WP-Safety

Iron Security – WordPress Security Plugin Security & Risk Analysis

wordpress.org/plugins/iron-security

Hardening tool that blocks hackers and protect against: Brute Force Attacks, Exploits, Injections, Clickjacking and other important functionalities.

40 active installs v2.5.3 PHP 7.4+ WP 4.7+ Updated Jul 23, 2025
2fafirewallloginmalwaresecurity
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Iron Security – WordPress Security Plugin Safe to Use in 2026?

Generally Safe

Score 100/100

Iron Security – WordPress Security Plugin has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8mo ago
Risk Assessment

The "iron-security" v2.5.3 plugin exhibits a concerning security posture primarily due to its extensive unprotected attack surface. All 35 identified AJAX handlers lack authentication checks, presenting a significant risk of unauthorized actions or data manipulation if these handlers are exploitable. While the code signals indicate good practices in SQL query preparation (67% prepared) and output escaping (86% properly escaped), and no critical taint flows were detected, the absence of authorization on such a large number of entry points is a critical weakness. The plugin's vulnerability history is clean, with no recorded CVEs, which is a positive sign of its general development quality. However, this clean history does not mitigate the immediate risks identified in the static analysis. The plugin has strengths in its code sanitization and data handling, but the fundamental flaw of exposed AJAX endpoints overshadows these positives, demanding immediate attention to secure these entry points.

Key Concerns

  • 35 unprotected AJAX handlers
  • Bundled Freemius v1.0 library
Vulnerabilities
None known

Iron Security – WordPress Security Plugin Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Iron Security – WordPress Security Plugin Code Analysis

Dangerous Functions
0
Raw SQL Queries
14
28 prepared
Unescaped Output
23
138 escaped
Nonce Checks
42
Capability Checks
34
File Operations
6
External Requests
2
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

67% prepared42 total queries

Output Escaping

86% escaped161 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flows
<two-factor-auth> (public\templates\two-factor-auth.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
35 unprotected

