Login Armor
Twelve security modules. One lightweight plugin. Zero compromise. Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way. Stop juggling Wordfence’s bloat, Solid Security’s upsells, and Limit Login Attempts’ gaps — Login Armor delivers twelve independent modules in about one megabyte. New in 2.4.0 Request Firewall — an optional, 8G-inspired PHP filter that blocks malicious requests (SQL injection, code execution, traversal, XSS, disallowed HTTP methods) before WordPress finishes loading, on Apache, Nginx and LiteSpeed alike. Off by default, it starts in monitor mode and never filters logged-in administrators; every block is logged, aggregated to one incident per IP per hour. Guided onboarding — a first-run wizard offers a one-click “safe baseline” that turns on the no-risk essentials, so a beginner is protected in seconds. The same “Apply safe baseline” button stays available any time. Why Login Armor No upsells, ever. No “premium” tier, no greyed-out “Pro” buttons. Every feature is GPL. No external services to sign up for. No API keys, no remote dashboards, no telemetry. The only outbound calls are opt-in: Have I Been Pwned (breach/password checks), Slack/Discord/webhook (notifications), the keyless ipwho.is API (geolocation), and your own WordPress 7 AI connector. Built to be invisible. Sub-megabyte ZIP, lazy-loaded modules, indexed queries — under 2 ms on a normal login flow. Multisite-aware, PHP 8.1-native, production-grade defaults. Network-activate a fleet, configure per-site, manage from a complete WP-CLI suite; zero-config gets you 80 percent of the protection. Twelve independent modules Hide Login — Replace wp-login.php with a custom slug; the old URL returns a 404, and a branded pre-activation modal lets you pick or generate the slug and emails it to you so you can’t lock yourself out. Compatible with multisite, reverse proxies and password-recovery flows. Brute Force Protection — Cascading lockouts escalating to a 24-hour ban, with subnet blocking and trusted X-Forwarded-For; lostpassword, register, XML-RPC and the REST users endpoint are all gated when an IP is locked, and every lockout surfaces as an incident. Hardening — Fifteen one-click toggles across surface reduction, credential hardening, request filtering and account monitoring: disable XML-RPC/pingbacks, the file editor, version exposure, application passwords and author enumeration; block reserved usernames (Unicode-confusable detection); add a login honeypot; get alerted on new administrators. Two-Factor Authentication — TOTP, one-time codes by email and printable backup codes, with trusted devices for thirty days, per-role enforcement, a configurable grace period and an email recovery flow when the authenticator is lost. Detection and Incidents — A real-time engine groups raw events into six attack patterns, each with a drill-down (timeline, source IPs, target users, severity, UA fingerprint) and one-click actions (reset password, block subnet, mark resolved). Activity Log — A compliance-ready, tamper-evident (hash-chained) audit trail of admin actions across seven logger domains, with filtering, CSV export, configurable retention and optional signed webhook forwarding to a SIEM. Login Page Security Headers — Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy and X-Content-Type-Options on wp-login.php and the lockout page, in two presets with an optional CSP report-uri; baseline headers can optionally extend site-wide. Breach Check — Detect logins using a breached password via privacy-preserving k-anonymity against Have I Been Pwned (only a 5-character SHA-1 prefix leaves the server); optional XposedOrNot email lookup, fail-soft so an outage never blocks login. Password Policy — Enforce strong, unique passwords at registration, profile update and reset: minimum length and character classes, forbid the username inside the password, optionally reject breached passwords, with optional non-locking expiration nudges. Session Management — Idle-timeout logout measured on real page loads, a maximum session lifetime regardless of “remember me”, an optional single-active-device restriction, and a one-click “sign out all other devices”. IP Geolocation — Show the attacker’s country on the Incidents and Events tabs; lazy, cached thirty days, capped per page load, private ranges never sent. Keyless ipwho.is by default, swappable for an offline database via a filter. Request Firewall — An optional, 8G-inspired PHP filter that blocks malicious query strings, paths, HTTP methods and (opt-in) user-agents/referrers before WordPress loads, on Apache/Nginx/LiteSpeed alike; off by default, starts in monitor mode, never filters admins, skips REST/cron/WP-CLI, with an IP/path allowlist (CIDR). Not scored. AI Security Briefing (optional) Built on the WordPress 7 native AI Client, one click turns your last thirty days of activity into a plain-language verdict, an IP