[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_uG1DpSlakd9C9cmK0OIemAUrHPmAOvQL5H_ioxcX_U":3,"$flNG_eXVclOGJJ6d-dmotOrQyyY5Hy8kxfYnsQeZOj_U":196,"$fzi4IMO0_Hky40YVZuN0_ipEazw0j5KVnpyXOpjYy1Y8":201},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":38,"analysis":125,"fingerprints":180},"login-gatekeeper","Login Gatekeeper","1.0.0","learnhowwp","https:\u002F\u002Fprofiles.wordpress.org\u002Fthemeythemes\u002F","\u003Cp>Login Gatekeeper adds an extra layer of security to your WordPress login page by requiring a custom key and value in the login URL (e.g. \u003Ccode>\u002Fwp-login.php?secret=myvalue\u003C\u002Fcode>). You can restrict which user roles require the key, helping to prevent brute force and bot login attempts.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Stealth Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\nThe plugin does not modify the appearance or behavior of the default WordPress login page. Anyone accessing the login page without the correct secret and value will see the standard WordPress error message, even if they enter the correct username and password. This means attackers cannot detect that extra protection is in place.\u003C\u002Fp>\n\u003Cp>Easily configure your login key, value, and restricted roles from the WordPress admin settings page. The plugin also includes a risk confirmation step to prevent accidental lockout.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Lost your secret or value?\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you forget your login key or value, you can use the default WordPress “Lost your password?” feature. The secret key and value will be included in the password reset email, allowing you to regain access without needing to disable the plugin.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Require a custom key\u002Fvalue in the login URL\u003C\u002Fli>\n\u003Cli>Restrict login by user role\u003C\u002Fli>\n\u003Cli>Easy-to-use settings page\u003C\u002Fli>\n\u003Cli>Prevents brute force and bot login attempts\u003C\u002Fli>\n\u003Cli>No visible changes to the login page for added stealth\u003C\u002Fli>\n\u003Cli>Secret and value included in password reset email if forgotten\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Check Out Our Other Plugins\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-db-divi\u002F\" rel=\"ugc\">Divi Contact Form DB\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Foverlay-image-divi-module\u002F\" rel=\"ugc\">Divi Overlay on Images Module\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fpost-carousel-divi\u002F\" rel=\"ugc\">Divi Post Carousel Module\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmenu-cart-divi\u002F\" rel=\"ugc\">Divi Menu Cart Module\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fflip-cards-module-divi\u002F\" rel=\"ugc\">Divi Flip Cards Module\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fimage-carousel-divi\u002F\" rel=\"ugc\">Divi Image Carousel\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbreadcrumbs-divi-module\u002F\" rel=\"ugc\">Divi Breadcrumbs Module\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Protect your login page by requiring a secret key and value in the login URL.",0,216,"2025-08-16T17:52:00.000Z","6.8.5","5.0","7.0",[18,19,20,21,22],"brute-force","login","login-protection","security","user-roles","https:\u002F\u002Flearnhowwp.com\u002Flogin-gatekeeper","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-gatekeeper.1.0.0.zip",100,null,"2026-03-15T15:16:48.613Z","no_bundle",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"themeythemes",9,31050,96,30,91,"2026-05-19T21:40:05.009Z",[39,59,79,96,111],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":11,"num_ratings":11,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":52,"tags":53,"homepage":56,"download_link":57,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":58},"security-hardener","Security Hardener","2.2.0","Marc Armengou","https:\u002F\u002Fprofiles.wordpress.org\u002Fmarc4\u002F","\u003Cp>\u003Cstrong>Security Hardener\u003C\u002Fstrong> applies WordPress security best practices based on the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fhardening\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration \u002F Security \u002F Hardening\u003C\u002Fa> documentation and widely accepted hardening measures. It uses WordPress core functions and follows best practices without modifying core files.