[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcv1dA_o9aqmeO0TerqvQutz9aitLuDUdZV8whSZdBZE":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":38,"analysis":125,"fingerprints":975},"vigilante","Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…","1.5.1","Fernando Tellado","https:\u002F\u002Fprofiles.wordpress.org\u002Ffernandot\u002F","\u003Ch3>Premium Security, Zero Cost\u003C\u002Fh3>\n\u003Cp>Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.\u003C\u002Fp>\n\u003Cp>Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, malware detection, user management, activity logging, under attack mode and much more.\u003C\u002Fp>\n\u003Ch3>Instant Protection\u003C\u002Fh3>\n\u003Cp>Once activated, Vigilant immediately applies essential security measures:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Firewall rules against common attacks (SQL injection, XSS, file inclusion)\u003C\u002Fli>\n\u003Cli>Security headers for browser protection\u003C\u002Fli>\n\u003Cli>Login attempt monitoring\u003C\u002Fli>\n\u003Cli>XML-RPC blocking\u003C\u002Fli>\n\u003Cli>WordPress version hiding\u003C\u002Fli>\n\u003Cli>Sensitive file protection (.htaccess, wp-config.php)\u003C\u002Fli>\n\u003Cli>Automatic backup of your existing configuration files\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>One-Click Security Presets\u003C\u002Fh3>\n\u003Cp>Choose a preset and get protected 
instantly:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Standard\u003C\u002Fstrong> – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Maximum Security\u003C\u002Fstrong> – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.\u003C\u002Fp>\n\u003Cp>You can always customize individual settings after applying a preset.\u003C\u002Fp>\n\u003Ch3>Under Attack Mode\u003C\u002Fh3>\n\u003Cp>Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>JavaScript challenge\u003C\u002Fstrong> – Every visitor must pass an automatic browser verification before accessing your site. Real browsers solve it in seconds, bots get blocked completely\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Aggressive rate limiting\u003C\u002Fstrong> – Requests limited to 30 per minute with 15-minute blocks for offenders\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HTTP method restriction\u003C\u002Fstrong> – Only GET, POST, and HEAD allowed. 
PUT, DELETE, PATCH, OPTIONS, and TRACE are blocked\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Empty user agent blocking\u003C\u002Fstrong> – Requests without a user agent header are rejected\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full XML-RPC lockdown\u003C\u002Fstrong> – All XML-RPC access is blocked during the attack\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API restriction\u003C\u002Fstrong> – Only authenticated users can access the REST API\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto-deactivation\u003C\u002Fstrong> – Mode automatically turns off after 4 hours so you never forget it’s on\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email notifications\u003C\u002Fstrong> – Get notified when the mode is activated and deactivated\u003C\u002Fli>\n\u003Cli>\u003Cstrong>HMAC-signed cookies\u003C\u002Fstrong> – Verified visitors receive a cryptographically signed cookie so they only see the challenge once\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Under Attack mode works independently from your preset configuration. Your regular security settings are preserved and restored when the mode deactivates.\u003C\u002Fp>\n\u003Ch3>Core Security Features\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Two-Factor Authentication (2FA)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Add a second verification step to your WordPress login. 
Choose the method that works best for your team:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Authenticator app (TOTP)\u003C\u002Fstrong> – Google Authenticator, Authy, Microsoft Authenticator, or any TOTP-compatible app\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email codes\u003C\u002Fstrong> – One-time 6-digit verification codes sent via email\u003C\u002Fli>\n\u003Cli>QR code setup directly in user profiles\u003C\u002Fli>\n\u003Cli>10 backup codes for emergency access if you lose your device\u003C\u002Fli>\n\u003Cli>Configurable grace period for users to set up their authenticator app\u003C\u002Fli>\n\u003Cli>Trusted devices feature – skip 2FA on recognized devices for configurable days\u003C\u002Fli>\n\u003Cli>Role-based enforcement – require 2FA for administrators, editors, or any role\u003C\u002Fli>\n\u003Cli>Exclude specific users from 2FA requirements\u003C\u002Fli>\n\u003Cli>Admin tool to reset TOTP for users who lost their authenticator\u003C\u002Fli>\n\u003Cli>Configurable code expiry, attempt limits, and email sender name\u003C\u002Fli>\n\u003Cli>User notification emails when 2FA is enabled or method changes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Firewall Protection\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Block malicious requests before they reach WordPress:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>SQL injection blocking\u003C\u002Fli>\n\u003Cli>XSS (Cross-Site Scripting) attack prevention\u003C\u002Fli>\n\u003Cli>File inclusion protection (LFI\u002FRFI)\u003C\u002Fli>\n\u003Cli>Directory traversal blocking\u003C\u002Fli>\n\u003Cli>Bad bot detection and blocking\u003C\u002Fli>\n\u003Cli>Rate limiting against DDoS and brute force\u003C\u002Fli>\n\u003Cli>IP whitelist and blacklist management\u003C\u002Fli>\n\u003Cli>User-Agent whitelist and blacklist with partial matching\u003C\u002Fli>\n\u003Cli>HTTP method restriction\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Login Security\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Stop unauthorized 
access attempts:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit login attempts with configurable thresholds\u003C\u002Fli>\n\u003Cli>Progressive lockouts – longer blocks for repeat offenders\u003C\u002Fli>\n\u003Cli>Custom login URL – hide wp-login.php from bots\u003C\u002Fli>\n\u003Cli>Login URL change notifications to all admin-area users\u003C\u002Fli>\n\u003Cli>Hide login error messages – don’t reveal valid usernames\u003C\u002Fli>\n\u003Cli>XML-RPC disable – block this common attack vector\u003C\u002Fli>\n\u003Cli>Application passwords control\u003C\u002Fli>\n\u003Cli>Admin login notifications via email\u003C\u002Fli>\n\u003Cli>IP whitelist for trusted locations\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>User Security\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Comprehensive user account protection:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Block insecure usernames (admin, test, root, etc.)\u003C\u002Fli>\n\u003Cli>Force strong passwords with minimum length\u003C\u002Fli>\n\u003Cli>Password expiration with configurable intervals\u003C\u002Fli>\n\u003Cli>Password history – prevent reusing old passwords\u003C\u002Fli>\n\u003Cli>Force password reset for all users (post-hack recovery)\u003C\u002Fli>\n\u003Cli>Session limits – control concurrent logins per user\u003C\u002Fli>\n\u003Cli>Session management – view and revoke active sessions\u003C\u002Fli>\n\u003Cli>Email verification for new registrations\u003C\u002Fli>\n\u003Cli>Registration approval workflow – manually approve new users\u003C\u002Fli>\n\u003Cli>Admin account monitoring – alerts for new admins, email changes, password changes, privilege escalation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security Headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Achieve Grade A security ratings:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Content Security Policy (CSP) with visual builder\u003C\u002Fli>\n\u003Cli>HSTS (HTTP Strict Transport Security) with preload option\u003C\u002Fli>\n\u003Cli>X-Frame-Options – 
prevent clickjacking\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options – prevent MIME sniffing\u003C\u002Fli>\n\u003Cli>Referrer Policy control\u003C\u002Fli>\n\u003Cli>Permissions Policy (camera, microphone, geolocation)\u003C\u002Fli>\n\u003Cli>Cross-Origin policies (COEP, COOP, CORP)\u003C\u002Fli>\n\u003Cli>HTTPS enforcer with automatic mixed content fix\u003C\u002Fli>\n\u003Cli>Built-in header testing tool\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>File Integrity Monitoring\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Detect unauthorized changes to your files:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WordPress core verification against official checksums\u003C\u002Fli>\n\u003Cli>Plugin and theme file monitoring with WordPress.org checksums\u003C\u002Fli>\n\u003Cli>Suspicious code scanning for plugins and themes without checksums\u003C\u002Fli>\n\u003Cli>Extra file detection in plugins and themes (files not in original distribution)\u003C\u002Fli>\n\u003Cli>Two-level detection: strict obfuscation combos for plugins, broad patterns for uploads\u003C\u002Fli>\n\u003Cli>Uploads directory scanning for PHP files, double extensions, and .htaccess\u003C\u002Fli>\n\u003Cli>String concatenation obfuscation detection\u003C\u002Fli>\n\u003Cli>Configurable notification levels (all issues, suspicious only, or disabled)\u003C\u002Fli>\n\u003Cli>Ignore list to dismiss known files from results\u003C\u002Fli>\n\u003Cli>Excluded paths and file extensions\u003C\u002Fli>\n\u003Cli>Scheduled automatic scans (daily, weekly)\u003C\u002Fli>\n\u003Cli>HTML formatted email alerts with severity sections\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Activity Log\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Track everything happening on your site:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Successful and failed login attempts\u003C\u002Fli>\n\u003Cli>Two-factor authentication events\u003C\u002Fli>\n\u003Cli>User account changes (creation, deletion, role 
changes)\u003C\u002Fli>\n\u003Cli>Content modifications (posts, pages)\u003C\u002Fli>\n\u003Cli>Plugin and theme activations\u002Fdeactivations\u003C\u002Fli>\n\u003Cli>Security events and blocked threats\u003C\u002Fli>\n\u003Cli>HTTP request method tracking and filtering (GET, POST, PUT, DELETE)\u003C\u002Fli>\n\u003Cli>Enhanced log detail popup with grouped sections and quick actions\u003C\u002Fli>\n\u003Cli>One-click add IP or User-Agent to firewall whitelist\u002Fblacklist from log entries\u003C\u002Fli>\n\u003Cli>Direct IP lookup links to AbuseIPDB\u003C\u002Fli>\n\u003Cli>Configurable retention period\u003C\u002Fli>\n\u003Cli>Export logs to CSV\u003C\u002Fli>\n\u003Cli>Filter by event type, severity, request method, or date\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>WordPress Hardening\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Additional security measures:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>wp-config.php security constants (DISALLOW_FILE_EDIT, etc.)\u003C\u002Fli>\n\u003Cli>Database prefix security check and one-click change tool\u003C\u002Fli>\n\u003Cli>Comment spam protection with honeypot fields\u003C\u002Fli>\n\u003Cli>Disable pingbacks and trackbacks\u003C\u002Fli>\n\u003Cli>Close comments on old posts\u003C\u002Fli>\n\u003Cli>WordPress head cleanup (remove version, RSD, WLW links)\u003C\u002Fli>\n\u003Cli>Feed management and security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>REST API Security\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Control API access to your site:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Three access modes: public, authenticated only, or selective\u003C\u002Fli>\n\u003Cli>Block user enumeration via REST API\u003C\u002Fli>\n\u003Cli>Protect sensitive endpoints\u003C\u002Fli>\n\u003Cli>Maintain compatibility with popular plugins (WooCommerce, Contact Form 7, Elementor)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security Tools\u003C\u002Fh3>\n\u003Cp>Utilities 
included:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Database Backup\u003C\u002Fstrong> – Download a full or partial database backup as ZIP with table selection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Database Prefix Change\u003C\u002Fstrong> – Change the default wp_ prefix to a random secure prefix\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Export\u002FImport Settings\u003C\u002Fstrong> – Transfer your configuration between sites\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Manual Backup\u003C\u002Fstrong> – Create backups of .htaccess and wp-config.php on demand\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reset to Defaults\u003C\u002Fstrong> – Start fresh with one click\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Safe by Design\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Automatic Backup System\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Your existing .htaccess, wp-config.php, and robots.txt are automatically backed up before any modifications. Backups include integrity verification (MD5 checksums) and are stored safely in wp-content\u002Fvigilante-backups\u002F, persisting through plugin updates.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Clean Rollback\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.\u003C\u002Fp>\n\u003Ch3>Why choose Vigilant?\u003C\u002Fh3>\n\u003Cp>Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront — no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, activity log, and more. 
All free, all maintained, all following WordPress coding standards.\u003C\u002Fp>\n\u003Cp>If your current security plugin asks you to pay for features that should be basic, take a look at what Vigilant offers out of the box.\u003C\u002Fp>\n\u003Ch3>How does Vigilant compare?\u003C\u002Fh3>\n\u003Cp>We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each plugin offers in its free version and where Vigilant fills the gaps.\u003C\u002Fp>\n\u003Cp>&rarr; \u003Ca href=\"https:\u002F\u002Fvigilante.works\u002Fcomparison.html\" rel=\"nofollow ugc\">View the full comparison\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>Need help or have suggestions?\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fservicios.ayudawp.com\u002F\" rel=\"nofollow ugc\">Official website\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fvigilante\u002F\" rel=\"ugc\">WordPress support forum\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\u002FAyudaWordPressES\" rel=\"nofollow ugc\">YouTube channel\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fayudawp.com\u002F\" rel=\"nofollow ugc\">Documentation and tutorials\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Love the plugin? Please leave us a 5-star review and help spread the word!\u003C\u002Fp>\n\u003Ch3>About AyudaWP\u003C\u002Fh3>\n\u003Cp>We are specialists in WordPress security, SEO, and performance optimization plugins. 
