[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYABrdu2TpLd9ktRzYaXsKHD4-AkwqTfF1nRWYmPJ9dQ":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":49,"crawl_stats":38,"alternatives":55,"analysis":160,"fingerprints":731},"wp-shieldon","WP Shieldon – WordPress Firewall","2.0.2","Terry L.","https:\u002F\u002Fprofiles.wordpress.org\u002Fterrylin\u002F","\u003Cp>WP Shieldon is a WordPress security plugin based on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fterrylinooo\u002Fshieldon\" rel=\"nofollow ugc\">Shieldon\u003C\u002Fa> library, a Web Application Firewall (WAF) for PHP.\u003C\u002Fp>\n\u003Cp>When users or robots try to view many of your web pages within a short period of time, they will be temporarily banned. They can get unbanned by solving a Captcha.\u003C\u002Fp>\n\u003Cp>You can visit the plugin author – \u003Ca href=\"https:\u002F\u002Fterryl.in\" rel=\"nofollow ugc\">Terry L.\u003C\u002Fa>‘s blog and try reloading the pages several times to see how this plugin works. You can also try Terry’s login page to find it protected. 
For more information about Shieldon, please visit \u003Ca href=\"https:\u002F\u002Fshieldon.io\u002Fen\u002F\" rel=\"nofollow ugc\">shieldon.io\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Please note that there are three important things you must understand before using WP Shieldon:\u003C\u002Fp>\n\u003Col>\n\u003Cli>WP Shieldon is not for beginners.\u003C\u002Fli>\n\u003Cli>Turn the \u003Ccode>Trusted Bot\u003C\u002Fcode> component on to allow search engine crawlers such as Google, Bing, Yahoo, and others to smoothly crawl your website.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Open Source Code\u003C\u002Fh3>\n\u003Cp>Plugin:\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fterrylinooo\u002Fwp-shieldon\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fterrylinooo\u002Fwp-shieldon\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Core library:\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fterrylinooo\u002Fshieldon\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Fterrylinooo\u002Fshieldon\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Realtime statistics – See who is browsing your website and their status.\u003C\u002Fli>\n\u003Cli>Beautiful and detailed statistics and dashboard.\u003C\u002Fli>\n\u003Cli>Block bad bots by default – Backlink crawlers, copyright crawlers and WayBack machine bot.\u003C\u002Fli>\n\u003Cli>IP manager – Block single IP or IP range as you want. (IPv6 supported)\u003C\u002Fli>\n\u003Cli>Online session control – You can limit just how many visitors are browsing your website. 
Good for webmasters whose blog is hosted on a share hosting.\u003C\u002Fli>\n\u003Cli>SEO friendly – You can allow popular search engines such as Google, Bing, Yahoo and others, put them in the whitelist.\u003C\u002Fli>\n\u003Cli>XML RPC, Login, Signup page protection.\u003C\u002Fli>\n\u003Cli>Multiple data drivers – Redis, SQLite, File system, MySQL.\u003C\u002Fli>\n\u003Cli>Multiple CAPTCHA modules – Google reCAPTCHA v2, v3 and Image CAPTCHA.\u003C\u002Fli>\n\u003Cli>XSS Protection.\u003C\u002Fli>\n\u003Cli>Page authentication.\u003C\u002Fli>\n\u003Cli>Many others you can find by yourself.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check out my other WordPress works here:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-githuber-md\u002F\" rel=\"ugc\">Markdown Editor\u003C\u002Fa> – WP Githuber MD – an all in one Markdown editor.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcache-master\u002F\" rel=\"ugc\">Cache Master\u003C\u002Fa> – WordPress cache plugin.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fthemes\u002Fmynote\u002F\" rel=\"ugc\">Mynote Theme\u003C\u002Fa> – Theme for programmers.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Copyright\u003C\u002Fh3>\n\u003Cp>WP Shieldon, Copyright 2019 TerryL.in\u003Cbr \u002F>\nWP Shieldon is distributed under the terms of the GNU GPL\u003C\u002Fp>\n\u003Cp>This program is free software: you can redistribute it and\u002For modify\u003Cbr \u002F>\nit under the terms of the GNU General Public License as published by\u003Cbr \u002F>\nthe Free Software Foundation, either version 3 of the License, or\u003Cbr \u002F>\n(at your option) any later version.\u003C\u002Fp>\n\u003Cp>This program is distributed in the hope that it will be useful,\u003Cbr \u002F>\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\u003Cbr \u002F>\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\u003Cbr \u002F>\nGNU General Public License for more details.\u003C\u002Fp>\n","WP Shieldon is a WordPress security plugin based on Shieldon library, a Web Application Firewall (WAF) for PHP.",100,5678,74,3,"2023-06-21T02:55:00.000Z","6.2.9","4.7","7.1.0",[20,21,22,23,24],"anti-scriping","brute-force","firewall","security","xss-protection","https:\u002F\u002Fgithub.com\u002Fterrylinooo\u002Fwp-shieldon","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-shieldon.2.0.2.zip",85,1,0,"2021-01-18 00:00:00","2026-03-15T15:16:48.613Z",[33],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":40,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48},"CVE-2021-24124","wp-shieldon-reflected-cross-site-scripting","WP Shieldon \u003C= 1.6.3 - Reflected Cross-Site Scripting","Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation.",null,"\u003C=1.6.3","1.6.4","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-01-22 
19:56:02",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6c8eaba3-9c23-4f35-8669-0ce345918fa6?source=api-prod",1100,{"slug":50,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":51,"avg_security_score":52,"avg_patch_time_days":48,"trust_score":53,"computed_at":54},"terrylin",630,78,64,"2026-04-04T02:12:30.627Z",[56,78,100,120,139],{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":69,"requires_at_least":70,"requires_php":71,"tags":72,"homepage":71,"download_link":75,"security_score":66,"vuln_count":76,"unpatched_count":29,"last_vuln_date":77,"fetched_at":31},"limit-login-attempts-reloaded","Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall","2.26.28","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded\u003C\u002Fa> functions as a robust deterrent against \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fcracking-the-code-unveiling-the-mechanics-behind-brute-force-attacks\u002F\" rel=\"nofollow ugc\">brute force attacks\u003C\u002Fa>, bolstering your website’s security measures and optimizing its performance. It achieves this by \u003Cstrong>restricting the number of login attempts allowed\u003C\u002Fstrong>. This applies not only to the standard login method, but also to XMLRPC, Woocommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.\u003C\u002Fp>\n\u003Cp>The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and\u002For username once a predetermined limit of retries has been surpassed. 
This significantly weakens the effectiveness of brute force attacks on your website.\u003C\u002Fp>\n\u003Cp>By default, WordPress permits an unlimited number of login attempts, posing a vulnerability where passwords can be easily deciphered through brute force methods.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Limit Login Attempts Reloaded Premium (Try Free with \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fpremium-security-zero-cost-discover-the-benefits-of-micro-cloud\u002F\" rel=\"nofollow ugc\">Micro Cloud\u003C\u002Fa>)\u003C\u002Fstrong>\u003Cbr \u002F>\nUpgrade to \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fplans\u002F\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded Premium\u003C\u002Fa> to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffeatures\u002Fip-intelligence\u002F\" rel=\"nofollow ugc\">IP intelligence\u003C\u002Fa> to \u003Cstrong>detect, counter and deny malicious login attempts\u003C\u002Fstrong>. 
Your \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffailed-login-attempts-in-wordpress\u002F\" rel=\"nofollow ugc\">failed login attempts\u003C\u002Fa> will be safely neutralized in the cloud so your website can function at its optimal performance during an attack.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FJfkvIiQft14?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>Features (Free Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>2FA\u003C\u002Fstrong> – Coming soon.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Logins\u003C\u002Fstrong> – Limit the number of retry attempts when logging in (per each IP).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Lockout Timings\u003C\u002Fstrong> – Modify the amount of time a user or IP must wait after a lockout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remaining Tries\u003C\u002Fstrong> – Informs the user about the remaining retries or lockout time on the login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lockout Email Notifications\u003C\u002Fstrong> – Informs the admin via email of lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Denied Attempt Logs\u003C\u002Fstrong> – View a log of all denied attempts and lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & Username Safelist\u002FDenylist\u003C\u002Fstrong> – Control access to usernames and IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection (Micro Cloud Accounts)\u003C\u002Fstrong> – Protects default WP 
registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sucuri\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wordfence\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPS Hide Login\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MemberPress\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XMLRPC\u003C\u002Fstrong> gateway protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Woocommerce\u003C\u002Fstrong> login page protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-site compatibility\u003C\u002Fstrong> with extra MU settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR\u003C\u002Fstrong> compliant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom IP origins support\u003C\u002Fstrong> (Cloudflare, Sucuri, etc.).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>llar_admin\u003C\u002Fstrong> own capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features (Premium Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Performance Optimizer\u003C\u002Fstrong> – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced IP Intelligence\u003C\u002Fstrong> – Identify repetitive and suspicious login attempts to detect potential brute force attacks. 
