[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5Jx-4OLuw2q6dYdnH6z0nj_Dm6gaJ0L6HEKt0cR5dBo":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":108,"crawl_stats":38,"alternatives":115,"analysis":214,"fingerprints":1121},"security-malware-firewall","Login Security, FireWall, Malware removal by CleanTalk","2.174","CleanTalk Inc","https:\u002F\u002Fprofiles.wordpress.org\u002Fcleantalk\u002F","\u003Cp>Brute force, Login security & Two Factor Auth (2FA). Limit login. Malware & Vulnerabilities scan. FireWall. Enterprise ready security plugin.\u003C\u002Fp>\n\u003Ch3>SECURITY PLUGIN BY CLEANTALK (SPBCT)\u003C\u002Fh3>\n\u003Cp>We focus on eliminating the most common security threats for WordPress. At the same time, we strive to ensure that \u003Cstrong>site performance remains unaffected\u003C\u002Fstrong>. To achieve this, each release goes through automated and expert-driven testing pipelines. We also verify performance using Google PageSpeed Insights and GTMetrix. 
Typically, we release a new version twice a month to keep features up to date and protection strong.\u003C\u002Fp>\n\u003Ch4>SECURITY FEATURES\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Limit Login Attempts and rate limits for logins.\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Two Factor Authentication (2FA)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom wp-login URL (wp-login.php)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Login Default Login Page\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable or Stop User Enumeration\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute force protection for WordPress accounts and passwords\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Protection for WordPress login form\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security FireWall by IP, Networks or Countries\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Web Application Firewall (WAF)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time traffic monitor (Visitors per pages, IPs, Countries and hits counts per page)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Malware scanner with auto-cure function\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Daily auto malware scan\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Vulnerabilities scanner among installed plugins and themes\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security weekly reports to email\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Notifications of login events to your website\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>FREE TRIAL THEN $9 PER YEAR\u003C\u002Fh4>\n\u003Cp>CleanTalk is a Cloud security service that protects your website from online threats and provides you great security instruments to control your website security. 
We provide detailed security stats for all of our security features to have a full control of security.\u003C\u002Fp>\n\u003Cp>We believe the most honest approach is when every user pays a small fee for using the service, rather than relying on a freemium model where some users subsidize others. The fee is as low as price of a good cup of coffee! So, the security plugin does not have a PRO version-it is completely free and works in combination with our premium Cloud security service at cleantalk.org. Every user has full access to all features of both the service and the plugin. Also, please take a note about \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fwordpress-org\u002Fdetailed-plugin-guidelines\u002F#6-software-as-a-service-is-permitted\" rel=\"nofollow ugc\">WordPress.org policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>BRUTE FORCE PROTECTION\u003C\u002Fh3>\n\u003Cp>Our default anti–brute-force policy works as follows,\u003C\u002Fp>\n\u003Cul>\n\u003Cli>For any failed login attempt to the WordPress admin area, the plugin introduces a brief delay of a few seconds.\u003C\u002Fli>\n\u003Cli>The plugin reviews the security audit log every hour. 
If any IP address records 10 or more login attempts in that period, it will be blocked for 24 hours.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>ALL BRUTE FORCE PROTECTION FUNCTIONS\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Maximum failed attempts to login before ban (default is 5).\u003C\u002Fstrong> A failed attempt happens when either the login or password is incorrect.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Time frame to count login attempts (default is 15 minutes).\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ban to login time frame from 2 minutes to 24 hours (default is 1 hour).\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Two-factor authentication (2FA) with ability to apply policy to specific users roles.\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent collecting of login on password reset error.\u003C\u002Fstrong> The option excludes the info about the login existing on password change error. Error message will be replaced with the following text: “If the user with the specified credentials exists, check your email for the password reset confirmation link. Then visit login page.”\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Audit Log.\u003C\u002Fstrong> Keeps track of actions in the WP Dashboard to let you know what is happening on your blog. With the Security Audit Log it is very easy to see user activity in order to understand what changes have been done and who made them. Security Audit Log shows who logged in and when and how much time they spent on each page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Two Factor Authentication (2FA).\u003C\u002Fstrong> It requires a bit of your time but Two Factor (2 Step) Authentication immediately gives a much higher level of security. With your first authorization, the CleanTalk Security plugin remembers your browser and you won’t have to input your authorization code every time anymore. 
However, if you started to use a new device or a new browser then you are required to input your security authorization code. CleanTalk security plugin will remember your browser for 30 days.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Change the URL of the wp-login page.\u003C\u002Fstrong> This option helps you change the default wp-login URL (wp-login.php). Hackers use scripts for massive brute-force attacks, and since most sites use a default login page URL, hackers configure scripts for such URLs. When you change the URL of the authorization page, hackers will not have the opportunity to perform brute-force attacks in scripts in automatic mode. This option does not change files and does not rewrite URLs in system files. To return the address of the default authorization page, it is enough to disable the option in the plugin settings or set a new value. If you are using caching plugins, then you need to add a new authorization page in the caching exceptions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Leaked password check.\u003C\u002Fstrong> This feature enhances your website’s security by continuously monitoring users’ passwords for potential exposure in known data breaches and on the dark web. It works in the background and requires no action from users unless a leak is detected.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>SECURITY FIREWALL\u003C\u002Fh3>\n\u003Cp>To enhance the security of your site, you can use the CleanTalk Security FireWall, which will allow you to block access by HTTP\u002FHTTPS to your website for individual IP addresses, IP networks and block access to users from specific countries. Use personal BlackList to block IP addresses with a suspicious activity to enhance the WordPress security.\u003C\u002Fp>\n\u003Cp>Security FireWall may significantly reduce the risk of hacking and reduces the load on your web server. CleanTalk Security is fully compatible with the most popular VPN services. 
Also, CleanTalk security supports all search engines Google, Bing, Yahoo, Baidu, MSN, Yandex and etc.\u003C\u002Fp>\n\u003Ch4>LIST OF FIREWALL FUNCTIONS\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Blocks or bypass visitors by IP, IP Network. Country blocking.\u003C\u002Fstrong> It also has option to avoid blocking hits from major search engines like Google, Bing, Yahoo, Baidu, Yandex and etc.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Traffic control.\u003C\u002Fstrong> CleanTalk security Traffic Control will track every single visitor no matter if they are using JavaScript or not and provides many valuable traffic parameters. Another option in Security Traffic Control – “Block user after requests amounts more than” – blocks access to the site for any IP that has exceeded the number of HTTP requests per hour. If this number of requests will be exceeded, this IP will be added to the Security FireWall Black List for 24 hours. Security Firewall has a limit for requests to your website (by default 1000 requests per hour, so you can change it) and if any IP exceed this threshold it will be added to security firewall for next 24 hours. It allows you to break some of the DDoS attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Login Attempts.\u003C\u002Fstrong> Limit Login Attempts – is a part of brute-force protection and security firewall.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Web Application FireWall (WAF) for WordPress Security Plugin\u003C\u002Fstrong>. The main purpose of Web Application FireWall (WAF) is real-time protection from unauthorized access, even if there are critical known\u002Funknown vulnerabilities. 
Security Web Application FireWall catches all requests to your website and checks HTTP parameters that include,\n\u003Cul>\n\u003Cli>SQL Injection,\u003C\u002Fli>\n\u003Cli>Cross Site Scripting (XSS),\u003C\u002Fli>\n\u003Cli>uploading files from non-authorised users,\u003C\u002Fli>\n\u003Cli>PHP constructions\u002Fcode,\u003C\u002Fli>\n\u003Cli>the presence of malicious code in the downloaded files.\u003Cbr \u002F>\nIn addition to effective information security and information security applications are required to know what is quality of protection and CleanTalk Security has logged all blocked requests that allow you to know and analyze accurate information.\u003C\u002Fli>\n\u003Cli>You can see your Cleantalk Security Logs in your \u003Ca href=\"https:\u002F\u002Fcleantalk.org\u002Fmy\u002Flogs_firewall\" rel=\"nofollow ugc\">Dashboard\u003C\u002Fa>. CleanTalk’s research team updates WAF database each time as we find a vulnerability, it means plugin’s users get protection even against unpublished vulnerabilities.\u003C\u002Fli>\n\u003Cli>Learn more how to set up and test \u003Ca href=\"https:\u002F\u002Fcleantalk.org\u002Fhelp\u002Fsecurity-waf\" title=\"About Web Application Firewall\" rel=\"nofollow ugc\">About Security Web Application Firewall\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Notifications when administrators or users are logged in.\u003C\u002Fstrong> We added this option to our security plugin. Now you can receive notifications if you want to know about an unauthorized entrance to your WP Dashboard. Notification will be sent only when a user was able to authorize entering login and password. If you are logged into the admin panel from the saved session, then the alert won’t be sent.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>MALWARE SCANNER WITH AUTO-CURE FUNCTION\u003C\u002Fh3>\n\u003Cp>Scans WordPress files for hacker files or code for hacker code. Performs antivirus functions. 
Security Malware Scanner runs manually by users requests or automatically by WordPress cron. All of the results will be sent to your Security CleanTalk Dashboard with the details and you will be able to investigate them and see if that was a legitimate change or some bad code was injected.\u003C\u002Fp>\n\u003Cp>If you are unsure how to identify, remove, or clean malware using the plugin, you can book a \u003Ca href=\"https:\u002F\u002Fcleantalk.org\u002Fwordpress-malware-removal\" rel=\"nofollow ugc\">malware removal service\u003C\u002Fa> with our Security & Pentest team.\u003C\u002Fp>\n\u003Ch4>LIST OF MALWARE SCANNER, ANTIVIRUS FUNCTIONS\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malware autoscanning.\u003C\u002Fstrong> Scans the website automatically at intervals ranging from once every 12 hours to once every 30 days.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cure malware.\u003C\u002Fstrong> It cures infected files automatically if the scanner knows cure methods for these specific cases. If the option is disabled then when the scanning process ends you will be presented with several actions you can do to the found files,\n\u003Cul>\n\u003Cli>\u003Cstrong>Cure.\u003C\u002Fstrong> Malicious code will be removed from the file.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Replace.\u003C\u002Fstrong> The file will be replaced with the original file.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Delete.\u003C\u002Fstrong> The file will be put in quarantine. Do nothing.\u003Cbr \u002F>\nBefore any action is chosen, backups of the files will be created and if the cure is unsuccessful it’s possible to restore each file.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Malware Heuristic Check\u003C\u002Fstrong>. This option allows you to check files of plugins and themes with heuristic analysis. 
Probably it will find more than you expect.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Malware scanner to find SQL Injections.\u003C\u002Fstrong> The CleanTalk Security Malware Scanner allows you to find code that allows performing SQL injection. It is this problem that the scanner solves.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Operating system cron tasks analysis.\u003C\u002Fstrong> This functional provides an overview of scheduled cron jobs on server that perform automated tasks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>DB Trigger analysis.\u003C\u002Fstrong> Will search for known malicious signatures in database triggers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>List unknown files.\u003C\u002Fstrong> Shows the list of found unknown files in the malware scanner report. Unknown files do not have known virus signatures and do not have suspicious code. Meanwhile, unknown files do not belong to the public plugins and themes at wordpress.org.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File System Watcher.\u003C\u002Fstrong> File system Watcher monitors changes in the file system. This allows to quickly respond to a site infection by tracking which files were affected. The Watcher makes file system snapshots as often as one hour and show difference up to seven days time frame.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Feedback System.\u003C\u002Fstrong> If you don’t have programming experience and don’t know, is there security issue or not, you send some files to CleanTalk Cloud and we check them for malware code. After checking we send you an email notification with results, is there viruses or not. 
Please, look at our guide How malware file analysis works \u003Ca href=\"https:\u002F\u002Fcleantalk.org\u002Fhelp\u002Ffiles-analysis\" title=\"About Scanner Feedback System\" rel=\"nofollow ugc\">About Scanner Feedback System\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>LIST OF THE MOST ACTIVE MALWARES BY FILENAMES\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>radio.php\u003C\u002Fli>\n\u003Cli>admin-ajax.php\u003C\u002Fli>\n\u003Cli>.1235512.css\u003C\u002Fli>\n\u003Cli>8sjdakSJ3.php\u003C\u002Fli>\n\u003Cli>wso.php\u003C\u002Fli>\n\u003Cli>cmd.php\u003C\u002Fli>\n\u003Cli>shell.php\u003C\u002Fli>\n\u003Cli>reverse_shell.php\u003C\u002Fli>\n\u003Cli>admin.php\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The list is actual on July 15th, 2025. The latest data is the article \u003Ca href=\"https:\u002F\u002Fresearch.cleantalk.org\u002Fmajor-signs-of-malware-on-an-infected-wordpress-site\u002F\" rel=\"nofollow ugc\">Is my site infected?\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>VULNERABILITIES SCANNER AMONG INSTALLED PLUGINS AND THEMES\u003C\u002Fh3>\n\u003Cp>Plugin checks installed plugins and themes for known (published) vulnerabilities. If finds vulnerable plugin\u002Ftheme, it sends an Email notification and shows data in the \u003Cem>Critical updates\u003C\u002Fem> tab.\u003C\u002Fp>\n\u003Cp>List of the most recent vulnerabilities found and published by CleanTalk Research team,\u003C\u002Fp>\n\u003Cul>\n\u003Cli>CVE-2025-5921 – SureForms – Unauthenticated XSS – POC, 200k+ installs.\u003C\u002Fli>\n\u003Cli>CVE-2025-3582 – Newsletter – Stored XSS to JS Backdoor Creation – POC, 300k+ installs.\u003C\u002Fli>\n\u003Cli>CVE-2025-2560 – Ninja Forms – Stored XSS to JS Backdoor Creation – POC, 700k+ installs.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The list is effective on July 18th, 2025. 
Updates are available on \u003Ca href=\"https:\u002F\u002Fresearch.cleantalk.org\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fresearch.cleantalk.org\u002F\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>MISCELLANEOUS SECURITY OPTIONS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Send additional HTTP headers option.\u003C\u002Fstrong> There are several additional http-headers which added to the every http-requests by the plugin if this option is enabled:\n\u003Cul>\n\u003Cli>“X-Content-Type-Options” improves the security of your site (and your users) against some types of drive-by-downloads.\u003C\u002Fli>\n\u003Cli>“X-XSS-Protection” header improves the security of your site against some types of XSS (cross-site scripting) attacks.\u003C\u002Fli>\n\u003Cli>“Strict-Transport-Security” response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.\u003C\u002Fli>\n\u003Cli>“Referrer-Policy” make the \u003Ccode>Referer\u003C\u002Fcode> http-header transferring more strictly.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Collect and send PHP logs.\u003C\u002Fstrong> Collect and send PHP error logs to your CleanTalk Dashboard where you can list them.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent collecting of authors logins.\u003C\u002Fstrong> Prevent visitors from collecting logins of the content authors from the website links (like example.com\u002F?author=1). Also this function known as Stop User Enumeration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent collecting of user login on password reset.\u003C\u002Fstrong> The password reset error will not contain the data about selected username does not exist.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable REST API for non-authenticated users.\u003C\u002Fstrong> Turn this on to deny access to WordPress REST API for non-authenticated users. 
Denied requests will get a 401 HTTP Code (Unauthorized).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable the WordPress endpoint “users” REST API.\u003C\u002Fstrong> Disables access to \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers and \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u002F”id_user”.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable File Editor.\u003C\u002Fstrong> By prohibiting file editing, you protect the site from malicious attacks that may try to change the code and gain access to the site or steal confidential information.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>TRANSLATE INTO YOUR LANGUAGE\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Thank you for helping translate the plugin!\u003C\u002Fli>\n\u003Cli>感谢您帮助翻译这个插件！ (Gǎnxiè nín bāngzhù fānyì zhège chājìan!)\u003C\u002Fli>\n\u003Cli>प्लगइन का अनुवाद करने में मदद के लिए धन्यवाद! (Plugin ka anuvaad karne mein madad ke liye dhanyavaad!)\u003C\u002Fli>\n\u003Cli>¡Gracias por ayudar a traducir el complemento!\u003C\u002Fli>\n\u003Cli>Merci d’avoir aidé à traduire le plugin !\u003C\u002Fli>\n\u003Cli>شكرًا لمساعدتك في ترجمة الإضافة! (Shukran limusaa’adatika fi tarjamat al-idafa!)\u003C\u002Fli>\n\u003Cli>প্লাগইন অনুবাদে সাহায্য করার জন্য ধন্যবাদ! (Plug-in onubade shahajjo korar jonno dhonnobad!)\u003C\u002Fli>\n\u003Cli>Спасибо за помощь в переводе плагина! (Spasibo za pomoshch v perevode plagina!)\u003C\u002Fli>\n\u003Cli>Obrigado por ajudar a traduzir o plugin! (Obrigada if female)\u003C\u002Fli>\n\u003Cli>پلگ ان کا ترجمہ کرنے میں مدد کرنے کا شکریہ! 
