Atlant Security
Atlant Security is a comprehensive WordPress security plugin that provides enterprise-grade protection through 17 integrated security modules organized in a 5-layer defense architecture. 5-Layer Defense Architecture Pre-WordPress WAF – Firewall, rate limiter, and IP blocking run before WordPress processes the request. Application-Aware – Login security, custom login URL, two-factor authentication, session hardening, cron monitoring, and REST API policies. Content & Config – WordPress hardening, security headers, AI crawler management, and honeypot traps. Outbound & Data – SSRF prevention, malware scanning (files and database). Response & Recovery – Post-breach recovery, notifications, visitor log, and audit log. Key Features Web Application Firewall (WAF) Inspects every request against 28+ attack pattern families including SQL injection, XSS, remote code execution, path traversal, PHP object injection, and WordPress-specific attacks. Block or log-only mode. Triple URL decoding prevents evasion. Brute Force Protection Progressive lockout system (5 min > 30 min > 24 hours) with configurable thresholds. Generic login error messages prevent username enumeration. Author enumeration blocking. Malware Scanner Local file and database scanner with 38 malware signatures. Detects backdoors, webshells (WSO, c99, r57), crypto miners, credit card skimmers, and obfuscated code. Quarantine system with web access blocking. Two-Factor Authentication (2FA) TOTP (Google Authenticator, Authy) and email OTP. Per-role enforcement, 10 recovery codes, 5-minute challenge timeout, replay attack prevention. Honeypot Traps Zero-false-positive bot detection: hidden link traps, fake login pages, comment honeypots, and Contact Form 7 integration. 3-layer safe bot protection ensures Googlebot, Bingbot, and allowed AI crawlers are never blocked. AI Crawler Management Control 20+ known AI/LLM training crawlers (GPTBot, ClaudeBot, Google-Extended, Bytespider, and more). Per-crawler toggles, robots.txt integration, and 403 enforcement. Block training crawlers while allowing browsing bots. Security Headers Manage HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CSP, CORP, and COOP. Letter-grade scoring system. Remove X-Powered-By and Server headers. Session Security Cookie hardening (HttpOnly, Secure, SameSite). Session binding via IP + User-Agent fingerprint detects hijacking. Concurrent session limits. Idle timeout. Optional admin bypass for all session restrictions. Rate Limiter Sliding-window rate limiting across 11 endpoint categories: frontend, login, search, feed, REST API, WooCommerce checkout, XML-RPC, and cron. REST API Policies Per-route access control with authentication requirements, HTTP method restrictions, rate limits, and IP whitelists. 5 built-in policies protect user enumeration, search, and write endpoints. Cron Guard Monitors wp-cron.php for flood attacks. Detects suspicious scheduled tasks via baseline comparison. System cron migration helper. Outbound Monitor (SSRF Prevention) Monitors all outgoing HTTP requests. Blocks requests to private/internal IP ranges including cloud metadata endpoints. Domain allowlist with wildcard support. Caller detection traces requests to specific plugins. Post-Breach Recovery 12 emergency actions: terminate sessions, force password reset, rotate secret keys, emergency lockdown, reinstall core, reinstall plugins, audit admin accounts, clear caches, malware scan, disable plugins, and downloadable incident report. Real-Time Dashboard Live visitor monitoring with 15-second auto-refresh. Stat cards, traffic charts, top IPs with VirusTotal integration, browser distribution, and IP detail modals. Visitor Log & Audit Log Complete request history with filters (IP, URL, bots, blocked, time range). Tamper-resistant admin action audit trail. Notifications Email alerts (HTML formatted, color-coded severity), Slack webhooks, custom JSON webhooks, and daily digest. Configurable severity threshold with 5-minute deduplication. WordPress Hardening One-click toggles: disable XML-RPC, hide