Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… for WordPress Plugin Directory
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… is a WordPress app, with a 5.0 average rating from 13 reviews, as of July 8, 2026.
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… is a WordPress Plugin Directory app by Fernando Tellado. With a rating of 5.0★ from 13 reviews.
AppRanks data: Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… ranks #0 in 2FA on WordPress Plugin Directory, placing it in the top 1% of that category.
AppRanks verdict
Generated from live marketplace data — refreshed daily
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… is a category-leading WordPress app with a limited review volume. It is listed in the Security category on WordPress Plugin Directory, which AppRanks treats as the canonical taxonomy node for ranking and competitor comparison. 13 reviews put it in the early-traction tier — useful for early-stage stores willing to be on the leading edge. Early-traction review counts are sensitive to single launch periods or feature events, so a 30-day re-check before bigger commitments often resolves whether the trend is sustained. Paid-only pricing means evaluating fit on the marketplace listing or via the developer's documentation before installing. AppRanks tracks rating, review count, pricing tier, and category position daily — the figures on this page reflect the most recent scrape from the canonical WordPress Plugin Directory listing.
Pros
- +High average rating (5.0★) signals consistent merchant satisfaction
- +Published by Fernando Tellado — established developer track record
Cons
- −Limited review base (13) — ratings can shift significantly with new feedback
Looking to switch from Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…?
See Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…'s alternatives ranked by audit score, rating, and review velocity.
How Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… works
Show full descriptionShow less
Premium Security. Zero Cost. Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.
Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, closed plugin detection, malware detection, user management, security audit logging, under attack mode and much more.
Once activated, Vigilant immediately applies firewall rules against common attacks (SQL injection, XSS, file inclusion), security headers, login attempt monitoring, XML-RPC blocking, WordPress version hiding and sensitive file protection (.htaccess, wp-config.php), after automatically backing up your existing configuration files.
One-Click Security Presets Choose a preset and get protected instantly:
Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation.
Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.
You can always customize individual settings after applying a preset.
Under Attack Mode Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:
JavaScript challenge – Every visitor must pass an automatic browser verification before accessing your site. Real browsers solve it in seconds, bots get blocked completely
Aggressive rate limiting – Requests limited to 30 per minute with 15-minute blocks for offenders
HTTP method restriction – Only GET, POST and HEAD allowed; PUT, DELETE, PATCH, OPTIONS and TRACE are blocked
Empty user agent blocking – Requests without a user agent header are rejected
Full XML-RPC lockdown during the attack
REST API restriction – Only authenticated users can access the REST API
Auto-deactivation – Mode turns off after 4 hours so you never forget it’s on
Email notifications when the mode activates and deactivates
HMAC-signed cookies – Verified visitors get a signed cookie so they only see the challenge once
Under Attack mode works independently from your preset configuration. Your regular settings are preserved and restored when the mode deactivates.
Two-Factor Authentication (2FA) Add a second verification step to your WordPress login:
Authenticator app (TOTP) – Google Authenticator, Authy, Microsoft Authenticator or any TOTP-compatible app
Email codes – One-time 6-digit verification codes sent via email
QR code setup directly in user profiles
10 backup codes for emergency access if you lose your device
Configurable grace period for users to set up their authenticator app
Trusted devices – optionally let users skip 2FA on recognized devices for 30 days
Role-based enforcement – require 2FA for administrators, editors or any role
Exclude specific users from 2FA requirements
Admin tool to reset TOTP for users who lost their authenticator
Configurable code expiry, attempt limits and email sender name
User notification emails when 2FA is enabled or the method changes
Firewall Protection Block malicious requests before they reach WordPress:
SQL injection blocking
XSS (Cross-Site Scripting) attack prevention
File inclusion protection (LFI/RFI)
Directory traversal blocking
Bad query string filtering (catches generic suspicious patterns the specific blockers miss)
Bad bot detection and blocking
Block requests with empty user agent
Block legacy HTTP/1.0 requests (almost always automated tools, never modern browsers)
Rate limiting against DDoS and brute force, with optional progressive lockouts
IP whitelist and blacklist management (IPv4 and IPv6, with CIDR ranges and wildcards)
User-Agent whitelist and blacklist with partial matching
Visitor IP detection control – read the real IP directly from the connection (a spoof-proof default) or from a proxy header when behind Cloudflare, a reverse proxy or a load balancer, with an admin notice if a proxy is detected but not configured
HTTP method restriction
Server-level file protection via .htaccess: block direct access to wp-config.php, .htaccess, wp-includes/ and sensitive files (.log, .sql, .bak, .ini, debug.log, readme.html, etc.), and optionally wp-cron.php external access