(Plug-in ka tarjuma karne mein madad karne ka shukriya!)\u003C\u002Fli>\n\u003Cli>Terima kasih telah membantu menerjemahkan plugin!\u003C\u002Fli>\n\u003Cli>Danke, dass du beim Übersetzen des Plugins geholfen hast!\u003C\u002Fli>\n\u003Cli>プラグインの翻訳を手伝ってくれてありがとうございます！ (Puraguin no hon’yaku o tetsudatte kurete arigatou gozaimasu!)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fsecurity-malware-firewall\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Ftranslate.wordpress.org\u002Fprojects\u002Fwp-plugins\u002Fsecurity-malware-firewall\u002F\u003C\u002Fa>\u003C\u002Fp>\n","Brute force, Login security & Two Factor Auth (2FA). Limit login. Malware & Vulnerabilities scan. FireWall. Enterprise ready security plugin.",30000,2575884,96,378,"2026-03-02T10:49:00.000Z","6.9.4","5.0","7.2",[20,21,22,23,24],"firewall","login","malware","security","waf","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-malware-firewall\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-malware-firewall.2.174.zip",86,5,0,"2025-12-08 16:28:49","2026-03-15T15:16:48.613Z",[33,49,64,78,94],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":40,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48},"CVE-2025-13604","login-security-firewall-malware-removal-by-cleantalk-unauthenticated-stored-cross-site-scripting-via-page-url","Login Security, FireWall, Malware removal by CleanTalk \u003C= 2.168 - Unauthenticated Stored Cross-Site Scripting via Page URL","The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2.168","2.169","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-12-09 04:36:25",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1e35eb83-716e-4177-99ba-24a884725265?source=api-prod",1,{"id":50,"url_slug":51,"title":52,"description":53,"plugin_slug":4,"theme_slug":38,"affected_versions":54,"patched_in_version":55,"severity":56,"cvss_score":57,"cvss_vector":58,"vuln_type":59,"published_date":60,"updated_date":61,"references":62,"days_to_patch":48},"CVE-2024-13365","security-malware-scan-by-cleantalk-unauthenticated-arbitrary-file-upload","Security & Malware scan by CleanTalk \u003C= 2.149 - Unauthenticated Arbitrary File Upload","The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function  in all versions up to, and including, 2.149. 
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.","\u003C=2.149","2.150","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2025-02-11 20:29:00","2025-02-12 09:22:51",[63],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9fa30fa2-6c42-4e5f-a0b5-8711ce5d8121?source=api-prod",{"id":65,"url_slug":66,"title":67,"description":68,"plugin_slug":4,"theme_slug":38,"affected_versions":69,"patched_in_version":70,"severity":41,"cvss_score":71,"cvss_vector":72,"vuln_type":73,"published_date":74,"updated_date":75,"references":76,"days_to_patch":48},"CVE-2024-10570","security-malware-scan-by-cleantalk-authorization-bypass-via-reverse-dns-spoofing-to-unauthenticated-sql-injection","Security & Malware scan by CleanTalk \u003C= 2.145 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection","The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","\u003C=2.145","2.145.1",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2024-11-25 17:07:52","2024-11-26 05:33:02",[77],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2187311d-6651-4eca-806d-aa2ff9fae4e2?source=api-prod",{"id":79,"url_slug":80,"title":81,"description":82,"plugin_slug":4,"theme_slug":38,"affected_versions":83,"patched_in_version":84,"severity":85,"cvss_score":86,"cvss_vector":87,"vuln_type":88,"published_date":89,"updated_date":90,"references":91,"days_to_patch":93},"CVE-2023-5239","security-malware-scan-by-cleantalk-ip-spoofing-to-protection-mechanism-bypass","Security & Malware scan by CleanTalk \u003C= 2.120 - IP Spoofing to Protection Mechanism Bypass","The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.120. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. 
Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.","\u003C=2.120","2.121","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Use of Less Trusted Source","2023-11-06 00:00:00","2024-01-22 19:56:02",[92],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F525626be-fe1d-4543-91a1-ae5ea3658862?source=api-prod",78,{"id":95,"url_slug":96,"title":97,"description":98,"plugin_slug":4,"theme_slug":38,"affected_versions":99,"patched_in_version":100,"severity":41,"cvss_score":101,"cvss_vector":102,"vuln_type":103,"published_date":104,"updated_date":90,"references":105,"days_to_patch":107},"CVE-2020-36698","security-malware-scan-by-cleantalk-missing-authorization","Security & Malware scan by CleanTalk \u003C= 2.50 - Missing Authorization","The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. 
This makes it possible for authenticated attackers, with subscriber-level permissions and above, to call functions and delete and\u002For upload files.","\u003C=2.50","2.51",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2020-07-06 00:00:00",[106],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0fb9b039-eb04-4c27-89eb-1932c9c31962?source=api-prod",1296,{"slug":109,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":110,"avg_security_score":111,"avg_patch_time_days":112,"trust_score":113,"computed_at":114},"cleantalk",230200,92,571,73,"2026-04-03T23:38:33.635Z",[116,139,159,178,196],{"slug":117,"name":118,"version":119,"author":120,"author_profile":121,"description":122,"short_description":123,"active_installs":124,"downloaded":125,"rating":126,"num_ratings":127,"last_updated":128,"tested_up_to":16,"requires_at_least":17,"requires_php":129,"tags":130,"homepage":134,"download_link":135,"security_score":136,"vuln_count":137,"unpatched_count":29,"last_vuln_date":138,"fetched_at":31},"all-in-one-wp-security-and-firewall","All-In-One Security (AIOS) – Security and Firewall","5.4.6","David Anderson \u002F Team Updraft","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidanderson\u002F","\u003Ch3>THE TOP RATED WORDPRESS SECURITY AND FIREWALL PLUGIN\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fteamupdraft.com\u002Fall-in-one-security?utm_source=aios-wp-dir&utm_medium=referral&utm_campaign=plugin-dir&utm_content=aios&utm_creative_format=description\" rel=\"nofollow ugc\">All-in-One Security (AIOS)\u003C\u002Fa> is a WordPress security plugin from the same, trusted team that brought you UpdraftPlus.\u003C\u002Fp>\n\u003Cp>It’s called ‘All-In-One’ because it’s packed full of ways to keep your WordPress website(s) safe and secure.\u003C\u002Fp>\n\u003Cp>It includes:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login security 
features\u003C\u002Fstrong> keep bots at bay. Lock out users based on a configurable number of login attempts, get two-factor authentication and more.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>File and database security.\u003C\u002Fstrong> Get notified of file changes that occur outside of normal operations. Block access to key files and scan files and folders to spot insecure permissions.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Firewall.\u003C\u002Fstrong> Get PHP, .htaccess and 6G firewall rules courtesy of Perishable Press. Spot and block fake Google Bots and more!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Spam prevention.\u003C\u002Fstrong> Prevent annoying spam comments and reduce unnecessary load on the server. Automatically and permanently block IP addresses that exceed a set number of spam comments.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Audit log.\u003C\u002Fstrong> View events happening on your WordPress website. Find out if a plugin or theme has been added, removed, updated and more.\u003C\u002Fp>\n\u003Ch4>WHY ALL-IN-ONE SECURITY?\u003C\u002Fh4>\n\u003Cp>AIOS has a near-perfect \u003Cstrong>4.7 \u002F 5-star user rating\u003C\u002Fstrong> across more than 1 million installs.\u003C\u002Fp>\n\u003Cp>Great for beginners and experts alike. AIOS guides you logically and clearly through each of its features which are all clearly explained. Security features are marked as basic, intermediate and advanced. Each step increases your security score. Turn them on and watch your protection grow!\u003C\u002Fp>\n\u003Cp>We have a large support team of software developers. That means we have the availability and the skillset to help you with the trickiest of queries.\u003C\u002Fp>\n\u003Cp>We comb the WordPress plugin directory for support tickets daily – most queries are responded to within 24 hours.\u003C\u002Fp>\n\u003Cp>\u003Cem>Excellent plugin with numerous well-thought-out options for making a website more secure. I have been using it for years and am very happy with it. 
I recently had a small problem setting up a website and – even as a non-premium user – I received support very quickly. Highly recommended!\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>For even more ways to stay safe and secure, upgrade to \u003Ca href=\"https:\u002F\u002Fteamupdraft.com\u002Fall-in-one-security\u002Fpricing?utm_source=aios-wp-dir&utm_medium=referral&utm_campaign=plugin-dir&utm_content=aios_premium&utm_creative_format=description\" rel=\"nofollow ugc\">AIOS Premium\u003C\u002Fa> – it packs a punch security-wise, whilst being \u003Cstrong>extremely cost-competitive\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch4>LOGIN SECURITY\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Two-factor authentication (TFA)\u003C\u002Fstrong> – Require TFA for specific user roles. Supports Google Authenticator, Microsoft Authenticator, Authy, and many more.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Detect and manage ‘admin’ usernames\u003C\u002Fstrong> – Identify default ‘admin’ usernames and guide users to change them to protect against brute force attacks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Identify and correct identical login and display names\u003C\u002Fstrong> – Detect cases where the display name matches the username and provide guidance to improve login security.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Prevent user enumeration\u003C\u002Fstrong> – Block unauthorised access to URLs that can reveal sensitive information such as usernames or other details.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Control login attempts\u003C\u002Fstrong> – Prevent brute force attacks by limiting the number of failed login attempts. Choose how many login attempts are allowed, set lockout durations, and more.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Force user logout\u003C\u002Fstrong> – Automatically log out users after a specified period of time. 
Unattended sessions are closed, reducing the risk of unauthorised access.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Manually approve new registrations\u003C\u002Fstrong> – Review and approve new user registrations to prevent spam and fake sign-ups.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Enhance WordPress salt security\u003C\u002Fstrong> – Adds 64 extra characters to WordPress salts, rotating them weekly. Makes cracking passwords virtually impossible, even if your database is stolen.\u003C\u002Fp>\n\u003Ch4>Plugin Support\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>If you have a question or problem with the All-In-One Security plugin, post it on the support forum and we will help you. Premium customers can log queries directly with the team via https:\u002F\u002Fteamupdraft.com\u002Fall-in-one-security\u002F\u003Cbr \u002F>\n\u003Cstrong>Monitor and manage active sessions\u003C\u002Fstrong> – If a user is logged in who shouldn’t be, log them out or add them to a blacklist.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>SPAM PREVENTION\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Block spam coming from bots\u003C\u002Fstrong> – Reduce the load on your server and improve the user experience by automatically blocking spam comments from bots.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Monitor spam IP addresses\u003C\u002Fstrong> – Monitor the IP addresses of people or bots leaving spam comments. Choose which ones to block based on a configurable number of comments left.\u003C\u002Fp>\n\u003Ch4>FILE \u002F DATABASE Security\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Scan and fix file permissions\u003C\u002Fstrong> – Scan for insecure file permissions. Click once to fix issues and safeguard critical files and folders.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Disable PHP file editing\u003C\u002Fstrong> – Disable editing of PHP files (such as plugins and themes) via the dashboard. 
It’s often the first tool that attackers use as it allows for code execution.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Protect sensitive files\u003C\u002Fstrong> – Prevent access to files like readme.html that might reveal information about your WordPress installation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>File change scanner\u003C\u002Fstrong> – Get notified of any file changes which occur on your system. Exclude files and folders which change as part of normal operations.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Prevent image hotlinking\u003C\u002Fstrong> – Prevent other websites from displaying your images via hotlinking and protect server bandwidth.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Secure database backups\u003C\u002Fstrong> – Perform a database backup via UpdraftPlus from AIOS. Change the default ‘wp_’ prefix to hide your WordPress database from hackers.\u003C\u002Fp>\n\u003Ch4>FIREWALL\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Get .htaccess firewall rules\u003C\u002Fstrong> – Deny access to the .htaccess and wp-config.php files. Disable the server signature and limit file uploads to a configurable size.\u003C\u002Fp>\n\u003Cp>Block access to the debug.log file and prevent Apache servers from listing the contents of a directory when an index.php file is not present.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Get PHP firewall rules\u003C\u002Fstrong> – PHP firewall rules prevent malicious users from exploiting well-known vulnerabilities in XML-RPC. 
Safeguard your content by disabling RSS and Atom feeds and avoid cross-site scripting (XSS) attacks.\u003Cbr \u002F>\nBlock fake Google bots and POST requests made by bots – Block fake Google bots and stop bots from making POST requests by blocking IP addresses where the user-agent and referrer fields are blank.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Utilise 6G firewall rules\u003C\u002Fstrong> – Employ flexible blacklist rules to reduce the number of malicious URL requests that hit your website (courtesy of Perishable Press).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>And more\u003C\u002Fstrong> – Blacklist (and whitelist) IP ranges and user agents and block unauthorized access to data by disabling REST API access for non-logged-in requests.\u003C\u002Fp>\n\u003Ch4>TWO-FACTOR AUTHENTICATION ENHANCED [Premium]\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Two-factor authentication\u003C\u002Fstrong> is included in the free plugin. Upgrade to Premium if you’d like to:\u003Cbr \u002F>\nRequire TFA after a set time period – Mandate TFA for all admins or other roles after their accounts reach a specified age.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Control how often TFA is required\u003C\u002Fstrong> – Set TFA to be required after a certain number of days on trusted devices instead of every login.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Customise design layout\u003C\u002Fstrong> – Adjust the TFA design to match your website’s existing layout and branding.\u003Cbr \u002F>\nEmergency codes – Generate one-time use emergency codes to regain access if you lose your TFA device.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress Multisite Compatible\u003C\u002Fstrong> – Ensure compatibility with WordPress multisite networks and their sub-sites for consistent TFA application.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Integration with login forms\u003C\u002Fstrong> – Integrate TFA with various login forms, including WooCommerce, Affiliates-WP, Elementor Pro, bbPress, and ‘Theme My Login’ without additional 
coding.\u003C\u002Fp>\n\u003Ch4>SMART 404 BLOCKING [Premium]\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Block IPs based on 404 errors\u003C\u002Fstrong> – Detect hackers probing your URLs via script and bots by the 404 errors they leave behind.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Smart 404 Configuration\u003C\u002Fstrong> – Set a figure for the maximum number of 404 events allowed before an IP address is blocked. Choose a time period within which the 404 events must occur (e.g., 10 errors within 10 minutes).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Smart 404 block by URL string\u003C\u002Fstrong> – Instantly block an IP address if a 404 event includes a specific URL string.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Smart 404 whitelisting\u003C\u002Fstrong> – Prevent particular IP addresses from being permanently blocked due to 404 events.\u003C\u002Fp>\n\u003Ch4>COUNTRY BLOCKING [Premium]\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Block traffic to the entire site or to specific pages or posts\u003C\u002Fstrong> – Useful if you’re an e-commerce site and you want to block sales to some countries for shipping or tax reasons.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Whitelist some users from blocked countries\u003C\u002Fstrong> – Whitelist IP addresses or IP ranges even if they are part of a blocked country.\u003C\u002Fp>\n\u003Ch4>MALWARE SCANNING [Premium]\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Automatic malware scanning\u003C\u002Fstrong> – Detect and protect against the latest malware, trojans, and spyware.\u003Cbr \u002F>\nAlerts you to blacklisting by search engines – Monitor your site for blacklisting by search engines due to malicious code.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response time monitoring\u003C\u002Fstrong> – Keep track of your website’s response time to identify and address any performance issues.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Uptime monitoring\u003C\u002Fstrong> – Checks your website’s uptime every 5 minutes and alerts you immediately if your site or server goes 
down.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advice and malware removal\u003C\u002Fstrong> – Need hands-on advice and support for malware removal? Our team of genuine cybersecurity experts is here to help.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Notification if something’s amiss\u003C\u002Fstrong> – Receive notifications about any issues with your site so you can address problems before they escalate.\u003C\u002Fp>\n\u003Ch4>Plugin Support\u003C\u002Fh4>\n\u003Cp>If you have a question or problem with the All-In-One Security plugin, post it on the support forum and we will help you. Premium customers can log queries directly with the team via https:\u002F\u002Fteamupdraft.com\u002Fall-in-one-security\u003C\u002Fp>\n\u003Ch4>Developers\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>If you are a developer and you need some extra hooks or filters for this plugin then let us know.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Translations\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>All-In-One Security plugin can be translated to any language.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Currently available translations:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>English\u003C\u002Fli>\n\u003Cli>German\u003C\u002Fli>\n\u003Cli>Spanish\u003C\u002Fli>\n\u003Cli>French\u003C\u002Fli>\n\u003Cli>Hungarian\u003C\u002Fli>\n\u003Cli>Italian\u003C\u002Fli>\n\u003Cli>Swedish\u003C\u002Fli>\n\u003Cli>Russian\u003C\u002Fli>\n\u003Cli>Chinese\u003C\u002Fli>\n\u003Cli>Portuguese (Brazil)\u003C\u002Fli>\n\u003Cli>Persian\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Privacy Policy\u003C\u002Fh4>\n\u003Cp>This plugin may collect IP addresses for security reasons such as mitigating brute force login threats and malicious activity.\u003C\u002Fp>\n\u003Cp>The collected information is stored on your server. 