picture and a short list of prioritised actions; “Explain with AI” does the same on a single incident. Minimised mode (anonymised signals) is the default and deep mode is an explicit opt-in. No API key is stored — it uses your own WordPress AI connector, so provider and cost stay yours. It always leads with a deterministic facts snapshot that works with or without AI. Plus Guided onboarding — a first-run wizard with a one-click safe baseline (Simple) or manual setup (Advanced); the “Apply safe baseline” button stays available, and upgrading sites never see the wizard. Security score — a weighted 0-100 read of your posture with a one-click “next best action”; observability features (geolocation, notifications, the AI assistant) are deliberately not scored. Conflict detection — warns when another login-security plugin (Wordfence, Solid Security, Sucuri, All-In-One Security, SecuPress and more) or a cache plugin (with Hide Login on) could clash. Notifications — email, Slack, Discord or webhook with SSRF-safe URL validation, severity threshold and rate limiting. WP-CLI suite and a dashboard widget (14-day sparkline, six headline metrics). GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies. Douze modules de sécurité. Une seule extension légère. Zéro compromis. Login Armor est une stack complète de sécurité WordPress conçue pour les agences, les freelances et les pros qui livrent des sites prêts à passer un audit. Pas de version premium, pas de tableau de bord marketing intégré, pas de télémétrie. Chaque module tourne en local, embarque des réglages par défaut sécurisés, et reste discret. Fini de jongler entre la lourdeur de Wordfence, les fenêtres d’upsell de Solid Security et les angles morts de Limit Login Attempts — Login Armor regroupe douze modules indépendants en environ un méga-octet. Nouveau en 2.4.0 Pare-feu de requêtes : un filtre PHP optionnel, inspiré du pare-feu 8G, qui bloque les requêtes malveillantes (injection SQL, exécution de code, traversée de répertoires, XSS, méthodes HTTP non autorisées) avant même que WordPress ait fini de charger, aussi bien sur Apache que Nginx ou LiteSpeed. Désactivé par défaut, il démarre en mode surveillance et ne filtre jamais les administrateurs connectés ; chaque blocage est journalisé, agrégé en un incident par IP et par heure. Assistant de configuration : à la première activation, un assistant propose une « base sûre » en un clic qui active les essentiels sans risque — un débutant est protégé en quelques secondes. Le même bouton « Appliquer la base sûre » reste disponible à tout moment. Pourquoi Login Armor Aucun upsell, jamais. Pas de niveau « premium », pas de boutons « Pro » grisés. Tout est en GPL. Aucun service externe à activer. Pas de clé API, pas de tableau distant, pas de télémétrie. Les seuls appels sortants sont opt-in : Have I Been Pwned (fuites/mots de passe), Slack/Discord/webhook (notifications), l’API sans clé ipwho.is (géolocalisation) et votre propre connecteur IA WordPress 7. Conçu pour être invisible. ZIP de moins d’un méga, modules chargés à la demande, requêtes indexées — sous 2 ms sur un flux de connexion normal. Compatible multisite, natif PHP 8.1, réglages prêts pour la production. Activation réseau d’une flotte, configuration par site, pilotage via une suite WP-CLI complète ; sans configuration, vous avez déjà 80 % de la protection. Douze modules indépendants Masquer la connexion : remplace wp-login.php par une URL personnalisée (l’ancienne renvoie une 404) ; une modale de pré-activation choisit ou génère le slug et vous l’envoie par e-mail pour éviter tout verrouillage. Compatible multisite, reverse proxies et récupération de mot de passe. Protection contre la force brute : verrouillages en cascade montant à un bannissement de 24 h, blocage de sous-réseaux et support X-Forwarded-For ; lostpassword, register, XML-RPC et l’endpoint REST users sont bloqués pour une IP verrouillée, et chaque verrouillage devient un incident. Renforcement : quinze bascules en un clic (réduction de surface, identifiants, filtrage des requêtes, surveillance des comptes) — désactiver XML-RPC/pingbacks, l’éditeur de fichiers, l’exposition de version, les mots de passe applicatifs et l’énumération d’auteurs ; bloquer les identifiants réservés (homoglyphes Unicode) ; ajouter un pot de miel ; être alerté à la création d’un administrateur. Authentification à deux facteurs : TOTP, codes à usage unique par e-mail et codes de secours imprimables, avec appareils de confiance 30 jours, application par rôle, période de grâce configurable et récupération par e-mail en cas de perte. Détection et incidents : un moteur en temps réel regroupe les événements en six patterns d’attaque, chacun avec une vue détaillée (chronologie, IP sources, comptes cibles, sévérité, empreinte UA) et des actions en un clic. Journal d’activité : piste d’audit conforme et inviolable (chaîne de hachage) des actions