
JR Security Hardening and Login Protection

WordPress hardening and login protection: security headers, enumeration blocking, rate limiting, IP whitelist, event logging and server rules.
Version
1.0.0
Last updated
May 21, 2026

JR Security Hardening and Login Protection secures your WordPress installation at the application level with one-click hardening modules. Designed to be secure by default and Cloudflare compatible.

Included modules:

  • Disable XML-RPC — Full block (filter + hard block) to prevent brute force attacks and pingback DDoS.
  • Hide WordPress version — Removes version from generator meta and CSS/JS assets.
  • Disable file editor — Prevents theme and plugin editing from the admin panel (DISALLOW_FILE_EDIT).
  • Disable emojis — Removes WordPress emoji scripts and styles, improving performance.
  • Block user enumeration (?author= and /author/) — Dual-layer protection against username discovery.
  • Block REST enumeration (wp-json users) — Prevents enumeration via the WordPress REST API.
  • Block sensitive paths/files — Blocks access to readme.html, license.txt, .env, .git, composer.json, etc. (only what passes through WordPress).
  • Security headers — X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options, HSTS (HTTPS only) and removal of technology-revealing headers.
  • Login protection — Rate limiting by IP and by user+IP with configurable temporary lockout.
  • IP whitelist — Excludes trusted IPs from rate limiting to avoid accidental lockouts.
  • Email notification — Receive an email when an IP is locked out due to too many failed login attempts.
  • Activity log — Security event logging in a dedicated database table with configurable retention and automatic cleanup via cron.
  • Ready-to-use server rules — Code for Apache (.htaccess) and Nginx to block static files that WordPress cannot reach.

Smart IP detection:

  • Native support for Cloudflare (CF-Connecting-IP).
  • Option to trust X-Forwarded-For / X-Real-IP behind trusted proxies.
  • Fallback to REMOTE_ADDR.
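The header order above only helps if forwarded headers are honoured solely when the connection comes from a proxy you control; otherwise a client can set them itself and sidestep the rate limiter or match a whitelisted IP. The following PHP sketch is an added example, not the plugin's code. The names `TRUSTED_PROXIES`, `ip_in_cidr`, `is_trusted_proxy` and `resolve_client_ip` are hypothetical, and the addresses are constructed documentation ranges.

```php
<?php
// Added example (not the plugin's code). TRUSTED_PROXIES holds constructed
// documentation ranges; substitute your real proxy/CDN egress ranges.
const TRUSTED_PROXIES = ['192.0.2.0/24', '2001:db8::/32'];

// True if $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) return false;
    $bits = (int) ($bits ?? strlen($ipBin) * 8);
    if ($bits < 0 || $bits > strlen($ipBin) * 8) return false;
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) return false;
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // 0 when the prefix is byte-aligned
    return $mask === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Resolve the client IP from a $_SERVER-style array.
function resolve_client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($remote)) {
        return $remote; // direct peer: any forwarded header is client-controlled
    }
    $cf = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if (filter_var($cf, FILTER_VALIDATE_IP)) {
        return $cf;
    }
    // Rightmost X-Forwarded-For hop that is not one of our proxies is the client.
    foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')) as $hop) {
        $hop = trim($hop);
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break; // malformed chain: stop trusting it
        if (!is_trusted_proxy($hop)) return $hop;
    }
    return $remote;
}

// Constructed requests: a direct peer sending its own header, then a proxied one.
echo resolve_client_ip(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7']), PHP_EOL;
echo resolve_client_ip(['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.7, 192.0.2.11']), PHP_EOL;
```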

Clean uninstall:

When the plugin is deleted, all options, the events table and transients are removed. No data is left behind in your database.

Free on paid plans
Tested up to
WordPress 6.9.4
This plugin is available for download to install on a site.