No information is transmitted to third parties or remote server locations.\u003C\u002Fp>\n\u003Ch4>Usage\u003C\u002Fh4>\n\u003Cp>Go to the settings menu after you activate the plugin and follow the instructions.\u003C\u002Fp>\n","Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.",1000000,36139406,94,1693,"2026-01-28T22:15:00.000Z","5.6",[20,131,132,23,133],"login-security","malware-scanning","two-factor-authentication","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fall-in-one-wp-security-and-firewall\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-wp-security-and-firewall.5.4.6.zip",93,26,"2024-02-08 00:00:00",{"slug":140,"name":141,"version":142,"author":143,"author_profile":144,"description":145,"short_description":146,"active_installs":124,"downloaded":147,"rating":148,"num_ratings":149,"last_updated":150,"tested_up_to":16,"requires_at_least":151,"requires_php":152,"tags":153,"homepage":156,"download_link":157,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":158,"fetched_at":31},"sg-security","Security Optimizer – The All-In-One Protection Plugin","1.5.9","SiteGround","https:\u002F\u002Fprofiles.wordpress.org\u002Fsiteground\u002F","\u003Cp>\u003Cstrong>Bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots, with our free WordPress security plugin – Security Optimizer.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Proactively monitor your site’s security to detect any suspicious activity and take immediate actions to protect your site and prevent further damage with these essential features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enable \u003Cstrong>2FA (Two-Factor 
Authentication)\u003C\u002Fstrong> for an extra layer of website security\u003C\u002Fli>\n\u003Cli>Set \u003Cstrong>Limit Login Attempts\u003C\u002Fstrong> to deter malicious login attempts and brute-force attacks\u003C\u002Fli>\n\u003Cli>Change your default login URL to \u003Cstrong>Custom Login URL\u003C\u002Fstrong> to avoid attacks\u003C\u002Fli>\n\u003Cli>Activate \u003Cstrong>Advanced XSS Protection\u003C\u002Fstrong> to fortify your website against malicious attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lock and Protect System Folders\u003C\u002Fstrong> to ensure no unauthorized or malicious scripts can be executed in your system folders\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Themes & Plugins Editor\u003C\u002Fstrong> to safeguard your website from unauthorized access via the WordPress editor\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide WordPress Version\u003C\u002Fstrong> effortlessly, keeping it hidden from prying eyes\u003C\u002Fli>\n\u003Cli>Use \u003Cstrong>Activity Log\u003C\u002Fstrong> to monitor your site and quickly prevent malicious actions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Post-Hack Actions\u003C\u002Fstrong> to take immediate actions and prevent further damages\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Developed by the website security experts at \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Fwordpress-plugins\u002Fsiteground-security\" rel=\"nofollow ugc\">SiteGround\u003C\u002Fa> and trusted by over 900,000 webmasters for its robust security shield and ease of use to safeguard WordPress applications from possible attacks on any hosting platform.\u003C\u002Fp>\n\u003Ch4>AWARDS:\u003C\u002Fh4>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.templatemonster.com\u002Fawards\u002Fwinners-2022\u002F\" rel=\"nofollow ugc\">Monster Awards 2022\u003C\u002Fa>: Best WordPress Security Plugin 🥇\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.templatemonster.com\u002Fawards\u002Fwinners-2021\u002F\" rel=\"nofollow ugc\">Monster Awards 
2021\u003C\u002Fa>: Best WordPress Security Plugin 🥇\u003C\u002Fp>\n\u003Ch4>Plugin Video\u003C\u002Fh4>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FFOheCz7sm9A?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch4>Plugin Tutorial\u003C\u002Fh4>\n\u003Cp>Unveil the vast array of features and unleash the full potential of our security plugin in our \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Ftutorials\u002Fwordpress\u002Fsg-security\u002F\" rel=\"nofollow ugc\">Security Optimizer Tutorial\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>SITE PROTECTION FEATURES\u003C\u002Fh3>\n\u003Cp>Safeguard your WordPress application using our powerful site security toolset. Our comprehensive features are specifically designed to strengthen your website’s defenses against malware, exploits, and various malicious activities. With these tools at your disposal, you can ensure the utmost bot, malware and brute force protection for your website:\u003C\u002Fp>\n\u003Ch4>Lock and Protect System Folders\u003C\u002Fh4>\n\u003Cp>Ensure the maximum security for your application’s system folders by preventing the execution of any unauthorized or malicious scripts. 
The Lock and Protect System Folders feature acts as a powerful shield against potential threats.\u003C\u002Fp>\n\u003Ch4>Hide WordPress Version\u003C\u002Fh4>\n\u003Cp>Protect your website from mass attacks by hiding the WordPress version, which helps to mitigate version-specific vulnerabilities.\u003C\u002Fp>\n\u003Ch4>Disable Themes & Plugins Editor\u003C\u002Fh4>\n\u003Cp>Enhance the security of your WordPress admin area by disabling the Themes & Plugins Editor, preventing potential coding errors and unauthorized access through the editor.\u003C\u002Fp>\n\u003Ch4>Disable XML-RPC\u003C\u002Fh4>\n\u003Cp>Mitigate potential security risks by disabling the XML-RPC protocol, which has been exploited in various attacks. Please note that disabling XML-RPC will restrict WordPress from communicating with third-party systems. We recommend enabling this feature unless you have a specific need for it.\u003C\u002Fp>\n\u003Ch4>Disable RSS and ATOM Feeds\u003C\u002Fh4>\n\u003Cp>Prevent content scraping and specific attacks on your site by disabling RSS and ATOM feeds. Unless you have readers accessing your site via RSS readers, it is recommended to keep this feature enabled.\u003C\u002Fp>\n\u003Ch4>Advanced XSS Protection\u003C\u002Fh4>\n\u003Cp>Add an extra layer of website security against cross-site scripting (XSS) attacks by enabling Advanced XSS Protection, bolstering the overall security of your website.\u003C\u002Fp>\n\u003Ch4>Delete Default Readme.html\u003C\u002Fh4>\n\u003Cp>Eliminate potential vulnerabilities by deleting the default readme.txt file, which contains information about your website. By removing this file, you reduce the risk of your site being listed in vulnerable sites targeted by hackers.\u003C\u002Fp>\n\u003Ch3>Login Security\u003C\u002Fh3>\n\u003Ch4>Custom Login Url\u003C\u002Fh4>\n\u003Cp>Personalize your login URL to thwart potential attacks and create a strong entry point. 
Bid farewell to the default login URL and embrace a bespoke path of your choosing. Additionally, you have the freedom to modify the default sign-up URL as well.\u003C\u002Fp>\n\u003Ch4>Login Access\u003C\u002Fh4>\n\u003Cp>Restrict login page access to specific IP addresses or IP ranges, effectively thwarting malicious login attempts and deterring brute force attacks.\u003C\u002Fp>\n\u003Ch4>2FA (Two-Factor Authentication)\u003C\u002Fh4>\n\u003Cp>Immerse your website in an impenetrable shield of security with 2FA. This formidable feature demands that all admin users furnish a unique token, generated exclusively through the Google Authentication application, during the login process.\u003C\u002Fp>\n\u003Ch4>Disable Common Usernames\u003C\u002Fh4>\n\u003Cp>Don’t fall victim to predictable security breaches! The use of common usernames, such as ‘admin,’ poses a significant threat to the integrity of your website. Activate this option to disable the creation of common usernames. If any weak usernames already exist, we’ll prompt you to provide new, stronger alternatives.\u003C\u002Fp>\n\u003Ch4>Limit Login Attempts\u003C\u002Fh4>\n\u003Cp>Maintain control over unauthorized access attempts with Limit Login Attempts. Set a specific threshold for the number of login failures users can endure before consequences arise. After reaching the limit, the IP address associated with the unsuccessful login attempts will be blocked for one hour. Persistent failures will result in longer restrictions, starting with 24 hours and escalating to a week.\u003C\u002Fp>\n\u003Ch3>ACTIVITY MONITORING\u003C\u002Fh3>\n\u003Cp>Monitor your website and login page for unauthorized visitors and brute force attempts to prevent malicious actions\u003C\u002Fp>\n\u003Ch4>Activity Log\u003C\u002Fh4>\n\u003Cp>The Activity Log page provides you with a comprehensive view of the activities performed by registered, unknown, and blocked visitors. 
It allows you to closely monitor any suspicious behavior and take appropriate actions in case of a compromised user, plugin, or hacking attempt. You can leverage the quick tools available to swiftly block future attempts.\u003C\u002Fp>\n\u003Ch4>Weekly Security Reports\u003C\u002Fh4>\n\u003Cp>Receive a weekly traffic summary for your website directly to your inbox. This \u003Cstrong>Weekly Security Report\u003C\u002Fstrong> compiles data on both bot and human traffic, along with details about blocked login and visit attempts to proactively monitor traffic and promptly identify suspicious activity.\u003C\u002Fp>\n\u003Ch3>POST-HACK ACTIONS\u003C\u002Fh3>\n\u003Cp>Take immediate measures to protect your website if you suspect a compromise and prevent further damage. Here, you’ll find convenient solutions to address the situation effectively:\u003C\u002Fp>\n\u003Ch4>Reinstall All Free Plugins\u003C\u002Fh4>\n\u003Cp>In the event of a hack, utilizing the Reinstall All Free Plugins feature can help mitigate potential harm. This action reinstalls all of your free plugins, reducing the likelihood of additional exploits or the reuse of malicious code.\u003C\u002Fp>\n\u003Ch4>Log Out All Users\u003C\u002Fh4>\n\u003Cp>To prevent any further unauthorized activities by users or attackers, you can choose to log out all users instantly using the Log Out All Users feature.\u003C\u002Fp>\n\u003Ch4>Force Password Reset\u003C\u002Fh4>\n\u003Cp>By enforcing a password reset, you can ensure that all users are prompted to change their passwords during their next login. 
This not only strengthens the security of their accounts but also immediately logs out all currently logged-in users.\u003C\u002Fp>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress 4.7\u003C\u002Fli>\n\u003Cli>PHP 7.0\u003C\u002Fli>\n\u003Cli>Working .htaccess file\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Data Collection\u003C\u002Fh3>\n\u003Cp>Collection of technical data is optional and is \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Fkb\u002Fwhat-information-wp-plugins-collect\" rel=\"nofollow ugc\">listed here\u003C\u002Fa>. This data is collected only for technical analysis, improvements and the possibility to contact the plugin user in case urgent issues need to be fixed (for example a critical security release that needs to be communicated to site owners). The plugin user can manage their preferences within the WP admin to control the collection of technical data. We advise opting in for this data collection, as it can enhance the plugin’s performance. You may find more information on data collection in our \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Fviewtos\u002Fsiteground_plugins_privacy_notice\" rel=\"nofollow ugc\">Plugins Privacy Notice\u003C\u002Fa>.\u003C\u002Fp>\n","Secure your WordPress site from brute-force attacks, threats, malware, and bots. 
Free to use and easy to set up.",31890492,90,153,"2026-01-15T09:21:00.000Z","4.7","7.0",[20,21,154,23,155],"malware-scanner","web-application-firewall","https:\u002F\u002Fsiteground.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsg-security.1.5.9.zip","2025-11-30 00:00:00",{"slug":160,"name":161,"version":162,"author":163,"author_profile":164,"description":165,"short_description":166,"active_installs":167,"downloaded":168,"rating":13,"num_ratings":169,"last_updated":170,"tested_up_to":16,"requires_at_least":171,"requires_php":172,"tags":173,"homepage":174,"download_link":175,"security_score":13,"vuln_count":176,"unpatched_count":29,"last_vuln_date":177,"fetched_at":31},"defender-security","Defender Security – Malware Scanner, Login Security & Firewall","5.10.0","WPMU DEV - Your All-in-One WordPress Platform","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpmudev\u002F","\u003Cp>\u003Cstrong>Defender adds the best in WordPress plugin security to your website with just a few clicks, including malware scanner, firewall, password protection, and login security features. 
Stop brute force login attacks, weak password usage, SQL injections, cross-site scripting (XSS), and other WordPress security vulnerabilities and hacks with Defender’s malware scanner, providing antivirus scans, IP blocking, firewall, activity log, security log, and two-factor authentication (2FA) login security.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>No more complex security settings, Defender’s malware scanner, firewall, and login security features add all the hardening and security you need.\u003C\u002Fp>\n\u003Cp>Defender is brought to you by the WordPress speed specialists that created Smush image optimization, now active on more than +1 million websites.\u003C\u002Fp>\n\u003Cp>Plus, connect for free to WPMU DEV’s AntiBot Global Firewall to block harmful IPs with data from over 750,000 sites.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Enjoy complete site protection from malware, vulnerabilities, bot attacks, and session hijacking from the start with \u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fproject\u002Fwp-defender\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme-above-the-fold&utm_content=wp_defender_pro\" rel=\"nofollow ugc\">Defender Pro\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Level up security immediately with exclusive Pro features like scheduled malware scanning, Safe Repair for suspicious files, and known WordPress vulnerability detection. 
