[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fn1ym3oyljCw9fObIRes0Ypkdolz-bYu8XK1jTwfAdYk":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":138,"fingerprints":256},"rate-limit-co","Rate Limit Guard","1.1","IP Stresser Guard","https:\u002F\u002Fprofiles.wordpress.org\u002Fcostresser\u002F","\u003Cp>This plugin allows you to have a simple rate limit option to protect the site against DDoS or brute force and IP stresser attacks. It is suitable to Prevent against IP Stresser and booter scripts that want to increase the consumption of your site’s resources with a “Slow” method.\u003C\u002Fp>\n\u003Ch3>What is IP Stresser ?\u003C\u002Fh3>\n\u003Cp>An IP stresser is an online tool that is used to attack a server or a website by overwhelming its resources with a flood of Internet traffic. It is often used to test the strength and resilience of a server or a network, but it can also be used maliciously to bring down a website or a service by denying legitimate users access.\u003Cbr \u002F>\nIP stressers are often used by hackers to launch attacks on websites, but they can also be used by legitimate businesses and organizations to test their websites’ performance.\u003C\u002Fp>\n\u003Ch3>What is Slowloris  Attack?\u003C\u002Fh3>\n\u003Cp>Slowloris is a type of DDoD attack that targets web servers by keeping many HTTP connections open simultaneously and sending partial HTTP requests. This can tie up server resources and cause the server to reach its maximum concurrent connection limit, preventing legitimate users from accessing the website.\u003Cbr \u002F>\nIt’s worth noting that Layer 7 attacks are often more difficult to mitigate compared to lower-level attacks, as they can mimic legitimate traffic patterns and require more advanced detection and mitigation techniques. Implementing proper security measures, such as web application firewalls (WAFs) and rate-limiting mechanisms, can help protect against Layer 7 attacks.\u003C\u002Fp>\n\u003Ch3>Simple source code\u003C\u002Fh3>\n\u003Cp>this PHP Code help you to have a simple rate limit option to protect the site against DDoS or brute force attacks from IP Stresser It is suitable to Prevent against IP Stresser and booter scripts that want to increase the consumption of your site’s resources with a “Slow” method.\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FJhonvalta\u002Fprevent_IP_Stresser\" rel=\"nofollow ugc\">Prevent IP Stresser\u003C\u002Fa> on Github.\u003C\u002Fp>\n","This plugin safeguards your website from Layer 7 DDoS attacks and IP stressors by utilizing a rate limiting feature.",70,2889,60,2,"2024-12-06T19:56:00.000Z","6.7.5","4.0.1","7.0",[20,21,22,23,24],"brute-force","ddos","firewall","ip-stresser","security","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frate-limit-co.1.1.zip",92,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":33,"display_name":7,"profile_url":8,"plugin_count":34,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"costresser",1,30,88,"2026-04-04T02:29:04.151Z",[39,58,79,101,122],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":34,"last_updated":50,"tested_up_to":51,"requires_at_least":52,"requires_php":53,"tags":54,"homepage":56,"download_link":57,"security_score":49,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"mat-firewall","MAT Firewall","1.0.0","matpluginsofficial","https:\u002F\u002Fprofiles.wordpress.org\u002Fmatpluginsofficial\u002F","\u003Cp>\u003Cstrong>MAT Firewall\u003C\u002Fstrong> is a comprehensive WordPress security plugin designed to safeguard your website from malicious traffic, brute force attacks, and unauthorized access. Whether you’re running a small blog, business site, or eCommerce platform, \u003Cstrong>MAT Firewall\u003C\u002Fstrong> provides robust security while maintaining performance.\u003C\u002Fp>\n\u003Ch3>Key Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Advanced Firewall Rules\u003C\u002Fstrong> – Block or allow traffic based on IP, country, URI, HTTP methods, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting & Anti-Brute Force\u003C\u002Fstrong> – Set request limits to prevent spam, DDoS attacks, and abusive bot activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CDN Integration & Protection\u003C\u002Fstrong> – Secure your site with CDN IP whitelisting and anti-spoofing measures.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-Time Monitoring\u003C\u002Fstrong> – View blocked and allowed requests via a detailed security dashboard.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lightweight & Optimized\u003C\u002Fstrong> – Runs efficiently without slowing down your site.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>🚀 \u003Cstrong>Upgrade to MAT Firewall Pro\u003C\u002Fstrong> for \u003Cstrong>unlimited rules, dynamic blocking, enhanced rate-limiting, and priority support.