Description
A lightweight WordPress security plugin to prevent brute force attacks and disable XML-RPC.
What can you do with WordShield?
- Brute Force Protection
- Disable XML-RPC API exploits
- Change default Login URL – Planned
- Add Security Headers – Planned
- Content Protection – Planned
- Login Security – Planned
- Hide Generator Tags
- Disable PHP Editing
Future Roadmap
- Stop user enumerations.
- Request rate throttler.
- Prevent comment spam.
- IP Ban.
- Prevent code execution.
- 2FA
- Backup & Restore.
- Support for multisite.
- Logs, Notifications, and more!
Note:
The current version of the WordShield Security plugin does not work in a multisite environment.
Advantages of WordShield Security Plugin
- Lean Code: Unlike most other security plugins, WordShield focuses on the core functionalities and has zero bloat.
- Ultrafast: This lightweight plugin adds negligible overhead to your website. Each new release is tested for performance before it is made available for general use.
- It added only 0.004 seconds of execution time in our internal performance profiling tests.*
- Failsafe: This WordPress security plugin does not modify any core file, and it does not alter the .htaccess file either. With easy-to-use recovery options, you can be sure that your WordPress website will never break.
- Best Practices: WordShield follows WordPress best practices and respects the coding standards.
- Maintenance & Support: WordShield has a planned roadmap for the future. It is well-supported and updated for compatibility with each WordPress upgrade.
How to Limit Login Attempts in WordPress?
You can limit login attempts to your WordPress website using the WordShield security plugin. You can prevent Brute Force attacks with the following steps:
- Open the settings screen after installing and activating the plugin.
- Navigate to the Brute Force tab on the settings screen.
- Set the maximum number of invalid attempts you want to allow for each user.
- Set the time (in minutes) you want to lock a user account after exceeding the maximum number of invalid attempts.
- If you do not want to prevent Brute Force attacks, select 0 for both of these settings.
- Save the settings.
👉 The WordShield security plugin informs the user about the remaining retries before the account becomes locked.
👉 If an account gets locked, WordShield informs the user about the time to wait before trying to log in again.
👉 You can customize the default error messages in any language by keying in the message in the 2 optional fields.
👉 Use %%MINUTES_LEFT%% to show the time in minutes in your custom message. Use %%ATTEMPTS_LEFT%% to show the number of retries left in your custom message.
How to disable XML-RPC API exploits?
XML-RPC is enabled by default in every WordPress installation. While XML-RPC is necessary for certain services and plugins like Jetpack, it can make websites vulnerable to remote code injection.
You can protect your website from the XML-RPC vulnerability as follows:
- Open the settings screen after installing and activating the plugin.
- Navigate to the XML-RPC tab on the settings screen.
- Check the Disable XML-RPC checkbox to disable XML-RPC completely.
- If you are using Jetpack, select the Enable Jetpack access option so that the Jetpack plugin continues to work seamlessly.
- If you need specific IPs to access XML-RPC API, key in the comma-separated list of IPs in the Whitelisted IPs field.
- Save the settings.
How to Hide the Generator tags in WordPress?
WordPress and WooCommerce generator tags let potential attackers easily identify the specific version of WordPress (or WooCommerce) you are using. This, in turn, exposes technical vulnerabilities, making your site more susceptible to hacking attempts.
You can hide the generator tags in WordPress with the following steps:
- Open the settings screen after installing and activating the plugin.
- Navigate to the Extras tab on the settings screen.
- Select the checkbox Remove Generator tags.
- Save the settings.
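An added example, not part of the plugin or its documentation: a Python check you can run against a site you administer to confirm that the XML-RPC and generator-tag settings described above took effect. The function names, result labels and sample values are assumptions made for this illustration; the page does not say what the plugin returns from /xmlrpc.php when XML-RPC is disabled, so any non-200 or non-XML-RPC reply is treated as blocked.

```python
import urllib.error
import urllib.request
import xmlrpc.client
from html.parser import HTMLParser
from xml.parsers.expat import ExpatError

def classify_xmlrpc(status, body):
    """Interpret the reply to a system.listMethods POST sent to /xmlrpc.php."""
    if status != 200:
        return "blocked"      # the endpoint refused the request outright
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        return "fault"        # endpoint is reachable but rejected the call
    except (ExpatError, xmlrpc.client.ResponseError, ValueError):
        return "blocked"      # error page or plain text, not an XML-RPC reply
    return "enabled" if methods else "fault"

class _MetaGenerator(HTMLParser):
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("name") or "").lower() == "generator":
            self.found.append(attr.get("content") or "")

def generator_tags(html):
    """Return the content of every <meta name="generator"> tag in a page."""
    parser = _MetaGenerator()
    parser.found = []
    parser.feed(html)
    return parser.found

def fetch(url, data=None):
    """GET, or POST when data is given; returns (status, text) even on HTTP errors."""
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit(site):
    """Check your own site, e.g. audit("https://www.yourwebsite.com")."""
    call = xmlrpc.client.dumps((), "system.listMethods").encode()
    status, body = fetch(site.rstrip("/") + "/xmlrpc.php", call)
    return {"xmlrpc": classify_xmlrpc(status, body),
            "generator_tags": generator_tags(fetch(site)[1])}

# Constructed samples (not captured from a real site) for trying the parsers offline.
SAMPLE_HOME = '<html><head><meta name="generator" content="WordPress 0.0-example" /></head></html>'
SAMPLE_RPC = xmlrpc.client.dumps((["system.listMethods"],), methodresponse=True)
```

After saving the settings, the expected result from audit() is an xmlrpc value other than "enabled" and an empty generator_tags list; clear any page cache or CDN cache first, as the FAQ notes.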
How to disable PHP editing?
You can disable PHP editing to prevent accidental changes in plugins and themes from causing a complete system crash.
You can disable PHP editing with the following steps:
- Open the settings screen after installing and activating the plugin.
- Navigate to the Extras tab on the settings screen.
- Select the checkbox Disable PHP editing.
- Select the checkbox Disable theme change if you want to hide the Appearance menu as well.
- Save the settings.
Installation
This section describes how to install the plugin and get it working.
- Install the plugin directly through the WordPress plugin directory.
- Activate it.
- Configure the plugin functionality using the Settings panel.
Frequently Asked Questions
How do I prevent brute force attacks?
WordShield can help protect your WordPress website from brute force attacks. With its login security feature, you can restrict the number of repeated failed attempts. You can lock a user account for a predetermined number of minutes configured in the plugin settings.
My website has been locked. How do I reset?
In the exceptional scenario that you find your website locked, simply reset it. Resetting is simple. Add the slug ?reset to your login URL and hit enter!
Example: www.yourwebsite.com/wp-login?reset
How do I know that XML-RPC is disabled on my website?
After selecting the appropriate option on the Settings panel to disable XML-RPC on your website, head over to an XML-RPC validation service like xmlrpc.blog. Key in your website URL and test!
How do I know that Jetpack will work even if XML-RPC is disabled on my website?
Ensure that you have allowed access to XML-RPC by Jetpack in the settings. Then head over to https://jptools.wordpress.com/debug/ and check.
The changes made in the plugin settings do not seem to reflect. Why?
This may happen because of aggressive caching by your cache plugin or CDN provider. Please clear the cache and check again.
Can I use this plugin in a multisite environment?
The current version of the WordShield Security plugin does not support Multisite. However, this feature is in our future roadmap.
Whom to contact for any support?
Please log a support request on the plugin support page. We will respond as soon as possible.
I am looking for a new feature. How do I request a new feature for this plugin?
We would love to hear your ideas on enhancing this WordPress security plugin. Please log a request on the plugin support page. We will respond as soon as possible.
Contributors and developers
“WordPress Security Plugin – WordShield” is open source software. The following people have contributed to this plugin.
Changelog
23 Jan 2025 – Version 1.1.1
- Add custom error message, locked account message, and reset slug when you limit login attempts.
16 Jan 2025 – Version 1.1.0
- Limit login attempts by locking accounts after consecutive incorrect retries.
12 Jan 2025 – Version 1.0.2
- Whitelist IPs and enable access to XML-RPC API for specific apps, plugins, and websites.
10 Jan 2025 – Version 1.0.1
- Enable XML-RPC support for Jetpack
- Disable theme switch
08 Jan 2025 – Version 1.0.0
- Disable XML-RPC
- Hide WordPress and WooCommerce generator tags
- Disable PHP file editing.