\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fproject\u002Fwp-defender\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme-above-the-fold&utm_content=wp_defender_pro\" rel=\"nofollow ugc\">Learn more about Pro\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Security Recommendations\u003C\u002Fh3>\n\u003Cp>Defender’s one-click security hardening recommendations instantly adds layers of protection and security to your site.\u003C\u002Fp>\n\u003Ch3>Enhance Security and Block Hackers At Every Level:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malware Scanner\u003C\u002Fstrong> – Scan WordPress core files for modifications and unexpected changes which may be caused by malware. Scan for malware and tighten up the security of your files.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Outdated & Removed Plugins\u003C\u002Fstrong> – Scans for plugins removed from WordPress.org or not updated in 2+ years.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>AntiBot Global Firewall\u003C\u002Fstrong> – Connect for free to WPMU DEV to block harmful IPs with data from over 750,000 sites.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress Security Firewall\u003C\u002Fstrong> – Block or allowlist IPs, implement IP blocking, and Geo IP blocking, user agent banning and protect against brute force attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Two-Factor Authentication (2FA)\u003C\u002Fstrong> – Easily set up better security with 2FA to prevent most login attacks such as brute force, App verification, backup codes, lost device email, WooCommerce 2FA, and Web Authentication.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Masking\u003C\u002Fstrong> – Change the location of WordPress’s default login area to improve login security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login Lockout\u003C\u002Fstrong> – Failed login attempts lockout for even more security assurance.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Agent Banning\u003C\u002Fstrong> – Fortify security by blocking bad bots and user 
agents from accessing your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Headers\u003C\u002Fstrong> – Add an extra layer of defense security and protect against common attacks like: XSS, code injection, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>404 Detection Security\u003C\u002Fstrong> – Automated block of bot IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Configs\u003C\u002Fstrong> – Create your ideal Defender security plugin settings and export \u002F import saved configs to any other site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geolocation IP Lockout Security\u003C\u002Fstrong> – Block users based on location and country (IP blocking).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Trackbacks And Pingbacks\u003C\u002Fstrong> – Disable these notifications to enhance spam protection and site security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Core And Server Update Security Recommendations\u003C\u002Fstrong> – Stay on top of your system security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Antivirus Scan\u003C\u002Fstrong> – Scan for active security threats, viruses, and other malware.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable File Editor\u003C\u002Fstrong> – If they get in, they won’t get far.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Error Reporting\u003C\u002Fstrong> – Hide code errors on the frontend so hackers can’t exploit site security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Update Security Keys\u003C\u002Fstrong> – Update old WordPress security keys to be more encrypted and provide better security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent Information Disclosure\u003C\u002Fstrong> – Improve server security and protect sensitive files by locking down specific file types.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent PHP Execution\u003C\u002Fstrong> – Defender bolsters security by automatically preventing any PHP code from being executed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Bulk Apply Security Recommendations\u003C\u002Fstrong> – Apply 
multiple recommended security improvements at once for quicker site hardening.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Google reCAPTCHA Security\u003C\u002Fstrong> – Easy to add, stop fraud and abuse – including BuddyPress and WooCommerce.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cloudflare Turnstile\u003C\u002Fstrong> – Captcha-free protection from spam and automated attacks, including BuddyPress and WooCommerce support.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Pwned Password Check\u003C\u002Fstrong> – Increase security by protecting against compromised passwords.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Force Password Reset\u003C\u002Fstrong> – Force users with selected roles to reset passwords.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Force Strong Passwords\u003C\u002Fstrong> – Ensure users create secure credentials by enforcing robust password requirements.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Agent Blocklist Presets\u003C\u002Fstrong> – Easily block unwanted bots and scripts using curated user agent presets.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Known Vulnerability & Suspicious Code Scan (Pro Only)\u003C\u002Fstrong> – Scan WordPress core, themes, and plugins for vulnerabilities and harmful code.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Malicious Bot Detector (Pro Only)\u003C\u002Fstrong> – Block malicious bots with layered defenses, including traps for bots that ignore robots.txt and checks for fake crawlers posing as search engines.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Google Blocklist Monitoring (Pro Only)\u003C\u002Fstrong> – Get instant alerts if your site is flagged by Google.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Session Protection (Pro Only)\u003C\u002Fstrong> – Stop session hijacking and prevent unauthorized account access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Safe Repair For Suspicious Files (Pro Only)\u003C\u002Fstrong> – Restore or replace compromised files safely with a single click.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automated Reports (Pro 
Only)\u003C\u002Fstrong> – Receive scheduled security reports straight to your inbox.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Learn The Ropes With These Hands-On Defender Security Plugin Tutorials\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fblog\u002Fhow-to-get-the-most-out-of-defender-security\u002F\" rel=\"nofollow ugc\">How to Get the Most Out of Defender Security\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fblog\u002Fstop-hackers-with-defender-wordpress-security-plugin\u002F\" rel=\"nofollow ugc\">How to Stop Hackers in Their Tracks with Defender Security\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fblog\u002Fdelete-suspicious-code-defender\u002F\" rel=\"nofollow ugc\">Find Out if You’re Hacked: How to Find and Delete Suspicious Code with Defender Security\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fblog\u002Fdefender-ip-address-lockout-firewall\u002F\" rel=\"nofollow ugc\">How to Create a Powerful and Secure Customized Firewall with Defender Security\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>WordPress Security Scans\u003C\u002Fh3>\n\u003Cp>Defender’s malware scanner security checks for suspicious code and malware. It also compares your WordPress install with the WP directory master copy, and reports any changes so you can restore the original file with a click.\u003C\u002Fp>\n\u003Ch3>Two-Factor Authentication (2FA) Security\u003C\u002Fh3>\n\u003Cp>Easily add an extra layer of protection and security to your WordPress sites with Defender’s two-factor authentication (2FA) features. Including: mobile app verification (Google Authenticator, Microsoft Authenticator, Authy), backup code generation, lost device emails, WooCommerce 2FA, Biometric Authentication (fingerprint\u002Ffacial recognition), and Hardware Key Authentication (USB security keys). 
Easily prevent brute force attacks and login security vulnerabilities.\u003C\u002Fp>\n\u003Ch3>Login Protection\u003C\u002Fh3>\n\u003Cp>Brute force attacks are no match for Defender’s login security. Limit login attempts so hackers can’t guess passwords. Permanently ban IPs or trigger a timed lockout after a set number of failed login attempts. Use Geo IP blocking to ban users from specific countries or locations.\u003C\u002Fp>\n\u003Ch3>Firewall Security and IP Manager\u003C\u002Fh3>\n\u003Cp>Improve your website security with Defender’s IP manager and firewall. Manually block specific IPs, import a list of banned IPs, and set automated timed and permanent lockouts. Defender makes it easy to block and unblock specific locations quickly thanks to its advanced firewall security(WAF) offering Geographical IP blocking.\u003C\u002Fp>\n\u003Ch3>User Agent Banning\u003C\u002Fh3>\n\u003Cp>Add user agents to the block or allowlist and stop bad bots from spamming and scraping your site. All major search engines and special network bots are allow-listed out of the box. Easy to set up, Defender’s user agent banning tool now includes built-in bot and script presets to help you quickly block malicious traffic. It does all the security work for you—no editing of the .htaccess file required.\u003C\u002Fp>\n\u003Ch3>Google reCAPTCHA Integration\u003C\u002Fh3>\n\u003Cp>Add reCAPTCHA security to your login \u002F registration pages, lost password forms, and post comments in a couple of steps to up security and help protect from fraud and abuse. Select reCAPTCHA type, language, location, and style to suit. As well as Google, Defender also supports the following reCAPTCHA types:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>BuddyPress reCAPTCHA\u003C\u002Fli>\n\u003Cli>WooCommerce reCAPTCHA\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Login Screen Masking\u003C\u002Fh3>\n\u003Cp>Defender makes it easy to move your login screen to a custom URL. 
Not only does login screen masking improve security, but it also lets you white label your login user experience and improves branding.\u003C\u002Fp>\n\u003Ch3>Force Password Reset\u003C\u002Fh3>\n\u003Cp>Enhance site security by forcing all users with selected roles to reset their password at any time. Especially helpful if you suspect a possible data breach on your site.\u003C\u002Fp>\n\u003Ch3>Security Headers\u003C\u002Fh3>\n\u003Cp>Protect your site against common attacks, such as cross-site scripting (XSS), code injection, and more. Enable the following security headers:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-XSS-Protection\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>404 Limiter\u003C\u002Fh3>\n\u003Cp>Detect when bots are being used to scan your site for security vulnerabilities and shut them down. The 404 limiter lets you stop the scan by detecting when a bot keeps visiting pages that do not exist, which can also save you from a giant strain on your site’s performance.\u003C\u002Fp>\n\u003Ch3>Security Notifications and Reports\u003C\u002Fh3>\n\u003Cp>Defender runs surveillance and sends security notifications with information that matters. All activity and notifications are recorded in the activity log to let you see at a glance the website security actions that have been taken by the Defender security plugin.\u003C\u002Fp>\n\u003Ch3>Reduce Security Setup Time With Saved Configs\u003C\u002Fh3>\n\u003Cp>Save your Defender security plugin configurations and reapply them to your other sites in just a few clicks. You can create and save an unlimited number of security configurations.\u003C\u002Fp>\n\u003Ch3>Pwned Password Check\u003C\u002Fh3>\n\u003Cp>Entered passwords are checked against public database breach records to further boost security. 
If a password is identified as compromised, the user will be asked to change it.\u003C\u002Fp>\n\u003Ch3>Custom IP Block\u002FAllowlist\u003C\u002Fh3>\n\u003Cp>Create your IP block\u002Fallow list once, then apply and automatically sync it to all your other sites with just a single click. Save hours by not having to manually add IPs to each individual site. *Note: a \u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fregister\" rel=\"nofollow ugc\">free WPMU DEV account\u003C\u002Fa> is required to access this feature.\u003C\u002Fp>\n\u003Ch3>What Do People Say About Defender?\u003C\u002Fh3>\n\u003Cp>★★★★★\u003Cbr \u002F>\n“I found other pro security plugins a bit too fiddly for my taste…I’m delighted with Defender” – \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fkeithadv\" rel=\"nofollow ugc\">KeithADV\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>★★★★★\u003Cbr \u002F>\n“Thank you for bringing back a free and easy to use 2-Factor Authentication after Clef! Defender helps keep me aware of my site’s security.” – \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fusers\u002Fawijasa\u002F\" rel=\"ugc\">awijasa\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>★★★★★\u003Cbr \u002F>\n“Defender’s interface is very intuitive with warnings that are very helpful” – \u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fprofile\u002Fdjohns\" rel=\"nofollow ugc\">djohns\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>★★★★★\u003Cbr \u002F>\n“Defender Recently blocked over 3000 attacks in one week without any noticeable impact on the website. 
WPMUDEV knocking it out of the park on this one.” – \u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002Fprofile\u002Fdavidoswald\u002F\" rel=\"nofollow ugc\">David Oswald\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Secure Websites, More Trust, Better Profit\u003C\u002Fh3>\n\u003Cp>If you’re running a business website or eCommerce store, privacy, security, uptime and trust are essential.\u003C\u002Fp>\n\u003Cp>The Defender security plugin is here to help you: it’s a one of a kind WordPress security plugin that makes web security easy for anyone, for free!\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Malware scanner\u003C\u002Fli>\n\u003Cli>Google two-factor authentication (2FA)\u003C\u002Fli>\n\u003Cli>Web Authentication\u003C\u002Fli>\n\u003Cli>Firewall setup and configuration\u003C\u002Fli>\n\u003Cli>One-click site hardening and security tweaking\u003C\u002Fli>\n\u003Cli>WordPress core file scanning and repair\u003C\u002Fli>\n\u003Cli>Ongoing firewall security\u003C\u002Fli>\n\u003Cli>Google reCAPTCHA\u003C\u002Fli>\n\u003Cli>Security headers\u003C\u002Fli>\n\u003Cli>One-click security configs\u003C\u002Fli>\n\u003Cli>Login Screen Masking\u003C\u002Fli>\n\u003Cli>Pwned Password Check\u003C\u002Fli>\n\u003Cli>IP Blocklist manager and logging\u003C\u002Fli>\n\u003Cli>Geo IP blocking\u003C\u002Fli>\n\u003Cli>User agent banning\u003C\u002Fli>\n\u003Cli>Unlimited file scans\u003C\u002Fli>\n\u003Cli>Timed Lockout brute force login attack shield for login security\u003C\u002Fli>\n\u003Cli>404 limiter for blocking vulnerability scans\u003C\u002Fli>\n\u003Cli>IP lockout notifications and security reports\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>All the above is free and will enhance WordPress security for you. 
If you need extra security for your WordPress site, \u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=you_should_get_wpmudev_membership#trial\" rel=\"nofollow ugc\">you should get a WPMU DEV Membership\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Our Membership gives you access to Defender Pro – whose security features include automated scanning, scheduled malware scans for Core, themes, plugins and other files, audit logs, firewall protection, Safe Repair, Blocklist monitoring – alongside Snapshot Pro cloud backups, the Hub with automated plugin, theme and core updates and safe-upgrade scans, all our premium WordPress plugins, and 24\u002F7 WordPress support. And if your site’s already been hacked, our team of security experts will clean it up at no additional cost.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=and_you_can_find_out_more_here#trial\" rel=\"nofollow ugc\">It’s an incredible deal, and you can find out more here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>About Us\u003C\u002Fh3>\n\u003Cp>WPMU DEV is a premium supplier of quality WordPress plugins and themes. 
For premium support with any WordPress-related issues you can join us here:\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=wpmu_dev_link\" rel=\"nofollow ugc\">https:\u002F\u002Fwpmudev.com\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Don’t forget to stay up to date on everything WordPress from the Internet’s number one resource:\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpmudev.com\u002F?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=wpmu_dev_blog_link\" rel=\"nofollow ugc\">WPMU DEV Blog\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Hey, one more thing… we hope you \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002FWPMUDEV\u002F\" rel=\"nofollow ugc\">enjoy our free offerings\u003C\u002Fa> as much as we’ve loved making them for you!\u003C\u002Fp>\n","WordPress security plugin with malware scanner, IP blocking, audit logs, antivirus scans, firewall, 2FA, brute force login security, and more.",90000,4036012,329,"2026-03-03T11:21:00.000Z","6.4","8.0.0",[20,131,22,154,23],"https:\u002F\u002Fwpmudev.com\u002Fproject\u002Fwp-defender\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdefender-security.5.10.0.zip",7,"2024-06-28 00:00:00",{"slug":179,"name":180,"version":181,"author":182,"author_profile":183,"description":184,"short_description":185,"active_installs":11,"downloaded":186,"rating":13,"num_ratings":187,"last_updated":188,"tested_up_to":16,"requires_at_least":17,"requires_php":152,"tags":189,"homepage":191,"download_link":192,"security_score":193,"vuln_count":194,"unpatched_count":29,"last_vuln_date":195,"fetched_at":31},"bulletproof-security","BulletProof Security","7.1","AITpro","https:\u002F\u002Fprofiles.wordpress.org\u002Faitpro\u002F","\u003Cp>WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam… View Security feature highlights below. 