\u003C\u002Fstrong>\u003Cbr \u002F>\n🔗 \u003Ca href=\"https:\u002F\u002Fpro.matplugins.com\" rel=\"nofollow ugc\">Learn More & Upgrade\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Upgrade to MAT Firewall Pro\u003C\u002Fh3>\n\u003Cp>Unlock \u003Cstrong>premium security features\u003C\u002Fstrong> with \u003Cstrong>MAT Firewall Pro\u003C\u002Fstrong>:\u003Cbr \u002F>\n✅ \u003Cstrong>Unlimited Custom Rules\u003C\u002Fstrong>\u003Cbr \u002F>\n✅ \u003Cstrong>Advanced Rate-Limiting & Dynamic Blocking\u003C\u002Fstrong>\u003Cbr \u002F>\n✅ \u003Cstrong>Detailed Security Analytics\u003C\u002Fstrong>\u003Cbr \u002F>\n✅ \u003Cstrong>Priority Support\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>🔥 \u003Cstrong>Upgrade now:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fpro.matplugins.com\" rel=\"nofollow ugc\">MAT Firewall Pro\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>License & Copyright\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under \u003Cstrong>GPLv2 or later\u003C\u002Fstrong>.\u003Cbr \u002F>\nMore details: \u003Ca href=\"https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\" rel=\"nofollow ugc\">GNU GPL License\u003C\u002Fa>.\u003C\u002Fp>\n","MAT Firewall is a powerful WordPress security plugin that helps protect your website from malicious attacks, brute force attempts, and unauthorized ac …",10,413,100,"2025-04-25T08:26:00.000Z","6.8.5","6.0","8.0",[20,21,22,55,24],"malware","https:\u002F\u002Fmatplugins.com\u002Fmat-firewall","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmat-firewall.1.0.0.zip",{"slug":59,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":66,"downloaded":67,"rating":68,"num_ratings":69,"last_updated":70,"tested_up_to":71,"requires_at_least":72,"requires_php":25,"tags":73,"homepage":25,"download_link":76,"security_score":68,"vuln_count":77,"unpatched_count":28,"last_vuln_date":78,"fetched_at":30},"limit-login-attempts-reloaded","Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall","2.26.28","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded\u003C\u002Fa> functions as a robust deterrent against \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fcracking-the-code-unveiling-the-mechanics-behind-brute-force-attacks\u002F\" rel=\"nofollow ugc\">brute force attacks\u003C\u002Fa>, bolstering your website’s security measures and optimizing its performance. It achieves this by \u003Cstrong>restricting the number of login attempts allowed\u003C\u002Fstrong>. This applies not only to the standard login method, but also to XMLRPC, Woocommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.\u003C\u002Fp>\n\u003Cp>The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and\u002For username once a predetermined limit of retries has been surpassed. This significantly weakens the effectiveness of brute force attacks on your website.\u003C\u002Fp>\n\u003Cp>By default, WordPress permits an unlimited number of login attempts, posing a vulnerability where passwords can be easily deciphered through brute force methods.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Limit Login Attempts Reloaded Premium (Try Free with \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fpremium-security-zero-cost-discover-the-benefits-of-micro-cloud\u002F\" rel=\"nofollow ugc\">Micro Cloud\u003C\u002Fa>)\u003C\u002Fstrong>\u003Cbr \u002F>\nUpgrade to \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fplans\u002F\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded Premium\u003C\u002Fa> to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffeatures\u002Fip-intelligence\u002F\" rel=\"nofollow ugc\">IP intelligence\u003C\u002Fa> to \u003Cstrong>detect, counter and deny malicious login attempts\u003C\u002Fstrong>. Your \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffailed-login-attempts-in-wordpress\u002F\" rel=\"nofollow ugc\">failed login attempts\u003C\u002Fa> will be safely neutralized in the cloud so your website can function at its optimal performance during an attack.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FJfkvIiQft14?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>Features (Free Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>2FA\u003C\u002Fstrong> – Coming soon.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Logins\u003C\u002Fstrong> – Limit the number of retry attempts when logging in (per each IP).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Lockout Timings\u003C\u002Fstrong> – Modify the amount of time a user or IP must wait after a lockout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remaining Tries\u003C\u002Fstrong> – Informs the user about the remaining retries or lockout time on the login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lockout Email Notifications\u003C\u002Fstrong> – Informs the admin via email of lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Denied Attempt Logs\u003C\u002Fstrong> – View a log of all denied attempts and lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & Username Safelist\u002FDenylist\u003C\u002Fstrong> – Control access to usernames and IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection (Micro Cloud Accounts)\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sucuri\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wordfence\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPS Hide Login\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MemberPress\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XMLRPC\u003C\u002Fstrong> gateway protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Woocommerce\u003C\u002Fstrong> login page protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-site compatibility\u003C\u002Fstrong> with extra MU settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR\u003C\u002Fstrong> compliant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom IP origins support\u003C\u002Fstrong> (Cloudflare, Sucuri, etc.).