Security Ninja - Secure Firewall & Secure Malware Scanner -- WordPress 插件

开发者	lkoudal cleverplugins freemius
更新时间	2026年6月2日 10:15
捐献地址:	去捐款
PHP版本:	7.4 及以上
WordPress版本:	7.0
版权:	GPLv3
版权网址:	版权信息

Security Ninja is a lightweight WordPress security plugin that helps protect your site from common attacks and security mistakes — without turning your dashboard into a cockpit. [youtube https://www.youtube.com/watch?v=5zzzQTPmbS0] Web Application Firewall (WAF) (based on the 8G ruleset) to block common malicious requests, plus 50+ security checks, a full vulnerability scanner, and a core integrity scanner to spot risky settings and unexpected file changes. Upgrade to Pro for Cloud Firewall, malware scanning/cleanup, login brute-force protection and 2FA, export/webhooks, and scheduled scans. This plugin can be downloaded for free without any paid subscription from the official WordPress repository. Included for free

Basic Firewall (8G-based) – Blocks common malicious requests and bot noise before it becomes a problem.
50+ Security Tests – Fast audit of common WordPress security misconfigurations.
Vulnerability Scanner – Highlights known issues in plugins/themes so you can patch faster.
Core Scanner – Detect modified or unexpected files in WordPress core folders.
Basic Events Logger – Logs firewall events and login attempts (successful/failed).
AI Security Advisor (WordPress 7) – AI-generated audit summaries and guided follow-ups from your scans, using WordPress AI Connectors (you choose the LLM provider). Optional WordPress Abilities let other AI tools on your site read test summaries, attack activity, and your latest saved report. Pro adds
Cloud Firewall & advanced WAF – Block 600+ million known bad IPs, country blocking, IP management, and stronger firewall controls (free includes the 8G-based firewall).
Advanced Malware Scanner – Detect and clean malicious code and suspicious files.
Login protection & 2FA – Limit failed logins, rename the login URL, and add two-factor authentication.
One-click Fixes – Harden WordPress from the Fixes page (XML-RPC, file editor, headers, and more).
Full Events Logger – Export logs, scheduled email reports, webhooks (e.g. Slack/Discord), and deeper alerting.
Scheduled scans & reporting – Automated security scans and reports. Key Features

Security Ninja is a lightweight WordPress firewall plugin and security toolkit designed to help you find misconfigurations, block common attacks, and stay ahead of known vulnerabilities — without slowing your site down. Comprehensive WordPress Security Testing Security Ninja performs 50+ advanced security tests to identify issues before attackers exploit them. This includes:

Login and password checks – Audits weak passwords and related settings (Pro adds failed-login limits, rename login, and 2FA).
File integrity monitoring – Detects unauthorized changes to WordPress core files, themes, and plugins.
Database security checks – Identifies weak database permissions and potential SQL injection threats.
User role audits – Ensures no unauthorized administrator accounts exist.
Security misconfiguration scans – Identifies and fixes weak settings that could compromise security.

Enhanced Vulnerability Scanner

Stay Ahead of Threats – Our vulnerability scanner proactively alerts you to known vulnerabilities, allowing you to address potential threats before they exploit your website.
Comprehensive Protection – Security Ninja not only checks and warns for common issues but also checks for known vulnerabilities in plugins and themes.
Peace of Mind – Knowing your site is monitored for the latest vulnerabilities means you can focus on what matters most, growing your business and creating content, worry-free.

Core Scanner – Comprehensive Protection for Your WordPress Installation The Core Scanner module adds a critical layer of security by ensuring your WordPress installation remains untampered and free of unauthorized files.

Full Core File Integrity Check: Every file in your core WordPress folders is scanned to ensure it hasn't been modified or compromised.
Detection of Unknown Files: The scanner flags any extra or unknown files in your core WordPress directories, alerting you to potential threats.
Built-in File Viewer: Review flagged files directly within your WordPress dashboard using the integrated file viewer for a clear and easy inspection.
Restore Core Files: If a core WordPress file has been altered, you can quickly restore it with a single click, ensuring your site is running the official version.
Easy File Management: For unknown or suspicious files, you have the option to delete them right from the interface, keeping your WordPress installation clean and secure.