View BulletProof Security feature details under the FAQ help section below. Effective, Reliable & Easy to use WordPress Security Plugin.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>BulletProof Security is a proactive security plugin that automatically fixes 100+ known issues\u002Fconflicts with other plugins\u003C\u002Fstrong>.\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fforum.ait-pro.com\u002Fforums\u002Ftopic\u002Fsetup-wizard-autofix\u002F\" title=\"BPS Setup Wizard AutoFix\" rel=\"nofollow ugc\">BPS Setup Wizard AutoFix\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>BulletProof Security Installation and Setup Video Tutorial\u003C\u002Fh4>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FRZ1ARaEE0_I?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>BulletProof Security Feature Highlights\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>One-Click Setup Wizard\u003C\u002Fli>\n\u003Cli>Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)\u003C\u002Fli>\n\u003Cli>MScan Malware Scanner\u003C\u002Fli>\n\u003Cli>.htaccess Website Security Protection (Firewalls)\u003C\u002Fli>\n\u003Cli>Hidden Plugin Folders|Files Cron (HPF)\u003C\u002Fli>\n\u003Cli>Login Security & Monitoring\u003C\u002Fli>\n\u003Cli>JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)\u003C\u002Fli>\n\u003Cli>Idle Session Logout (ISL)\u003C\u002Fli>\n\u003Cli>Auth Cookie Expiration (ACE)\u003C\u002Fli>\n\u003Cli>DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups\u003C\u002Fli>\n\u003Cli>DB Table Prefix 
Changer\u003C\u002Fli>\n\u003Cli>Security Logging\u003C\u002Fli>\n\u003Cli>HTTP Error Logging\u003C\u002Fli>\n\u003Cli>FrontEnd|BackEnd Maintenance Mode\u003C\u002Fli>\n\u003Cli>Extensive System Info (System Info page)\u003C\u002Fli>\n\u003Cli>WordPress Automatic Update Options\u003C\u002Fli>\n\u003Cli>Force Strong Passwords (FSP)\u003C\u002Fli>\n\u003Cli>Send email alerts when new Plugin & Theme updates are available\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>BulletProof Security Pro Feature Highlights\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>One-Click Setup Wizard\u003C\u002Fli>\n\u003Cli>Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)\u003C\u002Fli>\n\u003Cli>AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)\u003C\u002Fli>\n\u003Cli>Quarantine Intrusion Detection & Prevention System (ARQ IDPS)\u003C\u002Fli>\n\u003Cli>Real-time File Monitor (IDPS)\u003C\u002Fli>\n\u003Cli>MScan Malware Scanner\u003C\u002Fli>\n\u003Cli>DB Monitor Intrusion Detection System (IDS)\u003C\u002Fli>\n\u003Cli>DB Diff Tool: data comparison tool\u003C\u002Fli>\n\u003Cli>DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups\u003C\u002Fli>\n\u003Cli>DB Status & Info: extensive database status & info\u003C\u002Fli>\n\u003Cli>Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updated in Real-time\u003C\u002Fli>\n\u003Cli>JTC Anti-Spam|Anti-Hacker\u003C\u002Fli>\n\u003Cli>Uploads Folder Anti-Exploit Guard (UAEG)\u003C\u002Fli>\n\u003Cli>.htaccess Website Security Protection (Firewalls)\u003C\u002Fli>\n\u003Cli>Hidden Plugin Folders|Files Cron (HPF)\u003C\u002Fli>\n\u003Cli>Custom php.ini Website Security\u003C\u002Fli>\n\u003Cli>Login Security & Monitoring w\u002FDashboard Alerting|Status Display & additional options\u002Ffeatures\u003C\u002Fli>\n\u003Cli>Idle Session Logout (ISL)\u003C\u002Fli>\n\u003Cli>Auth Cookie Expiration (ACE)\u003C\u002Fli>\n\u003Cli>File|Folder Lock: File Locking | Detect & 
Lock Folders that were not created by you\u003C\u002Fli>\n\u003Cli>FrontEnd|BackEnd Maintenance Mode\u003C\u002Fli>\n\u003Cli>Security Logging\u003C\u002Fli>\n\u003Cli>HTTP Error Logging\u003C\u002Fli>\n\u003Cli>PHP Error Logging\u003C\u002Fli>\n\u003Cli>DB Table Prefix Changer\u003C\u002Fli>\n\u003Cli>Pro-Tools: 16 mini-plugins\u003C\u002Fli>\n\u003Cli>Heads Up Dashboard Status Display\u003C\u002Fli>\n\u003Cli>Extensive System Info (System Info page)\u003C\u002Fli>\n\u003Cli>WordPress Automatic Update Options\u003C\u002Fli>\n\u003Cli>Force Strong Passwords (FSP)\u003C\u002Fli>\n\u003Cli>Send email alerts when new Plugin & Theme updates are available\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.ait-pro.com\u002Fbps-features\u002F\" title=\"BulletProof Security Features\" rel=\"nofollow ugc\">View All BulletProof Security Pro Feature Details\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>BulletProof Security Recommended Video Tutorials\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fforum.ait-pro.com\u002Fvideo-tutorials\u002F#custom-code\" title=\"BulletProof Security Custom Code Video Tutorial\" rel=\"nofollow ugc\">BulletProof Security Custom Code Video Tutorial\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fforum.ait-pro.com\u002Fvideo-tutorials\u002F#security-log-firewall\" title=\"BulletProof Security Security Log Video Tutorial\" rel=\"nofollow ugc\">BulletProof Security Security Log Video Tutorial\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Help Info\u003C\u002Fh3>\n\u003Cp>For details about BulletProof Security plugin features and frequently asked questions see the \u003Ca href=\"https:\u002F\u002Fforum.ait-pro.com\u002Fforums\u002Ftopic\u002Fbulletproof-security-plugin-frequently-asked-questions\u002F\" title=\"AIT-pro.com Forum\" rel=\"nofollow ugc\">BulletProof Security Plugin Frequently Asked Questions\u003C\u002Fa> forum topic. 
Extensive Help Info can be found on the \u003Ca href=\"https:\u002F\u002Fforum.ait-pro.com\u002Fforums\u002Ftopic\u002Fread-me-first-free\u002F#bps-free-general-troubleshooting\" title=\"AIT-pro.com Forum\" rel=\"nofollow ugc\">AIT-pro.com Forum\u003C\u002Fa> website and by clicking the Question Mark Help buttons on BulletProof Security plugin pages.\u003C\u002Fp>\n","WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam...",4509595,674,"2025-12-08T15:11:00.000Z",[20,131,154,190,23],"secure","https:\u002F\u002Fforum.ait-pro.com\u002Fread-me-first\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbulletproof-security.7.1.zip",89,12,"2026-01-06 00:00:00",{"slug":197,"name":198,"version":199,"author":200,"author_profile":201,"description":202,"short_description":203,"active_installs":204,"downloaded":205,"rating":111,"num_ratings":206,"last_updated":207,"tested_up_to":16,"requires_at_least":151,"requires_php":208,"tags":209,"homepage":211,"download_link":212,"security_score":206,"vuln_count":48,"unpatched_count":29,"last_vuln_date":213,"fetched_at":31},"security-ninja","Security Ninja – WordPress Security Plugin & Firewall","5.272","cleverplugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fcleverplugins\u002F","\u003Cp>Security Ninja is a lightweight \u003Cstrong>WordPress security plugin\u003C\u002Fstrong> that helps protect your site from common attacks and security mistakes — without turning your dashboard into a cockpit.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Free includes a basic Web Application Firewall (WAF)\u003C\u002Fstrong> (based on the 8G ruleset) to block common malicious requests, plus 50+ security checks, a full vulnerability scanner, and a core integrity scanner to spot risky settings and unexpected file changes.\u003C\u002Fp>\n\u003Cp>Upgrade to Pro if you need deeper protection like advanced malware scanning\u002Fcleanup, stronger WAF controls (e.g. 
country blocking), and more automation\u002Falerting.\u003C\u002Fp>\n\u003Cp>This plugin can be downloaded for free without any paid subscription from \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-ninja\u002F\" rel=\"ugc\">the official WordPress repository\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why Security Ninja\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Included for free\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Basic Firewall (8G-based)\u003C\u002Fstrong> – Blocks common malicious requests and bot noise before it becomes a problem.\u003Cbr \u002F>\n– \u003Cstrong>50+ Security Tests\u003C\u002Fstrong> – Fast audit of common WordPress security misconfigurations.\u003Cbr \u002F>\n– \u003Cstrong>Vulnerability Scanner\u003C\u002Fstrong> – Highlights known issues in plugins\u002Fthemes so you can patch faster.\u003Cbr \u002F>\n– \u003Cstrong>Core Scanner\u003C\u002Fstrong> – Detect modified or unexpected files in WordPress core folders.\u003Cbr \u002F>\n– \u003Cstrong>Basic Events Logger\u003C\u002Fstrong> – Logs \u003Cstrong>firewall events\u003C\u002Fstrong> and \u003Cstrong>login attempts (successful\u002Ffailed)\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Pro adds\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Advanced Malware Scanner\u003C\u002Fstrong> – Detect and clean malicious code and suspicious files.\u003Cbr \u002F>\n– \u003Cstrong>Advanced Firewall\u002FWAF controls\u003C\u002Fstrong> – e.g. 
country blocking, stronger rules and automation.\u003Cbr \u002F>\n– \u003Cstrong>Secure Login & 2FA\u003C\u002Fstrong> – Add stronger authentication and login protections.\u003Cbr \u002F>\n– \u003Cstrong>Automation & reporting\u003C\u002Fstrong> – Scheduled scans, reports, and advanced tracking.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security Ninja is a lightweight \u003Cstrong>WordPress firewall plugin\u003C\u002Fstrong> and security toolkit designed to protect your website from hackers, malware, brute-force attacks, and known vulnerabilities — without slowing it down.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Comprehensive WordPress Security Testing\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security Ninja performs 50+ advanced security tests to identify vulnerabilities before hackers exploit them. This includes:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Brute-force protection\u003C\u002Fstrong> – Blocks unauthorized login attempts to prevent forced entry.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File integrity monitoring\u003C\u002Fstrong> – Detects unauthorized changes to WordPress core files, themes, and plugins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Database security checks\u003C\u002Fstrong> – Identifies weak database permissions and potential SQL injection threats.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User role audits\u003C\u002Fstrong> – Ensures no unauthorized administrator accounts exist.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security misconfiguration scans\u003C\u002Fstrong> – Identifies and fixes weak settings that could compromise security.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Enhanced Vulnerability Scanner\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Stay Ahead of Threats\u003C\u002Fstrong> – Our vulnerability scanner proactively alerts you to known vulnerabilities, allowing you to address potential threats before they exploit your 
website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Protection\u003C\u002Fstrong> – Security Ninja not only checks and warns for common issues but also checks for known vulnerabilities in plugins and themes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Peace of Mind\u003C\u002Fstrong> – Knowing your site is monitored for the latest vulnerabilities means you can focus on what matters most, growing your business and creating content, worry-free.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Core Scanner – Comprehensive Protection for Your WordPress Installation\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The Core Scanner module adds a critical layer of security by ensuring your WordPress installation remains untampered and free of unauthorized files.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Full Core File Integrity Check\u003C\u002Fstrong>: Every file in your core WordPress folders is scanned to ensure it hasn’t been modified or compromised.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detection of Unknown Files\u003C\u002Fstrong>: The scanner flags any extra or unknown files in your core WordPress directories, alerting you to potential threats.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Built-in File Viewer\u003C\u002Fstrong>: Review flagged files directly within your WordPress dashboard using the integrated file viewer for a clear and easy inspection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restore Core Files\u003C\u002Fstrong>: If a core WordPress file has been altered, you can quickly restore it with a single click, ensuring your site is running the official version.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy File Management\u003C\u002Fstrong>: For unknown or suspicious files, you have the option to delete them right from the interface, keeping your WordPress installation clean and secure.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Advanced Malware Scanner – Detect & Remove Malware Instantly (PRO)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security 
Ninja includes a high-performance malware scanner that automatically checks your WordPress core, plugins and themes for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malicious scripts and backdoors\u003C\u002Fstrong> – Identifies hidden malware and harmful injections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Trojan and virus detection\u003C\u002Fstrong> – Scans for suspicious PHP and JavaScript entries.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>One-click malware removal\u003C\u002Fstrong> – Instantly quarantine and delete infected files.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>WordPress Firewall & Real-Time Threat Protection\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security Ninja includes a \u003Cstrong>basic firewall for free\u003C\u002Fstrong> (8G-based) to block common malicious requests. Upgrade to Pro for more advanced WAF controls.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Basic protection (Free)\u003C\u002Fstrong> – Blocks common exploit patterns and bad requests.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Advanced protection (Pro)\u003C\u002Fstrong> – Country blocking, stronger controls, and additional intelligence\u002Fautomation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute-force & bot mitigation\u003C\u002Fstrong> – Reduce noisy and abusive traffic hitting WordPress.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Login Security & Two-Factor Authentication (2FA) (PRO)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Your WordPress login page is a primary target for hackers. Security Ninja enhances login security with:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Two-Factor Authentication (2FA)\u003C\u002Fstrong> – Requires additional verification for safer logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute-force attack protection\u003C\u002Fstrong> – Limits failed login attempts to block unauthorized access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rename login\u003C\u002Fstrong> – Getting a lot of requests to your login form? 
Hide it for spammers.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>One-Click Security Fixes & WordPress Hardening (PRO)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Manually fixing security issues is time-consuming. Security Ninja provides one-click hardening to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Disable XML-RPC\u003C\u002Fstrong> – Blocks common DDoS attacks and brute-force exploits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restrict file editing\u003C\u002Fstrong> – Prevents unauthorized theme and plugin modifications.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide PHP error messages\u003C\u002Fstrong> – Stops hackers from exploiting sensitive error details.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>And many more fixes to harden your WordPress security!\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Events Logger \u002F Activity Tracking\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security Ninja includes a \u003Cstrong>basic events logger for free\u003C\u002Fstrong> so you can see what’s happening on your site.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Free:\u003C\u002Fstrong> firewall events + login attempts (successful\u002Ffailed).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Pro:\u003C\u002Fstrong> deeper tracking, alerting, and reporting.\u003C\u002Fli>\n\u003Cli>Export security logs for audits and compliance reports.\u003C\u002Fli>\n\u003Cli>Includes webhook functionality so you can integrate with other services (e.g. 
Slack\u002FDiscord\u002Fwebhooks).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Automated Security Scans & Reports (PRO)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security Ninja performs scheduled security scans and sends reports directly to your inbox.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Set up daily, weekly, or monthly security scans.\u003C\u002Fli>\n\u003Cli>Receive email alerts about vulnerabilities and malware infections.\u003C\u002Fli>\n\u003Cli>Analyze detailed reports to keep your website secure.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Block Spam & Malicious Bots Instantly (PRO)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Hackers and spammers use bots to exploit WordPress websites. Security Ninja prevents:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Fake registrations and spam comments\u003C\u002Fstrong> – Stops bots from even getting to your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Malicious bot attacks\u003C\u002Fstrong> – Blocks scripts attempting to hack your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unwanted traffic\u003C\u002Fstrong> – Reduces server load by preventing unnecessary bot access.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Join thousands of satisfied users who trust Security Ninja to keep their websites safe. Start protecting your online presence today and help yourself to peace of mind.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why Security Ninja is Best WordPress Security Plugin\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Security Ninja is the best WordPress security plugin because it provides a comprehensive, lightweight, and easy-to-use solution to protect your website from hackers, malware, and vulnerabilities. 