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>llar_admin\u003C\u002Fstrong> own capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features (Premium Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Performance Optimizer\u003C\u002Fstrong> – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced IP Intelligence\u003C\u002Fstrong> – Identify repetitive and suspicious login attempts to detect potential brute force attacks. IPs with known malicious activity are stored and used to help prevent and counter future attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Throttling\u003C\u002Fstrong> – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deny By Country\u003C\u002Fstrong> – \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fblock-logins-by-country-in-wordpress\u002F\" rel=\"nofollow ugc\">Block logins by country\u003C\u002Fa> by simply selecting the countries you want to deny.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto IP Denylist\u003C\u002Fstrong> – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Denylist Protection\u003C\u002Fstrong> – Utilize our active cloud IP data from thousands of websites in the LLAR network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Lockouts\u003C\u002Fstrong> –  Lockout IP data can be shared between multiple domains for enhanced protection in your network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Safelist\u002FDenylist\u003C\u002Fstrong> – Safelist\u002FDenylist IP and username data can be shared between multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support\u003C\u002Fstrong> – Email support with a security tech.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto Backups of All IP Data\u003C\u002Fstrong> – Store your active IP data in the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Successful Logins Log\u003C\u002Fstrong> – Store successful logins in the cloud including IP info, city, state and lat\u002Flong.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced lockout logs\u003C\u002Fstrong> – Gain valuable insights into the origins of IPs that are attempting logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CSV Download of IP Data\u003C\u002Fstrong> – Download IP data direclty from the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supports IPV6 Ranges For Safelist\u002FDenylist\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlock The Locked Admin\u003C\u002Fstrong> – Easily \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fhow-to-unlock-your-site-if-you-are-locked-out-by-limit-login-attempts-reloaded\u002F\" rel=\"nofollow ugc\">unlock the locked admin\u003C\u002Fa> through the cloud.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>*Some features require higher level plans.\u003C\u002Fp>\n\u003Ch4>Upgrading from the old Limit Login Attempts plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to the Plugins section in your site’s backend.\u003C\u002Fli>\n\u003Cli>Remove the Limit Login Attempts plugin.\u003C\u002Fli>\n\u003Cli>Install the Limit Login Attempts Reloaded plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All your settings will be kept intact!\u003C\u002Fp>\n\u003Cp>Many languages are currently supported in the Limit Login Attempts Reloaded plugin but we welcome any additional ones.\u003C\u002Fp>\n\u003Cp>Help us bring Limit Login Attempts Reloaded to even more countries.\u003C\u002Fp>\n\u003Cp>Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish\u003C\u002Fp>\n\u003Cp>Plugin uses standard actions and filters only.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin by Johan Eenfeldt.\u003C\u002Fp>\n\u003Ch4>Branding Guidelines\u003C\u002Fh4>\n\u003Cp>Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. Limit Login Attempts is the old plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded (correct)\u003C\u002Fli>\n\u003Cli>Limit Login Attempts (incorrect)\u003C\u002Fli>\n\u003C\u002Ful>\n","Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.",2000000,79399145,98,1441,"2026-01-12T16:01:00.000Z","6.9.4","3.0",[74,20,22,75,24],"2fa","login-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-login-attempts-reloaded.2.26.28.zip",4,"2023-12-20 00:00:00",{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":87,"downloaded":88,"rating":68,"num_ratings":89,"last_updated":90,"tested_up_to":71,"requires_at_least":91,"requires_php":92,"tags":93,"homepage":96,"download_link":97,"security_score":98,"vuln_count":99,"unpatched_count":28,"last_vuln_date":100,"fetched_at":30},"gotmls","Anti-Malware Security and Brute-Force Firewall","4.23.88","Eli","https:\u002F\u002Fprofiles.wordpress.org\u002Fscheeeli\u002F","\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Download Definition Updates to protect against new threats.