plugin-icon

WordSec

WordSec yazdı·
Enterprise-grade WordPress security: WAF, malware scanner, 2FA login, IP/Geo blocking, live traffic, audit log and real-time alerts.
Sürüm
1.0.3
Son güncellenme
Jul 16, 2026
WordSec

WordSec is an advanced WordPress security and threat intelligence platform, built for modern security teams and site owners who need enterprise-grade protection. Eight integrated modules, from a Web Application Firewall to real-time security alerts, work together behind a single modern dashboard, and your live security score is always in view. Every module can be enabled or disabled independently, so you get exactly the protection your site needs without paying for it in performance.

Firewall

Inspect every request, write your own rules, and harden WordPress with one-click toggles. * Multi-condition custom rule builder with regex and wildcard matching * Built-in rules across the major attack categories (SQL injection, XSS, path traversal, PHP and command injection, and more) * WAF learning and active modes, bot blocking and security headers * 25+ one-click hardening toggles for wp-config access, author enumeration, REST API and more * Optional Extended Protection: pre-WordPress request inspection via an auto_prepend_file bootstrap (explicit opt-in, fully reverted when disabled or on deactivation) * Endpoint rate limiting, XML-RPC protection and detailed firewall logs

Scanner

A seven-stage scanning system that examines files, the database and scheduled tasks. * malware detection rules (synced from the WordSec service) based content scanning * WordPress core, plugin and theme file-integrity verification (via the WordPress.org API) * Scheduled scans with batch processing to avoid timeouts * One-click quarantine and restore, with complete scan history

Login Security

Stop credential attacks before they start. * Role-based two-factor authentication (RFC 6238 TOTP), no external library required * Three CAPTCHA providers (reCAPTCHA, hCaptcha, Cloudflare Turnstile) plus a built-in math CAPTCHA * Brute-force protection with progressive lockout and honeypot traps * Leaked-password checking (Have I Been Pwned, k-anonymity) and Argon2 password enforcement * Session management and a custom login page designer

Live Traffic

Watch your traffic in real time, then replay it historically. * Real-time request logging (IP, URI, method, status, response time) * Safe request and response inspection with automatic bot detection * Exclusion filtering by role, IP, country or URI, with CSV export

Blocking

  • Country and continent allow or block lists
  • Single IP and CIDR range blocking, temporary or permanent, with allow-list support
  • Automatic abuse protection and endpoint rate limiting
  • Custom block messages

Supply Chain

  • Reputation scoring for every installed plugin and theme
  • Known-vulnerability alerts (data from the WordSec service) for core, plugins, themes and PHP
  • Abandoned plugin and theme detection
  • Update-integrity verification with automatic backups and a full SBOM inventory

Audit Log

  • Complete activity tracking across 11 object types and 14 actions
  • Content changes, plugin, theme and setting changes, and more
  • Fast filtering and one-click export

Alarm

  • 36 event types across six categories
  • Delivery by Email, Telegram or Slack
  • Basic, Advanced and Full alert modes

WordSec is fully functional out of the box. Every feature (WAF, malware and file-integrity scanning, login security, two-factor authentication, hardening, IP and country blocking, audit log, supply-chain monitoring and alarms) runs locally on your server with no license key and no restrictions. Optionally, the WordSec service at wordsec.net supplies continuously-updated threat-intelligence data that cannot be produced locally: managed WAF rule sets, the full malware signature feed, IP-reputation lists, the GeoIP database, the disposable-email domain list and known-vulnerability records. Connecting the service is optional; the local features work with or without it, simply using whatever data is available. Every external service and the data it receives is documented in the “External services” section below.

External services

WordSec is designed to run locally, and with no license key it makes no outbound requests to the WordSec service. Core request filtering and file scanning run on your server. The services listed below are contacted only for the specific features described, and most of them only when you explicitly enable that feature (or, for the WordSec API, only after you activate a license key). This section documents every third-party service the plugin can connect to and the data each one receives.

WordSec API (api.wordsec.net)

WordSec runs free without a license, in which case it does not contact this service at all. A free license is available to everyone; once you activate a key the plugin communicates with the WordSec service for two distinct purposes:

  1. Required service calls (only while a license key is active): license activation and validation, and threat-data updates (firewall rules, malware signatures, IP reputation lists, GeoIP data, the disposable-email domain list and known-vulnerability data). These enable the cloud-backed features and cannot be performed locally; with no key, none of these calls are made. The local enforcement code for these features (the WAF engine, the malware scanner, the IP-blocking filters and the signup-restriction filter) is always present and active; without an up-to-date feed it simply has no threat-intelligence data to check requests against.

* When: on activation/validation and on scheduled threat-data update checks. * Data sent: your site URL and license key (used to authenticate you and bind the license to this site) and, for update checks, the current versions of your installed threat-data feeds.

  1. Optional usage/environment telemetry (OPT-IN, OFF by default): an anonymous once-daily snapshot used to improve WordSec. It is only sent after you explicitly enable “Share usage & environment data” (at license activation or in Settings Advanced Usage Data) and can be turned off again at any time.

* When: once daily, only while the opt-in is enabled. * Data sent: a non-personal snapshot of the site environment (server, WordPress, PHP and database versions, the list of active plugins and themes) and aggregate WordSec feature-usage and security statistics. No passwords, database credentials, secret keys or e-mail addresses are ever sent.

  • Terms of Service: https://wordsec.net/terms
  • Privacy Policy: https://wordsec.net/privacy

Have I Been Pwned (api.pwnedpasswords.com)

Used by the optional leaked-password check to detect whether a password appears in known data breaches, using k-anonymity. * When: when a user sets or submits a password and the leaked-password check is enabled. * Data sent: only the first 5 characters of the SHA-1 hash of the password. The password itself and its full hash never leave your site. * Terms & Privacy: https://haveibeenpwned.com/Privacy

WordPress.org API (api.wordpress.org, downloads.wordpress.org, wordpress.org, core.svn.wordpress.org)

Used to verify WordPress core, plugin and theme file integrity, to look up public plugin/theme information (plugins_api/themes_api) for the supply-chain reputation scores and update-integrity checks, and — only when you click “Repair” on a scanner finding — to download the original copy of a modified core/plugin/theme file so it can be restored. Repair downloads come from downloads.wordpress.org (plugin/theme zips), wordpress.org (core release zips) and core.svn.wordpress.org (single core files). * When: during malware/integrity scans and supply-chain reputation checks, and on an explicit repair action. * Data sent: the WordPress core version, site locale, and the slugs/versions of the plugins/themes being checked. * Terms & Privacy: https://wordpress.org/about/privacy/

RDAP (rdap.org)

Used by the WHOIS/RDAP lookup tool on the Tools page to show ownership information for an IP address or domain you inspect. * When: only when you run the WHOIS/RDAP lookup tool. * Data sent: the IP address or domain you chose to look up. * Terms & Privacy: https://about.rdap.org/

ipify (api.ipify.org)

Used by the Tools page blacklist checker and the server-info tool to determine your server’s own public IP address. * When: only when you run the “Blacklist Check” or “Server IPs” tool. * Data sent: a plain request from your server; no site data is included (the service simply echoes the requesting IP). * Terms & Privacy: https://www.ipify.org/

DNS blocklist providers (Blacklist Check tool)

The Tools page “Blacklist Check” queries DNS-based blocklists (DNSBLs) to tell you whether your server’s public IPv4 address is listed. Each provider receives a standard DNS query containing your server’s IP address in reversed form. Five providers are queried: * Spamhaus ZEN (zen.spamhaus.org) – https://www.spamhaus.org/privacy-notice/ * SpamCop (bl.spamcop.net), operated by Cisco – https://www.cisco.com/c/en/us/about/legal/privacy-full.html * Barracuda Reputation Block List (b.barracudacentral.org) – https://www.barracuda.com/company/legal/privacy-policy * UCEPROTECT Level 1 (dnsbl-1.uceprotect.net) – https://www.uceprotect.net/en/index.php * PSBL (psbl.surriel.com) – https://psbl.org/ Details: * When: only when you click “Blacklist Check” on the Tools page. * Data sent: your server’s public IPv4 address, embedded in each DNS blocklist query.

