JR Security Hardening and Login Protection -- WordPress 插件

开发者	reinajhon46
更新时间	2026年5月21日 10:15
PHP版本:	7.4 及以上
WordPress版本:	6.9
版权:	GPLv2 or later
版权网址:	版权信息

JR Security Hardening and Login Protection secures your WordPress installation at the application level with one-click hardening modules. Designed to be secure by default and Cloudflare compatible. Included modules:

Disable XML-RPC — Full block (filter + hard block) to prevent brute force attacks and pingback DDoS.
Hide WordPress version — Removes version from generator meta and CSS/JS assets.
Disable file editor — Prevents theme and plugin editing from the admin panel (DISALLOW_FILE_EDIT).
Disable emojis — Removes WordPress emoji scripts and styles, improving performance.
Block user enumeration (?author= and /author/) — Dual-layer protection against username discovery.
Block REST enumeration (wp-json users) — Prevents enumeration via the WordPress REST API.
Block sensitive paths/files — Blocks access to readme.html, license.txt, .env, .git, composer.json, etc. (only what passes through WordPress).
Security headers — X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options, HSTS (HTTPS only) and removal of technology-revealing headers.
Login protection — Rate limiting by IP and by user+IP with configurable temporary lockout.
IP whitelist — Excludes trusted IPs from rate limiting to avoid accidental lockouts.
Email notification — Receive an email when an IP is locked out due to too many failed login attempts.
Activity log — Security event logging in a dedicated database table with configurable retention and automatic cleanup via cron.
Ready-to-use server rules — Code for Apache (.htaccess) and Nginx to block static files that WordPress cannot reach.

Smart IP detection:

Native support for Cloudflare (CF-Connecting-IP).
Option to trust X-Forwarded-For / X-Real-IP behind trusted proxies.
Fallback to REMOTE_ADDR.

Clean uninstall: When the plugin is deleted, all options, the events table and transients are removed. No data is left behind in your database.

安装:

Upload the jr-security-hardening-login-protection folder to /wp-content/plugins/.
Activate the plugin from the WordPress "Plugins" menu.
Go to Settings → JR Security and configure the modules.
For full static file protection, apply the server rules shown in the "Server" tab.

常见问题:

更新日志:

1.0.0

First release.
Modules: XML-RPC, WP version, file editor, emojis, user enumeration (?author= and /author/), REST enumeration, sensitive paths, security headers, login protection, IP whitelist, email notification, activity log, server rules.
IP detection with Cloudflare support (CF-Connecting-IP), X-Forwarded-For/X-Real-IP and REMOTE_ADDR.
Admin panel with tabs: Dashboard, Hardening, Login, Logs, Server.
Automatic log cleanup via WP Cron with configurable retention.
Clean uninstall (options, events table, transients).

JR Security Hardening and Login Protection

标签

下载

详情介绍:

安装:

升级注意事项:

常见问题:

更新日志: