Atlant Security is a WordPress app, with a 5.0 average rating from 3 reviews, as of July 9, 2026.
Atlant Security is a WordPress Plugin Directory app by Atlant. With a rating of 5.0★ from 3 reviews.
AppRanks data: Atlant Security ranks #0 in Brute Force on WordPress Plugin Directory, placing it in the top 1% of that category.
AppRanks verdict
Generated from live marketplace data — refreshed daily
Atlant Security is a category-leading WordPress app with a limited review volume. It is listed in the Security category on WordPress Plugin Directory, which AppRanks treats as the canonical taxonomy node for ranking and competitor comparison. 3 reviews put it in the early-traction tier — useful for early-stage stores willing to be on the leading edge. Early-traction review counts are sensitive to single launch periods or feature events, so a 30-day re-check before bigger commitments often resolves whether the trend is sustained. Paid-only pricing means evaluating fit on the marketplace listing or via the developer's documentation before installing. AppRanks tracks rating, review count, pricing tier, and category position daily — the figures on this page reflect the most recent scrape from the canonical WordPress Plugin Directory listing.
Pros
- +High average rating (5.0★) signals consistent merchant satisfaction
- +Published by Atlant — established developer track record
Cons
- −Limited review base (3) — ratings can shift significantly with new feedback
Looking to switch from Atlant Security?
See Atlant Security's alternatives ranked by audit score, rating, and review velocity.
How Atlant Security works
Show full descriptionShow less
Atlant Security is a comprehensive WordPress security plugin that provides enterprise-grade protection through 17 integrated security modules organized in a 5-layer defense architecture.
5-Layer Defense Architecture
Pre-WordPress WAF – Firewall, rate limiter, and IP blocking run before WordPress processes the request.
Application-Aware – Login security, custom login URL, two-factor authentication, session hardening, cron monitoring, and REST API policies.
Content & Config – WordPress hardening, security headers, AI crawler management, and honeypot traps.
Outbound & Data – SSRF prevention, malware scanning (files and database).
Response & Recovery – Post-breach recovery, notifications, visitor log, and audit log.
Key Features Web Application Firewall (WAF)
Inspects every request against 28+ attack pattern families including SQL injection, XSS, remote code execution, path traversal, PHP object injection, and WordPress-specific attacks. Block or log-only mode. Triple URL decoding prevents evasion.
Brute Force Protection
Progressive lockout system (5 min > 30 min > 24 hours) with configurable thresholds. Generic login error messages prevent username enumeration. Author enumeration blocking.
Malware Scanner
Local file and database scanner with 38 malware signatures. Detects backdoors, webshells (WSO, c99, r57), crypto miners, credit card skimmers, and obfuscated code. Quarantine system with web access blocking.
Two-Factor Authentication (2FA)
TOTP (Google Authenticator, Authy) and email OTP. Per-role enforcement, 10 recovery codes, 5-minute challenge timeout, replay attack prevention.
Honeypot Traps
Zero-false-positive bot detection: hidden link traps, fake login pages, comment honeypots, and Contact Form 7 integration. 3-layer safe bot protection ensures Googlebot, Bingbot, and allowed AI crawlers are never blocked.
AI Crawler Management
Control 20+ known AI/LLM training crawlers (GPTBot, ClaudeBot, Google-Extended, Bytespider, and more). Per-crawler toggles, robots.txt integration, and 403 enforcement. Block training crawlers while allowing browsing bots.
Security Headers
Manage HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CSP, CORP, and COOP. Letter-grade scoring system. Remove X-Powered-By and Server headers.
Session Security
Cookie hardening (HttpOnly, Secure, SameSite). Session binding via IP + User-Agent fingerprint detects hijacking. Concurrent session limits. Idle timeout. Optional admin bypass for all session restrictions.
Rate Limiter
Sliding-window rate limiting across 11 endpoint categories: frontend, login, search, feed, REST API, WooCommerce checkout, XML-RPC, and cron.
REST API Policies
Per-route access control with authentication requirements, HTTP method restrictions, rate limits, and IP whitelists. 5 built-in policies protect user enumeration, search, and write endpoints.
Cron Guard
Monitors wp-cron.php for flood attacks. Detects suspicious scheduled tasks via baseline comparison. System cron migration helper.
Outbound Monitor (SSRF Prevention)
Monitors all outgoing HTTP requests. Blocks requests to private/internal IP ranges including cloud metadata endpoints. Domain allowlist with wildcard support. Caller detection traces requests to specific plugins.
Post-Breach Recovery
12 emergency actions: terminate sessions, force password reset, rotate secret keys, emergency lockdown, reinstall core, reinstall plugins, audit admin accounts, clear caches, malware scan, disable plugins, and downloadable incident report.
Real-Time Dashboard
Live visitor monitoring with 15-second auto-refresh. Stat cards, traffic charts, top IPs with VirusTotal integration, browser distribution, and IP detail modals.
Visitor Log & Audit Log
Complete request history with filters (IP, URL, bots, blocked, time range). Tamper-resistant admin action audit trail.
Notifications
Email alerts (HTML formatted, color-coded severity), Slack webhooks, custom JSON webhooks, and daily digest. Configurable severity threshold with 5-minute deduplication.
WordPress Hardening
One-click toggles: disable XML-RPC, hide WordPress version, block REST API user enumeration, block author enumeration, disable file editor, block PHP execution in uploads.
What Makes Atlant Security Different
Pre-WordPress WAF – Blocks attacks via auto_prepend_file before WordPress even loads
Outbound HTTP Monitor – Detects SSRF attacks and unauthorized outbound connections
Database Backdoor Scanner – Scans wp_options and wp_posts for eval(), base64, and hidden backdoors
Client-Side Bot Detection – JavaScript challenges and browser fingerprinting catch sophisticated bots
AI/LLM Crawler Blocking – Identify and block AI training crawlers scraping your content
Honeypot Traps – Hidden links, fake login pages, invisible form fields that only bots trigger
Cron Guard – Monitors wp-cron for unauthorized scheduled tasks planted by malware
Post-Breach Recovery – Guided recovery toolkit with 12 emergency actions in one place
Session Fingerprint Binding – Binds sessions to IP + User-Agent so stolen cookies are useless
Real-Time Visitor Dashboard – Live visitor feed updated every 15 seconds
Smart Password Policy – Minimum length, complexity, common-password blocking, and passphrase support
Granular REST API Policies – Per-endpoint control, not just a global on/off switch
Safe Mode Override – One constant in wp-config.php disables all blocking features instantly
Deactivation Data Control – Choose to keep or wipe all security data when deactivating
Zero phone-home – No telemetry, no tracking, fully GDPR-compliant (external services used only when explicitly enabled by the admin – see External Services section)
Why Atlant Security?
All-in-one – Replaces 5-6 separate security plugins
No external dependencies – Core security features run locally on your server
Zero phone-home – No telemetry, no tracking (optional features like GeoIP use external services only when explicitly enabled – see External Services section)
GDPR-friendly – No external fonts, no CDN resources
Setup wizard – Configure core security in under 2 minutes
Clean uninstall – Removes all database tables and options when deleted (opt-in)
Safe Mode – Emergency override if you get locked out of your site
External Services This plugin connects to the following third-party services under specific conditions:
Cloudflare IP Ranges When Cloudflare integration is enabled, the plugin periodically fetches the current list of Cloudflare edge IP ranges from Cloudflare’s official endpoints. This is used to correctly identify visitor IP addresses behind the Cloudflare proxy and to whitelist Cloudflare edge servers.
Data sent: No user data is sent. The plugin fetches publicly available IP range lists.
When: Once per week via a scheduled cron job (aswp_refresh_cloudflare_ips), only when Cloudflare integration is enabled.
Endpoints: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
Cloudflare Terms of Use
Cloudflare Privacy Policy
MaxMind GeoLite2 GeoIP Database When GeoIP country detection is enabled and a MaxMind license key is configured, the plugin downloads the GeoLite2-Country database from MaxMind. This database is stored locally and used to resolve visitor IP addresses to country codes for display in the visitor log and dashboard.
Data sent: Your MaxMind license key is sent to authenticate the download request. No visitor data is sent to MaxMind.
When: On initial setup and once per week via a scheduled cron job (aswp_update_geoip_db), only when GeoIP is enabled and a license key is configured.
Endpoint: https://download.maxmind.com/app/geoip_download
MaxMind End User License Agreement
MaxMind Privacy Policy
Google IP Ranges When Google integration is enabled in the IP Whitelist, the plugin periodically fetches the current list of Google IP ranges from Google’s official endpoint. This is used to automatically whitelist known Google infrastructure IPs (Googlebot, Google Cloud, etc.) so legitimate Google traffic is never blocked.
Data sent: No user data is sent. The plugin fetches a publicly available JSON file containing Google IP ranges.
When: Once per week via a scheduled cron job (aswp_refresh_google_ips), only when Google integration is enabled.