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>File Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable file editor in WordPress admin\u003Cbr \u002F>\n* Optionally disable all file modifications (blocks updates – use with caution)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>XML-RPC Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable XML-RPC completely (enabled by default)\u003Cbr \u002F>\n* Remove pingback methods when XML-RPC is enabled\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Pingback Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable self-pingbacks\u003Cbr \u002F>\n* Remove X-Pingback header\u003Cbr \u002F>\n* Block incoming pingbacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Enumeration Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Block \u003Ccode>\u002F?author=N\u003C\u002Fcode> queries (returns 404)\u003Cbr \u002F>\n* Secure REST API user endpoints (require authentication)\u003Cbr \u002F>\n* Remove users from XML sitemaps\u003Cbr \u002F>\n* Prevent canonical redirects that expose usernames\u003Cbr \u002F>\n* Optionally block author feed pages (\u003Ccode>\u002Fauthor\u002Fusername\u002Ffeed\u002F\u003C\u002Fcode>)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generic error messages (no username\u002Fpassword hints)\u003Cbr \u002F>\n* Login honeypot — silently blocks bots before any credential check\u003Cbr \u002F>\n* IP-based rate limiting with configurable thresholds\u003Cbr \u002F>\n* Security event logging (last 100 events)\u003Cbr \u002F>\n* Automatic blocking after failed attempts\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Ccode>X-Frame-Options: SAMEORIGIN\u003C\u002Fcode> (clickjacking protection)\u003Cbr \u002F>\n* \u003Ccode>X-Content-Type-Options: nosniff\u003C\u002Fcode> (MIME sniffing protection)\u003Cbr \u002F>\n* \u003Ccode>Referrer-Policy: strict-origin-when-cross-origin\u003C\u002Fcode>\u003Cbr \u002F>\n* \u003Ccode>Permissions-Policy\u003C\u002Fcode> (restricts geolocation, microphone, camera)\u003Cbr \u002F>\n* Optional HSTS (HTTP Strict Transport Security) for HTTPS sites — max-age set to 1 year\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Additional Hardening:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Hide WordPress version (meta generator tag and asset query strings)\u003Cbr \u002F>\n* Remove obsolete wp_head items (RSD, WLW manifest, shortlink, emoji scripts)\u003Cbr \u002F>\n* Security event logging system\u003Cbr \u002F>\n* Optionally disable Application Passwords for API authentication\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>⚠️ \u003Cstrong>Important:\u003C\u002Fstrong> Always test security settings in a staging environment first. Some features may affect third-party integrations or plugins.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Privacy:\u003C\u002Fstrong> This plugin does not send data to external services and does not create custom database tables. It stores plugin settings and a security event log in the WordPress options table, and uses transients for temporary login attempt tracking. All data is preserved on uninstall by default and only deleted if the “Delete all data on uninstall” option is explicitly enabled.\u003C\u002Fp>\n","Basic hardening: secure headers, login honeypot, user enumeration blocking, generic login errors, rate limiting, and more.",200,990,"2026-04-02T19:24:00.000Z","6.9.4","6.9","8.2",[18,54,55,20,21],"hardening","headers","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-hardener\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-hardener.2.2.0.zip","2026-04-16T10:56:18.058Z",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":11,"num_ratings":11,"last_updated":69,"tested_up_to":70,"requires_at_least":71,"requires_php":72,"tags":73,"homepage":76,"download_link":77,"security_score":78,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":58},"anti-brute-force-login-fraud-detector","Anti-Brute Force, Login Fraud Detector WordPress plugin","1.0.3","aispera31","https:\u002F\u002Fprofiles.wordpress.org\u002Faispera31\u002F","\u003Cp>Anti-Brute Force, Login Fraud Detector WordPress plugin is a security plugin that detects and blocks malicious IP addresses attempting to log into WordPress sites with real-time intelligence data from Criminal IP.