Block PHP execution in /uploads (one of the most common post-exploit vectors)
Disable directory browsing
Login Security Stop unauthorized access attempts:
Limit login attempts with configurable thresholds
Progressive lockouts – longer blocks for repeat offenders
Custom login URL – hide wp-login.php from bots
Login URL change notifications to all admin-area users
Hide login error messages – don’t reveal valid usernames
XML-RPC disable, with a separate toggle for just the pingback method if you still need other XML-RPC features
Application passwords control
Email notification when an IP is blocked for exceeding login attempts
Admin login notifications via email
IP whitelist for trusted locations
User Security Comprehensive user account protection:
Block insecure usernames (admin, test, root, etc.) on new registrations
Warn about existing users with insecure usernames so you can rename or remove them
Block author scanning – intercept ?author=N URLs so WordPress doesn’t redirect them to /author/USERNAME/ and leak the login slug
Force strong passwords with minimum length
Password expiration with configurable intervals
Password history – prevent reusing old passwords
Force password reset – by specific users, by role, or all users (post-hack recovery)
Session limits – control concurrent logins per user
Session management – view and revoke active sessions
Email verification for new registrations
Registration approval workflow – manually approve new users
Admin account monitoring – alerts for new admins, email changes, password changes, privilege escalation
Display name protection – prevent exposing login username publicly
Security Headers Achieve Grade A security ratings:
Content Security Policy (CSP) with visual builder and Report-Only mode for safe testing before enforcing
HSTS (HTTP Strict Transport Security) with includeSubdomains and preload options
X-Frame-Options – prevent clickjacking
X-Content-Type-Options – prevent MIME sniffing
Referrer Policy control
Permissions Policy (camera, microphone, geolocation, payment, USB)
Cross-Origin policies (COEP, COOP, CORP)
HTTPS enforcer with automatic mixed content fix
Server fingerprint hiding – the Server: header is neutralized and X-Powered-By and other fingerprinting headers are stripped from responses
File Integrity Monitoring Detect unauthorized changes to your files and compromised plugins:
WordPress core verification against official checksums
Plugin and theme file monitoring with WordPress.org checksums
Critical config files (wp-config.php, .htaccess) monitored against baseline, detecting code injection even in files with no official checksum
Closed and removed plugins detection – daily check against the WordPress.org repository, flagging any installed plugin closed for malware, security issues or guideline violations, including both explicit closures and silent “removed” takedowns, with per-slug Ignore for legacy plugins you can’t uninstall yet
Line-level diff view of changes, with per-file approval workflow
Suspicious code scanning for plugins and themes without checksums
Extra file detection in plugins and themes (files not in original distribution)
Uploads directory scanning for PHP files, double extensions and .htaccess, with smart classification of dangerous rules vs protective ones
Root directory scanning for non-core PHP files (common attack vector)
String concatenation obfuscation detection
Configurable notification levels and an ignore list to dismiss known files
Excluded paths and file extensions
Scheduled automatic scans (daily, weekly)
HTML formatted email alerts with severity sections, including a dedicated section for closed plugins
Security Audit Track everything happening on your site:
Successful and failed login attempts
Two-factor authentication events
User account changes (creation, deletion, role changes)
Content modifications (posts, pages)
Plugin and theme activations/deactivations
Security events and blocked threats
HTTP request method tracking and filtering (GET, POST, PUT, DELETE)
Enhanced log detail popup with grouped sections and quick actions
One-click add IP or User-Agent to firewall whitelist/blacklist from log entries
Direct IP lookup links to AbuseIPDB
Configurable retention period, CSV export, and filtering by event type, severity, request method or date
Audit Alerts – get an email when the audit log points to something worth your attention, off by default and configured under Security Audit:
Immediate alerts the moment a serious event is logged, by minimum severity (a new administrator, a closed plugin or a privilege escalation are all logged as Critical)
Threshold alerts when a category spikes – firewall blocks, login failures, user, plugin, file integrity, security, system and content events – over a 30-minute, 1, 6 or 24 hour window, counting only warning and critical events so routine activity never trips them
A single anti-repeat cooldown keeps a storm of events down to one notice instead of flooding your inbox
Active alerts surface in Settings & Tools, the Dashboard, the Configuration Score and the Security Check
“Send test email” button to confirm delivery
Security Check On-demand security audit built into the Dashboard. No external services, no accounts, no API keys – everything runs on your server:
40+ checks across 6 categories: SSL/TLS, HTTP Headers, WP Exposure, Access & Auth, Sensitive Files and Internal Checks
Single 0-100 score with A-E grade, plus per-category breakdown and explanatory details for every check
15 exclusive internal checks impossible from the outside: PHP end-of-life status, pending updates, inactive plugins, closed or removed plugins, file permissions, default salts detection, wp_ table prefix, admin username, administrators without 2FA enrolled, module status, recent audit errors, last File Integrity scan result and whether audit alerts are configured
