ForceField Security & Risk Analysis

wordpress.org/plugins/forcefield

Strong and Flexible Access, User Action, API, Behavioural and Role Protection

10 active installs · v1.0.9 · PHP + WP 4.0.0+ · Updated Jun 23, 2025
Tags: admin-protect, api-access, bot-protect, login-protect, xml-rpc
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ForceField Safe to Use in 2026?

Generally Safe

Score 100/100

ForceField has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9mo ago
Risk Assessment

The "forcefield" plugin v1.0.9 presents a mixed security posture. On the positive side, the plugin demonstrates strong practices in output escaping, with 100% of its numerous outputs properly escaped. It also shows a good adherence to using prepared statements for SQL queries, with 92% of its 26 queries utilizing this secure method. The absence of known historical vulnerabilities and unpatched CVEs is a significant strength, suggesting a relatively stable and well-maintained codebase regarding past security issues. Furthermore, a good number of capability checks are in place, indicating an effort to restrict access to certain functionalities.

However, significant concerns arise from the attack surface. The plugin exposes 17 AJAX handlers, a considerable number, with a striking 15 of them lacking any authentication checks. This directly translates to a high risk of unauthorized access and potential manipulation of plugin functionalities. The taint analysis also flags a critical issue with one high-severity flow exhibiting unsanitized paths, which could lead to security vulnerabilities if not addressed. While no dangerous functions or raw SQL queries were identified, and file operations and external HTTP requests appear to be within reasonable limits, the high number of unprotected AJAX endpoints and the critical taint flow represent immediate and pressing security risks that outweigh the plugin's positive attributes in terms of output and query security.

Key Concerns

  • 15 unprotected AJAX handlers
  • 1 critical severity taint flow
  • Bundled Freemius v1.0 library
Vulnerabilities
None known

ForceField Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ForceField Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (24 prepared)
Unescaped Output: 0 (1067 escaped)
Nonce Checks: 7
Capability Checks: 19
File Operations: 7
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

92% prepared, 26 total queries

Output Escaping

100% escaped, 1067 total outputs
Data Flows
11 unsanitized

Data Flow Analysis

16 flows, 11 with unsanitized paths
forcefield_output_token (forcefield-auth.php:479)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
15 unprotected

ForceField Attack Surface

Entry Points: 17
Unprotected: 15

AJAX Handlers 17

Access  Hook  Location
nopriv  wp_ajax_forcefield_login  forcefield-auth.php:462
nopriv  wp_ajax_forcefield_register  forcefield-auth.php:463
nopriv  wp_ajax_forcefield_signup  forcefield-auth.php:464
auth  wp_ajax_forcefield_signup  forcefield-auth.php:465
nopriv  wp_ajax_forcefield_lostpass  forcefield-auth.php:466
nopriv  wp_ajax_forcefield_postpass  forcefield-auth.php:467
auth  wp_ajax_forcefield_postpass  forcefield-auth.php:468
nopriv  wp_ajax_forcefield_comment  forcefield-auth.php:469
auth  wp_ajax_forcefield_comment  forcefield-auth.php:470
nopriv  wp_ajax_forcefield_buddypress  forcefield-auth.php:471
nopriv  wp_ajax_forcefield_unblock  forcefield-auth.php:472
auth  wp_ajax_forcefield_unblock  forcefield-auth.php:473
auth  wp_ajax_forcefield_unblock_ip  forcefield-block.php:621
auth  wp_ajax_forcefield_blocklist_clear  forcefield-block.php:689
auth  wp_ajax_wqhelper_reminder_dismiss  wordquest.php:394
auth  wp_ajax_wqhelper_load_feed_cat  wordquest.php:406
auth  wp_ajax_wqhelper_update_sidebar_boxes  wordquest.php:419