Advanced Malware Scanner – Detect & Remove Malware Instantly (PRO) Security Ninja includes a high-performance malware scanner that automatically checks your WordPress core, plugins and themes for:

Malicious scripts and backdoors – Identifies hidden malware and harmful injections.
Trojan and virus detection – Scans for suspicious PHP and JavaScript entries.
One-click malware removal – Instantly quarantine and delete infected files.

WordPress Firewall & Real-Time Threat Protection Security Ninja includes a basic firewall for free (8G-based) to block common malicious requests. Upgrade to Pro for more advanced WAF controls.

Basic protection (Free) – 8G rules block many common exploit patterns and abusive requests.
Advanced protection (Pro) – Cloud Firewall, country blocking, IP lists, and additional intelligence/automation.
Login brute-force protection (Pro) – Limit failed logins and harden the login flow (not included in the free firewall).

Login Security & Two-Factor Authentication (2FA) (PRO) Your WordPress login page is a primary target for hackers. Security Ninja enhances login security with:

Two-Factor Authentication (2FA) – Requires additional verification for safer logins.
Brute-force attack protection – Limits failed login attempts to block unauthorized access.
Rename login - Getting a lot of requests to your login form? Hide it for spammers.

One-Click Security Fixes & WordPress Hardening (PRO) Manually fixing security issues is time-consuming. Security Ninja provides one-click hardening to:

Disable XML-RPC – Blocks common DDoS attacks and brute-force exploits.
Restrict file editing – Prevents unauthorized theme and plugin modifications.
Hide PHP error messages – Stops hackers from exploiting sensitive error details.

And many more fixes to harden your WordPress security! Events Logger / Activity Tracking Security Ninja includes a basic events logger for free so you can see what’s happening on your site.

Free: firewall events and login attempts (successful/failed) in the dashboard.
Pro: export security logs, scheduled email reports, webhooks (e.g. Slack/Discord), and deeper alerting.

Automated Security Scans & Reports (PRO) Security Ninja performs scheduled security scans and sends reports directly to your inbox.

Set up daily, weekly, or monthly security scans.
Receive email alerts about vulnerabilities and malware infections.
Analyze detailed reports to keep your website secure.

Block Spam & Malicious Bots Instantly (PRO) Hackers and spammers use bots to exploit WordPress websites. Security Ninja prevents:

Fake registrations and spam comments – Stops bots from even getting to your site.
Malicious bot attacks – Blocks scripts attempting to hack your site.
Unwanted traffic – Reduces server load by preventing unnecessary bot access.

AI Security Advisor — from scan results to clear next steps (WordPress 7) Understanding a security scan shouldn’t feel like homework. AI Security Advisor uses your connected LLM (via WordPress 7 AI Connectors) to turn Security Ninja findings into a readable audit: executive summary, prioritized improvements, and suggested follow-up prompts—not an open-ended chatbot. Reports draw on Security Tests, the Vulnerability Scanner, Core Scanner, recent firewall/login events, and on Pro sites Malware Scanner results when available. Saved reports stay on your site until you remove them. What you need\ AI Security Advisor is included in the free plugin but requires WordPress 7. You connect the AI/LLM provider yourself under Settings → Connectors in WordPress; Security Ninja does not host or supply API keys. WordPress Abilities (optional)\ On WordPress 7, Security Ninja can register read-only Abilities so other AI tools on the same site can fetch a test summary, 7-day attack activity, or your latest saved audit—useful if you use multiple AI integrations. Report generation and follow-ups on the Security Advisor page work independently of this. Privacy, in everyday language\ Only non-identifying security context (test results, scan status, event counts—not personal data) is sent to your chosen AI provider to build a report. If you are not on WordPress 7 yet, you will see a notice on the AI Security Advisor screen; the rest of Security Ninja continues to work as usual. Join thousands of satisfied users who trust Security Ninja to keep their websites safe. Start protecting your online presence today.

