[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fw8Bz5YoSl0YkrxKlO5aNIw2776JZpeq3LGOlX-QGjhA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":22,"download_link":23,"security_score":24,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":36,"analysis":146,"fingerprints":416},"secure-tfa","Secure 2FA","1.0.0","Mohamed Endisha","https:\u002F\u002Fprofiles.wordpress.org\u002Fendisha\u002F","\u003Cp>Secure 2FA adds an extra layer of security to your WordPress login process by enabling 2FA via several authentication methods.\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Free two-factor authentication (2FA) plugin\u003C\u002Fli>\n\u003Cli>Multiple authentication methods: One-time password (OTP), Yubico OTP (YubiKey), Email OTP, and WhatsApp OTP\u003C\u002Fli>\n\u003Cli>Customizable OTP configurations: Expiration time, retries, and more\u003C\u002Fli>\n\u003Cli>Role-based enforcement: Require 2FA for all or specific roles while excluding others\u003C\u002Fli>\n\u003Cli>Supports WordPress Multisite and single-site installations\u003C\u002Fli>\n\u003Cli>Activity log tracking: Monitor authentication attempts and security events\u003C\u002Fli>\n\u003Cli>Rate limiting: Prevent brute-force attacks by limiting OTP requests per user\u003C\u002Fli>\n\u003Cli>Backup recovery codes: Allow users to regain access if they lose their primary 2FA method\u003C\u002Fli>\n\u003Cli>Automatic log cleanup: Enable or disable automatic deletion of old activity logs with configurable schedules\u003C\u002Fli>\n\u003Cli>UI control: Manage the visibility of the “Configure 2FA” option in the sidebar, admin toolbar, and user 
list\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Time-based One-Time Password 2FA Method\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Compatible with different authenticator apps such as Google Authenticator and Duo etc.\u003C\u002Fli>\n\u003Cli>Generates QR codes during 2FA setup.\u003C\u002Fli>\n\u003Cli>Supports manual setup keys.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>WhatsApp 2FA Method\u003C\u002Fh3>\n\u003Cp>This method leverages Meta’s official API to send OTPs via WhatsApp authentication template. It supports the following features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Set a default template language.\u003C\u002Fli>\n\u003Cli>Support multiple template languages based on the user’s UI language (templates must match WhatsApp requirements).\u003C\u002Fli>\n\u003Cli>Define a base country for phone numbers when configuring 2FA.\u003C\u002Fli>\n\u003Cli>Restrict phone number selection by specifying an allowed countries list.\u003C\u002Fli>\n\u003Cli>Enable IP address lookup to detect the user’s country during 2FA setup.\u003C\u002Fli>\n\u003Cli>Allow or prevent multiple users from using the same phone number.\u003C\u002Fli>\n\u003Cli>Set custom phone number regex patterns to enforce specific formatting rules.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Email OTP 2FA Method\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Allow or disallow users to enter a different email when configuring email as a two-factor authentication method.\u003C\u002Fli>\n\u003Cli>Specify a custom email address from which OTPs will be sent.\u003C\u002Fli>\n\u003Cli>Customize email languages, subject lines, and message content based on supported languages.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Yubico OTP 2FA Method\u003C\u002Fh3>\n\u003Cp>Yubico OTP is a secure and convenient authentication method supported by all YubiKeys out of the box. 
It provides an additional layer of security as a second-factor authentication option.\u003C\u002Fp>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress 6.0 or newer.\u003C\u002Fli>\n\u003Cli>PHP version 7.4 or newer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Library and Services Usage\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>The plugin utilizes the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fjackocnr\u002Fintl-tel-input\" rel=\"nofollow ugc\">intl-tel-input\u003C\u002Fa> library to provide phone number formatting functionality.  \u003C\u002Fli>\n\u003Cli>The plugin integrates with Meta’s WhatsApp Business API, which is subject to \u003Cstrong>Meta’s Terms of Service\u003C\u002Fstrong> and \u003Cstrong>pricing policies\u003C\u002Fstrong>. You may need to subscribe to a third-party WhatsApp API method or a Meta-approved Business Solution Provider to use this service. For details, visit \u003Ca href=\"https:\u002F\u002Fdevelopers.facebook.com\u002Fdocs\u002Fwhatsapp\" rel=\"nofollow ugc\">Meta’s WhatsApp Business API documentation\u003C\u002Fa>.  \u003C\u002Fli>\n\u003Cli>The plugin integrates with the \u003Cstrong>Yubico OTP API\u003C\u002Fstrong>. It securely sends the user’s one-time password (OTP) to Yubico’s verification service to authenticate login attempts. 
Review Yubico’s \u003Ca href=\"https:\u002F\u002Fwww.yubico.com\u002Fsupport\u002Fterms-conditions\u002Fyubico-website-terms-conditions\u002F\" rel=\"nofollow ugc\">Terms & Conditions\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwww.yubico.com\u002Fsupport\u002Fterms-conditions\u002Fprivacy-notice\u002F\" rel=\"nofollow ugc\">Privacy Notice\u003C\u002Fa> for more details.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>Secure 2FA is licensed under the GNU General Public License v2 or later.\u003C\u002Fp>\n","Secure 2FA adds an extra layer of security to your WordPress login process by enabling 2FA via several authentication methods.",10,452,0,"2025-04-10T13:24:00.000Z","6.7.5","6.0","7.4",[19,20,21],"2fa","login","tfa","https:\u002F\u002Fendisha.ly\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-tfa.1.0.0.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":29,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":31,"avg_security_score":32,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"endisha",6,1430,92,1,94,"2026-04-04T16:24:13.691Z",[37,61,80,103,124],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":52,"tags":53,"homepage":52,"download_link":58,"security_score":47,"vuln_count":59,"unpatched_count":13,"last_vuln_date":60,"fetched_at":26},"limit-login-attempts-reloaded","Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall","2.26.28","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded\u003C\u002Fa> functions as a robust deterrent against \u003Ca 
href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fcracking-the-code-unveiling-the-mechanics-behind-brute-force-attacks\u002F\" rel=\"nofollow ugc\">brute force attacks\u003C\u002Fa>, bolstering your website’s security measures and optimizing its performance. It achieves this by \u003Cstrong>restricting the number of login attempts allowed\u003C\u002Fstrong>. This applies not only to the standard login method, but also to XMLRPC, Woocommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.\u003C\u002Fp>\n\u003Cp>The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and\u002For username once a predetermined limit of retries has been surpassed. This significantly weakens the effectiveness of brute force attacks on your website.\u003C\u002Fp>\n\u003Cp>By default, WordPress permits an unlimited number of login attempts, posing a vulnerability where passwords can be easily deciphered through brute force methods.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Limit Login Attempts Reloaded Premium (Try Free with \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fpremium-security-zero-cost-discover-the-benefits-of-micro-cloud\u002F\" rel=\"nofollow ugc\">Micro Cloud\u003C\u002Fa>)\u003C\u002Fstrong>\u003Cbr \u002F>\nUpgrade to \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fplans\u002F\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded Premium\u003C\u002Fa> to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffeatures\u002Fip-intelligence\u002F\" rel=\"nofollow ugc\">IP intelligence\u003C\u002Fa> to \u003Cstrong>detect, counter and deny malicious login attempts\u003C\u002Fstrong>. 