IPs with known malicious activity are stored and used to help prevent and counter future attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Throttling\u003C\u002Fstrong> – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deny By Country\u003C\u002Fstrong> – \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fblock-logins-by-country-in-wordpress\u002F\" rel=\"nofollow ugc\">Block logins by country\u003C\u002Fa> by simply selecting the countries you want to deny.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto IP Denylist\u003C\u002Fstrong> – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Denylist Protection\u003C\u002Fstrong> – Utilize our active cloud IP data from thousands of websites in the LLAR network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Lockouts\u003C\u002Fstrong> –  Lockout IP data can be shared between multiple domains for enhanced protection in your network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Safelist\u002FDenylist\u003C\u002Fstrong> – Safelist\u002FDenylist IP and username data can be shared between multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support\u003C\u002Fstrong> – Email support with a security tech.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto Backups of All IP Data\u003C\u002Fstrong> – Store your active IP data in the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Successful Logins Log\u003C\u002Fstrong> – Store successful logins in the cloud including IP info, city, state and lat\u002Flong.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced lockout logs\u003C\u002Fstrong> – Gain valuable insights into the origins of IPs that are attempting logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CSV 
Download of IP Data\u003C\u002Fstrong> – Download IP data directly from the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supports IPV6 Ranges For Safelist\u002FDenylist\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlock The Locked Admin\u003C\u002Fstrong> – Easily \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fhow-to-unlock-your-site-if-you-are-locked-out-by-limit-login-attempts-reloaded\u002F\" rel=\"nofollow ugc\">unlock the locked admin\u003C\u002Fa> through the cloud.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>*Some features require higher level plans.\u003C\u002Fp>\n\u003Ch4>Upgrading from the old Limit Login Attempts plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to the Plugins section in your site’s backend.\u003C\u002Fli>\n\u003Cli>Remove the Limit Login Attempts plugin.\u003C\u002Fli>\n\u003Cli>Install the Limit Login Attempts Reloaded plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All your settings will be kept intact!\u003C\u002Fp>\n\u003Cp>Many languages are currently supported in the Limit Login Attempts Reloaded plugin but we welcome any additional ones.\u003C\u002Fp>\n\u003Cp>Help us bring Limit Login Attempts Reloaded to even more countries.\u003C\u002Fp>\n\u003Cp>Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish\u003C\u002Fp>\n\u003Cp>Plugin uses standard actions and filters only.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin by Johan Eenfeldt.\u003C\u002Fp>\n\u003Ch4>Branding Guidelines\u003C\u002Fh4>\n\u003Cp>Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. 
Limit Login Attempts is the old plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded (correct)\u003C\u002Fli>\n\u003Cli>Limit Login Attempts (incorrect)\u003C\u002Fli>\n\u003C\u002Ful>\n","Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.",2000000,79399145,98,1441,"2026-01-12T16:01:00.000Z","6.9.4","3.0","",[73,21,22,74,23],"2fa","login-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-login-attempts-reloaded.2.26.28.zip",4,"2023-12-20 00:00:00",{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":86,"downloaded":87,"rating":66,"num_ratings":88,"last_updated":89,"tested_up_to":69,"requires_at_least":90,"requires_php":91,"tags":92,"homepage":95,"download_link":96,"security_score":97,"vuln_count":98,"unpatched_count":29,"last_vuln_date":99,"fetched_at":31},"gotmls","Anti-Malware Security and Brute-Force Firewall","4.23.88","Eli","https:\u002F\u002Fprofiles.wordpress.org\u002Fscheeeli\u002F","\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Download Definition Updates to protect against new threats.\u003C\u002Fli>\n\u003Cli>Run a Complete Scan to automatically remove known security threats, backdoor scripts, and database injections.\u003C\u002Fli>\n\u003Cli>Firewall block SoakSoak and other malware from exploiting Revolution Slider and other plugins with known vulnerabilities.\u003C\u002Fli>\n\u003Cli>Upgrade vulnerable versions of timthumb scripts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Premium Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Patch your wp-login and XMLRPC to block Brute-Force and DDoS attacks.\u003C\u002Fli>\n\u003Cli>Check the integrity of your WordPress Core files.\u003C\u002Fli>\n\u003Cli>Automatically download new Definition Updates when running a Complete 
Scan.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Register this plugin at \u003Ca href=\"http:\u002F\u002Fgotmls.net\u002F\" rel=\"nofollow ugc\">GOTMLS.NET\u003C\u002Fa> and get access to new definitions of “Known Threats” and added features like Automatic Removal, plus patches for specific security vulnerabilities like old versions of timthumb. Updated definition files can be downloaded automatically within the admin once your Key is registered. Otherwise, this plugin just scans for “Potential Threats” and leaves it up to you to identify and remove the malicious ones.\u003C\u002Fp>\n\u003Cp>NOTICE: This plugin makes calls to GOTMLS.NET to check for updates not unlike what WordPress does when checking your plugins and themes for new versions. Staying up-to-date is an essential part of any security plugin and this plugin can let you know when there are new plugin and definition update available. If you’re allergic to “phone home” scripts then don’t use this plugin (or WordPress at all for that matter).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Special thanks to:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Clarus Dignus for design suggestions and graphic design work on the banner image.\u003C\u002Fli>\n\u003Cli>Jelena Kovacevic and Andrew Kurtis of webhostinghub.com for providing the Spanish translation.\u003C\u002Fli>\n\u003Cli>Marcelo Guernieri for the Brazilian Portuguese translation.\u003C\u002Fli>\n\u003Cli>Umut Can Alparslan for the Turkish translation.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fmichacassola\u002F\" rel=\"nofollow ugc\">Micha Cassola\u003C\u002Fa> for the German translation.\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fsitustarget\u002F\" rel=\"nofollow ugc\">Robi Erwin Setiawan\u003C\u002Fa> for the Indonesian translation.\u003C\u002Fli>\n\u003C\u002Ful>\n","This Anti-Malware scanner searches for Malware, Viruses, and other security threats and 
vulnerabilities on your server and it helps you fix them.",100000,7622347,781,"2026-03-09T14:47:00.000Z","3.3","5.6",[93,21,22,94,23],"anti-malware","scanner","https:\u002F\u002Fgotmls.net\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgotmls.4.23.88.zip",83,9,"2025-10-28 15:41:58",{"slug":101,"name":102,"version":103,"author":104,"author_profile":105,"description":106,"short_description":107,"active_installs":108,"downloaded":109,"rating":110,"num_ratings":111,"last_updated":112,"tested_up_to":113,"requires_at_least":114,"requires_php":71,"tags":115,"homepage":118,"download_link":119,"security_score":27,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"ip-geo-block","IP Geo Block","3.0.17.4","tokkonopapa","https:\u002F\u002Fprofiles.wordpress.org\u002Ftokkonopapa\u002F","\u003Cp>The more you install themes and plugins, the more likely your sites will be vulnerable, even if you \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FHardening_WordPress\" title=\"Hardening WordPress &laquo; WordPress Codex\" rel=\"nofollow ugc\">securely harden your sites\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>While WordPress.org \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fabout\u002Fsecurity\u002F\" title=\"Security | WordPress.org\" rel=\"ugc\">provides\u003C\u002Fa> \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fthemes\u002Ftheme-security\u002F\" title=\"Theme Security | Theme Developer Handbook | WordPress Developer Resources\" rel=\"nofollow ugc\">excellent\u003C\u002Fa> \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F\" title=\"Plugin Security | Plugin Developer Handbook | WordPress Developer Resources\" rel=\"nofollow ugc\">resources\u003C\u002Fa>, themes and plugins may often get vulnerable due to developers’ \u003Ca href=\"https:\u002F\u002Fwww.google.com\u002Fsearch?q=human+factors+in+security\" title=\"human factors in security - Google Search\" rel=\"nofollow 
ugc\">human factors\u003C\u002Fa> such as lack of security awareness, misuse and disuse of the best practices in those resources.\u003C\u002Fp>\n\u003Cp>This plugin focuses on insights into such developers’ human factors instead of detecting the specific attack vectors after they were disclosed. This brings a smart and powerful methods named as “\u003Cstrong>WP Zero-day Exploit Prevention\u003C\u002Fstrong>” and “\u003Cstrong>WP Metadata Exploit Protection\u003C\u002Fstrong>“.\u003C\u002Fp>\n\u003Cp>Combined with those methods and IP address geolocation, you’ll be surprised to find a bunch of malicious or undesirable access blocked in the logs of this plugin after several days of installation.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Privacy by design:\u003C\u002Fstrong>\u003Cbr \u002F>\nIP address is always encrypted on recording in logs\u002Fcache. Moreover, it can be anonymized and restricted on sending to the 3rd parties such as geolocation APIs or whois service.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Immigration control:\u003C\u002Fstrong>\u003Cbr \u002F>\nAccess to the basic and important entrances into back-end such as \u003Ccode>wp-comments-post.php\u003C\u002Fcode>, \u003Ccode>xmlrpc.php\u003C\u002Fcode>, \u003Ccode>wp-login.php\u003C\u002Fcode>, \u003Ccode>wp-signup.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin-ajax.php\u003C\u002Fcode>, \u003Ccode>wp-admin\u002Fadmin-post.php\u003C\u002Fcode> will be validated by means of a country code based on IP address. 