5.286

2026-06-01
NEW: MainWP integration — child sites accept allowlisted Security Ninja settings updates from the Security Ninja for MainWP extension (update_settings remote action; changed keys only).
IMPROVED: MainWP settings updates are logged in Events with a list of changed setting keys (no values stored), so you can see what was changed from the dashboard.
IMPROVED: AI Security Advisor — works more reliably with WordPress 7 AI connectors (including DeepSeek and OpenAI). The plugin picks the right request format for each service instead of failing when structured JSON is not supported.
IMPROVED: AI Security Advisor — Reports are faster and cheaper. Only tests that need attention are included, with short summaries.
IMPROVED: AI Security Advisor — report output is cleaned up and checked before it is saved.
IMPROVED: AI Security Advisor — full reports can be longer (higher token limit).
IMPROVED: AI Security Advisor — when something goes wrong, the page shows a more helpful error message, and the failure is logged in Events so you can see what happened.
IMPROVED: AI Security Advisor — successful and failed AI requests in Events now record which connector and model were used (prompt chip id only when relevant).

5.285

2026-05-26
FIX: Upgrading from the free plugin to Pro no longer causes a site error when both versions are present during install or activation. Pro skips loading Composer again if the free copy already loaded it, then Freemius deactivates free on activation.
IMPROVED: AI Security Advisor — when an AI connector request fails, the page now shows the provider's actual error message instead of a generic "temporarily unavailable" notice, so quota, billing, and configuration issues are easier to diagnose.
NEW: MainWP integration (Phase 1) — sync now includes IP management entries (up to 200), AI Security Advisor executive summary, and optional event raw_data for the top 50 events. Remote IP actions (whitelist/blacklist add/remove, lift local ban, lift 404 guard ban) via the Security Ninja for MainWP extension 2.1.0+.

5.284

2026-05-23
FIX: Change Login URL (Pro) — Checkout and other frontend flows that use WordPress admin-post.php (for example FluentCart account creation during checkout) no longer show “Access Denied” for visitors. Legitimate public handlers registered with admin_post_nopriv_* are allowed; direct access to the rest of wp-admin stays blocked.
IMPROVED: Rename Login (Pro) — Recognized temporary-login plugin links (Temporary Login Without Password, One Time Login, Magic Login, Login Links) are no longer blocked when accessing wp-admin before authentication completes. Extend via the securityninja_rename_login_allow_autologin filter.
IMPROVED: AI Security Advisor now uses WordPress 7 structured AI responses for more reliable report output.
IMPROVED: AI Security Advisor reports now include richer context from Security Tests, Vulnerability Scanner, Core Scanner, and recent security events.
IMPROVED: Pro sites now include Malware Scanner findings in AI report context when available.
NEW: WordPress 7 Abilities (optional, on by default): expose read-only security data to other WordPress AI clients—Security Test summary (passed/warning/failed), 7-day attack activity vs the previous week, and the latest saved AI Security Advisor report. Control exposure under Security Advisor → Settings; turning this off does not affect generating reports or follow-ups on the Security Advisor page.
NEW: Added a dismissable "Re-evaluate with AI" reminder after tests, scans, and firewall setting changes (stays hidden after dismiss until a new security event occurs).

5.283

2026-05-18
FIX: Cloud Firewall (Pro) — Satellite ASN softening now works consistently across country blocking (including Starlink).
FIX: 2FA setup during frontend login now shows the manual entry secret key again, matching the backend user profile setup flow.
IMPROVED: Cloud Firewall (Pro) — IP Management shows your blacklist, whitelist, and temporary blocks in one searchable table, so you can see everything in one place.
IMPROVED: Add, edit, and remove IP rules directly from the table; add several at once with one IP or range per line.
IMPROVED: Copy your full blacklisted or whitelisted lists, or clear temporary blocks, from easy buttons below the table.

5.282

2026-05-05
FIX: Two-factor authentication (Pro) — When 2FA is enabled but required roles were missing or invalid, login could skip the 2FA step. Security Ninja now falls back to requiring Administrator so the code prompt always appears for protected accounts.
FIX: Saving 2FA status would fail if firewall not enabled. Thank you Vassos.
Added a new Tools-page Cleanup button. Securely removes any legacy options or data. Thank you Davina for the idea.
FIX: Cloud Firewall (Pro) — Clearing all countries in country blocking and saving now actually turns country blocking off. Previously, choosing “none” could leave old selections in place because empty lists were not saved correctly.
IMPROVED: Cloud Firewall — IP whitelist entries written as ranges (CIDR, one per line on IP Management) now apply the same way everywhere: visitor checks, secret recovery links, and automatic whitelist logic no longer treat ranges like plain single IPs only in some code paths.
NEW: Cloud Firewall (Pro) — Option to soften country blocking for satellite ISPs like Starlink. Easily enable or adjust under Firewall → Settings for smoother access while keeping strong protection.
IMPROVED: Cloud Firewall (Pro) — If a country or cloud block is skipped because the visitor is using a satellite ISP (satellite ASN softening), you'll now see this clearly in the Events log.