Your \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffailed-login-attempts-in-wordpress\u002F\" rel=\"nofollow ugc\">failed login attempts\u003C\u002Fa> will be safely neutralized in the cloud so your website can function at its optimal performance during an attack.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FJfkvIiQft14?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>Features (Free Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>2FA\u003C\u002Fstrong> – Coming soon.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Logins\u003C\u002Fstrong> – Limit the number of retry attempts when logging in (per each IP).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Lockout Timings\u003C\u002Fstrong> – Modify the amount of time a user or IP must wait after a lockout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remaining Tries\u003C\u002Fstrong> – Informs the user about the remaining retries or lockout time on the login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lockout Email Notifications\u003C\u002Fstrong> – Informs the admin via email of lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Denied Attempt Logs\u003C\u002Fstrong> – View a log of all denied attempts and lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & Username Safelist\u002FDenylist\u003C\u002Fstrong> – Control access to usernames and IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection (Micro Cloud Accounts)\u003C\u002Fstrong> – Protects default WP 
registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sucuri\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wordfence\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPS Hide Login\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MemberPress\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XMLRPC\u003C\u002Fstrong> gateway protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Woocommerce\u003C\u002Fstrong> login page protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-site compatibility\u003C\u002Fstrong> with extra MU settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR\u003C\u002Fstrong> compliant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom IP origins support\u003C\u002Fstrong> (Cloudflare, Sucuri, etc.).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>llar_admin\u003C\u002Fstrong> own capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features (Premium Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Performance Optimizer\u003C\u002Fstrong> – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced IP Intelligence\u003C\u002Fstrong> – Identify repetitive and suspicious login attempts to detect potential brute force attacks. 
IPs with known malicious activity are stored and used to help prevent and counter future attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Throttling\u003C\u002Fstrong> – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deny By Country\u003C\u002Fstrong> – \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fblock-logins-by-country-in-wordpress\u002F\" rel=\"nofollow ugc\">Block logins by country\u003C\u002Fa> by simply selecting the countries you want to deny.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto IP Denylist\u003C\u002Fstrong> – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Denylist Protection\u003C\u002Fstrong> – Utilize our active cloud IP data from thousands of websites in the LLAR network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Lockouts\u003C\u002Fstrong> –  Lockout IP data can be shared between multiple domains for enhanced protection in your network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Safelist\u002FDenylist\u003C\u002Fstrong> – Safelist\u002FDenylist IP and username data can be shared between multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support\u003C\u002Fstrong> – Email support with a security tech.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto Backups of All IP Data\u003C\u002Fstrong> – Store your active IP data in the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Successful Logins Log\u003C\u002Fstrong> – Store successful logins in the cloud including IP info, city, state and lat\u002Flong.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced lockout logs\u003C\u002Fstrong> – Gain valuable insights into the origins of IPs that are attempting logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CSV 
Download of IP Data\u003C\u002Fstrong> – Download IP data directly from the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supports IPV6 Ranges For Safelist\u002FDenylist\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlock The Locked Admin\u003C\u002Fstrong> – Easily \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fhow-to-unlock-your-site-if-you-are-locked-out-by-limit-login-attempts-reloaded\u002F\" rel=\"nofollow ugc\">unlock the locked admin\u003C\u002Fa> through the cloud.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>*Some features require higher level plans.\u003C\u002Fp>\n\u003Ch4>Upgrading from the old Limit Login Attempts plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to the Plugins section in your site’s backend.\u003C\u002Fli>\n\u003Cli>Remove the Limit Login Attempts plugin.\u003C\u002Fli>\n\u003Cli>Install the Limit Login Attempts Reloaded plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All your settings will be kept intact!\u003C\u002Fp>\n\u003Cp>Many languages are currently supported in the Limit Login Attempts Reloaded plugin but we welcome any additional ones.\u003C\u002Fp>\n\u003Cp>Help us bring Limit Login Attempts Reloaded to even more countries.\u003C\u002Fp>\n\u003Cp>Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish\u003C\u002Fp>\n\u003Cp>Plugin uses standard actions and filters only.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin by Johan Eenfeldt.\u003C\u002Fp>\n\u003Ch4>Branding Guidelines\u003C\u002Fh4>\n\u003Cp>Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. 
Limit Login Attempts is the old plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded (correct)\u003C\u002Fli>\n\u003Cli>Limit Login Attempts (incorrect)\u003C\u002Fli>\n\u003C\u002Ful>\n","Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.",2000000,79399145,98,1441,"2026-01-12T16:01:00.000Z","6.9.4","3.0","",[19,54,55,56,57],"brute-force","firewall","login-security","security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-login-attempts-reloaded.2.26.28.zip",4,"2023-12-20 00:00:00",{"slug":62,"name":63,"version":64,"author":65,"author_profile":66,"description":67,"short_description":68,"active_installs":69,"downloaded":70,"rating":71,"num_ratings":72,"last_updated":73,"tested_up_to":15,"requires_at_least":74,"requires_php":75,"tags":76,"homepage":52,"download_link":79,"security_score":32,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26},"wordfence-login-security","Wordfence Login Security","1.1.15","wfryan","https:\u002F\u002Fprofiles.wordpress.org\u002Fwfryan\u002F","\u003Ch3>WORDFENCE LOGIN SECURITY\u003C\u002Fh3>\n\u003Cp>Wordfence Login Security contains a subset of the functionality found in the full Wordfence plugin: Two-factor Authentication, XML-RPC Protection and Login Page CAPTCHA.\u003C\u002Fp>\n\u003Cp>Are you looking for comprehensive WordPress Security? 
\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwordfence\u002F\" rel=\"ugc\">Check out the full Wordfence plugin\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>TWO-FACTOR AUTHENTICATION\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Two-factor authentication (2FA), one of the most secure forms of remote system authentication available.\u003C\u002Fli>\n\u003Cli>Use any TOTP-based authenticator app or service like Google Authenticator, Authy, 1Password or FreeOTP.\u003C\u002Fli>\n\u003Cli>Enable 2FA for any WordPress user role.\u003C\u002Fli>\n\u003Cli>Completely free to use, no limits or restrictions of any kind.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>LOGIN PAGE CAPTCHA\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Easily enable Google ReCAPTCHA v3 on your login and registration pages.\u003C\u002Fli>\n\u003Cli>Stops bots from logging in without inconveniencing your site visitors.\u003C\u002Fli>\n\u003Cli>Robust protection against password guessing and credential stuffing attacks distributed across large IP pools\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>XML-RPC PROTECTION\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>XML-RPC is the biggest target for WordPress attacks, but is often overlooked.\u003C\u002Fli>\n\u003Cli>Protect XML-RPC with 2FA or disable it altogether if it’s not needed.\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC 
protection.",70000,1239075,80,25,"2025-01-15T17:05:00.000Z","4.7","7.0",[19,77,56,57,78],"captcha","two-factor-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordfence-login-security.1.1.15.zip",{"slug":81,"name":82,"version":83,"author":84,"author_profile":85,"description":86,"short_description":87,"active_installs":88,"downloaded":89,"rating":90,"num_ratings":91,"last_updated":92,"tested_up_to":50,"requires_at_least":93,"requires_php":94,"tags":95,"homepage":98,"download_link":99,"security_score":100,"vuln_count":101,"unpatched_count":13,"last_vuln_date":102,"fetched_at":26},"wp-hide-security-enhancer","WP Hide & Security Enhancer","2.8.3","nsp-code","https:\u002F\u002Fprofiles.wordpress.org\u002Fnsp-code\u002F","\u003Cp>Effortlessly conceal your WordPress site from detection! With over 99.99% of hacks targeting specific plugin and theme vulnerabilities, this plugin significantly boosts site security by making it invisible to hackers’ web scanners.\u003C\u002Fp>\n\u003Cp>By removing all traces of WordPress, including themes and plugins, potential exploits are rendered harmless. This method ensures that your site is safe without affecting SEO; in fact, it can enhance certain SEO aspects when used strategically.\u003C\u002Fp>\n\u003Cp>WP-Hide has launched the \u003Cstrong>easiest way to completely hide your WordPress\u003C\u002Fstrong> core files, login page, theme and plugins paths from being shown on front side. This is a huge improvement over Site Security, since no one will know whether you are running or not a WordPress. It also provides a simple way to clean up html by removing all WordPress fingerprints.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No file and directory change!\u003C\u002Fstrong>\u003Cbr \u002F>\nNo file and directory will be changed anywhere. Everything is processed virtually. The plugin code uses URL rewrite techniques and WordPress filters to apply all internal functionality and features. 