It allows you to configure either whitelist or blacklist to \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FISO_3166-1_alpha-2#Officially_assigned_code_elements\" title=\"ISO 3166-1 alpha-2 - Wikipedia\" rel=\"nofollow ugc\">specify the countries\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FClassless_Inter-Domain_Routing\" title=\"Classless Inter-Domain Routing - Wikipedia\" rel=\"nofollow ugc\">CIDR notation\u003C\u002Fa> for a range of IP addresses and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAutonomous_system_(Internet)\" title=\"Autonomous system (Internet) - Wikipedia\" rel=\"nofollow ugc\">AS number\u003C\u002Fa> for a group of IP networks.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Zero-day Exploit Prevention:\u003C\u002Fstrong>\u003Cbr \u002F>\nUnlike other security firewalls based on attack patterns (vectors), the original feature “\u003Cstrong>W\u003C\u002Fstrong>ord\u003Cstrong>P\u003C\u002Fstrong>ress \u003Cstrong>Z\u003C\u002Fstrong>ero-day \u003Cstrong>E\u003C\u002Fstrong>xploit \u003Cstrong>P\u003C\u002Fstrong>revention” (WP-ZEP) is focused on patterns of vulnerability. It is simple but still smart and strong enough to block any malicious accesses to \u003Ccode>wp-admin\u002F*.php\u003C\u002Fcode>, \u003Ccode>plugins\u002F*.php\u003C\u002Fcode> and \u003Ccode>themes\u002F*.php\u003C\u002Fcode> even from the permitted countries. 
It will protect your site against certain types of attack such as CSRF, LFI, SQLi, XSS and so on, \u003Cstrong>even if you have some vulnerable plugins and themes in your site\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Guard against login attempts:\u003C\u002Fstrong>\u003Cbr \u002F>\nIn order to prevent hacking through the login form and XML-RPC by brute-force and the reverse-brute-force attacks, the number of login attempts will be limited per IP address even from the permitted countries.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Minimize server load against brute-force attacks:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can configure this plugin as a \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FMust_Use_Plugins\" title=\"Must Use Plugins &laquo; WordPress Codex\" rel=\"nofollow ugc\">Must Use Plugins\u003C\u002Fa> so that this plugin can be loaded prior to regular plugins. It can massively \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fvalidation-timing.html\" title=\"Validation timing | IP Geo Block\" rel=\"nofollow ugc\">reduce the load on server\u003C\u002Fa>.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Prevent malicious down\u002Fuploading:\u003C\u002Fstrong>\u003Cbr \u002F>\nA malicious request such as exposing \u003Ccode>wp-config.php\u003C\u002Fcode> or uploading malwares via vulnerable plugins\u002Fthemes can be blocked.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Block badly-behaved bots and crawlers:\u003C\u002Fstrong>\u003Cbr \u002F>\nA simple logic may help to reduce the number of rogue bots and crawlers scraping your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Support of BuddyPress and bbPress:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can configure this plugin so that a registered user can login as a membership from anywhere, while a request such as a new user registration, lost password, 
creating a new topic and subscribing comment can be blocked by country. It is suitable for \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbuddypress\u002F\" title=\"BuddyPress &mdash; WordPress Plugins\" rel=\"ugc\">BuddyPress\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fbbpress\u002F\" title=\"WordPress &rsaquo; bbPress &laquo; WordPress Plugins\" rel=\"ugc\">bbPress\u003C\u002Fa> to help reducing spams.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Referrer suppressor for external links:\u003C\u002Fstrong>\u003Cbr \u002F>\nWhen you click an external hyperlink on admin screens, http referrer will be eliminated to hide a footprint of your site.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Multiple source of IP Geolocation databases:\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\" title=\"MaxMind - IP Geolocation and Online Fraud Prevention\" rel=\"nofollow ugc\">MaxMind GeoLite2 free databases\u003C\u002Fa> (it requires PHP 5.4.0+) and \u003Ca href=\"https:\u002F\u002Fwww.ip2location.com\u002F\" title=\"IP Address Geolocation to Identify Website Visitor's Geographical Location\" rel=\"nofollow ugc\">IP2Location LITE databases\u003C\u002Fa> can be installed in this plugin. 
Also free Geolocation REST APIs and whois information can be available for audit purposes.\u003Cbr \u002F>\nFurthermore, \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Farticle\u002Fapi-class-library.html\" title=\"CloudFlare & CloudFront API class library | IP Geo Block\" rel=\"nofollow ugc\">dedicated API class libraries\u003C\u002Fa> can be installed for CloudFlare and CloudFront as a reverse proxy service.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Customizing response:\u003C\u002Fstrong>\u003Cbr \u002F>\nHTTP response code can be selectable as \u003Ccode>403 Forbidden\u003C\u002Fcode> to deny access pages, \u003Ccode>404 Not Found\u003C\u002Fcode> to hide pages or even \u003Ccode>200 OK\u003C\u002Fcode> to redirect to the top page.\u003Cbr \u002F>\nYou can also have a human friendly page (like \u003Ccode>404.php\u003C\u002Fcode>) in your parent\u002Fchild theme template directory to fit your site design.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Validation logs:\u003C\u002Fstrong>\u003Cbr \u002F>\nValidation logs for useful information to audit attack patterns can be manageable.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Cooperation with full spec security plugin:\u003C\u002Fstrong>\u003Cbr \u002F>\nThis plugin is lite enough to be able to cooperate with other full spec security plugin such as \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwordfence\u002F\" title=\"Wordfence Security &mdash; WordPress Plugins\" rel=\"ugc\">Wordfence Security\u003C\u002Fa>. 
See \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fpage-speed-performance.html\" title=\"Page speed performance | IP Geo Block\" rel=\"nofollow ugc\">this report\u003C\u002Fa> about page speed performance.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Extendability:\u003C\u002Fstrong>\u003Cbr \u002F>\nYou can customize the behavior of this plugin via \u003Ccode>add_filter()\u003C\u002Fcode> with \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002F\" title=\"Codex | IP Geo Block\" rel=\"nofollow ugc\">pre-defined filter hook\u003C\u002Fa>. See various use cases in \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\u002Fblob\u002Fmaster\u002Fip-geo-block\u002Fsamples.php\" title=\"WordPress-IP-Geo-Block\u002Fsamples.php at master - tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">samples.php\u003C\u002Fa> bundled within this package.\u003Cbr \u002F>\nYou can also get the extension \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fddur\u002FWordPress-IP-Geo-Allow\" title=\"GitHub - ddur\u002FWordPress-IP-Geo-Allow: WordPress Plugin Exension for WordPress-IP-Geo-Block Plugin\" rel=\"nofollow ugc\">IP Geo Allow\u003C\u002Fa> by \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fddur\" title=\"ddur (Dragan) - GitHub\" rel=\"nofollow ugc\">Dragan\u003C\u002Fa>. It makes admin screens strictly private with more flexible way than specifying IP addresses.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Self blocking prevention and easy rescue:\u003C\u002Fstrong>\u003Cbr \u002F>\nWebsite owners do not prefer themselves to be blocked. This plugin prevents such a sad thing unless you force it. And furthermore, if such a situation occurs, you can \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002Fcodex\u002Fwhat-should-i-do-when-i-m-locked-out.html\" title=\"What should I do when I'm locked out? 