5.281

2026-04-22
FIX: 2FA — Post-verification redirects now match WordPress core validation for relative and absolute redirect_to URLs ( Rename Login compatible ). AJAX responses always include a safe redir_to / redirect_url with admin_url() fallback so editors and other roles are not sent to the front page unexpectedly. Thank you Davina.
IMPROVED: Security Tests — the "outdated plugins" check no longer saves full WordPress.org plugin metadata to the database. Thank you Davina.
IMPROVED: AI Security Advisor — improved PII handling.
FIX: Malware Scanner — "Revert Whitelist" now correctly persists file removal, so reverted files no longer reappear after page reload. Thank you Vassos.
IMPROVED: Malware Scanner — respects the same ignore paths as the scanner library during filesystem traversal (e.g. wp-admin/ and wp-includes/), so WordPress core files are no longer signature-scanned when already excluded—use Core Scanner for core integrity.
IMPROVED: Malware Scanner — WordPress core JS bundles under wp-includes/js/dist/ and wp-admin/js/ are excluded from malware pattern matching by default (fewer false positives on minified/vendor scripts). Plugins, themes, and uploads are still scanned.

5.280

2026-04-17
Fix for display bug on Events -> Settings subtab. Thank you Aldin for spotting it.

5.279

2026-04-15
Improved - AI Security Advisor interface and functionality - Big improvements.
FIX: Cloud Firewall — Failed login warning emails no longer cause a fatal error ("Class Wf_Sn_Security_Utils not found") when wp_login_failed ran before the init hook (e.g. another plugin handling login during plugins_loaded).
IMPROVED: Security Tests — long help text is no longer embedded on every plugin admin screen, so the dashboard stays lighter in memory and loads faster.
Updated translation files

5.277

2026-04-04
FIX: Firewall redirect - Blocked visitor redirect now supports external URLs as configured. We now use validated wp_redirect() for this setting (http/https only), preventing fallback to wp-admin when an external domain is set.
IMPROVED: Cloud Firewall crawler validation now supports verified AI crawlers (OpenAI and Perplexity) using user-agent plus cached published IP ranges. Anthropic are not auto-whitelisted.

5.276

2026-03-27
Maintenance release - Minor improvements and stability.
FIX: Security Fixes — Saving the Fixes screen now applies wp-config changes only when toggles are ON: disable file editor, disable WP_DEBUG, and secure session cookies. Previously, always-present form keys made the “on” paths run even when options were OFF, which could append duplicate define() lines and trigger PHP notices (thanks Masahiro Kasahara for the report). update_define also skips appending a constant that is already defined (e.g. set from an included file).
Setup wizard – Fixed errors in the wizard and made a few small improvements.

5.275

2026-03-16
FIX: Event Logger – Plugin and theme installs are now logged (previously only updates were recorded). Activate and deactivate events are always logged with a fallback label when plugin name cannot be read.
NEW: Event Logger – Now also logs activated_plugin, deactivated_plugin, add_user_role, and remove_user_role for a fuller audit trail.
Event Logger – reliability: Event Logger now records settings changes, post updates, plugin activation/deactivation, and user events correctly when the module is enabled. Previously, events could be missing due to licensing checks blocking the write path; logging no longer depends on that for storing events.
Event Logger – less noise: A single click to update an already-published post now creates one log entry instead of three. Saving a settings page (e.g. General) creates one entry instead of duplicate entries.
Event Logger – clearer actions: Settings saves are logged with the action "options_saved" and show which settings page was updated (e.g. General, Reading). Internal WordPress hook names like "whitelist_options" are no longer shown in the log.
Event Logger – security: Passwords and account activation keys are never stored in the log or shown in event details. User registration and profile update events only store non-sensitive data.
AI Security Advisor – Get a plain-English security summary and top improvements from your security tests. Uses WordPress 7 AI Connectors (OpenAI, Google, Anthropic); no domains, URLs, or personal data are sent.
AI Security Advisor – Overview tab shows when your site was last reviewed and a one-line teaser from the latest report, or invites you to run your first review or set up a connector.
AI Security Advisor – Dashboard widget shows advisor status at a glance (last reviewed, ready for first review, or set up) with a quick link to the Security Advisor page.
Event Logger – Login events are recorded only when a valid user is present, so your log stays accurate when other plugins or tools fire login-related hooks.

