WP Hide & Security Enhancer Security & Risk Analysis

wordpress.org/plugins/wp-hide-security-enhancer

Protect your website by concealing vulnerable WordPress traces, plugins, themes, login/admin url. 2FA, Captcha, Firewall, Security Headers etc.

50K active installs · v2.8.3 · PHP 5.4+ · WP 4.0+ · Updated Mar 6, 2026
Tags: 2fa, headers, hide, login, security
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Dec 5, 2024
Safety Verdict

Is WP Hide & Security Enhancer Safe to Use in 2026?

Generally Safe

Score 96/100

WP Hide & Security Enhancer has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Dec 5, 2024 · Updated 2mo ago
Risk Assessment

The plugin "wp-hide-security-enhancer" v2.8.3 exhibits a generally positive security posture with several strengths, including 100% of SQL queries using prepared statements and a high percentage of properly escaped output. The presence of 19 nonce checks and 9 capability checks across its entry points indicates a good effort to secure its functionalities.

However, there are significant areas of concern. The static analysis revealed 14 flows with unsanitized paths, with one flagged as high severity in the taint analysis. This suggests a potential for vulnerabilities related to path manipulation. Furthermore, the plugin has a history of 3 known CVEs, with 2 high and 1 medium severity issues, specifically related to Path Traversal, Cross-site Scripting, and accessible files. The recent vulnerability reported on 2024-12-05 is particularly worrying, as it indicates ongoing security challenges despite past fixes. The presence of 16 file operations and 11 external HTTP requests, while not inherently insecure, increases the potential attack surface if not meticulously handled, especially in conjunction with the unsanitized path flows.

In conclusion, while the plugin demonstrates good fundamental security practices in its SQL and output handling, the recurrent history of high-severity vulnerabilities and the presence of unsanitized path flows in the static analysis are significant red flags. These elements, combined with the relatively recent vulnerability disclosure, suggest that users should exercise caution. The plugin's overall security is moderate, with a clear need for ongoing vigilance and potential further hardening against path-related and injection vulnerabilities.

Key Concerns

  • High severity taint flow
  • Flows with unsanitized paths
  • 2 high severity CVEs
  • 1 medium severity CVE
  • Recent vulnerability (2024-12-05)
  • 16 file operations
  • 11 external HTTP requests
Vulnerabilities
3 published

WP Hide & Security Enhancer Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2022: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 1

3 total CVEs

CVE-2024-11585 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Hide & Security Enhancer <= 2.5.1 - Missing Authorization to Unauthenticated Arbitrary File Contents Deletion

Dec 5, 2024 Patched in 2.5.2 (1d)
CVE-2022-2538 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Hide & Security Enhancer <= 1.7.9.2 - Reflected Cross-Site Scripting

Aug 8, 2022 Patched in 1.8 (533d)
WF-aee59a8f-7f21-4572-b146-ab1b6350ddb1-wp-hide-security-enhancer · high · 7.5 · Files or Directories Accessible to External Parties

WP Hide & Security Enhancer <= 1.3.9.2 - Arbitrary File Download

Jul 21, 2017 Patched in 1.4 (2377d)
Version History

WP Hide & Security Enhancer Release Timeline

v2.8.3 (Current)
v2.8.2
v2.8.1
v2.8
v2.7.9
v2.7.7
v2.7.6
v2.7.4
v2.7.2
v2.7
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6
v2.5.8
Code Analysis
Analyzed Mar 16, 2026

WP Hide & Security Enhancer Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (15 prepared)
  • Unescaped Output: 36 (349 escaped)
  • Nonce Checks: 19
  • Capability Checks: 9
  • File Operations: 16
  • External Requests: 11
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 15 total queries

Output Escaping

91% escaped · 385 total outputs
Data Flows · Security
14 unsanitized

Data Flow Analysis

24 flows · 14 with unsanitized paths
prepare_HTML (modules\components\login_2fa.php:156)
Attack Surface

