Vigilant – 100% Free Security Suite
Premium Security. Zero Cost. Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls. Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, closed plugin detection, malware detection, user management, security audit logging, under attack mode and much more. Once activated, Vigilant immediately applies firewall rules against common attacks (SQL injection, XSS, file inclusion), security headers, login attempt monitoring, XML-RPC blocking, WordPress version hiding and sensitive file protection (.htaccess, wp-config.php), after automatically backing up your existing configuration files. One-Click Security Presets Choose a preset and get protected instantly: Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation. Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups. You can always customize individual settings after applying a preset. Under Attack Mode Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly: JavaScript challenge – Every visitor must pass an automatic browser verification before accessing your site. Real browsers solve it in seconds, bots get blocked completely Aggressive rate limiting – Requests limited to 30 per minute with 15-minute blocks for offenders HTTP method restriction – Only GET, POST and HEAD allowed; PUT, DELETE, PATCH, OPTIONS and TRACE are blocked Empty user agent blocking – Requests without a user agent header are rejected Full XML-RPC lockdown during the attack REST API restriction – Only authenticated users can access the REST API Auto-deactivation – Mode turns off after 4 hours so you never forget it’s on Email notifications when the mode activates and deactivates HMAC-signed cookies – Verified visitors get a signed cookie so they only see the challenge once Under Attack mode works independently from your preset configuration. Your regular settings are preserved and restored when the mode deactivates. Two-Factor Authentication (2FA) Add a second verification step to your WordPress login: Authenticator app (TOTP) – Google Authenticator, Authy, Microsoft Authenticator or any TOTP-compatible app Email codes – One-time 6-digit verification codes sent via email QR code setup directly in user profiles 10 backup codes for emergency access if you lose your device Configurable grace period for users to set up their authenticator app Trusted devices – optionally let users skip 2FA on recognized devices for 30 days Role-based enforcement – require 2FA for administrators, editors or any role Exclude specific users from 2FA requirements Admin tool to reset TOTP for users who lost their authenticator Configurable code expiry, attempt limits and email sender name User notification emails when 2FA is enabled or the method changes Firewall Protection Block malicious requests before they reach WordPress: SQL injection blocking XSS (Cross-Site Scripting) attack prevention File inclusion protection (LFI/RFI) Directory traversal blocking Bad query string filtering (catches generic suspicious patterns the specific blockers miss) Bad bot detection and blocking Block requests with empty user agent Block legacy HTTP/1.0 requests (almost always automated tools, never modern browsers) Rate limiting against DDoS and brute force, with optional progressive lockouts IP whitelist and blacklist management (IPv4 and IPv6, with CIDR ranges and wildcards) User-Agent whitelist and blacklist with partial matching Visitor IP detection control – read the real IP directly from the connection (a spoof-proof default) or from a proxy header when behind Cloudflare, a reverse proxy or a load balancer, with an admin notice if a proxy is detected but not configured HTTP method restriction Server-level file protection via .htaccess: block direct access to wp-config.php, .htaccess, wp-includes/ and sensitive files (.log, .sql, .bak, .ini, debug.log, readme.html, etc.), and optionally wp-cron.php external access Block PHP execution in /uploads (one of the most common post-exploit vectors) Disable directory browsing Login Security Stop unauthorized access attempts: Limit login attempts with configurable thresholds Progressive lockouts – longer blocks for repeat offenders Custom login URL – hide wp-login.php from bots Login URL change notifications to all admin-area users Hide login error messages – don’t reveal valid usernames XML-RPC disable, with a separate toggle for just the pingback method if you still need other XML-RPC features Application passwords control Email notification when an IP is blocked for exceeding login attempts Admin login notifications via email IP whitelist for trusted locations User Security Comprehensive user account protection: Block insecure usernames (admin, test, root, etc.) on new registrations Warn about existing users with insecure usernames so you can rename or remove them Block author scanning – intercept ?author=N URLs so WordPress doesn’t redirect them to /author/USERNAME/ and leak the login slug Force strong passwords with minimum length Password expiration with configurable intervals Password history – prevent reusing old passwords Force password reset – by specific users, by role, or all users (post-hack recovery) Session limits – control concurrent logins per user Session management – view and revoke active sessions Email verification