126,"security_score":118,"vuln_count":127,"unpatched_count":11,"last_vuln_date":128,"fetched_at":27},"limit-login-attempts-reloaded","Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall","2.26.28","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded\u003C\u002Fa> functions as a robust deterrent against \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fcracking-the-code-unveiling-the-mechanics-behind-brute-force-attacks\u002F\" rel=\"nofollow ugc\">brute force attacks\u003C\u002Fa>, bolstering your website’s security measures and optimizing its performance. It achieves this by \u003Cstrong>restricting the number of login attempts allowed\u003C\u002Fstrong>. This applies not only to the standard login method, but also to XMLRPC, Woocommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.\u003C\u002Fp>\n\u003Cp>The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and\u002For username once a predetermined limit of retries has been surpassed. 
This significantly weakens the effectiveness of brute force attacks on your website.\u003C\u002Fp>\n\u003Cp>By default, WordPress permits an unlimited number of login attempts, posing a vulnerability where passwords can be easily deciphered through brute force methods.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Limit Login Attempts Reloaded Premium (Try Free with \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fpremium-security-zero-cost-discover-the-benefits-of-micro-cloud\u002F\" rel=\"nofollow ugc\">Micro Cloud\u003C\u002Fa>)\u003C\u002Fstrong>\u003Cbr \u002F>\nUpgrade to \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fplans\u002F\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded Premium\u003C\u002Fa> to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffeatures\u002Fip-intelligence\u002F\" rel=\"nofollow ugc\">IP intelligence\u003C\u002Fa> to \u003Cstrong>detect, counter and deny malicious login attempts\u003C\u002Fstrong>. 
Your \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffailed-login-attempts-in-wordpress\u002F\" rel=\"nofollow ugc\">failed login attempts\u003C\u002Fa> will be safely neutralized in the cloud so your website can function at its optimal performance during an attack.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FJfkvIiQft14?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>Features (Free Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>2FA\u003C\u002Fstrong> – Coming soon.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Logins\u003C\u002Fstrong> – Limit the number of retry attempts when logging in (per each IP).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Lockout Timings\u003C\u002Fstrong> – Modify the amount of time a user or IP must wait after a lockout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remaining Tries\u003C\u002Fstrong> – Informs the user about the remaining retries or lockout time on the login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lockout Email Notifications\u003C\u002Fstrong> – Informs the admin via email of lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Denied Attempt Logs\u003C\u002Fstrong> – View a log of all denied attempts and lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & Username Safelist\u002FDenylist\u003C\u002Fstrong> – Control access to usernames and IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection (Micro Cloud Accounts)\u003C\u002Fstrong> – Protects default WP 
registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sucuri\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wordfence\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPS Hide Login\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MemberPress\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XMLRPC\u003C\u002Fstrong> gateway protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Woocommerce\u003C\u002Fstrong> login page protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-site compatibility\u003C\u002Fstrong> with extra MU settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR\u003C\u002Fstrong> compliant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom IP origins support\u003C\u002Fstrong> (Cloudflare, Sucuri, etc.).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>llar_admin\u003C\u002Fstrong> own capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features (Premium Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Performance Optimizer\u003C\u002Fstrong> – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced IP Intelligence\u003C\u002Fstrong> – Identify repetitive and suspicious login attempts to detect potential brute force attacks. 