admin sur sept domaines, avec filtrage, export CSV, rétention configurable et transfert webhook signé optionnel vers un SIEM. En-têtes de sécurité : CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy et X-Content-Type-Options sur wp-login.php et la page de verrouillage, en deux préréglages avec CSP report-uri optionnel ; les en-têtes de base peuvent s’étendre à tout le site. Détection de fuites : repère les connexions avec un mot de passe fuité via k-anonymat sur Have I Been Pwned (seul un préfixe SHA-1 de 5 caractères sort) ; vérification e-mail XposedOrNot optionnelle, fail-soft. Politique de mot de passe : impose des mots de passe forts à l’inscription, au profil et à la réinitialisation (longueur, classes de caractères, interdiction de l’identifiant, rejet optionnel des mots de passe fuités), avec expiration optionnelle qui ne verrouille jamais personne dehors. Gestion des sessions : déconnexion sur inactivité mesurée sur les vrais chargements, durée de vie maximale indépendante de « se souvenir de moi », limitation optionnelle à un seul appareil actif, et « déconnecter tous les autres appareils » en un clic. Géolocalisation IP : affiche le pays des IP attaquantes dans Incidents et Événements ; recherches paresseuses, cache 30 jours, plafonnées par page, plages privées jamais envoyées. ipwho.is sans clé par défaut, base hors ligne possible via un filtre. Pare-feu de requêtes : filtre PHP optionnel inspiré du 8G qui bloque chaînes de requête, chemins, méthodes HTTP et (en option) user-agents/referrers malveillants avant le chargement de WordPress, sur Apache/Nginx/LiteSpeed ; désactivé par défaut, démarre en mode surveillance, ne filtre jamais les admins, ignore REST/cron/WP-CLI, allowlist IP/chemins (CIDR). Non noté. Briefing de sécurité IA (optionnel) Bâti sur le client IA natif de WordPress 7, un clic transforme vos trente derniers jours d’activité en un verdict en langage clair, un panorama des IP et une courte liste d’actions prioritaires ; « Expliquer avec l’IA » fait de même sur un incident. Le mode minimisé (signaux anonymisés) est par défaut, le mode approfondi est un opt-in explicite. Aucune clé API stockée : il utilise votre propre connecteur IA WordPress, le coût et le fournisseur restent les vôtres. Il s’ouvre toujours sur un instantané de faits déterministes, utile avec ou sans IA. En plus Assistant de configuration : un assistant à la première activation propose une base sûre en un clic (Simple) ou une voie manuelle (Avancée) ; le bouton « Appliquer la base sûre » reste disponible, et les sites en mise à jour ne le voient jamais. Score de sécurité : lecture pondérée 0-100 de votre posture avec une action prioritaire en un clic ; les fonctions d’observabilité (géolocalisation, notifications, assistant IA) ne sont pas notées. Détection de conflits : alerte quand une autre extension de sécurité axée connexion (Wordfence, Solid Security, Sucuri, All-In-One Security, SecuPress et d’autres) ou un plugin de cache (avec Hide Login actif) peut entrer en conflit. Notifications : e-mail, Slack, Discord ou webhook, avec validation d’URL anti-SSRF, seuil de sévérité et rate limiting. Suite WP-CLI et widget Tableau de bord (sparkline 14 jours, six métriques clés). Conçu par Login Armor est conçu et maintenu par Fabrice Ducarme de WPFormation, expert WordPress français obsédé par les sites propres, rapides et prêts pour l’audit. On l’utilise sur chaque site qu’on livre. Présentation et fonctionnement de Login Armor Guides de sécurité WordPress sur WPFormation Veille des vulnérabilités WordPress : l’outil de veille sécurité de WPFormation GPL pour toujours. PHP 8.1+. WordPress 6.8+. Zéro dépendance. External Services AI Security Briefing (optional) The AI Security Briefing and the “Explain with AI” incident analysis are powered by the WordPress 7 native AI Client (wp_ai_client_prompt()). When the administrator clicks the analysis button, LoginArmor asks WordPress to send a prompt to the AI connector that the administrator configured in their own WordPress (for example OpenAI, Anthropic or Google, depending on the connector). LoginArmor itself stores no API key and contacts no endpoint directly: the request, the provider and the cost are owned by the site’s own AI connector. Data sent: a text prompt describing the security situation. In minimised mode (the default), only anonymised, non-identifying signals are included (counts, categories, severities, role buckets) – no IP address and no username in clear. In deep mode (an explicit, off-by-default opt-in), the prompt additionally includes real IP addresses and event details so the analysis can name specific sources. No data is ever sent unless the administrator clicks the analysis button. This feature is inactive unless WordPress 7 (or the AI Building Blocks feature plugin) is present with a configured, approved AI connector. The applicable terms and privacy policy are those