Everything is done automatically without user intervention required at all.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Real hide of WordPress core files and plugins\u003C\u002Fstrong>\u003Cbr \u002F>\nThe plugin not only allows you to change default URLs of you WordPress, but it also hides\u002Fblocks such defaults. Other similar plugins, just change the slugs, but the defaults are still accessible, obviously revealing WordPress as CMS.\u003C\u002Fp>\n\u003Cp>You can change the default WordPress login URL from wp-admin and wp-login.php to something totally arbitrary. No one will ever know where to try to guess a login and hack into your site. It becomes totally invisible.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FPJstAU34SlQ?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>Full plugin documentation available at \u003Ca href=\"https:\u002F\u002Fwp-hide.com\u002Fdocumentation\u002F\" rel=\"nofollow ugc\">WordPress Hide and Security Enhancer Documentation\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>When testing with WordPress theme and plugins detector services\u002Fsites, any setting change may not reflect right away on their reports, since they use cache. So, you may want to check again later, or try a different inner URL. Homepage URL usage is not mandatory.\u003C\u002Fp>\n\u003Cp>Being the best content management system, widely used, WordPress is susceptible to a large range of hacking attacks including brute-force, SQL injections, XSS, XSRF etc. 
Despite the fact the WordPress core is a very secure code maintained by a team of professional enthusiasts, the additional plugins and themes make it a vulnerable spot for every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not own the experience to create a secure plugin.\u003Cbr \u002F>\nStatistics reveal that every day new vulnerabilities are discovered, many affecting hundreds of thousands of WordPress websites.\u003Cbr \u002F>\nOver 99,9% of hacked WordPress websites are target of automated malware scripts, which search for certain WordPress fingerprints. This plugin hides or replaces those traces, making the hacking bots attacks useless.\u003C\u002Fp>\n\u003Cp>It works well with custom WordPress directory structures, e.g. custom plugins, themes, and upload folders.\u003C\u002Fp>\n\u003Cp>Once configured, you need to \u003Cstrong>clear server cache data and\u002For any cache plugins\u003C\u002Fstrong> (e.g. W3 Cache), for a new html data to be created. 
If you use CDN this should be cache clear as well.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Sample usage\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F192011678\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Main plugin functionality:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Customizes Admin URL\u003C\u002Fli>\n\u003Cli>Blocks default admin URL\u003C\u002Fli>\n\u003Cli>Blocks any direct folder access to completely hide the structure\u003C\u002Fli>\n\u003Cli>Customize wp-login.php filename\u003C\u002Fli>\n\u003Cli>2FA – Two-factor Authentication\u003C\u002Fli>\n\u003Cli>2FA – Two-factor Authentication – Email Verification Code\u003C\u002Fli>\n\u003Cli>2FA – Two-factor Authentication – Authenticator App\u003C\u002Fli>\n\u003Cli>2FA – Two-factor Authentication – Recovery Codes\u003C\u002Fli>\n\u003Cli>2FA – Two-factor Authentication – Shortcode for front-side user settings interface\u003C\u002Fli>\n\u003Cli>2FA – Two-factor Authentication – My Account > Account Details – area for 2FA user settings interface\u003C\u002Fli>\n\u003Cli>Google Captcha \u003C\u002Fli>\n\u003Cli>Blocks default wp-login.php\u003C\u002Fli>\n\u003Cli>Blocks default wp-signup.php\u003C\u002Fli>\n\u003Cli>Blocks XML-RPC API\u003C\u002Fli>\n\u003Cli>Creates New XML-RPC paths\u003C\u002Fli>\n\u003Cli>Adjusts theme URL\u003C\u002Fli>\n\u003Cli>Creates New child Theme URL\u003C\u002Fli>\n\u003Cli>Changes theme style file name\u003C\u002Fli>\n\u003Cli>Cleans any headers for theme style file\u003C\u002Fli>\n\u003Cli>Customizes wp-include \u003C\u002Fli>\n\u003Cli>Blocks default wp-include paths\u003C\u002Fli>\n\u003Cli>Blocks default wp-content\u003C\u002Fli>\n\u003Cli>Customizes plugins URL\u003C\u002Fli>\n\u003Cli>Changes 
Individual plugin URL \u003C\u002Fli>\n\u003Cli>Blocks default plugins paths\u003C\u002Fli>\n\u003Cli>Creates New upload URL\u003C\u002Fli>\n\u003Cli>Blocks default upload URL\u003C\u002Fli>\n\u003Cli>Removes WordPress version\u003C\u002Fli>\n\u003Cli>Blocks Meta Generator\u003C\u002Fli>\n\u003Cli>Disables the emoji and required javascript code\u003C\u002Fli>\n\u003Cli>Removes pingback tag\u003C\u002Fli>\n\u003Cli>Removes wlwmanifest Meta\u003C\u002Fli>\n\u003Cli>Removes rsd_link Meta\u003C\u002Fli>\n\u003Cli>Removes wpemoji\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Minifies Html, Css, JavaScript\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Security Headers\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>and many more.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>No other plugin functionality will be blocked or interfered in any way by WP-Hide\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin allows to change the default Admin URL from \u003Cstrong>wp-login.php\u003C\u002Fstrong> and \u003Cstrong>wp-admin\u003C\u002Fstrong> to something else. All original links turn the default theme to “404 Not Found” page, as if nothing exists there. Besides the huge security advantage, the WP-Hide plugin saves lots of server processing time by reducing php code and MySQL usage since brute-force attacks target the weak URL.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important:\u003C\u002Fstrong> Compared to all other similar plugins which mainly use redirects, this plugin turns a default theme to “404 error” page for all \u003Cstrong>blocked URL\u003C\u002Fstrong> functionalities, without revealing the link existence at all.\u003C\u002Fp>\n\u003Cp>Since version 1.2, WP-Hide change individual plugin URLs and made them unrecognizable. 