WordPress Hooks 71

Type  Hook  Location
filter  wp_is_application_passwords_available  forcefield-apis.php:36
filter  xmlrpc_methods  forcefield-apis.php:65
filter  xmlrpc_enabled  forcefield-apis.php:79
filter  xmlrpc_login_error  forcefield-apis.php:92
action  plugins_loaded  forcefield-apis.php:124
filter  xmlrpc_methods  forcefield-apis.php:137
filter  wp_headers  forcefield-apis.php:155
action  pre_ping  forcefield-apis.php:167
filter  xmlrpc_allow_anonymous_comments  forcefield-apis.php:187
filter  rest_authentication_errors  forcefield-apis.php:210
filter  rest_authentication_errors  forcefield-apis.php:296
action  plugins_loaded  forcefield-apis.php:328
filter  rest_jsonp_enabled  forcefield-apis.php:341
filter  rest_endpoints  forcefield-apis.php:366
filter  rest_allow_anonymous_comments  forcefield-apis.php:382
filter  wp_mail_from_name  forcefield-auth.php:118
action  init  forcefield-auth.php:183
filter  wp_mail_from_name  forcefield-auth.php:254
action  login_form  forcefield-auth.php:382
action  register_form  forcefield-auth.php:383
action  signup_extra_fields  forcefield-auth.php:384
action  signup_blogform  forcefield-auth.php:385
action  lostpassword_form  forcefield-auth.php:386
action  comment_form  forcefield-auth.php:387
filter  the_password_form  forcefield-auth.php:404
action  bp_after_account_details_fields  forcefield-auth.php:416
filter  authenticate  forcefield-auth.php:645
filter  xmlrpc_login_error  forcefield-auth.php:680
filter  xmlrpc_login_error  forcefield-auth.php:689
filter  xmlrpc_login_error  forcefield-auth.php:715
filter  authenticate  forcefield-auth.php:757
filter  secure_auth_redirect  forcefield-auth.php:835
filter  register_post  forcefield-auth.php:988
filter  wpmu_validate_user_signup  forcefield-auth.php:1167
action  allow_password_reset  forcefield-auth.php:1342
action  login_form_postpass  forcefield-auth.php:1518
filter  preprocess_comment  forcefield-auth.php:1689
action  bp_signup_validate  forcefield-auth.php:1864
action  plugins_loaded  forcefield-block.php:119
action  plugins_loaded  forcefield-block.php:795
action  plugins_loaded  forcefield-block.php:824
action  init  forcefield-block.php:986
filter  forcefield_admin_menu_added  forcefield.php:87
action  admin_footer  forcefield.php:116
action  forcefield_add_settings  forcefield.php:139
action  forcefield_loader_helpers  forcefield.php:161
filter  forcefield_options  forcefield.php:671
action  admin_notices  forcefield.php:777
action  admin_notices  forcefield.php:781
filter  login_errors  forcefield.php:1242
filter  cron_schedules  forcefield.php:1280
action  admin_init  loader.php:1330
action  admin_init  loader.php:1331
action  admin_menu  loader.php:1334
filter  plugin_action_links  loader.php:1337
action  admin_enqueue_scripts  loader.php:1343
action  admin_enqueue_scripts  loader.php:1345
action  plugins_loaded  loader.php:1353
action  admin_init  loader.php:1585
filter  connect_message  loader.php:1708
action  all_admin_notices  loader.php:1863
action  plugins_loaded  loader.php:3368
action  admin_init  wordquest.php:93
action  admin_footer  wordquest.php:363
action  admin_footer  wordquest.php:376
action  admin_notices  wordquest.php:605
action  admin_footer  wordquest.php:1679
action  update-custom_wordquest_plugin_install  wordquest.php:1739
action  wp_dashboard_setup  wordquest.php:3121
action  admin_footer  wordquest.php:3159
filter  wp_feed_cache_transient_lifetime  wordquest.php:3655

Scheduled Events 1

forcefield_blocklist_table_cleanup
Maintenance & Trust

ForceField Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 23, 2025
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

ForceField Developer Profile

Tony Hayes

5 plugins · 250 total installs

Trust score: 85
Avg Security Score: 87/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ForceField

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints
