Atlant Security is a comprehensive WordPress security plugin that provides enterprise-grade protection through 17 integrated security modules organized in a 5-layer defense architecture.
5-Layer Defense Architecture
- Pre-WordPress WAF - Firewall, rate limiter, and IP blocking run before WordPress processes the request.
- Application-Aware - Login security, custom login URL, two-factor authentication, session hardening, cron monitoring, and REST API policies.
- Content & Config - WordPress hardening, security headers, AI crawler management, and honeypot traps.
- Outbound & Data - SSRF prevention, malware scanning (files and database).
- Response & Recovery - Post-breach recovery, notifications, visitor log, and audit log.
Key Features
Web Application Firewall (WAF)
Inspects every request against 28+ attack pattern families including SQL injection, XSS, remote code execution, path traversal, PHP object injection, and WordPress-specific attacks. Block or log-only mode. Triple URL decoding prevents evasion.
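The "triple URL decoding" step matters because a payload encoded twice (`%252e` decodes to `%2e`, which decodes to `.`) passes a single-decode inspector untouched. The following Python is an added illustration of that normalisation step, not the plugin's PHP: the pattern table is a constructed stand-in for the plugin's 28+ families, and the decode bound of three rounds mirrors the README.

```python
import re
from urllib.parse import unquote

# Bounded decode depth: the README's "triple URL decoding"
MAX_DECODE_ROUNDS = 3

# Constructed sample patterns standing in for the plugin's rule families (not its real rule set)
PATTERNS = {
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
    "xss": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli": re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
}


def normalize(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode up to `rounds` times, stopping early once the text is stable.

    The loop is bounded on purpose: an unbounded "decode until stable" loop is a
    CPU sink on hostile input, and a fixed depth is easy to reason about.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(value: str, rounds: int = MAX_DECODE_ROUNDS) -> list:
    """Return the names of the pattern families that match the normalised input."""
    normalized = normalize(value, rounds)
    return [name for name, rx in PATTERNS.items() if rx.search(normalized)]
```

Running `inspect` on the same double-encoded traversal string with `rounds=1` and with the default returns an empty list and `["path_traversal"]` respectively, which is the whole argument for decoding more than once before matching. In log-only mode the match list is what you would write to the visitor log instead of returning a 403.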
Brute Force Protection
Progressive lockout system (5 min > 30 min > 24 hours) with configurable thresholds. Generic login error messages prevent username enumeration. Author enumeration blocking.
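An added example of the progressive lockout ladder described above, written in Python rather than the plugin's PHP and not taken from the plugin: the threshold of 5 attempts and the 5 min > 30 min > 24 h tiers are the README's defaults, the per-IP keying and the injectable clock are assumptions made so the ladder can be exercised without waiting.

```python
import time
from collections import defaultdict

# Constructed defaults mirroring the README's ladder; both are configurable in the plugin
DEFAULT_THRESHOLD = 5
DEFAULT_TIERS = (5 * 60, 30 * 60, 24 * 60 * 60)  # seconds: 5 min > 30 min > 24 h
GENERIC_ERROR = "Invalid username or password."


class LoginGuard:
    """Per-IP progressive lockout that always answers with one generic message."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, tiers=DEFAULT_TIERS, clock=time.time):
        self.threshold = threshold
        self.tiers = tiers
        self.clock = clock                # injectable so tests need not sleep
        self.failures = defaultdict(int)  # ip -> failures since the last lockout or success
        self.lockouts = {}                # ip -> (tier index, locked_until)

    def lockout_remaining(self, ip: str) -> int:
        """Seconds left on the active lockout for `ip`, 0 if there is none."""
        state = self.lockouts.get(ip)
        if state is None:
            return 0
        _tier, until = state
        return max(0, int(until - self.clock()))

    def attempt(self, ip: str, username: str, password: str, verify) -> tuple:
        """Process one credential submission; `verify(username, password)` is the real check.

        Returns (success, message). The message is identical for a wrong password,
        an unknown username and a locked-out IP, so the response leaks nothing
        about which of the three happened.
        """
        if self.lockout_remaining(ip) > 0:
            return False, GENERIC_ERROR   # credentials are not even checked while locked
        if verify(username, password):
            self.failures.pop(ip, None)
            self.lockouts.pop(ip, None)   # a successful login clears the ladder
            return True, "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            previous = self.lockouts.get(ip, (-1, 0))[0]
            tier = min(previous + 1, len(self.tiers) - 1)  # escalate, capped at the top tier
            self.lockouts[ip] = (tier, self.clock() + self.tiers[tier])
            self.failures[ip] = 0
        return False, GENERIC_ERROR
```

Two details carry the security value: the credential check is skipped entirely while an IP is locked (so a correct password submitted during a lockout is still refused, which is what defeats a slow guesser that happens to land on the right one), and the tier only resets on a successful login. A production version would also decay the tier after a long quiet period and key on more than the IP when the site sits behind a shared NAT.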
Malware Scanner
Local file and database scanner with 38 malware signatures. Detects backdoors, webshells (WSO, c99, r57), crypto miners, credit card skimmers, and obfuscated code. Quarantine system with web access blocking.
Two-Factor Authentication (2FA)
TOTP (Google Authenticator, Authy) and email OTP. Per-role enforcement, 10 recovery codes, 5-minute challenge timeout, replay attack prevention.
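An added, self-contained Python example of the TOTP half of this feature (RFC 6238 over HMAC-SHA1, 30-second steps, 6 digits) including the replay protection mentioned above; it is not the plugin's code. The verifier remembers the highest time-step it has accepted and refuses any code at or below it, which is what makes a code useless to anyone who captures it after the legitimate user has typed it. The drift window of one step either side and the constant names are assumptions; the test secret is the one from the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30        # seconds per time-step (RFC 6238 default)
DIGITS = 6
DRIFT_STEPS = 1  # accept one step either side for clock skew between phone and server

# RFC 6238 test-vector secret (the ASCII string "12345678901234567890"), base32-encoded
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def generate_secret() -> str:
    """Fresh 160-bit secret, base32 so it fits an authenticator app's otpauth URI."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP for the time-step containing Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = at // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Verifies codes and refuses any time-step at or below the last accepted one."""

    def __init__(self, secret_b32: str, clock=time.time, drift: int = DRIFT_STEPS):
        self.secret = secret_b32
        self.clock = clock
        self.drift = drift
        self.last_counter = -1  # persist this per user; it is the replay guard

    def verify(self, code: str) -> bool:
        base = int(self.clock()) // STEP
        for delta in range(-self.drift, self.drift + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # replay: this step (or an older one) was already consumed
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False
```

The comparison is constant-time and the drift window is small; widening it beyond a step or two trades the replay guard for convenience. The per-user `last_counter` must be stored server-side (a user-meta row in WordPress terms) or the guard resets on every request.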
Honeypot Traps
Zero-false-positive bot detection: hidden link traps, fake login pages, comment honeypots, and Contact Form 7 integration. 3-layer safe bot protection ensures Googlebot, Bingbot, and allowed AI crawlers are never blocked.
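The page does not spell out the three layers, so the following is an added example of one standard way to verify a "safe" crawler before exempting it from the traps, not the plugin's implementation: user-agent claim, reverse DNS into the vendor's domain, then forward confirmation of that name (FCrDNS). It also shows the fail-open behaviour the 1.1.8 changelog entry describes for resolver errors. The vendor domain table and the injectable `resolver` are assumptions for the example.

```python
import socket

# Constructed table: user-agent token -> domains a genuine crawler's reverse DNS must end in.
# The vendor domains are an assumption for this example, not the plugin's list.
SAFE_BOTS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


def default_resolver(ip: str):
    """Reverse lookup, then forward lookup of that name; raises OSError on DNS failure."""
    host = socket.gethostbyaddr(ip)[0]
    forward_ips = {info[4][0] for info in socket.getaddrinfo(host, None)}
    return host, forward_ips


def is_verified_safe_bot(ip: str, user_agent: str, resolver=default_resolver) -> tuple:
    """Decide whether a request must be exempted from honeypot trapping.

    Layer 1: the user agent claims to be a known safe bot.
    Layer 2: reverse DNS of the client IP lands in that vendor's domain.
    Layer 3: forward-resolving that name gives back the client IP (FCrDNS).
    Returns (exempt, reason).
    """
    ua = user_agent.lower()
    bot = next((name for name in SAFE_BOTS if name.lower() in ua), None)
    if bot is None:
        return False, "no safe-bot user agent"
    try:
        host, forward_ips = resolver(ip)
    except OSError:
        # Fail open: a transient resolver error must not get a genuine crawler banned.
        return True, "dns error: fail open"
    suffixes = tuple("." + domain for domain in SAFE_BOTS[bot])
    if not host.rstrip(".").lower().endswith(suffixes):
        return False, "rdns not in vendor domain"   # spoofed user agent
    if ip not in forward_ips:
        return False, "forward lookup mismatch"      # rDNS alone can be forged by the IP's owner
    return True, "forward-confirmed"
```

The trade-off in the fail-open branch is deliberate: while DNS is unavailable, a client spoofing a crawler user agent also escapes the traps, which is the price of never banning Googlebot over a resolver hiccup. Caching positive FCrDNS results per IP keeps the lookups off the hot path.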
AI Crawler Management
Control 20+ known AI/LLM training crawlers (GPTBot, ClaudeBot, Google-Extended, Bytespider, and more). Per-crawler toggles, robots.txt integration, and 403 enforcement. Block training crawlers while allowing browsing bots.
Security Headers
Manage HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CSP, CORP, and COOP. Letter-grade scoring system. Remove X-Powered-By and Server headers.
Session Security
Cookie hardening (HttpOnly, Secure, SameSite). Session binding via IP + User-Agent fingerprint detects hijacking. Concurrent session limits. Idle timeout. Optional admin bypass for all session restrictions.
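An added Python example of the session-binding, idle-timeout, concurrent-limit and admin-bypass logic described above; it is not the plugin's PHP. The fingerprint is a keyed hash of IP and User-Agent stored with the session, and a mismatch destroys the session rather than merely refusing the one request. The idle timeout of 30 minutes, the limit of two concurrent sessions and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed defaults for the example; the plugin exposes its own as settings
IDLE_TIMEOUT = 30 * 60
MAX_CONCURRENT = 2


def fingerprint(ip: str, user_agent: str, secret: bytes) -> str:
    """Keyed hash of IP + User-Agent; keyed so the stored value can't be precomputed."""
    return hmac.new(secret, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, secret=None, clock=time.time, idle_timeout=IDLE_TIMEOUT,
                 max_concurrent=MAX_CONCURRENT, admin_bypass=False):
        self.secret = secret or secrets.token_bytes(32)
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.max_concurrent = max_concurrent
        self.admin_bypass = admin_bypass   # the README's optional exemption for administrators
        self.sessions = {}                 # token -> session record
        self._seq = 0                      # tie-breaker so eviction order is deterministic

    def login(self, user: str, ip: str, user_agent: str, is_admin: bool = False) -> str:
        if not (self.admin_bypass and is_admin):
            mine = sorted((s["last_seen"], s["seq"], tok)
                          for tok, s in self.sessions.items() if s["user"] == user)
            while len(mine) >= self.max_concurrent:   # evict the least recently active
                del self.sessions[mine.pop(0)[2]]
        self._seq += 1
        # The token is the cookie value; HttpOnly/Secure/SameSite are set when it is emitted.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "fp": fingerprint(ip, user_agent, self.secret),
                                "last_seen": self.clock(), "seq": self._seq, "is_admin": is_admin}
        return token

    def validate(self, token: str, ip: str, user_agent: str) -> tuple:
        """Return (user, reason); a failed check terminates the session, not just the request."""
        s = self.sessions.get(token)
        if s is None:
            return None, "unknown session"
        now = self.clock()
        if not (self.admin_bypass and s["is_admin"]):
            if now - s["last_seen"] > self.idle_timeout:
                del self.sessions[token]
                return None, "idle timeout"
            if not hmac.compare_digest(s["fp"], fingerprint(ip, user_agent, self.secret)):
                del self.sessions[token]
                return None, "fingerprint mismatch"
        s["last_seen"] = now
        return s["user"], "ok"
```

Binding to the IP is what makes a copied cookie fail from elsewhere, and it is also the source of the feature's false positives (mobile clients changing networks, users behind rotating proxies), which is why an exemption for administrators exists. Binding to User-Agent alone would be weaker, since the stolen cookie usually travels with the User-Agent string that produced it.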
Rate Limiter
Sliding-window rate limiting across 11 endpoint categories, including frontend, login, search, feed, REST API, WooCommerce checkout, XML-RPC, and cron.
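An added Python example of a sliding-window limiter keyed by endpoint category and client IP, not the plugin's PHP. It also encodes the 1.1.14 rule from the changelog below: for the login category only credential POSTs consume budget, and already-authenticated users are skipped. The category names, the path-based classifier and the per-category limits are constructed for the example and are not the plugin's defaults.

```python
import time
from collections import defaultdict, deque

# Constructed per-category limits: (requests, window seconds). Not the plugin's defaults.
LIMITS = {
    "login": (10, 300),
    "xmlrpc": (5, 60),
    "rest": (60, 60),
    "cron": (6, 60),
    "search": (20, 60),
    "feed": (30, 60),
    "checkout": (15, 60),
    "frontend": (120, 60),
}


def classify(path: str) -> str:
    """Map a request path to one of the constructed categories."""
    if path.startswith("/wp-login.php"):
        return "login"
    if path.startswith("/xmlrpc.php"):
        return "xmlrpc"
    if path.startswith("/wp-json/"):
        return "rest"
    if path.startswith("/wp-cron.php"):
        return "cron"
    if "?s=" in path:
        return "search"
    if path.startswith("/feed") or path.endswith("/feed/"):
        return "feed"
    if path.startswith("/checkout"):
        return "checkout"
    return "frontend"


class SlidingWindowLimiter:
    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits = limits
        self.clock = clock
        self.hits = defaultdict(deque)  # (category, ip) -> timestamps inside the window

    def check(self, ip: str, method: str, path: str,
              has_credentials: bool = False, authenticated: bool = False) -> tuple:
        """Return (allowed, category). `has_credentials` means the POST body carried a login form."""
        category = classify(path)
        # 1.1.14 rule: page views, lost-password and logout hits do not spend the login budget,
        # and a user who is already logged in is never counted.
        if category == "login" and (method != "POST" or not has_credentials or authenticated):
            return True, category
        limit, window = self.limits[category]
        now = self.clock()
        q = self.hits[(category, ip)]
        while q and q[0] <= now - window:   # drop hits that have slid out of the window
            q.popleft()
        if len(q) >= limit:
            return False, category           # caller answers HTTP 429
        q.append(now)
        return True, category
```

Keeping a timestamp per hit gives an exact sliding window; a fixed-bucket counter would let a client burst at the boundary between two buckets. In a multi-process PHP deployment the deque lives in a shared store (a transient or a dedicated table), and the window bookkeeping should be bounded so a flood cannot grow memory without limit.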
REST API Policies
Per-route access control with authentication requirements, HTTP method restrictions, rate limits, and IP whitelists. 5 built-in policies protect user enumeration, search, and write endpoints.
Cron Guard
Monitors wp-cron.php for flood attacks. Detects suspicious scheduled tasks via baseline comparison. System cron migration helper.
Outbound Monitor (SSRF Prevention)
Monitors all outgoing HTTP requests. Blocks requests to private/internal IP ranges including cloud metadata endpoints. Domain allowlist with wildcard support. Caller detection traces requests to specific plugins.
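An added Python example of the outbound vetting logic described above, not the plugin's PHP. It classifies every resolved address (unwrapping IPv4-mapped IPv6 so `::ffff:169.254.169.254` is judged as the metadata address it really is, the bypass the 1.1.7 changelog mentions), blocks private and cloud-metadata targets regardless of the allowlist, applies a wildcard allowlist, and resolves a hostname exactly once so the HTTP client can connect to the vetted IP instead of re-resolving (the DNS-rebinding race). The allowlist entries, the metadata address table and the injectable `resolver` are assumptions for the example.

```python
import ipaddress
import socket
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allowlist with wildcard support; not the plugin's data
DEFAULT_ALLOWLIST = ("api.wordpress.org", "*.wordpress.org")

# Constructed table of cloud metadata addresses blocked by name, on top of the range checks
METADATA_ADDRESSES = {ipaddress.ip_address(a) for a in
                      ("169.254.169.254", "100.100.100.200", "fd00:ec2::254")}


def classify_ip(ip_str: str) -> str:
    """Return 'public' or the reason the address must never be contacted."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # judge ::ffff:a.b.c.d as the IPv4 address it wraps
    if ip in METADATA_ADDRESSES:
        return "cloud metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if not ip.is_global:
        return "private"
    return "public"


def resolve_all(host: str) -> list:
    """Every address the resolver returns for `host`; [] if it cannot be resolved."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def vet_url(url: str, allowlist=DEFAULT_ALLOWLIST, resolver=resolve_all) -> tuple:
    """Return (decision, reason, connect_plan).

    connect_plan carries the pinned IP the HTTP client must connect to, plus the
    Host header to send, so the target cannot change between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked", "scheme not allowed", None
    host = parts.hostname
    if not host:
        return "blocked", "no host", None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP (also bracketed IPv6 forms)
    except ValueError:
        ips = resolver(host)                      # resolve ONCE; reuse the answer below
    if not ips:
        return "blocked", "unresolvable", None
    for ip in ips:                                # every answer must be public, not just the first
        verdict = classify_ip(ip)
        if verdict != "public":
            return "blocked", f"{ip}: {verdict}", None   # always-on, even for allowlisted hosts
    if not any(fnmatchcase(host, pattern.lower()) for pattern in allowlist):
        return "blocked", "host not in allowlist", None
    return "allowed", "ok", {"ip": ips[0], "port": port, "host_header": host}
```

Two points are easy to get wrong in practice: every address in the DNS answer must pass, because a resolver can hand back a public and a private record for the same name, and each redirect target is a new URL that must go through `vet_url` again before it is followed.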
Post-Breach Recovery
12 emergency actions, including: terminate sessions, force password reset, rotate secret keys, emergency lockdown, reinstall core, reinstall plugins, audit admin accounts, clear caches, malware scan, disable plugins, and downloadable incident report.
Real-Time Dashboard
Live visitor monitoring with 15-second auto-refresh. Stat cards, traffic charts, top IPs with VirusTotal integration, browser distribution, and IP detail modals.
Visitor Log & Audit Log
Complete request history with filters (IP, URL, bots, blocked, time range). Tamper-resistant admin action audit trail.
Notifications
Email alerts (HTML formatted, color-coded severity), Slack webhooks, custom JSON webhooks, and daily digest. Configurable severity threshold with 5-minute deduplication.
WordPress Hardening
One-click toggles: disable XML-RPC, hide WordPress version, block REST API user enumeration, block author enumeration, disable file editor, block PHP execution in uploads.
What Makes Atlant Security Different
- Pre-WordPress WAF - Blocks attacks via auto_prepend_file before WordPress even loads
- Outbound HTTP Monitor - Detects SSRF attacks and unauthorized outbound connections
- Database Backdoor Scanner - Scans wp_options and wp_posts for eval(), base64, and hidden backdoors
- Client-Side Bot Detection - JavaScript challenges and browser fingerprinting catch sophisticated bots
- AI/LLM Crawler Blocking - Identify and block AI training crawlers scraping your content
- Honeypot Traps - Hidden links, fake login pages, invisible form fields that only bots trigger
- Cron Guard - Monitors wp-cron for unauthorized scheduled tasks planted by malware
- Post-Breach Recovery - Guided recovery toolkit with 12 emergency actions in one place
- Session Fingerprint Binding - Binds sessions to IP + User-Agent so stolen cookies are useless
- Real-Time Visitor Dashboard - Live visitor feed updated every 15 seconds
- Smart Password Policy - Minimum length, complexity, common-password blocking, and passphrase support
- Granular REST API Policies - Per-endpoint control, not just a global on/off switch
- Safe Mode Override - One constant in wp-config.php disables all blocking features instantly
- Deactivation Data Control - Choose to keep or wipe all security data when deactivating
- Zero phone-home - No telemetry, no tracking, fully GDPR-compliant (external services used only when explicitly enabled by the admin - see External Services section)
Why Atlant Security?
- All-in-one - Replaces 5-6 separate security plugins
- No external dependencies - Core security features run locally on your server
- Zero phone-home - No telemetry, no tracking (optional features like GeoIP use external services only when explicitly enabled - see External Services section)
- GDPR-friendly - No external fonts, no CDN resources
- Setup wizard - Configure core security in under 2 minutes
- Clean uninstall - Removes all database tables and options when deleted (opt-in)
- Safe Mode - Emergency override if you get locked out of your site
Installation
- Upload the atlant-security folder to /wp-content/plugins/.
- Activate the plugin through the Plugins menu in WordPress.
- Navigate to Atlant Security in the admin sidebar to access the dashboard.
- Optionally run the Setup Wizard from the sidebar to configure core security settings quickly.
The Setup Wizard configures your WAF, login protection, hardening, visitor logging, and notifications. You can run it at any time from the inner sidebar navigation.
Minimum Requirements
- WordPress 6.0 or higher
- PHP 8.0 or higher
Safe Mode
If you ever get locked out of your site, add this line to wp-config.php:
define( 'ASWP_SAFE_MODE', true );
This disables all blocking features (custom login URL, IP blocking, WAF, rate limiting) while keeping the admin interface accessible so you can fix settings.
1.1.14 - Login 429 Fix
- Fixed: legitimate users could get HTTP 429 "Too Many Requests" on /wp-login.php even without submitting wrong credentials. The login rate limiter counted every hit to the page (GETs, the lostpassword and resetpass flows, the logout link) toward a 10-per-5-min budget. It now counts only credential POST submissions, and skips already-authenticated users. Brute-force defense (the real one - 5 failed attempts locks out) is unchanged.
1.1.13 - Timezone Fix
- Fixed: admin times displayed several hours off on non-UTC sites - the display layer double-converted stored timestamps. New FortressWP\Time helper; the admin JavaScript now shows times in the site timezone, not the visitor's browser.
- Fixed: GeoIP "last updated", the brute-force lockout countdown, and the 08:00 daily digest schedule now all use the correct timezone.
1.1.12 - Quarantine Review Ritual
- New: quarantine now opens a review modal - file details, a forensic download button, VirusTotal / Hybrid-Analysis links, and three required acknowledgment checkboxes (also enforced server-side).
- Improved: CSV export includes confidence and matched-signature columns.
1.1.11 - Conservative Quarantine
- New: per-signature fidelity ratings and per-finding confidence; quarantine is gated to HIGH confidence and single ambiguous hits are review-only.
- New: regex matches inside string literals or comments are treated as data, not malware - eliminates self-match false positives.
1.1.10 - Critical: Self-Quarantine Lockout Fix
- Fixed (critical): the scanner could quarantine its own files and take the whole site offline; it now hard-excludes known security plugin directories.
- Fixed (critical): the plugin bootstrap now survives a missing module file instead of taking the whole site down with a fatal error.
1.1.8 - Default-Allow Policy for Vendor Bots
- Fixed: AI crawler defaults flipped to "allow" - legitimate vendor bots (Google, OpenAI, Anthropic, Bing) are never blocked unless the operator opts in.
- Fixed: the Honeypot reverse-DNS check now fails open, so a transient DNS error can't ban a real Googlebot.
1.1.7 - Critical Audit Hardening
Fixes for 14 critical and 12 high-severity issues found during a full external audit. Recommended upgrade for everyone.
- Fixed (critical): fatal-at-login bug in concurrent-session enforcement; IPv4-mapped-IPv6 IP-block bypass; outbound SSRF DNS-rebinding race; CIDR trusted-proxy parsing; over-broad Cloudflare auto-whitelist; web-accessible quarantine directory and wp-config key backups; a WAF-rule ReDoS; plaintext Custom Login URL recovery token; unvalidated plugin-restore input.
- Fixed (high): 2FA enrollment-session bypass and cross-user nonce reuse; 2FA disable without re-authentication; racy IP blocking; Googlebot user-agent-spoof honeypot exemption; notification webhook SSRF; scan symlink escape; WAF encoded-escape and capability bypasses; and more.
1.1.6 - Scanner Accuracy
- Fixed: malware scanner false-positive flood on fresh installs - WordPress core checksum verification, a known-safe path allowlist, and tightened signatures.
- New: "Mark as False Positive" and Undo on file findings, recorded to the audit log.
1.1.5
- New: CAPTCHA on the login, registration, and lost-password forms - reCAPTCHA v2, reCAPTCHA v3, and Cloudflare Turnstile, with per-form toggles and a theme picker.
1.1.4
- New: CSV export of full, untruncated scan findings; white-label filters for the Enterprise add-on. Tested up to WordPress 7.0.
1.1.3 - Security Hardening
- Security: HMAC-signed Custom Login URL grace cookie; enforced 2FA for required roles; webhook-secret redaction in the outbound log; always-on SSRF blocking of private ranges; IPv6 DNS checks.
- New: trusted proxy IP setting and a weekly cron schedule.
1.1.2
- New: About page with defense architecture and feature overview.
- Fixed: setup wizard no longer auto-redirects on activation.
1.1.1
- Improved: visitor log layout and filter bar spacing.
1.1.0
- Improved: denser, more compact admin layout.
- Fixed: session timeout now respects the "Exempt Administrators" setting.
1.0.9
- Improved: compact sidebar, shorter table headers, and denser global spacing.
1.0.8
- Fixed: visitor log and dashboard table column widths.
1.0.7
- New: inner sidebar navigation - all plugin pages in one persistent panel with a single WordPress menu entry.
1.0.6
- Improved: no-cache headers on admin pages; Top IPs / Top Pages widget fixes.
1.0.5
- Fixed: HTML entity rendering bug in the admin JavaScript.
1.0.4
- New: GeoIP country resolution, Custom Login URL, Password Policy, Force SSL Admin, and auto-update toggles.
- Internal: codebase prefix migration to aswp_ with automatic database migration on upgrade.
1.0.3
- New: Honeypot, Security Headers, Two-Factor Authentication, and Notifications modules.
1.0.2
- New: AI Crawlers, REST API Policies, Session Security, Outbound Monitor, and Cron Guard modules.
1.0.1
- New: Setup Wizard and IP Detail Modal.
1.0.0
- Initial release: 17 security modules - WAF, brute-force protection, malware scanner, post-breach recovery, IP blocking, visitor log, audit log, hardening, rate limiter, and real-time dashboard.