We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.\u003C\u002Fp>\n","Premium WordPress Security - 100% FREE: Firewall, 2FA, Security Headers, Login and Malware Protection, File Monitor, Activity Log, Under Attack & more",90,1438,100,1,"2026-03-14T18:03:00.000Z","6.9.4","6.2","7.4",[20,21,22,23,24],"2fa","firewall","malware","protection","security","https:\u002F\u002Fservicios.ayudawp.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvigilante.1.5.1.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":13,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"fernandot",21,24270,30,94,"2026-04-04T04:21:26.086Z",[39,55,76,96,112],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":27,"downloaded":47,"rating":27,"num_ratings":27,"last_updated":48,"tested_up_to":16,"requires_at_least":49,"requires_php":18,"tags":50,"homepage":53,"download_link":54,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"vmpfence-security","VMP Security – Firewall, Malware Scan, and Login Security","2.2.5","VMP™","https:\u002F\u002Fprofiles.wordpress.org\u002Ftanveer269\u002F","\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FQavtowPq0TQ?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>Advanced Firewall and Security 
Scanner\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Tired of worrying about your WordPress site getting hacked?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>VMP Security is like having a professional security team watching your website 24\u002F7. We combine a powerful firewall, intelligent malware scanner, and advanced threat detection to keep your site safe from hackers, malware, and security vulnerabilities.\u003C\u002Fp>\n\u003Ch3>Why Choose VMP Security?\u003C\u002Fh3>\n\u003Cp>✅ \u003Cstrong>Comprehensive Real-Time Protection\u003C\u002Fstrong> – Advanced security features that detect and stop attacks in real-time.\u003Cbr \u002F>\n✅ \u003Cstrong>Easy to Use\u003C\u002Fstrong> – Set it up in 5 minutes. No security degree required.\u003Cbr \u002F>\n✅ \u003Cstrong>Performance Optimized\u003C\u002Fstrong> – Won’t slow down your site. Runs efficiently in the background.\u003Cbr \u002F>\n✅ \u003Cstrong>Always Up-to-Date\u003C\u002Fstrong> – Our 280+ firewall rules and malware signatures are constantly updated.\u003Cbr \u002F>\n✅ \u003Cstrong>Complete Coverage\u003C\u002Fstrong> – Firewall, malware scanner, 2FA, brute force protection, and more in one plugin.\u003C\u002Fp>\n\u003Ch3>🔥 Web Application Firewall (WAF)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Think of it as a security guard for your website.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Our firewall inspects every visitor before they reach your WordPress site. Bad guys? Blocked instantly. Legitimate visitors? 
They won’t even notice we’re there.\u003C\u002Fp>\n\u003Ch3>What It Protects Against:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>SQL Injection\u003C\u002Fstrong> – Hackers trying to steal your database\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cross-Site Scripting (XSS)\u003C\u002Fstrong> – Malicious code injection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remote File Inclusion (RFI)\u003C\u002Fstrong> – Attempts to upload backdoors\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Local File Inclusion (LFI)\u003C\u002Fstrong> – Unauthorized file access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Command Injection\u003C\u002Fstrong> – Server takeover attempts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Path Traversal\u003C\u002Fstrong> – Directory browsing attacks\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Key Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>280+ Built-in Security Rules\u003C\u002Fstrong> – Covering all major attack types\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero-Day Protection\u003C\u002Fstrong> – Pattern-based detection catches new threats\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Attack Logging\u003C\u002Fstrong> – See exactly who’s trying to hack you\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Rules\u003C\u002Fstrong> – Add your own protection patterns\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Learning Mode\u003C\u002Fstrong> – Fine-tune rules based on your legitimate traffic\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Blocking\u003C\u002Fstrong> – Automatic permanent bans for repeat offenders\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🚀 Extended Protection (WAF Optimizer)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Run the firewall before WordPress — stop attacks before vulnerable code can execute.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>By default, the firewall loads as a WordPress plugin. 
Extended Protection takes it a step further by running the firewall \u003Cem>before\u003C\u002Fem> WordPress and all other plugins load, so malicious requests are blocked before any potentially vulnerable code has a chance to run.\u003C\u002Fp>\n\u003Ch3>Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Pre-WordPress Execution\u003C\u002Fstrong> – Firewall processes every request before WordPress core loads\u003C\u002Fli>\n\u003Cli>\u003Cstrong>One-Click Optimization\u003C\u002Fstrong> – Guided wizard to enable extended protection safely\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Safe Removal\u003C\u002Fstrong> – Dedicated removal wizard to revert changes cleanly\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic Backup\u003C\u002Fstrong> – Download a backup of your server configuration before any changes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server Auto-Detection\u003C\u002Fstrong> – Automatically detects Apache or LiteSpeed and configures accordingly\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multisite Aware\u003C\u002Fstrong> – Configurable from the main site of a WordPress multisite network\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protection Level Indicator\u003C\u002Fstrong> – See at a glance whether basic or extended protection is active\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🛡️ Brute Force Protection\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Stop password guessing attacks before they succeed.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Hackers use bots to try thousands of password combinations. 
We stop them cold.\u003C\u002Fp>\n\u003Ch3>Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Smart Login Limiting\u003C\u002Fstrong> – Lock out IPs after failed attempts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Invalid Username Blocking\u003C\u002Fstrong> – Instant block for fake usernames\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Leaked Password Detection\u003C\u002Fstrong> – Check credentials against breach databases\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Strong Password Enforcement\u003C\u002Fstrong> – Force admins and users to use secure passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Username Blacklist\u003C\u002Fstrong> – Block known malicious usernames instantly\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Permanent Bans\u003C\u002Fstrong> – Get rid of persistent attackers for good\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>⚡ Rate Limiting & Bot Protection\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Prevent site scraping, resource exhaustion, and vulnerability scanning.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Not all attacks are malicious code. Some attackers just overwhelm your site with requests. 
We stop that too.\u003C\u002Fp>\n\u003Ch3>What We Control:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Request Limits\u003C\u002Fstrong> – Maximum requests per IP per time period\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Human vs Bot Detection\u003C\u002Fstrong> – Smart classification of traffic\u003C\u002Fli>\n\u003Cli>\u003Cstrong>404 Error Monitoring\u003C\u002Fstrong> – Detect scanning attempts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Google Crawler Handling\u003C\u002Fstrong> – Special treatment for legitimate search engines\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Throttling or Blocking\u003C\u002Fstrong> – Slow down or stop violators\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Allowlist Support\u003C\u002Fstrong> – Whitelist your own IPs and trusted services\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🌍 Country Blocking\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Block entire countries from accessing your site.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Protect your WordPress site from geo-targeted attacks by blocking traffic from specific countries. 
Perfect for sites with regional focus or facing attacks from certain locations.\u003C\u002Fp>\n\u003Ch3>Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Comprehensive Geo-Blocking\u003C\u002Fstrong> – Block any country by ISO code\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular Control\u003C\u002Fstrong> – Block login only or entire site access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block Statistics\u003C\u002Fstrong> – Track attempts and blocks per country\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Top Attackers Report\u003C\u002Fstrong> – See which countries attack you most\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Temporary Blocks\u003C\u002Fstrong> – Set expiration times for country blocks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Permanent Blocks\u003C\u002Fstrong> – Long-term protection from persistent threats\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Logging\u003C\u002Fstrong> – Complete audit trail with IP, country, and request data\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Attack Analytics\u003C\u002Fstrong> – Visual reports showing attack patterns by country\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GeoIP Integration\u003C\u002Fstrong> – Automatic IP-to-country lookup with IP2Location\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto-Updates\u003C\u002Fstrong> – GeoIP database updates automatically\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🎯 Custom Pattern Matching\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Block threats using advanced pattern matching.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Go beyond simple IP blocking. 
Create sophisticated blocking rules based on hostnames, user agents, referrers, and IP ranges.\u003C\u002Fp>\n\u003Ch3>Pattern Types:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Hostname Blocking\u003C\u002Fstrong> – Block specific domains or wildcard patterns\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Agent Blocking\u003C\u002Fstrong> – Stop malicious bots and scrapers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Referrer Blocking\u003C\u002Fstrong> – Block traffic from specific sources\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Range Blocking\u003C\u002Fstrong> – CIDR notation support for network blocks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wildcard Patterns\u003C\u002Fstrong> – Flexible matching with * wildcards\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Regex Support\u003C\u002Fstrong> – Advanced users can use regular expressions\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Management Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Pattern Groups\u003C\u002Fstrong> – Organize related patterns together\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Match Statistics\u003C\u002Fstrong> – Track how often patterns trigger\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Active\u002FInactive\u003C\u002Fstrong> – Enable or disable patterns without deleting\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Source Tracking\u003C\u002Fstrong> – Know if patterns are local or from sync service\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reason Logging\u003C\u002Fstrong> – Document why each pattern was created\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Match History\u003C\u002Fstrong> – See when patterns last matched\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🚫 Blocking Options\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Centralized management for all blocking features.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Manage all your site’s blocking rules from one convenient location. 
Control who can access your site and how.\u003C\u002Fp>\n\u003Ch3>Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>IP Blocking\u003C\u002Fstrong> – Block individual IPs or entire IP ranges using CIDR notation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Country Blocking\u003C\u002Fstrong> – Block entire countries from accessing your site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Pattern Blocking\u003C\u002Fstrong> – Create custom blocking rules based on hostnames, user agents, and referrers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Temporary Blocks\u003C\u002Fstrong> – Set time-limited blocks that expire automatically\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Permanent Blocks\u003C\u002Fstrong> – Long-term protection from persistent threats\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block Statistics\u003C\u002Fstrong> – See what’s being blocked and why with detailed analytics\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Allowlist Management\u003C\u002Fstrong> – Whitelist trusted IPs and services to bypass all blocks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unified Dashboard\u003C\u002Fstrong> – Manage all blocking types in one place\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔐 Two-Factor Authentication (2FA)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Add an extra layer of security to your WordPress login.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Even if someone steals your password, they can’t get in without the second factor.\u003C\u002Fp>\n\u003Ch3>Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>QR Code Setup\u003C\u002Fstrong> – Easy configuration with any authenticator app\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup Codes\u003C\u002Fstrong> – Never get locked out of your own site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Management\u003C\u002Fstrong> – Force 2FA for admins or specific roles\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Frontend 2FA Management\u003C\u002Fstrong> – Users can manage their own 2FA settings\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email 
Notifications\u003C\u002Fstrong> – Get notified when 2FA is enabled\u002Fdisabled\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcode Support\u003C\u002Fstrong> – Add 2FA controls anywhere on your site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC Protection\u003C\u002Fstrong> – Require 2FA for XML-RPC requests\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WooCommerce Integration\u003C\u002Fstrong> – Secure your online store checkout\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔍 Advanced Malware Scanner\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Multiple specialized scanners working together to find threats.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>We don’t just look for known malware. Our intelligent scanner detects suspicious patterns, unauthorized changes, and hidden backdoors.\u003C\u002Fp>\n\u003Ch3>Our Security Scanners:\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Malware Scanner\u003C\u002Fstrong> – Detects backdoors, trojans, and malicious code from our 40,000+ malware scanner\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Integrity Monitor\u003C\u002Fstrong> – Compares files against official WordPress versions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Vulnerability Scanner\u003C\u002Fstrong> – Identifies security flaws in plugins and themes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Security Scanner\u003C\u002Fstrong> – Finds suspicious admin accounts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content Safety Scanner\u003C\u002Fstrong> – Analyzes posts\u002Fcomments for malicious content\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Public Files Scanner\u003C\u002Fstrong> – Detects exposed configuration files\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server State Scanner\u003C\u002Fstrong> – Monitors server security settings\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Binary Scanner\u003C\u002Fstrong> – Checks images and executables for embedded malware\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Domain Reputation Scanner\u003C\u002Fstrong> – Verifies URLs against threat 
databases\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Scan Types:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Quick Scan\u003C\u002Fstrong> – Critical files only (2-5 minutes)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Standard Scan\u003C\u002Fstrong> – Balanced coverage (6-12 minutes)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>High Sensitivity Scan\u003C\u002Fstrong> – Complete site analysis (10-25 minutes)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Scan\u003C\u002Fstrong> – Choose exactly what to scan\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🚨 Advanced Threat Detection\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Advanced pattern matching and behavioral analysis.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Intelligent Detection:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Pattern Analysis\u003C\u002Fstrong> – Detects obfuscated and encrypted malware\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Behavior Analysis\u003C\u002Fstrong> – Identifies suspicious file operations\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reputation Checking\u003C\u002Fstrong> – Validates URLs against Google Safe Browsing\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Legitimacy Assessment\u003C\u002Fstrong> – Distinguishes real threats from false positives\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unknown File Detection\u003C\u002Fstrong> – Flags files that shouldn’t be there\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password Breach Checking\u003C\u002Fstrong> – Scans for compromised credentials\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📊 Live Traffic Monitor & Event Tracking\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>See exactly what’s happening on your site in real-time.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Features:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Real-Time Traffic View\u003C\u002Fstrong> – Watch visitors and attacks as they happen\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Event Logging\u003C\u002Fstrong> – Complete audit trail of security events\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Attack 
Statistics\u003C\u002Fstrong> – Visual dashboards showing threats over time\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP Intelligence\u003C\u002Fstrong> – WHOIS lookup and IP reputation checking\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Human vs Bot Tracking\u003C\u002Fstrong> – Classify and analyze traffic patterns\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Export Capabilities\u003C\u002Fstrong> – Download logs and reports for analysis\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🎛️ Easy-to-Use Dashboard\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>All your security in one place. No tech degree required.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>What You Get:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security Status\u003C\u002Fstrong> – Green, yellow, or red. Know your status at a glance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Recent Attacks\u003C\u002Fstrong> – See who’s trying to hack you\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Scan Results\u003C\u002Fstrong> – Detailed reports with clear action items\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Firewall Status\u003C\u002Fstrong> – Protection levels and rule statistics\u003C\u002Fli>\n\u003Cli>\u003Cstrong>One-Click Actions\u003C\u002Fstrong> – Block IPs, ignore false positives, repair files\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Scheduled Scans\u003C\u002Fstrong> – Set it and forget it\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>⚙️ Advanced Features for Power Users\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Need more control? 