of the AI provider the administrator chose for their connector; please refer to that provider’s documentation. Webhook Notifications (optional) When explicitly enabled and configured by the administrator in LoginArmor > Settings > Notifications, the plugin sends incident data to third-party services via webhooks. Data sent: incident type, severity level, IP address, target username, event count, and site URL. No data is sent unless the administrator actively enables and configures a notification channel. Slack – Terms of Service | Privacy Policy Discord – Terms of Service | Privacy Policy Custom Webhook URL – User-configured endpoint (administrator’s responsibility) Gravatar (Automattic) The Activity Log tab uses WordPress core’s get_avatar() function to display user avatars. WordPress may send a hashed email address to Gravatar servers to retrieve avatar images. This is controlled by Settings > Discussion > Avatars. Gravatar – Automattic Terms of Service | Privacy Policy Breach Check – Have I Been Pwned (optional) When the administrator explicitly enables the Breach Check module (LoginArmor > Settings > Breach …
Top keywords
- de74×2.91%
- et33×1.30%
- un32×1.26%
- en25×0.98%
- wordpress23×0.91%
- les21×0.83%
- ai17×0.67%
- login17×0.67%
- par17×0.67%
- ip15×0.59%
- une15×0.59%
- security14×0.55%
ShieldUp – Bad Bots, Scrapers, Attackers
Tired of bad bots, scrapers, attackers and sluggish website performance? By providing real-time monitoring of accessing IPs, HTTP codes, URLs, and user agents, organized analytics, customizable timeline and visualizations, ShieldUp will help you indentify and combat threats like bad bots, scrapers, malicous attackers. Which will improve website security and performance by reducing the load on your server resources for a snappy website and great user experience. Key Features 🛡️ Advanced Security: ShieldUp protects your site from malicious bots, scrapers, attackers and hackers, shielding your website from potential threats. 🚀 Optimized Performance: Improve website speed and user experience by eliminating unnecessary requests from scrapers, bad bots and brute force attackers 🗃️ Comprehensive Data Collection: ShieldUp logs and archive accessing IPs, HTTP response codes, URLs, user agents, timestamps, etc. 📊 Detailed Data Insights: ShieldUp will analyze, organize and displays IP data based on IP ranges, request counts, details, offering a comprehensive view of your traffic within user-friendly tables. 📅 Custom Time Period: Select specific time ranges through an intuitive calendar feature for in-depth data analysis. 📈 Visualize Data: Easily visualize traffic trends and patterns with our user-friendly graphs. 🛠️ IP Tools: Helps you with actions like retrieving detailed IP information from DB or third-party tools. 🌐 Cloudflare Integration (Pro): Seamlessly connect your website to Cloudflare, enhancing security and performance even further by leverage Cloudflare’s powerful features. ⚙️ Advanced IP Management (Pro): Take control with a click. Manage IPs and IP ranges effortlessly, with actions like blocking, JavaScript challenges, whitelisting, or remove rules using Cloudflare’s firewall through the plugin. 💼 Centralized IP Database (Pro): Keep all IPs controlled by your WP plugin and Cloudflare in a centralized database for efficient management and tracking. 📝 User Activity Logging (Pro): Maintain detailed logs of all IP controls by users, ensuring accountability and providing a historical record of security actions. 🏆 Priority Support (Pro): Pro members get priority support, so you can expect quick help with any questions or issues. Please Note: Yes, the Pro version is undeniably impressive. However, the free version is really what you need and will get the job done. How it works 1. Installation and Activation Start by downloading and installing the ShieldUp plugin. Once activated, it seamlessly integrates with your WordPress, ready to work its magic. 2. Data Collection ShieldUp starts by collecting crucial data about the traffic to your website. It keeps a record of accessing IPs, including HTTP response codes, URLs, user agents, and timestamps. This data is organized into user-friendly tables and presented through interactive graphs, allowing you to gain valuable insights into your website’s traffic patterns. 3. Select, Organize and Display Data You can choose a specific time frame, making it easy to identify which IPs are accessing your site the most. It also groups IPs into /16 and /24 ranges and along with graphical representation helps you visualize trends, spot unusual activity and potential security threats. 4. Cloudflare Integration (Pro) ShieldUp seamlessly integrates with Cloudflare in PRO version, enhancing your website’s security even further. Using the Cloudflare API, you can manage IPs and IP ranges right from your WordPress dashboard. Implement blocks, JavaScript challenges, whitelist entries, or remove rules with just a few clicks. 