| IP Geo Block\" rel=\"nofollow ugc\">rescue yourself\u003C\u002Fa> easily.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Clean uninstallation:\u003C\u002Fstrong>\u003Cbr \u002F>\nNothing is left in your precious MySQL database after uninstallation. So you can feel free to install and activate this plugin to try out its functionality.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Attribution\u003C\u002Fh4>\n\u003Cp>This package includes GeoLite2 library distributed by MaxMind, available from \u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\" title=\"MaxMind - IP Geolocation and Online Fraud Prevention\" rel=\"nofollow ugc\">MaxMind\u003C\u002Fa> (it requires PHP 5.4.0+), and also includes IP2Location open source libraries available from \u003Ca href=\"https:\u002F\u002Fwww.ip2location.com\" title=\"IP Address Geolocation to Identify Website Visitor's Geographical Location\" rel=\"nofollow ugc\">IP2Location\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Also thanks for providing the following great services and REST APIs for free.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fip-api.com\u002F\" title=\"IP-API.com - Free Geolocation API\" rel=\"nofollow ugc\">http:\u002F\u002Fip-api.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for non-commercial use)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fgeoiplookup.net\u002F\" title=\"What Is My IP Address | GeoIP Lookup\" rel=\"nofollow ugc\">http:\u002F\u002Fgeoiplookup.net\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipinfo.io\u002F\" title=\"IP Address API and Data Solutions\" rel=\"nofollow ugc\">https:\u002F\u002Fipinfo.io\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipapi.com\u002F\" title=\"ipapi – IP Address Lookup and Geolocation API\" rel=\"nofollow ugc\">https:\u002F\u002Fipapi.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca 
href=\"https:\u002F\u002Fipdata.co\u002F\" title=\"ipdata.co - IP Geolocation and Threat Data API\" rel=\"nofollow ugc\">https:\u002F\u002Fipdata.co\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipstack.com\u002F\" title=\"ipstack - Free IP Geolocation API\" rel=\"nofollow ugc\">https:\u002F\u002Fipstack.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for registered user, need API key)\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fipinfodb.com\u002F\" title=\"Free IP Geolocation Tools and API| IPInfoDB\" rel=\"nofollow ugc\">https:\u002F\u002Fipinfodb.com\u002F\u003C\u002Fa> (IPv4, IPv6 \u002F free for registered user, need API key)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Development\u003C\u002Fh4>\n\u003Cp>Development of this plugin is promoted at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\" title=\"tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">WordPress-IP-Geo-Block\u003C\u002Fa> and class libraries to handle geo-location database are developed separately as “add-in”s at \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-API\" title=\"tokkonopapa\u002FWordPress-IP-Geo-API - GitHub\" rel=\"nofollow ugc\">WordPress-IP-Geo-API\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>All contributions will always be welcome. Or visit my \u003Ca href=\"https:\u002F\u002Fwww.ipgeoblock.com\u002F\" title=\"IP Geo Block\" rel=\"nofollow ugc\">development blog\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Known issues\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>No image is shown after dragging and dropping an image in grid view at “Media Library”. For more details, please refer to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ftokkonopapa\u002FWordPress-IP-Geo-Block\u002Fissues\u002F2\" title=\"No image is shown after drag & drop a image in grid view at \"Media Library\". 
- Issue #2 - tokkonopapa\u002FWordPress-IP-Geo-Block - GitHub\" rel=\"nofollow ugc\">this ticket at GitHub\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Since \u003Ca href=\"https:\u002F\u002Fmake.wordpress.org\u002Fcore\u002F2016\u002F03\u002F09\u002Fcomment-changes-in-wordpress-4-5\u002F\" title=\"Comment Changes in WordPress 4.5 – Make WordPress Core\" rel=\"nofollow ugc\">WordPress 4.5\u003C\u002Fa>, \u003Ccode>rel=nofollow\u003C\u002Fcode> is no longer attached to the links in \u003Ccode>comment_content\u003C\u002Fcode>. This change prevents the blocking of “\u003Ca href=\"https:\u002F\u002Fwww.owasp.org\u002Findex.php\u002FServer_Side_Request_Forgery\" title=\"Server Side Request Forgery - OWASP\" rel=\"nofollow ugc\">Server Side Request Forgeries\u003C\u002Fa>” (not Cross Site but a malicious internal link in the comment field).\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapps.wordpress.com\u002Fmobile\u002F\" title=\"WordPress.com Apps - Mobile Apps\" rel=\"nofollow ugc\">WordPress.com Mobile App\u003C\u002Fa> can’t execute image uploading because of its own authentication system via XMLRPC.\u003C\u002Fli>\n\u003C\u002Ful>\n","It blocks spam posts, login attempts and malicious access to the back-end requested from the specific countries, and also prevents zero-day 
exploit.",9000,777726,82,96,"2019-01-22T03:59:00.000Z","5.0.25","3.7",[21,22,116,23,117],"login","vulnerability","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fip-geo-block\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fip-geo-block.3.0.17.4.zip",{"slug":121,"name":122,"version":123,"author":124,"author_profile":125,"description":126,"short_description":127,"active_installs":128,"downloaded":129,"rating":11,"num_ratings":130,"last_updated":131,"tested_up_to":69,"requires_at_least":132,"requires_php":133,"tags":134,"homepage":137,"download_link":138,"security_score":11,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"botblocker-security","BotBlocker Security – Firewall & Bot Protection","1.6.14","Yevhen Leonidov","https:\u002F\u002Fprofiles.wordpress.org\u002Fglobusstudio\u002F","\u003Ch4>WordPress Security Plugin & Firewall (WAF)\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Every day, automated bots and hackers bombard websites with attacks.\u003C\u002Fstrong> Mass botnets, fake search engine crawlers, brute-force login attempts, and spam bots can overwhelm your WordPress site – stealing data, overloading your server, and defacing content. It’s a 24\u002F7 threat to your business. 
If you’re looking for \u003Cstrong>WordPress site protection\u003C\u002Fstrong>, you need a proactive defense that stops these attacks before they reach your website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>BotBlocker Security is the all-in-one solution to keep your site safe from automated threats.\u003C\u002Fstrong> This powerful \u003Cstrong>WordPress security plugin and Web Application Firewall (WAF)\u003C\u002Fstrong> acts as a dedicated \u003Cstrong>anti-bot\u003C\u002Fstrong> firewall, blocking malicious traffic at the front gate without slowing down your site.\u003C\u002Fp>\n\u003Cp>BotBlocker’s setup and onboarding experience allows anyone to secure their \u003Cstrong>WordPress site\u003C\u002Fstrong> in under 1 minute, regardless of technical expertise. You can rest assured knowing you have enabled the right \u003Cstrong>site protection\u003C\u002Fstrong> settings to protect your website.\u003C\u002Fp>\n\u003Ch4>🔥 WordPress Firewall (WAF)\u003C\u002Fh4>\n\u003Cp>BotBlocker Security includes an endpoint \u003Cstrong>firewall\u002FWAF\u003C\u002Fstrong> that identifies and blocks malicious traffic before it reaches WordPress. Built and maintained by a team focused 100% on WordPress security, our Web Application Firewall protects your site while reducing server load.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>BotBlocker intercepts bad traffic at the earliest stage\u003C\u002Fstrong> – even before WordPress or your theme loads. 
By running as a must-use plugin (MU-plugin) on early init, it blocks threats before WordPress initializes, drastically reducing server load during attacks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Firewall Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Real-time firewall rule updates via the BotBlocker Threat Defense Feed\u003C\u002Fli>\n\u003Cli>Real-time IP Blocklist blocks all requests from the most malicious IPs\u003C\u002Fli>\n\u003Cli>Early-init protection – blocks threats before WordPress loads\u003C\u002Fli>\n\u003Cli>Cloud-based threat intelligence – cross-checks every visitor against global threat databases\u003C\u002Fli>\n\u003Cli>No visitor data collected – only technical request parameters analyzed (GDPR\u002FCCPA-compliant)\u003C\u002Fli>\n\u003Cli>Brute force protection with login attempt limits and multi-layer verification\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>📡 WordPress Security Scanner & Site Protection\u003C\u002Fh4>\n\u003Cp>Every attempt to access your site is thoroughly analyzed and filtered. BotBlocker provides comprehensive \u003Cstrong>site protection\u003C\u002Fstrong> across all entry points:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>XML-RPC and API Protection\u003C\u002Fstrong> – all endpoints blocked by default. Create access rules for trusted services and add allowed URLs for payment plugins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Spam Prevention\u003C\u002Fstrong> – spammers cannot connect to your site. 