\u003C\u002Fli>\n\u003Cli>Run a Complete Scan to automatically remove known security threats, backdoor scripts, and database injections.\u003C\u002Fli>\n\u003Cli>Firewall block SoakSoak and other malware from exploiting Revolution Slider and other plugins with known vulnerabilites.\u003C\u002Fli>\n\u003Cli>Upgrade vulnerable versions of timthumb scripts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Premium Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Patch your wp-login and XMLRPC to block Brute-Force and DDoS attacks.\u003C\u002Fli>\n\u003Cli>Check the integrity of your WordPress Core files.\u003C\u002Fli>\n\u003Cli>Automatically download new Definition Updates when running a Complete Scan.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Register this plugin at \u003Ca href=\"http:\u002F\u002Fgotmls.net\u002F\" rel=\"nofollow ugc\">GOTMLS.NET\u003C\u002Fa> and get access to new definitions of “Known Threats” and added features like Automatic Removal, plus patches for specific security vulnerabilities like old versions of timthumb. Updated definition files can be downloaded automatically within the admin once your Key is registered. Otherwise, this plugin just scans for “Potential Threats” and leaves it up to you to identify and remove the malicious ones.\u003C\u002Fp>\n\u003Cp>NOTICE: This plugin makes calls to GOTMLS.NET to check for updates not unlike what WordPress does when checking your plugins and themes for new versions. Staying up-to-date is an essential part of any security plugin and this plugin can let you know when there are new plugin and definition update available. If you’re allergic to “phone home” scripts then don’t use this plugin (or WordPress at all for that matter).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Special thanks to:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Clarus Dignus for design suggestions and graphic design work on the banner image.\u003C\u002Fli>\n\u003Cli>Jelena Kovacevic and Andrew Kurtis of webhostinghub.com for providing the Spanish translation.\u003C\u002Fli>\n\u003Cli>Marcelo Guernieri for the Brazilian Portuguese translation.\u003C\u002Fli>\n\u003Cli>Umut Can Alparslan for the Turkish translation.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmichacassola\u002F\" rel=\"nofollow ugc\">Micha Cassola\u003C\u002Fa> for the German translation.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fsitustarget\u002F\" rel=\"nofollow ugc\">Robi Erwin Setiawan\u003C\u002Fa> for the Indonesian translation.\u003C\u002Fli>\n\u003C\u002Ful>\n","This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.",100000,7622347,781,"2026-03-09T14:47:00.000Z","3.3","5.6",[94,20,22,95,24],"anti-malware","scanner","https:\u002F\u002Fgotmls.net\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgotmls.4.23.88.zip",83,9,"2025-10-28 15:41:58",{"slug":102,"name":103,"version":104,"author":105,"author_profile":106,"description":107,"short_description":108,"active_installs":109,"downloaded":110,"rating":111,"num_ratings":112,"last_updated":113,"tested_up_to":114,"requires_at_least":115,"requires_php":25,"tags":116,"homepage":119,"download_link":120,"security_score":121,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"ip-geo-block","IP Geo Block","3.0.17.4","tokkonopapa","https:\u002F\u002Fprofiles.wordpress.org\u002Ftokkonopapa\u002F","\u003Cp>The more you install themes and plugins, the more likely your sites will be vulnerable, even if you \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FHardening_WordPress\" title=\"Hardening WordPress « WordPress Codex\" rel=\"nofollow ugc\">securely harden your sites\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>While WordPress.org \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fabout\u002Fsecurity\u002F\" title=\"Security | WordPress.org\" rel=\"ugc\">provides\u003C\u002Fa> \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fthemes\u002Ftheme-security\u002F\" title=\"Theme Security | Theme Developer Handbook | WordPress Developer Resources\" rel=\"nofollow ugc\">excellent\u003C\u002Fa> \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F\" title=\"Plugin Security | Plugin Developer Handbook | WordPress Developer Resources\" rel=\"nofollow ugc\">resources\u003C\u002Fa>, themes and plugins may often get vulnerable due to developers’ \u003Ca href=\"https:\u002F\u002Fwww.google.com\u002Fsearch?q=human+factors+in+security\" title=\"human factors in security - Google Search\" rel=\"nofollow ugc\">human factors\u003C\u002Fa> such as lack of security awareness, misuse and disuse of the best practices in those resources.\u003C\u002Fp>\n\u003Cp>This plugin focuses on insights into such developers’ human factors instead of detecting the specific attack vectors after they were disclosed. This brings a smart and powerful methods named as “\u003Cstrong>WP Zero-day Exploit Prevention\u003C\u002Fstrong>” and “\u003Cstrong>WP Metadata Exploit Protection\u003C\u002Fstrong>“.\u003C\u002Fp>\n\u003Cp>Combined with those methods and IP address geolocation, you’ll be surprised to find a bunch of malicious or undesirable access blocked in the logs of this plugin after several days of installation.