Telegram Bot API (api.telegram.org)

Optional alarm delivery channel. Active only when you configure your own Telegram bot token and chat ID. * When: when a security alarm you enabled fires and Telegram delivery is configured. * Data sent: the alarm message text (event type, site name, relevant IP/user context) to the bot/chat you configured. * Terms of Service: https://telegram.org/tos * Privacy Policy: https://telegram.org/privacy

Slack Incoming Webhooks (hooks.slack.com)

Optional alarm delivery channel. Active only when you configure your own Slack incoming-webhook URL. * When: when a security alarm you enabled fires and Slack delivery is configured. * Data sent: the alarm message text (event type, site name, relevant IP/user context) to the webhook you configured. * Terms of Service: https://slack.com/terms-of-service * Privacy Policy: https://slack.com/privacy-policy

Google reCAPTCHA (www.google.com, www.gstatic.com)

Optional login/registration CAPTCHA. Active only when you select reCAPTCHA and provide your own keys. * When: on login and registration forms while enabled. * Loaded remotely: reCAPTCHA requires its widget script (www.google.com/recaptcha/api.js, served with assets from www.gstatic.com) to be loaded from Google in the visitor’s browser; it is enqueued only on those forms and only while reCAPTCHA is the selected provider. Token verification is a server-side call from your site to www.google.com. * Data sent: the CAPTCHA response token, your public site key, and the visitor’s IP address. * Terms of Service: https://policies.google.com/terms * Privacy Policy: https://policies.google.com/privacy

hCaptcha (hcaptcha.com, js.hcaptcha.com)

Optional login/registration CAPTCHA. Active only when you select hCaptcha and provide your own keys. * When: on login and registration forms while enabled. * Loaded remotely: hCaptcha requires its widget script (js.hcaptcha.com/1/api.js) to be loaded from hCaptcha in the visitor’s browser; it is enqueued only on those forms and only while hCaptcha is the selected provider. Token verification is a server-side call from your site to hcaptcha.com. * Data sent: the CAPTCHA response token, your public site key, and the visitor’s IP address. * Terms of Service: https://www.hcaptcha.com/terms * Privacy Policy: https://www.hcaptcha.com/privacy

Cloudflare Turnstile (challenges.cloudflare.com)

Optional login/registration CAPTCHA. Active only when you select Turnstile and provide your own keys. * When: on login and registration forms while enabled. * Loaded remotely: Turnstile requires its widget script (challenges.cloudflare.com/turnstile/v0/api.js) to be loaded from Cloudflare in the visitor’s browser; it is enqueued only on those forms and only while Turnstile is the selected provider. Token verification is a server-side call from your site to challenges.cloudflare.com. * Data sent: the CAPTCHA response token, your public site key, and the visitor’s IP address. * Terms of Service: https://www.cloudflare.com/website-terms/ * Privacy Policy: https://www.cloudflare.com/privacypolicy/

ipwhois.io (ipwho.is)

Optional IP geolocation service, disabled by default. All requests go over HTTPS with certificate verification, and none are made until you enable “External IP Lookup Service” in WordSec Settings (Visitor IP Handling section). It is used for three things: (1) resolving a visitor IP’s country when no local GeoIP database is available, (2) resolving a visitor IP’s city for the Live Traffic log when the local database cannot answer, and (3) the “IP details” lookup in Live Traffic (country, region, city, ISP, organization, ASN). * When: only while the External IP Lookup Service opt-in is enabled — automatically for country/city during traffic logging, and on your click for the IP details lookup. * Data sent: the IP address being looked up (a visitor’s IP for country/city, or the IP you chose to inspect). * Terms of Service: https://ipwhois.io/terms * Privacy Policy: https://ipwhois.io/privacy

VirusTotal (virustotal.com)

Not contacted automatically. The scanner shows a “Check on VirusTotal” link you can click to open VirusTotal in your browser for a given file. * When: only when you click the link. * Data sent: the file hash contained in the link URL. * Terms & Privacy: https://docs.virustotal.com/docs/privacy-policy

Qualys SSL Labs (ssllabs.com)