for new registrations Registration approval workflow – manually approve new users Admin account monitoring – alerts for new admins, email changes, password changes, privilege escalation Display name protection – prevent exposing login username publicly Security Headers Achieve Grade A security ratings: Content Security Policy (CSP) with visual builder and Report-Only mode for safe testing before enforcing HSTS (HTTP Strict Transport Security) with includeSubdomains and preload options X-Frame-Options – prevent clickjacking X-Content-Type-Options – prevent MIME sniffing Referrer Policy control Permissions Policy (camera, microphone, geolocation, payment, USB) Cross-Origin policies (COEP, COOP, CORP) HTTPS enforcer with automatic mixed content fix Server fingerprint hiding – the Server: header is neutralized and X-Powered-By and other fingerprinting headers are stripped from responses File Integrity Monitoring Detect unauthorized changes to your files and compromised plugins: WordPress core verification against official checksums Plugin and theme file monitoring with WordPress.org checksums Critical config files (wp-config.php, .htaccess) monitored against baseline, detecting code injection even in files with no official checksum Closed and removed plugins detection – daily check against the WordPress.org repository, flagging any installed plugin closed for malware, security issues or guideline violations, including both explicit closures and silent “removed” takedowns, with per-slug Ignore for legacy plugins you can’t uninstall yet Line-level diff view of changes, with per-file approval workflow Suspicious code scanning for plugins and themes without checksums Extra file detection in plugins and themes (files not in original distribution) Uploads directory scanning for PHP files, double extensions and .htaccess, with smart classification of dangerous rules vs protective ones Root directory scanning for non-core PHP files (common attack vector) String concatenation obfuscation detection Configurable notification levels and an ignore list to dismiss known files Excluded paths and file extensions Scheduled automatic scans (daily, weekly) HTML formatted email alerts with severity sections, including a dedicated section for closed plugins Security Audit Track everything happening on your site: Successful and failed login attempts Two-factor authentication events User account changes (creation, deletion, role changes) Content modifications (posts, pages) Plugin and theme activations/deactivations Security events and blocked threats HTTP request method tracking and filtering (GET, POST, PUT, DELETE) Enhanced log detail popup with grouped sections and quick actions One-click add IP or User-Agent to firewall whitelist/blacklist from log entries Direct IP lookup links to AbuseIPDB Configurable retention period, CSV export, and filtering by event type, severity, request method or date Audit Alerts – get an email when the audit log points to something worth your attention, off by default and configured under Security Audit: Immediate alerts the moment a serious event is logged, by minimum severity (a new administrator, a closed plugin or a privilege escalation are all logged as Critical) Threshold alerts when a category spikes – firewall blocks, login failures, user, plugin, file integrity, security, system and content events – over a 30-minute, 1, 6 or 24 hour window, counting only warning and critical events so routine activity never trips them A single anti-repeat cooldown keeps a storm of events down to one notice instead of flooding your inbox Active alerts surface in Settings & Tools, the Dashboard, the Configuration Score and the Security Check “Send test email” button to confirm delivery Security Check On-demand security audit built into the Dashboard. No external services, no accounts, no API keys – everything runs on your server: 40+ checks across 6 categories: SSL/TLS, HTTP Headers, WP Exposure, Access & Auth, Sensitive Files and Internal Checks Single 0-100 score with A-E grade, plus per-category breakdown and explanatory details for every check 15 exclusive internal checks impossible from the outside: PHP end-of-life status, pending updates, inactive plugins, closed or removed plugins, file permissions, default salts detection, wp_ table prefix, admin username, administrators without 2FA enrolled, module status, recent audit errors, last File Integrity scan result and whether audit alerts are configured DNS-only reputation lookup against Spamhaus ZEN, Barracuda BRBL and SpamCop SCBL (informational – listings are flagged but don’t deduct from the score) Two-phase scan: fast local checks appear in under a second, remote checks stream in as they complete Weekly automatic scan with opt-in email alert if the score drops by 10+ points or a new critical check starts failing 30-scan history with sparkline trend and delta chip “Go to setting” fix link on every failing check, jumping straight to the exact Vigilant field that resolves it Smart header diagnostics that report “configured but not being served” when a cache/CDN overrides your headers WordPress Hardening Layered protection at the WordPress level – admin, content, head, feeds and database: Lock down the admin: disable the built-in