5.274

Including email template properly.
Improvements for 2FA redirect logic.

5.273

2026-03-07
FIX: Removed unencrypted malware signature files from the plugin package (vendor/scr34m/.../definitions/ and base64_patterns/). The scanner uses only encrypted .dat files stored elsewhere. The bundled .txt files were never used at runtime but triggered false-positive virus alerts on some hosts. They are now stripped so they are never included in the plugin itself.

5.272

2026-03-04
FIX: Security tests – Prevent "Undefined array key" and "sprintf(): Passing null to parameter #1" PHP warnings/deprecations when building test result messages. Tests that do not define msg_ok, msg_bad, or msg_warning now use a safe default format string so scheduled runs and step-by-step runs no longer log errors (fixes issues in both free and premium when test definitions omit these keys).
IMPROVED: Malware Scanner – The "Scan your website" button is now disabled while a scan is running, so you can't accidentally start a second scan. It becomes clickable again as soon as the scan finishes or if something goes wrong.
IMPROVED: Malware Scanner – Scan progress and results now appear directly under the scan button instead of further down the page, so you can follow what's happening without scrolling.
FIX: Scheduler – Malware Scanner now runs correctly when you have "Enable scheduled scans for all" selected. If your scan log was created before Malware support was added, the plugin will update it automatically the next time a scheduled scan runs, so the Malware column in the scan log will show results instead of "Not run".
IMPROVED: Scheduler – Added a short reminder that Malware Scanner is included only when you choose "Enable scheduled scans for all", so it's clear how to get Malware in your scheduled runs.
IMPROVED: Scheduler – Scheduled scans (Security Tests, Core Scanner, Malware Scanner) now use the bundled Action Scheduler (Pro). "Run now" queues the scan in the background so it no longer times out on slow or remote requests; recurring scans run via Action Scheduler for reliable unattended execution. The Pro plugin bundles Action Scheduler; no separate install required. The library is included only in the premium build (free version does not load or reference it).
IMPROVED: Malware Scanner is now faster and more reliable; scans use less memory and you get clearer progress feedback. You can also include the Malware Scanner in the Scheduler (Security Ninja → Scheduler): choose "Enable scheduled scans for all" to run security tests, Core Scanner, and Malware Scanner on a schedule and get a single email report so you stay alerted to changes or suspicious files.
NEW: Malware Scanner – "Reset results" link under the scan button lets you clear previous scan results when a scan has been run before and you want to refresh.
NEW: Malware Scanner – You can now exclude specific paths or folders from malware scans. Use "Exclude paths from scan" on the Malware Scanner tab: enter one path pattern per line (e.g. /plugins/plugin-name/). Paths listed there are skipped by the scanner and never reported as malware. Ideal for excluding trusted plugins (e.g. Leadpages, AccessAlly, UpdraftPlus) that trigger false positives.
NEW: Malware Scanner – Path patterns are stored in the same whitelist as per-file whitelisted items; both are included in Import/Export (Tools page) under malware scanner settings.
NEW: Malware Scanner – Developers can add or modify excluded paths in code using the securityninja_malware_exclude_paths filter. Documentation: https://wpsecurityninja.com/docs/malware-scanner/how-to-exclude-paths/
FIX: Country blocking – Visitors whose country cannot be determined (e.g. some IPv6 addresses) are no longer blocked, this could happen on some servers.

5.271

2026-02-25
FIX: 2FA login redirect – After completing 2FA, users (including admins) are now redirected to the dashboard or requested URL instead of the front page. Redirect logic now matches WordPress core: uses wp_validate_redirect() and the login_redirect filter.
FIX: 404 Guard – IPs whose monitoring window has expired are no longer shown in "Being Monitored". Expired count transients are excluded from the list and deleted to avoid DB bloat, so stale entries no longer appear.
IMPROVED: 404 Guard – First 404 from an IP is no longer logged; logging starts from the 2nd 404 onward to reduce log noise. Approaching-threshold, final-warning, and block events are unchanged.
IMPROVED: Visitor Log – Country flag is now shown next to the IP when country is known, matching Event Log behavior. A geolocation fallback is used for older entries where country was not stored.
FIX: Visitor Log – Fixed undefined variable ($allowed_html) when formatting log row details (wp_kses).
NEW: MainWP – Remote "force create database tables" action for incomplete installations.
FIX: Resolved fatal error when Security Ninja and AR for WooCommerce (or other plugins using chillerlan/php-settings-container) were active together; our copy is now loaded early and aliased in admin to prevent duplicate class declaration.