Automatically block IP addresses that exceed spam comment thresholds\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Access Protection\u003C\u002Fstrong> – theme and plugin files securely protected from unauthorized access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deep Analysis\u003C\u002Fstrong> – User-Agent, Accept-Language, GeoIP, PTR, DNSBL, cookies, browser fingerprint, AdBlock, Incognito detection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Network & Protocol Control\u003C\u002Fstrong> – block obsolete HTTP\u002F1.0 clients and disable IPv6 if not used. Cloudflare-aware protection blocks origin bypass attempts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🔒 Login Security & Bot Protection\u003C\u002Fh4>\n\u003Cp>All login attempts pass through multi-layer filtering and CAPTCHA verification:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Multi-layer CAPTCHA Protection\u003C\u002Fstrong> – color buttons, animal images, floating shapes, floating math, Google reCAPTCHA v2\u002Fv3\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Advanced Anti-bot Challenges\u003C\u002Fstrong> – proprietary CAPTCHA designed to be nearly impossible to bypass, even by AI-based anti-CAPTCHA services\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Intelligent Ban System\u003C\u002Fstrong> – failed CAPTCHA results in configurable ban periods. Repeated failures trigger 24-hour bans\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Access Simplification\u003C\u002Fstrong> – special mechanism to ease site administrator login while maintaining security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC Control\u003C\u002Fstrong> – options including complete disabling\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Two-Factor Authentication Support\u003C\u002Fstrong> – 2FA enhanced login security for admin area. Backup codes for recovery access. 
Universal 2FA app support – works with Google Authenticator, Authy, etc.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>🛠️ Security Tools\u003C\u002Fh4>\n\u003Cp>Comprehensive tools to block attackers and monitor your site in real-time:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Advanced Blocking Rules\u003C\u002Fstrong> – block by IP or build rules based on IP Range, Hostname, User Agent, Referrer, PTR record, ASN, country, city, and more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP-PTR-Host Mismatch Detection\u003C\u002Fstrong> – automatically detect and block fake crawlers (e.g., fake Googlebots)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Blacklist & Whitelist Management\u003C\u002Fstrong> – instantly allow or block any IP, ASN, range, or User-Agent\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Live Traffic Monitoring\u003C\u002Fstrong> – see all traffic in real-time: robots, humans, 404 errors, logins\u002Flogouts, file requests, and content consumption\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server IP Identification\u003C\u002Fstrong> – prevent lockouts by automatically identifying and protecting server IPs\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Visual Dashboard\u003C\u002Fstrong> – intuitive charts and stats showing blocked attacks, world map of threat origins, top offending IPs\u002Fcountries\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Security Log\u003C\u002Fstrong> – every event logged with IP address, user agent, country, and blocking reason\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Login URL\u003C\u002Fstrong> \u003Cem>(Premium Addon)\u003C\u002Fem>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>⚡ Performance & Integration\u003C\u002Fh4>\n\u003Cp>BotBlocker’s robust defense won’t slow your site down – in fact, it often improves performance under attack:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Lightweight & Fast\u003C\u002Fstrong> – negligible overhead in normal conditions. 
Reduces database and server load during attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Built-in Caching\u003C\u002Fstrong> – Redis and Memcached support for high-traffic environments\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cache Plugin Compatibility\u003C\u002Fstrong> – automatic \u003Ccode>DONOTCACHEPAGE\u003C\u002Fcode> + \u003Ccode>Cache-Control: no-store\u003C\u002Fcode> on verification pages. Works with WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, and more. Server-level caches (Nginx FastCGI, Varnish, Cloudflare) may need a cookie-based bypass rule – see \u003Ccode>docs\u002FCACHE-COMPATIBILITY.md\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>DDoS Protection Compatibility\u003C\u002Fstrong> – automatic detection of JS-challenges from DDoS-Guard, Stormwall, and similar services. See \u003Ccode>docs\u002FDDOS-COMPATIBILITY.md\u003C\u002Fcode> for advanced configuration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Seamless Compatibility\u003C\u002Fstrong> – works with Cloudflare, CDN services, caching plugins, and optimizers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full IPv6 Support\u003C\u002Fstrong> – all security functions work with both IPv4 and IPv6\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Server Optimization\u003C\u002Fstrong> \u003Cem>(Premium Addon)\u003C\u002Fem> – additional performance enhancements for high-traffic sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>👤 Easy Setup & User-Friendly Interface\u003C\u002Fh4>\n\u003Cp>You don’t have to be a security expert to use BotBlocker:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Quick Installation Wizard\u003C\u002Fstrong> – step-by-step setup guide for configuration in under 1 minute\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Intuitive Admin Panel\u003C\u002Fstrong> – organized settings with clear descriptions and tooltips\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multilingual\u003C\u002Fstrong> – translated into English, Spanish, German, French, Polish, Russian, Ukrainian, and 
more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No Conflicts\u003C\u002Fstrong> – built following WordPress best practices, tested with recent WP versions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Adjustable Logging\u003C\u002Fstrong> – configurable retention periods with time zone awareness and daylight saving support\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Security first – BotBlocker’s on guard!\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Ch4>Detection & Analysis\u003C\u002Fh4>\n\u003Cp>BotBlocker employs advanced multi-layer detection to identify and block threats:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Detection Mechanisms:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Local and cloud signature databases with real-time updates\u003C\u002Fli>\n\u003Cli>IP reputation and blacklist checks with global threat intelligence\u003C\u002Fli>\n\u003Cli>DNS-based and PTR lookups to detect fake crawlers\u003C\u002Fli>\n\u003Cli>Heuristic and behavioral analysis for suspicious patterns\u003C\u002Fli>\n\u003Cli>Browser fingerprint and feature mismatch detection\u003C\u002Fli>\n\u003Cli>Header and protocol validation\u003C\u002Fli>\n\u003Cli>JavaScript challenge and capability verification\u003C\u002Fli>\n\u003Cli>Multi-layered CAPTCHA verification\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Comprehensive Request Analysis:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Network & IP:\u003C\u002Fstrong> Full IPv4\u002FIPv6 support, blacklist\u002Fwhitelist, country\u002FGeoIP, ASN, hosting\u002FVPN detection, TOR detection, PTR\u002FDNSBL checks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Browser & Client:\u003C\u002Fstrong> User-Agent validation, browser\u002FOS\u002Fdevice detection, fingerprint analysis, headless browser detection, JavaScript\u002Fcookie support\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Headers & Protocol:\u003C\u002Fstrong> Accept-Language, Referer validation, HTTP version control, 
Cloudflare\u002Fproxy detection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Advanced Fingerprinting:\u003C\u002Fstrong> Font rendering, WebGL, media devices, touch events, battery API, permissions, timing analysis, plugin verification\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>CAPTCHA Modes\u003C\u002Fh4>\n\u003Cp>Choose from various CAPTCHA types to protect your site:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Single Button\u003C\u002Fstrong> – one-click verification for quick validation\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Google reCAPTCHA v2\u003C\u002Fstrong> – standard image\u002Fcheckbox challenge\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Google reCAPTCHA v3\u003C\u002Fstrong> – invisible background scoring\u003C\u002Fli>\n\u003Cli>\u003Cstrong>BotBlocker Color CAPTCHA\u003C\u002Fstrong> – select colored buttons challenge\u003C\u002Fli>\n\u003Cli>\u003Cstrong>BotBlocker Digits CAPTCHA\u003C\u002Fstrong> – floating math challenge\u003C\u002Fli>\n\u003Cli>\u003Cstrong>BotBlocker Images CAPTCHA\u003C\u002Fstrong> – animal image selection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>BotBlocker Shapes CAPTCHA\u003C\u002Fstrong> – floating shapes challenge\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hybrid Mode\u003C\u002Fstrong> – combine any CAPTCHA with reCAPTCHA v3 for dual-layer protection\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Additional Capabilities\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Early-init & MU plugin support\u003C\u002Fli>\n\u003Cli>Real-time cloud threat checks\u003C\u002Fli>\n\u003Cli>Dynamic and graphical anti-bot challenges\u003C\u002Fli>\n\u003Cli>Automatic logging with adjustable retention\u003C\u002Fli>\n\u003Cli>Session tracking and verification\u003C\u002Fli>\n\u003Cli>No visitor data collected — GDPR\u002FCCPA-compliant (see FAQ for admin notification details)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>BotBlocker Security does \u003Cstrong>not\u003C\u002Fstrong> collect or process personal data of your visitors. 