plugin and theme file editor, block installations and updates from the admin area, and force HTTPS for the admin area. Compatible with any hosting layout, respecting values already in place and never overriding them Disable WordPress’s internal page-view cron when you already have a real server-side cron job configured Dashboard warning when debug mode is left enabled in production, so error output never leaks to visitors Hide your WordPress version everywhere it can leak: from the HTML head, from RSS and Atom feeds, and optionally from every script and style URL on the front-end (stripping only the WordPress version itself, leaving plugin and theme cache busting intact) Automatic daily removal of readme.html, license.txt and licencia.txt from the WordPress root, which otherwise expose your version HTML head cleanup – remove the RSD link, Windows Live Writer manifest, shortlink header and REST API discovery link Database hardening – check for the default wp_ table prefix and one-click rename tool with full backup before the change Comment security – honeypot field against spam bots, force moderation on every new comment, close comments on old posts, disable pingbacks and trackbacks Feed management – completely disable RSS and Atom feeds, or only disable them when the site has no published content REST API Security Control API access to your site: Three access modes: public (default WordPress behavior), authenticated only (closes the API to anonymous visitors), or selective (custom allow/block lists) Block user enumeration via /wp-json/wp/v2/users Protect any list of sensitive endpoints from anonymous access Per-plugin compatibility toggles so authenticated mode doesn’t break the front-end: WooCommerce, Contact Form 7, Gravity Forms, WPForms, Elementor, Jetpack. oEmbed and Site Health endpoints stay accessible by default Security Tools Utilities included: Database Backup – Download a full or partial database backup as ZIP with table selection Database Prefix Change – Change the default wp_ prefix to a random secure prefix Export/Import Settings – Transfer your configuration between sites Manual Backup – Create backups of .htaccess and wp-config.php on demand Reset to Defaults – Start fresh with one click Safe by Design Your existing .htaccess, wp-config.php and robots.txt are automatically backed up before any modifications. Backups are stored in the WordPress database, never as files under the web root, and verified with MD5 checksums. When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites. Why Vigilant? Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront – no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, security audit, on-demand Security Check with weekly regression alerts, and more. All free, all maintained, all following WordPress coding standards. We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each offers in its free version and where Vigilant fills the gaps. → View the full comparison Support Need private support or custom development? Do you need one-on-one help, priority troubleshooting, or a custom feature, integration, or tweak built specifically for your site? I offer private support and custom development. Just contact me and tell me what you need. Need help or have suggestions? Official website WordPress support forum YouTube channel Documentation and tutorials Love the plugin? Please leave us a 5-star review and help spread the word! About AyudaWP We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.
Top keywords
- security35×1.62%
- wordpress21×0.97%
- file14×0.65%
- login13×0.60%
- email12×0.56%
- files12×0.56%
- user12×0.56%
- admin11×0.51%
- php11×0.51%
- users11×0.51%
- block10×0.46%
- mode10×0.46%
WP Hide & Security Enhancer
Effortlessly conceal your WordPress site from detection! With over 99.99% of hacks targeting specific plugin and theme vulnerabilities, this plugin significantly boosts site security by making it invisible to hackers’ web scanners. By removing all traces of WordPress, including themes and plugins, potential exploits are rendered harmless. This method ensures that your site is safe without affecting SEO; in fact, it can enhance certain SEO aspects when used strategically. WP-Hide has launched the easiest way to completely hide your WordPress core files, login page, theme and plugins paths from being shown on front side. This is a huge improvement over Site Security, since no one will know whether you are running or not a WordPress. It also provides a simple way to clean up html by removing all WordPress fingerprints. No file and directory change! No file and directory will be changed anywhere. Everything is processed virtually. The plugin code uses URL rewrite techniques and WordPress filters to apply all internal functionality and features. Everything is done automatically without user intervention required at all. Real hide of WordPress core files and plugins The plugin not only allows you to change default URLs of you WordPress, but it also hides/blocks such defaults. Other similar plugins, just change the slugs, but the defaults are still accessible, obviously revealing WordPress as CMS. You can change the default WordPress login URL from wp-admin and wp-login.php to something totally arbitrary. No one will ever