
Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…

Premium WordPress Security - 100% FREE: Firewall, 2FA, Security Headers, Login and Malware Protection, File Monitor, Security Audit & more
Ratings: 5
Version: 2.6.1
Active installations: 900
Last updated: May 26, 2026

Premium Security. Zero Cost.

Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.

Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, closed plugin detection, malware detection, user management, security audit logging, under attack mode and much more.

Instant Protection

Once activated, Vigilant immediately applies essential security measures:

  • Firewall rules against common attacks (SQL injection, XSS, file inclusion)
  • Security headers for browser protection
  • Login attempt monitoring
  • XML-RPC blocking
  • WordPress version hiding
  • Sensitive file protection (.htaccess, wp-config.php)
  • Automatic backup of your existing configuration files

One-Click Security Presets

Choose a preset and get protected instantly:

Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation.

Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.

You can always customize individual settings after applying a preset.

Under Attack Mode

Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:

  • JavaScript challenge – Every visitor must pass an automatic browser verification before accessing your site. Real browsers solve it in seconds, bots get blocked completely
  • Aggressive rate limiting – Requests limited to 30 per minute with 15-minute blocks for offenders
  • HTTP method restriction – Only GET, POST, and HEAD allowed. PUT, DELETE, PATCH, OPTIONS, and TRACE are blocked
  • Empty user agent blocking – Requests without a user agent header are rejected
  • Full XML-RPC lockdown – All XML-RPC access is blocked during the attack
  • REST API restriction – Only authenticated users can access the REST API
  • Auto-deactivation – Mode automatically turns off after 4 hours so you never forget it’s on
  • Email notifications – Get notified when the mode is activated and deactivated
  • HMAC-signed cookies – Verified visitors receive a cryptographically signed cookie so they only see the challenge once

Under Attack mode works independently from your preset configuration. Your regular security settings are preserved and restored when the mode deactivates.
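As an added example (not Vigilant's own code), this is how an HMAC-signed "challenge passed" cookie of the kind described above can be issued and verified inside a WordPress plugin; the vg_* names, the 4-hour lifetime and the binding of the token to client IP and user agent are assumptions for illustration, and wp_salt(), is_ssl() and HOUR_IN_SECONDS come from WordPress.

```php
<?php
// Added example, not part of the Vigilant plugin. Assumes a WordPress context.
const VG_COOKIE = 'vg_challenge_passed';
const VG_TTL    = 4 * HOUR_IN_SECONDS; // same window as the 4-hour auto-deactivation

function vg_secret(): string {
    // Key the MAC with a site-specific secret so a cookie minted elsewhere never validates here.
    return hash('sha256', wp_salt('auth') . '|vg-challenge');
}

function vg_sign(string $payload): string {
    return hash_hmac('sha256', $payload, vg_secret());
}

// Called once after the browser has completed the JavaScript challenge.
function vg_issue_cookie(string $ip, string $ua): void {
    $expires = time() + VG_TTL;
    // Bind the token to its expiry and to this client so it cannot be copied to a bot fleet.
    $payload = $expires . '|' . hash('sha256', $ip . '|' . $ua);
    $value   = $payload . '|' . vg_sign($payload);
    setcookie(VG_COOKIE, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns true only for an untampered, unexpired cookie that was issued to this client.
function vg_cookie_is_valid(string $cookie, string $ip, string $ua): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false; // malformed: expect expiry|client|mac
    }
    [$expires, $client, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return false; // expired or non-numeric expiry
    }
    $expected = vg_sign($expires . '|' . $client);
    // Constant-time comparison: never compare MACs with == or ===.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    return hash_equals(hash('sha256', $ip . '|' . $ua), $client);
}
```

A request handler would call vg_cookie_is_valid($_COOKIE[VG_COOKIE], $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '') and serve the challenge page whenever it returns false. Binding to the IP means visitors behind rotating NAT or a proxy that does not pass the real client address will be re-challenged, so use the forwarded address only from a trusted proxy.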

Core Security Features

Two-Factor Authentication (2FA)

Add a second verification step to your WordPress login. Choose the method that works best for your team:

  • Authenticator app (TOTP) – Google Authenticator, Authy, Microsoft Authenticator, or any TOTP-compatible app
  • Email codes – One-time 6-digit verification codes sent via email
  • QR code setup directly in user profiles
  • 10 backup codes for emergency access if you lose your device
  • Configurable grace period for users to set up their authenticator app
  • Trusted devices feature – optionally allow users to skip 2FA on recognized devices for 30 days
  • Role-based enforcement – require 2FA for administrators, editors, or any role
  • Exclude specific users from 2FA requirements
  • Admin tool to reset TOTP for users who lost their authenticator
  • Configurable code expiry, attempt limits, and email sender name
  • User notification emails when 2FA is enabled or method changes

Firewall Protection

Block malicious requests before they reach WordPress:

  • SQL injection blocking
  • XSS (Cross-Site Scripting) attack prevention
  • File inclusion protection (LFI/RFI)
  • Directory traversal blocking
  • Bad query string filtering (catches generic suspicious patterns the specific blockers miss)
  • Bad bot detection and blocking
  • Block requests with empty user agent
  • Block legacy HTTP/1.0 requests (almost always automated tools, never modern browsers)
  • Rate limiting against DDoS and brute force, with optional progressive lockouts
  • IP whitelist and blacklist management (with CIDR ranges)
  • User-Agent whitelist and blacklist with partial matching
  • HTTP method restriction
  • Server-level file protection via .htaccess: block direct access to wp-config.php, .htaccess, wp-includes/, and sensitive files (.log, .sql, .bak, .ini, debug.log, readme.html, etc.), and optionally wp-cron.php external access
  • Block PHP execution in /uploads (one of the most common post-exploit vectors)
  • Disable directory browsing

Login Security

Stop unauthorized access attempts:

  • Limit login attempts with configurable thresholds
  • Progressive lockouts – longer blocks for repeat offenders
  • Custom login URL – hide wp-login.php from bots
  • Login URL change notifications to all admin-area users
  • Hide login error messages – don’t reveal valid usernames
  • XML-RPC disable – block this common attack vector, with a separate toggle for just the pingback method if you still need other XML-RPC features
  • Application passwords control
  • Email notification when an IP is blocked for exceeding login attempts
  • Admin login notifications via email
  • IP whitelist for trusted locations

User Security

Comprehensive user account protection:

  • Block insecure usernames (admin, test, root, etc.) on new registrations
  • Warn about existing users with insecure usernames so you can rename or remove them
  • Block author scanning — intercept ?author=N URLs so WordPress doesn’t redirect them to /author/USERNAME/ and leak the login slug
  • Force strong passwords with minimum length
  • Password expiration with configurable intervals
  • Password history – prevent reusing old passwords
  • Force password reset — by specific users, by role, or all users (post-hack recovery)
  • Session limits – control concurrent logins per user
  • Session management – view and revoke active sessions
  • Email verification for new registrations
  • Registration approval workflow – manually approve new users
  • Admin account monitoring – alerts for new admins, email changes, password changes, privilege escalation
  • Display name protection – prevent exposing login username publicly

Security Headers

Achieve Grade A security ratings:

  • Content Security Policy (CSP) with visual builder and Report-Only mode for safe testing before enforcing
  • HSTS (HTTP Strict Transport Security) with includeSubdomains and preload options
  • X-Frame-Options – prevent clickjacking
  • X-Content-Type-Options – prevent MIME sniffing
  • X-XSS-Protection – kept available for auditors that still check it (deprecated in modern browsers, superseded by CSP)
  • Referrer Policy control
  • Permissions Policy (camera, microphone, geolocation, payment, USB)
  • Cross-Origin policies (COEP, COOP, CORP)
  • HTTPS enforcer with automatic mixed content fix
  • Server fingerprint hiding — Server: Apache/x.y.z header neutralized, X-Powered-By and other fingerprinting headers stripped from responses

File Integrity Monitoring

Detect unauthorized changes to your files and compromised plugins:

  • WordPress core verification against official checksums
  • Plugin and theme file monitoring with WordPress.org checksums
  • Critical config files (wp-config.php, .htaccess) monitored against baseline — detects code injection even in files with no official checksum
  • Closed and removed plugins detection — daily check against the WordPress.org plugin repository, flags any installed plugin closed for malware, security issues, guideline violations or supply chain compromises. Detects two flavors of closure: explicit with closure date and reason, and "removed" (metadata hidden by wp.org, typical of Security Issue takedowns). Per-slug Ignore for legacy plugins you can’t uninstall yet
  • Line-level diff view of changes, with per-file approval workflow
  • Suspicious code scanning for plugins and themes without checksums
  • Extra file detection in plugins and themes (files not in original distribution)
  • Two-level detection: strict obfuscation combos for plugins, broad patterns for uploads
  • Uploads directory scanning for PHP files, double extensions, and .htaccess
  • Root directory scanning for non-core PHP files (common attack vector)
  • Smart .htaccess classification in uploads – distinguishes dangerous rules from protective ones
  • String concatenation obfuscation detection
  • Configurable notification levels (all issues, suspicious only, or disabled)
  • Ignore list to dismiss known files from results
  • Excluded paths and file extensions
  • Scheduled automatic scans (daily, weekly)
  • HTML formatted email alerts with severity sections, including a dedicated section for closed plugins

Security Audit

Track everything happening on your site:

  • Successful and failed login attempts
  • Two-factor authentication events
  • User account changes (creation, deletion, role changes)
  • Content modifications (posts, pages)
  • Plugin and theme activations/deactivations
  • Security events and blocked threats
  • HTTP request method tracking and filtering (GET, POST, PUT, DELETE)
  • Enhanced log detail popup with grouped sections and quick actions
  • One-click add IP or User-Agent to firewall whitelist/blacklist from log entries
  • Direct IP lookup links to AbuseIPDB
  • Configurable retention period
  • Export logs to CSV
  • Filter by event type, severity, request method, or date

Security Check

On-demand security audit built into the Dashboard. No external services, no accounts, no API keys — everything runs on your server:

  • 40+ checks across 6 categories: SSL/TLS, HTTP Headers, WP Exposure, Access & Auth, Sensitive Files, and Internal Checks
  • Single 0–100 score with A–E grade, plus per-category breakdown and explanatory details for every check
  • 14 exclusive internal checks impossible from the outside: PHP end-of-life status, pending updates, inactive plugins, closed or removed plugins in the WordPress.org repository, file permissions, default salts detection, wp_ table prefix, admin username, administrators without 2FA enrolled, module status, recent audit errors, and last File Integrity scan result
  • DNS-only reputation lookup against Spamhaus ZEN, Barracuda BRBL and SpamCop SCBL (informational — listings are flagged but don’t deduct from the score)
  • Two-phase scan: fast local checks appear in under a second, remote checks stream in as they complete
  • Weekly automatic scan with opt-in email alert if the score drops by 10+ points or a new critical check starts failing
  • 30-scan history with sparkline trend and delta chip so you can see how changes to your site affect security over time
  • "Go to setting" fix link on every failing check — jump straight to the exact Vigilant field that resolves it, with a visual pulse on arrival
  • Smart header diagnostics report "configured but not being served" when a cache/CDN overrides your headers, instead of just marking it green or red

WordPress Hardening

Layered protection at the WordPress level — admin, content, head, feeds, and database:

  • Lock down the WordPress admin: disable the built-in plugin and theme file editor, block installations and updates from the admin area, and force HTTPS for the admin area. Compatible with any hosting layout, including managed hosts and custom configurations that already define some of these settings on their own — Vigilant always respects values already in place and never overrides them
  • Disable WordPress’s internal page-view cron when you already have a real server-side cron job configured, removing the small performance hit caused by triggering scheduled tasks on every visit
  • Dashboard warning when debug mode is left enabled in production, so error output never leaks to visitors
  • Hide your WordPress version everywhere it can leak: from the HTML head, from RSS and Atom feeds, and optionally from every script and style URL on the front-end. The asset cleanup is precise — it only strips the WordPress version itself, leaving versions added by plugins and themes intact so their cache busting keeps working
  • Automatic daily removal of readme.html, license.txt, and licencia.txt from the WordPress root, which otherwise expose your WordPress version to anyone visiting them directly
  • HTML head cleanup — remove the RSD link, Windows Live Writer manifest, shortlink header, and REST API discovery link
  • Database hardening — security check for the default wp_ table prefix and one-click rename tool with full backup before the change
  • Comment security — honeypot field against spam bots, force moderation on every new comment, close comments on old posts after a configurable number of days, disable pingbacks and trackbacks
  • Feed management — completely disable RSS and Atom feeds, or only disable them when the site has no published content

REST API Security

Control API access to your site:

  • Three access modes: public (default WordPress behavior), authenticated only (closes the API to anonymous visitors), or selective (custom allow/block lists)
  • Block user enumeration via /wp-json/wp/v2/users
  • Protect any list of sensitive endpoints from anonymous access
  • Per-plugin compatibility toggles so authenticated mode doesn’t break the front-end: WooCommerce, Contact Form 7, Gravity Forms, WPForms, Elementor, Jetpack. oEmbed and Site Health endpoints stay accessible by default so embeds and the Tools > Site Health screen keep working

Security Tools

Utilities included:

  • Database Backup – Download a full or partial database backup as ZIP with table selection
  • Database Prefix Change – Change the default wp_ prefix to a random secure prefix
  • Export/Import Settings – Transfer your configuration between sites
  • Manual Backup – Create backups of .htaccess and wp-config.php on demand
  • Reset to Defaults – Start fresh with one click

Safe by Design

Automatic Backup System

Your existing .htaccess, wp-config.php, and robots.txt are automatically backed up before any modifications. Backups include integrity verification (MD5 checksums) and are stored safely in wp-content/vigilante-backups/, persisting through plugin updates.

Clean Rollback

When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.

Why choose Vigilant?

Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront — no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, security audit, on-demand Security Check with weekly regression alerts, and more. All free, all maintained, all following WordPress coding standards.

If your current security plugin asks you to pay for features that should be basic, take a look at what Vigilant offers out of the box.

How does Vigilant compare?

We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each plugin offers in its free version and where Vigilant fills the gaps.

View the full comparison

Support

Need help or have suggestions?

Love the plugin? Please leave us a 5-star review and help spread the word!

About AyudaWP

We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.

Free (with paid plans)
Tested up to: WordPress 7.0