IPs with known malicious activity are stored and used to help prevent and counter future attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Throttling\u003C\u002Fstrong> – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deny By Country\u003C\u002Fstrong> – \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fblock-logins-by-country-in-wordpress\u002F\" rel=\"nofollow ugc\">Block logins by country\u003C\u002Fa> by simply selecting the countries you want to deny.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto IP Denylist\u003C\u002Fstrong> – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Denylist Protection\u003C\u002Fstrong> – Utilize our active cloud IP data from thousands of websites in the LLAR network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Lockouts\u003C\u002Fstrong> –  Lockout IP data can be shared between multiple domains for enhanced protection in your network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Safelist\u002FDenylist\u003C\u002Fstrong> – Safelist\u002FDenylist IP and username data can be shared between multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support\u003C\u002Fstrong> – Email support with a security tech.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto Backups of All IP Data\u003C\u002Fstrong> – Store your active IP data in the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Successful Logins Log\u003C\u002Fstrong> – Store successful logins in the cloud including IP info, city, state and lat\u002Flong.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced lockout logs\u003C\u002Fstrong> – Gain valuable insights into the origins of IPs that are attempting logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CSV 
Download of IP Data\u003C\u002Fstrong> – Download IP data directly from the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supports IPV6 Ranges For Safelist\u002FDenylist\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlock The Locked Admin\u003C\u002Fstrong> – Easily \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fhow-to-unlock-your-site-if-you-are-locked-out-by-limit-login-attempts-reloaded\u002F\" rel=\"nofollow ugc\">unlock the locked admin\u003C\u002Fa> through the cloud.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>*Some features require higher level plans.\u003C\u002Fp>\n\u003Ch4>Upgrading from the old Limit Login Attempts plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to the Plugins section in your site’s backend.\u003C\u002Fli>\n\u003Cli>Remove the Limit Login Attempts plugin.\u003C\u002Fli>\n\u003Cli>Install the Limit Login Attempts Reloaded plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All your settings will be kept intact!\u003C\u002Fp>\n\u003Cp>Many languages are currently supported in the Limit Login Attempts Reloaded plugin but we welcome any additional ones.\u003C\u002Fp>\n\u003Cp>Help us bring Limit Login Attempts Reloaded to even more countries.\u003C\u002Fp>\n\u003Cp>Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish\u003C\u002Fp>\n\u003Cp>Plugin uses standard actions and filters only.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin by Johan Eenfeldt.\u003C\u002Fp>\n\u003Ch4>Branding Guidelines\u003C\u002Fh4>\n\u003Cp>Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. 
Limit Login Attempts is the old plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded (correct)\u003C\u002Fli>\n\u003Cli>Limit Login Attempts (incorrect)\u003C\u002Fli>\n\u003C\u002Ful>\n","Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.",2000000,79399145,98,1441,"2026-01-12T16:01:00.000Z","3.0",[123,124,125,21,90],"2fa","brute-force","firewall","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-login-attempts-reloaded.2.26.28.zip",4,"2023-12-20 