5.270

2026-02-22
FIX: Secure cookies fix now writes ini_set lines before any closing PHP tag in wp-config.php, preventing "headers already sent" and cookie/login issues. Thanks to Olga for the detailed report that made this fix possible.
NEW: Core Scanner – You can now open a printable report when the scan finds issues. Use "Print / Download report" to open the report in a new window and print or save as PDF for your records or support.
IMPROVED: Core Scanner – The report button is always visible; when no issues are detected it shows a short notice so you know the option is available after the next scan with findings.
IMPROVED: Core Scanner – Original WordPress core files are cached for one day when restoring or comparing, so repeat operations are faster and put less load on external servers.
IMPROVED: Core Scanner – "View differences" now opens in the same unified File Viewer layout as "View File", with consistent styling, file metadata, and shared security validation instead of a separate standalone page.
FIX: Firewall enable modal – "Send email" (activate and send unblock link) now works. The unblock-email AJAX action was not registered and the handler expected the email in GET; the action is now registered and all unblock-email requests use POST only.
TECH: All internal script and style references now use non-minified JS and CSS only; minified copies have been removed to simplify the codebase.
FIX: Fixed PHP 8.1 deprecation notice "Implicit conversion from float to int loses precision" in Cloud Firewall IPv6 CIDR matching. Thanks to Lesford for the report.

5.269

2026-02-19
NEW: Added compatibility with temporary login plugins ("Temporary Login Without Password", "One Time Login", "Magic Login", "Login Links"). Temporary login links are now automatically whitelisted from suspicious query detection when the corresponding plugin is active. Detection is logged for audit purposes. Other plugins can extend this compatibility using the securityninja_temporary_login_params and securityninja_is_temporary_login_link filters - more info on website.
FIX: Fixed fatal error "Object of class WP_Error could not be converted to string" in Overview tab when displaying event details containing WP_Error objects. The code now properly checks for WP_Error objects before passing them to esc_html() and displays the error message instead.
FIX: Fixed fatal error preventing WooCommerce logins via public forms when SN_Geolocation class was not loaded. Code now checks for class existence before use.

5.268

2026-02-18
FIX: Firewall now allows logged-in administrators to access WordPress backend (wp-admin, admin-ajax.php) even when their IP address is banned. This prevents administrators from being locked out when their IP was banned by a false positive from the suspicious query filter, 404 Guard, brute-force protection, or other firewall features. This fixes the "Updating failed. The response is not a valid JSON response" error when saving pages in the block editor (Gutenberg) when the admin's IP was previously banned.
IMPROVED: UI label for suspicious query filtering has been updated from "Block Suspicious Page Requests" to "Filter Suspicious Queries" to match support documentation and make it easier for users to find the setting when following support instructions.
FIX: 2FA login redirects now work correctly for users logging in via public forms (such as Paid Member Subscriptions, WooCommerce, and other third-party login forms).

5.267

2026-02-13
IMPROVED: Litespeed servers - Added documentation and in-app notices for all security headers (CSP, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, Permissions-Policy). LiteSpeed users can add headers directly to .htaccess using the examples in each test description. Thank you Tom for the feedback.
FIX: Events Logger, Overview, and Visitor Log – Country flags now correctly show the event/visitor IP's country instead of the logged-in admin's IP when the site is behind Cloudflare or similar proxies.
Improved: Core Scanner - Interface loads faster with tabs lazy-loading content in different tabs.
IMPROVED: Firewall – When "Block IP Network" is enabled, known social and link-preview crawlers (e.g. Facebook, LinkedIn, Twitter) are no longer blocked by default. Link previews when you share your site on social networks now work without having to whitelist IPs.