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Privacy by design:\u003C\u002Fstrong>\u003Cbr \u002F>\nIP address is always encrypted on recording in logs\u002Fcache. Moreover, it can be anonymized and restricted on sending to the 3rd parties such as geolocation APIs or whois service.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Immigration control:\u003C\u002Fstrong>\u003Cbr \u002F>\nAccess to the basic and important entrances into back-end such as \u003Ccode>wp-comments-post.php\u003C\u002Fcode>, \u003Ccode>xmlrpc.php\u003C\u002Fcode>, \u003Ccode>wp-login.php\u003C\u002Fcode>, \u003Ccode>wp-signup.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin-ajax.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin-post.php\u003C\u002Fcode> will be validated by means of a country code based on IP address. It allows you to configure either whitelist or blacklist to \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FISO_3166-1_alpha-2#Officially_assigned_code_elements\" title=\"ISO 3166-1 alpha-2 - Wikipedia\" rel=\"nofollow ugc\">specify the countires\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FClassless_Inter-Domain_Routing\" title=\"Classless Inter-Domain Routing - Wikipedia\" rel=\"nofollow ugc\">CIDR notation\u003C\u002Fa> for a range of IP addresses and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAutonomous_system_(Internet)\" title=\"Autonomous system (Internet) - Wikipedia\" rel=\"nofollow ugc\">AS number\u003C\u002Fa> for a group of IP networks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Zero-day Exploit Prevention:\u003C\u002Fstrong>\u003Cbr \u002F>\nUnlike other security firewalls based on attack patterns (vectors), the original feature “\u003Cstrong>W\u003C\u002Fstrong>ord\u003Cstrong>P\u003C\u002Fstrong>ress \u003Cstrong>Z\u003C\u002Fstrong>ero-day \u003Cstrong>E\u003C\u002Fstrong>xploit \u003Cstrong>P\u003C\u002Fstrong>revention” (WP-ZEP) is focused on patterns of vulnerability. It is simple but still smart and strong enough to block any malicious accesses to \u003Ccode>wp-admin\u002F*.php\u003C\u002Fcode>, \u003Ccode>plugins\u002F*.php\u003C\u002Fcode> and \u003Ccode>themes\u002F*.php\u003C\u002Fcode> even from the permitted countries. It will protect your site against certain types of attack such as CSRF, LFI, SQLi, XSS and so on, \u003Cstrong>even if you have some vulnerable plugins and themes in your site\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Guard against login attempts:\u003C\u002Fstrong>\u003Cbr \u002F>\nIn order to prevent hacking through the login form and XML-RPC by brute-force and the reverse-brute-force attacks, the number of login attempts will be limited per IP address even from the permitted countries.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Minimize server load against brute-force attacks:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can configure this plugin as a \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FMust_Use_Plugins\" title=\"Must Use Plugins « WordPress Codex\" rel=\"nofollow ugc\">Must Use Plugins\u003C\u002Fa> so that this plugin can be loaded prior to regular plugins. It can massively \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fvalidation-timing.html\" title=\"Validation timing | IP Geo Block\" rel=\"nofollow ugc\">reduce the load on server\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Prevent malicious down\u002Fuploading:\u003C\u002Fstrong>\u003Cbr \u002F>\nA malicious request such as exposing \u003Ccode>wp-config.php\u003C\u002Fcode> or uploading malwares via vulnerable plugins\u002Fthemes can be blocked.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block badly-behaved bots and crawlers:\u003C\u002Fstrong>\u003Cbr \u002F>\nA simple logic may help to reduce the number of rogue bots and crawlers scraping your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Support of BuddyPress and bbPress:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can configure this plugin so that a registered user can login as a membership from anywhere, while a request such as a new user registration, lost password, creating a new topic and subscribing comment can be blocked by country. It is suitable for \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" title=\"BuddyPress — WordPress Plugins\" rel=\"ugc\">BuddyPress\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbbpress\u002F\" title=\"WordPress › bbPress « WordPress Plugins\" rel=\"ugc\">bbPress\u003C\u002Fa> to help reducing spams.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Referrer suppressor for external links:\u003C\u002Fstrong>\u003Cbr \u002F>\nWhen you click an external hyperlink on admin screens, http referrer will be eliminated to hide a footprint of your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Multiple source of IP Geolocation databases:\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\" title=\"MaxMind - IP Geolocation and Online Fraud Prevention\" rel=\"nofollow ugc\">MaxMind GeoLite2 free databases\u003C\u002Fa> (it requires PHP 5.4.0+) and \u003Ca href=\"https:\u002F\u002Fwww.ip2location.com\u002F\" title=\"IP Address Geolocation to Identify Website Visitor's Geographical Location\" rel=\"nofollow ugc\">IP2Location LITE databases\u003C\u002Fa> can be installed in this plugin. Also free Geolocation REST APIs and whois information can be available for audit purposes.