00:00:00",{"attackSurface":130,"codeSignals":237,"taintFlows":445,"riskAssessment":561,"analyzedAt":571},{"hooks":131,"ajaxHandlers":224,"restRoutes":230,"shortcodes":231,"cronEvents":232,"entryPointCount":31,"unprotectedCount":11},[132,138,143,146,150,154,158,163,167,171,175,178,182,186,190,195,198,202,206,209,212,216,220],{"type":133,"name":134,"callback":135,"priority":82,"file":136,"line":137},"action","admin_menu","esherpa_login_guard_menu","esherpa-login-guard.php",131,{"type":133,"name":139,"callback":140,"priority":141,"file":136,"line":142},"login_init","esherpa_check_blocked_user_agent",5,161,{"type":133,"name":139,"callback":144,"file":136,"line":145},"esherpa_check_progressive_lockout",225,{"type":133,"name":147,"callback":148,"priority":82,"file":136,"line":149},"wp_login_failed","esherpa_handle_login_failed",260,{"type":133,"name":151,"callback":152,"priority":82,"file":136,"line":153},"wp_login","esherpa_log_successful_login",367,{"type":133,"name":155,"callback":156,"file":136,"line":157},"clear_auth_cookie","esherpa_log_logout",399,{"type":159,"name":160,"callback":161,"file":136,"line":162},"filter","xmlrpc_enabled","__return_false",433,{"type":159,"name":164,"callback":165,"file":136,"line":166},"xmlrpc_methods","__return_empty_array",434,{"type":133,"name":168,"callback":169,"priority":31,"file":136,"line":170},"init","esherpa_fake_xmlrpc_honeypot",435,{"type":159,"name":172,"callbac
k":173,"file":136,"line":174},"rest_endpoints","closure",479,{"type":133,"name":176,"callback":173,"file":136,"line":177},"template_redirect",489,{"type":133,"name":179,"callback":180,"file":136,"line":181},"login_form","esherpa_add_js_honeypot_field",499,{"type":133,"name":183,"callback":184,"file":136,"line":185},"admin_init","esherpa_login_guard_register_neutral_error_setting",502,{"type":159,"name":187,"callback":188,"file":136,"line":189},"login_errors","esherpa_login_guard_completely_neutral_error",508,{"type":159,"name":191,"callback":192,"priority":193,"file":136,"line":194},"the_content","esherpa_guard_insert_message_other_forms",999,1162,{"type":133,"name":179,"callback":196,"file":136,"line":197},"esherpa_guard_show_message_on_wplogin",1196,{"type":133,"name":199,"callback":200,"file":136,"line":201},"esherpa_login_guard_cleanup_event","esherpa_login_guard_cleanup_old_logins",1265,{"type":133,"name":203,"callback":204,"file":136,"line":205},"plugins_loaded","esherpa_login_guard_ensure_cleanup_cron",1292,{"type":133,"name":203,"callback":207,"file":136,"line":208},"esherpa_login_guard_check_and_upgrade_tables",1293,{"type":133,"name":203,"callback":210,"file":136,"line":211},"esherpa_login_guard_load_textdomain",1294,{"type":159,"name":213,"callback":214,"priority":82,"file":136,"line":215},"gettext","esherpa_login_guard_gettext_fallback",1765,{"type":159,"name":217,"callback":218,"priority":82,"file":136,"line":219},"gettext_with_context","esherpa_login_guard_gettext_with_context_fallback",1766,{"type":133,"name":221,"callback":222,"file":136,"line":223},"admin_enqueue_scripts","esherpa_login_guard_admin_assets",1884,[225],{"action":226,"nopriv":227,"callback":226,"hasNonce":228,"hasCapCheck":228,"file":136,"line":229},"esherpa_guard_check_new_failed",false,true,1788,[],[],[233,235],{"hook":199,"callback":199,"file":136,"line":234},1255,{"hook":199,"callback":199,"file":136,"line":236},1297,{"dangerousFunctions":238,"sqlUsage":239,"outputEscaping":277,"fi
leOperations":31,"externalRequests":11,"nonceChecks":443,"capabilityChecks":31,"bundledLibraries":444},[],{"prepared":240,"raw":241,"locations":242},24,16,[243,246,248,250,252,255,257,259,261,263,265,267,269,271,273,275],{"file":136,"line":244,"context":245},118,"$wpdb->get_var() with variable interpolation",{"file":136,"line":247,"context":245},141,{"file":136,"line":249,"context":245},525,{"file":136,"line":251,"context":245},584,{"file":136,"line":253,"context":254},585,"$wpdb->get_results() with variable interpolation",{"file":136,"line":256,"context":245},588,{"file":136,"line":258,"context":254},589,{"file":136,"line":260,"context":245},605,{"file":136,"line":262,"context":254},619,{"file":136,"line":264,"context":245},743,{"file":136,"line":266,"context":254},744,{"file":136,"line":268,"context":254},807,{"file":136,"line":270,"context":245},808,{"file":136,"line":272,"context":254},930,{"file":136,"line":274,"context":245},931,{"file":136,"line":276,"context":245},1313,{"escaped":278,"rawEcho":279,"locations":280},130,81,[281,284,286,288,290,292,294,296,298,300,302,304,306,308,310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,418,419,421,423,425,427,429,431,433,435,437,439,441],{"file":136,"line":282,"context":283},473,"raw 