DNS-only reputation lookup against Spamhaus ZEN, Barracuda BRBL and SpamCop SCBL (informational – listings are flagged but don’t deduct from the score)
Two-phase scan: fast local checks appear in under a second, remote checks stream in as they complete
Weekly automatic scan with opt-in email alert if the score drops by 10+ points or a new critical check starts failing
30-scan history with sparkline trend and delta chip
“Go to setting” fix link on every failing check, jumping straight to the exact Vigilant field that resolves it
Smart header diagnostics that report “configured but not being served” when a cache/CDN overrides your headers
WordPress Hardening Layered protection at the WordPress level – admin, content, head, feeds and database:
Lock down the admin: disable the built-in plugin and theme file editor, block installations and updates from the admin area, and force HTTPS for the admin area. Compatible with any hosting layout, respecting values already in place and never overriding them
Disable WordPress’s internal page-view cron when you already have a real server-side cron job configured
Dashboard warning when debug mode is left enabled in production, so error output never leaks to visitors
Hide your WordPress version everywhere it can leak: from the HTML head, from RSS and Atom feeds, and optionally from every script and style URL on the front-end (stripping only the WordPress version itself, leaving plugin and theme cache busting intact)
Automatic daily removal of readme.html, license.txt and licencia.txt from the WordPress root, which otherwise expose your version
HTML head cleanup – remove the RSD link, Windows Live Writer manifest, shortlink header and REST API discovery link
Database hardening – check for the default wp_ table prefix and one-click rename tool with full backup before the change
Comment security – honeypot field against spam bots, force moderation on every new comment, close comments on old posts, disable pingbacks and trackbacks
Feed management – completely disable RSS and Atom feeds, or only disable them when the site has no published content
REST API Security Control API access to your site:
Three access modes: public (default WordPress behavior), authenticated only (closes the API to anonymous visitors), or selective (custom allow/block lists)
Block user enumeration via /wp-json/wp/v2/users
Protect any list of sensitive endpoints from anonymous access
Per-plugin compatibility toggles so authenticated mode doesn’t break the front-end: WooCommerce, Contact Form 7, Gravity Forms, WPForms, Elementor, Jetpack. oEmbed and Site Health endpoints stay accessible by default
Security Tools Utilities included:
Database Backup – Download a full or partial database backup as ZIP with table selection
Database Prefix Change – Change the default wp_ prefix to a random secure prefix
Export/Import Settings – Transfer your configuration between sites
Manual Backup – Create backups of .htaccess and wp-config.php on demand
Reset to Defaults – Start fresh with one click
Safe by Design Your existing .htaccess, wp-config.php and robots.txt are automatically backed up before any modifications. Backups are stored in the WordPress database, never as files under the web root, and verified with MD5 checksums.
When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.
Why Vigilant? Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront – no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, security audit, on-demand Security Check with weekly regression alerts, and more. All free, all maintained, all following WordPress coding standards.
We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each offers in its free version and where Vigilant fills the gaps.
→ View the full comparison
Support Need private support or custom development?
Do you need one-on-one help, priority troubleshooting, or a custom feature, integration, or tweak built specifically for your site? I offer private support and custom development. Just contact me and tell me what you need.
Need help or have suggestions?
Official website
WordPress support forum
YouTube channel
Documentation and tutorials
Love the plugin? Please leave us a 5-star review and help spread the word!
About AyudaWP We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.
Category rankings
As of Jul 8, 2026See 90-day rank history for each category
Track daily rank changes, category shifts, and position volatility.
Keyword rankings
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… ranks for 2 keywords across WordPress Plugin Directory. Here are the top 2:
- 1.ai agentRank #208
- Rank #903
Competitors & alternatives
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…doesn't have curated competitor matchups yet. Other tracked security apps on WordPress:
Frequently asked questions
What is Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…?
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner… is an app for WordPress. It currently holds a 5.0-star rating from 13 merchant reviews, and AppRanks has been tracking its public marketplace data on a daily refresh cycle. It is listed under the Security category on AppRanks, where you can see its current category position, review-velocity trend, and how it compares against the top alternatives in the same space. Developed by Fernando Tellado.
Who uses Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…?
Currently around 1,000 active stores have installed Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…. Its review base is still building, which usually maps to early-stage merchants and stores piloting a new workflow. It is part of the Security category on WordPress.