For example, the change of the default WooCommerce plugin URL and its dependencies from domain.com\u002Fwp-content\u002Fplugins\u002Fwoocommerce\u002F into domain.com\u002Fecommerce\u002Fcdn\u002F or anything customized.\u003C\u002Fp>\n\u003Ch4>Plugin Sections\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Hide -> Scan\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Exhaustive system security examination with analysis and improvements guidance and fixes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Theme\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Theme Path – Changes default theme path\u003C\u002Fli>\n\u003Cli>New Style File Path – Changes default style file name and path\u003C\u002Fli>\n\u003Cli>Remove description header from Style file – Replaces any WordPress metadata information (like theme name, version etc.,) from style file\u003C\u002Fli>\n\u003Cli>Child – New Theme Path – Changes default child theme path\u003C\u002Fli>\n\u003Cli>Child – New Style File Path – Changes child theme style-sheet file path and name\u003C\u002Fli>\n\u003Cli>Child – Remove description header from Style file – Replaces any WordPress metadata information (like theme name, version etc.,) from style file\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > WP includes\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Include Path – Changes default wp-include path\u002FURL\u003C\u002Fli>\n\u003Cli>Block wp-include URL – Blocks default wp-include URL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > WP content\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Content Path – Change default wp-content path\u002FURL\u003C\u002Fli>\n\u003Cli>Block wp-content URL – Blocks the default content URL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Plugins\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Plugin Path – Changes default wp-content\u002Fplugins path\u002FURL\u003C\u002Fli>\n\u003Cli>Block 
plugin URL – Blocks default wp-content\u002Fplugins URL\u003C\u002Fli>\n\u003Cli>New path \u002F URL for Every Active Plugin\u003C\u002Fli>\n\u003Cli>Customize path and name for any active plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Uploads\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Upload Path – Changes default media files path\u002FURL\u003C\u002Fli>\n\u003Cli>Block upload URL – Blocks default media files URL\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Comments\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New wp-comments-post.php Path\u003C\u002Fli>\n\u003Cli>Block wp-comments-post.php\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Author\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Author Path\u003C\u002Fli>\n\u003Cli>Prevent Access to Author Archives\u003C\u002Fli>\n\u003Cli>Block default path\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Search\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Search Path\u003C\u002Fli>\n\u003Cli>Block default path\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > XML-RPC\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New XML-RPC Path – Changes default XML-RPC path \u002F URL\u003C\u002Fli>\n\u003Cli>Block default xmlrpc.php – Blocks default XML-RPC URL\u003C\u002Fli>\n\u003Cli>Disable XML-RPC authentication – Filters whether XML-RPC methods require authentication\u003C\u002Fli>\n\u003Cli>Remove pingback – Removes pingback link tag from theme\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > JSON REST\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Clean the REST API response\u003C\u002Fli>\n\u003Cli>Disable JSON REST V1 service – Disables an API service for WordPress which is active by default\u003C\u002Fli>\n\u003Cli>Disable JSON REST V2 service – Disables an API service for WordPress which is active by 
default\u003C\u002Fli>\n\u003Cli>Block any JSON REST calls – Any call for JSON REST API service will be blocked\u003C\u002Fli>\n\u003Cli>Disable output the REST API link tag into page header\u003C\u002Fli>\n\u003Cli>Disable JSON REST WP RSD endpoint from XML-RPC responses\u003C\u002Fli>\n\u003Cli>Disable Sends a Link header for the REST API\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > Root Files\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Block license.txt – Blocks access to license.txt root file\u003C\u002Fli>\n\u003Cli>Block readme.html – Blocks access to readme.html root file\u003C\u002Fli>\n\u003Cli>Block wp-activate.php – Blocks access to wp-activate.php file\u003C\u002Fli>\n\u003Cli>Block wp-cron.php – Blocks outside access to wp-cron.php file\u003C\u002Fli>\n\u003Cli>Block wp-signup.php – Blocks default wp-signup.php file\u003C\u002Fli>\n\u003Cli>Block other wp-*.php files – Blocks other wp-.php files within WordPress Root\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Rewrite > URL Slash\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>URL’s add Slash – Add a slash to any links without it. 
This disguises the existence of a file, folder or a wrong URL, which will all be slashed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Core\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disabling Directory Listing\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Meta\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove WordPress Generator Meta\u003C\u002Fli>\n\u003Cli>Remove Other Generator Meta\u003C\u002Fli>\n\u003Cli>Remove Shortlink Meta\u003C\u002Fli>\n\u003Cli>Remove DNS Prefetch\u003C\u002Fli>\n\u003Cli>Remove Resource Hints\u003C\u002Fli>\n\u003Cli>Remove wlwmanifest Meta\u003C\u002Fli>\n\u003Cli>Remove feed_links Meta\u003C\u002Fli>\n\u003Cli>Disable output the REST API link tag into page header\u003C\u002Fli>\n\u003Cli>Remove rsd_link Meta\u003C\u002Fli>\n\u003Cli>Remove adjacent_posts_rel Meta\u003C\u002Fli>\n\u003Cli>Remove profile link\u003C\u002Fli>\n\u003Cli>Remove canonical link\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Block Detectors\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Block Detectors\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Emulate CMS\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Emulate CMS\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Admin Bar\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove WordPress Admin Bar for specified user roles\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Feed\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove feed|rdf|rss|rss2|atom links\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Robots.txt\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable admin URL within Robots.txt\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > 
Emoji\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable Emoji\u003C\u002Fli>\n\u003Cli>Disable TinyMC Emoji\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Styles\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove Version\u003C\u002Fli>\n\u003Cli>Remove ID from link tags\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Scripts\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove Version\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Oembed\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove Oembed\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove Link Header\u003C\u002Fli>\n\u003Cli>Remove X-Powered-By Header\u003C\u002Fli>\n\u003Cli>Remove Server Header\u003C\u002Fli>\n\u003Cli>Remove X-Pingback Header\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > HTML\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Remove HTML Comments\u003C\u002Fli>\n\u003Cli>Minify Html, CSS, JavaScript\u003C\u002Fli>\n\u003Cli>Remove general classes from body tag\u003C\u002Fli>\n\u003Cli>Remove ID from Menu items\u003C\u002Fli>\n\u003Cli>Remove class from Menu items\u003C\u002Fli>\n\u003Cli>Remove general classes from post\u003C\u002Fli>\n\u003Cli>Remove general classes from images\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> General \u002F Html > User Interactions\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable Mouse right click\u003C\u002Fli>\n\u003Cli>Disable Text Selection\u003C\u002Fli>\n\u003Cli>Disable Copy\u003C\u002Fli>\n\u003Cli>Disable Cut\u003C\u002Fli>\n\u003Cli>Disable Paste\u003C\u002Fli>\n\u003Cli>Disable Print\u003C\u002Fli>\n\u003Cli>Disable Print Screen\u003C\u002Fli>\n\u003Cli>Disable Developer Tools\u003C\u002Fli>\n\u003Cli>Disable View 
Source\u003C\u002Fli>\n\u003Cli>Disable Drag \u002F Drop\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Admin > wp-login.php\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New wp-login.php – Maps a new wp-login.php instead of the default one\u003C\u002Fli>\n\u003Cli>Block default wp-login.php – Blocks default wp-login.php file from being accessible\u003C\u002Fli>\n\u003Cli>Customize the default login page Logo image \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Hide -> Admin > Admin URL\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>New Admin URL – Creates a new admin URL instead of the default ”\u002Fwp-admin”. This also applies for admin-ajax.php calls\u003C\u002Fli>\n\u003Cli>Disable customized Admin Url redirect to the Login page\u003C\u002Fli>\n\u003Cli>Block default Admin Url – Blocks default admin URL and files from being accessible\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security -> 2FA\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enable 2FA\u003C\u002Fli>\n\u003Cli>Enable the 2FA for specific roles\u003C\u002Fli>\n\u003Cli>Enforce User to Configure 2FA\u003C\u002Fli>\n\u003Cli>Primary option for Two-Factor\u003C\u002Fli>\n\u003Cli>Disable 2FA when using Temporary Login\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security -> 2FA Email\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Activate 2FA Email\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security -> 2FA Auth App\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Activate Authenticator app (TOTP)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security -> 2FA Recovery Codes\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Activate 2FA Recovery Codes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security -> Captcha\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Google Captcha V2\u003C\u002Fli>\n\u003Cli>Google Captcha V3\u003C\u002Fli>\n\u003Cli>CloudFlare Turnstile ( PRO 
)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Settings -> CDN\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>CDN Url – Sets-up CDN if applied. Some providers replace site assets with custom URLs.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security -> Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>HTTP Response Headers are a powerful tool to Harden Your Website Security.\u003Cbr \u002F>\n* Cross-Origin-Embedder-Policy (COEP)\u003Cbr \u002F>\n* Cross-Origin-Opener-Policy (COOP)\u003Cbr \u002F>\n* Cross-Origin-Resource-Policy (CORP)\u003Cbr \u002F>\n* Referrer-Policy\u003Cbr \u002F>\n* X-Content-Type-Options\u003Cbr \u002F>\n* X-Download-Options\u003Cbr \u002F>\n* X-Frame-Options (XFO)\u003Cbr \u002F>\n* X-Permitted-Cross-Domain-Policies\u003Cbr \u002F>\n* X-XSS-Protection\u003C\u002Fp>\n\u003Cp>This free version works with Apache and IIS server types. For all server types, check with \u003Ca href=\"https:\u002F\u002Fwp-hide.com\u002F\" rel=\"nofollow ugc\">WP Hide PRO\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>This is a basic version that can hide everything for basic sites, example \u003Ca href=\"https:\u002F\u002Fdemo.wp-hide.com\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fdemo.wp-hide.com\u002F\u003C\u002Fa>. When using complex plugins and themes, the WP Hide PRO may be required. We provide free assistance to hide everything on your site, along with the commercial product.\u003C\u002Fp>\n\u003Cp>Anything wrong with this plugin on your site? 
