{"id":51012209,"url":"https://github.com/wlkns/wordpress-security-plugin","last_synced_at":"2026-06-21T04:30:41.975Z","repository":{"id":365639970,"uuid":"1272272627","full_name":"wlkns/wordpress-security-plugin","owner":"wlkns","description":"Lightweight WordPress hardening plugin — blocks brute-force logins with IP banning, traps bots with honeypots, and disables   risky features. All toggleable, zero phone-home.","archived":false,"fork":false,"pushed_at":"2026-06-18T08:22:04.000Z","size":3008,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T09:05:08.338Z","etag":null,"topics":["brute-force-protection","hardening","honeypot","security","wordpress","wordpress-plugin","xmlrpc"],"latest_commit_sha":null,"homepage":"https://wlkns.co","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wlkns.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-17T13:00:11.000Z","updated_at":"2026-06-18T08:22:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/wlkns/wordpress-security-plugin","commit_stats":null,"previous_names":["wlkns/wordpress-security-plugin"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/wlkns/wordpress-security-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wlkns%2Fwordpress-security-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wlkns%2Fwordpress-security-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wlkns%2Fwordpress-security-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wlkns%2Fwordpress-security-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wlkns","download_url":"https://codeload.github.com/wlkns/wordpress-security-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wlkns%2Fwordpress-security-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34594326,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force-protection","hardening","honeypot","security","wordpress","wordpress-plugin","xmlrpc"],"created_at":"2026-06-21T04:30:38.046Z","updated_at":"2026-06-21T04:30:41.968Z","avatar_url":"https://github.com/wlkns.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WLKNS Security\n\n![WLKNS Security Plugin](docs/banner.png)\n\nHarden WordPress in one click: disable risky features, limit logins, trap bots with honeypots, and block offending IPs — all from a single **Security** menu.\n\n| | |\n|---|---|\n| **Contributors** | wlkns |\n| **Tags** | security, brute-force, login, honeypot, hardening |\n| **Requires at least** | WordPress 5.8 |\n| **Tested up to** | WordPress 6.5 |\n| **Requires PHP** | 7.4 |\n| **Stable tag** | 1.0.4 |\n| **License** | [GPLv2 or later](https://www.gnu.org/licenses/gpl-2.0.html) |\n\n## Description\n\nWLKNS Security is a lightweight, no-bloat hardening plugin. On activation it switches on a set of sensible defaults that close common attack surfaces, and gives you a single **Security** admin menu to toggle each protection on or off.\n\nEvery feature is optional and individually controllable. Nothing phones home, there are no ads, and there is no premium upsell.\n\n### Protections included\n\n- **Disable plugin installs** — hide and block the \"Add New\"/upload plugin screens (activating existing plugins still works).\n- **Disable theme installs** — the same lockdown for themes; switching existing themes still works.\n- **Disable comments** — close comments site-wide and remove the comment UI.\n- **Disable password resets** — prevent password resets and hide the \"Lost your password?\" link.\n- **Block unauthenticated REST API** — return 401 to logged-out REST requests while leaving the block editor and logged-in users unaffected.\n- **Disable XML-RPC** — turn off `/xmlrpc.php` and pingbacks, a common brute-force/DDoS amplification vector.\n- **Disable application passwords** — remove API auth tokens you may not use.\n- **Disable file editing** — switch off the built-in theme/plugin code editors.\n- **Hide WordPress version** — remove the generator tag and version query strings from assets.\n- **Login hardening** — generic login errors plus blocking of `?author=N` and REST user enumeration.\n- **Login attempt limiter** — temporarily block an IP after too many failed logins (configurable threshold and lockout duration).\n- **Login emails** — email a chosen administrator whenever any user logs in, including the username, role, source IP, and time. Off by default; pick a recipient to enable.\n- **Honeypot** — block any IP that repeatedly requests one of a fixed set of trap paths (e.g. `/.env`, `/wp-config.php`, `/.git`) that no legitimate visitor would request.\n\nBlocked IPs are stored in their own table and managed from a dedicated **Blocked IPs** screen where you can review, unblock, or manually add addresses.\n\n\u003e **Note on proxies/CDNs:** IP detection uses `REMOTE_ADDR` only, because forwarded headers can be spoofed. If your site sits behind a reverse proxy or CDN (e.g. Cloudflare), the originating IP must be resolved before it reaches PHP, or the blocklist will see your proxy's address.\n\n## Installation\n\n1. Upload the `wlkns-security` folder to `/wp-content/plugins/`, or install it through the Plugins screen in WordPress.\n2. Activate the plugin through the **Plugins** screen.\n3. Go to the new **Security** menu to review and adjust the protections. All features are enabled by default.\n\n## Frequently Asked Questions\n\n### Will disabling the REST API break the block editor?\n\nNo. Only logged-out requests are blocked. Logged-in users — including the block editor — continue to work normally.\n\n### I locked myself out with the login limiter. What now?\n\nOpen the **Security → Blocked IPs** screen and remove your IP, or delete the relevant row from the `wp_wlkns_wws_blocked_ips` table.\n\n### Does the honeypot catch every malicious request?\n\nIt catches requests that reach WordPress/PHP. Files served directly by your web server (or blocked at that layer) never hit the plugin, so pair it with sensible server configuration.\n\n### Does the plugin store any personal data?\n\nIt stores blocked IP addresses (and the reason/time) in a custom table so it can enforce blocks. Removing a block deletes the row; uninstalling the plugin drops the table.\n\n## Screenshots\n\n1. The Security settings screen with all hardening toggles.\n\n![Security settings screen](docs/screenshot-1-settings.png)\n\n2. The Blocked IPs screen — review, unblock, or manually add an address.\n\n![Blocked IPs screen](docs/screenshot-2-blocked-ips.png)\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) — generated from commit messages on each release.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwlkns%2Fwordpress-security-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwlkns%2Fwordpress-security-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwlkns%2Fwordpress-security-plugin/lists"}