Title: Atlant Security
Author: Atlant
Published: March 30, 2026
Last modified: May 1, 2026

---

# Atlant Security

By [Atlant](https://profiles.wordpress.org/xorred/)

[Download](https://downloads.wordpress.org/plugin/atlant-security.1.1.9.zip)

## Description

**Atlant Security** is a comprehensive WordPress security plugin that provides enterprise-grade protection through 17 integrated security modules organized in a 5-layer defense architecture.

#### 5-Layer Defense Architecture

 1. **Pre-WordPress WAF** – Firewall, rate limiter, and IP blocking run before WordPress
    processes the request.
 2. **Application-Aware** – Login security, custom login URL, two-factor authentication,
    session hardening, cron monitoring, and REST API policies.
 3. **Content & Config** – WordPress hardening, security headers, AI crawler management,
    and honeypot traps.
 4. **Outbound & Data** – SSRF prevention, malware scanning (files and database).
 5. **Response & Recovery** – Post-breach recovery, notifications, visitor log, and
    audit log.

#### Key Features

**Web Application Firewall (WAF)**
 Inspects every request against 28+ attack pattern
families including SQL injection, XSS, remote code execution, path traversal, PHP
object injection, and WordPress-specific attacks. Block or log-only mode. Triple
URL decoding prevents evasion.

**Brute Force Protection**
 Progressive lockout system (5 min > 30 min > 24 hours)
with configurable thresholds. Generic login error messages prevent username enumeration.
Author enumeration blocking.

**Malware Scanner**
 Local file and database scanner with 38 malware signatures.
Detects backdoors, webshells (WSO, c99, r57), crypto miners, credit card skimmers,
and obfuscated code. Quarantine system with web access blocking.

**Two-Factor Authentication (2FA)**
 TOTP (Google Authenticator, Authy) and email
OTP. Per-role enforcement, 10 recovery codes, 5-minute challenge timeout, replay
attack prevention.

**Honeypot Traps**
 Zero-false-positive bot detection: hidden link traps, fake login
pages, comment honeypots, and Contact Form 7 integration. 3-layer safe bot protection
ensures Googlebot, Bingbot, and allowed AI crawlers are never blocked.

**AI Crawler Management**
 Control 20+ known AI/LLM training crawlers (GPTBot, ClaudeBot,
Google-Extended, Bytespider, and more). Per-crawler toggles, robots.txt integration,
and 403 enforcement. Block training crawlers while allowing browsing bots.

**Security Headers**
Manage HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CSP, CORP, and COOP. Letter-grade scoring system. Remove X-Powered-By and Server headers.

**Session Security**
 Cookie hardening (HttpOnly, Secure, SameSite). Session binding
via IP + User-Agent fingerprint detects hijacking. Concurrent session limits. Idle
timeout. Optional admin bypass for all session restrictions.

**Rate Limiter**
 Sliding-window rate limiting across 11 endpoint categories: frontend,
login, search, feed, REST API, WooCommerce checkout, XML-RPC, and cron.

**REST API Policies**
 Per-route access control with authentication requirements,
HTTP method restrictions, rate limits, and IP whitelists. 5 built-in policies protect
user enumeration, search, and write endpoints.

**Cron Guard**
 Monitors wp-cron.php for flood attacks. Detects suspicious scheduled
tasks via baseline comparison. System cron migration helper.

**Outbound Monitor (SSRF Prevention)**
 Monitors all outgoing HTTP requests. Blocks
requests to private/internal IP ranges including cloud metadata endpoints. Domain
allowlist with wildcard support. Caller detection traces requests to specific plugins.

**Post-Breach Recovery**
 12 emergency actions: terminate sessions, force password
reset, rotate secret keys, emergency lockdown, reinstall core, reinstall plugins,
audit admin accounts, clear caches, malware scan, disable plugins, and downloadable
incident report.

**Real-Time Dashboard**
 Live visitor monitoring with 15-second auto-refresh. Stat
cards, traffic charts, top IPs with VirusTotal integration, browser distribution,
and IP detail modals.

**Visitor Log & Audit Log**
 Complete request history with filters (IP, URL, bots,
blocked, time range). Tamper-resistant admin action audit trail.

**Notifications**
 Email alerts (HTML formatted, color-coded severity), Slack webhooks,
custom JSON webhooks, and daily digest. Configurable severity threshold with 5-minute
deduplication.

**WordPress Hardening**
 One-click toggles: disable XML-RPC, hide WordPress version,
block REST API user enumeration, block author enumeration, disable file editor, 
block PHP execution in uploads.

#### What Makes Atlant Security Different

 * **Pre-WordPress WAF** – Blocks attacks via auto_prepend_file before WordPress
   even loads
 * **Outbound HTTP Monitor** – Detects SSRF attacks and unauthorized outbound connections
 * **Database Backdoor Scanner** – Scans wp_options and wp_posts for eval(), base64,
   and hidden backdoors
 * **Client-Side Bot Detection** – JavaScript challenges and browser fingerprinting
   catch sophisticated bots
 * **AI/LLM Crawler Blocking** – Identify and block AI training crawlers scraping
   your content
 * **Honeypot Traps** – Hidden links, fake login pages, invisible form fields that
   only bots trigger
 * **Cron Guard** – Monitors wp-cron for unauthorized scheduled tasks planted by
   malware
 * **Post-Breach Recovery** – Guided recovery toolkit with 12 emergency actions 
   in one place
 * **Session Fingerprint Binding** – Binds sessions to IP + User-Agent so stolen
   cookies are useless
 * **Real-Time Visitor Dashboard** – Live visitor feed updated every 15 seconds
 * **Smart Password Policy** – Minimum length, complexity, common-password blocking,
   and passphrase support
 * **Granular REST API Policies** – Per-endpoint control, not just a global on/off
   switch
 * **Safe Mode Override** – One constant in wp-config.php disables all blocking 
   features instantly
 * **Deactivation Data Control** – Choose to keep or wipe all security data when
   deactivating
 * **Zero phone-home** – No telemetry, no tracking, fully GDPR-compliant (external
   services used only when explicitly enabled by the admin – see External Services
   section)

#### Why Atlant Security?

 * **All-in-one** – Replaces 5-6 separate security plugins
 * **No external dependencies** – Core security features run locally on your server
 * **Zero phone-home** – No telemetry, no tracking (optional features like GeoIP
   use external services only when explicitly enabled – see External Services section)
 * **GDPR-friendly** – No external fonts, no CDN resources
 * **Setup wizard** – Configure core security in under 2 minutes
 * **Clean uninstall** – Removes all database tables and options when deleted (opt-in)
 * **Safe Mode** – Emergency override if you get locked out of your site

### External Services

This plugin connects to the following third-party services under specific conditions:

#### Cloudflare IP Ranges

When Cloudflare integration is enabled, the plugin periodically fetches the current
list of Cloudflare edge IP ranges from Cloudflare’s official endpoints. This is 
used to correctly identify visitor IP addresses behind the Cloudflare proxy and 
to whitelist Cloudflare edge servers.

 * Data sent: No user data is sent. The plugin fetches publicly available IP range
   lists.
 * When: Once per week via a scheduled cron job (aswp_refresh_cloudflare_ips), only
   when Cloudflare integration is enabled.
 * Endpoints: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
 * [Cloudflare Terms of Use](https://www.cloudflare.com/terms/)
 * [Cloudflare Privacy Policy](https://www.cloudflare.com/privacypolicy/)

#### MaxMind GeoLite2 GeoIP Database

When GeoIP country detection is enabled and a MaxMind license key is configured,
the plugin downloads the GeoLite2-Country database from MaxMind. This database is
stored locally and used to resolve visitor IP addresses to country codes for display
in the visitor log and dashboard.

 * Data sent: Your MaxMind license key is sent to authenticate the download request.
   No visitor data is sent to MaxMind.
 * When: On initial setup and once per week via a scheduled cron job (aswp_update_geoip_db),
   only when GeoIP is enabled and a license key is configured.
 * Endpoint: https://download.maxmind.com/app/geoip_download
 * [MaxMind End User License Agreement](https://www.maxmind.com/en/geolite2/eula)
 * [MaxMind Privacy Policy](https://www.maxmind.com/en/privacy-policy)

#### Google IP Ranges

When Google integration is enabled in the IP Whitelist, the plugin periodically 
fetches the current list of Google IP ranges from Google’s official endpoint. This
is used to automatically whitelist known Google infrastructure IPs (Googlebot, Google
Cloud, etc.) so legitimate Google traffic is never blocked.

 * Data sent: No user data is sent. The plugin fetches a publicly available JSON
   file containing Google IP ranges.
 * When: Once per week via a scheduled cron job (aswp_refresh_google_ips), only 
   when Google integration is enabled.
 * Endpoint: https://www.gstatic.com/ipranges/goog.json
 * [Google Terms of Service](https://policies.google.com/terms)
 * [Google Privacy Policy](https://policies.google.com/privacy)

#### Microsoft / Bing IP Ranges

When Microsoft integration is enabled in the IP Whitelist, the plugin periodically
fetches the current list of Bing bot IP ranges from Microsoft’s official endpoint.
This is used to automatically whitelist known Bing crawler IPs so legitimate Bing
traffic is never blocked.

 * Data sent: No user data is sent. The plugin fetches a publicly available JSON
   file containing Bing bot IP ranges.
 * When: Once per week via a scheduled cron job (aswp_refresh_microsoft_ips), only
   when Microsoft integration is enabled.
 * Endpoint: https://www.bing.com/toolbox/bingbot.json
 * [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement/)
 * [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement)

#### WordPress.org Core Checksums API

The Malware Scanner verifies the integrity of WordPress core files by comparing 
their MD5 hashes against the official checksums published by WordPress.org. Files
that match are skipped during pattern scanning (vendor-verified, safe by definition).
Files that mismatch are flagged as critical “core_modified” findings.

 * Data sent: WordPress version number and locale. No site data, no visitor data,
   no PII.
 * When: Once per WordPress version (cached for 24 hours), only when the Malware
   Scanner runs and the “Use core checksums” setting is enabled.
 * Endpoint: https://api.wordpress.org/core/checksums/1.0/
 * [WordPress.org Terms of Service](https://wordpress.org/about/domains/)
 * [WordPress.org Privacy Policy](https://wordpress.org/about/privacy/)

#### WordPress.org Secret Key API

The Post-Breach Recovery module can generate new WordPress secret keys and salts
using the official WordPress.org API. This is used when an administrator manually
triggers the “Rotate Secret Keys” emergency action after a security breach.

 * Data sent: No user data is sent. The plugin fetches randomly generated keys from
   the API.
 * When: Only when an administrator manually triggers the “Rotate Secret Keys” action
   in the Post-Breach Recovery module.
 * Endpoint: https://api.wordpress.org/secret-key/1.1/salt/
 * [WordPress.org Terms of Service](https://wordpress.org/about/domains/)
 * [WordPress.org Privacy Policy](https://wordpress.org/about/privacy/)

#### Slack Webhooks

When Slack notifications are enabled and a Slack webhook URL is configured, the 
plugin sends security alert messages to the specified Slack channel. This allows
administrators to receive real-time security notifications in Slack.

 * Data sent: Security alert messages containing the alert subject, description,
   severity level, site URL, and the IP address that triggered the alert. No visitor
   personal data or cookies are sent.
 * When: Only when a security event occurs (e.g., brute force attempt, WAF block,
   honeypot trip) and Slack notifications are enabled.
 * Endpoint: Administrator-configured Slack Incoming Webhook URL (e.g., https://hooks.slack.com/services/…)
 * [Slack Terms of Service](https://slack.com/terms-of-service)
 * [Slack Privacy Policy](https://slack.com/privacy-policy)

#### Custom Webhooks

When webhook notifications are enabled and a webhook URL is configured, the plugin
sends security alert payloads in JSON format to the specified endpoint. This allows
integration with any external monitoring or alerting system.

 * Data sent: JSON payload containing the alert subject, description, severity level,
   site URL, timestamp, and the IP address that triggered the alert. No visitor 
   personal data or cookies are sent.
 * When: Only when a security event occurs and webhook notifications are enabled.
 * Endpoint: Administrator-configured webhook URL.
 * Terms and privacy: Determined by the third-party service the administrator configures.

#### Google reCAPTCHA

When CAPTCHA bot protection is enabled and the provider is set to “Google reCAPTCHA
v2” or “Google reCAPTCHA v3”, visitor browsers load Google’s reCAPTCHA library and
the server verifies submitted tokens with Google. This is OPT-IN – disabled by default.

 * Data sent (browser → Google): visitor IP address and standard reCAPTCHA telemetry that Google uses to score human-vs-bot likelihood. Google’s reCAPTCHA library is loaded from www.google.com/recaptcha/api.js.
 * Data sent (server → Google): the verification token returned by the visitor’s browser, the configured secret key, and the visitor’s IP address (`remoteip` field), to https://www.google.com/recaptcha/api/siteverify.
 * When: only when the configured provider is reCAPTCHA AND the visitor reaches /wp-login.php, the WordPress registration form, or the lost-password form (per-form toggle).
 * Endpoints: https://www.google.com/recaptcha/api.js and https://www.google.com/recaptcha/api/siteverify
 * [Google reCAPTCHA Terms of Service](https://policies.google.com/terms)
 * [Google Privacy Policy](https://policies.google.com/privacy)

#### Cloudflare Turnstile

When CAPTCHA bot protection is enabled and the provider is set to “Cloudflare Turnstile”, visitor browsers load Cloudflare’s Turnstile library and the server verifies submitted tokens with Cloudflare. This is OPT-IN – disabled by default. Turnstile is the privacy-respecting alternative to reCAPTCHA – Cloudflare states it does NOT track users across sites.

 * Data sent (browser → Cloudflare): visitor IP address and standard Turnstile telemetry. The Turnstile library is loaded from challenges.cloudflare.com/turnstile/v0/api.js.
 * Data sent (server → Cloudflare): the verification token returned by the visitor’s browser, the configured secret key, and the visitor’s IP address (`remoteip` field), to https://challenges.cloudflare.com/turnstile/v0/siteverify.
 * When: only when the configured provider is Cloudflare Turnstile AND the visitor reaches /wp-login.php, the WordPress registration form, or the lost-password form (per-form toggle).
 * Endpoints: https://challenges.cloudflare.com/turnstile/v0/api.js and https://challenges.cloudflare.com/turnstile/v0/siteverify
 * [Cloudflare Terms of Service](https://www.cloudflare.com/terms/)
 * [Cloudflare Privacy Policy](https://www.cloudflare.com/privacypolicy/)

### Upgrade Notices

#### 1.1.9

Cosmetic-only release: removes em-dashes from all plugin text. No functional changes.

#### 1.1.8

Restores the policy: legitimate vendor bots (Google, Anthropic, OpenAI, Bing) are
NEVER blocked unless the site operator explicitly opts in. Two fixes – AI crawler
defaults flipped to “allow”, and the Honeypot reverse-DNS check now fails open so
transient DNS issues can’t ban real Googlebots. Recommended for everyone running
an SEO-sensitive site.

#### 1.1.7

Critical security release. Fixes 14 CRITICAL and 12 HIGH issues found during a full external audit, including a fatal-at-login bug, IP-block bypass via IPv6-mapped addresses, an SSRF DNS-rebinding race in the outbound monitor, and a wp-config-backup-leaks-old-keys flaw. Recommended upgrade for every install.

#### 1.1.6

Big scanner-accuracy improvement. Verified WordPress core files are now skipped (MD5-matched against the official api.wordpress.org checksums), tightened iframe/base64 signatures, fixed an over-broad path match, and added a “Mark as False Positive” button. Recommended upgrade for everyone running scans.

#### 1.1.5

Adds CAPTCHA support on login / registration / lost-password forms. Three providers:
reCAPTCHA v2, reCAPTCHA v3, and Cloudflare Turnstile. Configure in **Login Security
Bot Protection (CAPTCHA)**.

#### 1.1.4

Adds CSV export on the Malware Scanner (per Reddit community suggestion) – download
full untruncated File + Database Findings before committing to Quarantine. Compatibility
declared through WP 7.0.

#### 1.1.3

Security hardening release. Fixes custom-login-URL cookie bypass, 2FA enforcement, SSRF log-only default, session-limit token/verifier mix, and adds real wp-config.php rewriting for key rotation. Existing 2FA recovery codes generated before 1.1.3 may not verify – regenerate them from your user profile after upgrading.

#### 1.1.2

New About page consolidates defense architecture and competitive features. Setup
wizard no longer auto-redirects on activation. Dashboard is cleaner with focus on
operational data.

#### 1.0.7

Major UI overhaul: inner sidebar navigation replaces 23 WordPress submenu items 
with a clean, persistent sidebar panel. All page URLs remain the same – bookmarks
still work.

#### 1.0.4

Adds GeoIP country flags in visitor log, custom login URL, password policy enforcement,
and Force SSL Admin setting. Internal prefix migration runs automatically – no action
required.

#### 1.0.3

Adds honeypot traps, security headers management, two-factor authentication, and
notification channels. Fixes IP management and status code logging. Recommended 
update.

#### 1.0.0

Initial release. Run the Setup Wizard after activation to configure your site’s 
security.

## Screenshots

 * Security Dashboard – real-time visitor monitoring, stat cards, traffic charts, top IPs, and browser distribution.
 * Web Application Firewall (WAF) – overview with attack stats, mode toggle, and rule category summary.
 * WAF Rules – 28+ attack pattern families with per-rule enable/disable and log/block controls.
 * IP Block List – blocked IPs with reasons, durations, hit counts, and VirusTotal integration.

## Installation

 1. Upload the `atlant-security` folder to `/wp-content/plugins/`.
 2. Activate the plugin through the **Plugins** menu in WordPress.
 3. Navigate to **Atlant Security** in the admin sidebar to access the dashboard.
 4. Optionally run the **Setup Wizard** from the sidebar to configure core security
    settings quickly.

The Setup Wizard configures your WAF, login protection, hardening, visitor logging,
and notifications. You can run it at any time from the inner sidebar navigation.

#### Minimum Requirements

 * WordPress 6.0 or higher
 * PHP 8.0 or higher

#### Safe Mode

If you ever get locked out of your site, add this line to `wp-config.php`:

```
define( 'ASWP_SAFE_MODE', true );
```

This disables all blocking features (custom login URL, IP blocking, WAF, rate limiting)
while keeping the admin interface accessible so you can fix settings.

## FAQ

### I locked myself out with the Custom Login URL

Add `define( 'ASWP_SAFE_MODE', true );` to your `wp-config.php`. This disables all
blocking features while keeping the admin accessible. Alternatively, rename the 
plugin folder via FTP to `atlant-security-disabled`, log in normally, rename it 
back, then whitelist your IP.

### The WAF is blocking my page builder (Elementor, Divi)

Switch WAF to **Log Only** mode, reproduce the issue, then check the **Audit Log** for the triggered rule. Page builders may trigger false positives due to base64-encoded content in their save payloads.

### Users keep getting logged out unexpectedly

This is caused by Session Binding with IP binding enabled. Go to **Session Security**
and disable “Bind to IP” while keeping “Bind to User-Agent” enabled. Mobile and 
VPN users frequently change IPs. You can also enable “Exempt Administrators” to 
bypass all session restrictions for admin users.

### Will this slow down my site?

No. The WAF runs at `init` priority 0 with optimized pattern matching. Rate limiting
uses APCu when available for microsecond lookups. The visitor log is a single lightweight
INSERT per request.

### Email notifications are not arriving

WordPress default `wp_mail()` uses PHP mail() which many hosts block. Install an
SMTP plugin like **WP Mail SMTP** or **FluentSMTP** to route emails through a proper
mail provider.

### The malware scan is running slowly

Reduce “Files per Batch” to 20-30 on shared hosting. The scanner processes files
in AJAX batches to avoid timeouts. Files larger than 5 MB are automatically skipped.

### How does the honeypot protect legitimate crawlers?

Three layers of protection: (1) Trap URLs are added as Disallow rules in robots.txt, (2) hidden links use rel="nofollow", and (3) 35+ known-good bot user agents (Googlebot, Bingbot, etc.) are pattern-matched and receive a 404 instead of a ban. AI crawlers marked “allowed” in your settings are also protected.

### Does this plugin work with multisite?

The plugin is designed for single-site WordPress installations. Multisite support
is planned for a future release.

### What happens to my data when I deactivate the plugin?

Nothing is deleted on deactivation. When you delete the plugin, a dialog asks whether
to keep or remove all data. You can also control this in Settings > “Delete data
on uninstall”.

## Reviews

### [Very promising so far](https://wordpress.org/support/topic/very-promising-so-far-2/)

[paulshultz](https://profiles.wordpress.org/paulshultz/) April 25, 2026 1 reply

I am using plugins from the major players (have been for years) which are limited
in features for today’s attackers so this is a very promising plugin. Also refreshing
to see no promotions of products and services.

## Contributors & Developers

“Atlant Security” is open source software. The following people have contributed
to this plugin.

Contributors

 * [Atlant](https://profiles.wordpress.org/xorred/)

[Translate “Atlant Security” into your language.](https://translate.wordpress.org/projects/wp-plugins/atlant-security)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/atlant-security/), 
check out the [SVN repository](https://plugins.svn.wordpress.org/atlant-security/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/atlant-security/)
by [RSS](https://plugins.trac.wordpress.org/log/atlant-security/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.1.9 – Typography Cleanup

 * Stylistic: replaced 754 em-dashes (U+2014) with regular hyphens across all plugin
   descriptions, admin UI text, error messages, view templates, and translation 
   strings. Pure cosmetic change with zero functional impact – improves consistency
   for translators and copy-paste-friendliness in support contexts.

#### 1.1.8 – Default-Allow Policy for Vendor Bots

Two related fixes that codify a clear policy: **the plugin will not block legitimate
vendor bots (Google, Anthropic, OpenAI, Bing, etc.) unless the site operator explicitly
opts in.**

 * Fixed: AI Crawler default rules. Out-of-the-box, the plugin previously had `default_action:'block'` on GPTBot (OpenAI), ClaudeBot + anthropic-ai (Anthropic), Google-Extended (Google), and several others – meaning a fresh install silently blocked legitimate AI crawlers. ALL crawler default_actions are now ‘allow’. To block them, the site operator must:
    - Toggle “Block all AI crawlers” globally, or
    - Set per-crawler block rules on the AI Crawlers admin page, or
    - Click “Apply recommended” (which still opts in to blocking AI training crawlers,
      with clear documentation).
 * Fixed: Honeypot reverse-DNS verification (added in 1.1.7) was fail-CLOSED. A 
   transient DNS failure on the WordPress host could deny safe-bot status to a real
   Googlebot crawl and ban its IP – devastating for SEO. Now fail-OPEN: tri-state
   verdict (`verified` / `mismatch` / `unknown`) where only `mismatch` (definite
   spoof: rDNS exists and points elsewhere) denies safe-bot status. DNS errors and
   missing PTR records grant the bot the benefit of the doubt.
 * Improved: The `recommended_crawler_rules()` preset is now explicitly documented
   as the ONLY place in the plugin that blocks vendor AI crawlers, and only when
   the operator clicks “Apply recommended.”
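The fail-open, tri-state reverse-DNS verdict described above, written out as an added Python illustration rather than the plugin's own PHP; the vendor hostname suffix table and the DNS data are constructed assumptions, and the resolvers are injected so the logic runs offline.

```python
import socket
from typing import Callable, Dict, List, Optional

# Assumed vendor rDNS suffixes (constructed for this example; the plugin's own
# table is not shown on the page). Hostnames are compared case-insensitively.
BOT_RDNS_SUFFIXES: Dict[str, tuple] = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

# ip -> PTR hostname, None when no PTR exists; raises OSError on resolver error
PtrLookup = Callable[[str], Optional[str]]
# hostname -> addresses it forward-resolves to; raises OSError on resolver error
ForwardLookup = Callable[[str], List[str]]


def classify_bot(user_agent: str) -> Optional[str]:
    """Return the bot family whose token appears in the User-Agent, else None."""
    ua = user_agent.lower()
    for name in BOT_RDNS_SUFFIXES:
        if name.lower() in ua:
            return name
    return None


def rdns_verdict(ip: str, bot: str, ptr: PtrLookup, forward: ForwardLookup) -> str:
    """Tri-state round trip: PTR -> suffix match -> forward-resolve to the same IP.

    'mismatch' is returned only for a definite spoof: a PTR exists but lies
    outside the vendor's domain, or that hostname forward-resolves to addresses
    that do not include the client IP. Resolver errors and a missing PTR give
    'unknown' (fail-open), so a transient DNS failure never bans a real crawler.
    """
    try:
        host = ptr(ip)
    except OSError:
        return "unknown"
    if not host:
        return "unknown"                      # no PTR record: benefit of the doubt
    host = host.rstrip(".").lower()
    if not host.endswith(BOT_RDNS_SUFFIXES[bot]):
        return "mismatch"                     # rDNS exists and points elsewhere
    try:
        addrs = forward(host)
    except OSError:
        return "unknown"
    return "verified" if ip in addrs else "mismatch"


def safe_bot(ip: str, user_agent: str, ptr: PtrLookup, forward: ForwardLookup) -> bool:
    """True when the request must be exempt from honeypot bans.

    Non-bot UAs are never exempt; bot UAs are exempt unless the verdict is a
    definite 'mismatch'. A production version would cache verdicts per IP.
    """
    bot = classify_bot(user_agent)
    if bot is None:
        return False
    return rdns_verdict(ip, bot, ptr, forward) != "mismatch"


# Live resolvers backed by the OS stub resolver (network access required).
# socket cannot tell "no PTR" from a resolver error; both yield 'unknown' above.
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def system_forward(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS data so the logic can be exercised offline.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",   # genuine round trip
    "203.0.113.5": "bad-actor.example.net",              # PTR outside vendor domain
    "203.0.113.7": OSError("resolver timeout"),          # transient DNS error
    "203.0.113.8": "crawl-66-249-66-1.googlebot.com",    # forged PTR, fails forward
}
FAKE_FORWARD = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def fake_ptr(ip: str) -> Optional[str]:
    value = FAKE_PTR.get(ip)
    if isinstance(value, Exception):
        raise value
    return value


def fake_forward(host: str) -> List[str]:
    if host not in FAKE_FORWARD:
        raise OSError("NXDOMAIN")
    return FAKE_FORWARD[host]
```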

#### 1.1.7 – Critical Audit Hardening

This release ships fixes for 14 CRITICAL and 12 HIGH-severity issues found during a full external audit of the codebase. Several of these were genuine showstoppers – including a fatal-at-login bug, IP-block bypass over IPv6, and an SSRF in the outbound monitor. Recommended upgrade for everyone.

 * Fixed (CRITICAL): Concurrent-session enforcement could fatal at login on hosts
   where notices are promoted to errors (undefined `$tokens_to_remove` variable 
   in SessionSecurity).
 * Fixed (CRITICAL): Every IP block in the database was bypassable on dual-stack
   servers via `::ffff:1.2.3.4` IPv4-mapped-IPv6 addresses. All IP comparisons now
   go through a normalization helper that collapses mapped addresses and canonicalises
   IPv6 representations.
 * Fixed (CRITICAL): Outbound SSRF protection had a DNS-rebinding TOCTOU race – 
   DNS resolved at check-time, cURL connected at use-time, allowing attacker-controlled
   records to flip between public and `169.254.169.254`. cURL is now pinned to the
   vetted IP via `CURLOPT_RESOLVE`.
 * Fixed (CRITICAL): Trusted-proxy list silently failed for CIDR entries (admins routinely list `10.0.0.0/8`). CIDR support is now wired through the existing `Whitelist::ip_in_cidr()`.
 * Fixed (CRITICAL): Cloudflare integration auto-whitelisted ALL Cloudflare IP space – including 104.16.0.0/13 used by Cloudflare Pages. Removed; the integration now only validates the `CF-Connecting-IP` header source. Google/Microsoft auto-whitelists are now scoped: IP match AND verifiable bot UA.
 * Fixed (CRITICAL): Quarantine destination was inside `wp-content/uploads/` (web-
   accessible). Quarantined files were MORE accessible to attackers post-quarantine
   than pre-. Moved to `wp-content/aswp-quarantine/` outside `/uploads/` with stripped
   extensions, multi-server-config Deny rules.
 * Fixed (CRITICAL): `wp-config.php` backup written by Rotate Secret Keys was directly HTTP-accessible on Apache hosts and contained the OLD plaintext keys. Backups now go to `dirname(ABSPATH)/aswp-config-backups/` (outside web root) with a `.txt` extension.
 * Fixed (CRITICAL): Rotate Secret Keys regex couldn’t replace key values containing
   single quotes – when it failed, a duplicate `define()` was injected, fatally 
   breaking the site on next request. Replaced with a NAME-anchored line replacement
   plus atomic temp-file-then-rename write.
 * Fixed (CRITICAL): Notifications webhook/Slack URLs only got `wp_http_validate_url()` (loopback-only). Added a resolver-based check that rejects ALL private, link-local, CGNAT, and cloud-metadata destinations.
 * Fixed (CRITICAL): WAF JavaScript-URI rule had catastrophic-backtracking ReDoS
   via overlapping `\s*` runs. Pattern collapsed; long crafted cookies/URLs no longer
   hold PHP hostage.
 * Fixed (CRITICAL): WAF disabled-rule list now defensively filtered against the
   rule whitelist on read – a poisoned option (e.g. via SQLi in another plugin) 
   cannot disable arbitrary rules.
 * Fixed (CRITICAL): Custom Login URL recovery token was stored in plaintext in `wp_options`. Now stored as SHA-256 hash; plaintext is shown to the admin exactly once at enable time. Old plaintext tokens are auto-migrated to hash on first verification.
 * Fixed (CRITICAL): PostBreach `restore_plugins` was `public` (callable from anywhere)
   and trusted whatever was in `aswp_disabled_plugins_backup` without validation.
   Now `private`, validates every entry against the live `get_plugins()` list and
   on-disk file existence, with traversal protection.
 * Fixed (CRITICAL): On uninstall, the plugin left `wp-config.php.aswp-backup-*`
   files on disk in the web root with old plaintext keys. Now all known backup paths
   and quarantine directories are scrubbed.
 * Fixed (HIGH): 2FA enrollment-required users were given a fully authenticated 
   WordPress session and were only confined via an admin-init redirect – bypassable
   via direct REST/XML-RPC calls. Session is now destroyed; enrollment-required 
   users go through the same challenge flow as enrolled users.
 * Fixed (HIGH): 2FA challenge nonce used `wp_create_nonce` which binds to the current
   user id – but at challenge time the user is logged out, so all nonces verified
   for ANY pending challenge (cross-user nonce reuse). Replaced with per-token HMAC
   bound to `wp_salt('auth')`.
 * Fixed (HIGH): Disabling 2FA required only the shared `aswp_nonce` and no re-authentication.
   Now requires (a) a dedicated nonce action and (b) a valid current TOTP / Email
   OTP / recovery code.
 * Fixed (HIGH): IPManager `block_ip()` was a racy SELECT-then-INSERT under concurrent
   auto-blocking. Replaced with a single atomic `INSERT ... ON DUPLICATE KEY UPDATE`.
 * Fixed (HIGH): IPManager `is_blocked()` and RequestLogger `check_blocked()` disagreed
   on rows where `permanent=0 AND blocked_until IS NULL` (legacy / race-state data).
   Aligned to treat NULL `blocked_until` as permanent.
 * Fixed (HIGH): Honeypot Googlebot/Bingbot UA spoofing – any attacker could set `User-Agent: Googlebot/2.1` and become exempt from honeypot bans. Major-search-engine bot UAs now require reverse-DNS verification (round-trip: PTR → suffix match → forward-resolve back to same IP), cached 24h.
 * Fixed (HIGH): Notifications cross-request dedup did not work (static array is
   per-request). Added 5-minute transient dedup so a real attack can no longer flood
   every channel from every PHP-FPM worker.
 * Fixed (HIGH): Concurrent scan invocations (cron + AJAX poll within the same second)
   could overwrite each other’s progress. Added 90-second transient mutex.
 * Fixed (HIGH): Symlinks in scan paths could escape `ABSPATH` – `realpath()` containment
   now enforced before any `file_get_contents()`.
 * Fixed (HIGH): Outbound SSRF metadata-IP list expanded to cover Alibaba Cloud (`100.100.100.200`) and AWS IPv6 metadata.
 * Fixed (HIGH): `Whitelist::in_whitelist_table()` used `SHOW TABLES LIKE` where `_` is a wildcard – could false-positive on similarly named tables. Switched to `information_schema.TABLES` exact match.
 * Fixed (HIGH): WAF `multi_decode()` now also resolves JS-style `\uXXXX` and `\xNN` escapes – closing an XSS-rule bypass that was specifically called out by the existing `xss_encoded` rule.
 * Fixed (HIGH): WAF “skip on AJAX for logged-in users” toggle scoped to `manage_options`/`edit_pages` capability – a subscriber-level account (trivial to obtain on WooCommerce) no longer bypasses the entire WAF on AJAX.
 * Fixed (HIGH): WAF tarpit cap reduced from 10s to 3s – coordinated burst attacks
   could previously saturate the entire `max_children` worker pool.
 * Fixed (HIGH): WAF, login-security view, and Scanner now use raw `wp_unslash()`
   for matching paths/UAs (sanitize_text_field strips characters used by LFI/XSS
   payloads). Sanitisation only happens at write-to-database time.
 * Fixed (MEDIUM): Custom Login URL slug pool no longer includes `login` and `admin`
   (slugs were structurally guessable). Added `haven` and `vault` as replacements.
 * Fixed (MEDIUM): PostBreach `terminate_sessions` and `rotate_secret_keys` now
   return `reload_required: true` + a `redirect` to the login page – the admin sees
   an immediate, clean redirect instead of a silent failure (stuck 403) on subsequent
   AJAX calls.
 * Fixed (MEDIUM): Daily security digest was silently dropped for users with the
   default `medium` severity threshold. Digest now bypasses the threshold filter.
 * Improved: Audit-log row written on every false-positive mark/unmark and 2FA disable.

#### 1.1.6 – Scanner Accuracy

 * Fixed: Malware Scanner false-positive flood on fresh WordPress installs (community
   feedback). Three independent fixes:
    - **WordPress core checksum verification** – files matching the official MD5
      checksums from api.wordpress.org are now skipped entirely. Modified core files
      are flagged as critical (`core_modified` rule), but vendor-provided WordPress
      core code no longer mis-fires the iframe / base64 / php signatures.
    - **Path-based allowlist** for known-safe core files: `class-wp-embed.php`,
      `embed-template.php`, oEmbed providers, the customize code-editor control, and
      `class-pclzip.php` (which legitimately uses base64 fixtures).
    - **Tightened signatures**: hidden-iframe detection now requires an external
      (non-this-site) host OR JS-injected DOM construction – eliminates false matches
      on Stripe Elements, reCAPTCHA, payment widgets, and oEmbed code. Long-base64
      detection now requires the base64 string to be wrapped in a code-execution
      wrapper – so plugin license keys, inline SVG, and minified JS no longer mis-fire.
 * Fixed: `mal_php_upload` signature was incorrectly applied to plugins/themes whose
   path contained the substring “uploads” anywhere (e.g.
   `/wp-content/plugins/foo/uploads/template.php`). Now uses the actual
   `wp_upload_dir()` basedir for path comparison.
 * Added: **Mark as False Positive** button on every file finding. Records (file,
   signature_id, current SHA-256) and skips that combination on future scans. Marks
   are automatically invalidated if the file’s hash drifts (so a malicious replacement
   of an “ignored” file is still caught).
 * Added: **Undo** button on ignored findings to re-enable a signature on a file.
 * Added: All false-positive marks are written to the audit log (action:
   `scan_fp_mark`/`scan_fp_unmark`).
 * Added: External Services disclosure for the WordPress.org core-checksums API.

#### 1.1.5

 * Added: CAPTCHA bot protection on the login, registration, and lost-password forms –
   three providers supported: Google reCAPTCHA v2 (checkbox), Google reCAPTCHA v3
   (invisible, score-based), and Cloudflare Turnstile (privacy-friendly, no Google
   dependency)
 * Added: Per-form toggles so you can enable CAPTCHA on login only, or all three
   forms
 * Added: Light / Dark / Auto theme picker for the CAPTCHA widget
 * Added: reCAPTCHA v3 score threshold (0.0–1.0, default 0.5) – submissions below
   the threshold are rejected and logged as `captcha_low_score` events
 * Improved: Whitelisted IPs always bypass CAPTCHA – anti-lockout safety net
 * Improved: CAPTCHA verification runs at `authenticate` priority 20, BEFORE the
   brute-force lockout counter – so failing CAPTCHAs no longer trigger lockouts
   of legitimate users
 * Improved: Failed CAPTCHA attempts logged as `captcha_failed` events with context
   (login / register / lostpassword)

#### 1.1.4

 * Added: CSV export on the Malware Scanner page – one-click downloads of full, 
   untruncated File Findings and Database Findings (Reddit community suggestion).
   Paths, matched snippets, and details are no longer truncated – perfect for researching
   a hit in Excel/Numbers or sending to a security consultant before committing 
   to Quarantine.
 * Added: `Tested up to` bumped to WordPress 7.0
 * Added: Scanner CSV exports are written to the audit log, so fleet admins can 
   see when and by whom the full-detail extracts were downloaded
 * Added: `aswp_brand_name`, `aswp_brand_logo_url`, `aswp_brand_support_url` filters
   so the Enterprise add-on can white-label the UI for agencies reselling the service
 * Improved: CSV downloads include a UTF-8 BOM so Excel on Windows opens non-ASCII
   paths correctly

#### 1.1.3 – Security Hardening

 * Security: Custom Login URL grace cookie is now HMAC-signed (bound to user ID 
   + wp_salt); the old “aswp_admin_grace=active” value can no longer bypass the 
   hidden login URL
 * Security: Two-Factor Authentication is now actually enforced for roles listed
   in “Required Roles” – users who have not enrolled are confined to profile.php
   on login until they set up TOTP or Email OTP
 * Security: Outbound request log strips query strings and redacts Slack/Discord/
   Telegram webhook paths before storage – MaxMind license keys, API tokens, signed-
   URL signatures, and webhook secrets are no longer written to the database
 * Security: SSRF protection always blocks outbound requests to private/internal
   IP ranges, regardless of the monitor’s log/enforce mode
 * Security: SSRF DNS resolution now checks both IPv4 (A) and IPv6 (AAAA) records –
   previously only A records were inspected, letting a hostname with a public A
   record but a private AAAA record bypass the check on IPv6-preferring hosts
 * Security: Concurrent session limiting now keys fingerprint/activity maps by the
   same verifier hash WordPress uses internally – previously the limiter could never
   actually destroy old sessions because it mixed raw tokens with verifier hashes
 * Security: Loopback addresses (127.0.0.1, ::1) are no longer auto-whitelisted 
   when the site is configured behind a reverse proxy or Cloudflare – on proxied
   hosts every visitor would otherwise appear as trusted
 * Security: REST API write-block default policy now allows authenticated users 
   with the edit_posts capability (editors, authors) so Gutenberg and the block 
   editor keep working; only unauthenticated writes are refused
 * Security: Post-Breach “Rotate Secret Keys” now rewrites wp-config.php directly
   (with a timestamped backup) instead of storing the new keys in wp_options where
   WordPress never reads them; falls back to a copy-paste snippet if the file is
   not writable
 * Security: 2FA recovery codes are now generated and stored lowercased so user-
   entered codes verify correctly – previously the mixed-case display and lowercased
   verification hashed different strings, causing valid codes to fail
 * Added: Trusted proxy IP setting in Settings › Reverse-Proxy / Load-Balancer –
   required for correct visitor IP detection behind Nginx, HAProxy, AWS ALB, and
   other reverse proxies
 * Added: `weekly` cron schedule registration – required by the weekly Cloudflare/
   Google / Microsoft / GeoIP refresh jobs which WordPress core does not ship as
   a default interval
 * Improved: Cloudflare / Google / Microsoft IP-range refresh cron callbacks now
   skip the outbound fetch when the matching integration toggle is disabled
 * Improved: Multi-line settings (currently: trusted proxy IPs) preserve newlines
   on save instead of being collapsed by sanitize_text_field()
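The two DNS-side checks described in this changelog (the honeypot crawler fix listed earlier, which verifies a claimed Googlebot/Bingbot by a PTR lookup, suffix match and forward-resolve round trip, and this release's SSRF check of both A and AAAA records) as an added PHP example; this is not the plugin's own code. `resolve_all`, `same_ip`, `is_verified_crawler`, `is_internal_ip` and `outbound_allowed` are constructed here, the `$allowed_suffixes` parameter is hypothetical, and `METADATA_IPS` is a constructed list that only includes the Alibaba address named on the page plus the well-known AWS IPv4/IPv6 metadata endpoints.

```php
<?php
// Added example, not the plugin's code: the reverse-DNS round trip that verifies a
// claimed search-engine crawler, and an A+AAAA private-range check for outbound URLs.

/** Every A and AAAA address a hostname currently resolves to. */
function resolve_all(string $host): array {
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        if (isset($rec['ip']))   { $ips[] = $rec['ip']; }
        if (isset($rec['ipv6'])) { $ips[] = $rec['ipv6']; }
    }
    return $ips;
}

/** Binary comparison, so "fd00:ec2::254" and "fd00:0ec2::254" are the same address. */
function same_ip(string $a, string $b): bool {
    $pa = inet_pton($a);
    return $pa !== false && $pa === inet_pton($b);
}

// Round trip: PTR of the client IP -> name ends in an allowed suffix -> name forward-
// resolves back to the same IP. $allowed_suffixes is a hypothetical parameter.
function is_verified_crawler(string $ip, array $allowed_suffixes): bool {
    $ptr = gethostbyaddr($ip);
    if ($ptr === false || $ptr === $ip) { return false; }   // no PTR record at all
    $ptr = rtrim(strtolower($ptr), '.');
    $suffix_ok = false;
    foreach ($allowed_suffixes as $s) {
        if (str_ends_with($ptr, '.' . strtolower($s))) { $suffix_ok = true; break; }
    }
    if (!$suffix_ok) { return false; }                       // spoofed UA alone earns nothing
    foreach (resolve_all($ptr) as $fwd) {                    // attacker-owned PTR zones fail here
        if (same_ip($fwd, $ip)) { return true; }
    }
    return false;
}

/** Constructed metadata-endpoint list; the plugin's own list is not on the page. */
const METADATA_IPS = ['169.254.169.254', '100.100.100.200', 'fd00:ec2::254'];

/** Loopback, link-local, private, reserved, or a cloud metadata endpoint. */
function is_internal_ip(string $ip): bool {
    foreach (METADATA_IPS as $m) { if (same_ip($ip, $m)) { return true; } }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/** Refuse the URL if ANY A or AAAA record is internal (public A + private AAAA still fails). */
function outbound_allowed(string $url): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') { return false; }
    $host = trim($host, '[]');                                   // bracketed IPv6 literal
    $targets = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : resolve_all($host);
    if ($targets === []) { return false; }                       // unresolvable: fail closed
    foreach ($targets as $ip) { if (is_internal_ip($ip)) { return false; } }
    return true;
}
```

Note that `filter_var` alone does not treat `100.100.100.200` (in the 100.64.0.0/10 shared range) as private, which is why the metadata list is checked explicitly before the range flags.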

#### 1.1.2

 * Added: About page with 5-Layer Defense Architecture, competitive features list,
   attack vector coverage, and plugin information
 * Improved: Dashboard decluttered – informational panels moved to About page for
   a cleaner operational view
 * Improved: About page lists 15 unique competitive features with descriptions
 * Fixed: Setup wizard no longer auto-redirects on plugin activation or reactivation
 * Fixed: Setup wizard accessible from sidebar navigation at any time

#### 1.1.1

 * Improved: Visitor log table uses percentage-based column widths for fluid layout
   across screen sizes
 * Improved: Filter bar and results info bar spacing tightened
 * Fixed: Setup wizard admin notice removed – no longer floats above page layout

#### 1.1.0

 * Improved: Stat cards compacted – smaller icons, tighter padding, reduced font
   sizes
 * Improved: Page header, grid column, and IP list padding reduced for denser layout
 * Fixed: Session timeout now correctly respects “Exempt Administrators” setting
   for idle timeout and session fingerprint binding (was only checked for concurrent
   session limits)
 * Fixed: Session security settings description updated to reflect full admin bypass
   scope

#### 1.0.9

 * Improved: Inner sidebar width reduced from 240px to 200px with tighter item padding
 * Improved: Table headers shortened (IP Address > IP, Country > flag only, etc.)
 * Improved: Top IPs widget uses compact 24x24px icon buttons instead of full-width
   buttons
 * Improved: Dashboard grid right column uses responsive minmax sizing
 * Improved: Page content padding and table cell padding reduced globally

#### 1.0.8

 * Fixed: Visitor log column widths – JS table-resize no longer overrides CSS-defined
   column classes
 * Fixed: Added CSS column width classes to all table headers (visitor log + dashboard
   live visitors)
 * Fixed: Dashboard live visitors table shows flag only (removed redundant country
   code text)

#### 1.0.7

 * Added: Inner sidebar navigation (Nexus SEO style) – all plugin pages accessible
   from a persistent left panel
 * Added: WordPress sidebar shows single “Atlant Security” entry instead of 23 submenu
   items
 * Added: Sidebar brand header with logo, active page highlighting, version footer
 * Added: Responsive sidebar – collapses to horizontal nav on screens below 1024px
 * Fixed: Plugin footer now renders inside page layout instead of WP’s admin footer
   area
 * Fixed: “Sorry, you are not allowed to access this page” error caused by removing
   WordPress $submenu entries – now uses CSS-based hiding to preserve permission
   checks

#### 1.0.6

 * Improved: All plugin admin pages now send no-cache headers to prevent stale data
   from caching plugins
 * Fixed: Top Pages widget CSS class mismatch causing broken styling
 * Fixed: Top IPs widget now excludes whitelisted IPs from the list

#### 1.0.5

 * Fixed: decodeEntities function scoping bug in admin.js causing HTML entity rendering
   issues

#### 1.0.4

 * Added: GeoIP country resolution – MaxMind GeoLite2-Country integration with pure-
   PHP MMDB reader, auto-download, weekly auto-update, and dedicated admin page 
   with test lookup
 * Added: Custom Login URL module – move wp-login.php to a custom slug with automatic
   redirect of the default login page
 * Added: Password Policy module – configurable minimum length, character requirements,
   common password blocking, and passphrase generator
 * Added: Force SSL Admin as a plugin-managed setting (defines FORCE_SSL_ADMIN constant
   at runtime)
 * Added: Auto-Update Plugins and Auto-Update Themes toggles in Settings and Hardening
   checklist
 * Improved: Admin sidebar pages reordered alphabetically for easier navigation
 * Improved: Post-Breach Command Center layout – lockdown status widget moved into
   Critical Actions grid
 * Improved: Hardening checklist – Force SSL Admin now toggleable from the checklist
   (was “Manual fix required”)
 * Fixed: Post-Breach page SQL queries referenced nonexistent table name (aswp_ip_blocks
   > aswp_blocked_ips)
 * Fixed: Post-Breach blocked IP count query used wrong column names (expires_at
   > permanent/blocked_until)
 * Fixed: Database migration duplicate-key error that broke all AJAX endpoints
   (visitor log, dashboard widgets)
 * Fixed: Settings loss on plugin reactivation – WAF mode, auto-blocks, and setup
   wizard no longer reset
 * Fixed: Timezone mismatch between stat cards and live visitors (gmdate/NOW vs 
   current_time)
 * Fixed: Text domain loaded too early warning on WordPress 6.7+ (moved to init 
   hook)
 * Fixed: Plugin deletion wiped all data – uninstall now requires explicit opt-in
   via deactivation dialog or Settings toggle
 * Fixed: ALTER TABLE ADD INDEX SQL errors corrupting AJAX JSON responses when WP_DEBUG_DISPLAY
   is on
 * Fixed: Consistent timezone handling across all 12 modules
 * Fixed: Correlated subquery in update_blocked_counts cron job – replaced with 
   single JOIN
 * Fixed: Daily digest cron hook not cleared on plugin deactivation
 * Fixed: GeoIP database directory cleanup in uninstall.php
 * Internal: Complete codebase prefix migration from fwwp_ to aswp_ with automatic
   database migration on upgrade

#### 1.0.3

 * Added: Honeypot module with hidden link trap, fake login page, comment honeypot,
   CF7 integration
 * Added: 3-layer safe bot protection for honeypots (robots.txt, nofollow, UA detection)
 * Added: Security Headers admin page with letter-grade scoring
 * Added: Two-Factor Authentication admin page with TOTP and Email OTP
 * Added: Notifications admin page (Email, Slack, Webhook, Daily Digest)
 * Fixed: Top IPs widget now shows VirusTotal link, Block button, and Details button
 * Fixed: IP Detail Modal – added max-height, scroll, wider layout
 * Fixed: Blocked IPs now correctly log 403 status code instead of 200
 * Fixed: TwoFA role handling for comma-separated role strings

#### 1.0.2

 * Added: 5 new security modules – AI Crawlers, REST API Policies, Session Security,
   Outbound Monitor, Cron Guard
 * Added: 5 new admin pages with full settings UI for each module
 * Improved: Dashboard with live visitors auto-refresh, traffic chart, top IPs/pages
   widgets

#### 1.0.1

 * Added: Setup Wizard with 7-step guided configuration
 * Added: IP Detail Modal on Dashboard
 * Improved: Dashboard stat cards, browser distribution chart
 * Fixed: Setup wizard pagination and button responsiveness

#### 1.0.0

 * Initial release with 17 security modules
 * Web Application Firewall with 28+ attack pattern rules
 * Brute force protection with progressive lockout
 * Malware scanner (file and database)
 * Post-breach recovery toolkit (12 actions)
 * IP blocking and whitelisting
 * Visitor log with filtering and pagination
 * Admin audit log
 * WordPress hardening (6 toggles)
 * Rate limiter (11 endpoint categories)
 * Real-time security dashboard

## Meta

 * Version **1.1.9**
 * Last updated **5 days ago**
 * Active installations **20+**
 * WordPress version **6.0 or higher**
 * Tested up to **7.0**
 * PHP version **8.0 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/atlant-security/)
 * Tags: [Brute Force](https://zh-sg.wordpress.org/plugins/tags/brute-force/), [firewall](https://zh-sg.wordpress.org/plugins/tags/firewall/), [malware scanner](https://zh-sg.wordpress.org/plugins/tags/malware-scanner/), [security](https://zh-sg.wordpress.org/plugins/tags/security/), [two factor authentication](https://zh-sg.wordpress.org/plugins/tags/two-factor-authentication/)
 * [Advanced View](https://zh-sg.wordpress.org/plugins/atlant-security/advanced/)

## Ratings

5 out of 5 stars.

 * [1 5-star review](https://wordpress.org/support/plugin/atlant-security/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/atlant-security/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/atlant-security/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/atlant-security/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/atlant-security/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/atlant-security/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/atlant-security/reviews/)

## Contributors

 * [Atlant](https://profiles.wordpress.org/xorred/)

## Support

Got something to say? Need help?

[View support forum](https://wordpress.org/support/plugin/atlant-security/)

## Donate

Would you like to support the advancement of this plugin?

[Donate to this plugin](https://atlantsecurity.com)