5.266

2026-02-10
Improvement: Logging details for 404 Guard.
FIX: Login Protection – Banned IPs expired entries are removed immediately instead of waiting for the prune job.
IMPROVED: Login Protection – Prune job for banned IPs now runs hourly.
FIX: Cloud Firewall IP Management – "Locally Banned IPs" list now shows only currently banned IPs (expired bans are excluded).
FIX: Cloud Firewall – Test IP and "Clear list of banned IPs" functionality fixed.
Updated language file for translations.

5.265

2026-02-09
Tested up to WP 6.9.1
FIX: Issues with 2FA for some user.
IMPROVED: Vulnerability list updating faster and consume less memory.

5.264

2026-01-31
FIX: Fixed wpdb::prepare() error during plugin uninstallation when dropping database tables.
FIX: Vulnerability scanner no longer blocks wp-admin after deactivating and reactivating the plugin. If the vulnerability data files are missing or unreadable (e.g. after reactivation or server changes), the plugin now recovers automatically: it shows the vulnerability count as zero until the data is restored in the background, and the dashboard continues to load normally.
IMPROVED: Vulnerability module now recreates and re-downloads its data files when they are missing, so you no longer need to reinstall the plugin to fix a "JSONL file not readable" error.
FIX: Hardened vulnerability JSONL file handling: guard fclose() on stream and catch all errors when counting records, so missing or unreadable files never cause a fatal in wp-admin.
FIX: Login Protection - "Failed login warnings" toggle now correctly saves when disabled (was reverting to enabled because unchecked checkbox is omitted from form POST).
FIX: 2FA – Disabling 2FA in settings now persists correctly; toggle uses a hidden input so unchecked state is saved.

5.263

2026-01-25
Improved bandwidth usage getting vulnerabilities for all users.
Improved: Vulnerability scanner now reads vulnerability feeds in a streaming, memory-efficient way to reduce peak memory usage.

5.262

2026-01-20
NEW: Free users now benefit from the firewall based on the excellent 8G Firewall by Jeff Star.
NEW: Events logger now part of free version, basic event monitoring and logging for your site. More advanced tracking in premium version available.
NEW: Core Scanner - Added ability to ignore specific files and patterns from scan results using the securityninja_core_scanner_ignore_files filter. Ignored files are displayed in a separate section for transparency. https://wpsecurityninja.com/docs/core-scanner/how-to-ignore-files/ - Thank you Gary.
IMPROVED: Events Logger - All modules are now included in email reports by default. Users can deselect specific modules in settings.
FIX: Events Logger - Prevented excessive memory usage by skipping translation hooks and reducing repeated license checks during audit logging.
NEW: Quick firewall stats in the sidebar.
Improved: Added 'php_errorlog' to the list of allowed files to view by the file viewer.
Improved: Added firewall events to the overview page for free users.
FIX: Fixed CIDR notation matching in IP whitelist - CIDR ranges now correctly match IPs within the range - Thank you Dirk.
FIX: 2FA generation now uses your site's URL—rather than the site name—for labeling in authenticator apps, ensuring greater clarity and consistency.
FIX: Refactor local request check in Wf_Sn_Tests class by introducing a dedicated method. Thank you Jean.
Tested up to WP 6.9

5.261

2025-11-17
Fixed: 2FA - Changed key name format from "site_url (username):email" to "site_url:username" - Thank you Davina.
Fixed: Compatibility warning with WordPress 6.7 regarding translation loading timing
Fixed: Server security restriction warning when checking wp-config.php file location
Fixed: Fixed critical bug where database prefix changer added an extra underscore when updating wp-config.php, causing WordPress to look for non-existent tables with double underscores (e.g., wp_12345__posts instead of wp_12345_posts). Thank you Tchai.
Fixed: Database prefix changer to properly update option names and meta keys when changing from custom prefixes (not just "wp_").
IMPROVED: Database prefix changer now works with any prefix, not just the default "wp_". Can now rename tables when changing from one custom prefix to another. All plugin tables are automatically included in the renaming process.

