Does NoHackMe Defender have any unpatched vulnerabilities?

No. All known vulnerabilities in NoHackMe Defender have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is NoHackMe Defender compatible with WordPress 6.5.8?

According to WordPress.org data, NoHackMe Defender 1.1.0 has been tested up to WordPress 6.5.8. Check the plugin's changelog for the latest compatibility information.

Is NoHackMe Defender compatible with PHP 7.4+?

NoHackMe Defender requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is NoHackMe Defender updated?

NoHackMe Defender was last updated on Jun 26, 2024. Frequent updates are generally a positive security signal.

What is NoHackMe Defender's security score?

NoHackMe Defender has a WP-Safety security score of 92/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

NoHackMe Defender Security & Risk Analysis

wordpress.org/plugins/nohackme-defender

Enhance your WordPress security by blocking IPs that send too many or suspicious requests.

20 active installs v1.1.0 PHP 7.4+ WP 6.0+ Updated Jun 26, 2024

anti-hackfirewallip-blockingprotectionsecurity

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is NoHackMe Defender Safe to Use in 2026?

Generally Safe

Score 92/100

NoHackMe Defender has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago

Risk Assessment

The 'nohackme-defender' plugin v1.1.0 presents a generally good security posture with several strengths, including a complete absence of known CVEs and a robust use of prepared statements for all SQL queries. All identified entry points, including AJAX handlers, are protected by authentication checks, and there are no direct REST API routes exposed. Nonce and capability checks are also present, indicating an awareness of common WordPress security practices.

However, there are notable areas of concern. The presence of four 'unserialize' calls is a significant risk, as it can lead to Remote Code Execution vulnerabilities if untrusted data is passed to it. While no critical or high severity taint flows were found, the single flow with unsanitized paths warrants attention. Furthermore, the output escaping is only properly implemented in 59% of cases, which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is output without sufficient sanitization. The plugin also performs file operations and makes external HTTP requests, which are potential vectors if not handled with extreme care.

Given the plugin's clean vulnerability history, it suggests a potentially proactive development approach or simply a lack of past exploitation. Nevertheless, the identified code signals, particularly the use of 'unserialize' and insufficient output escaping, represent tangible security risks that should be addressed to maintain a strong security posture.

Key Concerns

Use of unserialize function
Unsanitized paths in taint flow
Low percentage of properly escaped output
File operations performed
External HTTP requests made

Vulnerabilities

None known

NoHackMe Defender Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

NoHackMe Defender Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

103

149 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$reason = @unserialize(_pdxglobal_get_file_via_wpfs(NOHACKME_DEFENDER_BANNED_PATH . $ip));nohackme-defender.php:214

unserialize$ips = @unserialize($data);nohackme-defender.php:560

unserialize$settings = @unserialize(file_get_contents($settings_path . 'settings'));nohackme.php:47

unserialize$cur_ips = @unserialize(file_get_contents($settings_path . 'cur_ips_counters'));nohackme.php:129

Output Escaping

59% escaped252 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths

nohackme_defender_get_settings_page (nohackme-defender.php:775)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

NoHackMe Defender Attack Surface

Entry Points7

Unprotected0

AJAX Handlers 7

authwp_ajax_nohackme_defender_restore_defaultsajax.php:5

noprivwp_ajax_nohackme_defender_restore_defaultsajax.php:6

authwp_ajax_nohackme_defender_restore_defaults_ips_googleajax.php:35

noprivwp_ajax_nohackme_defender_restore_defaults_ips_googleajax.php:36

authwp_ajax_nohackme_defender_restore_defaults_ips_yandexajax.php:65

noprivwp_ajax_nohackme_defender_restore_defaults_ips_yandexajax.php:66

authwp_ajax_pdxglobal_dismiss_daily_noticenohackme-defender.php:1194

WordPress Hooks 11

actionnohackme_defender_daily_eventnohackme-defender.php:116

actionadmin_menunohackme-defender.php:709

actionadmin_initnohackme-defender.php:712

actionadmin_enqueue_scriptsnohackme-defender.php:1121

actionplugins_loadednohackme-defender.php:1127

actionadmin_noticesnohackme-defender.php:1139

actionadmin_initnohackme-defender.php:1143

actionadmin_noticesnohackme-defender.php:1162

actionadmin_footernohackme-defender.php:1209

actionadmin_noticesnohackme-defender.php:1212

filterplugin_action_links_nohackme_defender/nohackme_defender.phpnohackme-defender.php:1246

Scheduled Events 1

nohackme_defender_daily_event

Maintenance & Trust

NoHackMe Defender Maintenance & Trust

Maintenance Signals

WordPress version tested6.5.8

Last updatedJun 26, 2024

PHP min version7.4

Downloads1K

Community Trust

Rating0/100

Number of ratings0

Active installs20

Alternatives

NoHackMe Defender Alternatives

Guardify Firewall

guardify

100

Guardify is a powerful WordPress firewall plugin designed to protect your website from a wide range of threats, including brute force attacks, SQL inj …

10 No CVEs