\u003Cbr \u002F>\nHackers attempting brute-force attacks on WordPress sites do not use normal IP addresses. Rather, they use VPN, Proxy, Tor, Hosting IP, etc. to avoid tracking. Criminal IP is an IP address-based intelligence search engine platform that scans worldwide IP addresses daily and collects such malicious information.\u003Cbr \u002F>\nThe number of detectable login attempts varies depending on the plan being used by the connected Criminal IP account. Users of the Free membership plan can use up to 500 login IP detections per month for free.\u003C\u002Fp>\n\u003Ch4>Block Login IP Address Options\u003C\u002Fh4>\n\u003Cp>VPN IP – When attempting to log in using a VPN\u003Cbr \u002F>\nTor IP – When attempting to log in from a Tor browser\u003Cbr \u002F>\nProxy IP – When attempting to log in using Proxy\u003Cbr \u002F>\nHosting IP – When attempting to log in from the IP address of a hosting server\u003C\u002Fp>\n\u003Ch4>Additional Features\u003C\u002Fh4>\n\u003Cp>Whitelist: Specific IP addresses can be added to the whitelist to allow login.\u003Cbr \u002F>\nLogin Wait Time: Users who are eventually restricted from logging in can try again after the set login wait time.\u003Cbr \u002F>\nBlocked IP List: Allows you to view a list of all IP addresses subject to login restrictions. The items that may be seen are as follows.\u003Cbr \u002F>\nIP address\u003Cbr \u002F>\nGeographic Information (Country)\u003Cbr \u002F>\nReason for Login Restriction (Tor\u002FVPN\u002FProxy\u002FHosting)\u003Cbr \u002F>\nDetected Date and Time\u003C\u002Fp>\n\u003Ch4>Installation\u003C\u002Fh4>\n\u003Cp>Installing the Criminal IP Anti-Brute Force, Login Fraud Detector plug-in is very simple.\u003Cbr \u002F>\n1. Go to the ‘Plugin’ menu on the WordPress dashboard.\u003Cbr \u002F>\n2. Search ‘Criminal IP’ or ‘Criminal IP Brute Force’ in the search window.\u003Cbr \u002F>\n3. Click the ‘Install and activate’ button.\u003Cbr \u002F>\n4. When the plugin is activated, an icon with the Criminal IP logo will be displayed on the WordPress dashboard sidebar. Click the icon to go to the dashboard and click the ‘Issue API Key’ button to go to Criminal IP.\u003Cbr \u002F>\n5. Create a Criminal IP account, log in, and create an API key in My Page.\u003Cbr \u002F>\n6. Copy and paste the issued API key into the ‘Criminal IP API key’ input column on the plugin settings tab.\u003Cbr \u002F>\n7. On the Settings tab, set the login limit target and login wait time. Click ‘Save Changes’ to finish setting up the plugin.\u003Cbr \u002F>\nPlease report any new features or bugs of the plugin through Criminal IP’s Customer Support. You can also contact support@aispera.com.\u003C\u002Fp>\n","Anti-Brute Force, Login Fraud Detector Wordpress plugin is a security plugin that detects and blocks malicious IP addresses attempting to log into Wor &hellip;",40,1684,"2023-10-20T09:40:00.000Z","6.3.8","5.7","5.6",[18,74,75,20,21],"brute-force-protection","limit-login","https:\u002F\u002Fcriminalip.io\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanti-brute-force-login-fraud-detector.1.0.3.zip",85,{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":11,"downloaded":87,"rating":11,"num_ratings":11,"last_updated":88,"tested_up_to":50,"requires_at_least":89,"requires_php":90,"tags":91,"homepage":94,"download_link":95,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"cyber-smart-defence","Cyber Smart Defence","3.1.3","cybersmartempire","https:\u002F\u002Fprofiles.wordpress.org\u002Fcybersmartempire\u002F","\u003Cp>Cyber Smart Defence is a lightweight WordPress security plugin designed to protect your website against unauthorized access, brute-force login attempts, and suspicious request patterns.\u003C\u002Fp>\n\u003Cp>The plugin runs quietly in the background and integrates directly with WordPress. It monitors login activity, blocks abusive behavior, and records security-related events for administrative review.\u003C\u002Fp>\n\u003Cp>No complex configuration is required. Once activated, protection is enabled automatically.