| 开发者 | webmastersteam |
|---|---|
| 更新时间 | 2026年7月7日 17:53 |
| 捐献地址: | 去捐款 |
| PHP版本: | 8.0 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
wp-config.php, or .htaccess. Everything works through WordPress hooks and can be disabled at any moment with a single click.
The plugin is completely free, without a PRO version, without ads, and without sending data to external servers. Built by the webmasters.team crew for daily WordPress work.
Modules
xmlrpc.php (403) and filters the XML-RPC methods. Stops brute-force attacks through the most attacked WordPress endpoint./wp/v2/users in the REST API for unauthenticated users./?author=1 to the homepage (another enumeration vector).author_name and author_url from oEmbed responses (WPScan-detectable user-enumeration vector) and drops the oEmbed discovery <link> tags from <head>.<meta name="generator"> tag, ?ver= query strings from assets, and redundant meta tags (wlwmanifest, rsd, shortlink).X-Pingback HTTP header from all responses.wp_options), with hourly cleanup of old entries.DISALLOW_FILE_EDIT, hiding the theme and plugin editor in the admin (an attacker who compromises an account cannot inject a backdoor through the browser).X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, optionally HSTS (use with care - browsers cache it for a year).__()/esc_html__() and a POT file for translators.wt-hardening folder to wp-content/plugins/ on your server.No. Everything is wired through WordPress hooks. Deactivating the plugin instantly reverts all changes (except HSTS, which browsers cache - enabling HSTS is a conscious decision).
Possibly, if you actually rely on them. Disable the XML-RPC module in the settings - the other protection layers stay active.
The table stays in the database (useful for later analysis). On full uninstall the tables are dropped cleanly.
Tested on a single-site install. Multisite should work since we do not use superadmin-specific APIs, but it is not yet formally supported - file an issue if something breaks.
Modules only register the hooks they actually need. The event log is a single INSERT per event. No scanner, no background work beyond an hourly and daily cleanup of old rows. Real impact on response time: under 1 ms.
Because Strict-Transport-Security has a sticky effect - browsers remember the header for a year. Enabling it too early (before your entire traffic works on HTTPS without errors) can lock users out of the site for a long time. Turn it on once HTTPS is rock-solid.
wp_create_user()?No - the policy hooks into admin form validation (profile, registration, reset). Programmatic user creation bypasses these hooks by design. For a typical client workflow (users are created through the admin panel) this is enough.
author_name and author_url from oEmbed JSON responses (a low-effort user-enumeration vector automatically picked up by WPScan) and drops the oEmbed discovery <link> tags from <head> to reduce the public surface. Enabled by default.EventsPage).parse_url() with wp_parse_url() in the XML-RPC module.uninstall.php and add safe-query annotations.