WP Hide & Security Enhancer Attack Surface

Entry Points: 9
Unprotected: 0

AJAX Handlers 8

auth · wp_ajax_wph_site_scan · include\admin-interfaces\security-scan.class.php:147
auth · wp_ajax_wph_site_scan_progress · include\admin-interfaces\security-scan.class.php:148
auth · wp_ajax_wph_site_scan_ignore · include\admin-interfaces\security-scan.class.php:149
auth · wp_ajax_wph_site_scan_restore · include\admin-interfaces\security-scan.class.php:150
auth · wp_ajax_2fa_app_reset · modules\components\login_2fa_app.php:93
auth · wp_ajax_2fa_app_code_submit · modules\components\login_2fa_app.php:94
auth · wp_ajax_2fa_rc_regenerate · modules\components\login_2fa_recovery_codes.php:85
auth · wp_ajax_wph_check_headers · modules\components\security-check_headers.php:173

Shortcodes 1

[wph-2fa-user-settings] modules\components\login_2fa.php:45

WordPress Hooks 213

filter · a2opt_cache_page_contents_before_store · compatibility\a2-optimized.php:25
filter · autoptimize_css_after_minify · compatibility\autoptimize.php:18
filter · autoptimize_js_after_minify · compatibility\autoptimize.php:19
filter · bp_core_avatar_url · compatibility\buddypress.php:19
filter · cache_enabler_before_store · compatibility\cache-enabler.php:23
action · dokan_seller_registration_after_shopurl_field · compatibility\dokan.php:26
filter · edd_start_session · compatibility\easy-digital-downloads.php:20
action · wph/settings_changed · compatibility\elementor.php:22
filter · elementor/widget/render_content · compatibility\elementor.php:25
action · fvm_get_url · compatibility\fast-velocity-minfy.php:24
action · wp_print_styles · compatibility\fast-velocity-minfy.php:26
action · wp_print_footer_scripts · compatibility\fast-velocity-minfy.php:27
action · wp_print_scripts · compatibility\fast-velocity-minfy.php:29
action · wp_print_footer_scripts · compatibility\fast-velocity-minfy.php:30
filter · fvm_after_download_and_minify_code · compatibility\fast-velocity-minfy.php:32
action · wp-hide/content_urls_replacement · compatibility\fluentform.php:20
filter · flying_press_optimization:after · compatibility\flying-press.php:25
action · wph/settings_changed · compatibility\fusion-builder.php:18
filter · cache_buffer · compatibility\hyper-cache.php:24
filter · jch_optimize_save_content · compatibility\jch-optimize.php:25
filter · upload_dir · compatibility\jobboardwp.php:23
action · litespeed_buffer_before · compatibility\litespeed-cache.php:25
action · litespeed_optm_cssjs · compatibility\litespeed-cache.php:27
action · litespeed_ccss · compatibility\litespeed-cache.php:28
filter · plugins_loaded · compatibility\oxygen.php:24
filter · wph/components/components_run/ignore_component · compatibility\oxygen.php:28
filter · wp-hide/modules_components_run/completed · compatibility\qtranslate-xt.php:24
filter · qtranslate_language_detect_redirect · compatibility\qtranslate-xt.php:25
filter · wp-hide/ignore_ob_start_callback · compatibility\redirection.php:20
filter · init · compatibility\sg-cachepress.php:25
action · wp_calculate_image_srcset · compatibility\shortpixel-adaptive-images.php:18
action · init · compatibility\shortpixel-adaptive-images.php:20
action · shortpixel_image_urls · compatibility\shortpixel-image-optimiser.php:18
action · plugins_loaded · compatibility\super-cache.php:16
filter · wp_cache_ob_callback_filter · compatibility\super-cache.php:38
filter · swift_performance_buffer · compatibility\swift-performance.php:18
filter · swift_performance_css_content · compatibility\swift-performance.php:20
filter · swift_performance_js_content · compatibility\swift-performance.php:21
action · wp-hide/2fa/process_wp_login · compatibility\temporary-login-without-password.php:24
action · plugins_loaded · compatibility\themes\avada.php:10
filter · fusion_dynamic_css_final · compatibility\themes\avada.php:18
action · wph/settings_changed · compatibility\themes\avada.php:22
action · wph/settings_changed · compatibility\themes\avada.php:24
filter · init · compatibility\themes\buddyboss-theme.php:16
action · et_builder_custom_fonts · compatibility\themes\divi.php:16
action · et_core_page_resource_get_data · compatibility\themes\divi.php:18
action · wph/settings_changed · compatibility\themes\divi.php:20
filter · woodmart_get_all_theme_settings_css · compatibility\themes\woodmart.php:16
filter · trp_is_admin_link · compatibility\translatepress-multilingual.php:23
action · plugins_loaded · compatibility\w3-cache.php:15
filter · w3tc_filename_to_url · compatibility\w3-cache.php:17
filter · w3tc_minify_file_handler_minify_options · compatibility\w3-cache.php:19
filter · w3tc_uri_cdn_uri · compatibility\w3-cache.php:21
filter · wp-hide/ignore_ob_start_callback · compatibility\w3-cache.php:82
filter · wp-hide/ignore_ob_start_callback · compatibility\w3-cache.php:104
action · wp-hide/admin_notices · compatibility\webarx.php:19
filter · wp · compatibility\wepos.php:24
filter · wph/components/wp_oembed_add_discovery_links · compatibility\wepos.php:43
filter · wph/components/wp_oembed_add_host_js · compatibility\wepos.php:44
action · plugins_loaded · compatibility\woo-global-cart.php:15
filter · woogc/on_shutdown/ob_buferring_output · compatibility\woo-global-cart.php:36