\u003Cbr \u002F>\nFather more, \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Farticle\u002Fapi-class-library.html\" title=\"CloudFlare & CloudFront API class library | IP Geo Block\" rel=\"nofollow ugc\">dedicated API class libraries\u003C\u002Fa> can be installed for CloudFlare and CloudFront as a reverse proxy service.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Customizing response:\u003C\u002Fstrong>\u003Cbr \u002F>\nHTTP response code can be selectable as \u003Ccode>403 Forbidden\u003C\u002Fcode> to deny access pages, \u003Ccode>404 Not Found\u003C\u002Fcode> to hide pages or even \u003Ccode>200 OK\u003C\u002Fcode> to redirect to the top page.\u003Cbr \u002F>\nYou can also have a human friendly page (like \u003Ccode>404.php\u003C\u002Fcode>) in your parent\u002Fchild theme template directory to fit your site design.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Validation logs:\u003C\u002Fstrong>\u003Cbr \u002F>\nValidation logs for useful information to audit attack patterns can be manageable.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Cooperation with full spec security plugin:\u003C\u002Fstrong>\u003Cbr \u002F>\nThis plugin is lite enough to be able to cooperate with other full spec security plugin such as \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwordfence\u002F\" title=\"Wordfence Security — WordPress Plugins\" rel=\"ugc\">Wordfence Security\u003C\u002Fa>. See \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fpage-speed-performance.html\" title=\"Page speed performance | IP Geo Block\" rel=\"nofollow ugc\">this report\u003C\u002Fa> about page speed performance.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Extendability:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can customize the behavior of this plugin via \u003Ccode>add_filter()\u003C\u002Fcode> with \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002F\" title=\"Codex | IP Geo Block\" rel=\"nofollow ugc\">pre-defined filter hook\u003C\u002Fa>. See various use cases in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\u002Fblob\u002Fmaster\u002Fip-geo-block\u002Fsamples.php\" title=\"WordPress-IP-Geo-Block\u002Fsamples.php at master - tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">samples.php\u003C\u002Fa> bundled within this package.\u003Cbr \u002F>\nYou can also get the extension \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fddur\u002FWordPress-IP-Geo-Allow\" title=\"GitHub - ddur\u002FWordPress-IP-Geo-Allow: WordPress Plugin Exension for WordPress-IP-Geo-Block Plugin\" rel=\"nofollow ugc\">IP Geo Allow\u003C\u002Fa> by \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fddur\" title=\"ddur (Dragan) - GitHub\" rel=\"nofollow ugc\">Dragan\u003C\u002Fa>. It makes admin screens strictly private with more flexible way than specifying IP addresses.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Self blocking prevention and easy rescue:\u003C\u002Fstrong>\u003Cbr \u002F>\nWebsite owners do not prefer themselves to be blocked. This plugin prevents such a sad thing unless you force it. And futhermore, if such a situation occurs, you can \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fwhat-should-i-do-when-i-m-locked-out.html\" title=\"What should I do when I'm locked out? | IP Geo Block\" rel=\"nofollow ugc\">rescue yourself\u003C\u002Fa> easily.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Clean uninstallation:\u003C\u002Fstrong>\u003Cbr \u002F>\nNothing is left in your precious mySQL database after uninstallation. So you can feel free to install and activate to make a trial of this plugin’s functionality.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Attribution\u003C\u002Fh4>\n\u003Cp>This package includes GeoLite2 library distributed by MaxMind, available from \u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\" title=\"MaxMind - IP Geolocation and Online Fraud Prevention\" rel=\"nofollow ugc\">MaxMind\u003C\u002Fa> (it requires PHP 5.4.0+), and also includes IP2Location open source libraries available from \u003Ca href=\"https:\u002F\u002Fwww.ip2location.com\" title=\"IP Address Geolocation to Identify Website Visitor's Geographical Location\" rel=\"nofollow ugc\">IP2Location\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Also thanks for providing the following great services and REST APIs for free.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fip-api.com\u002F\" title=\"IP-API.com - Free Geolocation API\" rel=\"nofollow ugc\">http:\u002F\u002Fip-api.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for non-commercial use)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fgeoiplookup.net\u002F\" title=\"What Is My IP Address | GeoIP Lookup\" rel=\"nofollow ugc\">http:\u002F\u002Fgeoiplookup.net\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipinfo.io\u002F\" title=\"IP Address API and Data Solutions\" rel=\"nofollow ugc\">https:\u002F\u002Fipinfo.io\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free)\u003C\u002Fli>\n\u003Cli>[https:\u002F\u002Fipapi.com\u002F](https:\u002F\u002Fipapi.com\u002F “ipapi – IP Address Lookup and Geolocation API) (IPv4, IPv6 \u002F free, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipdata.co\u002F\" title=\"ipdata.co - IP Geolocation and Threat Data API\" rel=\"nofollow ugc\">https:\u002F\u002Fipdata.co\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipstack.com\u002F\" title=\"ipstack - Free IP Geolocation API\" rel=\"nofollow ugc\">https:\u002F\u002Fipstack.