Not contacted automatically. The Tools page “Check SSL Health” test runs entirely on your own server (it opens a TLS connection to your own domain and reads the certificate). Next to it, a “Deep Scan (SSL Labs)” link opens the Qualys SSL Labs test in a new browser tab; SSL Labs then connects to your site from the outside and grades its TLS configuration. The link carries the “hide results” flag, so the report is not published on the SSL Labs public board. * When: only when you click the “Deep Scan (SSL Labs)” link. * Data sent: your site’s domain name, contained in the link URL. * Terms: https://www.ssllabs.com/about/terms.html * Privacy: https://www.qualys.com/company/privacy/

Credits

WordSec bundles the third-party libraries listed below. Every library is distributed under a license compatible with WordSec’s own “GPLv2 or later” license. Each bundled library keeps its in-file license banner and/or its upstream license file, and the full original (unminified) source for each is available at the linked project and version.

PHP libraries (`vendor/`)

TCPDF 6.11.3 * License: LGPL-3.0-or-later * Copyright: Nicola Asuni, Tecnick.com LTD * Source: https://github.com/tecnickcom/TCPDF * License file: vendor/tecnickcom/tcpdf/LICENSE.TXT * Used for: PDF report/export generation

SimpleXLSXGen 1.5.x * License: MIT * Copyright: (c) 2020-2022 Sergey Shuchkin * Source: https://github.com/shuchkin/simplexlsxgen * License file: vendor/shuchkin/simplexlsxgen/LICENSE * Used for: XLSX (Excel) export

JavaScript / CSS libraries (`assets/*/vendor/`)

Select2 4.1.0-rc.0 * License: MIT * Copyright: Kevin Brown, Igor Vaynberg, and the Select2 contributors * Source: https://github.com/select2/select2 * License text: https://github.com/select2/select2/blob/master/LICENSE.md * Bundled files: assets/js/vendor/select2.min.js, assets/css/vendor/select2.min.css

ApexCharts 5.16.0 * License: MIT * Copyright: (c) 2018-2026 ApexCharts * Source: https://github.com/apexcharts/apexcharts.js * License text: https://github.com/apexcharts/apexcharts.js/blob/main/LICENSE * Bundled files: assets/js/vendor/apexcharts.min.js

jsVectorMap 1.7.0 * License: MIT * Copyright: (c) Mustafa Omar and the jsVectorMap contributors * Source: https://github.com/themustafaomar/jsvectormap * License text: https://github.com/themustafaomar/jsvectormap/blob/master/LICENSE * Bundled files: assets/js/vendor/jsvectormap.min.js, assets/css/vendor/jsvectormap.min.css * Used for: world map visualizations (Live Traffic / Blocking / Firewall)

World map data (world_mill), registered as the jsVectorMap “world” map * License: MIT * Copyright: jvectormap-content contributors; map geometry derived from Natural Earth (public domain) * Source: https://www.npmjs.com/package/jvectormap-content * Bundled files: assets/js/vendor/world.js * Used for: the country geometry rendered by the world map visualizations above

qrcode-generator 1.4.4 * License: MIT * Copyright: Kazuhiko Arase * Source: https://github.com/kazuhikoarase/qrcode-generator * License text: https://github.com/kazuhikoarase/qrcode-generator/blob/master/LICENSE * Bundled files: assets/js/vendor/qrcode.min.js

Icons / assets

flag-icons (country flag SVGs) * License: MIT (SVG markup); the flag designs themselves are in the public domain * Copyright: (c) 2013 Panayiotis Lipiridis * Source: https://github.com/lipis/flag-icons * License text: https://github.com/lipis/flag-icons/blob/main/LICENSE * Bundled files: assets/images/flags/*.svg (country flags, 4×3 viewBox="0 0 640 480")

Ücretsiz(ücretli paketlerde)
Kurulum işlemini tamamlayarak, WordPress.com'un Hizmet Şartları ile Üçüncü Taraf Eklenti Şartlarını kabul etmiş olursunuz.
Test edilen son sürüm
WordPress 7.0.2
Bu eklenti, sitenizde kullanılmak üzere indirilebilir.