Just use the forum or get in touch with us at \u003Ca href=\"https:\u002F\u002Fwp-hide.com\u002Fcontact\u002F\" rel=\"nofollow ugc\">Contact\u003C\u002Fa> and we’ll check it out.\u003C\u002Fp>\n\u003Cp>A website example can be found at \u003Ca href=\"https:\u002F\u002Fdemo.wp-hide.com\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fdemo.wp-hide.com\u002F\u003C\u002Fa> or our website \u003Ca href=\"https:\u002F\u002Fwp-hide.com\u002F\" rel=\"nofollow ugc\">WP Hide and Security Enhancer\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Plugin homepage at \u003Ca href=\"https:\u002F\u002Fwp-hide.com\u002F\" rel=\"nofollow ugc\">WordPress Hide and Security Enhancer\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>This plugin is developed by \u003Ca href=\"https:\u002F\u002Fwww.nsp-code.com\" rel=\"nofollow ugc\">Nsp-Code\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Localization\u003C\u002Fh3>\n\u003Cp>Please help and translate this plugin to your language at \u003Ca href=\"https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fwp-hide-security-enhancer\" rel=\"nofollow ugc\">https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fwp-hide-security-enhancer\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>You are kindly asked to promote this plugin if it comes up to your expectations via an article on your site or any other place. If you liked this code\u002FWP-Hide or if it helped with your project, why not leave a 5 star review on this board.\u003C\u002Fp>\n","Protect your website by concealing vulnerable WordPress traces, plugins, themes, login\u002Fadmin url. 
2FA, Captcha, Firewall, Security Headers etc.",60000,3363758,86,275,"2026-03-06T08:34:00.000Z","4.0","5.4",[19,96,97,20,57],"headers","hide","https:\u002F\u002Fwp-hide.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hide-security-enhancer.2.8.3.zip",96,3,"2024-12-05 16:25:18",{"slug":104,"name":105,"version":106,"author":107,"author_profile":108,"description":109,"short_description":110,"active_installs":111,"downloaded":112,"rating":32,"num_ratings":113,"last_updated":114,"tested_up_to":50,"requires_at_least":115,"requires_php":116,"tags":117,"homepage":120,"download_link":121,"security_score":122,"vuln_count":30,"unpatched_count":13,"last_vuln_date":123,"fetched_at":26},"login-with-ajax","Login With Ajax – Fast Logins, 2FA, Redirects","4.5.1","Marcus (aka @msykes)","https:\u002F\u002Fprofiles.wordpress.org\u002Fnetweblogic\u002F","\u003Cp>Login With Ajax is for sites that need user logins or registrations and would like to avoid the normal wordpress login pages, or add AJAX effects to the regular login pages. 
This plugin adds the capability of placing a login widget in the sidebar with smooth AJAX login effects.\u003C\u002Fp>\n\u003Cp>Some of the features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>AJAX-powered logins, no screen refreshes!\n\u003Cul>\n\u003Cli>Login\u003C\u002Fli>\n\u003Cli>Registration\u003C\u002Fli>\n\u003Cli>Remember\u002FReset Password\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>PassKeys \u003Cstrong>(new in 4.4)\u003C\u002Fstrong>\n\u003Cul>\n\u003Cli>Next-Generation security, no passwords required!\u003C\u002Fli>\n\u003Cli>Users can log in without a username AND password.\u003C\u002Fli>\n\u003Cli>Biometric support (fingerprint, face ID, etc.)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>2FA – Two-Factor Authentication\n\u003Cul>\n\u003Cli>TOTP – Time-based One-Time Password\u003C\u002Fli>\n\u003Cli>Scan a QR code with popular authenticator apps like Google Authenticator, Authy, etc.\u003C\u002Fli>\n\u003Cli>Email – Send a code to the user’s email address\u003C\u002Fli>\n\u003Cli>Backup Codes – Generate and use backup codes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Integrate 2FA setup options in other plugin account pages\n\u003Cul>\n\u003Cli>WooCommerce\u003C\u002Fli>\n\u003Cli>BuddyPress\u003C\u002Fli>\n\u003Cli>BuddyBoss\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>“AJAXify” other login forms\n\u003Cul>\n\u003Cli>Create a better login experience in the default WP login form with AJAX effects for logins, password recovery and registration.\u003C\u002Fli>\n\u003Cli>Regular WP login and registration forms\u003C\u002Fli>\n\u003Cli>WooCommerce login forms\u003C\u002Fli>\n\u003Cli>Events Manager login forms\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Many ways to display and customize your login form:\n\u003Cul>\n\u003Cli>Gutenberg Blocks\u003C\u002Fli>\n\u003Cli>Full-site editor compatible\u003C\u002Fli>\n\u003Cli>Widgets (classic and 
blocks)\u003C\u002Fli>\n\u003Cli>Shortcode\u003C\u002Fli>\n\u003Cli>Template Tags\u003C\u002Fli>\n\u003Cli>PHP API\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Flexible templates and options\n\u003Cul>\n\u003Cli>Multiple templates to choose from\u003C\u002Fli>\n\u003Cli>Including Modal\u002FPop-Up login forms\u003C\u002Fli>\n\u003Cli>Responsive and Accessible!\u003C\u002Fli>\n\u003Cli>Choose a base color for each individual login form.\u003C\u002Fli>\n\u003Cli>Individual display options via all display methods (e.g. Gutenberg Blocks, Shortcode etc.)\u003C\u002Fli>\n\u003Cli>Create your own upgrade-safe templates, or override our own ones.