We’ve got you covered.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Custom Firewall Rules\u003C\u002Fstrong> – Write your own protection patterns\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Exclusions\u003C\u002Fstrong> – Skip certain directories or file types\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Performance Tuning\u003C\u002Fstrong> – Adjust memory limits and timeouts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>API Integrations\u003C\u002Fstrong> – Google Safe Browsing, IP reputation databases\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IPv4\u002FIPv6 Support\u003C\u002Fstrong> – Dual-stack or IPv4-only mode\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multisite Compatible\u003C\u002Fstrong> – Works perfectly with WordPress networks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong> – Hooks and filters for customization\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sync Service\u003C\u002Fstrong> – Central management for multiple sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔒 Privacy & Your Data\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Your site data and scan results stay on your server. Optional features like settings export use secure cloud storage.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>What We DON’T Do:\u003C\u002Fh3>\n\u003Cp>❌ We don’t send your file content or database data to external servers\u003Cbr \u002F>\n❌ We don’t track your users\u003Cbr \u002F>\n❌ We don’t collect analytics about your site\u003Cbr \u002F>\n❌ We don’t send data without your knowledge\u003C\u002Fp>\n\u003Ch3>External Services (Optional):\u003C\u002Fh3>\n\u003Cp>We use external services only when necessary for specific security features. 
You can see exactly what’s sent:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>VMP Security Servers\u003C\u002Fstrong>\u003Cbr \u002F>\n* License activation and validation (free\u002Fpremium)\u003Cbr \u002F>\n* WAF rules synchronization and updates\u003Cbr \u002F>\n* Malware signature database updates\u003Cbr \u002F>\n* Two-Factor Authentication (2FA) system management\u003Cbr \u002F>\n* Settings export\u002Fimport cloud storage (optional)\u003Cbr \u002F>\n* Privacy: Your site data remains on your server – only configuration and security rules are synced\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Google Services\u003C\u002Fstrong> (safebrowsing.googleapis.com, www.google.com\u002Frecaptcha)\u003Cbr \u002F>\n* URL threat detection and reCAPTCHA spam protection\u003Cbr \u002F>\n* Privacy: https:\u002F\u002Fpolicies.google.com\u002Fprivacy\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress.org APIs\u003C\u002Fstrong> (api.wordpress.org, downloads.wordpress.org, core.svn.wordpress.org)\u003Cbr \u002F>\n* Download original files for integrity checking during malware scans\u003Cbr \u002F>\n* Privacy: https:\u002F\u002Fwordpress.org\u002Fabout\u002Fprivacy\u002F\u003C\u002Fp>\n\u003Cp>\u003Cstrong>GitHub\u003C\u002Fstrong> (raw.githubusercontent.com)\u003Cbr \u002F>\n* Download WordPress core files for file comparison\u003C\u002Fp>\n\u003Cp>\u003Cstrong>IP Lookup Services\u003C\u002Fstrong> (api.ipify.org, ifconfig.me, icanhazip.com, ip-api.com, ipwhois.app, download.ip2location.com)\u003Cbr \u002F>\n* Server IP detection, geolocation, and country blocking features\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Threat Intelligence\u003C\u002Fstrong> (api.urlvoid.com, www.virustotal.com, checkurl.phishtank.com)\u003Cbr \u002F>\n* URL reputation checking and threat validation\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Vulnerability Databases\u003C\u002Fstrong> (services.nvd.nist.gov, wpscan.com, cvedetails.com, cve.mitre.org)\u003Cbr \u002F>\n* Check for known security vulnerabilities during 
scans\u003C\u002Fp>\n\u003Cp>\u003Cstrong>All malware scanning happens on YOUR server.\u003C\u002Fstrong> We do not upload your files or database content to external services except for certain features used by the user.\u003C\u002Fp>\n\u003Ch3>🛠️ Advanced Tools\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Professional-grade tools for site management and troubleshooting.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Diagnostics Tool\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Comprehensive system health check to troubleshoot issues quickly.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Run 15+ diagnostic tests to verify your site’s security configuration and identify potential problems:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Plugin Status\u003C\u002Fstrong> – Check if VMP Security is working correctly\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Permissions\u003C\u002Fstrong> – Verify read\u002Fwrite access to critical directories\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Connectivity Tests\u003C\u002Fstrong> – Ensure your site can communicate with security services\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Time Sync\u003C\u002Fstrong> – Verify server time is accurate for security features\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress Health\u003C\u002Fstrong> – Complete audit of WordPress configuration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Plugins & Themes\u003C\u002Fstrong> – View all installed plugins and themes with versions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Scheduled Tasks\u003C\u002Fstrong> – Monitor cron jobs to ensure scans run on time\u003C\u002Fli>\n\u003Cli>\u003Cstrong>PHP Environment\u003C\u002Fstrong> – Check PHP version and required extensions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Firewall Status\u003C\u002Fstrong> – Verify WAF is protecting your site\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Settings Export\u002FImport\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Backup and migrate your security configuration easily.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Cloud-based 
configuration backup and migration using secure tokens:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Generate Export Token\u003C\u002Fstrong> – Upload settings to VMP server and receive a unique token\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cloud Storage\u003C\u002Fstrong> – Your settings are securely stored on VMP servers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy Import\u003C\u002Fstrong> – Use the token to download settings on any site\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Site Migration\u003C\u002Fstrong> – Quickly migrate security settings between sites\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configuration Backup\u003C\u002Fstrong> – Keep your settings safe in the cloud\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible Import\u003C\u002Fstrong> – Choose to merge with or replace existing settings\u003C\u002Fli>\n\u003C\u002Ful>\n","Your all-in-one WordPress security solution. Stop hackers with our firewall, detect malware before it spreads, and protect your site.",765,"2026-03-05T09:58:00.000Z","5.0",[20,51,21,52,24],"brute-force-protection","malware-scanner","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvmpfence-security.2.2.5.zip",{"slug":56,"name":57,"version":58,"author":59,"author_profile":60,"description":61,"short_description":62,"active_installs":63,"downloaded":64,"rating":36,"num_ratings":65,"last_updated":66,"tested_up_to":16,"requires_at_least":67,"requires_php":68,"tags":69,"homepage":71,"download_link":72,"security_score":73,"vuln_count":74,"unpatched_count":27,"last_vuln_date":75,"fetched_at":29},"wordfence","Wordfence Security – Firewall, Malware Scan, and Login Security","8.1.4","Mark Maunder","https:\u002F\u002Fprofiles.wordpress.org\u002Fmmaunder\u002F","\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" 
src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Fi4ZN2TwlaBE?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>THE MOST POPULAR WORDPRESS FIREWALL & SECURITY SCANNER\u003C\u002Fh4>\n\u003Cp>WordPress security requires a team of dedicated analysts researching the latest malware variants and WordPress exploits, turning them into firewall rules and malware signatures, and releasing those to customers in real-time.\u003C\u002Fp>\n\u003Cp>Choose the right protection for you: \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fproducts\u002Fpricing\u002F\" rel=\"nofollow ugc\">Wordfence Free, Premium, Care or Response\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Wordfence is widely acknowledged as the number one WordPress security research team in the World. Our plugin provides a comprehensive suite of security features, and our team’s research is what powers our plugin and provides the level of security that we are known for.\u003C\u002Fp>\n\u003Cp>At Wordfence, WordPress security isn’t a division of our business – WordPress security is all we do. 
We employ a global 24-hour dedicated incident response team that provides our priority customers with a 1 hour response time for any security incident.\u003C\u002Fp>\n\u003Cp>The sun never sets on our global security team and we run a sophisticated threat intelligence platform to aggregate, analyze and produce ground breaking security research on the newest security threats.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Wordfence Security includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more.\u003C\u002Fstrong> Our \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002F\" rel=\"nofollow ugc\">Threat Defense Feed\u003C\u002Fa> arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe.\u003C\u002Fp>\n\u003Cp>Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.\u003C\u002Fp>\n\u003Ch3>🔥 WORDPRESS FIREWALL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ffirewall\u002F\" rel=\"nofollow ugc\">Web Application Firewall\u003C\u002Fa>\u003C\u002Fstrong> identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time firewall rule and malware signature [Premium]\u003C\u002Fstrong> updates via the Threat Defense Feed (free version is delayed by 30 days).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fblocking\u002F\" rel=\"nofollow ugc\">Real-time IP Blocklist\u003C\u002Fa> [Premium]\u003C\u002Fstrong> blocks all requests from the most malicious IPs, protecting your site while reducing load.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protects your site at the endpoint\u003C\u002Fstrong>, enabling deep integration with WordPress. 
Unlike cloud alternatives, it does not break encryption, cannot be bypassed and cannot leak data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fscan\u002F\" rel=\"nofollow ugc\">Integrated malware scanner\u003C\u002Fa>\u003C\u002Fstrong> blocks requests that include malicious code or content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ffirewall\u002Fbrute-force\u002F\" rel=\"nofollow ugc\">Protection from brute force\u003C\u002Fa>\u003C\u002Fstrong> attacks by limiting login attempts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📡 WORDPRESS SECURITY SCANNER\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malware scanner\u003C\u002Fstrong> checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time malware signature updates [Premium]\u003C\u002Fstrong> via the Threat Defense Feed (free version is delayed by 30 days).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compares with WordPress.org repository\u003C\u002Fstrong> your core files, themes and plugins, checking their integrity and reporting any changes to you.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Repair WordPress core, theme, and plugin files\u003C\u002Fstrong> that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Malware Removal Tools\u003C\u002Fstrong> “Delete File” and “Delete All Deletable Files” options allow for efficient malware removal. Remember to investigate the scan results and backup files first!\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks your site for known security vulnerabilities\u003C\u002Fstrong> and alerts you to any issues. 
Also alerts you to potential security issues when a plugin has been closed or abandoned.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks your content safety\u003C\u002Fstrong> by scanning file contents, posts and comments for dangerous URLs and suspicious content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks to see if your site or IP have been blocklisted [Premium]\u003C\u002Fstrong> for malicious activity, generating spam or other security issues.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔒 LOGIN SECURITY\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ftools\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Two-factor authentication (2FA)\u003C\u002Fa>\u003C\u002Fstrong>, one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Flogin-security\u002F\" rel=\"nofollow ugc\">Login Page CAPTCHA\u003C\u002Fa>\u003C\u002Fstrong> stops bots from logging in.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Flogin-security\u002F#woocommerce-and-custom-integrations\" rel=\"nofollow ugc\">2FA for WooCommerce and custom integrations\u003C\u002Fa>\u003C\u002Fstrong> allow for 2FA to be setup on custom account pages\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC\u003C\u002Fstrong> options including disabling or adding 2FA.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password Security:\u003C\u002Fstrong> Block logins for administrators using known compromised passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📋 SECURITY AUDIT LOG [Premium]\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Faudit-log\" rel=\"nofollow ugc\">The Audit Log\u003C\u002Fa>\u003C\u002Fstrong> monitors all changes and actions in security-sensitive areas of 
the site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remote tamper-proof data storage\u003C\u002Fstrong> via Wordfence Central.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Monitor events and actions\u003C\u002Fstrong> ranging from user creation and editing to plugin\u002Ftheme installation and updates to post and page changes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable\u003C\u002Fstrong> to log all events or significant events only, which includes all authentication, site configuration, and site functionality events.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🌐 WORDFENCE CENTRAL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fproducts\u002Fwordfence-central\u002F\" rel=\"nofollow ugc\">Wordfence Central\u003C\u002Fa>\u003C\u002Fstrong> is a powerful and efficient way to manage the security for multiple sites in one place.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Centralized management:\u003C\u002Fstrong> Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Powerful templates\u003C\u002Fstrong> make configuring Wordfence a breeze.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Highly configurable alerts\u003C\u002Fstrong> can be delivered via email, SMS or Slack. 
Improve the signal to noise ratio by leveraging severity level options and a daily digest option.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Track and alert on important security events\u003C\u002Fstrong> including administrator logins, breached password usage and surges in attack activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Free to use\u003C\u002Fstrong> for unlimited sites.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🛠️ SECURITY TOOLS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ftools\u002Flive-traffic\u002F\" rel=\"nofollow ugc\">Live Traffic\u003C\u002Fa>\u003C\u002Fstrong> monitors visits and hack attempts not shown in other analytics packages in real time; including origin, their IP address, the time of day and time spent on your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block attackers by IP\u003C\u002Fstrong> or build advanced rules based on IP Range, Hostname, User Agent and Referrer.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fblocking\u002Fcountry-blocking\u002F\" rel=\"nofollow ugc\">Country blocking\u003C\u002Fa>\u003C\u002Fstrong> available with Wordfence Premium.\u003C\u002Fli>\n\u003C\u002Ful>\n","Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. 
Make security a priority with Wordfence.",5000000,406617999,4829,"2025-12-20T21:06:00.000Z","4.7","7.0",[20,21,22,70,24],"scanner","https:\u002F\u002Fwww.wordfence.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordfence.8.1.4.zip",96,12,"2022-09-06 00:00:00",{"slug":77,"name":78,"version":79,"author":80,"author_profile":81,"description":82,"short_description":83,"active_installs":84,"downloaded":85,"rating":86,"num_ratings":87,"last_updated":88,"tested_up_to":16,"requires_at_least":89,"requires_php":90,"tags":91,"homepage":93,"download_link":94,"security_score":13,"vuln_count":14,"unpatched_count":27,"last_vuln_date":95,"fetched_at":29},"ninjafirewall","NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall","4.8.4","nintechnet","https:\u002F\u002Fprofiles.wordpress.org\u002Fnintechnet\u002F","\u003Ch4>A true Web Application Firewall\u003C\u002Fh4>\n\u003Cp>NinjaFirewall (WP Edition) is a true Web Application Firewall. Although it can be installed and configured just like a plugin, it is a stand-alone firewall that stands in front of WordPress.\u003C\u002Fp>\n\u003Cp>It allows any blog administrator to benefit from very advanced and powerful security features that usually aren’t available at the WordPress level, but only in security applications such as the Apache \u003Ca href=\"http:\u002F\u002Fwww.modsecurity.org\u002F\" title=\"\" rel=\"nofollow ugc\">ModSecurity\u003C\u002Fa> module or the PHP \u003Ca href=\"http:\u002F\u002Fsuhosin.org\u002F\" title=\"\" rel=\"nofollow ugc\">Suhosin\u003C\u002Fa> extension.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>NinjaFirewall requires at least PHP 7.1, MySQLi extension and is only compatible with Unix-like OS (Linux, BSD). 
It is \u003Cstrong>not compatible with Microsoft Windows\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>NinjaFirewall can hook, scan, sanitise or reject any HTTP\u002FHTTPS request sent to a PHP script before it reaches WordPress or any of its plugins. All scripts located inside the blog installation directories and sub-directories will be protected, including those that aren’t part of the WordPress package. Even encoded PHP scripts, hackers shell scripts and backdoors will be filtered by NinjaFirewall.\u003C\u002Fp>\n\u003Ch4>Powerful filtering engine\u003C\u002Fh4>\n\u003Cp>NinjaFirewall includes the most powerful filtering engine available in a WordPress plugin. Its most important feature is its ability to normalize and transform data from incoming HTTP requests which allows it to detect Web Application Firewall evasion techniques and obfuscation tactics used by hackers, as well as to support and decode a large set of encodings. See our blog for a full description: \u003Ca href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fintroduction-to-ninjafirewall-filtering-engine\u002F\" title=\"\" rel=\"nofollow ugc\">An introduction to NinjaFirewall filtering engine\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Fastest and most efficient brute-force attack protection for WordPress\u003C\u002Fh4>\n\u003Cp>By processing incoming HTTP requests before your blog and any of its plugins, NinjaFirewall is the only plugin for WordPress able to protect it against very large brute-force attacks, including distributed attacks coming from several thousands of different IPs.\u003C\u002Fp>\n\u003Cp>See our benchmarks and stress-tests: \u003Ca href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fwordpress-brute-force-attack-detection-plugins-comparison-2015\u002F\" title=\"\" rel=\"nofollow ugc\">Brute-force attack detection plugins comparison\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>The protection applies to the \u003Ccode>wp-login.php\u003C\u002Fcode> script but can be extended 
to the \u003Ccode>xmlrpc.php\u003C\u002Fcode> one. The incident can also be written to the server \u003Ccode>AUTH\u003C\u002Fcode> log, which can be useful to the system administrator for monitoring purposes or banning IPs at the server level (e.g., Fail2ban).\u003C\u002Fp>\n\u003Ch4>Real-time detection\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>File Guard\u003C\u002Fstrong> real-time detection is a totally unique feature provided by NinjaFirewall: it can detect, in real-time, any access to a PHP file that was recently modified or created, and alert you about this. If a hacker uploaded a shell script to your site (or injected a backdoor into an already existing file) and tried to directly access that file using his browser or a script, NinjaFirewall would hook the HTTP request and immediately detect that the file was recently modified or created. It would send you an alert with all details (script name, IP, request, date and time).\u003C\u002Fp>\n\u003Ch4>File integrity monitoring\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>File Check\u003C\u002Fstrong> lets you perform file integrity monitoring by scanning your website hourly, twicedaily or daily. Any modification made to a file will be detected: file content, file permissions, file ownership, timestamp as well as file creation and deletion.\u003C\u002Fp>\n\u003Ch4>Watch your website traffic in real time\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Live Log\u003C\u002Fstrong> lets you watch your website traffic in real time. It displays connections in a format similar to the one used by the \u003Ccode>tail -f\u003C\u002Fcode> Unix command. Because it communicates directly with the firewall, i.e., without loading WordPress, \u003Cstrong>Live Log\u003C\u002Fstrong> is fast, lightweight and it will not affect your server load, even if you set its refresh rate to the lowest value.\u003C\u002Fp>\n\u003Ch4>Event Notifications\u003C\u002Fh4>\n\u003Cp>NinjaFirewall can alert you by email on specific events triggered within your blog. 
Some of those alerts are enabled by default and it is highly recommended to keep them enabled. It is not unusual for a hacker, after breaking into your WordPress admin console, to install or just to upload a backdoored plugin or theme in order to take full control of your website. NinjaFirewall can also \u003Ca href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fninjafirewall-wp-edition-adds-php-backtrace-to-email-notifications\u002F\" title=\"NinjaFirewall adds PHP backtrace to email notifications\" rel=\"nofollow ugc\">attach a PHP backtrace\u003C\u002Fa> to important notifications.\u003C\u002Fp>\n\u003Cp>Monitored events:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Administrator login.\u003C\u002Fli>\n\u003Cli>Modification of any administrator account in the database.\u003C\u002Fli>\n\u003Cli>Plugins upload, installation, (de)activation, update, deletion.\u003C\u002Fli>\n\u003Cli>Themes upload, installation, activation, deletion.\u003C\u002Fli>\n\u003Cli>WordPress update.\u003C\u002Fli>\n\u003Cli>Pending security update in your plugins and themes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Stay protected against the latest WordPress security vulnerabilities\u003C\u002Fh4>\n\u003Cp>To get the most efficient protection, NinjaFirewall can automatically update its security rules daily, twice daily or even hourly. Each time a new vulnerability is found in WordPress or one of its plugins\u002Fthemes, a new set of security rules will be made available to protect your blog immediately.\u003C\u002Fp>\n\u003Ch4>Strong Privacy\u003C\u002Fh4>\n\u003Cp>Unlike a Cloud Web Application Firewall, or Cloud WAF, NinjaFirewall works and filters the traffic on your own server and infrastructure. 
That means that your sensitive data (contact form messages, customers credit card number, login credentials etc) remains on your server and is not routed through a third-party company’s servers, which could pose unnecessary risks (e.g., decryption of your HTTPS traffic in order to inspect it, employees accessing your data or logs in plain text, theft of private information, man-in-the-middle attack etc).\u003C\u002Fp>\n\u003Cp>Your website can run NinjaFirewall and be \u003Cstrong>compliant with the General Data Protection Regulation (GDPR)\u003C\u002Fstrong>. \u003Ca href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fninjafirewall-general-data-protection-regulation-compliance\u002F\" title=\"GDPR Compliance\" rel=\"nofollow ugc\">See our blog for more details\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>IPv6 compatibility\u003C\u002Fh4>\n\u003Cp>IPv6 compatibility is a mandatory feature for a security plugin: if it supports only IPv4, hackers can easily bypass the plugin by using an IPv6. NinjaFirewall natively supports IPv4 and IPv6 protocols, for both public and private addresses.\u003C\u002Fp>\n\u003Ch4>Multi-site support\u003C\u002Fh4>\n\u003Cp>NinjaFirewall is multi-site compatible. It will protect all sites from your network and its configuration interface will be accessible only to the Super Admin from the network main site.\u003C\u002Fp>\n\u003Ch4>Possibility to prepend your own PHP code to the firewall\u003C\u002Fh4>\n\u003Cp>You can prepend your own PHP code to the firewall with the help of an \u003Ca href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fninjafirewall-wp-edition-the-htninja-configuration-file\u002F\" rel=\"nofollow ugc\">optional distributed configuration file\u003C\u002Fa>. It will be processed before WordPress and all its plugins are loaded. 
This is a very powerful feature, and there is almost no limit to what you can do: add your own security rules, manipulate HTTP requests, variables etc.\u003C\u002Fp>\n\u003Ch4>Low Footprint Firewall\u003C\u002Fh4>\n\u003Cp>NinjaFirewall is very fast, optimised, compact, and requires very low system resource.\u003Cbr \u002F>\nSee for yourself: download and install the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcode-profiler\u002F\" title=\"\" rel=\"ugc\">Code Profiler\u003C\u002Fa> plugin and compare NinjaFirewall’s performance with other security plugins.\u003C\u002Fp>\n\u003Ch4>Non-Intrusive User Interface\u003C\u002Fh4>\n\u003Cp>NinjaFirewall looks and feels like a built-in WordPress feature. It does not contain intrusive banners, warnings or flashy colors. It uses the WordPress simple and clean interface and is also smartphone-friendly.\u003C\u002Fp>\n\u003Ch4>Contextual Help\u003C\u002Fh4>\n\u003Cp>Each NinjaFirewall menu page has a contextual help screen with useful information about how to use and configure it.\u003Cbr \u002F>\nIf you need help, click on the \u003Cem>Help\u003C\u002Fem> menu tab located in the upper right corner of each page in your admin panel.\u003C\u002Fp>\n\u003Ch4>Need more security ?\u003C\u002Fh4>\n\u003Cp>Check out our new supercharged edition: \u003Ca href=\"https:\u002F\u002Fnintechnet.com\u002Fninjafirewall\u002Fwp-edition\u002F\" title=\"NinjaFirewall WP+ Edition\" rel=\"nofollow ugc\">NinjaFirewall WP+ Edition\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Unix shared memory use for inter-process communication and blazing fast performances.\u003C\u002Fli>\n\u003Cli>IP-based Access Control.\u003C\u002Fli>\n\u003Cli>Role-based Access Control.\u003C\u002Fli>\n\u003Cli>Country-based Access Control via geolocation.\u003C\u002Fli>\n\u003Cli>URL-based Access Control.\u003C\u002Fli>\n\u003Cli>Bot-based Access Control.\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fcentralized-logging-with-ninjafirewall\u002F\" title=\"Centralized Logging\" rel=\"nofollow ugc\">Centralized Logging\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Antispam for comment and user registration forms.\u003C\u002Fli>\n\u003Cli>Rate limiting option to block aggressive bots, crawlers, web scrapers and HTTP attacks.\u003C\u002Fli>\n\u003Cli>Response body filter to scan the output of the HTML page right before it is sent to your visitors’ browser.\u003C\u002Fli>\n\u003Cli>Better File uploads management.\u003C\u002Fli>\n\u003Cli>Better logs management.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fblog.nintechnet.com\u002Fsyslog-logging-with-ninjafirewall\u002F\" title=\"Syslog logging\" rel=\"nofollow ugc\">Syslog logging\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fnintechnet.com\u002Fninjafirewall\u002Fwp-edition\u002F\" title=\"\" rel=\"nofollow ugc\">Learn more\u003C\u002Fa> about the WP+ Edition unique features. \u003Ca href=\"https:\u002F\u002Fnintechnet.com\u002Fninjafirewall\u002Fwp-edition\u002F?comparison\" title=\"\" rel=\"nofollow ugc\">Compare\u003C\u002Fa> the WP and WP+ Editions.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 4.9+\u003C\u002Fli>\n\u003Cli>Admin\u002FSuperadmin with \u003Ccode>manage_options\u003C\u002Fcode> + \u003Ccode>unfiltered_html\u003C\u002Fcode> capabilities.\u003C\u002Fli>\n\u003Cli>PHP 7.1+\u003C\u002Fli>\n\u003Cli>MySQL or MariaDB with MySQLi extension\u003C\u002Fli>\n\u003Cli>Apache \u002F Nginx \u002F LiteSpeed \u002F Openlitespeed compatible\u003C\u002Fli>\n\u003Cli>Unix-like operating systems only (Linux, BSD etc). 
NinjaFirewall is \u003Cstrong>NOT\u003C\u002Fstrong> compatible with Microsoft Windows.\u003C\u002Fli>\n\u003C\u002Ful>\n","A true Web Application Firewall to protect and secure WordPress.",100000,3089632,98,217,"2026-03-12T09:53:00.000Z","4.9","7.1",[21,22,23,24,92],"virus","https:\u002F\u002Fnintechnet.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fninjafirewall.4.8.4.zip","2021-05-30 00:00:00",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":104,"downloaded":105,"rating":13,"num_ratings":14,"last_updated":106,"tested_up_to":107,"requires_at_least":67,"requires_php":18,"tags":108,"homepage":110,"download_link":111,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"iron-security","Iron Security – WordPress Security Plugin","2.5.3","WpIron","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpiron\u002F","\u003Cp>\u003Cstrong>Iron Security\u003C\u002Fstrong> is your WordPress security bodyguard.\u003C\u002Fp>\n\u003Cp>It shields your site from brute force attacks, unauthorized admin access, file injections, and common exploits like XML-RPC and REST API abuse. Whether you’re a solo creator or managing client sites, Iron Security delivers essential protection without the performance hit.\u003C\u002Fp>\n\u003Cp>🔒 \u003Cstrong>Don’t wait until your site is compromised. Secure it now — effortlessly.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Iron Security includes real-time brute-force protection, custom login URLs, HTTP headers, session control, malware upload prevention, and much more. 
All from a single, easy-to-use plugin dashboard.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Protects Against:\u003C\u002Fstrong>\u003Cbr \u002F>\n– 🔐 Brute Force Attacks (Limit login attempts, 2FA)\u003Cbr \u002F>\n– 👮 Unauthorized Admin Access (Custom login URL, admin limit)\u003Cbr \u002F>\n– 👤 User Enumeration\u003Cbr \u002F>\n– 🎯 Admin Account Targeting (Admin ID & username protection)\u003Cbr \u002F>\n– 💣 XML-RPC & REST API Exploits\u003Cbr \u002F>\n– 🛡️ Code Injection & PHP Malware Uploads\u003Cbr \u002F>\n– 📂 Direct Access to Sensitive Files\u003Cbr \u002F>\n– 📛 MIME Sniffing & Content-Type Exploits\u003Cbr \u002F>\n– 🖼️ Clickjacking\u003Cbr \u002F>\n– 🧬 Cross-Site Scripting (XSS)\u003Cbr \u002F>\n– 🌐 Referrer Leakage\u003C\u002Fp>\n\u003Ch3>🔐 Key Features\u003C\u002Fh3>\n\u003Ch3>🛠 General Hardening\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Disable XML-RPC & REST API\u003C\u002Fli>\n\u003Cli>Hide WordPress & WooCommerce versions\u003C\u002Fli>\n\u003Cli>Block AI & scraping bots\u003C\u002Fli>\n\u003Cli>Disable file editor\u003C\u002Fli>\n\u003Cli>Enable plugin & core auto-updates\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔍 Security Logs\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>View detailed logs of login attempts and alerts\u003C\u002Fli>\n\u003Cli>Filter logs by IP, message, or date\u003C\u002Fli>\n\u003Cli>Audit suspicious activity easily\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔑 Login & Authentication\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Custom login\u002Fadmin URL\u003C\u002Fli>\n\u003Cli>Limit login attempts with lockouts\u003C\u002Fli>\n\u003Cli>Session timeout for idle users\u003C\u002Fli>\n\u003Cli>Limit number of administrators\u003C\u002Fli>\n\u003Cli>Block user enumeration\u003C\u002Fli>\n\u003Cli>Change default Admin ID and Username\u003C\u002Fli>\n\u003Cli>Enable 2FA (Google Authenticator)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🗂 Files & Directory Protection\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Block PHP file uploads\u003C\u002Fli>\n\u003Cli>Prevent direct 
access to core\u002Fsystem files\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📦 HTTP Security Headers\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-XSS-Protection\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cblockquote>\n\u003Cp>Iron Security is built for creators who care about speed, simplicity, and security. If you’re not securing your site, you’re risking everything.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Developed and maintained by \u003Ca href=\"https:\u002F\u002Fwpiron.com\" rel=\"nofollow ugc\">WPIron\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later.\u003C\u002Fp>\n","Hardening tool that blocks hackers and protects against: Brute Force Attacks, Exploits, Injections, Clickjacking and other important functionalities.",40,4464,"2025-07-23T04:40:00.000Z","6.8.5",[20,21,109,22,24],"login","https:\u002F\u002Fwpiron.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Firon-security.2.5.3.zip",{"slug":113,"name":114,"version":115,"author":116,"author_profile":117,"description":118,"short_description":119,"active_installs":27,"downloaded":120,"rating":27,"num_ratings":27,"last_updated":121,"tested_up_to":16,"requires_at_least":49,"requires_php":18,"tags":122,"homepage":53,"download_link":123,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":124},"arkhost-security-pack","ArkHost Security Pack","1.1","ArkHost","https:\u002F\u002Fprofiles.wordpress.org\u002Farkhost\u002F","\u003Cp>A complete security plugin that’s actually free. 
No “pro” version, no nag screens, no made-up threat statistics.\u003C\u002Fp>\n\u003Ch4>Login Protection\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Blocks IPs after failed login attempts\u003C\u002Fli>\n\u003Cli>Custom login URL (hides wp-login.php)\u003C\u002Fli>\n\u003Cli>Hides wp-admin from logged-out users\u003C\u002Fli>\n\u003Cli>Honeypot field for bots\u003C\u002Fli>\n\u003Cli>Hides login errors (stops username enumeration)\u003C\u002Fli>\n\u003Cli>Email alerts for admin logins from new IPs\u003C\u002Fli>\n\u003Cli>Country\u002FIP restrictions on login page\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>IP Control\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Whitelist and blacklist\u003C\u002Fli>\n\u003Cli>Auto-blacklist after repeated lockouts\u003C\u002Fli>\n\u003Cli>IPv4, IPv6, CIDR supported\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Geo Blocking\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Block countries\u003C\u002Fli>\n\u003Cli>Uses free IP2Location LITE database\u003C\u002Fli>\n\u003Cli>One-click download\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Hardening\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable XML-RPC\u003C\u002Fli>\n\u003Cli>Disable dashboard file editing\u003C\u002Fli>\n\u003Cli>Disable application passwords\u003C\u002Fli>\n\u003Cli>Restrict REST API to logged-in users\u003C\u002Fli>\n\u003Cli>Remove WordPress version\u003C\u002Fli>\n\u003Cli>Block user enumeration (?author=1 and REST API)\u003C\u002Fli>\n\u003Cli>Disable pingbacks\u002Ftrackbacks\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Headers\u003C\u002Fh4>\n\u003Cp>X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS\u003C\u002Fp>\n\u003Ch4>Two-Factor Authentication\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>TOTP (Google Authenticator, Authy, etc.)\u003C\u002Fli>\n\u003Cli>Backup codes\u003C\u002Fli>\n\u003Cli>Enforce for admins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>File Integrity Monitoring\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Checks 
WordPress core files against official checksums\u003C\u002Fli>\n\u003Cli>Daily scans\u003C\u002Fli>\n\u003Cli>Email alerts on changes\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Malware Scanner\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Scans plugins, themes, uploads\u003C\u002Fli>\n\u003Cli>Pattern-based detection\u003C\u002Fli>\n\u003Cli>Quarantine suspicious files\u003C\u002Fli>\n\u003Cli>Weekly scans\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Activity Log\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Login attempts, lockouts, blocks\u003C\u002Fli>\n\u003Cli>IP, country, username, timestamp\u003C\u002Fli>\n\u003Cli>Configurable retention\u003C\u002Fli>\n\u003Cli>CSV export\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Tools\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Export\u002Fimport settings\u003C\u002Fli>\n\u003Cli>Force logout all users\u003C\u002Fli>\n\u003Cli>Test email\u003C\u002Fli>\n\u003Cli>Delete readme.html\u002Flicense.txt\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Privacy\u003C\u002Fh4>\n\u003Cp>No tracking. No analytics. 
No telemetry.\u003C\u002Fp>\n\u003Cp>External connections:\u003Cbr \u002F>\n* WordPress.org API (core file checksums)\u003Cbr \u002F>\n* IP2Location (database download, only when you click it)\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin connects to the following external services under specific circumstances:\u003C\u002Fp>\n\u003Ch4>WordPress.org Checksums API\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Service: api.wordpress.org\u002Fcore\u002Fchecksums\u002F1.0\u002F\u003C\u002Fli>\n\u003Cli>Used for: Verifying WordPress core file integrity by comparing local files against official checksums\u003C\u002Fli>\n\u003Cli>Data sent: WordPress version and locale\u003C\u002Fli>\n\u003Cli>When: During daily scheduled file integrity scans and when manually triggered by the admin\u003C\u002Fli>\n\u003Cli>Privacy policy: https:\u002F\u002Fwordpress.org\u002Fabout\u002Fprivacy\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>IP Detection Services\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Services: api.ipify.org, ifconfig.me, icanhazip.com\u003C\u002Fli>\n\u003Cli>Used for: Detecting the server’s public IP address for the “Whitelist My IP” tool\u003C\u002Fli>\n\u003Cli>Data sent: Standard HTTP request (no personal data)\u003C\u002Fli>\n\u003Cli>When: Only when an admin uses the “Whitelist My IP” feature in the Tools tab\u003C\u002Fli>\n\u003Cli>Terms: https:\u002F\u002Fwww.ipify.org\u002F \u002F https:\u002F\u002Fifconfig.me\u002F \u002F https:\u002F\u002Ficanhazip.com\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>IP2Location\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Service: download.ip2location.com\u003C\u002Fli>\n\u003Cli>Used for: Downloading the free IP2Location LITE geolocation database for country-based blocking\u003C\u002Fli>\n\u003Cli>Data sent: Standard HTTP request (optional: user’s download token if configured)\u003C\u002Fli>\n\u003Cli>When: Only when an admin clicks “Download IP2Location Database” in the IP Control tab\u003C\u002Fli>\n\u003Cli>Terms 
of service: https:\u002F\u002Fwww.ip2location.com\u002Fterms\u003C\u002Fli>\n\u003Cli>Privacy policy: https:\u002F\u002Fwww.ip2location.com\u002Fprivacy\u003C\u002Fli>\n\u003C\u002Ful>\n","WordPress security without the nonsense. No upsells, no premium tier, no fake threat counters.",165,"2026-02-19T18:23:00.000Z",[20,21,109,22,24],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Farkhost-security-pack.1.1.zip","2026-03-15T14:54:45.397Z",{"attackSurface":126,"codeSignals":743,"taintFlows":778,"riskAssessment":965,"analyzedAt":974},{"hooks":127,"ajaxHandlers":584,"restRoutes":732,"shortcodes":733,"cronEvents":734,"entryPointCount":741,"unprotectedCount":742},[128,134,138,142,146,151,154,157,159,165,169,173,177,181,185,189,193,197,200,204,208,212,215,220,224,229,231,234,238,241,244,247,250,254,256,258,261,264,268,271,273,276,280,285,291,293,297,298,301,303,307,310,313,316,319,323,325,330,333,337,340,344,346,350,352,354,357,361,364,368,372,376,380,384,388,392,396,402,405,407,410,414,417,421,423,426,428,430,432,434,438,440,443,446,449,453,455,458,461,464,466,468,469,471,472,477,480,483,485,487,489,491,494,497,500,503,506,509,513,515,518,520,522,525,528,530,533,536,538,542,544,546,548,552,555,559,561,565,567,570,572,576,580],{"type":129,"name":130,"callback":131,"file":132,"line":133},"action","admin_menu","add_menu","admin\\class-admin.php",103,{"type":129,"name":135,"callback":136,"file":132,"line":137},"admin_init","register_settings",104,{"type":129,"name":139,"callback":140,"file":132,"line":141},"admin_enqueue_scripts","enqueue_assets",105,{"type":129,"name":143,"callback":144,"file":132,"line":145},"admin_notices","show_admin_notices",106,{"type":147,"name":148,"callback":149,"file":132,"line":150},"filter","submenu_file","highlight_submenu_tab",109,{"type":129,"name":135,"callback":152,"file":132,"line":153},"run_migrations",167,{"type":129,"name":143,"callback":155,"file":156,"line":150},"closure","includes\\class-activator.php",{"type":129,"name":143,
"callback":155,"file":156,"line":158},121,{"type":129,"name":160,"callback":161,"priority":162,"file":163,"line":164},"transition_post_status","log_post_status_change",10,"includes\\class-activity-log.php",65,{"type":129,"name":166,"callback":167,"file":163,"line":168},"delete_post","log_post_delete",66,{"type":129,"name":170,"callback":171,"file":163,"line":172},"activated_plugin","log_plugin_activated",71,{"type":129,"name":174,"callback":175,"file":163,"line":176},"deactivated_plugin","log_plugin_deactivated",72,{"type":129,"name":178,"callback":179,"priority":162,"file":163,"line":180},"upgrader_process_complete","log_plugin_update",73,{"type":129,"name":182,"callback":183,"priority":162,"file":163,"line":184},"deleted_plugin","log_plugin_deleted",74,{"type":129,"name":186,"callback":187,"priority":162,"file":163,"line":188},"switch_theme","log_theme_switch",79,{"type":129,"name":190,"callback":191,"priority":162,"file":163,"line":192},"updated_option","log_option_update",84,{"type":129,"name":194,"callback":195,"priority":162,"file":163,"line":196},"wp_insert_comment","log_comment_insert",89,{"type":129,"name":198,"callback":199,"file":163,"line":11},"spam_comment","log_comment_spam",{"type":129,"name":201,"callback":202,"file":163,"line":203},"trash_comment","log_comment_trash",91,{"type":129,"name":205,"callback":206,"file":163,"line":207},"delete_comment","log_comment_delete",92,{"type":129,"name":209,"callback":210,"file":163,"line":211},"add_attachment","log_media_upload",97,{"type":129,"name":213,"callback":214,"file":163,"line":86},"delete_attachment","log_media_delete",{"type":147,"name":216,"callback":217,"file":218,"line":219},"xmlrpc_methods","disable_pingback_methods","includes\\class-comment-security.php",54,{"type":147,"name":221,"callback":222,"file":218,"line":223},"wp_headers","remove_pingback_header",55,{"type":147,"name":225,"callback":226,"priority":227,"file":218,"line":228},"pings_open","__return_false",9999,56,{"type":147,"name":225,"call
back":226,"priority":227,"file":218,"line":230},60,{"type":147,"name":232,"callback":233,"priority":162,"file":218,"line":164},"comments_open","close_old_comments",{"type":129,"name":235,"callback":236,"file":218,"line":237},"comment_form","add_honeypot_field",70,{"type":147,"name":239,"callback":240,"file":218,"line":172},"preprocess_comment","check_honeypot",{"type":147,"name":239,"callback":242,"file":218,"line":243},"check_link_limit",76,{"type":147,"name":239,"callback":245,"file":218,"line":246},"check_blocked_patterns",81,{"type":147,"name":239,"callback":248,"file":218,"line":249},"check_blocked_ips",86,{"type":129,"name":251,"callback":252,"priority":14,"file":253,"line":219},"do_feed","disable_feed","includes\\class-feed-manager.php",{"type":129,"name":255,"callback":252,"priority":14,"file":253,"line":223},"do_feed_rdf",{"type":129,"name":257,"callback":252,"priority":14,"file":253,"line":228},"do_feed_rss",{"type":129,"name":259,"callback":252,"priority":14,"file":253,"line":260},"do_feed_rss2",57,{"type":129,"name":262,"callback":252,"priority":14,"file":253,"line":263},"do_feed_atom",58,{"type":129,"name":265,"callback":266,"file":253,"line":267},"template_redirect","maybe_disable_feed",69,{"type":147,"name":269,"callback":270,"priority":162,"file":253,"line":184},"posts_where","delay_feed_posts",{"type":129,"name":272,"callback":252,"priority":14,"file":253,"line":188},"do_feed_rss2_comments",{"type":129,"name":274,"callback":252,"priority":14,"file":253,"line":275},"do_feed_atom_comments",80,{"type":147,"name":277,"callback":278,"file":253,"line":279},"the_generator","__return_empty_string",85,{"type":129,"name":281,"callback":282,"file":283,"line":284},"vigilante_file_integrity_scan","run_scheduled_scan","includes\\class-file-integrity.php",120,{"type":129,"name":286,"callback":287,"priority":288,"file":289,"line":290},"init","run_firewall",2,"includes\\class-firewall.php",62,{"type":129,"name":286,"callback":292,"priority":288,"file":289,"line":168
},"check_rate_limit",{"type":129,"name":286,"callback":294,"file":295,"line":296},"clean_head","includes\\class-head-cleaner.php",52,{"type":147,"name":277,"callback":278,"file":295,"line":290},{"type":129,"name":265,"callback":299,"priority":14,"file":300,"line":263},"redirect_to_https","includes\\class-https-enforcer.php",{"type":129,"name":135,"callback":299,"priority":14,"file":300,"line":302},59,{"type":129,"name":304,"callback":305,"file":300,"line":306},"wp_loaded","start_output_buffer",64,{"type":129,"name":308,"callback":309,"priority":27,"file":300,"line":164},"shutdown","end_output_buffer",{"type":147,"name":311,"callback":312,"priority":162,"file":300,"line":168},"script_loader_src","fix_url_scheme",{"type":147,"name":314,"callback":312,"priority":162,"file":300,"line":315},"style_loader_src",67,{"type":147,"name":317,"callback":312,"priority":162,"file":300,"line":318},"wp_get_attachment_url",68,{"type":147,"name":320,"callback":321,"priority":322,"file":300,"line":267},"the_content","fix_content_urls",999,{"type":147,"name":324,"callback":321,"priority":322,"file":300,"line":237},"widget_text",{"type":147,"name":326,"callback":327,"priority":35,"file":328,"line":329},"authenticate","check_lockout","includes\\class-login-security.php",78,{"type":129,"name":331,"callback":332,"file":328,"line":246},"wp_login_failed","handle_failed_login",{"type":129,"name":334,"callback":335,"priority":162,"file":328,"line":336},"wp_login","handle_successful_login",82,{"type":147,"name":338,"callback":339,"file":328,"line":249},"login_errors","hide_login_errors",{"type":147,"name":341,"callback":342,"file":328,"line":343},"shake_error_codes","remove_shake_errors",87,{"type":147,"name":345,"callback":226,"file":328,"line":207},"xmlrpc_enabled",{"type":147,"name":347,"callback":348,"file":328,"line":349},"wp_xmlrpc_server_class","disable_xmlrpc_server",93,{"type":147,"name":216,"callback":351,"file":328,"line":13},"disable_xmlrpc_pingback",{"type":147,"name":353,"callback"
:226,"file":328,"line":141},"wp_is_application_passwords_available",{"type":129,"name":334,"callback":355,"priority":162,"file":328,"line":356},"notify_admin_login",110,{"type":129,"name":358,"callback":359,"file":328,"line":360},"login_form","show_remaining_attempts",114,{"type":129,"name":304,"callback":362,"file":328,"line":363},"wp_loaded_handler",138,{"type":147,"name":365,"callback":366,"priority":162,"file":328,"line":367},"login_url","filter_login_url",141,{"type":147,"name":369,"callback":370,"priority":162,"file":328,"line":371},"logout_url","filter_logout_url",142,{"type":147,"name":373,"callback":374,"priority":162,"file":328,"line":375},"lostpassword_url","filter_lostpassword_url",143,{"type":147,"name":377,"callback":378,"file":328,"line":379},"register_url","filter_register_url",144,{"type":129,"name":381,"callback":382,"priority":14,"file":328,"line":383},"login_init","block_wp_login_access",147,{"type":147,"name":385,"callback":386,"priority":162,"file":328,"line":387},"site_url","filter_site_url",150,{"type":147,"name":389,"callback":390,"priority":162,"file":328,"line":391},"logout_redirect","filter_logout_redirect",153,{"type":147,"name":393,"callback":394,"priority":14,"file":328,"line":395},"wp_redirect","intercept_admin_redirect",159,{"type":147,"name":397,"callback":398,"priority":399,"file":400,"line":401},"rest_authentication_errors","restrict_rest_api",99,"includes\\class-rest-api-security.php",50,{"type":147,"name":403,"callback":404,"file":400,"line":219},"rest_endpoints","restrict_user_endpoints",{"type":147,"name":406,"callback":226,"file":400,"line":302},"rest_jsonp_enabled",{"type":147,"name":326,"callback":408,"priority":13,"file":409,"line":141},"check_2fa_requirement","includes\\class-two-factor-email.php",{"type":129,"name":411,"callback":412,"file":409,"line":413},"login_form_vigilante_2fa","handle_2fa_form",108,{"type":129,"name":358,"callback":415,"file":409,"line":416},"maybe_show_2fa_form",111,{"type":129,"name":418,"callbac