output",{"file":136,"line":285,"context":283},564,{"file":136,"line":287,"context":283},574,{"file":136,"line":289,"context":283},595,{"file":136,"line":291,"context":283},611,{"file":136,"line":293,"context":283},614,{"file":136,"line":295,"context":283},649,{"file":136,"line":297,"context":283},651,{"file":136,"line":299,"context":283},689,{"file":136,"line":301,"context":283},711,{"file":136,"line":303,"context":283},719,{"file":136,"line":305,"context":283},720,{"file":136,"line":307,"context":283},728,{"file":136,"line":309,"context":283},747,{"file":136,"line":311,"context":283},748,{"file":136,"line":313,"context":283},815,{"file":136,"line":315,"context":283},817,{"file":136,"line":317,"context":283},879,{"file":136,"line":319,"context":283},935,{"file":136,"line":321,"context":283},938,{"file":136,"line":323,"context":283},940,{"file":136,"line":325,"context":283},976,{"file":136,"line":327,"context":283},978,{"file":136,"line":329,"context":283},980,{"file":136,"line":331,"context":283},983,{"file":136,"line":333,"context":283},984,{"file":136,"line":335,"context":283},985,{"file":136,"line":337,"context":283},986,{"file":136,"line":339,"context":283},987,{"file":136,"line":341,"context":283},988,{"file":136,"line":343,"context":283},989,{"file":136,"line":345,"context":283},990,{"file":136,"line":347,"context":283},991,{"file":136,"line":349,"context":283},992,{"file":136,"line":351,"context":283},997,{"file":136,"line":353,"context":283},1000,{"file":136,"line":355,"context":283},1001,{"file":136,"line":357,"context":283},1002,{"file":136,"line":359,"context":283},1009,{"file":136,"line":361,"context":283},1014,{"file":136,"line":363,"context":283},1017,{"file":136,"line":365,"context":283},1021,{"file":136,"line":367,"context":283},1024,{"file":136,"line":369,"context":283},1028,{"file":136,"line":371,"context":283},1031,{"file":136,"line":373,"context":283},1034,{"file":136,"line":375,"context":283},1038,{"file":136,"line":377,"context":283},1041,{"fil
e":136,"line":379,"context":283},1045,{"file":136,"line":381,"context":283},1049,{"file":136,"line":383,"context":283},1051,{"file":136,"line":385,"context":283},1054,{"file":136,"line":387,"context":283},1059,{"file":136,"line":389,"context":283},1062,{"file":136,"line":391,"context":283},1064,{"file":136,"line":393,"context":283},1068,{"file":136,"line":395,"context":283},1071,{"file":136,"line":397,"context":283},1074,{"file":136,"line":399,"context":283},1076,{"file":136,"line":401,"context":283},1080,{"file":136,"line":403,"context":283},1083,{"file":136,"line":405,"context":283},1086,{"file":136,"line":407,"context":283},1088,{"file":136,"line":409,"context":283},1092,{"file":136,"line":411,"context":283},1095,{"file":136,"line":413,"context":283},1097,{"file":136,"line":415,"context":283},1101,{"file":136,"line":417,"context":283},1104,{"file":136,"line":417,"context":283},{"file":136,"line":420,"context":283},1108,{"file":136,"line":422,"context":283},1111,{"file":136,"line":424,"context":283},1116,{"file":136,"line":426,"context":283},1119,{"file":136,"line":428,"context":283},1124,{"file":136,"line":430,"context":283},1127,{"file":136,"line":432,"context":283},1129,{"file":136,"line":434,"context":283},1133,{"file":136,"line":436,"context":283},1136,{"file":136,"line":438,"context":283},1139,{"file":136,"line":440,"context":283},1145,{"file":136,"line":442,"context":283},1238,3,[],[446,463,517,528],{"entryPoint":447,"graph":448,"unsanitizedCount":31,"severity":462},"esherpa_render_guard_message_direct (esherpa-login-guard.php:1203)",{"nodes":449,"edges":460},[450,455],{"id":451,"type":452,"label":453,"file":136,"line":454},"n0","source","$_SERVER",1204,{"id":456,"type":457,"label":458,"file":136,"line":442,"wp_function":459},"n1","sink","echo() [XSS]","echo",[461],{"from":451,"to":456,"sanitized":227},"medium",{"entryPoint":464,"graph":465,"unsanitizedCount":11,"severity":516},"esherpa_login_guard_admin_page 