5. IP Tools & IP Management Each IP listed in the user-friendly interface comes with action buttons, enabling you to ban IPs in your website’s firewall or CloudFlare, retrieve detailed IP information from third-party tools, and perform other custom actions. 6. Enhanced Security ShieldUp employs advanced security measures to protect your website from a wide range of threats. It identifies and blocks malicious bots, scrapers, attackers, and hackers, ensuring that your website remains secure. 7. Optimized Website Performance In addition to security, ShieldUp optimizes your website’s performance. It achieves this by filtering out unnecessary requests from bad bots, scrapers and other unwanted traffic. This optimization reduces the load on your server resources, resulting in a snappy and responsive website and great user experience. Firewalls, What we recommend? One of the best options would be a hardware-type firewall, but we wouldn’t be in this situation if we had one. The next best option for managing HTTP and HTTPS traffic is a cloud-based firewall, such as CloudFlare, especially when it is available for free and offers a wide range of excellent features. In addition to that, we also use CSF for other security solutions and to manage traffic and ports related to services like mail and SSH. So, why do we think CloudFlare is a better solution for HTTP and HTTPS trafic, than “Traditional” Server/Software-Based Firewall (CSF) especially Plugin-Like Firewalls (WordPress Plugins)? Traditional firewalls, while valuable, have limitations when compared to Cloudflare’s robust security and performance capabilities. These firewalls primarily protect your server or website by consuming server resources, leaving them vulnerable to large-scale attacks, among other things. In contrast, Cloudflare operates a global network that defends against threats at the network edge, providing superior DDoS protection and accelerated content delivery. By choosing Cloudflare, you gain a comprehensive, cloud-based solution that strengthens your website’s resilience and speed, effectively surpassing the capabilities of traditional local firewalls when it comes to HTTP and HTTPS trafic. Here are some of the main features of CloudFlare: Global Network Security: Cloudflare operates a vast global network that acts as a protective shield for your website, filtering out malicious traffic and threats before they even reach your server. This distributed approach ensures that attacks are mitigated at the network edge, preserving your server resources. Content Caching: Cloudflare’s caching infrastructure stores copies of your website’s content at data centers around the world. This means visitors experience faster load times as they access cached content from a server nearest to them, reducing server load and improving website responsiveness. Web Application Firewall (WAF): Cloudflare offers a comprehensive Web Application Firewall that can be finely tuned to your specific needs. It provides a robust defense against common web application attacks, such as SQL injection and cross-site scripting (XSS), without the need for additional on-site firewall plugins. IP Control and Access Management: Cloudflare’s firewall allows you to control and manage IP access with precision. You can easily set rules to block or allow specific IPs, IP ranges, or countries, giving you granular control over who can access your website. DDoS Protection: Cloudflare’s network is designed to withstand large-scale DDoS attacks, providing a shield against volumetric threats that would overwhelm on-site firewalls. This ensures uninterrupted website availability. Performance Optimization: Cloudflare’s content delivery network (CDN) optimizes the delivery of your website’s assets, including images, scripts, and stylesheets, resulting in reduced latency and faster load times for your visitors. Scalability and Reliability: Cloudflare’s infrastructure is highly scalable and redundant, ensuring that your website remains available even during traffic spikes or server failures. By integrating Cloudflare with your WordPress site, you not only enhance security but also optimize performance, reduce server load, and simplify IP access control, all while benefiting from Cloudflare’s global network and advanced security features. It’s a comprehensive solution that takes your website’s protection and performance to the next level. This is why we use it on all our websites, including the Pro version of this plugin as well. Therefore, we strongly recommend that you use it for your website if you haven’t already, whether you intend to use this plugin or not. Please note that we still use and recommend that you use a ‘Traditional’ server/software-based firewall like CSF, in conjunction with CloudFlare, to cover various security aspects such as traffic/ports for mail, FTP, SSH, etc.