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Custom Login\u002FLogout redirections\n\u003Cul>\n\u003Cli>Redirect users to custom URLs on Login and Logout\u003C\u002Fli>\n\u003Cli>Redirect users with different roles to custom URLs\u003C\u002Fli>\n\u003Cli>WPML – Language-specific redirects\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Modify registration email templates\u003C\u002Fli>\n\u003Cli>Other Features\n\u003Cul>\n\u003Cli>Disable CSS styling (via shortcode or PHP display methods)\u003C\u002Fli>\n\u003Cli>SSL-compatible\u003C\u002Fli>\n\u003Cli>Fallback mechanism, will still work on javascript-disabled browsers\u003C\u002Fli>\n\u003Cli>Compatible with WordPress, MultiSite, BuddyPress and many other plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Developer Friendly\n\u003Cul>\n\u003Cli>Multiple PHP and JS hooks\u003C\u002Fli>\n\u003Cli>Overridable CSS and JS files\u003C\u002Fli>\n\u003Cli>Easy-to-customize and overridable template files\u003C\u002Fli>\n\u003Cli>Well-documented\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>First released in 2009, the oldest login plugin for WordPress, regularly maintained and updated since then!\u003C\u002Fp>\n\u003Ch4>Pro Add-On Features\u003C\u002Fh4>\n\u003Cp>As of version 4.0, \u003Ca 
href=\"https:\u002F\u002Floginwithajax.com\u002F\" rel=\"nofollow ugc\">we now offer a Pro add-on\u003C\u002Fa> which extends Login With AJAX with multiple new features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>Security Features\u003C\u002Fem> – Harden the security of your login forms\n\u003Cul>\n\u003Cli>2FA – Additional Two-Factor Authentication Methods:\u003C\u002Fli>\n\u003Cli>SMS – Send a code to the user’s phone\u003C\u002Fli>\n\u003Cli>WhatsApp – Send a message, user clicks a button, done!\u003C\u002Fli>\n\u003Cli>Telegram – Send a message, user clicks a button, done!\u003C\u002Fli>\n\u003Cli>reCaptcha (v2, v2 Invisible and v3)\u003C\u002Fli>\n\u003Cli>Login limiter\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cem>3rd Party Page Builder Blocks\u002FWidgets\u002FModules\u003C\u002Fem>\n\u003Cul>\n\u003Cli>Divi\u003C\u002Fli>\n\u003Cli>Elementor\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>More on the way!\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Getting Help\u002FSupport\u003C\u002Fh4>\n\u003Cblockquote>\u003Cp> Version 4 is a major overhaul of the plugin, which has remained largely unchanged for 11 years yet remained a staple tool for logins to WordPress! Changes include a complete rewrite of login templates updated to modern standards and practices, as well as new WP features such as Gutenberg Blocks. 
\u003C\u002Fp>\u003C\u002Fblockquote>\n\u003Cp>If you’re stuck, we strongly suggest visiting our \u003Ca href=\"https:\u002F\u002Fdocs.loginwithajax.com\u002F\" rel=\"nofollow ugc\">Documentation Site\u003C\u002Fa> which contains extensive information and advice on setup and troubleshooting.\u003C\u002Fp>\n\u003Cp>If you have any problems with the plugin after reading our \u003Ca href=\"https:\u002F\u002Fdoocs.loginwithajax.com\u002Ftroubleshooting\u002F\" rel=\"nofollow ugc\">Troubleshooting\u003C\u002Fa>, please visit our freely supported \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Flogin-with-ajax\" rel=\"ugc\">community forums\u003C\u002Fa>, or \u003Ca href=\"https:\u002F\u002Floginwithajax.com\u002Fgopro\u002F\" rel=\"nofollow ugc\">Go Pro\u003C\u002Fa> for premium support.\u003C\u002Fp>\n\u003Ch3>Notes\u003C\u002Fh3>\n\u003Cp>Please visit our \u003Ca href=\"https:\u002F\u002Fdocs.loginwithajax.com\" rel=\"nofollow ugc\">documentation site\u003C\u002Fa>, which is regularly and extensively maintained and updated with all the information relevant to getting started, advanced setup and troubleshooting common issues.\u003C\u002Fp>\n","Add beautiful login forms with smooth AJAX login\u002Fregistration effects, 2FA support, custom redirection options and many more login-related features!",20000,1126792,166,"2025-12-03T15:37:00.000Z","4.8","5.2",[19,20,118,119,57],"passkeys","registration","https:\u002F\u002Floginwithajax.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-with-ajax.4.5.1.zip",97,"2024-04-10 
00:00:00",{"slug":78,"name":125,"version":126,"author":127,"author_profile":128,"description":129,"short_description":130,"active_installs":111,"downloaded":131,"rating":132,"num_ratings":133,"last_updated":134,"tested_up_to":50,"requires_at_least":135,"requires_php":136,"tags":137,"homepage":141,"download_link":142,"security_score":143,"vuln_count":144,"unpatched_count":13,"last_vuln_date":145,"fetched_at":26},"Two Factor Authentication","1.16.0","David Anderson \u002F Team Updraft","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidanderson\u002F","\u003Cp>Secure WordPress login with this two factor authentication (TFA \u002F 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of \u003Ca href=\"https:\u002F\u002Fupdraftplus.com\u002F\" rel=\"nofollow ugc\">UpdraftPlus – WP’s #1 backup\u002Frestore plugin\u003C\u002Fa>, with over two million active installs.\u003C\u002Fp>\n\u003Cp>Are you completely new to TFA? \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor-authentication\u002Ffaq\u002F\" rel=\"ugc\">If so, please see our FAQ\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Features (please see the “Screenshots” for more information):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).\u003C\u002Fli>\n\u003Cli>Displays graphical QR codes for easy scanning into apps on your phone\u002Ftablet\u003C\u002Fli>\n\u003Cli>TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)\u003C\u002Fli>\n\u003Cli>TFA can be turned on or off by each user\u003C\u002Fli>\n\u003Cli>TFA can be required for specified user levels, after a defined time period (e.g. 