All cloud analysis is performed on technical parameters only (IP, headers, User-Agent). No personally identifiable information is collected, stored, or transmitted to any external service.\u003C\u002Fp>\n\u003Ch3>Support and Documentation\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Product site: \u003Ca href=\"https:\u002F\u002Fbotblocker.top\u002Fproducts\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fbotblocker.top\u002Fproducts\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Documentation: \u003Ca href=\"https:\u002F\u002Fbotblocker.top\u002Fdocs\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fbotblocker.top\u002Fdocs\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Contact\u002Fsupport: \u003Ca href=\"https:\u002F\u002Fbotblocker.top\u002Fcontacts\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fbotblocker.top\u002Fcontacts\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Community: \u003Ca href=\"https:\u002F\u002Fbotblocker.top\u002Fcommunity\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fbotblocker.top\u002Fcommunity\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later. 
See LICENSE.txt for details.\u003C\u002Fp>\n\u003Ch3>Credits & Authors\u003C\u002Fh3>\n\u003Cp>BotBlocker Security is developed and maintained by GLOBUS.studio.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Concept, architecture & code – Yevhen Leonidov: \u003Ca href=\"https:\u002F\u002Fleonidov.dev\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fleonidov.dev\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Code, code review – Andrii Lukashevych\u003C\u002Fli>\n\u003Cli>Code, translations – Aleksandr Kinakh\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>BotBlocker Security – The first line of defense for your WordPress site.\u003C\u002Fstrong>\u003C\u002Fp>\n","Protect your WordPress site: firewall, bot & brute-force protection, anti-spam, multi-layer CAPTCHA, optional cloud threat intel.",2000,3799,6,"2026-03-10T18:22:00.000Z","5.0","7.4",[135,21,136,22,23],"anti-spam","captcha","https:\u002F\u002Fbotblocker.top\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbotblocker-security.1.6.14.zip",{"slug":140,"name":141,"version":142,"author":143,"author_profile":144,"description":145,"short_description":146,"active_installs":147,"downloaded":148,"rating":149,"num_ratings":150,"last_updated":151,"tested_up_to":152,"requires_at_least":153,"requires_php":154,"tags":155,"homepage":71,"download_link":158,"security_score":159,"vuln_count":29,"unpatched_count":29,"last_vuln_date":38,"fetched_at":31},"rate-limit-co","Rate Limit Guard","1.1","IP Stresser Guard","https:\u002F\u002Fprofiles.wordpress.org\u002Fcostresser\u002F","\u003Cp>This plugin allows you to have a simple rate limit option to protect the site against DDoS or brute force and IP stresser attacks. 
It is suitable for protecting against IP stresser and booter scripts that try to increase the consumption of your site’s resources with a “Slow” method.\u003C\u002Fp>\n\u003Ch3>What is an IP Stresser?\u003C\u002Fh3>\n\u003Cp>An IP stresser is an online tool that is used to attack a server or a website by overwhelming its resources with a flood of Internet traffic. It is often used to test the strength and resilience of a server or a network, but it can also be used maliciously to bring down a website or a service by denying legitimate users access.\u003Cbr \u002F>\nIP stressers are often used by hackers to launch attacks on websites, but they can also be used by legitimate businesses and organizations to test their websites’ performance.\u003C\u002Fp>\n\u003Ch3>What is a Slowloris Attack?\u003C\u002Fh3>\n\u003Cp>Slowloris is a type of DDoS attack that targets web servers by keeping many HTTP connections open simultaneously and sending partial HTTP requests. This can tie up server resources and cause the server to reach its maximum concurrent connection limit, preventing legitimate users from accessing the website.\u003Cbr \u002F>\nIt’s worth noting that Layer 7 attacks are often more difficult to mitigate compared to lower-level attacks, as they can mimic legitimate traffic patterns and require more advanced detection and mitigation techniques. 
Implementing proper security measures, such as web application firewalls (WAFs) and rate-limiting mechanisms, can help protect against Layer 7 attacks.\u003C\u002Fp>\n\u003Ch3>Simple source code\u003C\u002Fh3>\n\u003Cp>This PHP code helps you add a simple rate limit option to protect the site against DDoS or brute force attacks from IP stressers. It is suitable for protecting against IP stresser and booter scripts that try to increase the consumption of your site’s resources with a “Slow” method. See \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FJhonvalta\u002Fprevent_IP_Stresser\" rel=\"nofollow ugc\">Prevent IP Stresser\u003C\u002Fa> on GitHub.\u003C\u002Fp>\n","This plugin safeguards your website from Layer 7 DDoS attacks and IP stressors by utilizing a rate limiting feature.",70,2889,60,2,"2024-12-06T19:56:00.000Z","6.7.5","4.0.1","7.0",[21,156,22,157,23],"ddos","ip-stresser","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frate-limit-co.1.1.zip",92,{"attackSurface":161,"codeSignals":238,"taintFlows":660,"riskAssessment":722,"analyzedAt":730},{"hooks":162,"ajaxHandlers":234,"restRoutes":235,"shortcodes":236,"cronEvents":237,"entryPointCount":29,"unprotectedCount":29},[163,169,173,176,180,183,189,192,196,198,202,206,211,216,220,224,227,231],{"type":164,"name":165,"callback":166,"file":167,"line":168},"action","admin_init","setting_admin_init","includes\\class-wpso-admin-ip-manager.php",47,{"type":164,"name":170,"callback":170,"file":171,"line":172},"admin_enqueue_scripts","includes\\class-wpso-admin-menu.php",38,{"type":164,"name":170,"callback":174,"file":171,"line":175},"admin_enqueue_styles",39,{"type":164,"name":177,"callback":178,"file":171,"line":179},"admin_menu","setting_admin_menu",40,{"type":164,"name":165,"callback":181,"file":171,"line":182},"export_settings",41,{"type":184,"name":185,"callback":186,"priority":187,"file":171,"line":188},"filter","plugin_row_meta","plugin_extend_links",10,43,{"type":164,"name":165,"callback":166,"file":190,"line
":191},"includes\\class-wpso-admin-settings.php",48,{"type":184,"name":193,"callback":194,"file":190,"line":195},"admin_body_class","setting_admin_body_class",49,{"type":164,"name":170,"callback":170,"file":197,"line":188},"includes\\class-wpso-setting-api.php",{"type":164,"name":165,"callback":199,"priority":187,"file":200,"line":201},"init_shieldon_admin","includes\\class-wpso-shieldon-admin.php",29,{"type":164,"name":203,"callback":204,"file":200,"line":205},"admin_notices","update_completed_notice",97,{"type":164,"name":207,"callback":208,"file":209,"line":210},"wp_print_footer_scripts","front_print_footer_scripts","includes\\class-wpso-shieldon.php",203,{"type":184,"name":212,"callback":213,"file":214,"line":215},"rest_authentication_errors","only_authorised_rest_access","includes\\class-wpso-tweak-wp-core.php",30,{"type":184,"name":217,"callback":218,"file":214,"line":219},"xmlrpc_enabled","__return_false",34,{"type":164,"name":221,"callback":222,"file":223,"line":13},"init","wpso_load_textdomain","wp-shieldon.php",{"type":164,"name":203,"callback":225,"file":223,"line":226},"wpso_warning",91,{"type":164,"name":228,"callback":229,"file":223,"line":230},"plugins_loaded","wpso_plugin_init",210,{"type":164,"name":221,"callback":232,"priority":187,"file":223,"line":233},"wpso_tweak_init",221,[],[],[],[],{"dangerousFunctions":239,"sqlUsage":240,"outputEscaping":242,"fileOperations":187,"externalRequests":29,"nonceChecks":655,"capabilityChecks":76,"bundledLibraries":656},[],{"prepared":150,"raw":29,"locations":241},[],{"escaped":243,"rawEcho":244,"locations":245},25,255,[246,249,251,253,255,257,259,261,263,265,267,269,271,273,275,277,279,281,283,285,287,289,291,293,295,297,299,301,303,305,307,308,310,313,315,318,320,321,322,324,325,327,329,331,333,334,336,338,339,341,342,344,346,348,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,390,391,392,393,394,395,396,397,39