5.260

2025-11-12
NEW: Failed login email warnings - administrators receive email notifications when someone attempts to log in with their username and fails. Can be enabled in Login Form Protection settings.
NEW: Admin IPs are automatically whitelisted on plugin activation and successful admin login to prevent administrators from being blocked. Thank you Val.
FIX: Fixed country blocking to respect "only block backend" setting when enabled. Thank you Guru for the tip.
IMPROVED: Secret access URL processing has been moved up in the request cycle to make sure IP whitelisting happens before any ban checks, so blocked visitors should be able to get back on the site more reliably.
IMPROVED: wp-config.php backups are stored in encrypted format (AES-256-CBC) to ensure data security. Each backup uses a unique encryption key and initialization vector. This was introduced in a previous release, but was not added to the changelog.
Update 3rd party libraries - Freemius SDK 2.13.0 among others.

5.259

2025-11-07
IMPROVED: Made the dashboard widget visible when white label mode is enabled. Previously the widget was hidden instead. Thank you for the suggestion, Dmitry.
IMPROVED: Added count-based limit (5000 entries) to visitor log pruning to prevent database bloat on high-traffic sites.
IMPROVED: Removed deprecated X-XSS-Protection header from REST API - modern browsers ignore this header and Content-Security-Policy is the recommended replacement. Thank you Dmitry for the suggestions.
IMPROVED: More information on CSP in our knowledgebase.
FIX: Fixed typo in Permissions-Policy description (explitly → explicitly).
FIX: Updated Permissions-Policy documentation link from Feature-Policy to Permissions-Policy URL.
FIX: Corrected Nginx example in Content-Security-Policy test descriptions (was showing X-Frame-Options instead of CSP).
Preparing for plugin rewrite -> improving the free version and streamlining the premium and free feature set.

5.258

2025-11-06
NEW: Enhanced username enumeration protection - Now prevents username discovery via REST API /wp-json/wp/v2/users endpoint and oEmbed API, in addition to existing ?author=N scan protection. Thanks Allen.

5.257

2025-10-22
Removed duplicate 2FA login requests to prevent error flashes. Thanks to Eric for spotting this.
Added try-catch to prevent problems with corrupted IP location database, thank you Wan.

5.256

2025-10-09
Fix for recommendation engine "wp-config.php not found in the wordpress root directory" - now properly checks for when the config file has been moved up on level. Thank you Eric.
Fix - 2FA email, user reported emails were sent twice with two different codes. Thank you Eric.
Improved 2FA setup page stability and performance across different WordPress configurations.
2FA - naming of the accounts are now a little more intuitive. Thank you Davina.

5.255

NEW: Added XML-RPC protection feature. This update enhances your site's security by allowing you to easily enable or disable XML-RPC access.
Improved: Malware signatures tweaked and improved, thank you users for suggestions.

5.254

NEW: Add secret key display and copy functionality to 2FA module in frontend and backend. Allowing users to easier add the key to their system.
FIX: Installation issues that pop up occasionally has been fixed.
FIX: Timezone on Overview page was incorrect, thank you for spotting Ivar.
FIX: Resolved JavaScript conflicts that prevented 2FA functionality from working with ARMember and other plugins
FIX: 2FA QR code/key generation now works reliably across all site configurations, even if other scripts have errors. "Skip for now" link, "Generate new QR code" button, code input validation, and temporary secret usage during setup all function correctly.
FIX: 2FA setup UI and logic are now robust—QR code generation.
IMPROVED: Enhanced 2FA JavaScript with robust error handling and DOM ready protection
IMPROVED: Added inline JavaScript handlers as fallback to ensure 2FA works even when external scripts fail
IMPROVED: Better error messages and user feedback during 2FA setup process

5.253

NEW: Setting up 2FA for users in admin pages
Fix for coupon protection in WooCommerce modern block cart and checkout page - Thank you Priit.

5.252

Fixes for REST API warnings.
Updated internal libraries (PHP enums, WordPress SDK, and PHP_CodeSniffer tooling) to latest patch versions for improved stability, coding standards checks, and compatibility. No breaking changes.

5.251

Fix: Removed extra whitespace in "import/export".
Fix: Improved "Fixes" features proper loading when doing import/export.

5.250

Remove translated messages for errors logging in, creating a loop trying to present translated messages using WP's translation engine.
Fix: Fixed database prefix renaming to properly handle option names containing embedded prefixes. Thank you Chris!
Enhanced: Improved custom login URL security with proper access control and error handling ...

Entire changelog can be seen here: changelog

Security Ninja – WordPress Security & Firewall

标签

下载

详情介绍:

安装:

屏幕截图:

常见问题:

更新日志: