
Aria Security Suite

Enterprise-grade WordPress security: WAF, malware scanner, hide login, 2FA, live traffic monitoring, and optional cloud API.
Version: 1.2.5
Last updated: Jun 26, 2026

Aria Security Suite is a modular, production-ready security plugin for WordPress. It delivers enterprise-level protection layers that work standalone on your server — and can optionally connect to your own Enterprise Security API for centralized WAF decisions, integrity checks, and reporting.

Built with clean PHP architecture (PSR-4), a modern AJAX admin experience, and privacy-first defaults: no outbound calls until you configure and enable each feature.

Why Aria Security Suite?

  • All-in-one protection — firewall, login hardening, malware scanning, honeypots, session control, and live traffic monitoring in one plugin.
  • Zero performance penalty — heavy scans and log sync run in the background via WP-Cron or Action Scheduler.
  • Privacy by design — cloud API, Cloudflare, geo lookups, vulnerability scanning, and webhooks are opt-in only.
  • Actionable security score — grades your site A–F with clear recommendations.
  • Developer-friendly — modular codebase, REST API endpoints, HMAC-signed API client, and GPL-licensed.

Setup & Dashboard

  • 3-step Onboarding Wizard — choose Basic, Medium, or Strict presets in seconds.
  • Security Grade Score (0–100) — real-time posture analysis with actionable tips.
  • Dashboard Widget & Admin Bar — security status at a glance from any admin screen.
  • Modern AJAX UI — fast, reload-free settings with responsive design.

Login & Authentication

  • Hide Login Page — replace wp-login.php with a custom secret URL.
  • Passwordless Login (Magic Links) — secure email-based one-time login tokens.
  • Two-Factor Authentication (2FA) — API-integrated second factor for admin accounts.
  • Session Manager — view and remotely destroy active sessions across devices.
  • Device Fingerprinting — recognize trusted admin devices.
  • Brute-Force Protection — rate limiting and automatic IP bans on failed logins.

Firewall & Network (WAF)

  • Web Application Firewall — local rules plus optional offload to Enterprise API.
  • Cloudflare Integration — push banned IPs to Cloudflare edge firewall (CDN level).
  • Geo-Blocking — block traffic by country with 24-hour local IP cache.
  • PHP Execution Blocker — prevent PHP execution in uploads via .htaccess / web.config.
  • User-Agent Filtering — block known malicious bots and scanners.
  • XML-RPC Control — disable xmlrpc.php to stop pingback and brute-force vectors.

Scanners & Integrity

  • Heuristic Malware Scanner — background scan for suspicious patterns (eval, base64_decode, obfuscated code).
  • File Integrity Monitor — detect unauthorized changes to core WordPress files.
  • Hash Scanner — verify file hashes against known-good baselines.
  • Vulnerability Scanner — optional cloud comparison of installed plugin versions (explicit opt-in).

Spam & Intrusion Prevention

  • Invisible Honeypots — registration, comments, login, and Contact Form 7 — no CAPTCHA needed.
  • Behavioral Analysis — detect anomalous request patterns.
  • Global Ban Sync — share ban lists when connected to Enterprise API.

Monitoring, Logging & Alerts

  • Live Traffic Monitoring — real-time request log with IP, path, status codes, and user-agents (Wordfence-style).
  • SQL Query Analyzer — surface slow or suspicious database queries.
  • Log Rotation — automatic cleanup with configurable retention.
  • Webhooks — instant alerts to Slack, Telegram, or custom JSON endpoints.
  • Central Reporting — signed log export to your Enterprise API.
  • Encrypted Backup Requests — trigger cloud backups from the admin panel.

Hardening & Headers

  • Security Headers — CSP, X-Frame-Options, X-Content-Type-Options, and more.
  • Table Prefix Advisor — guidance for safer database prefixes.
  • Crypto Vault — secure storage for API secrets and sensitive options.

Optional Enterprise API

Connect your own API endpoint for WAF offload, heartbeat health checks, hash verification, ban reporting, quota lookups, and vulnerability intelligence. Credentials are stored encrypted; every request is signed with HMAC-SHA256.

Developers: Alireza Aminazdeh · syeedalireza

Websites: aryait.net · ariacoder.ir

External services

This plugin may connect to third-party or external services only when you explicitly enable and configure the related feature. No outbound tracking or data collection occurs by default.

Enterprise Security API (optional)

When you enter an API Base URL, Site ID, and Secret Key under API & Connection, the plugin can send signed requests to your configured Enterprise Security API for features such as WAF decisions, heartbeat health checks, hash integrity verification, ban reporting, quota lookups, and (if opted in) vulnerability scanning.

Data sent: Request metadata (IP, path, HTTP method, user-agent, query parameter names), security event logs, file hashes, and—only when the Vulnerability Scanner opt-in is enabled—installed plugin slugs and versions.

When: Only after credentials are saved and the relevant feature is turned on. Heartbeat runs on WP-Cron when the API is configured. Plugin inventory is sent only when the Vulnerability Scanner opt-in is enabled.

Service provider: Your own Enterprise Security API endpoint (URL you provide). You are responsible for that service’s terms and privacy policy.

Cloudflare API (optional)

When Cloudflare integration is enabled and you provide a Zone ID and API token, the plugin calls the Cloudflare API to create firewall access rules that block malicious IP addresses at the CDN edge.

Data sent: IP addresses of blocked visitors and a short note identifying the block source.

When: Only after you enable Cloudflare integration and supply credentials, and only when a local security rule triggers an IP ban.

Service provider: Cloudflare, Inc. — Terms of Use, Privacy Policy.

ip-api.com (optional)

When Geo-Blocking is enabled and you configure blocked countries, the plugin queries ip-api.com to resolve a visitor’s country code from their IP address.

Data sent: The visitor’s IP address.

When: Only when Geo-Blocking is enabled, a country block list is configured, and the country for an IP is not already cached locally (results are cached for 24 hours).

Service provider: ip-api.com — Terms & Legal, Privacy Policy.

User-configured webhooks (optional)

When you add Slack, Telegram, or generic webhook URLs under Alerts & Notifications, the plugin POSTs JSON alert payloads to those URLs when security events occur.

Data sent: Alert severity, message text, and contextual fields (e.g., IP address, event type).

When: Only after you save a webhook URL and a qualifying security event fires.

Service provider: The third-party service behind the URL you provide (e.g., Slack, Telegram). See their respective terms and privacy policies.

Free on paid plans
Tested up to: WordPress 6.7.5