Iron Security – WordPress Security Plugin Attack Surface

Entry Points35
Unprotected35

AJAX Handlers 35

authwp_ajax_iron_security_verify_2fa_codeincludes\class-iron-security.php:108
authwp_ajax_iron_security_verify_2fa_setupincludes\class-iron-security.php:111
authwp_ajax_iron_security_save_2fa_settingsincludes\class-iron-security.php:114
authwp_ajax_iron_security_toggle_2faincludes\class-iron-security.php:117
authwp_ajax_iron_security_save_2fa_settings_loginlogoutincludes\class-iron-security.php:118
noprivwp_ajax_iron_security_check_2fa_requiredincludes\class-iron-security.php:121
authwp_ajax_iron_security_toggle_xmlrpcincludes\class-iron-security.php:170
authwp_ajax_iron_security_toggle_wp_versionincludes\class-iron-security.php:173
authwp_ajax_iron_security_toggle_security_headersincludes\class-iron-security.php:176
authwp_ajax_iron_security_toggle_direct_accessincludes\class-iron-security.php:181
authwp_ajax_iron_security_toggle_php_uploadsincludes\class-iron-security.php:184
authwp_ajax_iron_security_toggle_file_editorincludes\class-iron-security.php:189
authwp_ajax_iron_security_toggle_rest_apiincludes\class-iron-security.php:192
authwp_ajax_iron_security_toggle_plugin_autoupdateincludes\class-iron-security.php:195
authwp_ajax_iron_security_toggle_core_autoupdateincludes\class-iron-security.php:198
authwp_ajax_iron_security_toggle_custom_urlincludes\class-iron-security.php:203
authwp_ajax_iron_security_save_custom_urlincludes\class-iron-security.php:206
authwp_ajax_iron_security_toggle_session_timeoutincludes\class-iron-security.php:211
authwp_ajax_iron_security_save_session_timeoutincludes\class-iron-security.php:214
authwp_ajax_iron_security_toggle_limit_loginincludes\class-iron-security.php:219
authwp_ajax_iron_security_save_limit_loginincludes\class-iron-security.php:222
authwp_ajax_iron_security_toggle_limit_adminsincludes\class-iron-security.php:227
authwp_ajax_iron_security_save_limit_adminsincludes\class-iron-security.php:230
authwp_ajax_iron_security_toggle_admin_id_protectionincludes\class-iron-security.php:235
authwp_ajax_iron_security_toggle_change_admin_usernameincludes\class-iron-security.php:239
authwp_ajax_iron_security_save_change_admin_usernameincludes\class-iron-security.php:242
authwp_ajax_iron_security_toggle_user_enumincludes\class-iron-security.php:262
authwp_ajax_iron_security_save_user_enum_messageincludes\class-iron-security.php:265
authwp_ajax_iron_security_get_admin_infoincludes\class-iron-security.php:284
authwp_ajax_iron_security_extend_sessionincludes\class-iron-security.php:286
authwp_ajax_iron_security_get_logsincludes\class-iron-security.php:288
authwp_ajax_iron_security_clear_logsincludes\class-iron-security.php:289
authwp_ajax_iron_security_get_settingsincludes\class-iron-security.php:291
authwp_ajax_iron_security_toggle_ai_bot_blockingincludes\class-iron-security.php:292
authwp_ajax_iron_security_get_system_infoincludes\class-iron-security.php:295
WordPress Hooks 76
filterauto_update_pluginadmin\classes\general-security.php:282
filterauto_update_pluginadmin\classes\general-security.php:284
filterallow_major_auto_core_updatesadmin\classes\general-security.php:320
filterallow_minor_auto_core_updatesadmin\classes\general-security.php:321
filterauto_update_coreadmin\classes\general-security.php:322
filterauto_update_translationadmin\classes\general-security.php:323
filterallow_major_auto_core_updatesadmin\classes\general-security.php:328
filterallow_minor_auto_core_updatesadmin\classes\general-security.php:329
filterauto_update_coreadmin\classes\general-security.php:330
filterauto_update_translationadmin\classes\general-security.php:331
actionlogin_initadmin\classes\login-logout-functionality.php:156
actionlogin_formadmin\classes\login-logout-functionality.php:163
actionadmin_initadmin\classes\login-logout-functionality.php:167
filterlogin_messageadmin\classes\login-logout-functionality.php:174
filterrest_endpointsadmin\classes\login-logout-functionality.php:592
actionadmin_noticesadmin\classes\login-logout-functionality.php:1095
actionset_user_roleadmin\classes\login-logout-functionality.php:1107
actionshow_user_profileadmin\classes\WpironTwoFactorAuth.php:408
actionuser_profile_update_errorsadmin\classes\WpironTwoFactorAuth.php:450
actionplugins_loadedincludes\class-iron-security.php:71
actioninitincludes\class-iron-security.php:98
actioninitincludes\class-iron-security.php:100
actionlogin_formincludes\class-iron-security.php:101
actionwp_loginincludes\class-iron-security.php:102
actionadmin_noticesincludes\class-iron-security.php:103
actionshow_user_profileincludes\class-iron-security.php:104
actionedit_user_profileincludes\class-iron-security.php:105
actionpersonal_options_updateincludes\class-iron-security.php:106
actionedit_user_profile_updateincludes\class-iron-security.php:107
actionadmin_initincludes\class-iron-security.php:124
actionwp_logoutincludes\class-iron-security.php:125
filterplugin_action_links_iron-security/iron-security.phpincludes\class-iron-security.php:127
actionactivated_pluginincludes\class-iron-security.php:133
actiondeactivated_pluginincludes\class-iron-security.php:134
actiondeleted_pluginincludes\class-iron-security.php:135
actionadmin_enqueue_scriptsincludes\class-iron-security.php:137
actionadmin_enqueue_scriptsincludes\class-iron-security.php:138
actionadmin_menuincludes\class-iron-security.php:139
actioninitincludes\class-iron-security.php:141
actionlogin_initincludes\class-iron-security.php:142
actiontemplate_redirectincludes\class-iron-security.php:144
actionparse_requestincludes\class-iron-security.php:145
actioninitincludes\class-iron-security.php:146
filterlogin_urlincludes\class-iron-security.php:147
filtersite_urlincludes\class-iron-security.php:148
filterquery_varsincludes\class-iron-security.php:149
filterauth_cookie_expirationincludes\class-iron-security.php:151
actionwp_login_failedincludes\class-iron-security.php:152
actionwp_loginincludes\class-iron-security.php:153
filterauthenticateincludes\class-iron-security.php:154
actionlogin_formincludes\class-iron-security.php:155
actionupdate_option_wpironis_plugin_settings_generalincludes\class-iron-security.php:161
filterupload_mimesincludes\class-iron-security.php:166
filterwp_handle_upload_prefilterincludes\class-iron-security.php:167
actionset_user_roleincludes\class-iron-security.php:246
actionuser_registerincludes\class-iron-security.php:252
actioninitincludes\class-iron-security.php:259
filterlogin_errorsincludes\class-iron-security.php:260
filterallow_major_auto_core_updatesincludes\class-iron-security.php:273
filterallow_minor_auto_core_updatesincludes\class-iron-security.php:274
filterauto_update_coreincludes\class-iron-security.php:275
filterauto_update_translationincludes\class-iron-security.php:276
filterallow_major_auto_core_updatesincludes\class-iron-security.php:278
filterallow_minor_auto_core_updatesincludes\class-iron-security.php:279
filterauto_update_coreincludes\class-iron-security.php:280
filterauto_update_translationincludes\class-iron-security.php:281
actionwp_logoutincludes\class-iron-security.php:290
actionwp_enqueue_scriptsincludes\class-iron-security.php:301
actionwp_enqueue_scriptsincludes\class-iron-security.php:302
filterxmlrpc_enabledincludes\class-iron-security.php:303
actioninitincludes\class-iron-security.php:304
filterrest_authentication_errorsincludes\class-iron-security.php:305
filterrest_endpointsincludes\class-iron-security.php:306
filterthe_generatorpublic\class-iron-security-public.php:51
filterstyle_loader_srcpublic\class-iron-security-public.php:52
filterscript_loader_srcpublic\class-iron-security-public.php:53
Maintenance & Trust