require all admins to have TFA, once their accounts are a week old) (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>), including forcing them to immediately set up (by redirecting them to the page to do so)\u003C\u002Fli>\n\u003Cli>Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The \u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa> allows custom designing of any layout you wish).\u003C\u002Fli>\n\u003Cli>Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>Encrypt the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database \u003Cem>and\u003C\u002Fem> your files in order to break TFA codes (as well as breaking a user’s password in order to use them)\u003C\u002Fli>\n\u003Cli>Works together with \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftheme-my-login\u002F\" rel=\"ugc\">“Theme My Login”\u003C\u002Fa> (both forms and widgets)\u003C\u002Fli>\n\u003Cli>Includes support for the WooCommerce and Affiliates-WP login forms\u003C\u002Fli>\n\u003Cli>Includes support for Ultimate Membership Pro\u003C\u002Fli>\n\u003Cli>Includes support for CozmosLabs Profile Builder\u003C\u002Fli>\n\u003Cli>Includes support for Ultimate Member login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for Elementor Pro login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support 
for bbPress login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for Easy Digital Downloads login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for RegistrationMagic login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for login forms from the Gravity Forms User Registration add-on (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for login forms (shortcode forms only) from Paid Memberships Pro (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for any and every third-party login form (Premium version) without any further coding needed via appending your TFA code to the end of your password\u003C\u002Fli>\n\u003Cli>Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)\u003C\u002Fli>\n\u003Cli>WP Multisite compatible (plugin should be network activated)\u003C\u002Fli>\n\u003Cli>Simplified user interface and code base for ease of use and performance\u003C\u002Fli>\n\u003Cli>Added a number of extra security checks to the original forked code\u003C\u002Fli>\n\u003Cli>Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.\u003C\u002Fli>\n\u003Cli>Emergency codes for when you lose your phone\u002Ftablet (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>When using the front-end shortcode (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>), require the user to enter the current TFA code correctly to be able to activate TFA \u003C\u002Fli>\n\u003Cli>Works together with \u003Ca 
href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-members\u002F\" rel=\"ugc\">“WP Members”\u003C\u002Fa> (shortcode form)\u003C\u002Fli>\n\u003Cli>Administrators can access other users’ codes, and turn them on\u002Foff when needed (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Why use TFA \u002F 2FA ?\u003C\u002Fh4>\n\u003Cp>Read this! \u003Ca href=\"https:\u002F\u002Fwww.wired.com\u002F2012\u002F08\u002Fapple-amazon-mat-honan-hacking\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fwww.wired.com\u002F2012\u002F08\u002Fapple-amazon-mat-honan-hacking\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>How Does TFA \u002F 2FA Work?\u003C\u002Fh4>\n\u003Cp>This plugin uses the industry standard TFA \u002F 2FA algorithm \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FTime-based_One-time_Password_Algorithm\" rel=\"nofollow ugc\">TOTP\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FHMAC-based_One-time_Password_Algorithm\" rel=\"nofollow ugc\">HOTP\u003C\u002Fa> for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.\u003C\u002Fp>\n\u003Cp>A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) 
will show a different code every so often.\u003C\u002Fp>\n\u003Ch4>Plugin Notes\u003C\u002Fh4>\n\u003Cp>This plugin began life in early 2015 as a friendly fork and enhancement of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor-auth\u002F\" rel=\"ugc\">Oscar Hane’s “two factor auth” plugin\u003C\u002Fa>.\u003C\u002Fp>\n","Secure WordPress login with Two Factor Authentication - supports WP, Woo + other login forms, HOTP, TOTP (Google Authenticator, Authy, etc.)",879343,88,77,"2025-12-09T10:56:00.000Z","3.4","5.6",[19,138,21,139,140],"google-authenticator","two-factor","two-factor-auth","https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwo-factor-authentication.1.16.0.zip",99,2,"2018-12-18 00:00:00",{"attackSurface":147,"codeSignals":255,"taintFlows":271,"riskAssessment":395,"analyzedAt":415},{"hooks":148,"ajaxHandlers":217,"restRoutes":252,"shortcodes":253,"cronEvents":254,"entryPointCount":11,"unprotectedCount":11},[149,155,159,163,167,171,176,180,182,186,191,194,198,200,203,206,210,214],{"type":150,"name":151,"callback":152,"file":153,"line":154},"action","activated_plugin","activation","src\\core\\secure-tfa-application.php",23,{"type":156,"name":157,"callback":158,"priority":11,"file":153,"line":72},"filter","plugin_action_links","plugin_action_settings",{"type":150,"name":160,"callback":161,"file":153,"line":162},"init","load_i18n",33,{"type":150,"name":164,"callback":165,"file":153,"line":166},"plugins_loaded","load_ajax",35,{"type":156,"name":168,"callback":168,"file":169,"line":170},"cron_schedules","src\\core\\secure-tfa-scheduler.php",66,{"type":150,"name":172,"callback":173,"priority":24,"file":174,"line":175},"login_init","initialize","src\\hooks\\secure-tfa-authentication.php",21,{"type":150,"name":177,"callback":178,"priority":24,"file":174,"line":179},"wp_logout","logout",22,{"type":156,"name":181,"callback":181,"pri
ority":24,"file":174,"line":154},"authenticate",{"type":150,"name":160,"callback":183,"priority":24,"file":184,"line":185},"redirect","src\\hooks\\secure-tfa-enforce-redirect.php",15,{"type":150,"name":187,"callback":188,"file":189,"line":190},"admin_menu","menus","src\\includes\\secure-tfa-adminarea.php",18,{"type":150,"name":187,"callback":192,"file":189,"line":193},"tfa_in_user_menu",19,{"type":150,"name":195,"callback":196,"priority":11,"file":189,"line":197},"admin_enqueue_scripts","enqueue_scripts",20,{"type":150,"name":195,"callback":199,"priority":11,"file":189,"line":175},"enqueue_tfa_vue_script",{"type":150,"name":201,"callback":202,"priority":33,"file":189,"line":179},"admin_bar_menu","tfa_in_top_admin_bar_menu",{"type":156,"name":204,"callback":205,"file":189,"line":154},"manage_users_columns","tfa_column_in_users",{"type":150,"name":207,"callback":208,"priority":11,"file":189,"line":209},"manage_users_custom_column","tfa_column_in_users_value",24,{"type":150,"name":211,"callback":212,"file":213,"line":190},"login_enqueue_scripts","tfa_enqueue_login_script","src\\includes\\secure-tfa-frontend.php",{"type":150,"name":215,"callback":216,"file":213,"line":193},"login_form","tfa_login_form",[218,223,226,229,232,235,238,241,244,248],{"action":219,"nopriv":220,"callback":221,"hasNonce":220,"hasCapCheck":220,"file":222,"line":190},"secure_tfa_adminarea_overview",false,"overview","src\\ajax\\secure-tfa-adminarea-ajax.php",{"action":224,"nopriv":220,"callback":225,"hasNonce":220,"hasCapCheck":220,"file":222,"line":193},"secure_tfa_adminarea_filter_users","filter_users",{"action":227,"nopriv":220,"callback":228,"hasNonce":220,"hasCapCheck":220,"file":222,"line":197},"secure_tfa_adminarea_users_list","tfa_users_list",{"action":230,"nopriv":220,"callback":231,"hasNonce":220,"hasCapCheck":220,"file":222,"line":175},"secure_tfa_adminarea_delete_tfa","delete_tfa",{"action":233,"nopriv":220,"callback":234,"hasNonce":220,"hasCapCheck":220,"file":222,"line":179},"secure_t