Endpoint: https://www.gstatic.com/ipranges/goog.json
Google Terms of Service
Google Privacy Policy
Microsoft / Bing IP Ranges When Microsoft integration is enabled in the IP Whitelist, the plugin periodically fetches the current list of Bing bot IP ranges from Microsoft’s official endpoint. This is used to automatically whitelist known Bing crawler IPs so legitimate Bing traffic is never blocked.
Data sent: No user data is sent. The plugin fetches a publicly available JSON file containing Bing bot IP ranges.
When: Once per week via a scheduled cron job (aswp_refresh_microsoft_ips), only when Microsoft integration is enabled.
Endpoint: https://www.bing.com/toolbox/bingbot.json
Microsoft Services Agreement
Microsoft Privacy Statement
WordPress.org Core Checksums API The Malware Scanner verifies the integrity of WordPress core files by comparing their MD5 hashes against the official checksums published by WordPress.org. Files that match are skipped during pattern scanning (vendor-verified, safe by definition). Files that mismatch are flagged as critical “core_modified” findings.
Data sent: WordPress version number and locale. No site data, no visitor data, no PII.
When: Once per WordPress version (cached for 24 hours), only when the Malware Scanner runs and the “Use core checksums” setting is enabled.
Endpoint: https://api.wordpress.org/core/checksums/1.0/
WordPress.org Terms of Service
WordPress.org Privacy Policy
WordPress.org Secret Key API The Post-Breach Recovery module can generate new WordPress secret keys and salts using the official WordPress.org API. This is used when an administrator manually triggers the “Rotate Secret Keys” emergency action after a security breach.
Data sent: No user data is sent. The plugin fetches randomly generated keys from the API.
When: Only when an administrator manually triggers the “Rotate Secret Keys” action in the Post-Breach Recovery module.
Endpoint: https://api.wordpress.org/secret-key/1.1/salt/
WordPress.org Terms of Service
WordPress.org Privacy Policy
Slack Webhooks When Slack notifications are enabled and a Slack webhook URL is configured, the plugin sends security alert messages to the specified Slack channel. This allows administrators to receive real-time security notifications in Slack.
Data sent: Security alert messages containing the alert subject, description, severity level, site URL, and the IP address that triggered the alert. No visitor personal data or cookies are sent.
When: Only when a security event occurs (e.g., brute force attempt, WAF block, honeypot trip) and Slack notifications are enabled.
Endpoint: Administrator-configured Slack Incoming Webhook URL (e.g., https://hooks.slack.com/services/…)
Slack Terms of Service
Slack Privacy Policy
Custom Webhooks When webhook notifications are enabled and a webhook URL is configured, the plugin sends security alert payloads in JSON format to the specified endpoint. This allows integration with any external monitoring or alerting system.
Data sent: JSON payload containing the alert subject, description, severity level, site URL, timestamp, and the IP address that triggered the alert. No visitor personal data or cookies are sent.
When: Only when a security event occurs and webhook notifications are enabled.
Endpoint: Administrator-configured webhook URL.
Terms and privacy: Determined by the third-party service the administrator configures.
Google reCAPTCHA When CAPTCHA bot protection is enabled and the provider is set to “Google reCAPTCHA v2” or “Google reCAPTCHA v3”, visitor browsers load Google’s reCAPTCHA library and the server verifies submitted tokens with Google. This is OPT-IN – disabled by default.
Data sent (browser → Google): visitor IP address and standard reCAPTCHA telemetry that Google uses to score human-vs-bot likelihood. Google’s reCAPTCHA library is loaded from www.google.com/recaptcha/api.js.
Data sent (server → Google): the verification token returned by the visitor’s browser, the configured secret key, and the visitor’s IP address (remoteip field), to https://www.google.com/recaptcha/api/siteverify.
When: only when the configured provider is reCAPTCHA AND the visitor reaches /wp-login.php, the WordPress registration form, or the lost-password form (per-form toggle).
Endpoints: https://www.google.com/recaptcha/api.js and https://www.google.com/recaptcha/api/siteverify
Google reCAPTCHA Terms of Service
Google Privacy Policy
Cloudflare Turnstile When CAPTCHA bot protection is enabled and the provider is set to “Cloudflare Turnstile”, visitor browsers load Cloudflare’s Turnstile library and the server verifies submitted tokens with Cloudflare. This is OPT-IN – disabled by default. Turnstile is the privacy-respecting alternative to reCAPTCHA – Cloudflare states it does NOT track users across sites.