WordPress version, block REST API user enumeration, block author enumeration, disable file editor, block PHP execution in uploads. What Makes Atlant Security Different Pre-WordPress WAF – Blocks attacks via auto_prepend_file before WordPress even loads Outbound HTTP Monitor – Detects SSRF attacks and unauthorized outbound connections Database Backdoor Scanner – Scans wp_options and wp_posts for eval(), base64, and hidden backdoors Client-Side Bot Detection – JavaScript challenges and browser fingerprinting catch sophisticated bots AI/LLM Crawler Blocking – Identify and block AI training crawlers scraping your content Honeypot Traps – Hidden links, fake login pages, invisible form fields that only bots trigger Cron Guard – Monitors wp-cron for unauthorized scheduled tasks planted by malware Post-Breach Recovery – Guided recovery toolkit with 12 emergency actions in one place Session Fingerprint Binding – Binds sessions to IP + User-Agent so stolen cookies are useless Real-Time Visitor Dashboard – Live visitor feed updated every 15 seconds Smart Password Policy – Minimum length, complexity, common-password blocking, and passphrase support Granular REST API Policies – Per-endpoint control, not just a global on/off switch Safe Mode Override – One constant in wp-config.php disables all blocking features instantly Deactivation Data Control – Choose to keep or wipe all security data when deactivating Zero phone-home – No telemetry, no tracking, fully GDPR-compliant (external services used only when explicitly enabled by the admin – see External Services section) Why Atlant Security? All-in-one – Replaces 5-6 separate security plugins No external dependencies – Core security features run locally on your server Zero phone-home – No telemetry, no tracking (optional features like GeoIP use external services only when explicitly enabled – see External Services section) GDPR-friendly – No external fonts, no CDN resources Setup wizard – Configure core security in under 2 minutes Clean uninstall – Removes all database tables and options when deleted (opt-in) Safe Mode – Emergency override if you get locked out of your site External Services This plugin connects to the following third-party services under specific conditions: Cloudflare IP Ranges When Cloudflare integration is enabled, the plugin periodically fetches the current list of Cloudflare edge IP ranges from Cloudflare’s official endpoints. This is used to correctly identify visitor IP addresses behind the Cloudflare proxy and to whitelist Cloudflare edge servers. Data sent: No user data is sent. The plugin fetches publicly available IP range lists. When: Once per week via a scheduled cron job (aswp_refresh_cloudflare_ips), only when Cloudflare integration is enabled. Endpoints: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 Cloudflare Terms of Use Cloudflare Privacy Policy MaxMind GeoLite2 GeoIP Database When GeoIP country detection is enabled and a MaxMind license key is configured, the plugin downloads the GeoLite2-Country database from MaxMind. This database is stored locally and used to resolve visitor IP addresses to country codes for display in the visitor log and dashboard. Data sent: Your MaxMind license key is sent to authenticate the download request. No visitor data is sent to MaxMind. When: On initial setup and once per week via a scheduled cron job (aswp_update_geoip_db), only when GeoIP is enabled and a license key is configured. Endpoint: https://download.maxmind.com/app/geoip_download MaxMind End User License Agreement MaxMind Privacy Policy Google IP Ranges When Google integration is enabled in the IP Whitelist, the plugin periodically fetches the current list of Google IP ranges from Google’s official endpoint. This is used to automatically whitelist known Google infrastructure IPs (Googlebot, Google Cloud, etc.) so legitimate Google traffic is never blocked. Data sent: No user data is sent. The plugin fetches a publicly available JSON file containing Google IP ranges. When: Once per week via a scheduled cron job (aswp_refresh_google_ips), only