With 50+ security tests, an advanced malware scanner, a firewall, and two-factor authentication (2FA), it ensures complete website protection without slowing down performance.\u003C\u002Fp>\n\u003Cp>Unlike bloated security plugins, Security Ninja is optimized for speed and efficiency. It offers one-click security fixes, automated scans, real-time threat detection, and login protection, making it ideal for beginners and advanced users alike. Trusted since 2011, it keeps thousands of websites secure while offering proactive protection against cyber threats.\u003C\u002Fp>\n\u003Ch3>Extensions\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>MainWP – The MainWP Dashboard allows administrators to manage many WordPress websites from a central location.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Install the \u003Cstrong>FREE \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-ninja-for-mainwp\u002F\" rel=\"ugc\">Security Ninja for MainWP Extension\u003C\u002Fa>\u003C\u002Fstrong> to get an overview of all websites you have installed Security Ninja on!\u003C\u002Fp>\n\u003Cp>https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-ninja-for-mainwp\u002F\u003C\u002Fp>\n\u003Ch3>Security Tests for your website\u003C\u002Fh3>\n\u003Cp>Security Ninja – Your WordPress Guardian\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Immediate Vulnerability Alerts\u003C\u002Fstrong>: Get instant notifications about vulnerabilities to keep your website safe and secure.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Comprehensive One-click Security Audit\u003C\u002Fstrong>: With just one click, perform over 50+ detailed security checks that scrutinize every corner of your site for security vulnerabilities and performance issues.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>You’re in Command\u003C\u002Fstrong>: Security Ninja respects your autonomy, providing insights and recommendations without 
making unsolicited changes to your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Holistic Security Evaluation\u003C\u002Fstrong>: Comprehensive checks on everything from the WordPress core, plugins, and themes to ensure they are up-to-date and secure.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Proactive Defense Strategies\u003C\u002Fstrong>: Equip yourself with the tools and knowledge to prevent attacks before they happen, safeguarding your site from potential threats.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Optimization Beyond Security\u003C\u002Fstrong>: Improve your site’s performance with database optimization tips, ensuring a seamless experience for your users.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Knowledge\u003C\u002Fstrong>: Each test comes with an easy-to-understand explanation, documentation, and actionable steps to fix identified issues.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Customized Security Insights\u003C\u002Fstrong>: Tailored security assessments to check critical updates and configurations specific to your WordPress setup for a personalized protection strategy.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Future-Proof Your Site\u003C\u002Fstrong>: Stay ahead with tests that include the latest WordPress features and best practices for site security.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Prevent Unauthorized Access\u003C\u002Fstrong>: Strengthen your defenses with checks designed to prevent weak passwords and unauthorized file access.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Secure Configuration Checks\u003C\u002Fstrong>: Ensure your website is configured according to security best practices, from file permissions to security headers, for comprehensive protection against threats.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Enhance your website’s 
security, performance, and user experience with Security Ninja – your trusted partner in WordPress protection.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Security Ninja Pro\u003C\u002Fstrong> has extra features: Firewall, Filter Suspicious Queries, Country Blocking, Core Scanner, Malware Scanner, Auto Fixer for some of the tests, Events Logger & Scheduled Scans.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>An all-in-one security solution for any site. With premium support and continuous updates Security Ninja \u003Cstrong>Pro\u003C\u002Fstrong> is a perfect tool to keep your site safe. \u003Ca href=\"https:\u002F\u002Fwpsecurityninja.com\u002F?utm_source=wordpressorg&utm_medium=content&utm_campaign=readme&utm_content=see-what-pro-offers\" rel=\"nofollow ugc\">See what the PRO version offers\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Automatically block \u003Cstrong>600+ million bad IPs\u003C\u002Fstrong> with one click! \u003Ca href=\"https:\u002F\u002Fwpsecurityninja.com\u002F?utm_source=wordpressorg&utm_medium=content&utm_campaign=readme&utm_content=cloud-firewall\" rel=\"nofollow ugc\">Security Ninja Pro Firewall\u003C\u002Fa> will help you stay one step ahead of bad guys by using the collective know-how of millions of attacked sites, and ban bad guys before they even open your site.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Read more about Pro features on the \u003Ca href=\"https:\u002F\u002Fwpsecurityninja.com\u002F?utm_source=wordpressorg&utm_medium=content&utm_campaign=readme&utm_content=readmoreaboutpro\" rel=\"nofollow ugc\">Security Ninja website\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>What others say about the plugin\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmayor.com\u002Fsecurity-ninja-review-wordpress-security-plugin\u002F\" rel=\"nofollow ugc\">WP Mayor: “Easy-to-Use WordPress Security Plugin”\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Fwplift.com\u002Fsecurity-ninja-review\" rel=\"nofollow ugc\">WPLift\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.wpexplorer.com\u002Fwordpress-security-can-security-ninja-keep-your-site-safe\u002F\" rel=\"nofollow ugc\">WPExplorer\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwploop.com\u002Fsecurity-ninja-review\u002F\" rel=\"nofollow ugc\">WP Loop\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.bitcatcha.com\u002Fblog\u002Fsecurity-ninja-plugin-review\u002F\" rel=\"nofollow ugc\">Bitcatcha.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.webhostingsecretrevealed.net\u002Fblog\u002Fwordpress-blog\u002F10-actionable-wordpress-security-tips\u002F\" rel=\"nofollow ugc\">WebHostingSecretRevealed\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.ravisinghblog.in\u002Fwp-security-ninja-review\u002F\" rel=\"nofollow ugc\">Ravi Singh\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Ftutorials7.com\u002Fsecurity-ninja-review.html\" rel=\"nofollow ugc\">Tutorials 7\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.onlinedecoded.com\u002Fsecurity-ninja-review\u002F\" rel=\"nofollow ugc\">onlinedecoded.com\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Tests\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The tests include:\n\u003Cul>\n\u003Cli>brute-force attack on user accounts to test password strength\u003C\u002Fli>\n\u003Cli>numerous installation parameters tests\u003C\u002Fli>\n\u003Cli>file permissions\u003C\u002Fli>\n\u003Cli>version hiding\u003C\u002Fli>\n\u003Cli>0-day exploits tests\u003C\u002Fli>\n\u003Cli>debug and auto-update modes tests\u003C\u002Fli>\n\u003Cli>database configuration tests\u003C\u002Fli>\n\u003Cli>Apache and PHP related tests\u003C\u002Fli>\n\u003Cli>WP options tests\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Complete list of tests:\n\u003Cul>\n\u003Cli>Check if 
Application Passwords feature is enabled (new to WP 5.6)\u003C\u002Fli>\n\u003Cli>Check if WordPress core is up to date\u003C\u002Fli>\n\u003Cli>Check if automatic WordPress core updates are enabled\u003C\u002Fli>\n\u003Cli>Check if plugins are up to date\u003C\u002Fli>\n\u003Cli>Check if there are deactivated plugins\u003C\u002Fli>\n\u003Cli>Check if active plugins have been updated in the last 12 months\u003C\u002Fli>\n\u003Cli>Check if active plugins are compatible with your version of WP\u003C\u002Fli>\n\u003Cli>Check if themes are up to date\u003C\u002Fli>\n\u003Cli>Check if there are any deactivated themes\u003C\u002Fli>\n\u003Cli>Check if full WordPress version info is revealed in page’s meta data\u003C\u002Fli>\n\u003Cli>Check if REST API links are displayed in page’s meta data\u003C\u002Fli>\n\u003Cli>Check the PHP version is up to date\u003C\u002Fli>\n\u003Cli>Check the MySQL version\u003C\u002Fli>\n\u003Cli>Check if server response headers contain detailed PHP version info\u003C\u002Fli>\n\u003Cli>Check if expose_php PHP directive is turned off\u003C\u002Fli>\n\u003Cli>Check if user with username “admin” and administrator privileges exists\u003C\u002Fli>\n\u003Cli>Check if “anyone can register” option is enabled\u003C\u002Fli>\n\u003Cli>Check user’s password strength with a brute-force attack\u003C\u002Fli>\n\u003Cli>Check for display of unnecessary information on failed login attempts\u003C\u002Fli>\n\u003Cli>Check if database table prefix is the default one\u003C\u002Fli>\n\u003Cli>Check if security keys and salts have proper values\u003C\u002Fli>\n\u003Cli>Check the age of security keys and salts\u003C\u002Fli>\n\u003Cli>Test the strength of WordPress database password\u003C\u002Fli>\n\u003Cli>Check if general debug mode is enabled\u003C\u002Fli>\n\u003Cli>Check if the debug.log file exists\u003C\u002Fli>\n\u003Cli>Check if database debug mode is enabled\u003C\u002Fli>\n\u003Cli>Check if JavaScript debug mode is enabled\u003C\u002Fli>\n\u003Cli>Check 
if display_errors PHP directive is turned off\u003C\u002Fli>\n\u003Cli>Check if WordPress installation address is the same as the site address\u003C\u002Fli>\n\u003Cli>Check if wp-config.php file has the right permissions (chmod) set\u003C\u002Fli>\n\u003Cli>Check if register_globals PHP directive is turned off\u003C\u002Fli>\n\u003Cli>Check if PHP safe mode is disabled\u003C\u002Fli>\n\u003Cli>Check if allow_url_include PHP directive is turned off\u003C\u002Fli>\n\u003Cli>Check if plugins\u002Fthemes file editor is enabled\u003C\u002Fli>\n\u003Cli>Check if uploads folder is browsable by browsers\u003C\u002Fli>\n\u003Cli>Test if user with ID 1 and administrator role exists\u003C\u002Fli>\n\u003Cli>Check if Windows Live Writer link is present in pages’ header data\u003C\u002Fli>\n\u003Cli>Check if wp-config.php is present on the default location\u003C\u002Fli>\n\u003Cli>Check if MySQL server is connectable from outside with the WP user\u003C\u002Fli>\n\u003Cli>Check if EditURI link is present in pages’ header data\u003C\u002Fli>\n\u003Cli>Check if TimThumb script is used in the active theme\u003C\u002Fli>\n\u003Cli>Check if the server is vulnerable to the Shellshock bug #6271\u003C\u002Fli>\n\u003Cli>Check if the server is vulnerable to the Shellshock bug #7169\u003C\u002Fli>\n\u003Cli>Check if admin interface is delivered via SSL\u003C\u002Fli>\n\u003Cli>Check if MySQL account used by WordPress has too many permissions\u003C\u002Fli>\n\u003Cli>Test if a list of usernames can be fetched by looping through user IDs on http:\u002F\u002Fsiteurl.com\u002F?author={ID} (also called username enumeration)\u003C\u002Fli>\n\u003Cli>Check if server response headers contain Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>Check if server response headers contain X-Frame-Options\u003C\u002Fli>\n\u003Cli>Check if server response headers contain X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>Check if server response headers contain 
Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Check if server response headers contain Referrer-Policy\u003C\u002Fli>\n\u003Cli>Check if server response headers contain Feature-Policy\u003C\u002Fli>\n\u003Cli>Check for unwanted files in your root folder you should remove\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>License info\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcarhartl\u002Fjquery-cookie\" rel=\"nofollow ugc\">jQuery Cookie Plugin, Copyright 2013 Klaus Hartl\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>The vulnerability scanner uses data from the \u003Ca href=\"https:\u002F\u002Fnvd.nist.gov\u002F\" rel=\"nofollow ugc\">National Vulnerability Database – NVD\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>This product includes IP2Location LITE data available from \u003Ca href=\"https:\u002F\u002Flite.ip2location.com\" rel=\"nofollow ugc\">https:\u002F\u002Flite.ip2location.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>This plugin uses the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fcollizo4sky\u002Fpersist-admin-notices-dismissal\" rel=\"nofollow ugc\">Persist Admin notice Dismissals\u003C\u002Fa> by Collins Agbonghama @collizo4sky\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Firewall rules are based on 8G Firewall by Jeff Starr – https:\u002F\u002Fperishablepress.com\u002F8g-blacklist\u002F\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How can I report security bugs?\u003C\u002Fh4>\n\u003Cp>You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. 
\u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fdatabase\u002Fvdp\u002Fsecurity-ninja\" rel=\"nofollow ugc\">Report a security vulnerability.\u003C\u002Fa>\u003C\u002Fp>\n","WordPress security plugin with free basic firewall\u002FWAF, vulnerability scanning, and 50+ core integrity checks.",7000,846284,99,"2026-03-04T22:31:00.000Z","7.4",[20,22,23,210,24],"vulnerability","https:\u002F\u002Fwpsecurityninja.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-ninja.5.272.zip","2025-07-23 00:00:00",{"attackSurface":215,"codeSignals":703,"taintFlows":987,"riskAssessment":1103,"analyzedAt":1120},{"hooks":216,"ajaxHandlers":461,"restRoutes":695,"shortcodes":696,"cronEvents":701,"entryPointCount":702,"unprotectedCount":336},[217,224,228,231,237,240,244,248,253,257,261,265,268,272,276,280,283,287,291,295,300,305,309,313,316,319,323,327,330,333,337,341,344,348,353,356,359,363,366,368,371,374,378,382,386,389,393,396,401,403,407,411,414,418,421,425,429,432,434,438,441,443,447,451,453,455,458],{"type":218,"name":219,"callback":220,"priority":221,"file":222,"line":223},"action","admin_bar_menu","spbc_admin__admin_bar__add_structure",999,"inc\\spbc-admin.php",66,{"type":218,"name":225,"callback":226,"file":222,"line":227},"cleantalk_admin_bar__parent_node__before","spbc_admin__admin_bar__prepare_counters",69,{"type":218,"name":229,"callback":226,"file":222,"line":230},"cleantalk_admin_bar__add_icon_to_parent_node",70,{"type":232,"name":233,"callback":234,"priority":235,"file":222,"line":236},"filter","cleantalk_admin_bar__parent_node__after","spbc_admin__admin_bar__add_counter",10,71,{"type":232,"name":219,"callback":238,"priority":239,"file":222,"line":113},"spbc_admin__admin_bar__add_child_nodes",1000,{"type":232,"name":219,"callback":241,"priority":242,"file":222,"line":243},"spbc_apbct_admin__admin_bar__add_child_nodes",1001,75,{"type":232,"name":245,"callback":246,"file":222,"line":247},"manage_users_columns","spbc_users_list_pass_check_column"