Data sent (browser → Cloudflare): visitor IP address and standard Turnstile telemetry. The Turnstile library is loaded from challenges.cloudflare.com/turnstile/v0/api.js.
Data sent (server → Cloudflare): the verification token returned by the visitor’s browser, the configured secret key, and the visitor’s IP address (remoteip field), to https://challenges.cloudflare.com/turnstile/v0/siteverify.
When: only when the configured provider is Cloudflare Turnstile AND the visitor reaches /wp-login.php, the WordPress registration form, or the lost-password form (per-form toggle).
Endpoints: https://challenges.cloudflare.com/turnstile/v0/api.js and https://challenges.cloudflare.com/turnstile/v0/siteverify
Cloudflare Terms of Service
Cloudflare Privacy Policy
Upgrade Notices 1.1.8 Restores the policy: legitimate vendor bots (Google, Anthropic, OpenAI, Bing) are NEVER blocked unless the site operator explicitly opts in. Two fixes – AI crawler defaults flipped to “allow”, and the Honeypot reverse-DNS check now fails open so transient DNS issues can’t ban real Googlebots. Recommended for everyone running an SEO-sensitive site.
1.1.7 Critical security release. Fixes 14 CRITICAL and 12 HIGH issues found during a full external audit, including a fatal-at-login bug, IP-block bypass via IPv6-mapped addresses, an SSRF DNS-rebinding race in the outbound monitor, and a wp-config-backup-leaks-old-keys flaw. Recommended upgrade for every install.
1.1.6 Big scanner-accuracy improvement. Verified WordPress core files are now skipped (MD5-matched against the official api.wordpress.org checksums), tightened iframe/base64 signatures, fixed an over-broad path match, and added a “Mark as False Positive” button. Recommended upgrade for everyone running scans.
1.1.5 Adds CAPTCHA support on login / registration / lost-password forms. Three providers: reCAPTCHA v2, reCAPTCHA v3, and Cloudflare Turnstile. Configure in Login Security → Bot Protection (CAPTCHA).
1.1.4 Adds CSV export on the Malware Scanner (per Reddit community suggestion) – download full untruncated File + Database Findings before committing to Quarantine. Compatibility declared through WP 7.0.
1.1.3 Security hardening release. Fixes custom-login-URL cookie bypass, 2FA enforcement, SSRF log-only default, session-limit token/verifier mix, and adds real wp-config.php rewriting for key rotation. Existing 2FA recovery codes generated before 1.1.3 may not verify – regenerate them from your user profile after upgrading.
1.1.2 New About page consolidates defense architecture and competitive features. Setup wizard no longer auto-redirects on activation. Dashboard is cleaner with focus on operational data.
1.0.7 Major UI overhaul: inner sidebar navigation replaces 23 WordPress submenu items with a clean, persistent sidebar panel. All page URLs remain the same – bookmarks still work.
1.0.4 Adds GeoIP country flags in visitor log, custom login URL, password policy enforcement, and Force SSL Admin setting. Internal prefix migration runs automatically – no action required.
1.0.3 Adds honeypot traps, security headers management, two-factor authentication, and notification channels. Fixes IP management and status code logging. Recommended update.
1.0.0 Initial release. Run the Setup Wizard after activation to configure your site’s security.
Category rankings
As of Jul 9, 2026- Brute Force#0of 30Top 1%
- Firewall#0of 70Top 1%
- Malware scanner#0of 16Top 1%
- Security#0of 635Top 1%
- Two factor authentication#0of 14Top 1%
See 90-day rank history for each category
Track daily rank changes, category shifts, and position volatility.
Keyword rankings
Atlant Security ranks for 1 keywords across WordPress Plugin Directory. Here are the top 1:
- 1.ai agentRank #263
Competitors & alternatives
Atlant Securitydoesn't have curated competitor matchups yet. Other tracked security apps on WordPress:
Where Atlant Security stands in the Security category
Atlant Security ranks #0 of 635 apps in the Security category, placing it in the top 1% of the listing.
Frequently asked questions
What is Atlant Security?
Atlant Security is an app for WordPress. It currently holds a 5.0-star rating from 3 merchant reviews, and AppRanks has been tracking its public marketplace data on a daily refresh cycle. It is listed under the Security category on AppRanks, where you can see its current category position, review-velocity trend, and how it compares against the top alternatives in the same space. Developed by Atlant.
Who uses Atlant Security?
Currently around 70 active stores have installed Atlant Security. Its review base is still building, which usually maps to early-stage merchants and stores piloting a new workflow. It is part of the Security category on WordPress.