action · plugins_loaded · compatibility\woocommerce.php:16
filter · woocommerce_is_rest_api_request · compatibility\woocommerce.php:20
filter · admin_url · compatibility\woocommerce.php:23
action · woocommerce_product_get_downloads · compatibility\woocommerce.php:45
filter · wpacu_html_source_after_optimization · compatibility\wp-asset-clean-up.php:24
filter · swcfpc_normal_fallback_cache_html · compatibility\wp-cloudflare-page-cache.php:26
filter · swcfpc_curl_fallback_cache_html · compatibility\wp-cloudflare-page-cache.php:27
filter · wpfc_buffer_callback_filter · compatibility\wp-fastest-cache.php:19
action · plugins_loaded · compatibility\wp-hummingbird.php:16
filter · wphb_minify_file_content · compatibility\wp-hummingbird.php:35
filter · upload_dir · compatibility\wp-job-manager.php:23
filter · wpo_pre_cache_buffer · compatibility\wp-optimize.php:24
filter · wpo_cache_show_cached_by_comment · compatibility\wp-optimize.php:28
filter · rocket_js_url · compatibility\wp-rocket.php:29
filter · rocket_css_content · compatibility\wp-rocket.php:31
action · plugins_loaded · compatibility\wp-simple-firewall.php:27
action · admin_notices · compatibility\wp-simple-firewall.php:66
filter · smush_filter_generate_cdn_url · compatibility\wp-smush.php:18
filter · wpsol_before_cache · compatibility\wp-speed-of-light.php:25
filter · wph/components/rewrite-default/superglobal_variables_replacements · compatibility\wpforms-lite.php:20
action · plugins_loaded · compatibility\wpml.php:16
action · wp-hide/ob_start_callback · compatibility\wpml.php:37
action · wp-hide/admin_notices · compatibility\wps-hide-login.php:19
action · init · include\admin-interfaces\security-scan.class.php:22
action · admin_notice · include\admin-interfaces\security-scan.class.php:141
action · admin_init · include\admin-interfaces\setup.class.php:19
action · admin_init · include\admin-interfaces\setup.class.php:20
action · admin_notice · include\admin-interfaces\setup.class.php:21
action · wp_loaded · include\functions.class.php:2412
action · wp_loaded · include\functions.class.php:2414
action · shutdown · include\update.class.php:247
action · wp_loaded · include\update.class.php:249
action · activated_plugin · include\wph.class.php:120
action · init · include\wph.class.php:122
filter · wp_mail · include\wph.class.php:125
action · wp_redirect · include\wph.class.php:128
action · logout_redirect · include\wph.class.php:130
action · init · include\wph.class.php:133
action · admin_menu · include\wph.class.php:135
action · admin_init · include\wph.class.php:136
action · admin_print_styles · include\wph.class.php:137
action · wp_dashboard_setup · include\wph.class.php:139
action · after_switch_theme · include\wph.class.php:142
action · wph/settings_changed · include\wph.class.php:146
action · wph/settings_changed · include\wph.class.php:149
action · admin_init · include\wph.class.php:152
action · admin_init · include\wph.class.php:154
filter · flush_rewrite_rules_hard · include\wph.class.php:160
filter · iis7_url_rewrite_rules · include\wph.class.php:163
action · switch_theme · include\wph.class.php:166
action · admin_notices · include\wph.class.php:169
action · network_admin_notices · include\wph.class.php:170
action · save_post · include\wph.class.php:173
action · update_post_metadata · include\wph.class.php:175
filter · pre_update_option · include\wph.class.php:177
action · admin_print_footer_scripts · include\wph.class.php:180
filter · wp-hide/ignore_ob_start_callback · include\wph.class.php:183
filter · attachment_url_to_postid · include\wph.class.php:185
action · init · include\wph.class.php:188
action · request · include\wph.class.php:865
action · parse_request · include\wph.class.php:866
action · set_auth_cookie · modules\components\admin-admin_url.php:156
action · wp_logout · modules\components\admin-admin_url.php:157
filter · user_admin_url · modules\components\admin-admin_url.php:160
filter · admin_url · modules\components\admin-admin_url.php:161
filter · self_admin_url · modules\components\admin-admin_url.php:163
filter · admin_url · modules\components\admin-admin_url.php:166
action · admin_enqueue_scripts · modules\components\admin-login_php.php:14
action · login_footer · modules\components\admin-login_php.php:16
filter · login_url · modules\components\admin-login_php.php:175
filter · site_url · modules\components\admin-login_php.php:177
action · init · modules\components\general-admin-bar.php:133
filter · show_admin_bar · modules\components\general-admin-bar.php:151
filter · wp-hide/ob_start_callback · modules\components\general-emulate.php:93
filter · wp-hide/ob_start_callback · modules\components\general-html.php:279
filter · wp-hide/ob_start_callback · modules\components\general-html.php:320
filter · body_class · modules\components\general-html.php:432
filter · nav_menu_item_id · modules\components\general-html.php:473
filter · nav_menu_css_class · modules\components\general-html.php:492
filter · post_class · modules\components\general-html.php:520
filter · wp-hide/ob_start_callback · modules\components\general-html.php:573
filter · the_generator · modules\components\general-meta.php:389