8,399,400,401,402,403,404,405,406,407,408,410,411,412,413,414,415,416,417,418,419,420,421,422,423,425,426,428,430,432,435,436,438,440,442,444,446,448,450,452,454,456,458,460,462,463,465,467,469,471,472,473,475,477,479,481,483,485,487,488,490,492,494,495,497,499,501,503,505,508,510,512,513,515,517,519,520,522,523,525,527,529,531,533,534,536,538,539,541,543,545,547,549,551,553,555,557,559,561,563,566,567,568,569,570,571,573,576,577,578,579,580,581,582,583,584,585,586,589,592,594,596,597,598,599,601,604,606,607,609,612,613,615,618,619,621,622,625,627,629,632,633,634,636,637,639,640,642,643,645,647,649,651,652,654],{"file":171,"line":247,"context":248},320,"raw output",{"file":171,"line":250,"context":248},369,{"file":171,"line":252,"context":248},382,{"file":171,"line":254,"context":248},457,{"file":171,"line":256,"context":248},531,{"file":171,"line":258,"context":248},549,{"file":171,"line":260,"context":248},582,{"file":171,"line":262,"context":248},634,{"file":171,"line":264,"context":248},704,{"file":171,"line":266,"context":248},873,{"file":171,"line":268,"context":248},1038,{"file":197,"line":270,"context":248},126,{"file":197,"line":272,"context":248},230,{"file":197,"line":274,"context":248},263,{"file":197,"line":276,"context":248},285,{"file":197,"line":278,"context":248},314,{"file":197,"line":280,"context":248},351,{"file":197,"line":282,"context":248},377,{"file":197,"line":284,"context":248},402,{"file":197,"line":286,"context":248},423,{"file":197,"line":288,"context":248},440,{"file":197,"line":290,"context":248},455,{"file":197,"line":292,"context":248},458,{"file":197,"line":294,"context":248},474,{"file":197,"line":296,"context":248},502,{"file":197,"line":298,"context":248},522,{"file":197,"line":300,"context":248},542,{"file":197,"line":302,"context":248},566,{"file":197,"line":304,"context":248},660,{"file":197,"line":306,"context":248},672,{"file":200,"line":53,"context":248},{"file":209,"line":309,"context":248},168,{"file":311,"line":312,"cont
ext":248},"includes\\helpers.php",266,{"file":311,"line":314,"context":248},267,{"file":316,"line":317,"context":248},"includes\\views\\dashboard\\dashboard-last-month.php",27,{"file":316,"line":319,"context":248},37,{"file":316,"line":110,"context":248},{"file":316,"line":97,"context":248},{"file":316,"line":323,"context":248},84,{"file":316,"line":27,"context":248},{"file":316,"line":326,"context":248},86,{"file":316,"line":328,"context":248},87,{"file":316,"line":330,"context":248},88,{"file":316,"line":332,"context":248},89,{"file":316,"line":205,"context":248},{"file":316,"line":335,"context":248},102,{"file":316,"line":337,"context":248},116,{"file":316,"line":337,"context":248},{"file":316,"line":340,"context":248},147,{"file":316,"line":340,"context":248},{"file":316,"line":343,"context":248},188,{"file":316,"line":345,"context":248},191,{"file":316,"line":347,"context":248},193,{"file":349,"line":317,"context":248},"includes\\views\\dashboard\\dashboard-past-seven-days.php",{"file":349,"line":319,"context":248},{"file":349,"line":110,"context":248},{"file":349,"line":97,"context":248},{"file":349,"line":323,"context":248},{"file":349,"line":27,"context":248},{"file":349,"line":326,"context":248},{"file":349,"line":328,"context":248},{"file":349,"line":330,"context":248},{"file":349,"line":332,"context":248},{"file":349,"line":205,"context":248},{"file":349,"line":335,"context":248},{"file":349,"line":337,"context":248},{"file":349,"line":337,"context":248},{"file":349,"line":340,"context":248},{"file":349,"line":340,"context":248},{"file":349,"line":343,"context":248},{"file":349,"line":345,"context":248},{"file":349,"line":347,"context":248},{"file":369,"line":317,"context":248},"includes\\views\\dashboard\\dashboard-this-month.php",{"file":369,"line":319,"context":248},{"file":369,"line":110,"context":248},{"file":369,"line":97,"context":248},{"file":369,"line":323,"context":248},{"file":369,"line":27,"context":248},{"file":369,"line":326,"context":248},{
"file":369,"line":328,"context":248},{"file":369,"line":330,"context":248},{"file":369,"line":332,"context":248},{"file":369,"line":205,"context":248},{"file":369,"line":335,"context":248},{"file":369,"line":337,"context":248},{"file":369,"line":337,"context":248},{"file":369,"line":340,"context":248},{"file":369,"line":340,"context":248},{"file":369,"line":343,"context":248},{"file":369,"line":345,"context":248},{"file":369,"line":347,"context":248},{"file":389,"line":317,"context":248},"includes\\views\\dashboard\\dashboard-today.php",{"file":389,"line":319,"context":248},{"file":389,"line":110,"context":248},{"file":389,"line":97,"context":248},{"file":389,"line":323,"context":248},{"file":389,"line":27,"context":248},{"file":389,"line":326,"context":248},{"file":389,"line":328,"context":248},{"file":389,"line":330,"context":248},{"file":389,"line":332,"context":248},{"file":389,"line":205,"context":248},{"file":389,"line":335,"context":248},{"file":389,"line":337,"context":248},{"file":389,"line":337,"context":248},{"file":389,"line":340,"context":248},{"file":389,"line":340,"context":248},{"file":389,"line":343,"context":248},{"file":389,"line":345,"context":248},{"file":389,"line":347,"context":248},{"file":409,"line":317,"context":248},"includes\\views\\dashboard\\dashboard-yesterday.php",{"file":409,"line":319,"context":248},{"file":409,"line":110,"context":248},{"file":409,"line":97,"context":248},{"file":409,"line":323,"context":248},{"file":409,"line":27,"context":248},{"file":409,"line":326,"context":248},{"file":409,"line":328,"context":248},{"file":409,"line":330,"context":248},{"file":409,"line":332,"context":248},{"file":409,"line":205,"context":248},{"file":409,"line":335,"context":248},{"file":409,"line":337,"context":248},{"file":409,"line":337,"context":248},{"file":409,"line":424,"context":248},146,{"file":409,"line":424,"context":248},{"file":409,"line":427,"context":248},187,{"file":409,"line":429,"context":248},190,{"file":409,"line":431,"con
text":248},192,{"file":433,"line":434,"context":248},"includes\\views\\dashboard\\filter-log-table.php",103,{"file":433,"line":434,"context":248},{"file":433,"line":437,"context":248},104,{"file":433,"line":439,"context":248},105,{"file":433,"line":441,"context":248},106,{"file":433,"line":443,"context":248},107,{"file":433,"line":445,"context":248},108,{"file":433,"line":447,"context":248},109,{"file":433,"line":449,"context":248},110,{"file":433,"line":451,"context":248},111,{"file":433,"line":453,"context":248},112,{"file":433,"line":455,"context":248},121,{"file":457,"line":201,"context":248},"includes\\views\\dashboard\\operation-status.php",{"file":457,"line":459,"context":248},31,{"file":457,"line":461,"context":248},45,{"file":457,"line":168,"context":248},{"file":457,"line":464,"context":248},61,{"file":457,"line":466,"context":248},63,{"file":457,"line":468,"context":248},77,{"file":457,"line":470,"context":248},79,{"file":457,"line":335,"context":248},{"file":457,"line":437,"context":248},{"file":457,"line":474,"context":248},118,{"file":457,"line":476,"context":248},120,{"file":457,"line":478,"context":248},134,{"file":457,"line":480,"context":248},136,{"file":457,"line":482,"context":248},150,{"file":457,"line":484,"context":248},152,{"file":457,"line":486,"context":248},166,{"file":457,"line":309,"context":248},{"file":457,"line":489,"context":248},182,{"file":457,"line":491,"context":248},185,{"file":457,"line":493,"context":248},186,{"file":457,"line":429,"context":248},{"file":457,"line":496,"context":248},204,{"file":457,"line":498,"context":248},206,{"file":457,"line":500,"context":248},209,{"file":457,"line":502,"context":248},214,{"file":457,"line":504,"context":248},217,{"file":506,"line":507,"context":248},"includes\\views\\dashboard\\overview.php",51,{"file":506,"line":509,"context":248},52,{"file":506,"line":511,"context":248},53,{"file":506,"line":466,"context":248},{"file":506,"line":514,"context":248},72,{"file":506,"line":516,"context":2