(esherpa-login-guard.php:517)",{"nodes":466,"edges":509},[467,470,474,478,480,484,489,491,496,500,503,507],{"id":451,"type":452,"label":468,"file":136,"line":469},"$_POST (x5)",532,{"id":456,"type":457,"label":471,"file":136,"line":472,"wp_function":473},"update_option() [Settings Manipulation]",534,"update_option",{"id":475,"type":452,"label":476,"file":136,"line":477},"n2","$_POST['cleanup_days']",540,{"id":479,"type":457,"label":471,"file":136,"line":477,"wp_function":473},"n3",{"id":481,"type":452,"label":482,"file":136,"line":483},"n4","$_GET (x4)",778,{"id":485,"type":457,"label":486,"file":136,"line":487,"wp_function":488},"n5","get_results() [SQLi]",783,"get_results",{"id":490,"type":452,"label":482,"file":136,"line":483},"n6",{"id":492,"type":457,"label":493,"file":136,"line":494,"wp_function":495},"n7","get_var() [SQLi]",787,"get_var",{"id":497,"type":452,"label":498,"file":136,"line":499},"n8","$_GET (x2)",779,{"id":501,"type":457,"label":458,"file":136,"line":502,"wp_function":459},"n9",812,{"id":504,"type":452,"label":505,"file":136,"line":506},"n10","$_POST (x2)",570,{"id":508,"type":457,"label":458,"file":136,"line":317,"wp_function":459},"n11",[510,511,512,513,514,515],{"from":451,"to":456,"sanitized":228},{"from":475,"to":479,"sanitized":228},{"from":481,"to":485,"sanitized":228},{"from":490,"to":492,"sanitized":228},{"from":497,"to":501,"sanitized":228},{"from":504,"to":508,"sanitized":228},"low",{"entryPoint":518,"graph":519,"unsanitizedCount":11,"severity":516},"esherpa_guard_check_new_failed (esherpa-login-guard.php:1789)",{"nodes":520,"edges":526},[521,524],{"id":451,"type":452,"label":522,"file":136,"line":523},"$_POST",1798,{"id":456,"type":457,"label":486,"file":136,"line":525,"wp_function":488},1799,[527],{"from":451,"to":456,"sanitized":228},{"entryPoint":529,"graph":530,"unsanitizedCount":11,"severity":516},"\u003Cesherpa-login-guard> 
(esherpa-login-guard.php:0)",{"nodes":531,"edges":552},[532,533,534,535,536,537,538,539,540,541,542,543,544,546,548,550],{"id":451,"type":452,"label":468,"file":136,"line":469},{"id":456,"type":457,"label":471,"file":136,"line":472,"wp_function":473},{"id":475,"type":452,"label":476,"file":136,"line":477},{"id":479,"type":457,"label":471,"file":136,"line":477,"wp_function":473},{"id":481,"type":452,"label":482,"file":136,"line":483},{"id":485,"type":457,"label":486,"file":136,"line":487,"wp_function":488},{"id":490,"type":452,"label":482,"file":136,"line":483},{"id":492,"type":457,"label":493,"file":136,"line":494,"wp_function":495},{"id":497,"type":452,"label":498,"file":136,"line":499},{"id":501,"type":457,"label":458,"file":136,"line":502,"wp_function":459},{"id":504,"type":452,"label":505,"file":136,"line":506},{"id":508,"type":457,"label":458,"file":136,"line":317,"wp_function":459},{"id":545,"type":452,"label":453,"file":136,"line":454},"n12",{"id":547,"type":457,"label":458,"file":136,"line":442,"wp_function":459},"n13",{"id":549,"type":452,"label":522,"file":136,"line":523},"n14",{"id":551,"type":457,"label":486,"file":136,"line":525,"wp_function":488},"n15",[553,554,555,556,557,558,559,560],{"from":451,"to":456,"sanitized":228},{"from":475,"to":479,"sanitized":228},{"from":481,"to":485,"sanitized":228},{"from":490,"to":492,"sanitized":228},{"from":497,"to":501,"sanitized":228},{"from":504,"to":508,"sanitized":228},{"from":545,"to":547,"sanitized":228},{"from":549,"to":551,"sanitized":228},{"summary":562,"deductions":563},"The \"esherpa-login-guard\" plugin v3.0.0 exhibits a generally good security posture with several positive indicators. The absence of known CVEs and a history of vulnerabilities is a strong sign of diligent maintenance and secure development. Static analysis reveals a limited attack surface, with no exposed REST API routes or shortcodes, and the single AJAX handler appears to be protected by an authentication check. 
