Linux 软件免费装

Vigilant - 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…

Developer: fernandot
ayudawp
Updated: March 19, 2026 07:24
PHP version: 7.4 or later
WordPress version: 6.9
License: GPL v2 or later
License URL: License information

Tags

security protection firewall malware 2fa

Download

1.0.2 1.0.3 1.4.1 1.4.2 1.3.2 1.5.2 1.1.1 1.5.0 1.0.0 1.0.1 1.3.1 1.4.0 1.5.3 1.5.4 1.5.1 1.0.4 1.1.0 1.2.0 1.2.1 1.2.2 1.2.3 1.3.0

Description:

Premium Security, Zero Cost

Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls. Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, malware detection, user management, activity logging, under attack mode and much more.

Instant Protection

Once activated, Vigilant immediately applies essential security measures:

One-Click Security Presets

Choose a preset and get protected instantly:

  • Standard - Balanced security suitable for most websites. Enables all modules with sensible defaults that won't interfere with normal site operation.
  • Maximum Security - Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.

You can always customize individual settings after applying a preset.

Under Attack Mode

Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:

Under Attack mode works independently from your preset configuration. Your regular security settings are preserved and restored when the mode deactivates.

Core Security Features

Two-Factor Authentication (2FA)
Add a second verification step to your WordPress login. Choose the method that works best for your team:

Firewall Protection
Block malicious requests before they reach WordPress:

Login Security
Stop unauthorized access attempts:

User Security
Comprehensive user account protection:

Security Headers
Achieve Grade A security ratings:

File Integrity Monitoring
Detect unauthorized changes to your files:

Activity Log
Track everything happening on your site:

WordPress Hardening
Additional security measures:

REST API Security
Control API access to your site:

Security Tools
Utilities included:

Safe by Design

Automatic Backup System
Your existing .htaccess, wp-config.php, and robots.txt are automatically backed up before any modifications. Backups include integrity verification (MD5 checksums) and are stored safely in wp-content/vigilante-backups/, persisting through plugin updates.

Clean Rollback
When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.

Why choose Vigilant?

Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront — no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, activity log, and more. All free, all maintained, all following WordPress coding standards. If your current security plugin asks you to pay for features that should be basic, take a look at what Vigilant offers out of the box.

How does Vigilant compare?

We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each plugin offers in its free version and where Vigilant fills the gaps.

→ View the full comparison

Installation:

  1. Upload the plugin files to /wp-content/plugins/vigilante/ or install directly from the WordPress plugin repository
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. Go to 'Vigilant' in the admin menu
  4. Apply a security preset or customize individual module settings
Requirements:

Screenshots:

  • Two-Factor Authentication - Second verification step during login
  • Login Security - Brute force protection, 2FA, lockouts, and custom login URL
  • User Security - Complete user protection tools and settings
  • Password Expiration - Force periodic password changes with history
  • Registration Approval and Session Limits - Control new users and concurrent logins
  • File Integrity - Scanner settings and verification results
  • Activity Log - Filterable event viewer with export option
  • Database Backup - Download full or partial database backups with table selection

Upgrade Notice:

  • 1.5.4 WooCommerce compatibility: close old comments no longer blocks product reviews. Email header translation fix. Database backup table list visual improvements.
  • 1.5.2 2FA remember device now admin-controlled (disabled by default). Password expiry email reminders now work. File integrity scanner reduces false positives by skipping version.php and readme files. Default notification level is now "Suspicious only".
  • 1.5.0 New TOTP authenticator app 2FA (Google Authenticator, Authy, etc.) alongside email codes. Backup codes, grace period, admin reset tool, QR setup in profiles, HTML emails, admin password change alerts, and email delivery fixes.
  • 1.4.2 All list tables now include pagination (20 items per page) with navigation controls: activity log, file integrity results, ignored files, blocked IPs, and active sessions. Faster page loads on sites with many log entries.
  • 1.4.1 Firewall messages are now fully translatable. Session limits default to "Close oldest session" (recommended). Memory limit default raised to 1024 MB with new 2048 MB option.
  • 1.4.0 Major file integrity overhaul: two-level detection, plugin/theme extra file scanning, HTML email notifications, ignore list, excluded paths/extensions, double extension and .htaccess detection in uploads.
  • 1.3.2 Fixed file integrity email notifications not being sent when the notification email field was left empty.
  • 1.3.1 Full translation support for all admin interface strings. File integrity email notifications now work correctly for both manual and scheduled scans.
  • 1.3.0 Firewall User-Agent whitelist/blacklist for service exclusions. Activity log now tracks HTTP methods with filtering and improved detail popup with quick firewall actions.
  • 1.2.3 Fixes a bug where firewall IP whitelist/blacklist entries were not saved correctly, causing exclusions to fail. Existing corrupted IP lists are automatically repaired on update.
  • 1.2.1 Better wp-config.php constants insertion.
  • 1.2.0 New database tools: download database backups and change the default wp_ prefix for better security.
  • 1.1.0 New Under Attack mode: one-click emergency protection with JavaScript challenge verification. Activate it from the Vigilant dashboard when your site is under attack.
  • 1.0.4 File Integrity scanner improvements. Suspicious files in uploads are now detected reliably.
  • 1.0.1 Important compatibility fix for plugins using the REST API. After updating, go to Vigilant settings and save your Firewall settings to regenerate the .htaccess rules.
  • 1.0.0 Initial release. Please back up your site before installing any security plugin.

FAQ:

Will this plugin slow down my site?

No. Vigilant is optimized for performance. The firewall uses efficient pattern matching, database queries are cached with transients, and .htaccess rules execute at server level before PHP even loads.

What happens when I activate the plugin?

Vigilant immediately creates a backup of your existing .htaccess and wp-config.php files, then applies default security settings. All modules are enabled with balanced defaults suitable for most sites.

What happens when I deactivate the plugin?

All security modifications are automatically reverted. The .htaccess rules are removed, wp-config.php constants are restored to their original values, and scheduled tasks are cleared. Your site returns to its pre-Vigilant state.

How does two-factor authentication work?

Vigilant supports two 2FA methods. With the authenticator app (TOTP), you scan a QR code in your profile to link an app like Google Authenticator or Authy, then enter a 6-digit code from the app on every login. With email codes, you receive a one-time code via email after entering your password. If enabled by the site administrator, you can mark your device as trusted to skip 2FA for 30 days.

What if I lose my phone or authenticator app?

When you set up TOTP, Vigilant generates 10 backup codes. You can use any of them as a one-time replacement for the authenticator code. If you run out of backup codes, an administrator can reset your TOTP from the plugin settings.

What if I don't receive the 2FA email code?

Check your spam folder first. You can click "Resend code" on the verification form. Codes expire after 10 minutes by default. If issues persist, an administrator can temporarily disable 2FA from the plugin settings.

Can I switch between email and authenticator app?

Yes. Go to Login Security > Two-Factor Authentication and change the verification method. If notifications are enabled, affected users will receive an email explaining the new method and how to set it up.

Which user roles require 2FA?

By default, 2FA is enforced for administrators and editors. You can customize which roles require 2FA in the Login Security settings, and exclude specific users individually.

How do I recover if I'm locked out?

Access your site via FTP/SFTP and either rename the plugin folder to disable it temporarily, or delete the vigilante_login_attempts table rows for your IP address in the database.

Will the firewall block legitimate users?

The firewall is configured to allow normal WordPress operations, including the block editor, REST API, and popular page builders. If you experience issues, you can whitelist specific IPs or adjust rate limiting thresholds.

Can I use this with other security plugins?

While Vigilant works standalone, running multiple security plugins can cause conflicts. We recommend testing in a staging environment first if you need to combine security solutions.

Does this work with caching plugins?

Yes. Vigilant is compatible with popular caching plugins. The firewall runs before cache layers, and .htaccess rules don't interfere with caching mechanisms.

Does this work with WooCommerce?

Yes. Vigilant includes compatibility settings for WooCommerce. The REST API security module automatically allows WooCommerce endpoints, and the firewall won't block payment gateway connections.

How do I test my security headers?

Use the built-in header testing tool in the Security Headers tab, or visit securityheaders.com with your site URL to get a security grade.

What is password expiration?

You can require users to change their passwords after a set number of days (30, 60, 90, etc.). Users receive warnings before expiration and are forced to change their password on next login when it expires. Password history prevents reusing recent passwords.

What is registration approval?

When enabled, new user registrations require manual approval by an administrator before the account becomes active. Pending users cannot log in until approved. You can configure auto-rejection after a set number of days.

What does email verification do?

New users must verify their email address by clicking a link before their account becomes active. This prevents fake registrations and ensures valid contact information.

How do session limits work?

You can limit how many concurrent sessions each user can have. When the limit is reached, either the new login is blocked or the oldest session is terminated, depending on your configuration.

Can I export the activity log?

Yes. The activity log can be exported to CSV format for external analysis or compliance reporting. You can also filter logs by event type, user, or date range before exporting.

What files does the integrity scanner check?

The scanner compares WordPress core files, plugin files, and theme files against official checksums from WordPress.org. Plugins and themes without available checksums are also scanned using strict obfuscation pattern detection. The uploads directory is scanned for PHP files, double extensions, and .htaccess files. Extra PHP files not present in original distributions are detected and, if they contain suspicious code, automatically flagged as suspicious.
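As an added example of the scan logic described above (not Vigilant's code), this Python sketch compares a site tree against a path-to-MD5 manifest of the kind WordPress.org publishes for core, reports extra PHP files and flags obfuscation patterns in them, and checks the uploads directory for PHP, .htaccess and double-extension files. The manifest, site tree and suspicious-code patterns are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicators of obfuscated PHP (example patterns, not the plugin's own rules).
SUSPICIOUS = re.compile(rb"eval\s*\(\s*base64_decode|gzinflate\s*\(|str_rot13\s*\(", re.I)
DOUBLE_EXT = re.compile(r"\.(php|phtml)\.\w+$", re.I)


def scan(root: str, manifest: dict) -> dict:
    """Compare files under root with a {relative_path: md5} manifest and inspect uploads."""
    found = {"modified": [], "extra": [], "suspicious": [], "uploads": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                body = fh.read()
            if rel.startswith("wp-content/uploads/"):
                # Uploads should never carry executable PHP, .htaccess or double extensions.
                if rel.lower().endswith(".php") or name == ".htaccess" or DOUBLE_EXT.search(name):
                    found["uploads"].append(rel)
            elif rel in manifest:
                if hashlib.md5(body).hexdigest() != manifest[rel]:
                    found["modified"].append(rel)
            elif rel.lower().endswith(".php"):
                # Not part of the official distribution: report it, flag obfuscation patterns.
                found["extra"].append(rel)
                if SUSPICIOUS.search(body):
                    found["suspicious"].append(rel)
    return found


def demo() -> dict:
    """Build a constructed site tree in a temp dir and scan it (sample data, not a real site)."""
    root = tempfile.mkdtemp()
    files = {
        "wp-includes/version.php": b"<?php $wp_version = '6.9';\n",
        "wp-settings.php": b"<?php // tampered copy\n",
        "wp-content/plugins/demo/evil.php": b"<?php eval(base64_decode('aGk='));\n",
        "wp-content/uploads/2026/shell.php.jpg": b"<?php echo 1;\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    manifest = {  # constructed "pristine" hashes standing in for WordPress.org checksums
        "wp-includes/version.php": hashlib.md5(files["wp-includes/version.php"]).hexdigest(),
        "wp-settings.php": hashlib.md5(b"<?php // pristine copy\n").hexdigest(),
    }
    return scan(root, manifest)
```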

How often does the file integrity scan run?

You can configure automatic scans to run daily or weekly. You can also run manual scans at any time. Email notifications support three levels: all issues, suspicious files only, or disabled.

What is the difference between Standard and Maximum presets?

Standard applies balanced settings suitable for most sites. Maximum applies stricter rules: lower rate limits, tighter CSP policies, required admin notifications, session limits, and more aggressive hardening. Maximum may require adjustments for sites with complex functionality.

Where are backups stored?

Backups are stored in wp-content/vigilante-backups/. This location persists through plugin updates. The directory is protected with .htaccess rules to prevent direct access.

What is Under Attack mode?

Under Attack mode is an emergency feature you can activate when your site is experiencing an active attack. It adds a JavaScript challenge that real browsers solve automatically in a few seconds, while bots and automated scripts are blocked completely. It also applies aggressive rate limiting, blocks restricted HTTP methods, and restricts API access.

Will Under Attack mode affect my logged-in users?

No. Logged-in users, admin pages, cron jobs, AJAX requests, and the login page are all excluded from the JavaScript challenge. Only unauthenticated frontend visitors see the verification page.

What if I forget to turn off Under Attack mode?

It automatically deactivates after 4 hours. You will also receive an email notification when it activates and deactivates.

Does Under Attack mode change my regular security settings?

No. It operates independently from your preset configuration (Standard or Maximum). Your regular settings are untouched and continue working normally after Under Attack mode deactivates.

How does the database backup work?

Go to Vigilant > Tools > Database Backup. Select which tables to include (or leave all selected), then click Download. The backup is generated as a ZIP file containing a SQL dump. No files are stored on the server.

What does changing the database prefix do?

WordPress uses wp_ as the default table prefix. Changing it to a random prefix adds a layer of protection against SQL injection attacks that target default table names. Go to Vigilant > WP Hardening > Database Hardening. Always create a backup before changing the prefix.

How do I exclude management services like ManageWP from the firewall?

Go to Vigilant > Firewall > User-Agent Lists and add the service name (e.g., ManageWP, MainWP, UptimeRobot) to the User-Agent Whitelist. Partial matching is used, so entering "ManageWP" will match any User-Agent string containing that keyword.

Changelog:

1.5.4 1.5.3 1.5.2 1.5.1 1.5.0 1.4.2 1.4.1 1.4.0 1.3.2 1.3.1 1.3.0 1.2.3 1.2.2 1.2.1 1.2.0 1.1.1 1.1.0 1.0.4 1.0.3 1.0.2 1.0.1 1.0.0