plugin-icon

Ultimate Security – Login Protection, 2FA, Anti-Spam CAPTCHA, Brute-Force & Security Tools

Por WP Ultimate Security·
Block hackers, bots and brute-force attacks with 2FA, CAPTCHA, login protection, session controls, security tools and more.
Brute Force
captcha
login security
Votações
Adicionar uma avaliação
Versão
1.0.20
Instalações ativas
10
Última atualização
May 19, 2026
Ultimate Security – Login Protection, 2FA, Anti-Spam CAPTCHA, Brute-Force & Security Tools

WORDPRESS SECURITY PLUGIN — PROTECTION WITHOUT THE COMPLEXITY

Automated bots probe WordPress logins and forms around the clock. Ultimate Security shuts that down — with two-factor authentication, brute-force lockouts, anti-spam CAPTCHA, a hidden login URL, session controls, and security maintenance tools — all from a clean dashboard you do not need to be a security expert to run.

🛡️ Lightweight. Privacy-first. No bloat.

Why Ultimate Security?

  • It just works. Sensible defaults out of the box — turn it on, you are safer in minutes.
  • Built for real attacks. Stops the automated login, brute-force and spam traffic that actually hits WordPress sites.
  • Zero learning curve. Plain-English settings, a Test Mode to preview rules before they go live.
  • Privacy-respecting. No tracking, no data collection. Pro features are clearly labelled.

🔐 Login & Two-Factor Authentication

  • Two-Factor Authentication (2FA) — Email one-time codes and authenticator apps via TOTP/HOTP.
  • Per-user 2FA with role-based configuration options — Let users enable 2FA and configure which roles should use email or app-based 2FA.
  • Brute-force login lockout — Limit failed attempts, auto-lock offenders, auto-reset retries, block specific users, and keep a recovery URL for emergencies.
  • Custom login URL — Hide wp-admin / wp-login.php behind a secret address so bots cannot find it.
  • Strong password policies — Enforce length, complexity, expiry and password history.
  • Session control — Limit concurrent logins per user and harden auth cookies.

🤖 Bot & Brute-Force Protection

  • Anti-spam CAPTCHA — Google reCAPTCHA v2/v3 and Cloudflare Turnstile.
  • Form coverage — Protect WordPress login, registration and lost-password forms; Turnstile also supports comment forms; WooCommerce login/register forms are supported when enabled.
  • No-conflict mode — Plays nicely alongside other CAPTCHA setups.

🧱 Security Maintenance & Controls

  • Rotate WordPress security keys / salts on demand.
  • Use the Update Manager to control WordPress core, plugin and theme update behavior.
  • Connect Cloudflare and deploy configurable WAF rule groups from the dashboard.
  • Review a basic Security Score with prioritized security checks.
  • Advanced hardening toggles, API privacy filtering and scheduled salt rotation are available in Pro.

📊 Monitoring & Tools

  • Login Activity snapshot — Review recent successful and failed login activity from the dashboard.
  • Basic Security Score — See a scored security posture based on enabled protections.
  • Site Health snapshot — WordPress/PHP versions, memory, active plugins and theme at a glance.
  • Test Mode — Simulate security rules and review what would have been blocked before enforcing.
  • Settings backup & restore — Export/import your configuration as JSON for migrations or disaster recovery.

👉 Check Out »

External Services

This plugin connects to the following third-party services, and only when you explicitly enable the related feature:

Google reCAPTCHA

  • When: reCAPTCHA CAPTCHA protection is enabled.
  • Data sent: the visitor’s reCAPTCHA response token and your site secret key.
  • Endpoint: https://www.google.com/recaptcha/api/siteverify
  • Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

Cloudflare Turnstile

  • When: Cloudflare Turnstile CAPTCHA protection is enabled.
  • Data sent: the visitor’s Turnstile response token and your site secret key.
  • Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify
  • Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/

WordPress.org Secret-Key (Salt) API

  • When: you request rotation of WordPress security keys/salts.
  • Data sent: a request for randomly generated salt strings (no site or user data).
  • Endpoint: https://api.wordpress.org/secret-key/1.1/salt/
  • Privacy: https://wordpress.org/about/privacy/

WordPress.org Core Version Check

  • When: the Update Manager checks for available WordPress core updates.
  • Data sent: a standard WordPress core version-check request (no user data).
  • Endpoint: https://api.wordpress.org/core/version-check/1.7/
  • Privacy: https://wordpress.org/about/privacy/

Cloudflare API

  • When: you connect Cloudflare or deploy/view WAF rules.
  • Data sent: Cloudflare credentials/token, selected zone/rule data, and Cloudflare API requests needed for verification, deployment and analytics.
  • Endpoint: https://api.cloudflare.com/client/v4/
  • Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/
Gratuitoem planos pagos
Comece agora
Ao instalar, você concorda com os Termos de Serviço do WordPress.com e com os Termos do plugin de terceiros.
Testado até
WordPress 6.9.4
Esse plugin está disponível para download para o seu .
Fazer download