when Google integration is enabled. Endpoint: https://www.gstatic.com/ipranges/goog.json Google Terms of Service Google Privacy Policy Microsoft / Bing IP Ranges When Microsoft integration is enabled in the IP Whitelist, the plugin periodically fetches the current list of Bing bot IP ranges from Microsoft’s official endpoint. This is used to automatically whitelist known Bing crawler IPs so legitimate Bing traffic is never blocked. Data sent: No user data is sent. The plugin fetches a publicly available JSON file containing Bing bot IP ranges. When: Once per week via a scheduled cron job (aswp_refresh_microsoft_ips), only when Microsoft integration is enabled. Endpoint: https://www.bing.com/toolbox/bingbot.json Microsoft Services Agreement Microsoft Privacy Statement WordPress.org Core Checksums API The Malware Scanner verifies the integrity of WordPress core files by comparing their MD5 hashes against the official checksums published by WordPress.org. Files that match are skipped during pattern scanning (vendor-verified, safe by definition). Files that mismatch are flagged as critical “core_modified” findings. Data sent: WordPress version number and locale. No site data, no visitor data, no PII. When: Once per WordPress version (cached for 24 hours), only when the Malware Scanner runs and the “Use core checksums” setting is enabled. Endpoint: https://api.wordpress.org/core/checksums/1.0/ WordPress.org Terms of Service WordPress.org Privacy Policy WordPress.org Secret Key API The Post-Breach Recovery module can generate new WordPress secret keys and salts using the official WordPress.org API. This is used when an administrator manually triggers the “Rotate Secret Keys” emergency action after a security breach. Data sent: No user data is sent. The plugin fetches randomly generated keys from the API. When: Only when an administrator manually triggers the “Rotate Secret Keys” action in the Post-Breach Recovery module. Endpoint: https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org Terms of Service WordPress.org Privacy Policy Slack Webhooks When Slack notifications are enabled and a Slack webhook URL is configured, the plugin sends security alert messages to the specified Slack channel. This allows administrators to receive real-time security notifications in Slack. Data sent: Security alert messages containing the alert subject, description, severity level, site URL, and the IP address that triggered the alert. No visitor personal data or cookies are sent. When: Only when a security event occurs (e.g., brute force attempt, WAF block, honeypot trip) and Slack notifications are enabled. Endpoint: Administrator-configured Slack Incoming Webhook URL (e.g., https://hooks.slack.com/services/…) Slack Terms of Service Slack Privacy Policy Custom Webhooks When webhook notifications are enabled and a webhook URL is configured, the plugin sends security alert payloads in JSON format to the specified endpoint. This allows integration with any external monitoring or alerting system. Data sent: JSON payload containing the alert subject, description, severity level, site URL, timestamp, and the IP address that triggered the alert. No visitor personal data or cookies are sent. When: Only when a security event occurs and webhook notifications are enabled. Endpoint: Administrator-configured webhook URL. Terms and privacy: Determined by the third-party service the administrator configures. Google reCAPTCHA When CAPTCHA bot protection is enabled and the provider is set to “Google reCAPTCHA v2” or “Google reCAPTCHA v3”, visitor browsers load Google’s reCAPTCHA library and the server verifies submitted tokens with Google. This is OPT-IN – disabled by default. Data sent (browser → Google): visitor IP address and standard reCAPTCHA telemetry that Google uses to score human-vs-bot likelihood. Google’s reCAPTCHA library is loaded from www.google.com/recaptcha/api.js. Data sent (server → Google): the verification token returned by the visitor’s browser, the configured secret key, and the visitor’s IP address (remoteip field), to https://www.google.com/recaptcha/api/siteverify. When: only when the configured provider is reCAPTCHA AND the visitor reaches /wp-login.php, the WordPress registration form, or the lost-password form (per-form toggle). Endpoints: https://www.google.com/recaptcha/api.js and https://www.google.com/recaptcha/api/siteverify Google reCAPTCHA Terms of Service Google Privacy Policy Cloudflare Turnstile When CAPTCHA bot protection is enabled and the provider is set to “Cloudflare Turnstile”, visitor browsers load Cloudflare’s Turnstile library and the server verifies submitted tokens with Cloudflare. This is OPT-IN – disabled by default. Turnstile is the privacy-respecting alternative to reCAPTCHA – Cloudflare states it does NOT track users across sites. Data sent (browser → Cloudflare): visitor IP address and standard Turnstile telemetry. The Turnstile library is loaded from challenges.cloudflare.com/turnstile/v0/api.js. Data sent (server → Cloudflare): the verification token returned by the visitor’s browser, the configured secret key, and the visitor’s IP address (remoteip field), to https://challenges.cloudflare.com/turnstile/v0/siteverify. When: only when the configured provider is Cloudflare Turnstile AND the visitor reaches /wp-login.php, the WordPress registration form, or the lost-password form (per-form toggle). Endpoints: https://challenges.cloudflare.com/turnstile/v0/api.js and https://challenges.cloudflare.com/turnstile/v0/siteverify Cloudflare Terms of Service Cloudflare Privacy Policy Upgrade Notices 1.1.8 Restores the policy: legitimate vendor bots (Google, Anthropic, OpenAI, Bing) are NEVER blocked unless the site operator explicitly opts in. Two fixes – AI crawler defaults flipped to “allow”, and the Honeypot reverse-DNS check now fails open so transient DNS issues can’t ban real Googlebots. Recommended for everyone running an SEO-sensitive site. 1.1.7 Critical security release. Fixes 14 CRITICAL and 12 HIGH issues found during a full external audit, including a fatal-at-login bug, IP-block bypass via IPv6-mapped addresses, an SSRF DNS-rebinding race in the outbound monitor, and a wp-config-backup-leaks-old-keys flaw. Recommended upgrade for every install. 1.1.6 Big scanner-accuracy improvement. Verified WordPress core files are now skipped (MD5-matched against the official api.wordpress.org checksums), tightened iframe/base64 signatures, fixed an over-broad path match, and added a “Mark as False Positive” button. Recommended upgrade for everyone running scans. 1.1.5 Adds CAPTCHA support on login / registration / lost-password forms. Three providers: reCAPTCHA v2, reCAPTCHA v3, and Cloudflare Turnstile. Configure in Login Security → Bot Protection (CAPTCHA). 1.1.4 Adds CSV export on the Malware Scanner (per Reddit community suggestion) – download full untruncated File + Database Findings before committing to Quarantine. Compatibility declared through WP 7.0. 1.1.3 Security hardening release. Fixes custom-login-URL cookie bypass, 2FA enforcement, SSRF log-only default, session-limit token/verifier mix, and adds real wp-config.php rewriting for key rotation. Existing 2FA recovery codes generated before 1.1.3 may not verify – regenerate them from your user profile after upgrading. 1.1.2 New About page consolidates defense architecture and competitive features. Setup wizard no longer auto-redirects on activation. Dashboard is cleaner with focus on operational data. 1.0.7 Major UI overhaul: inner sidebar navigation replaces 23 WordPress submenu items with a clean, persistent sidebar panel. All page URLs remain the same – bookmarks still work. 1.0.4 Adds GeoIP country flags in visitor log, custom login URL, password policy enforcement, and Force SSL Admin setting. Internal prefix migration runs automatically – no action required. 1.0.3 Adds honeypot traps, security headers management, two-factor authentication, and notification channels. Fixes IP management and status code logging. Recommended update. 1.0.0 Initial release. Run the Setup Wizard after activation to configure your site’s security.
Top keywords
- google29×1.25%
- cloudflare27×1.16%
- ip27×1.16%
- data25×1.08%
- security25×1.08%
- wordpress25×1.08%
- visitor23×0.99%
- sent20×0.86%
- api18×0.78%
- enabled17×0.73%
- recaptcha15×0.65%
- com14×0.60%
Kadence Security – Password, Two Factor Authentication, and Brute Force Protection
Reduce your WordPress website’s risk to nearly zero with Kadence Security Formerly iThemes Security. Looking for iThemes? Learn more here. On average, 30,000 websites are hacked every day.* Cyberattacks in the US increased by 57% in 2022.** Bad actors who want to hack your site, steal your data, and cripple your business are a 24/7/365 threat. You need a proactive, strategic approach to WordPress website security that protects your site from brute force attacks, malware infections, and other cyber threats. Kadence Security shields your site from cyberattacks and prevents security vulnerabilities. It automatically locks out bad users identified by our Brute Force Protection Network that is nearly 1 million sites strong and leverages your own blacklist. It secures and protects your most commonly attacked part of your WordPress website – user login authentication. With Patchstack integration (Pro) protects your site before you even have a chance to address vulnerabilities and before a plugin or theme vendor or developer can even issue a patch. That’s 24/7/365 always-on truly Kadence Security. 🌐 Secure your Website in Minutes The Kadence Security setup and onboarding experience allows anyone to secure their WordPress website in under 10 minutes, regardless of technical acumen. Knowing that you have enabled all the right security settings for your website will leave you feeling like your site has never been more secure. 📚 Security Site Templates to Fit Your Type of Site Enabling the correct security settings based on the type of website you are building or maintaining is essential for proper security. An eCommerce site requires a different level of security than a basic blog. Kadence Security Site Templates make it quick and easy to apply the right security settings for your website. Choose from six different site templates to apply the type of security your site needs: Ecommerce – websites that sell products or services Network – websites that connect people or communities Non-Profit – websites that promote your cause and collect donations Blog – websites that share your thoughts or start a conversation Portfolio – websites that showcase your craft Brochure – simple websites that promote your business ⌚ Real-Time Website Security Dashboard Every day, lots of activity is happening on your website that you can’t see. Many of these activities can be related to your site’s security, so monitoring these events is vital to keeping your site secure. The Kadence Security Pro plugin provides a real-time WordPress security dashboard that monitors security-related events on your site around the clock. The Kadence Security Dashboard is a dynamic dashboard with all your WordPress website’s security activity stats in one place, including brute force attacks, banned users, active lockouts, site scan results, and user security stats (Pro). 🗝️ WordPress Login Security Setting up and maintaining proper WordPress configurations and managing user account access are essential aspects of hardening your site against threats and vulnerabilities. Basic and Pro include features that address both of these factors. Two Factor Authentication (2FA) – Make your WordPress login nearly impenetrable to attack by requiring users to enter a security code along with a password to login. The Kadence Security plugin allows you to add two-factor authentication to your WordPress login with several authentication methods, including mobile apps like Authy and Google Authenticator, email, and backup codes. Password Requirements – Create and enforce a password policy for your users in less than a minute. reCAPTCHA (Pro) – Stop bad bots from engaging in abusive activities on your website, such as attempting to break into your website using compromised passwords, posting spam, or even scraping your content. Passwordless Logins (Pro) – WordPress security made easy. Secure your user accounts with 2fa & strong passwords while allowing real users login with a click of a mouse. Trusted Devices (Pro) – Identify the devices you and other users use to block session hijacking attacks and limit Administrator privileges to Trusted Devices. Automated Vulnerability Patching (Pro) – Kadence Security Pro includes Patchstack which patches vulnerabilities before you have a chance to and applies fixes even before a plugin developer or vendor has issued a patch. Learn more about how passwordless login is the future and how Kadence Security can help you implement it today. 👨👩👧👦 The Right Amount of Security for Every User Level Different types of user levels require different levels of security. During the Kadence Security setup process, you can identify your website’s key user groups. Once the different types of users are identified, you can apply the level of security that is just right for each user group. Here are a couple of examples of how User Groups are useful for securing your site: For Clients – Let’s say you are configuring Kadence Security on a client’s website. You will decide whether or not they are required to use two-factor authentication and if they should have access to the Kadence Security settings. For Customers – If you have an eCommerce website, you will decide whether or not you want to protect customer accounts with a password policy. Privilege Escalation (Pro) also adds a safe, secure way to grant temporary admin-level access to your website. 