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Login attempt monitoring\u003C\u002Fli>\n\u003Cli>Automatic temporary lockout after multiple failed login attempts\u003C\u002Fli>\n\u003Cli>IP-based threat detection\u003C\u002Fli>\n\u003Cli>Firewall protection against common malicious request patterns\u003C\u002Fli>\n\u003Cli>Secure threat logging for administrators\u003C\u002Fli>\n\u003Cli>Lightweight and performance-friendly\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin connects to an external service provided by Cyber Smart Empire to check IP reputation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What data is sent\u003C\u002Fstrong>\u003Cbr \u002F>\n* IP address of the visitor being checked\u003C\u002Fp>\n\u003Cp>\u003Cstrong>When data is sent\u003C\u002Fstrong>\u003Cbr \u002F>\n* Only when an IP reputation check is performed\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service provider\u003C\u002Fstrong>\u003Cbr \u002F>\n* Cyber Smart Empire\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Service URL\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Privacy Policy\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u002Fprivacy\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Terms of Service\u003C\u002Fstrong>\u003Cbr \u002F>\n* https:\u002F\u002Fcybersmartempire.com\u002Fterms\u002F\u003C\u002Fp>\n","Lightweight WordPress security firewall with login protection and threat monitoring.",138,"2025-12-24T16:40:00.000Z","5.5","7.2",[18,92,20,21,93],"firewall","website-security","https:\u002F\u002Fcybersmartempire.com\u002Fcyberdefence\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcyber-smart-defence.zip",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":11,"downloaded":104,"rating":11,"num_ratings":11,"last_updated":105,"tested_up_to":50,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":109,"download_link":110,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":58},"gatorio","Gatorio","1.1","sichtelement","https:\u002F\u002Fprofiles.wordpress.org\u002Fsichtelement\u002F","\u003Cp>Gatorio is a minimal WordPress security plugin that protects login endpoints against brute-force attacks.\u003C\u002Fp>\n\u003Cp>The plugin follows a strict privacy-first and KISS (keep it simple) philosophy.\u003C\u002Fp>\n\u003Cp>No dashboards.\u003Cbr \u002F>\nNo tracking.\u003Cbr \u002F>\nNo unnecessary complexity.\u003C\u002Fp>\n\u003Cp>Just effective login protection.\u003C\u002Fp>\n\u003Cp>Unlike many plugins, Gatorio blocks login attempts before authentication begins.\u003Cbr \u002F>\nThis prevents bypasses caused by plugins that override the default WordPress login flow.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Brute-force protection\u003C\u002Fli>\n\u003Cli>Login attempt limiter\u003C\u002Fli>\n\u003Cli>Temporary lockout\u003C\u002Fli>\n\u003Cli>Pre-authentication request blocking (init hook)\u003C\u002Fli>\n\u003Cli>Works with WordPress, WooCommerce and custom login forms\u003C\u002Fli>\n\u003Cli>Login delay (bot mitigation)\u003C\u002Fli>\n\u003Cli>Generic login errors (no information leakage)\u003C\u002Fli>\n\u003Cli>XML-RPC protection\u003C\u002Fli>\n\u003Cli>Username enumeration protection (REST API)\u003C\u002Fli>\n\u003Cli>IP hashing (privacy-friendly, no raw IP storage)\u003C\u002Fli>\n\u003C\u002Ful>\n","Lightweight brute-force protection for the WordPress login.",55,"2026-04-10T12:51:00.000Z","6.0","8.0",[18,19,20,21],"https:\u002F\u002Fgatorio.io","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgatorio.1.1.zip",{"slug":112,"name":113,"version":114,"author":115,"author_profile":116,"description":117,"short_description":118,"active_installs":11,"downloaded":119,"rating":11,"num_ratings":11,"last_updated":120,"tested_up_to":50,"requires_at_least":106,"requires_php":16,"tags":121,"homepage":123,"download_link":124,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":58},"luckduo-login-guard","Luckduo Login Guard","1.2","sophia0606","https:\u002F\u002Fprofiles.wordpress.org\u002Fsophia0606\u002F","\u003Cp>Luckduo Login Guard is a lightweight and powerful security plugin designed to protect your WordPress website from brute-force login attacks.\u003C\u002Fp>\n\u003Cp>It automatically limits login attempts, locks suspicious IP addresses, and provides an intuitive admin dashboard for managing login security.\u003C\u002Fp>\n\u003Cp>Perfect for website owners who want a simple yet effective way to secure their login page without slowing down their site.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Limit login attempts per IP address\u003C\u002Fli>\n\u003Cli>Automatically lock IPs after multiple failed attempts\u003C\u002Fli>\n\u003Cli>Track login success and failure logs\u003C\u002Fli>\n\u003Cli>Admin dashboard with easy-to-use settings\u003C\u002Fli>\n\u003Cli>View and manage locked IP addresses\u003C\u002Fli>\n\u003Cli>Unlock IP addresses manually\u003C\u002Fli>\n\u003Cli>Lightweight and fast – no performance impact\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Developed by Luckduo.