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for registered user, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipinfodb.com\u002F\" title=\"Free IP Geolocation Tools and API| IPInfoDB\" rel=\"nofollow ugc\">https:\u002F\u002Fipinfodb.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for registered user, need API key)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Development\u003C\u002Fh4>\n\u003Cp>Development of this plugin is promoted at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\" title=\"tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">WordPress-IP-Geo-Block\u003C\u002Fa> and class libraries to handle geo-location database are developed separately as “add-in”s at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-API\" title=\"tokkonopapa\u002FWordPress-IP-Geo-API - GitHub\" rel=\"nofollow ugc\">WordPress-IP-Geo-API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>All contributions will always be welcome. Or visit my \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002F\" title=\"IP Geo Block\" rel=\"nofollow ugc\">development blog\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Known issues\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>No image is shown after drag & drop a image in grid view at “Media Library”. For more details, please refer to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\u002Fissues\u002F2\" title=\"No image is shown after drag & drop a image in grid view at \"Media Library\". - Issue #2 - tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">this ticket at Github\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>From \u003Ca href=\"https:\u002F\u002Fmake.wordpress.org\u002Fcore\u002F2016\u002F03\u002F09\u002Fcomment-changes-in-wordpress-4-5\u002F\" title=\"Comment Changes in WordPress 4.5 – Make WordPress Core\" rel=\"nofollow ugc\">WordPress 4.5\u003C\u002Fa>, \u003Ccode>rel=nofollow\u003C\u002Fcode> had no longer be attached to the links in \u003Ccode>comment_content\u003C\u002Fcode>. This change prevents to block “\u003Ca href=\"https:\u002F\u002Fwww.owasp.org\u002Findex.php\u002FServer_Side_Request_Forgery\" title=\"Server Side Request Forgery - OWASP\" rel=\"nofollow ugc\">Server Side Request Forgeries\u003C\u002Fa>” (not Cross Site but a malicious internal link in the comment field).\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapps.wordpress.com\u002Fmobile\u002F\" title=\"WordPress.com Apps - Mobile Apps\" rel=\"nofollow ugc\">WordPress.com Mobile App\u003C\u002Fa> can’t execute image uploading because of its own authentication system via XMLRPC.\u003C\u002Fli>\n\u003C\u002Ful>\n","It blocks spam posts, login attempts and malicious access to the back-end requested from the specific countries, and also prevents zero-day exploit.",9000,777726,82,96,"2019-01-22T03:59:00.000Z","5.0.25","3.7",[20,22,117,24,118],"login","vulnerability","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fip-geo-block\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fip-geo-block.3.0.17.4.zip",85,{"slug":123,"name":124,"version":125,"author":126,"author_profile":127,"description":128,"short_description":129,"active_installs":130,"downloaded":131,"rating":49,"num_ratings":77,"last_updated":132,"tested_up_to":71,"requires_at_least":52,"requires_php":133,"tags":134,"homepage":25,"download_link":137,"security_score":49,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"stop-xml-rpc-attacks","Stop XML-RPC Attacks","2.0.0","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Stop XML-RPC Attacks protects your WordPress site from XML-RPC brute force attacks, DDoS attempts, and reconnaissance probes while maintaining compatibility with essential services like Jetpack and WooCommerce.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Three security modes: Full Disable, Guest Disable, or Selective Blocking\u003C\u002Fli>\n\u003Cli>Blocks dangerous methods: system.multicall, pingback.ping, and more\u003C\u002Fli>\n\u003Cli>Compatible with Jetpack and WooCommerce\u003C\u002Fli>\n\u003Cli>Optional user enumeration blocking\u003C\u002Fli>\n\u003Cli>Attack logging for monitoring\u003C\u002Fli>\n\u003Cli>Zero configuration required – works out of the box\u003C\u002Fli>\n\u003Cli>Clean, intuitive admin interface\u003C\u002Fli>\n\u003C\u002Ful>\n","Blocks dangerous XML-RPC methods while preserving Jetpack, WooCommerce, and mobile apps