48},81,{"file":506,"line":518,"context":248},90,{"file":506,"line":445,"context":248},{"file":506,"line":521,"context":248},117,{"file":506,"line":270,"context":248},{"file":506,"line":524,"context":248},135,{"file":506,"line":526,"context":248},153,{"file":506,"line":528,"context":248},162,{"file":506,"line":530,"context":248},172,{"file":506,"line":532,"context":248},181,{"file":506,"line":429,"context":248},{"file":506,"line":535,"context":248},207,{"file":506,"line":537,"context":248},208,{"file":506,"line":500,"context":248},{"file":506,"line":540,"context":248},219,{"file":506,"line":542,"context":248},237,{"file":506,"line":544,"context":248},247,{"file":506,"line":546,"context":248},265,{"file":506,"line":548,"context":248},274,{"file":506,"line":550,"context":248},283,{"file":506,"line":552,"context":248},301,{"file":506,"line":554,"context":248},305,{"file":506,"line":556,"context":248},309,{"file":506,"line":558,"context":248},325,{"file":506,"line":560,"context":248},329,{"file":506,"line":562,"context":248},333,{"file":564,"line":565,"context":248},"includes\\views\\dashboard\\rule-table.php",69,{"file":564,"line":147,"context":248},{"file":564,"line":13,"context":248},{"file":564,"line":516,"context":248},{"file":564,"line":27,"context":248},{"file":564,"line":328,"context":248},{"file":564,"line":572,"context":248},99,{"file":574,"line":575,"context":248},"includes\\views\\dashboard\\session-table.php",28,{"file":574,"line":175,"context":248},{"file":574,"line":195,"context":248},{"file":574,"line":439,"context":248},{"file":574,"line":439,"context":248},{"file":574,"line":441,"context":248},{"file":574,"line":443,"context":248},{"file":574,"line":445,"context":248},{"file":574,"line":447,"context":248},{"file":574,"line":449,"context":248},{"file":574,"line":476,"context":248},{"file":587,"line":588,"context":248},"includes\\views\\message\\php-version-warning.php",22,{"file":590,"line":591,"context":248},"includes\\views\\message\\update-notice.php"
,20,{"file":590,"line":593,"context":248},21,{"file":595,"line":323,"context":248},"includes\\views\\security\\authentication.php",{"file":595,"line":27,"context":248},{"file":595,"line":326,"context":248},{"file":595,"line":328,"context":248},{"file":595,"line":600,"context":248},95,{"file":602,"line":603,"context":248},"includes\\views\\security\\xss-protection.php",148,{"file":602,"line":605,"context":248},149,{"file":602,"line":482,"context":248},{"file":602,"line":608,"context":248},158,{"file":610,"line":611,"context":248},"includes\\views\\setting\\about.php",32,{"file":610,"line":219,"context":248},{"file":610,"line":614,"context":248},35,{"file":616,"line":617,"context":248},"includes\\views\\setting\\driver-status-check.php",42,{"file":616,"line":195,"context":248},{"file":616,"line":620,"context":248},56,{"file":616,"line":466,"context":248},{"file":623,"line":624,"context":248},"includes\\views\\setting\\excluded-urls.php",17,{"file":623,"line":626,"context":248},18,{"file":623,"line":628,"context":248},19,{"file":630,"line":631,"context":248},"includes\\views\\setting\\import-export.php",26,{"file":630,"line":317,"context":248},{"file":630,"line":509,"context":248},{"file":635,"line":628,"context":248},"includes\\views\\setting\\ip-manager-login-pass.php",{"file":635,"line":588,"context":248},{"file":635,"line":638,"context":248},24,{"file":635,"line":638,"context":248},{"file":641,"line":626,"context":248},"includes\\views\\setting\\ip-manager-strict-login.php",{"file":641,"line":588,"context":248},{"file":644,"line":624,"context":248},"includes\\views\\setting\\ip-manager-strict-signup.php",{"file":646,"line":624,"context":248},"includes\\views\\setting\\ip-manager-strict-xmlrpc.php",{"file":648,"line":624,"context":248},"includes\\views\\setting\\ip-manager-strict.php",{"file":650,"line":624,"context":248},"includes\\views\\setting\\ip-manager.php",{"file":650,"line":626,"context":248},{"file":653,"line":591,"context":248},"includes\\views\\setting\\
trusted-bot.php",{"file":223,"line":330,"context":248},8,[657],{"name":658,"version":38,"knownCves":659},"DataTables",[],[661,678,692,704],{"entryPoint":662,"graph":663,"unsanitizedCount":28,"severity":41},"action_logs (includes\\class-wpso-admin-menu.php:391)",{"nodes":664,"edges":675},[665,670],{"id":666,"type":667,"label":668,"file":171,"line":669},"n0","source","$_GET",401,{"id":671,"type":672,"label":673,"file":171,"line":254,"wp_function":674},"n1","sink","echo() [XSS]","echo",[676],{"from":666,"to":671,"sanitized":677},false,{"entryPoint":679,"graph":680,"unsanitizedCount":29,"severity":691},"import_export (includes\\class-wpso-admin-menu.php:254)",{"nodes":681,"edges":688},[682,684],{"id":666,"type":667,"label":683,"file":171,"line":274},"$_FILES",{"id":671,"type":672,"label":685,"file":171,"line":686,"wp_function":687},"update_option() [Settings Manipulation]",294,"update_option",[689],{"from":666,"to":671,"sanitized":690},true,"low",{"entryPoint":693,"graph":694,"unsanitizedCount":29,"severity":691},"export_settings (includes\\class-wpso-admin-menu.php:333)",{"nodes":695,"edges":702},[696,699],{"id":666,"type":667,"label":697,"file":171,"line":698},"$_SERVER['HTTP_HOST']",337,{"id":671,"type":672,"label":700,"file":171,"line":698,"wp_function":701},"header() [Header Injection]","header",[703],{"from":666,"to":671,"sanitized":690},{"entryPoint":705,"graph":706,"unsanitizedCount":29,"severity":691},"\u003Cclass-wpso-admin-menu> 
(includes\\class-wpso-admin-menu.php:0)",{"nodes":707,"edges":718},[708,709,710,712,714,716],{"id":666,"type":667,"label":683,"file":171,"line":274},{"id":671,"type":672,"label":685,"file":171,"line":686,"wp_function":687},{"id":711,"type":667,"label":697,"file":171,"line":698},"n2",{"id":713,"type":672,"label":700,"file":171,"line":698,"wp_function":701},"n3",{"id":715,"type":667,"label":668,"file":171,"line":669},"n4",{"id":717,"type":672,"label":673,"file":171,"line":254,"wp_function":674},"n5",[719,720,721],{"from":666,"to":671,"sanitized":690},{"from":711,"to":713,"sanitized":690},{"from":715,"to":717,"sanitized":690},{"summary":723,"deductions":724},"The wp-shieldon v2.0.2 plugin exhibits a generally strong security posture with a commendable lack of direct attack surface from AJAX handlers, REST API routes, shortcodes, and cron events. The complete absence of unprotected entry points is a significant positive. Furthermore, the plugin demonstrates good practices by utilizing prepared statements for all its SQL queries and implementing nonce checks and capability checks. The data analysis also indicates a focus on file operations and a lack of external HTTP requests, which can help mitigate certain attack vectors.  However, a significant concern arises from the low percentage of properly escaped output (9%). This suggests a high potential for Cross-Site Scripting (XSS) vulnerabilities, a risk further underscored by its historical CVEs, specifically mentioning XSS as a common vulnerability type. 
While there are no currently unpatched vulnerabilities, the presence of a past medium-severity XSS issue and the ongoing risk from insufficient output escaping indicates a need for immediate attention to improve sanitization practices.\n\nIn conclusion, while wp-shieldon has made strides in reducing its direct attack surface and implementing foundational security measures, the inadequate output escaping is a critical weakness that could lead to exploitable XSS vulnerabilities. The plugin's history, combined with the static analysis, paints a picture of a plugin with good intentions but requiring more rigorous attention to output sanitization to achieve a truly secure state. Addressing the low output escaping percentage should be the top priority.",[725,728],{"reason":726,"points":727},"Low percentage of properly escaped output",15,{"reason":729,"points":187},"One past medium severity CVE for XSS","2026-03-16T21:03:27.676Z",{"wat":732,"direct":741},{"assetPaths":733,"generatorPatterns":736,"scriptPaths":737,"versionParams":738},[734,735],"\u002Fwp-content\u002Fplugins\u002Fwp-shieldon\u002Fincludes\u002Fassets\u002Fcss\u002Fadmin-style.css","\u002Fwp-content\u002Fplugins\u002Fwp-shieldon\u002Fincludes\u002Fassets\u002Fjs\u002Fadmin-script.js",[],[735],[739,740],"wp-shieldon\u002Fincludes\u002Fassets\u002Fcss\u002Fadmin-style.css?ver=","wp-shieldon\u002Fincludes\u002Fassets\u002Fjs\u002Fadmin-script.js?ver=",{"cssClasses":742,"htmlComments":743,"htmlAttributes":744,"restEndpoints":745,"jsGlobals":746,"shortcodeOutput":747},[],[],[],[],[],[]]