filter · wp-hide/ob_start_callback · modules\components\general-meta.php:393
filter · wp-hide/ob_start_callback · modules\components\general-meta.php:438
filter · wp-hide/ob_start_callback · modules\components\general-meta.php:472
filter · wp-hide/ob_start_callback · modules\components\general-meta.php:509
filter · wp-hide/ob_start_callback · modules\components\general-meta.php:601
action · auth_redirect · modules\components\general-meta.php:642
filter · wp-hide/ob_start_callback · modules\components\general-meta.php:648
filter · wp · modules\components\general-oembed.php:72
action · robots_txt · modules\components\general-robots-txt.php:77
filter · script_loader_src · modules\components\general-scripts.php:81
filter · style_loader_src · modules\components\general-styles.php:107
filter · wp-hide/ob_start_callback · modules\components\general-styles.php:147
action · wp_enqueue_scripts · modules\components\general-user-interactions.php:352
filter · wp_footer · modules\components\general-user-interactions.php:353
filter · login_footer · modules\components\general-user-interactions.php:354
action · init · modules\components\general-wpemoji.php:103
action · init · modules\components\general-wpemoji.php:124
filter · tiny_mce_plugins · modules\components\general-wpemoji.php:130
action · init · modules\components\login_2fa.php:19
action · show_user_profile · modules\components\login_2fa.php:21
action · edit_user_profile · modules\components\login_2fa.php:22
filter · user_row_actions · modules\components\login_2fa.php:24
action · admin_post_user_action_2fa_app_reset · modules\components\login_2fa.php:25
action · admin_post_user_action_2fa_rc_reset · modules\components\login_2fa.php:26
action · admin_notices · modules\components\login_2fa.php:27
action · woocommerce_edit_account_form · modules\components\login_2fa.php:29
action · personal_options_update · modules\components\login_2fa.php:31
action · edit_user_profile_update · modules\components\login_2fa.php:32
action · woocommerce_save_account_details · modules\components\login_2fa.php:34
action · wp_login · modules\components\login_2fa.php:36
action · set_auth_cookie · modules\components\login_2fa.php:38
action · set_logged_in_cookie · modules\components\login_2fa.php:39
filter · authenticate · modules\components\login_2fa.php:41
action · login_form_validate_2fa · modules\components\login_2fa.php:43
filter · send_auth_cookies · modules\components\login_2fa.php:601
filter · wp-hide/get_module_item_setting · modules\components\login_2fa_defaults.php:14
filter · wp_robots · modules\components\login_2fa_template_login_header.php:29
action · login_head · modules\components\login_2fa_template_login_header.php:30
action · login_head · modules\components\login_2fa_template_login_header.php:32
action · login_footer · modules\components\login_2fa_template_login_header.php:50
action · login_form · modules\components\login_captcha-google-v2.php:196
action · authenticate · modules\components\login_captcha-google-v2.php:197
action · lostpassword_form · modules\components\login_captcha-google-v2.php:199
action · lostpassword_post · modules\components\login_captcha-google-v2.php:200
action · register_form · modules\components\login_captcha-google-v2.php:202
action · registration_errors · modules\components\login_captcha-google-v2.php:203
action · login_form · modules\components\login_captcha-google-v3.php:183
action · authenticate · modules\components\login_captcha-google-v3.php:184
action · lostpassword_form · modules\components\login_captcha-google-v3.php:186
action · lostpassword_post · modules\components\login_captcha-google-v3.php:187
action · register_form · modules\components\login_captcha-google-v3.php:189
action · registration_errors · modules\components\login_captcha-google-v3.php:190
filter · author_rewrite_rules · modules\components\rewrite-author.php:137
action · template_redirect · modules\components\rewrite-author.php:187
action · wp-hide/modules_components_run/completed · modules\components\rewrite-default.php:31
filter · rest_request_after_callbacks · modules\components\rewrite-json-rest.php:307
filter · json_enabled · modules\components\rewrite-json-rest.php:331
filter · json_jsonp_enabled · modules\components\rewrite-json-rest.php:332
filter · rest_authentication_errors · modules\components\rewrite-json-rest.php:342
filter · rest_jsonp_enabled · modules\components\rewrite-json-rest.php:343
filter · wp-hide/interface/process · modules\components\rewrite-new_theme_path.php:101
action · wph/settings_changed · modules\components\rewrite-new_theme_path.php:105
action · shutdown · modules\components\rewrite-new_theme_path.php:462
action · shutdown · modules\components\rewrite-new_theme_path.php:675
filter · xmlrpc_enabled · modules\components\rewrite-new_xml-rpc-path.php:261
filter · wp-hide/ob_start_callback · modules\components\rewrite-new_xml-rpc-path.php:314
filter · search_rewrite_rules · modules\components\rewrite-search.php:99
action · template_redirect · modules\components\rewrite-search.php:104
action · init · modules\components\security-check_headers.php:12
action · plugins_loaded · wp-hide.php:46
Maintenance & Trust

