Loginizer Security & Risk Analysis

wordpress.org/plugins/loginizer

Loginizer is a WordPress security plugin which helps you fight against brute-force attacks.

1.0M active installs · v2.0.6 · PHP 5.5+ · WP 3.0+ · Updated Mar 2, 2026
Tags: access, admin, login, loginizer, security
Score: 87 · A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Nov 4, 2024
Safety Verdict

Is Loginizer Safe to Use in 2026?

Generally Safe

Score 87/100

Loginizer has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Nov 4, 2024 · Updated 1mo ago
Risk Assessment

Loginizer v2.0.6 presents a mixed security posture. The static analysis indicates a good foundation: 100% of identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) have authorization checks, a clear majority of SQL queries use prepared statements (83%), and the plugin performs 22 nonce checks and 24 capability checks, suggesting the developers are aware of the common WordPress security mechanisms. However, the low rate of output escaping (26%) is a significant concern: it indicates a high potential for Cross-Site Scripting (XSS) wherever user-provided data is rendered without proper escaping.

The vulnerability history is concerning: 8 known CVEs, including 2 critical and 2 high-severity issues. The recurring vulnerability types (improper authentication, CSRF, XSS and SQL injection) point to security weaknesses that have surfaced repeatedly in the plugin's development. While there are currently no unpatched vulnerabilities, the history shows a pattern of flaws that have required fixes. The bundled Guzzle library could also introduce risk if it is not kept up to date; its version is not specified in the analysis.

In conclusion, while Loginizer v2.0.6 has implemented some strong security practices, particularly around access control for entry points, the low rate of output escaping and the historical prevalence of critical and high-severity vulnerabilities warrant caution. The plugin's attack surface is well-protected at the entry point level, but the potential for XSS due to insufficient output sanitization remains a significant risk. Users should be aware of this history and monitor for future updates that address the identified weaknesses, especially in output handling.

Key Concerns

  • Low output escaping rate
  • History of critical-severity vulnerabilities
  • History of high-severity vulnerabilities
  • Bundled library (potential risk)
Vulnerabilities (8)

Loginizer Security Vulnerabilities

CVEs by Year

  • 2017: 2 CVEs
  • 2018: 1 CVE
  • 2020: 1 CVE
  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • Critical: 2
  • High: 2
  • Medium: 4

8 total CVEs

CVE-2024-10097 · High · 8.1 · Improper Authentication

Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass via WordPress.com OAuth provider

Nov 4, 2024 Patched in 1.9.3 (108d)
CVE-2023-2296 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Loginizer <= 1.7.8 - Reflected Cross-Site Scripting via 'limit_session[count]'

May 2, 2023 Patched in 1.7.9 (266d)
CVE-2022-45079 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)

Loginizer <= 1.7.5 - Cross-Site Request Forgery

Dec 5, 2022 Patched in 1.7.6 (414d)
CVE-2022-45084 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Loginizer <= 1.7.5 - Reflected Cross-Site Scripting via 'name'

May 12, 2022 Patched in 1.7.6 (621d)
CVE-2020-27615 · Critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Loginizer <= 1.6.3 - SQL Injection

Oct 21, 2020 Patched in 1.6.4 (1189d)
CVE-2018-11366 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting

May 22, 2018 Patched in 1.4.0 (2072d)
CVE-2017-12650 · Critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Loginizer <= 1.3.5 - Blind SQL Injection

Aug 8, 2017 Patched in 1.3.6 (2359d)
CVE-2017-12651 · High · 8.8 · Cross-Site Request Forgery (CSRF)

Loginizer <= 1.3.5 - Cross-Site Request Forgery

Aug 8, 2017 Patched in 1.3.6 (2359d)
Code Analysis
Analyzed Mar 16, 2026

Loginizer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (10 prepared)
Unescaped Output: 478 (165 escaped)
Nonce Checks: 22
Capability Checks: 24
File Operations: 10
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

83% prepared · 12 total queries

Output Escaping

26% escaped · 643 total outputs
Data Flows
All sanitized

Data Flow Analysis

7 flows
loginizer_social_order (main\ajax.php:179)
Attack Surface

Loginizer Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers 10

  • auth · wp_ajax_loginizer_dismiss_csrf · main\ajax.php:9
  • auth · wp_ajax_loginizer_dismiss_backuply · main\ajax.php:10
  • auth · wp_ajax_loginizer_dismiss_social_alert · main\ajax.php:11
  • auth · wp_ajax_loginizer_dismiss_newsletter · main\ajax.php:12
  • auth · wp_ajax_loginizer_failed_login_export · main\ajax.php:13
  • auth · wp_ajax_loginizer_export · main\ajax.php:14
  • auth · wp_ajax_loginizer_social_order · main\ajax.php:15
  • auth · wp_ajax_loginizer_dismiss_license_alert · main\ajax.php:16
  • auth · wp_ajax_loginizer_dismiss_softwp_alert · main\ajax.php:17
  • auth · wp_ajax_loginizer_close_update_notice · main\ajax.php:18
WordPress Hooks 23
  • action · plugins_loaded · init.php:230
  • action · init · init.php:276
  • filter · authenticate · init.php:326
  • action · wp_login_failed · init.php:330
  • action · wp_login_errors · init.php:334
  • action · woocommerce_login_failed · init.php:335
  • action · wp_login · init.php:336
  • action · wp_login_failed · init.php:339
  • filter · wp_login_errors · init.php:343
  • action · login_form · init.php:350
  • action · init · init.php:368
  • action · init · loginizer.php:64
  • action · admin_menu · main\admin.php:8
  • action · admin_notices · main\admin.php:9
  • action · admin_footer · main\admin.php:10
  • action · admin_init · main\admin.php:11
  • action · admin_notices · main\admin.php:35
  • action · admin_notices · main\admin.php:39
  • action · admin_notices · main\admin.php:75
  • filter · softaculous_plugin_update_notice · main\admin.php:76
  • action · admin_notices · main\admin.php:101
  • action · admin_notices · main\admin.php:115
  • filter · install_plugin_complete_actions · main\admin.php:296
Maintenance & Trust

Loginizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 5.5
Downloads: 29.8M

Community Trust

Rating: 96/100
Number of ratings: 1,020
Active installs: 1.0M
Developer Profile

Loginizer Developer Profile

Softaculous

10 plugins · 4.1M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 333 days
Detection Fingerprints

How We Detect Loginizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/loginizer/css/loginizer.css
  • /wp-content/plugins/loginizer/css/loginizer-admin.css
  • /wp-content/plugins/loginizer/js/loginizer.js
  • /wp-content/plugins/loginizer/js/loginizer-admin.js
Script Paths
  • /wp-content/plugins/loginizer/js/loginizer.js
  • /wp-content/plugins/loginizer/js/loginizer-admin.js
Version Parameters
  • loginizer/css/loginizer.css?ver=
  • loginizer/css/loginizer-admin.css?ver=
  • loginizer/js/loginizer.js?ver=
  • loginizer/js/loginizer-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • loginizer-wrap
  • loginizer-form
  • loginizer-message
HTML Comments
  • <!-- Loginizer -->
  • <!-- Loginizer Pro -->
Data Attributes
data-loginizer-nonce
JS Globals
loginizer_ajax_object
FAQ

Frequently Asked Questions about Loginizer