fa_adminarea_activity_list","activity_list",{"action":236,"nopriv":220,"callback":237,"hasNonce":220,"hasCapCheck":220,"file":222,"line":154},"secure_tfa_adminarea_get_tfa_in_profile","get_tfa_in_profile",{"action":239,"nopriv":220,"callback":240,"hasNonce":220,"hasCapCheck":220,"file":222,"line":209},"secure_tfa_adminarea_configure_tfa","configure_tfa",{"action":242,"nopriv":220,"callback":243,"hasNonce":220,"hasCapCheck":220,"file":222,"line":72},"secure_tfa_adminarea_activate_tfa_send_otp","activate_tfa_send_otp",{"action":245,"nopriv":220,"callback":246,"hasNonce":220,"hasCapCheck":220,"file":222,"line":247},"secure_tfa_adminarea_activate_tfa_confirm_otp","activate_tfa_confirm_otp",26,{"action":249,"nopriv":220,"callback":250,"hasNonce":220,"hasCapCheck":220,"file":222,"line":251},"secure_tfa_adminarea_deactivate_tfa","deactivate_tfa",27,[],[],[],{"dangerousFunctions":256,"sqlUsage":257,"outputEscaping":260,"fileOperations":33,"externalRequests":59,"nonceChecks":33,"capabilityChecks":101,"bundledLibraries":270},[],{"prepared":258,"raw":13,"locations":259},45,[],{"escaped":261,"rawEcho":144,"locations":262},144,[263,267],{"file":264,"line":265,"context":266},"src\\views\\admin\\vue\\components\\activity\\app.vue.php",43,"raw output",{"file":268,"line":269,"context":266},"src\\views\\admin\\vue\\components\\users\\app.vue.php",46,[],[272,297,307,325],{"entryPoint":273,"graph":274,"unsanitizedCount":144,"severity":296},"save (src\\settings\\secure-tfa-whatsapp-settings.php:42)",{"nodes":275,"edges":293},[276,282,286],{"id":277,"type":278,"label":279,"file":280,"line":281},"n0","source","$_POST (x2)","src\\settings\\secure-tfa-whatsapp-settings.php",70,{"id":283,"type":284,"label":285,"file":280,"line":281},"n1","transform","→ execute()",{"id":287,"type":288,"label":289,"file":290,"line":291,"wp_function":292},"n2","sink","wp_remote_get() 
[SSRF]","src\\services\\whatsapp\\client\\adapters\\secure-tfa-wordpress-adapter.php",38,"wp_remote_get",[294,295],{"from":277,"to":283,"sanitized":220},{"from":283,"to":287,"sanitized":220},"medium",{"entryPoint":298,"graph":299,"unsanitizedCount":144,"severity":296},"\u003Csecure-tfa-whatsapp-settings> (src\\settings\\secure-tfa-whatsapp-settings.php:0)",{"nodes":300,"edges":304},[301,302,303],{"id":277,"type":278,"label":279,"file":280,"line":281},{"id":283,"type":284,"label":285,"file":280,"line":281},{"id":287,"type":288,"label":289,"file":290,"line":291,"wp_function":292},[305,306],{"from":277,"to":283,"sanitized":220},{"from":283,"to":287,"sanitized":220},{"entryPoint":308,"graph":309,"unsanitizedCount":33,"severity":324},"delete_tfa (src\\ajax\\secure-tfa-adminarea-ajax.php:91)",{"nodes":310,"edges":321},[311,314,316],{"id":277,"type":278,"label":312,"file":222,"line":313},"$_POST",103,{"id":283,"type":284,"label":315,"file":222,"line":313},"→ first()",{"id":287,"type":288,"label":317,"file":318,"line":319,"wp_function":320},"get_row() [SQLi]","src\\core\\secure-tfa-model.php",34,"get_row",[322,323],{"from":277,"to":283,"sanitized":220},{"from":283,"to":287,"sanitized":220},"high",{"entryPoint":326,"graph":327,"unsanitizedCount":394,"severity":324},"\u003Csecure-tfa-adminarea-ajax> (src\\ajax\\secure-tfa-adminarea-ajax.php:0)",{"nodes":328,"edges":381},[329,330,331,332,336,339,343,346,349,352,355,358,362,365,368,372,375,378],{"id":277,"type":278,"label":312,"file":222,"line":313},{"id":283,"type":284,"label":315,"file":222,"line":313},{"id":287,"type":288,"label":317,"file":318,"line":319,"wp_function":320},{"id":333,"type":278,"label":334,"file":222,"line":335},"n3","$_POST (x5)",171,{"id":337,"type":284,"label":338,"file":222,"line":335},"n4","→ 
has_tfa_enabled()",{"id":340,"type":288,"label":317,"file":341,"line":342,"wp_function":320},"n5","src\\models\\secure-tfa-verified-user.php",71,{"id":344,"type":278,"label":279,"file":222,"line":345},"n6",173,{"id":347,"type":284,"label":348,"file":222,"line":345},"n7","→ get_tfa_by_user_id()",{"id":350,"type":288,"label":317,"file":341,"line":351,"wp_function":320},"n8",82,{"id":353,"type":278,"label":312,"file":222,"line":354},"n9",174,{"id":356,"type":284,"label":357,"file":222,"line":354},"n10","→ get_counts_of_recovery_codes()",{"id":359,"type":288,"label":317,"file":360,"line":361,"wp_function":320},"n11","src\\models\\secure-tfa-recovery-codes.php",76,{"id":363,"type":278,"label":312,"file":222,"line":364},"n12",175,{"id":366,"type":284,"label":367,"file":222,"line":364},"n13","→ get_last_used_recovery_codes()",{"id":369,"type":288,"label":370,"file":360,"line":122,"wp_function":371},"n14","get_results() [SQLi]","get_results",{"id":373,"type":278,"label":312,"file":222,"line":374},"n15",363,{"id":376,"type":284,"label":377,"file":222,"line":374},"n16","→ get_by_user_id()",{"id":379,"type":288,"label":317,"file":341,"line":380,"wp_function":320},"n17",61,[382,383,384,385,386,387,388,389,390,391,392,393],{"from":277,"to":283,"sanitized":220},{"from":283,"to":287,"sanitized":220},{"from":333,"to":337,"sanitized":220},{"from":337,"to":340,"sanitized":220},{"from":344,"to":347,"sanitized":220},{"from":347,"to":350,"sanitized":220},{"from":353,"to":356,"sanitized":220},{"from":356,"to":359,"sanitized":220},{"from":363,"to":366,"sanitized":220},{"from":366,"to":369,"sanitized":220},{"from":373,"to":376,"sanitized":220},{"from":376,"to":379,"sanitized":220},11,{"summary":396,"deductions":397},"The \"secure-tfa\" plugin, at version 1.0.0, exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers, which represent a large attack surface. 
While the plugin demonstrates good practices in SQL query handling and output escaping, the absence of authentication checks on 10 out of 10 AJAX entry points is a critical weakness. This could allow any authenticated user, regardless of their privileges, to trigger potentially sensitive actions or expose information through these handlers.\n\nThe taint analysis reveals two high-severity flows with unsanitized paths, suggesting that user-supplied input might be reaching sensitive functions without proper validation or sanitization. This is exacerbated by the fact that these flows could be triggered via the unprotected AJAX handlers. The plugin's vulnerability history is currently clean, with no recorded CVEs. This might indicate that the plugin is either new, has not been extensively targeted, or that previous versions did not have discoverable vulnerabilities. However, the static analysis findings, particularly the unprotected AJAX endpoints and high-severity taint flows, present immediate risks that need to be addressed.\n\nIn conclusion, while \"secure-tfa\" v1.0.0 benefits from robust SQL prepared statements and output escaping, its security is severely undermined by its unprotected AJAX entry points and high-severity taint analysis findings. These weaknesses create a significant risk of privilege escalation, unauthorized actions, or data exposure. 
The absence of past vulnerabilities should not lead to complacency, given the identified static analysis risks.",[398,400,403,406,408,410,413],{"reason":399,"points":11},"Unprotected AJAX handlers",{"reason":401,"points":402},"High severity unsanitized taint flows",12,{"reason":404,"points":405},"100% AJAX handlers without auth",5,{"reason":407,"points":144},"File operations detected",{"reason":409,"points":144},"External HTTP requests detected",{"reason":411,"points":412},"Only 1 nonce check for 10 AJAX handlers",7,{"reason":414,"points":101},"Capability checks limited (3)","2026-03-17T00:30:48.757Z",{"wat":417,"direct":426},{"assetPaths":418,"generatorPatterns":421,"scriptPaths":422,"versionParams":424},[419,420],"\u002Fwp-content\u002Fplugins\u002Fsecure-tfa\u002Fassets\u002Ffrontend\u002Fcss\u002Ftfa.login.css","\u002Fwp-content\u002Fplugins\u002Fsecure-tfa\u002Fassets\u002Ffrontend\u002Fjs\u002Ftfa.login.js",[],[423],"tfa.login.js",[425],"secure-tfa\u002F1.0.0",{"cssClasses":427,"htmlComments":428,"htmlAttributes":429,"restEndpoints":430,"jsGlobals":431,"shortcodeOutput":433},[],[],[],[],[432],"secure_tfa_object",[]]