🤖 Block Bad Bots & Ban User Agents with Lockouts Ban Users (Basic and Pro) – Permanently block repeat offenders from accessing your site. Local Brute Force Protection – Automatically identify and stop the most common method of attack on WordPress sites. Local Brute Force Protection (Basic and Pro) – Automatically identify and stop the most common method of attack on WordPress sites. Network Brute Force Protection (Basic and Pro) – The network is the Kadence Security community and is nearly one million websites strong. If someone tries to break into websites in the Kadence Security community, Kadence Security will block them across the network. Magic Links (Pro) – Security shouldn’t get in your way. Magic Links allow you to log in to your WordPress site while your username is locked out by the Kadence Security Local Brute Force Protection feature. 🔍 Monitor Your Site’s Security Health File Change Detection (Basic and Pro) – Kadence Security logs changes made to your website that can help detect malicious activity on your website. Site Scanner (Basic and Pro) – Schedule checks to run four times per day (Basic) or hourly (Pro) for known vulnerabilities of WordPress core file, plugins and themes. Using the Google Safe Browsing API, the Site Scan also checks your Google’s blocklist status and will alert you if Google has found any malware on your website. Patchstack integration (Pro) – Automated virtual patching of some vulnerabilities before you even have a chance to address them yourself, and before a plugin or theme vendor or developer can even issue a patch. Site Scanner (Pro) – Unlock Version Management to automatically apply a patch to vulnerable software detected by the Site Scan when one is available. User Logging (Pro) – Keep a record of user activity in your WordPress security logs, including login/logout, user registration, adding/removing plugins, switching themes, changes to posts and pages, and more. Version Management (Pro) – The Version Management feature in Kadence Security Pro allows you to auto-update WordPress, plugins, and themes. Beyond that, Version Management also has options to harden your website when you are running outdated software and scan for old websites. 🧠 Smarter, More Actionable Vulnerability Prioritization Not all vulnerabilities pose the same level of risk, and the traditional Common Vulnerability Scoring System (CVSS) score doesn’t always reflect the realities of running a WordPress site. Kadence Security now uses the Patchstack Priority score, which goes beyond CVSS to provide a real-world risk assessment tailored to WordPress. It factors in how likely a vulnerability is to be exploited and its actual impact on your site. With Patchstack Priority, you get a clearer picture of what really matters, helping you focus on the vulnerabilities that pose the greatest risk, and worry less about noise from low-impact issues. 🛠️ Website Security Utilities Enforce SSL – Force all connections to the website to be made over SSL/TLS. Database Backups – Create backups of your WordPress database. (Not a complete backup.) Geolocation (Pro) – Improve Trusted Devices by connecting to an external location or mapping API. 🚀 Advanced Security Tools Identify Server IPs – Prevent issues caused by inadvertently locking out your server IPs. Change User ID 1 – Change the user ID for the first WordPress user, potentially preventing attacks that assume the user with ID1 exists and is an administrator. Change Database Prefix – Change the database prefix that WordPress uses, potentially preventing attacks that assume the database prefix is “wp_”. Check File Permission – See the file and directory permissions of key areas of your site. Server Config Rules – View or flush the server security rules generated by Kadence Security. wp-config.php Rules – View or flush the wp-config.php security rules generated by Kadence Security. Change WordPress Salts – Secure your site after a successful attack by changing the WordPress salts used to secure cookies and security tokens. Hide Login URL – change the login URL of your site, making it harder for bots to find your login page and attack it. 🛟 Need Help? Free support may be available with the community’s help in the WordPress.org support forums. Our Kadence Security support team provides top-notch technical support to all our Kadence Security Basic users there. Our Help Center will help you become an iThemes Security expert. Get additional peace of mind with professional support from our expert team and pro features to take your site’s security to the next level with Kadence Security Pro. Recover From a Hacked Site Kadence Security makes regular backups of your WordPress database, allowing you to get back online quickly in the event of a hack or security breach. Use Kadence Security to create and email database backups on a customizable schedule. For complete site backups and the ability to restore or move WordPress to a new host or domain, check out Solid Backups. Solid Central Integration Manage more than one WordPress site? Release lockouts and keep your themes, plugins, and WordPress core up to date from one dashboard with Solid Central. *Zippia. “30 Crucial Cybersecurity Statistics [2023]: Data, Trends And More” Zippia.com. Jun. 15, 2023, https://www.zippia.com/advice/cybersecurity-statistics/ **https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/ License Released under the terms of the GNU General Public License.