compatibility.",6000,26717,"2026-01-01T13:41:00.000Z","7.4",[20,21,135,24,136],"jetpack","xmlrpc","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-xml-rpc-attacks.2.0.0.zip",{"attackSurface":139,"codeSignals":155,"taintFlows":172,"riskAssessment":247,"analyzedAt":255},{"hooks":140,"ajaxHandlers":151,"restRoutes":152,"shortcodes":153,"cronEvents":154,"entryPointCount":28,"unprotectedCount":28},[141,147],{"type":142,"name":143,"callback":144,"file":145,"line":146},"action","admin_menu","rtlimguard_menu","rate-limit.php",11,{"type":142,"name":148,"callback":149,"file":145,"line":150},"plugins_loaded","rtlimguard_guardstart",410,[],[],[],[],{"dangerousFunctions":156,"sqlUsage":157,"outputEscaping":168,"fileOperations":28,"externalRequests":28,"nonceChecks":14,"capabilityChecks":34,"bundledLibraries":171},[],{"prepared":158,"raw":159,"locations":160},6,3,[161,163,166],{"file":145,"line":49,"context":162},"$wpdb->get_var() with variable interpolation",{"file":145,"line":164,"context":165},139,"$wpdb->query() with variable interpolation",{"file":145,"line":167,"context":165},294,{"escaped":169,"rawEcho":28,"locations":170},35,[],[],[173,197,226,238],{"entryPoint":174,"graph":175,"unsanitizedCount":14,"severity":196},"rtlimguard_guardstart (rate-limit.php:301)",{"nodes":176,"edges":192},[177,182,186],{"id":178,"type":179,"label":180,"file":145,"line":181},"n0","source","$_SERVER (x2)",379,{"id":183,"type":184,"label":185,"file":145,"line":181},"n1","transform","→ rtlimguard_blocked()",{"id":187,"type":188,"label":189,"file":145,"line":190,"wp_function":191},"n2","sink","echo() [XSS]",336,"echo",[193,195],{"from":178,"to":183,"sanitized":194},false,{"from":183,"to":187,"sanitized":194},"medium",{"entryPoint":198,"graph":199,"unsanitizedCount":14,"severity":196},"\u003Crate-limit> (rate-limit.php:0)",{"nodes":200,"edges":220},[201,204,208,211,214,216,218],{"id":178,"type":179,"label":202,"file":145,"line":203},"$_REQUEST",104,{"id":183,"type":188,"label":205,"file":145,"line":206,"wp_function":207},"get_results() [SQLi]",116,"get_results",{"id":187,"type":179,"label":209,"file":145,"line":210},"$_REQUEST['page']",256,{"id":212,"type":188,"label":189,"file":145,"line":213,"wp_function":191},"n3",254,{"id":215,"type":179,"label":180,"file":145,"line":181},"n4",{"id":217,"type":184,"label":185,"file":145,"line":181},"n5",{"id":219,"type":188,"label":189,"file":145,"line":190,"wp_function":191},"n6",[221,223,224,225],{"from":178,"to":183,"sanitized":222},true,{"from":187,"to":212,"sanitized":222},{"from":215,"to":217,"sanitized":194},{"from":217,"to":219,"sanitized":194},{"entryPoint":227,"graph":228,"unsanitizedCount":28,"severity":237},"rtlimguard_init (rate-limit.php:19)",{"nodes":229,"edges":234},[230,231,232,233],{"id":178,"type":179,"label":202,"file":145,"line":203},{"id":183,"type":188,"label":205,"file":145,"line":206,"wp_function":207},{"id":187,"type":179,"label":209,"file":145,"line":210},{"id":212,"type":188,"label":189,"file":145,"line":213,"wp_function":191},[235,236],{"from":178,"to":183,"sanitized":222},{"from":187,"to":212,"sanitized":222},"low",{"entryPoint":239,"graph":240,"unsanitizedCount":34,"severity":246},"prepare_items (rate-limit.php:86)",{"nodes":241,"edges":244},[242,243],{"id":178,"type":179,"label":202,"file":145,"line":203},{"id":183,"type":188,"label":205,"file":145,"line":206,"wp_function":207},[245],{"from":178,"to":183,"sanitized":194},"high",{"summary":248,"deductions":249},"The \"rate-limit-co\" plugin v1.1 exhibits a generally strong security posture based on the provided static analysis. The complete absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the plugin's attack surface.  Furthermore, the code demonstrates good practices with 100% output escaping and a high percentage of SQL queries utilizing prepared statements. The presence of nonce and capability checks, although limited, is also a positive sign.\n\nHowever, the taint analysis reveals some concerning flows. Three out of four analyzed flows have unsanitized paths, with one identified as high severity. This indicates a potential for sensitive data to be processed or exposed without proper sanitization, which could lead to various vulnerabilities depending on the nature of the data and the plugin's functionality. The vulnerability history is clean, with no recorded CVEs, which is excellent. This suggests that the development team has a history of producing secure code or has been diligent in addressing any past issues.\n\nIn conclusion, while the plugin's design and general coding practices are commendable, the high-severity taint flow with unsanitized paths presents a significant area of concern that requires immediate attention. The absence of known vulnerabilities is a strong positive, but the identified taint issues highlight a critical weakness that could be exploited. A thorough investigation and remediation of these unsanitized flows are crucial to ensure the plugin's overall security.",[250,253],{"reason":251,"points":252},"High severity taint flow with unsanitized path",12,{"reason":254,"points":158},"3 flows with unsanitized paths","2026-03-16T21:37:11.249Z",{"wat":257,"direct":263},{"assetPaths":258,"generatorPatterns":260,"scriptPaths":261,"versionParams":262},[259],"\u002Fwp-content\u002Fplugins\u002Frate-limit-co\u002Fheader.png",[],[],[],{"cssClasses":264,"htmlComments":268,"htmlAttributes":269,"restEndpoints":271,"jsGlobals":272,"shortcodeOutput":274},[265,266,267],"notice-error","notice-success","notice-info",[],[270],"data-wp-nonce",[],[273],"window.location.href",[]]