,197,{"type":218,"name":249,"callback":250,"priority":251,"file":222,"line":252},"after_plugin_row","spbc_plugin_list_show_vulnerability",20,278,{"type":232,"name":254,"callback":255,"priority":235,"file":222,"line":256},"plugins_api_result","spbc_plugin_install_show_safety",300,{"type":232,"name":258,"callback":259,"priority":235,"file":222,"line":260},"plugin_row_meta","spbc_plugin_list_show_safety",301,{"type":232,"name":262,"callback":263,"priority":235,"file":222,"line":264},"plugin_install_action_links","closure",355,{"type":232,"name":266,"callback":263,"file":222,"line":267},"wp_prepare_themes_for_js",418,{"type":232,"name":269,"callback":270,"priority":221,"file":222,"line":271},"upgrader_post_install","spbc_plugin_install__run_vulnerability_check_cron",478,{"type":232,"name":273,"callback":274,"priority":251,"file":275,"line":251},"authenticate","spbc_authenticate","inc\\spbc-auth.php",{"type":218,"name":277,"callback":278,"priority":235,"file":275,"line":279},"set_logged_in_cookie","spbc_detect_token_login",23,{"type":232,"name":273,"callback":281,"priority":251,"file":275,"line":282},"addUserPass",27,{"type":218,"name":284,"callback":285,"priority":235,"file":275,"line":286},"delete_user","removeUserPassOnUserDelete",28,{"type":218,"name":288,"callback":289,"priority":235,"file":275,"line":290},"profile_update","removeUserPassOnPasswordChange",29,{"type":218,"name":292,"callback":293,"priority":235,"file":275,"line":294},"login_form","spbc_passleak_change_password_form",30,{"type":218,"name":296,"callback":297,"priority":298,"file":275,"line":299},"login_form_login","spbc_passleak_change_password_handler",3,31,{"type":218,"name":301,"callback":302,"priority":303,"file":275,"line":304},"login_errors","spbc_fix_error_messages",99999,34,{"type":218,"name":306,"callback":307,"priority":48,"file":275,"line":308},"wp_logout","spbc_wp_logout",35,{"type":218,"name":310,"callback":311,"priority":48,"file":275,"line":312},"login_footer","spbc_login_form_notificati
on",36,{"type":232,"name":245,"callback":314,"file":275,"line":315},"spbc_user_last_login_column",38,{"type":232,"name":317,"callback":314,"file":275,"line":318},"manage_users-network_columns",39,{"type":232,"name":320,"callback":321,"priority":235,"file":275,"line":322},"manage_users_custom_column","spbc_user_last_login_column_content",40,{"type":218,"name":324,"callback":325,"priority":235,"file":275,"line":326},"init","spbc_2fa_rate_limit",44,{"type":218,"name":296,"callback":328,"priority":48,"file":275,"line":329},"spbc_2fa__authenticate",46,{"type":218,"name":292,"callback":331,"priority":235,"file":275,"line":332},"spbc_2fa__show_field",47,{"type":218,"name":334,"callback":335,"priority":235,"file":275,"line":336},"after_password_reset","spbc_2fa__2fa_app_replace_meta",48,{"type":218,"name":338,"callback":339,"priority":48,"file":275,"line":340},"show_user_profile","spbc_2fa__SelfUserProfileEdit",50,{"type":218,"name":342,"callback":339,"priority":48,"file":275,"line":343},"edit_user_profile",51,{"type":232,"name":345,"callback":263,"file":346,"line":347},"safe_style_css","inc\\spbc-settings-summary-and-stats.php",336,{"type":218,"name":349,"callback":350,"file":351,"line":352},"spbc_before_returning_settings","spbc__send_local_settings_to_api","inc\\spbc-settings.php",5487,{"type":218,"name":349,"callback":354,"file":351,"line":355},"spbc_cdn_checker__run_check_on_settings_change",5498,{"type":218,"name":324,"callback":263,"file":357,"line":358},"security-malware-firewall.php",211,{"type":232,"name":360,"callback":361,"file":357,"line":362},"xmlrpc_enabled","__return_false",235,{"type":232,"name":364,"callback":263,"file":357,"line":365},"rest_authentication_errors",240,{"type":232,"name":364,"callback":263,"file":357,"line":367},257,{"type":218,"name":369,"callback":370,"file":357,"line":14},"admin_head","record",{"type":218,"name":372,"callback":370,"file":357,"line":373},"wp_head",379,{"type":218,"name":375,"callback":376,"priority":48,"file":357,"line":3
77},"plugins_loaded","spbc_plugin_loaded",403,{"type":218,"name":379,"callback":380,"priority":235,"file":357,"line":381},"wp_insert_post","spbc_update_postmeta_links",406,{"type":218,"name":383,"callback":384,"priority":235,"file":357,"line":385},"wp_insert_comment","spbc_update_postmeta_links__by_comment",407,{"type":218,"name":324,"callback":387,"file":357,"line":388},"spbc_set_headers",410,{"type":218,"name":390,"callback":391,"file":357,"line":392},"login_enqueue_scripts","spbc_attach_public_css",411,{"type":218,"name":394,"callback":391,"file":357,"line":395},"wp_enqueue_scripts",414,{"type":218,"name":397,"callback":398,"priority":399,"file":357,"line":400},"wp_footer","spbc_hook__wp_footer_trusted_text",998,415,{"type":218,"name":324,"callback":263,"file":357,"line":402},426,{"type":232,"name":404,"callback":405,"priority":235,"file":357,"line":406},"script_loader_tag","addScriptAttributes",432,{"type":218,"name":408,"callback":409,"priority":48,"file":357,"line":410},"admin_init","redirectAfterActivation",433,{"type":218,"name":408,"callback":412,"priority":48,"file":357,"line":413},"spbc_admin_init",434,{"type":218,"name":415,"callback":416,"file":357,"line":417},"admin_menu","spbc_admin_add_page",435,{"type":218,"name":419,"callback":416,"file":357,"line":420},"network_admin_menu",436,{"type":218,"name":422,"callback":423,"file":357,"line":424},"admin_enqueue_scripts","handleEnqueueHook",437,{"type":218,"name":426,"callback":427,"file":357,"line":428},"wp_dashboard_setup","spbc_widget_scripts_init",445,{"type":218,"name":426,"callback":430,"file":357,"line":431},"spbc_dashboard_statistics_widget",446,{"type":218,"name":408,"callback":263,"file":357,"line":433},450,{"type":232,"name":435,"callback":436,"file":357,"line":437},"all_plugins","spbc_admin__change_plugin_description",460,{"type":232,"name":258,"callback":439,"priority":235,"file":357,"line":440},"spbc_plugin_links_meta",461,{"type":218,"name":324,"callback":263,"file":357,"line":442},465,{"type"
:218,"name":444,"callback":445,"file":357,"line":446},"ColumnCreator_before_drop_column_analysis_status","migrateDbData_2_128_1",519,{"type":218,"name":448,"callback":449,"file":357,"line":450},"ColumnCreator_before_change_column_event","migrateDbData_2_141_0",520,{"type":218,"name":394,"callback":391,"file":357,"line":452},605,{"type":218,"name":324,"callback":263,"file":357,"line":454},1532,{"type":218,"name":375,"callback":456,"file":357,"line":457},"spbc_send_daily_report",1566,{"type":232,"name":459,"callback":263,"file":357,"line":460},"spbc_get_api_key_email",2135,[462,467,471,475,479,481,484,487,491,494,497,499,503,507,510,514,518,522,526,530,534,538,541,545,548,552,556,560,564,568,572,576,580,584,588,592,595,598,601,604,607,610,613,617,621,625,629,632,634,637,641,645,648,651,654,657,661,665,669,673,677,681,683,686,689,692],{"action":463,"nopriv":464,"callback":463,"hasNonce":465,"hasCapCheck":464,"file":222,"line":466},"spbc_get_authorized_admins",false,true,80,{"action":468,"nopriv":464,"callback":469,"hasNonce":464,"hasCapCheck":464,"file":222,"line":470},"spbc_show_more_security_logs","spbc_show_more_security_logs_callback",83,{"action":472,"nopriv":464,"callback":473,"hasNonce":464,"hasCapCheck":464,"file":222,"line":474},"spbc_show_hostname_security_logs","spbc_show_hostname_security_logs_callback",84,{"action":476,"nopriv":464,"callback":477,"hasNonce":464,"hasCapCheck":464,"file":222,"line":478},"spbc_show_more_security_firewall_logs","showMoreFirewallLogs",85,{"action":480,"nopriv":464,"callback":480,"hasNonce":464,"hasCapCheck":464,"file":222,"line":27},"spbc_tc__filter_ip",{"action":482,"nopriv":464,"callback":483,"hasNonce":464,"hasCapCheck":464,"file":222,"line":193},"spbc_scanner_controller_front","controllerFront",{"action":485,"nopriv":464,"callback":486,"hasNonce":464,"hasCapCheck":464,"file":222,"line":148},"spbc_scanner_load_more_scan_logs","loadMoreScanLogs",{"action":488,"nopriv":464,"callback":489,"hasNonce":464,"hasCapCheck":464,"file"
:222,"line":490},"spbc_scanner_save_to_pdf","downloadPDFReport",91,{"action":492,"nopriv":464,"callback":493,"hasNonce":464,"hasCapCheck":464,"file":222,"line":111},"spbc_scanner_get_pdf_file_name","getPDFReportFileName",{"action":495,"nopriv":464,"callback":496,"hasNonce":464,"hasCapCheck":464,"file":222,"line":136},"spbc_scanner_clear","clearScannerResults",{"action":498,"nopriv":464,"callback":498,"hasNonce":464,"hasCapCheck":464,"file":222,"line":126},"spbc_scanner__last_scan_info",{"action":500,"nopriv":464,"callback":501,"hasNonce":464,"hasCapCheck":464,"file":222,"line":502},"spbc_scanner_file_send","sendFileForAnalysis",97,{"action":504,"nopriv":464,"callback":505,"hasNonce":464,"hasCapCheck":464,"file":222,"line":506},"spbc_scanner_file_delete","deleteFile",98,{"action":508,"nopriv":464,"callback":509,"hasNonce":464,"hasCapCheck":464,"file":222,"line":206},"spbc_scanner_file_approve","approveFile",{"action":511,"nopriv":464,"callback":512,"hasNonce":464,"hasCapCheck":464,"file":222,"line":513},"spbc_scanner_file_view","viewFile",100,{"action":515,"nopriv":464,"callback":516,"hasNonce":464,"hasCapCheck":464,"file":222,"line":517},"spbc_scanner_page_view","viewPage",101,{"action":519,"nopriv":464,"callback":520,"hasNonce":464,"hasCapCheck":464,"file":222,"line":521},"spbc_scanner_file_replace","replaceFileWithOriginal",102,{"action":523,"nopriv":464,"callback":524,"hasNonce":464,"hasCapCheck":464,"file":222,"line":525},"spbc_scanner_file_check_analysis_status","checkFilesAnalysisStatus",103,{"action":527,"nopriv":464,"callback":528,"hasNonce":464,"hasCapCheck":464,"file":222,"line":529},"spbc_scanner_analysis_log_delete_from_log","deleteFileFromAnalysisLog",104,{"action":531,"nopriv":464,"callback":532,"hasNonce":464,"hasCapCheck":464,"file":222,"line":533},"spbc_file_cure_ajax_action","cureFile",105,{"action":535,"nopriv":464,"callback":536,"hasNonce":464,"hasCapCheck":464,"file":222,"line":537},"spbc_restore_file_from_backup_ajax_action","restoreFileFromBac
kup",106,{"action":539,"nopriv":464,"callback":539,"hasNonce":464,"hasCapCheck":464,"file":222,"line":540},"spbc_settings__draw_elements",109,{"action":542,"nopriv":464,"callback":543,"hasNonce":464,"hasCapCheck":464,"file":222,"line":544},"spbc_scanner_tab__reload_accordion","spbc_field_scanner__show_accordion",110,{"action":546,"nopriv":464,"callback":546,"hasNonce":465,"hasCapCheck":464,"file":222,"line":547},"spbct_get_tab_data",113,{"action":549,"nopriv":464,"callback":550,"hasNonce":464,"hasCapCheck":464,"file":222,"line":551},"spbc_tbl-action--bulk","ajaxBulkActionHandler",116,{"action":553,"nopriv":464,"callback":554,"hasNonce":464,"hasCapCheck":464,"file":222,"line":555},"spbc_tbl-action--row","ajaxRowActionHandler",117,{"action":557,"nopriv":464,"callback":558,"hasNonce":464,"hasCapCheck":464,"file":222,"line":559},"spbc_tbl-pagination","ajaxPaginationHandler",118,{"action":561,"nopriv":464,"callback":562,"hasNonce":464,"hasCapCheck":464,"file":222,"line":563},"spbc_tbl-sort","ajaxSortHandler",119,{"action":565,"nopriv":464,"callback":566,"hasNonce":464,"hasCapCheck":464,"file":222,"line":567},"spbc_tbl-switch","ajaxSwitchTable",120,{"action":569,"nopriv":464,"callback":570,"hasNonce":464,"hasCapCheck":464,"file":222,"line":571},"spbc_cure_selected","cureSelectedAction",121,{"action":573,"nopriv":464,"callback":574,"hasNonce":464,"hasCapCheck":464,"file":222,"line":575},"spbc_restore_selected","restoreSelectedAction",122,{"action":577,"nopriv":464,"callback":578,"hasNonce":464,"hasCapCheck":464,"file":222,"line":579},"spbc_restore_from_quarantine","restoreFromQuarantine",123,{"action":581,"nopriv":464,"callback":582,"hasNonce":464,"hasCapCheck":464,"file":222,"line":583},"spbc_send_traffic_control","spbc_send_firewall_logs_ajax_handler",126,{"action":585,"nopriv":464,"callback":586,"hasNonce":464,"hasCapCheck":464,"file":222,"line":587},"spbc_send_security_log","spbc_send_logs_ajax_handler",127,{"action":589,"nopriv":464,"callback":590,"hasNonce":464,"hasC
apCheck":464,"file":222,"line":591},"spbc_check_file_block","uploadCheckerGetLastBlockInfo",130,{"action":593,"nopriv":464,"callback":593,"hasNonce":464,"hasCapCheck":464,"file":222,"line":594},"spbc_rollback",133,{"action":596,"nopriv":464,"callback":596,"hasNonce":464,"hasCapCheck":464,"file":222,"line":597},"spbc_backup__delete",134,{"action":599,"nopriv":464,"callback":599,"hasNonce":464,"hasCapCheck":464,"file":222,"line":600},"spbc_settings__get_description",137,{"action":602,"nopriv":464,"callback":602,"hasNonce":464,"hasCapCheck":464,"file":222,"line":603},"spbc_settings__get_recommendation",138,{"action":605,"nopriv":464,"callback":605,"hasNonce":464,"hasCapCheck":464,"file":222,"line":606},"spbc_settings__check_renew_banner",139,{"action":608,"nopriv":464,"callback":608,"hasNonce":464,"hasCapCheck":464,"file":222,"line":609},"spbc_sync",140,{"action":611,"nopriv":464,"callback":611,"hasNonce":464,"hasCapCheck":464,"file":222,"line":612},"spbc_get_key_auto",141,{"action":614,"nopriv":464,"callback":615,"hasNonce":464,"hasCapCheck":464,"file":222,"line":616},"spbc_update_account_email","spbc_settings__update_account_email",142,{"action":618,"nopriv":464,"callback":619,"hasNonce":464,"hasCapCheck":464,"file":222,"line":620},"spbc_create_support_user","spbc_settings__spbc_create_support_user",143,{"action":622,"nopriv":464,"callback":623,"hasNonce":464,"hasCapCheck":464,"file":222,"line":624},"spbc_generate_confirmation_code","spbctGenerateAndSendConfirmationCode",146,{"action":626,"nopriv":464,"callback":627,"hasNonce":464,"hasCapCheck":464,"file":222,"line":628},"spbc_check_confirmation_code","spbctCheckConfirmationCode",147,{"action":630,"nopriv":464,"callback":630,"hasNonce":464,"hasCapCheck":464,"file":222,"line":631},"spbc_private_list_add",150,{"action":633,"nopriv":464,"callback":633,"hasNonce":464,"hasCapCheck":464,"file":222,"line":149},"spbc_change_role_template",{"action":635,"nopriv":464,"callback":635,"hasNonce":464,"hasCapCheck":464,"file":222,"
line":636},"spbc_change_role",154,{"action":638,"nopriv":464,"callback":639,"hasNonce":464,"hasCapCheck":464,"file":222,"line":640},"spbc_check_pass_leak","checkPassLeak",198,{"action":642,"nopriv":464,"callback":643,"hasNonce":465,"hasCapCheck":464,"file":222,"line":644},"spbc_check_vulnerability_list","spbc_theme_list_show_vulnerability",383,{"action":646,"nopriv":464,"callback":647,"hasNonce":465,"hasCapCheck":464,"file":222,"line":413},"spbc_check_vulnerability_install","spbc_themes_install_show_safety",{"action":649,"nopriv":464,"callback":649,"hasNonce":465,"hasCapCheck":464,"file":222,"line":650},"spbc_action_shuffle_salts",811,{"action":652,"nopriv":464,"callback":652,"hasNonce":465,"hasCapCheck":464,"file":222,"line":653},"spbc_action_adjust_change",856,{"action":655,"nopriv":464,"callback":655,"hasNonce":465,"hasCapCheck":464,"file":222,"line":656},"spbc_action_adjust_reverse",872,{"action":658,"nopriv":464,"callback":659,"hasNonce":465,"hasCapCheck":464,"file":275,"line":660},"spbc_get_2fa_app_qr_code","spbc_2fa__Get2FAAppQrCode",53,{"action":662,"nopriv":464,"callback":663,"hasNonce":465,"hasCapCheck":464,"file":275,"line":664},"spbc_check_2fa_app_code","spbc_2fa__Check2FAAppCode",54,{"action":666,"nopriv":464,"callback":667,"hasNonce":465,"hasCapCheck":464,"file":275,"line":668},"spbc_disable_2fa_app","spbc_2fa__Disable2FAApp",55,{"action":670,"nopriv":464,"callback":671,"hasNonce":465,"hasCapCheck":464,"file":351,"line":672},"spbc_analysyis_files_stats__get_html","spbc__analysyis_files_stats__get_html",3158,{"action":674,"nopriv":464,"callback":675,"hasNonce":465,"hasCapCheck":465,"file":351,"line":676},"spbc_get_role_capabilities","spbc_get_role_capabilities_callback",6149,{"action":678,"nopriv":464,"callback":678,"hasNonce":465,"hasCapCheck":464,"file":679,"line":680},"spbc_react_access_key_check","inc\\spbct-sync-react.php",11,{"action":682,"nopriv":464,"callback":682,"hasNonce":465,"hasCapCheck":464,"file":679,"line":194},"spbc_react_secfw_update_i