know where to try to guess a login and hack into your site. It becomes totally invisible. Full plugin documentation available at WordPress Hide and Security Enhancer Documentation When testing with WordPress theme and plugins detector services/sites, any setting change may not reflect right away on their reports, since they use cache. So, you may want to check again later, or try a different inner URL. Homepage URL usage is not mandatory. Being the best content management system, widely used, WordPress is susceptible to a large range of hacking attacks including brute-force, SQL injections, XSS, XSRF etc. Despite the fact the WordPress core is a very secure code maintained by a team of professional enthusiast, the additional plugins and themes make ita vulnerable spot for every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not own the experience to create a secure plugin. Statistics reveal that every day new vulnerabilities are discovered, many affecting hundreds of thousands of WordPress websites. Over 99,9% of hacked WordPress websites are target of automated malware scripts, which search for certain WordPress fingerprints. This plugin hides or replaces those traces, making the hacking bots attacks useless. It works well with custom WordPress directory structures,e.g. custom plugins, themes, and upload folders. Once configured, you need to clear server cache data and/or any cache plugins (e.g. W3 Cache), for a new html data to be created. If you use CDN this should be cache clear as well. Sample usage Main plugin functionality: Customizes Admin URL Blocks default admin URL Blocks any direct folder access to completely hide the structure Customize wp-login.php filename 2FA – Two-factor Authentication 2FA – Two-factor Authentication – Email Verification Code 2FA – Two-factor Authentication – Authenticator App 2FA – Two-factor Authentication – Recovery Codes 2FA – Two-factor Authentication – Shortcode for front-side user settings interface 2FA – Two-factor Authentication – My Account > Account Details – area for 2FA user settings interface Google Captcha Blocks default wp-login.php Blocks default wp-signup.php Blocks XML-RPC API Creates New XML-RPC paths Adjusts theme URL Creates New child Theme URL Changes theme style file name Cleans any headers for theme style file Customizes wp-include Blocks default wp-include paths Blocks default wp-content Customizes plugins URL Changes Individual plugin URL Blocks default plugins paths Creates New upload URL Blocks default upload URL Removes WordPress version Blocks Meta Generator Disables the emoji and required javascript code Removes pingback tag Removes wlwmanifest Meta Removes rsd_link Meta Removes wpemoji Minifies Html, Css, JavaScript Security Headers and many more. No other plugin functionality will be blocked or interfered in any way by WP-Hide This plugin allows to change the default Admin URL from wp-login.php and wp-admin to something else. All original links turn the default theme to “404 Not Found” page, as if nothing exists there. Besides the huge security advantage, the WP-Hide plugin saves lots of server processing time by reducing php code and MySQL usage since brute-force attacks target the weakURL. Important: Compared to all other similar plugins which mainly use redirects, this plugin turns a default theme to“404 error” page for all blocked URL functionalities, without revealing the link existence at all. Since version 1.2, WP-Hide change individual plugin URLs and made them unrecognizable. For example,the change of the default WooCommerce plugin URL and its dependencies from domain.com/wp-content/plugins/woocommerce/ into domain.com/ecommerce/cdn/ or anything customized. Plugin Sections **Hide -> Scan Exhaustive system security examination with analysis and improvements guidance and fixes Hide -> Rewrite > Theme New Theme Path – Changes default theme path New Style File Path – Changes default style file name and path Remove description header from Style file – Replaces any WordPress metadata information (like theme name, version etc.,) from style file Child – New Theme Path – Changes default child theme path Child – New Style File Path – Changes child theme style-sheet file path and name Child – Remove description header from Style file – Replaces any WordPress metadata information (like theme name, version etc.,) from style file Hide -> Rewrite > WP includes New Include Path – Changes default wp-include path/URL Block wp-include URL – Blocks default wp-include URL Hide -> Rewrite > WP content New Content Path – Change default wp-content path/URL Block wp-content URL – Blocks the default content URL Hide -> Rewrite > Plugins New Plugin Path – Changes default wp-content/plugins path/URL Block plugin URL – Blocks default wp-content/plugins URL New path / URL for Every Active Plugin Customize path and name for any active plugins Hide -> Rewrite > Uploads New Upload Path – Changes default media files path/URL Block upload URL – Blocks default media files URL Hide -> Rewrite > Comments New wp-comments-post.php Path Block wp-comments-post.php Hide -> Rewrite > Author New Author Path Prevent Access to Author Archives Block default path Hide -> Rewrite > Search New Search Path Block default path Hide -> Rewrite > XML-RPC New XML-RPC