Title: Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…
Author: Fernando Tellado
Published: Februaro 11, 2026
Last modified: Majo 6, 2026
---
Priserĉi kromprogramojn
# Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…
De [Fernando Tellado](https://profiles.wordpress.org/fernandot/)
[Elŝuti](https://downloads.wordpress.org/plugin/vigilante.2.3.0.zip)
[Live Preview](https://eo.wordpress.org/plugins/vigilante/?preview=1)
* [Detaloj](https://eo.wordpress.org/plugins/vigilante/#description)
* [Pritaksoj](https://eo.wordpress.org/plugins/vigilante/#reviews)
* [Instalo](https://eo.wordpress.org/plugins/vigilante/#installation)
* [Programado](https://eo.wordpress.org/plugins/vigilante/#developers)
[Helpo](https://wordpress.org/support/plugin/vigilante/)
## Priskribo
### Premium Security. Zero Cost.
Vigilant provides enterprise-level WordPress security features completely free.
No premium version, no upsells, no hidden features behind paywalls.
Protect your site with a complete security suite: firewall, two-factor authentication,
brute force protection, security headers, file integrity monitoring, malware detection,
user management, security audit logging, under attack mode and much more.
### Instant Protection
Once activated, Vigilant immediately applies essential security measures:
* Firewall rules against common attacks (SQL injection, XSS, file inclusion)
* Security headers for browser protection
* Login attempt monitoring
* XML-RPC blocking
* WordPress version hiding
* Sensitive file protection (.htaccess, wp-config.php)
* Automatic backup of your existing configuration files
### One-Click Security Presets
Choose a preset and get protected instantly:
**Standard** – Balanced security suitable for most websites. Enables all modules
with sensible defaults that won’t interfere with normal site operation.
**Maximum Security** – Strictest settings for high-security sites. Tighter rate
limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning
for some setups.
You can always customize individual settings after applying a preset.
### Under Attack Mode
Is your site under active attack? Activate Under Attack mode with one click and
stop malicious traffic instantly:
* **JavaScript challenge** – Every visitor must pass an automatic browser verification
before accessing your site. Real browsers solve it in seconds, bots get blocked
completely
* **Aggressive rate limiting** – Requests limited to 30 per minute with 15-minute
blocks for offenders
* **HTTP method restriction** – Only GET, POST, and HEAD allowed. PUT, DELETE,
PATCH, OPTIONS, and TRACE are blocked
* **Empty user agent blocking** – Requests without a user agent header are rejected
* **Full XML-RPC lockdown** – All XML-RPC access is blocked during the attack
* **REST API restriction** – Only authenticated users can access the REST API
* **Auto-deactivation** – Mode automatically turns off after 4 hours so you never
forget it’s on
* **Email notifications** – Get notified when the mode is activated and deactivated
* **HMAC-signed cookies** – Verified visitors receive a cryptographically signed
cookie so they only see the challenge once
Under Attack mode works independently from your preset configuration. Your regular
security settings are preserved and restored when the mode deactivates.
### Core Security Features
**Two-Factor Authentication (2FA)**
Add a second verification step to your WordPress login. Choose the method that works
best for your team:
* **Authenticator app (TOTP)** – Google Authenticator, Authy, Microsoft Authenticator,
or any TOTP-compatible app
* **Email codes** – One-time 6-digit verification codes sent via email
* QR code setup directly in user profiles
* 10 backup codes for emergency access if you lose your device
* Configurable grace period for users to set up their authenticator app
* Trusted devices feature – optionally allow users to skip 2FA on recognized devices
for 30 days
* Role-based enforcement – require 2FA for administrators, editors, or any role
* Exclude specific users from 2FA requirements
* Admin tool to reset TOTP for users who lost their authenticator
* Configurable code expiry, attempt limits, and email sender name
* User notification emails when 2FA is enabled or method changes
**Firewall Protection**
Block malicious requests before they reach WordPress:
* SQL injection blocking
* XSS (Cross-Site Scripting) attack prevention
* File inclusion protection (LFI/RFI)
* Directory traversal blocking
* Bad bot detection and blocking
* Rate limiting against DDoS and brute force
* IP whitelist and blacklist management
* User-Agent whitelist and blacklist with partial matching
* HTTP method restriction
**Login Security**
Stop unauthorized access attempts:
* Limit login attempts with configurable thresholds
* Progressive lockouts – longer blocks for repeat offenders
* Custom login URL – hide wp-login.php from bots
* Login URL change notifications to all admin-area users
* Hide login error messages – don’t reveal valid usernames
* XML-RPC disable – block this common attack vector
* Application passwords control
* Admin login notifications via email
* IP whitelist for trusted locations
**User Security**
Comprehensive user account protection:
* Block insecure usernames (admin, test, root, etc.)