The presence of nonce checks and capability checks further strengthens its security defenses.\n\nHowever, there are areas for improvement. The plugin utilizes raw SQL queries for 40% of its database interactions, which presents a potential risk of SQL injection if input is not meticulously sanitized. While the taint analysis did not reveal critical or high severity flows, one unsanitized path was identified, which warrants attention. Additionally, only 62% of outputs are properly escaped, leaving room for potential cross-site scripting (XSS) vulnerabilities. The single file operation should also be carefully reviewed to ensure it's not being used in a way that could lead to arbitrary file access or modification.\n\nIn conclusion, \"esherpa-login-guard\" v3.0.0 is a relatively secure plugin with a clean vulnerability history and a well-controlled attack surface. The primary concerns revolve around the unescaped outputs and the SQL queries that do not use prepared statements, along with the single identified unsanitized flow. 
Addressing these specific points would elevate the plugin's security to an even higher standard.",[564,566,569],{"reason":565,"points":82},"SQL queries not using prepared statements",{"reason":567,"points":568},"Output escaping not properly handled",6,{"reason":570,"points":141},"Flows with unsanitized paths","2026-03-17T06:18:45.208Z",{"wat":573,"direct":582},{"assetPaths":574,"generatorPatterns":577,"scriptPaths":578,"versionParams":579},[575,576],"\u002Fwp-content\u002Fplugins\u002Fesherpa-login-guard\u002Fcss\u002Fadmin-style.css","\u002Fwp-content\u002Fplugins\u002Fesherpa-login-guard\u002Fjs\u002Fadmin-script.js",[],[576],[580,581],"esherpa-login-guard\u002Fcss\u002Fadmin-style.css?ver=","esherpa-login-guard\u002Fjs\u002Fadmin-script.js?ver=",{"cssClasses":583,"htmlComments":591,"htmlAttributes":598,"restEndpoints":602,"jsGlobals":603,"shortcodeOutput":605},[584,585,586,587,588,589,590],"esherpa-login-guard-page","esherpa-login-guard-admin-wrap","esherpa-login-guard-message-success","esherpa-login-guard-message-error","esherpa-login-guard-stats-table","esherpa-login-guard-stats-table th","esherpa-login-guard-stats-table td",[592,593,594,595,596,597],"\u003C!-- esherpa_login_guard_admin_page -->","\u003C!-- esherpa_login_guard_message_container -->","\u003C!-- esherpa_login_guard_stats_container -->","\u003C!-- esherpa_login_guard_settings_form -->","\u003C!-- esherpa_login_guard_table_header -->","\u003C!-- esherpa_login_guard_table_row -->",[599,600,601],"data-esherpa-login-guard-action","data-esherpa-login-guard-nonce","data-esherpa-login-guard-id",[],[604],"window.esherpa_login_guard_ajax_object",[]]