k":419,"file":409,"line":420},"login_enqueue_scripts","enqueue_login_assets",117,{"type":147,"name":338,"callback":422,"priority":13,"file":409,"line":284},"filter_login_errors",{"type":147,"name":326,"callback":408,"priority":13,"file":424,"line":425},"includes\\class-two-factor-totp.php",125,{"type":129,"name":411,"callback":412,"file":424,"line":427},128,{"type":129,"name":358,"callback":415,"file":424,"line":429},131,{"type":129,"name":418,"callback":419,"file":424,"line":431},134,{"type":147,"name":338,"callback":422,"priority":13,"file":424,"line":433},137,{"type":129,"name":435,"callback":436,"file":424,"line":437},"show_user_profile","render_user_profile_section",140,{"type":129,"name":439,"callback":436,"file":424,"line":367},"edit_user_profile",{"type":129,"name":139,"callback":441,"file":424,"line":442},"enqueue_profile_assets",149,{"type":129,"name":143,"callback":444,"file":424,"line":445},"show_grace_period_notice",152,{"type":129,"name":135,"callback":447,"file":424,"line":448},"force_totp_setup_redirect",155,{"type":129,"name":286,"callback":450,"priority":14,"file":451,"line":452},"check_expiration","includes\\class-under-attack.php",75,{"type":129,"name":265,"callback":454,"priority":14,"file":451,"line":275},"maybe_serve_challenge",{"type":129,"name":286,"callback":456,"priority":288,"file":451,"line":457},"handle_challenge_response",83,{"type":147,"name":459,"callback":460,"file":451,"line":249},"vigilante_rate_limit_requests","aggressive_rate_limit",{"type":147,"name":462,"callback":463,"file":451,"line":343},"vigilante_rate_limit_duration","aggressive_block_duration",{"type":129,"name":286,"callback":465,"priority":288,"file":451,"line":11},"restrict_http_methods",{"type":129,"name":286,"callback":467,"priority":288,"file":451,"line":349},"block_empty_user_agent",{"type":147,"name":345,"callback":226,"file":451,"line":73},{"type":147,"name":216,"callback":470,"file":451,"line":211},"__return_empty_array",{"type":147,"name":397,"callback":398,"p
riority":399,"file":451,"line":13},{"type":129,"name":473,"callback":474,"priority":162,"file":475,"line":476},"user_profile_update_errors","validate_username","includes\\class-user-security.php",63,{"type":147,"name":478,"callback":479,"file":475,"line":306},"pre_user_login","check_username_on_create",{"type":129,"name":481,"callback":482,"priority":162,"file":475,"line":164},"register_post","validate_registration_username",{"type":129,"name":143,"callback":484,"file":475,"line":237},"show_insecure_user_warning",{"type":129,"name":265,"callback":486,"file":475,"line":452},"block_author_scan",{"type":147,"name":403,"callback":488,"file":475,"line":275},"disable_user_endpoints",{"type":129,"name":473,"callback":490,"priority":162,"file":475,"line":279},"validate_password_strength",{"type":147,"name":492,"callback":493,"priority":162,"file":475,"line":249},"registration_errors","validate_registration_password",{"type":129,"name":495,"callback":496,"priority":162,"file":475,"line":11},"profile_update","log_profile_update",{"type":129,"name":498,"callback":499,"file":475,"line":203},"user_register","log_user_register",{"type":129,"name":501,"callback":502,"file":475,"line":207},"delete_user","log_user_delete",{"type":129,"name":504,"callback":505,"priority":162,"file":475,"line":349},"set_user_role","log_role_change",{"type":129,"name":498,"callback":507,"priority":508,"file":475,"line":86},"set_user_pending_approval",5,{"type":147,"name":510,"callback":511,"priority":512,"file":475,"line":399},"wp_authenticate_user","block_pending_user_login",15,{"type":129,"name":143,"callback":514,"file":475,"line":13},"show_pending_users_notice",{"type":147,"name":510,"callback":516,"priority":517,"file":475,"line":413},"check_session_limit_before_login",20,{"type":129,"name":334,"callback":519,"priority":162,"file":475,"line":416},"enforce_session_limit",{"type":129,"name":495,"callback":521,"priority":162,"file":475,"line":420},"check_admin_password_change",{"type":129,"name":334,
"callback":523,"priority":162,"file":475,"line":524},"check_password_expiration",123,{"type":129,"name":143,"callback":526,"file":475,"line":527},"show_password_expiration_notice",124,{"type":129,"name":135,"callback":529,"file":475,"line":425},"force_password_change_redirect",{"type":129,"name":495,"callback":531,"priority":162,"file":475,"line":532},"update_password_change_date",126,{"type":129,"name":498,"callback":534,"file":475,"line":535},"set_initial_password_date",127,{"type":129,"name":473,"callback":537,"priority":162,"file":475,"line":427},"check_password_history",{"type":129,"name":539,"callback":540,"file":475,"line":541},"vigilante_password_expiry_reminder","send_password_expiry_reminders",132,{"type":129,"name":498,"callback":543,"priority":512,"file":475,"line":371},"send_verification_email",{"type":147,"name":510,"callback":545,"priority":162,"file":475,"line":375},"block_unverified_user_login",{"type":129,"name":286,"callback":547,"file":475,"line":379},"handle_email_verification",{"type":129,"name":549,"callback":550,"file":475,"line":551},"login_message","show_verification_message",145,{"type":147,"name":553,"callback":554,"priority":162,"file":475,"line":387},"wp_new_user_notification_email","suppress_new_user_email",{"type":147,"name":556,"callback":557,"file":475,"line":558},"registration_redirect","custom_registration_redirect",151,{"type":129,"name":549,"callback":560,"file":475,"line":445},"show_registration_pending_message",{"type":147,"name":562,"callback":563,"file":475,"line":564},"vigilante_skip_failed_login_count","__return_true",960,{"type":147,"name":562,"callback":563,"file":475,"line":566},1536,{"type":129,"name":143,"callback":568,"file":569,"line":476},"vigilante_requirements_notice","vigilante.php",{"type":129,"name":286,"callback":571,"priority":14,"file":569,"line":551},"vigilante_init_plugin",{"type":129,"name":573,"callback":574,"file":569,"line":575},"vigilante_daily_maintenance","daily_maintenance",305,{"type":129,"name":
577,"callback":578,"file":569,"line":579},"vigilante_hourly_checks","hourly_checks",306,{"type":129,"name":581,"callback":582,"file":569,"line":583},"plugins_loaded","vigilante_load_plugin",402,[585,591,595,598,602,606,609,613,617,620,623,627,630,633,636,639,643,647,650,653,657,660,663,666,670,673,676,680,683,687,690,693,696,700,704,708,712,716,719,722,725,728],{"action":586,"nopriv":587,"callback":588,"hasNonce":589,"hasCapCheck":589,"file":132,"line":590},"vigilante_save_settings",false,"ajax_save_settings",true,112,{"action":592,"nopriv":587,"callback":593,"hasNonce":589,"hasCapCheck":589,"file":132,"line":594},"vigilante_apply_preset","ajax_apply_preset",113,{"action":596,"nopriv":587,"callback":597,"hasNonce":589,"hasCapCheck":589,"file":132,"line":360},"vigilante_reset_section","ajax_reset_section",{"action":599,"nopriv":587,"callback":600,"hasNonce":589,"hasCapCheck":589,"file":132,"line":601},"vigilante_clear_lockouts","ajax_clear_lockouts",115,{"action":603,"nopriv":587,"callback":604,"hasNonce":589,"hasCapCheck":589,"file":132,"line":605},"vigilante_clear_logs","ajax_clear_logs",116,{"action":607,"nopriv":587,"callback":608,"hasNonce":589,"hasCapCheck":589,"file":132,"line":420},"vigilante_run_scan","ajax_run_scan",{"action":610,"nopriv":587,"callback":611,"hasNonce":589,"hasCapCheck":589,"file":132,"line":612},"vigilante_clear_scan","ajax_clear_scan",118,{"action":614,"nopriv":587,"callback":615,"hasNonce":589,"hasCapCheck":589,"file":132,"line":616},"vigilante_ignore_file","ajax_ignore_file",119,{"action":618,"nopriv":587,"callback":619,"hasNonce":589,"hasCapCheck":589,"file":132,"line":284},"vigilante_unignore_file","ajax_unignore_file",{"action":621,"nopriv":587,"callback":622,"hasNonce":589,"hasCapCheck":589,"file":132,"line":158},"vigilante_clear_ignored","ajax_clear_ignored",{"action":624,"nopriv":587,"callback":625,"hasNonce":589,"hasCapCheck":589,"file":132,"line":626},"vigilante_export_settings","ajax_export_settings",122,{"action":628,"nopriv":5
87,"callback":629,"hasNonce":589,"hasCapCheck":589,"file":132,"line":524},"vigilante_import_settings","ajax_import_settings",{"action":631,"nopriv":587,"callback":632,"hasNonce":587,"hasCapCheck":587,"file":132,"line":527},"vigilante_get_logs","ajax_get_logs",{"action":634,"nopriv":587,"callback":635,"hasNonce":589,"hasCapCheck":589,"file":132,"line":425},"vigilante_test_headers","ajax_test_headers",{"action":637,"nopriv":587,"callback":638,"hasNonce":589,"hasCapCheck":589,"file":132,"line":532},"vigilante_create_backup","ajax_create_backup",{"action":640,"nopriv":587,"callback":641,"hasNonce":587,"hasCapCheck":587,"file":132,"line":642},"vigilante_search_users_2fa","ajax_search_users_2fa",129,{"action":644,"nopriv":587,"callback":645,"hasNonce":587,"hasCapCheck":587,"file":132,"line":646},"vigilante_send_2fa_notification","ajax_send_2fa_notification",130,{"action":648,"nopriv":587,"callback":649,"hasNonce":587,"hasCapCheck":587,"file":132,"line":429},"vigilante_search_totp_users","ajax_search_totp_users",{"action":651,"nopriv":587,"callback":652,"hasNonce":587,"hasCapCheck":587,"file":132,"line":541},"vigilante_reset_totp_users","ajax_reset_totp_users",{"action":654,"nopriv":587,"callback":655,"hasNonce":587,"hasCapCheck":587,"file":132,"line":656},"vigilante_totp_get_setup","ajax_totp_get_setup",133,{"action":658,"nopriv":587,"callback":659,"hasNonce":587,"hasCapCheck":587,"file":132,"line":431},"vigilante_notify_login_url","ajax_notify_login_url",{"action":661,"nopriv":587,"callback":662,"hasNonce":587,"hasCapCheck":587,"file":132,"line":433},"vigilante_search_users_password_reset","ajax_search_users_password_reset",{"action":664,"nopriv":587,"callback":665,"hasNonce":587,"hasCapCheck":587,"file":132,"line":363},"vigilante_force_password_reset","ajax_force_password_reset",{"action":667,"nopriv":587,"callback":668,"hasNonce":587,"hasCapCheck":587,"file":132,"line":669},"vigilante_force_password_reset_all","ajax_force_password_reset_all",139,{"action":671,"nopriv":
587,"callback":672,"hasNonce":587,"hasCapCheck":587,"file":132,"line":371},"vigilante_approve_user","ajax_approve_user",{"action":674,"nopriv":587,"callback":675,"hasNonce":587,"hasCapCheck":587,"file":132,"line":375},"vigilante_reject_user","ajax_reject_user",{"action":677,"nopriv":587,"callback":678,"hasNonce":587,"hasCapCheck":587,"file":132,"line":679},"vigilante_get_user_sessions","ajax_get_user_sessions",146,{"action":681,"nopriv":587,"callback":682,"hasNonce":587,"hasCapCheck":587,"file":132,"line":383},"vigilante_revoke_session","ajax_revoke_session",{"action":684,"nopriv":587,"callback":685,"hasNonce":587,"hasCapCheck":587,"file":132,"line":686},"vigilante_revoke_all_sessions","ajax_revoke_all_sessions",148,{"action":688,"nopriv":587,"callback":689,"hasNonce":587,"hasCapCheck":587,"file":132,"line":558},"vigilante_activate_under_attack","ajax_activate_under_attack",{"action":691,"nopriv":587,"callback":692,"hasNonce":587,"hasCapCheck":587,"file":132,"line":445},"vigilante_deactivate_under_attack","ajax_deactivate_under_attack",{"action":694,"nopriv":587,"callback":695,"hasNonce":587,"hasCapCheck":587,"file":132,"line":391},"vigilante_under_attack_status","ajax_under_attack_status",{"action":697,"nopriv":587,"callback":698,"hasNonce":587,"hasCapCheck":587,"file":132,"line":699},"vigilante_get_db_tables","ajax_get_db_tables",156,{"action":701,"nopriv":587,"callback":702,"hasNonce":587,"hasCapCheck":587,"file":132,"line":703},"vigilante_download_db_backup","ajax_download_db_backup",157,{"action":705,"nopriv":587,"callback":706,"hasNonce":587,"hasCapCheck":587,"file":132,"line":707},"vigilante_generate_prefix","ajax_generate_prefix",160,{"action":709,"nopriv":587,"callback":710,"hasNonce":587,"hasCapCheck":587,"file":132,"line":711},"vigilante_change_prefix","ajax_change_prefix",161,{"action":713,"nopriv":587,"callback":714,"hasNonce":587,"hasCapCheck":587,"file":132,"line":715},"vigilante_add_to_firewall_list","ajax_add_to_firewall_list",164,{"action":717,"nop