nit",{"action":684,"nopriv":464,"callback":684,"hasNonce":465,"hasCapCheck":464,"file":679,"line":685},"spbc_react_settings_exclusions",13,{"action":687,"nopriv":464,"callback":687,"hasNonce":465,"hasCapCheck":464,"file":679,"line":688},"spbc_react_run_ajusting_env",14,{"action":690,"nopriv":464,"callback":690,"hasNonce":465,"hasCapCheck":464,"file":679,"line":691},"spbc_react_signatures_update",15,{"action":693,"nopriv":464,"callback":693,"hasNonce":465,"hasCapCheck":464,"file":679,"line":694},"spbc_react_run_vulnerability_check",16,[],[697],{"tag":698,"callback":699,"file":357,"line":700},"cleantalk_security_affiliate_link","spbc_trusted_text_shortcode_handler",606,[],67,{"dangerousFunctions":704,"sqlUsage":705,"outputEscaping":725,"fileOperations":282,"externalRequests":48,"nonceChecks":985,"capabilityChecks":235,"bundledLibraries":986},[],{"prepared":706,"raw":176,"locations":707},43,[708,711,714,717,718,720,722],{"file":709,"line":685,"context":710},"inc\\spbc-backups.php","$wpdb->get_row() with variable interpolation",{"file":709,"line":712,"context":713},17,"$wpdb->get_results() with variable interpolation",{"file":709,"line":715,"context":716},252,"$wpdb->query() with variable interpolation",{"file":709,"line":347,"context":713},{"file":351,"line":719,"context":716},4849,{"file":357,"line":721,"context":713},1022,{"file":357,"line":723,"context":724},1140,"$wpdb->get_var() with variable 
interpolation",{"escaped":726,"rawEcho":624,"locations":727},60,[728,731,732,733,734,735,736,737,740,742,744,745,746,747,748,749,750,752,754,755,756,757,758,760,762,763,764,765,766,767,768,770,771,772,773,774,775,776,777,779,781,782,783,784,785,786,787,788,789,791,793,795,797,799,801,803,805,807,809,811,813,815,817,819,821,823,825,827,829,831,833,835,836,838,840,842,844,846,848,850,852,854,856,858,860,862,864,866,868,870,872,874,876,878,880,882,884,886,888,890,892,894,896,898,900,902,904,906,908,910,912,914,916,918,920,922,924,926,928,930,932,934,936,938,940,942,944,946,948,950,952,954,956,958,960,962,964,966,968,970,972,974,976,978,980,983],{"file":729,"line":235,"context":730},"inc\\admin-templates\\field-templates\\checkbox.php","raw output",{"file":729,"line":680,"context":730},{"file":729,"line":279,"context":730},{"file":729,"line":279,"context":730},{"file":729,"line":279,"context":730},{"file":729,"line":282,"context":730},{"file":729,"line":299,"context":730},{"file":738,"line":739,"context":730},"inc\\admin-templates\\field-templates\\hidden.php",8,{"file":738,"line":741,"context":730},9,{"file":743,"line":235,"context":730},"inc\\admin-templates\\field-templates\\number.php",{"file":743,"line":235,"context":730},{"file":743,"line":235,"context":730},{"file":743,"line":691,"context":730},{"file":743,"line":286,"context":730},{"file":743,"line":286,"context":730},{"file":743,"line":286,"context":730},{"file":743,"line":751,"context":730},32,{"file":753,"line":235,"context":730},"inc\\admin-templates\\field-templates\\radio.php",{"file":753,"line":235,"context":730},{"file":753,"line":688,"context":730},{"file":753,"line":251,"context":730},{"file":753,"line":286,"context":730},{"file":753,"line":759,"context":730},33,{"file":761,"line":739,"context":730},"inc\\admin-templates\\field-templates\\select.php",{"file":761,"line":739,"context":730},{"file":761,"line":739,"context":730},{"file":761,"line":685,"context":730},{"file":761,"line":282,"context":730},{"
file":761,"line":318,"context":730},{"file":761,"line":706,"context":730},{"file":769,"line":739,"context":730},"inc\\admin-templates\\field-templates\\text.php",{"file":769,"line":739,"context":730},{"file":769,"line":739,"context":730},{"file":769,"line":694,"context":730},{"file":769,"line":290,"context":730},{"file":769,"line":290,"context":730},{"file":769,"line":290,"context":730},{"file":769,"line":759,"context":730},{"file":769,"line":778,"context":730},37,{"file":780,"line":235,"context":730},"inc\\admin-templates\\field-templates\\textarea.php",{"file":780,"line":235,"context":730},{"file":780,"line":235,"context":730},{"file":780,"line":194,"context":730},{"file":780,"line":251,"context":730},{"file":780,"line":751,"context":730},{"file":780,"line":751,"context":730},{"file":780,"line":751,"context":730},{"file":780,"line":312,"context":730},{"file":790,"line":235,"context":730},"inc\\admin-templates\\field-templates\\time.php",{"file":222,"line":792,"context":730},294,{"file":222,"line":794,"context":730},688,{"file":222,"line":796,"context":730},1066,{"file":222,"line":798,"context":730},1069,{"file":222,"line":800,"context":730},1075,{"file":222,"line":802,"context":730},1086,{"file":222,"line":804,"context":730},1114,{"file":222,"line":806,"context":730},1123,{"file":222,"line":808,"context":730},1131,{"file":222,"line":810,"context":730},1159,{"file":222,"line":812,"context":730},1162,{"file":222,"line":814,"context":730},1165,{"file":222,"line":816,"context":730},1167,{"file":222,"line":818,"context":730},1168,{"file":222,"line":820,"context":730},1176,{"file":222,"line":822,"context":730},1204,{"file":275,"line":824,"context":730},580,{"file":275,"line":826,"context":730},610,{"file":275,"line":828,"context":730},718,{"file":275,"line":830,"context":730},770,{"file":275,"line":832,"context":730},1156,{"file":275,"line":834,"context":730},1164,{"file":275,"line":814,"context":730},{"file":275,"line":837,"context":730},1166,{"file":351,"line":839,"co
ntext":730},1318,{"file":351,"line":841,"context":730},1329,{"file":351,"line":843,"context":730},1339,{"file":351,"line":845,"context":730},1380,{"file":351,"line":847,"context":730},1417,{"file":351,"line":849,"context":730},1491,{"file":351,"line":851,"context":730},1496,{"file":351,"line":853,"context":730},1712,{"file":351,"line":855,"context":730},1788,{"file":351,"line":857,"context":730},1804,{"file":351,"line":859,"context":730},1811,{"file":351,"line":861,"context":730},1820,{"file":351,"line":863,"context":730},1825,{"file":351,"line":865,"context":730},1837,{"file":351,"line":867,"context":730},1841,{"file":351,"line":869,"context":730},1842,{"file":351,"line":871,"context":730},1877,{"file":351,"line":873,"context":730},1908,{"file":351,"line":875,"context":730},1918,{"file":351,"line":877,"context":730},1940,{"file":351,"line":879,"context":730},1972,{"file":351,"line":881,"context":730},1984,{"file":351,"line":883,"context":730},1989,{"file":351,"line":885,"context":730},2001,{"file":351,"line":887,"context":730},2014,{"file":351,"line":889,"context":730},2249,{"file":351,"line":891,"context":730},2258,{"file":351,"line":893,"context":730},2274,{"file":351,"line":895,"context":730},2295,{"file":351,"line":897,"context":730},2307,{"file":351,"line":899,"context":730},2998,{"file":351,"line":901,"context":730},3032,{"file":351,"line":903,"context":730},3047,{"file":351,"line":905,"context":730},3055,{"file":351,"line":907,"context":730},3061,{"file":351,"line":909,"context":730},3071,{"file":351,"line":911,"context":730},3079,{"file":351,"line":913,"context":730},3083,{"file":351,"line":915,"context":730},3086,{"file":351,"line":917,"context":730},3091,{"file":351,"line":919,"context":730},3097,{"file":351,"line":921,"context":730},3103,{"file":351,"line":923,"context":730},3109,{"file":351,"line":925,"context":730},3110,{"file":351,"line":927,"context":730},3116,{"file":351,"line":929,"context":730},3120,{"file":351,"line":931,"context":730},3124,{"fil
e":351,"line":933,"context":730},3127,{"file":351,"line":935,"context":730},3144,{"file":351,"line":937,"context":730},3148,{"file":351,"line":939,"context":730},3153,{"file":351,"line":941,"context":730},3194,{"file":351,"line":943,"context":730},3402,{"file":351,"line":945,"context":730},3403,{"file":351,"line":947,"context":730},3441,{"file":351,"line":949,"context":730},3442,{"file":351,"line":951,"context":730},3446,{"file":351,"line":953,"context":730},3448,{"file":351,"line":955,"context":730},4196,{"file":351,"line":957,"context":730},4208,{"file":351,"line":959,"context":730},4218,{"file":351,"line":961,"context":730},4256,{"file":351,"line":963,"context":730},4275,{"file":351,"line":965,"context":730},4294,{"file":351,"line":967,"context":730},4325,{"file":351,"line":969,"context":730},5524,{"file":351,"line":971,"context":730},5528,{"file":351,"line":973,"context":730},5530,{"file":351,"line":975,"context":730},5532,{"file":351,"line":977,"context":730},5543,{"file":351,"line":979,"context":730},6095,{"file":981,"line":982,"context":730},"inc\\spbc-tools.php",356,{"file":981,"line":984,"context":730},358,2,[],[988,1004,1013,1031,1059,1071,1086,1095],{"entryPoint":989,"graph":990,"unsanitizedCount":48,"severity":85},"spbc_passleak_change_password_form (inc\\spbc-auth.php:542)",{"nodes":991,"edges":1002},[992,997],{"id":993,"type":994,"label":995,"file":275,"line":996},"n0","source","$_GET",548,{"id":998,"type":999,"label":1000,"file":275,"line":826,"wp_function":1001},"n1","sink","echo() [XSS]","echo",[1003],{"from":993,"to":998,"sanitized":464},{"entryPoint":1005,"graph":1006,"unsanitizedCount":48,"severity":85},"spbc_2fa__show_field 
(inc\\spbc-auth.php:676)",{"nodes":1007,"edges":1011},[1008,1010],{"id":993,"type":994,"label":995,"file":275,"line":1009},685,{"id":998,"type":999,"label":1000,"file":275,"line":830,"wp_function":1001},[1012],{"from":993,"to":998,"sanitized":464},{"entryPoint":1014,"graph":1015,"unsanitizedCount":48,"severity":85},"spbc_2fa__authenticate (inc\\spbc-auth.php:882)",{"nodes":1016,"edges":1028},[1017,1020,1023],{"id":993,"type":994,"label":1018,"file":275,"line":1019},"$_POST",913,{"id":998,"type":1021,"label":1022,"file":275,"line":1019},"transform","→ spbc_2fa__failed()",{"id":1024,"type":999,"label":1025,"file":275,"line":1026,"wp_function":1027},"n2","wp_redirect() [Open Redirect]",982,"wp_redirect",[1029,1030],{"from":993,"to":998,"sanitized":464},{"from":998,"to":1024,"sanitized":464},{"entryPoint":1032,"graph":1033,"unsanitizedCount":48,"severity":85},"\u003Cspbc-auth> (inc\\spbc-auth.php:0)",{"nodes":1034,"edges":1053},[1035,1037,1038,1039,1042,1045,1047,1049,1051],{"id":993,"type":994,"label":1036,"file":275,"line":996},"$_GET (x2)",{"id":998,"type":999,"label":1000,"file":275,"line":826,"wp_function":1001},{"id":1024,"type":994,"label":1036,"file":275,"line":996},{"id":1040,"type":999,"label":1025,"file":275,"line":1041,"wp_function":1027},"n3",640,{"id":1043,"type":994,"label":1018,"file":275,"line":1044},"n4",891,{"id":1046,"type":999,"label":1025,"file":275,"line":1026,"wp_function":1027},"n5",{"id":1048,"type":994,"label":1018,"file":275,"line":1019},"n6",{"id":1050,"type":1021,"label":1022,"file":275,"line":1019},"n7",{"id":1052,"type":999,"label":1025,"file":275,"line":1026,"wp_function":1027},"n8",[1054,1055,1056,1057,1058],{"from":993,"to":998,"sanitized":465},{"from":1024,"to":1040,"sanitized":465},{"from":1043,"to":1046,"sanitized":465},{"from":1048,"to":1050,"sanitized":464},{"from":1050,"to":1052,"sanitized":464},{"entryPoint":1060,"graph":1061,"unsanitizedCount":29,"severity":1070},"spbc_rollback 
(inc\\spbc-backups.php:326)",{"nodes":1062,"edges":1068},[1063,1065],{"id":993,"type":994,"label":1018,"file":709,"line":1064},332,{"id":998,"type":999,"label":1066,"file":709,"line":347,"wp_function":1067},"get_results() [SQLi]","get_results",[1069],{"from":993,"to":998,"sanitized":465},"low",{"entryPoint":1072,"graph":1073,"unsanitizedCount":29,"severity":1070},"\u003Cspbc-backups> (inc\\spbc-backups.php:0)",{"nodes":1074,"edges":1083},[1075,1077,1081,1082],{"id":993,"type":994,"label":1018,"file":709,"line":1076},125,{"id":998,"type":999,"label":1078,"file":709,"line":1079,"wp_function":1080},"file_put_contents() [File Write]",217,"file_put_contents",{"id":1024,"type":994,"label":1018,"file":709,"line":1064},{"id":1040,"type":999,"label":1066,"file":709,"line":347,"wp_function":1067},[1084,1085],{"from":993,"to":998,"sanitized":465},{"from":1024,"to":1040,"sanitized":465},{"entryPoint":1087,"graph":1088,"unsanitizedCount":29,"severity":1070},"spbc_change_role_template (inc\\spbc-settings.php:6066)",{"nodes":1089,"edges":1093},[1090,1092],{"id":993,"type":994,"label":1018,"file":351,"line":1091},6070,{"id":998,"type":999,"label":1000,"file":351,"line":979,"wp_function":1001},[1094],{"from":993,"to":998,"sanitized":465},{"entryPoint":1096,"graph":1097,"unsanitizedCount":29,"severity":1070},"\u003Cspbc-settings> (inc\\spbc-settings.php:0)",{"nodes":1098,"edges":1101},[1099,1100],{"id":993,"type":994,"label":1018,"file":351,"line":1091},{"id":998,"type":999,"label":1000,"file":351,"line":979,"wp_function":1001},[1102],{"from":993,"to":998,"sanitized":465},{"summary":1104,"deductions":1105},"The security-malware-firewall plugin version 2.174 presents a mixed security posture. While it demonstrates some positive security practices, such as a high percentage of SQL queries using prepared statements and a reasonable number of capability checks, significant concerns are evident. 
The large attack surface, with 66 AJAX handlers and a concerning 48 of them lacking authentication checks, is a major weakness. This exposes a significant portion of the plugin's functionality to potential unauthorized access and manipulation. Furthermore, only 29% of output escaping is properly handled, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis, although limited in scope with only 8 flows, reveals 4 with unsanitized paths, which is concerning for potential injection vulnerabilities.",[1106,1108,1110,1112,1114,1116,1118],{"reason":1107,"points":235},"High number of AJAX handlers without auth checks",{"reason":1109,"points":739},"Low percentage of properly escaped output",{"reason":1111,"points":235},"Taint analysis shows unsanitized paths",{"reason":1113,"points":691},"Numerous past vulnerabilities with critical\u002Fhigh severity",{"reason":1115,"points":235},"History of 'Missing Authorization' vulnerabilities",{"reason":1117,"points":235},"History of 'Cross-site Scripting' vulnerabilities",{"reason":1119,"points":235},"History of 'SQL Injection' 
vulnerabilities","2026-03-16T17:23:37.760Z",{"wat":1122,"direct":1135},{"assetPaths":1123,"generatorPatterns":1128,"scriptPaths":1129,"versionParams":1130},[1124,1125,1126,1127],"\u002Fwp-content\u002Fplugins\u002Fsecurity-malware-firewall\u002Fsrc\u002Fcss\u002Fspbc_admin.css","\u002Fwp-content\u002Fplugins\u002Fsecurity-malware-firewall\u002Fsrc\u002Fcss\u002Fspbc_frontend.css","\u002Fwp-content\u002Fplugins\u002Fsecurity-malware-firewall\u002Fsrc\u002Fjs\u002Fspbc_admin.js","\u002Fwp-content\u002Fplugins\u002Fsecurity-malware-firewall\u002Fsrc\u002Fjs\u002Fspbc_frontend.js",[],[1126,1127],[1131,1132,1133,1134],"security-malware-firewall\u002Fsrc\u002Fcss\u002Fspbc_admin.css?ver=","security-malware-firewall\u002Fsrc\u002Fcss\u002Fspbc_frontend.css?ver=","security-malware-firewall\u002Fsrc\u002Fjs\u002Fspbc_admin.js?ver=","security-malware-firewall\u002Fsrc\u002Fjs\u002Fspbc_frontend.js?ver=",{"cssClasses":1136,"htmlComments":1141,"htmlAttributes":1146,"restEndpoints":1150,"jsGlobals":1154,"shortcodeOutput":1158},[1137,1138,1139,1140],"spbc-admin-notice","spbc-stats","spbc-scan-results","spbc-logs-table",[1142,1143,1144,1145],"\u003C!-- SPBC: Settings -->","\u003C!-- SPBC: Logs -->","\u003C!-- SPBC: Scan Results -->","\u003C!-- SPBC: Firewall -->",[1147,1148,1149],"data-spbc-scan-id","data-spbc-log-id","data-spbc-firewall-rule",[1151,1152,1153],"\u002Fwp-json\u002Fspbc\u002Fv1\u002Fscan","\u002Fwp-json\u002Fspbc\u002Fv1\u002Flogs","\u002Fwp-json\u002Fspbc\u002Fv1\u002Fsettings",[1155,1156,1157],"window.spbc_admin_data","window.spbc_frontend_data","var spbc_vars",[1159,1160],"[spbc_firewall_message]","[spbc_scan_status]"]