WP Hide & Security Enhancer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 5.4
Downloads: 3.4M

Community Trust

Rating: 86/100
Number of ratings: 275
Active installs: 50K
Developer Profile

WP Hide & Security Enhancer Developer Profile

nsp-code

5 plugins · 1.2M total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 1630 days
Detection Fingerprints

How We Detect WP Hide & Security Enhancer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-hide-security-enhancer/assets/css/backend.css
  • /wp-content/plugins/wp-hide-security-enhancer/assets/css/frontend.css
  • /wp-content/plugins/wp-hide-security-enhancer/assets/js/backend.js
  • /wp-content/plugins/wp-hide-security-enhancer/assets/js/frontend.js

Script Paths

  • /wp-content/plugins/wp-hide-security-enhancer/assets/js/backend.js
  • /wp-content/plugins/wp-hide-security-enhancer/assets/js/frontend.js

Version Parameters

  • wp-hide-security-enhancer/assets/css/backend.css?ver=
  • wp-hide-security-enhancer/assets/css/frontend.css?ver=
  • wp-hide-security-enhancer/assets/js/backend.js?ver=
  • wp-hide-security-enhancer/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

HTML Comments

  • <!-- wp-hide -->
  • <!-- wp-hide-security-enhancer -->

Data Attributes

  • data-wph-id

JS Globals

  • wph_data
  • WPH_frontend_obj

REST Endpoints

  • /wp-json/wp-hide-security-enhancer/v1/settings
  • /wp-json/wp-hide-security-enhancer/v1/scan-results

FAQ

Frequently Asked Questions about WP Hide & Security Enhancer