Path – Changes default XML-RPC path / URL Block default xmlrpc.php – Blocks default XML-RPC URL Disable XML-RPC authentication – Filters whether XML-RPC methods require authentication Remove pingback – Removes pingback link tag from theme Hide -> Rewrite > JSON REST Clean the REST API response Disable JSON REST V1 service – Disables an API service for WordPress which is active by default Disable JSON REST V2 service – Disables an API service for WordPress which is active by default Block any JSON REST calls – Any call for JSON REST API service will be blocked Disable output the REST API link tag into page header Disable JSON REST WP RSD endpoint from XML-RPC responses Disable Sends a Link header for the REST API Hide -> Rewrite > Root Files Block license.txt – Blocks access to license.txt root file Block readme.html – Blocks access to readme.html root file Block wp-activate.php – Blocks access to wp-activate.php file Block wp-cron.php – Blocks outside access to wp-cron.php file Block wp-signup.php – Blocks default wp-signup.php file Block other wp-*.php files – Blocks other wp-.php files within WordPress Root Hide -> Rewrite > URL Slash URL’s add Slash – Add a slash to any links without it. This disguisesthe existence of a file, folder or a wrong URL, which will all be slashed. Hide -> General / Html > Core Disabling Directory Listing Hide -> General / Html > Meta Remove WordPress Generator Meta Remove Other Generator Meta Remove Shortlink Meta Remove DNS Prefetch Remove Resource Hints Remove wlwmanifest Meta Remove feed_links Meta Disable output the REST API link tag into page header Remove rsd_link Meta Remove adjacent_posts_rel Meta Remove profile link Remove canonical link Hide -> General / Block Detectors Block Detectors Hide -> General / Emulate CMS Emulate CMS Hide -> General / Html > Admin Bar Remove WordPress Admin Bar for specified urser roles Hide -> General / Feed Remove feed|rdf|rss|rss2|atom links Hide -> General / Robots.txt Disable admin URL within Robots.txt Hide -> General / Html > Emoji Disable Emoji Disable TinyMC Emoji Hide -> General / Html > Styles Remove Version Remove ID from link tags Hide -> General / Html > Scripts Remove Version Hide -> General / Html > Oembed Remove Oembed Hide -> General / Html > Headers Remove Link Header Remove X-Powered-By Header Remove Server Header Remove X-Pingback Header Hide -> General / Html > HTML Remove HTML Comments Minify Html, CSS, JavaScript Remove general classes from body tag Remove ID from Menu items Remove class from Menu items Remove general classes from post Remove general classes from images Hide -> General / Html > User Interactions Disable Mouse right click Disable Text Selection Disable Copy Disable Cut Disable Paste Disable Print Disable Print Screen Disable Developer Tools Disable View Source Disable Drag / Drop Hide -> Admin > wp-login.php New wp-login.php – Maps a new wp-login.php instead of the default one Block default wp-login.php – Blocks default wp-login.php file from being accessible Customize the default login page Logo image Hide -> Admin > Admin URL New Admin URL – Creates a new admin URL instead of the default ”/wp-admin”. This also applies for admin-ajax.php calls Disable customized Admin Url redirect to the Login page Block default Admin Url – Blocks default admin URL and files from being accessible Security -> 2FA Enable 2FA Enable the 2FA for specific roles Enforce User to Configure 2FA Primary option for Two-Factor Disable 2FA when using Temporary Login Security -> 2FA Email Activate 2FA Email Security -> 2FA Auth App Activate Authenticator app (TOTP) Security -> 2FA Recovery Codes Activate 2FA Recovery Codes Security -> Captcha Google Captcha V2 Google Captcha V3 CloudFlare Turnstile ( PRO ) Settings -> CDN CDN Url – Sets-up CDN if applied. Some providers replace site assets with custom URLs. Security -> Headers HTTP Response Headers are a powerful tool to Harden Your Website Security. * Cross-Origin-Embedder-Policy (COEP) * Cross-Origin-Opener-Policy (COOP) * Cross-Origin-Resource-Policy (CORP) * Referrer-Policy * X-Content-Type-Options * X-Download-Options * X-Frame-Options (XFO) * X-Permitted-Cross-Domain-Policies * X-XSS-Protection This free version works with Apache and IIS server types. For all server types, check with WP Hide PRO This is a basic version that can hide everything for basic sites, example https://demo.wp-hide.com/. When using complex plugins and themes, the WP Hide PRO may be required. We provide free assistance to hide everything on your site, along with the commercial product. Anything wrong with this plugin on your site? Just use the forum or get in touch with us at Contact and we’ll check it out. A website example can be found at https://demo.wp-hide.com/ or our website WP Hide and Security Enhancer Plugin homepage at WordPress Hide and Security Enhancer This plugin is developed by Nsp-Code Localization Please help and translate this plugin to your language at https://translate.wordpress.org/projects/wp-plugins/wp-hide-security-enhancer You are kindly asked to promote this plugin if it comes up to your expectations via an article on your site or any other place. If you liked this code/WP-Hide or if it helped with your project, why not leave a 5 star review on this board.