riv":589,"callback":718,"hasNonce":589,"hasCapCheck":587,"file":409,"line":360},"vigilante_resend_2fa_code","ajax_resend_code",{"action":720,"nopriv":587,"callback":721,"hasNonce":589,"hasCapCheck":589,"file":424,"line":379},"vigilante_totp_verify_setup","ajax_verify_setup",{"action":723,"nopriv":587,"callback":724,"hasNonce":589,"hasCapCheck":589,"file":424,"line":551},"vigilante_totp_regenerate_backup","ajax_regenerate_backup_codes",{"action":726,"nopriv":587,"callback":727,"hasNonce":589,"hasCapCheck":589,"file":424,"line":679},"vigilante_totp_reconfigure","ajax_reconfigure",{"action":729,"nopriv":587,"callback":730,"hasNonce":589,"hasCapCheck":589,"file":569,"line":731},"vigilante_dismiss_notice","ajax_dismiss_notice",309,[],[],[735,737,739,740],{"hook":573,"callback":573,"file":156,"line":736},253,{"hook":577,"callback":577,"file":156,"line":738},258,{"hook":281,"callback":281,"file":283,"line":379},{"hook":539,"callback":539,"file":475,"line":431},42,23,{"dangerousFunctions":744,"sqlUsage":745,"outputEscaping":766,"fileOperations":774,"externalRequests":775,"nonceChecks":776,"capabilityChecks":219,"bundledLibraries":777},[],{"prepared":150,"raw":746,"locations":747},7,[748,752,754,757,759,763,764],{"file":749,"line":750,"context":751},"includes\\class-backup-manager.php",274,"$wpdb->get_col() with variable interpolation",{"file":749,"line":753,"context":751},326,{"file":218,"line":755,"context":756},312,"$wpdb->get_results() with variable interpolation",{"file":300,"line":758,"context":756},314,{"file":760,"line":761,"context":762},"uninstall.php",46,"$wpdb->query() with variable interpolation",{"file":760,"line":318,"context":762},{"file":760,"line":765,"context":762},95,{"escaped":767,"rawEcho":288,"locations":768},630,[769,772],{"file":132,"line":770,"context":771},2714,"raw 
output",{"file":451,"line":773,"context":771},525,27,4,53,[],[779,803,816,826,835,848,856,867,878,886,903,921,937,952],{"entryPoint":780,"graph":781,"unsanitizedCount":14,"severity":802},"ajax_download_db_backup (admin\\class-admin-ajax.php:1484)",{"nodes":782,"edges":799},[783,788,792],{"id":784,"type":785,"label":786,"file":787,"line":566},"n0","source","$_POST","admin\\class-admin-ajax.php",{"id":789,"type":790,"label":791,"file":787,"line":566},"n1","transform","→ stream_download()",{"id":793,"type":794,"label":795,"file":796,"line":797,"wp_function":798},"n2","sink","header() [Header Injection]","includes\\class-database-backup.php",239,"header",[800,801],{"from":784,"to":789,"sanitized":587},{"from":789,"to":793,"sanitized":587},"medium",{"entryPoint":804,"graph":805,"unsanitizedCount":27,"severity":815},"ajax_import_settings (admin\\class-admin.php:4160)",{"nodes":806,"edges":813},[807,809],{"id":784,"type":785,"label":786,"file":132,"line":808},4170,{"id":789,"type":794,"label":810,"file":132,"line":811,"wp_function":812},"update_option() [Settings Manipulation]",4191,"update_option",[814],{"from":784,"to":789,"sanitized":589},"low",{"entryPoint":817,"graph":818,"unsanitizedCount":27,"severity":815},"ajax_apply_preset (admin\\class-admin.php:4203)",{"nodes":819,"edges":824},[820,822],{"id":784,"type":785,"label":786,"file":132,"line":821},4210,{"id":789,"type":794,"label":810,"file":132,"line":823,"wp_function":812},4242,[825],{"from":784,"to":789,"sanitized":589},{"entryPoint":827,"graph":828,"unsanitizedCount":27,"severity":815},"\u003Cclass-admin> (admin\\class-admin.php:0)",{"nodes":829,"edges":833},[830,832],{"id":784,"type":785,"label":831,"file":132,"line":808},"$_POST (x3)",{"id":789,"type":794,"label":810,"file":132,"line":811,"wp_function":812},[834],{"from":784,"to":789,"sanitized":589},{"entryPoint":836,"graph":837,"unsanitizedCount":27,"severity":815},"maybe_show_2fa_form 
(includes\\class-two-factor-email.php:610)",{"nodes":838,"edges":846},[839,842],{"id":784,"type":785,"label":840,"file":409,"line":841},"$_COOKIE (x2)",624,{"id":789,"type":794,"label":843,"file":409,"line":844,"wp_function":845},"echo() [XSS]",728,"echo",[847],{"from":784,"to":789,"sanitized":589},{"entryPoint":849,"graph":850,"unsanitizedCount":27,"severity":815},"\u003Cclass-two-factor-email> (includes\\class-two-factor-email.php:0)",{"nodes":851,"edges":854},[852,853],{"id":784,"type":785,"label":840,"file":409,"line":841},{"id":789,"type":794,"label":843,"file":409,"line":844,"wp_function":845},[855],{"from":784,"to":789,"sanitized":589},{"entryPoint":857,"graph":858,"unsanitizedCount":27,"severity":815},"maybe_show_2fa_form (includes\\class-two-factor-totp.php:364)",{"nodes":859,"edges":865},[860,863],{"id":784,"type":785,"label":861,"file":424,"line":862},"$_COOKIE",391,{"id":789,"type":794,"label":843,"file":424,"line":864,"wp_function":845},482,[866],{"from":784,"to":789,"sanitized":589},{"entryPoint":868,"graph":869,"unsanitizedCount":27,"severity":815},"render_challenge_page (includes\\class-under-attack.php:417)",{"nodes":870,"edges":876},[871,874],{"id":784,"type":785,"label":872,"file":451,"line":873},"$_SERVER",431,{"id":789,"type":794,"label":843,"file":451,"line":875,"wp_function":845},520,[877],{"from":784,"to":789,"sanitized":589},{"entryPoint":879,"graph":880,"unsanitizedCount":27,"severity":815},"\u003Cclass-under-attack> (includes\\class-under-attack.php:0)",{"nodes":881,"edges":884},[882,883],{"id":784,"type":785,"label":872,"file":451,"line":873},{"id":789,"type":794,"label":843,"file":451,"line":875,"wp_function":845},[885],{"from":784,"to":789,"sanitized":589},{"entryPoint":887,"graph":888,"unsanitizedCount":14,"severity":902},"ajax_search_totp_users 
(admin\\class-admin-ajax.php:852)",{"nodes":889,"edges":899},[890,892,894],{"id":784,"type":785,"label":786,"file":787,"line":891},865,{"id":789,"type":790,"label":893,"file":787,"line":891},"→ search_totp_users()",{"id":793,"type":794,"label":895,"file":896,"line":897,"wp_function":898},"get_results() [SQLi]","includes\\class-database.php",1543,"get_results",[900,901],{"from":784,"to":789,"sanitized":587},{"from":789,"to":793,"sanitized":587},"high",{"entryPoint":904,"graph":905,"unsanitizedCount":288,"severity":902},"\u003Cclass-admin-ajax> (admin\\class-admin-ajax.php:0)",{"nodes":906,"edges":916},[907,908,909,910,912,914],{"id":784,"type":785,"label":786,"file":787,"line":891},{"id":789,"type":790,"label":893,"file":787,"line":891},{"id":793,"type":794,"label":895,"file":896,"line":897,"wp_function":898},{"id":911,"type":785,"label":786,"file":787,"line":566},"n3",{"id":913,"type":790,"label":791,"file":787,"line":566},"n4",{"id":915,"type":794,"label":795,"file":796,"line":797,"wp_function":798},"n5",[917,918,919,920],{"from":784,"to":789,"sanitized":587},{"from":789,"to":793,"sanitized":587},{"from":911,"to":913,"sanitized":587},{"from":913,"to":915,"sanitized":587},{"entryPoint":922,"graph":923,"unsanitizedCount":288,"severity":902},"\u003Cclass-database> (includes\\class-database.php:0)",{"nodes":924,"edges":934},[925,927,929,930],{"id":784,"type":785,"label":872,"file":896,"line":926},449,{"id":789,"type":794,"label":895,"file":896,"line":928,"wp_function":898},534,{"id":793,"type":785,"label":872,"file":896,"line":926},{"id":911,"type":794,"label":931,"file":896,"line":932,"wp_function":933},"get_var() [SQLi]",558,"get_var",[935,936],{"from":784,"to":789,"sanitized":587},{"from":793,"to":911,"sanitized":587},{"entryPoint":938,"graph":939,"unsanitizedCount":14,"severity":902},"ajax_regenerate_backup_codes 
(includes\\class-two-factor-totp.php:1135)",{"nodes":940,"edges":949},[941,943,945],{"id":784,"type":785,"label":786,"file":424,"line":942},1147,{"id":789,"type":790,"label":944,"file":424,"line":942},"→ get_totp_data()",{"id":793,"type":794,"label":946,"file":896,"line":947,"wp_function":948},"get_row() [SQLi]",1393,"get_row",[950,951],{"from":784,"to":789,"sanitized":587},{"from":789,"to":793,"sanitized":587},{"entryPoint":953,"graph":954,"unsanitizedCount":14,"severity":902},"\u003Cclass-two-factor-totp> (includes\\class-two-factor-totp.php:0)",{"nodes":955,"edges":961},[956,957,958,959,960],{"id":784,"type":785,"label":861,"file":424,"line":862},{"id":789,"type":794,"label":843,"file":424,"line":864,"wp_function":845},{"id":793,"type":785,"label":786,"file":424,"line":942},{"id":911,"type":790,"label":944,"file":424,"line":942},{"id":913,"type":794,"label":946,"file":896,"line":947,"wp_function":948},[962,963,964],{"from":784,"to":789,"sanitized":589},{"from":793,"to":911,"sanitized":587},{"from":911,"to":913,"sanitized":587},{"summary":966,"deductions":967},"The 'vigilante' v1.5.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to output escaping and robust use of prepared statements for SQL queries, indicating good development practices in these areas. The complete absence of known CVEs and a clean vulnerability history are also significant strengths. However, a substantial attack surface exists within its AJAX handlers, with a concerning 23 out of 42 handlers lacking authentication checks. Furthermore, the taint analysis reveals 6 flows with unsanitized paths, 5 of which are categorized as high severity, suggesting potential vulnerabilities related to how user input is processed. 
While no critical issues were found in the taint analysis, these high-severity unsanitized paths on a plugin with a large number of unprotected AJAX endpoints represent the most significant risks.",[968,970,972],{"reason":969,"points":512},"Unprotected AJAX handlers",{"reason":971,"points":162},"High severity unsanitized paths",{"reason":973,"points":508},"Unsanitized paths in taint analysis","2026-03-16T21:21:58.385Z",{"wat":976,"direct":989},{"assetPaths":977,"generatorPatterns":982,"scriptPaths":983,"versionParams":984},[978,979,980,981],"\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fadmin\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fadmin\u002Fjs\u002Fscript.js","\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fassets\u002Fcss\u002Ffrontend.css","\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fassets\u002Fjs\u002Ffrontend.js",[],[979,981],[985,986,987,988],"\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fadmin\u002Fcss\u002Fstyle.css?ver=","\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fadmin\u002Fjs\u002Fscript.js?ver=","\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fassets\u002Fcss\u002Ffrontend.css?ver=","\u002Fwp-content\u002Fplugins\u002Fvigilante\u002Fassets\u002Fjs\u002Ffrontend.js?ver=",{"cssClasses":990,"htmlComments":993,"htmlAttributes":994,"restEndpoints":995,"jsGlobals":997,"shortcodeOutput":999},[991,992],"vigilante-admin-menu-icon","vigilante-notice",[],[],[996],"\u002Fwp-json\u002Fvigilante\u002Fv1\u002Fsettings",[998],"vigilante_admin_object",[]]