Iron Security – WordPress Security Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedJul 23, 2025
PHP min version7.4
Downloads4K

Community Trust

Rating100/100
Number of ratings1
Active installs40
Alternatives

Iron Security – WordPress Security Plugin Alternatives

ArkHost Security Pack

ArkHost Security Pack

arkhost-security-pack

A
100

WordPress security without the nonsense. No upsells, no premium tier, no fake threat counters.

0 No CVEs
Wordfence Security – Firewall, Malware Scan, and Login Security

Wordfence Security – Firewall, Malware Scan, and Login Security

wordfence

A
96

Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.

5.0M 12 CVEs
Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

A
98

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs
All-In-One Security (AIOS) – Security and Firewall

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

A
93

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs
Security Optimizer – The All-In-One Protection Plugin

Security Optimizer – The All-In-One Protection Plugin

sg-security

A
86

Secure your WordPress site from brute-force attacks, threats, malware, and bots. Free to use and easy to set up.

1.0M 5 CVEs
Developer Profile

Iron Security – WordPress Security Plugin Developer Profile

WpIron

4 plugins · 490 total installs

93
trust score
Avg Security Score
98/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Iron Security – WordPress Security Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/iron-security/admin/css/admin.css/wp-content/plugins/iron-security/admin/css/dashboard.css/wp-content/plugins/iron-security/admin/css/transitions.css/wp-content/plugins/iron-security/admin/js/iron-security-admin.js/wp-content/plugins/iron-security/admin/js/session-timeout.js/wp-content/plugins/iron-security/admin/js/iron-security-2fa-admin.js/wp-content/plugins/iron-security/admin/css/iron-security-2fa.css/wp-content/plugins/iron-security/admin/js/iron-security-2fa-login.js
Script Paths
/wp-content/plugins/iron-security/admin/js/iron-security-admin.js/wp-content/plugins/iron-security/admin/js/session-timeout.js/wp-content/plugins/iron-security/admin/js/iron-security-2fa-admin.js/wp-content/plugins/iron-security/admin/js/iron-security-2fa-login.js
Version Parameters
iron-security/css/admin.css?v=iron-security/css/dashboard.css?v=iron-security/css/transitions.css?v=iron-security-admin.js?v=session-timeout.js?v=iron-security-2fa-admin.js?v=1.0.0iron-security-2fa.css?v=1.0.0iron-security-2fa-login.js?v=1.0.0

HTML / DOM Fingerprints

CSS Classes
wpironis-plugin
Data Attributes
data-nonce="iron_security_session_nonce"data-nonce="iron_security_2fa_ajax"data-nonce="iron_security_nonce"
JS Globals
ironSecurityTimeoutironSecurity2FAironSecuritySettings
FAQ

Frequently Asked Questions about Iron Security – WordPress Security Plugin