\u003C\u002Fp>\n","Short Description: Protect your WordPress login from brute-force attacks with IP lock and login attempt limits.",86,"2026-03-26T08:34:00.000Z",[18,122,19,20,21],"limit-login-attempts","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fluckduo-login-guard.1.2.zip",{"attackSurface":126,"codeSignals":162,"taintFlows":170,"riskAssessment":171,"analyzedAt":179},{"hooks":127,"ajaxHandlers":158,"restRoutes":159,"shortcodes":160,"cronEvents":161,"entryPointCount":11,"unprotectedCount":11},[128,134,137,144,148,153],{"type":129,"name":130,"callback":131,"file":132,"line":133},"action","admin_menu","add_settings_page","includes\\class-lwp-login-gatekeeper-admin.php",54,{"type":129,"name":135,"callback":136,"file":132,"line":104},"admin_init","register_settings",{"type":138,"name":139,"callback":140,"priority":141,"file":142,"line":143},"filter","authenticate","maybe_block_login",99,"includes\\class-lwp-login-gatekeeper-login-guard.php",49,{"type":129,"name":145,"callback":146,"file":142,"line":147},"login_form","add_hidden_login_key_field",50,{"type":138,"name":149,"callback":150,"priority":151,"file":142,"line":152},"retrieve_password_message","append_key_to_reset_email",10,51,{"type":129,"name":154,"callback":155,"file":156,"line":157},"plugins_loaded","get_instance","login-gatekeeper.php",23,[],[],[],[],{"dangerousFunctions":163,"sqlUsage":164,"outputEscaping":166,"fileOperations":11,"externalRequests":11,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":169},[],{"prepared":11,"raw":11,"locations":165},[],{"escaped":167,"rawEcho":11,"locations":168},29,[],[],[],{"summary":172,"deductions":173},"The 'login-gatekeeper' v1.0.0 plugin exhibits a strong initial security posture based on the provided static analysis. The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the plugin's attack surface. Furthermore, the code analysis reveals no dangerous functions, file operations, or external HTTP requests. All SQL queries are properly prepared, and all output is correctly escaped. The lack of any recorded historical vulnerabilities further reinforces this positive assessment, suggesting a consistent focus on secure development practices.\n\nHowever, a notable concern arises from the complete absence of nonce checks and capability checks. While the current attack surface is zero, this lack of fundamental security controls means that if any new entry points are introduced in future versions, they would be inherently vulnerable to CSRF and unauthorized access. The taint analysis showing zero flows, while positive, could be a result of the minimal attack surface, and does not necessarily guarantee future safety if code changes. Therefore, while 'login-gatekeeper' appears secure in its current state, the omission of basic security mechanisms represents a significant future risk.\n\nIn conclusion, 'login-gatekeeper' v1.0.0 is currently very secure due to a minimal attack surface and diligent coding practices regarding SQL and output escaping. The absence of historical vulnerabilities is a strong positive indicator. The primary weakness lies in the complete lack of nonce and capability checks, which, while not exploitable in the current version, poses a substantial risk for future maintainability and security. This plugin is recommended for use in its current version, but with a strong caveat regarding the need for implementing these security measures in any future updates.",[174,177],{"reason":175,"points":176},"Missing nonce checks",20,{"reason":178,"points":176},"Missing capability checks","2026-03-17T07:14:19.390Z",{"wat":181,"direct":189},{"assetPaths":182,"generatorPatterns":184,"scriptPaths":185,"versionParams":186},[183],"\u002Fwp-content\u002Fplugins\u002Flogin-gatekeeper\u002Fassets\u002Fcss\u002Flogin-gatekeeper.css",[],[],[187,188],"login-gatekeeper\u002Fassets\u002Fcss\u002Flogin-gatekeeper.css?ver=","login-gatekeeper\u002Fassets\u002Fjs\u002Flogin-gatekeeper.js?ver=",{"cssClasses":190,"htmlComments":191,"htmlAttributes":192,"restEndpoints":193,"jsGlobals":194,"shortcodeOutput":195},[],[],[],[],[],[],{"error":197,"url":198,"statusCode":199,"statusMessage":200,"message":200},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Flogin-gatekeeper\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":11,"versions":202},[]]