* Force strong passwords with minimum length
* Password expiration with configurable intervals
* Password history – prevent reusing old passwords
* Force password reset — by specific users, by role, or all users (post-hack recovery)
* Session limits – control concurrent logins per user
* Session management – view and revoke active sessions
* Email verification for new registrations
* Registration approval workflow – manually approve new users
* Admin account monitoring – alerts for new admins, email changes, password changes,
privilege escalation
* Display name protection – prevent exposing login username publicly
**Security Headers**
Achieve Grade A security ratings:
* Content Security Policy (CSP) with visual builder
* HSTS (HTTP Strict Transport Security) with preload option
* X-Frame-Options – prevent clickjacking
* X-Content-Type-Options – prevent MIME sniffing
* Referrer Policy control
* Permissions Policy (camera, microphone, geolocation)
* Cross-Origin policies (COEP, COOP, CORP)
* HTTPS enforcer with automatic mixed content fix
* Built-in header testing tool
**File Integrity Monitoring**
Detect unauthorized changes to your files:
* WordPress core verification against official checksums
* Plugin and theme file monitoring with WordPress.org checksums
* Critical config files (wp-config.php, .htaccess) monitored against baseline —
detects code injection even in files with no official checksum
* Line-level diff view of changes, with per-file approval workflow
* Suspicious code scanning for plugins and themes without checksums
* Extra file detection in plugins and themes (files not in original distribution)
* Two-level detection: strict obfuscation combos for plugins, broad patterns for
uploads
* Uploads directory scanning for PHP files, double extensions, and .htaccess
* Root directory scanning for non-core PHP files (common attack vector)
* Smart .htaccess classification in uploads – distinguishes dangerous rules from
protective ones
* String concatenation obfuscation detection
* Configurable notification levels (all issues, suspicious only, or disabled)
* Ignore list to dismiss known files from results
* Excluded paths and file extensions
* Scheduled automatic scans (daily, weekly)
* HTML formatted email alerts with severity sections
**Security Audit**
Track everything happening on your site:
* Successful and failed login attempts
* Two-factor authentication events
* User account changes (creation, deletion, role changes)
* Content modifications (posts, pages)
* Plugin and theme activations/deactivations
* Security events and blocked threats
* HTTP request method tracking and filtering (GET, POST, PUT, DELETE)
* Enhanced log detail popup with grouped sections and quick actions
* One-click add IP or User-Agent to firewall whitelist/blacklist from log entries
* Direct IP lookup links to AbuseIPDB
* Configurable retention period
* Export logs to CSV
* Filter by event type, severity, request method, or date
**Security Check**
On-demand security audit built into the Dashboard. No external services, no accounts,
no API keys — everything runs on your server:
* 40+ checks across 6 categories: SSL/TLS, HTTP Headers, WP Exposure, Access &
Auth, Sensitive Files, and Internal Checks
* Single 0–100 score with A–E grade, plus per-category breakdown and explanatory
details for every check
* 13 exclusive internal checks impossible from the outside: PHP end-of-life status,
pending updates, inactive plugins, file permissions, default salts detection,`
wp_` table prefix, `admin` username, administrators without 2FA enrolled, module
status, recent audit errors, and last File Integrity scan result
* DNS-only reputation lookup against Spamhaus ZEN, Barracuda BRBL and SpamCop SCBL(
informational — listings are flagged but don’t deduct from the score)
* Two-phase scan: fast local checks appear in under a second, remote checks stream
in as they complete
* Weekly automatic scan with opt-in email alert if the score drops by 10+ points
or a new critical check starts failing
* 30-scan history with sparkline trend and delta chip so you can see how changes
to your site affect security over time
* “Go to setting” fix link on every failing check — jump straight to the exact
Vigilant field that resolves it, with a visual pulse on arrival
* Smart header diagnostics report “configured but not being served” when a cache/
CDN overrides your headers, instead of just marking it green or red
**WordPress Hardening**
Additional security measures:
* wp-config.php security constants (DISALLOW_FILE_EDIT, etc.)
* WP_DEBUG detection – dashboard warning when debug mode is active in production
* Automatic removal of readme.html, license.txt, and licencia.txt (daily cleanup)
* Database prefix security check and one-click change tool
* Comment spam protection with honeypot fields
* Disable pingbacks and trackbacks
* Close comments on old posts
* WordPress head cleanup (remove version, RSD, WLW links)
* Feed management and security
**REST API Security**
Control API access to your site:
* Three access modes: public, authenticated only, or selective
* Block user enumeration via REST API
* Protect sensitive endpoints
* Maintain compatibility with popular plugins (WooCommerce, Contact Form 7, Elementor)
### Security Tools
Utilities included:
* **Database Backup** – Download a full or partial database backup as ZIP with
table selection
* **Database Prefix Change** – Change the default wp_ prefix to a random secure
prefix
* **Export/Import Settings** – Transfer your configuration between sites
* **Manual Backup** – Create backups of .htaccess and wp-config.php on demand
* **Reset to Defaults** – Start fresh with one click
### Safe by Design
**Automatic Backup System**
Your existing .htaccess, wp-config.php, and robots.txt are automatically backed
up before any modifications. Backups include integrity verification (MD5 checksums)
and are stored safely in wp-content/vigilante-backups/, persisting through plugin
updates.
**Clean Rollback**
When you deactivate Vigilant, all security rules are automatically removed and your
original configuration files are restored. No leftover code, no broken sites.
### Why choose Vigilant?
Most WordPress security plugins reserve their best features for paid plans. Vigilant
gives you everything upfront — no premium tier, no feature locks, no upsells. Firewall,
2FA with authenticator app, security headers, file integrity scanner, security audit,
on-demand Security Check with weekly regression alerts, and more. All free, all
maintained, all following WordPress coding standards.
If your current security plugin asks you to pay for features that should be basic,
take a look at what Vigilant offers out of the box.
### How does Vigilant compare?
We maintain a detailed feature comparison between Vigilant and other popular security
plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each plugin
offers in its free version and where Vigilant fills the gaps.
→ [View the full comparison](https://vigilante.works/comparison.html)
### Support
Need help or have suggestions?
* [Official website](https://servicios.ayudawp.com/)
* [WordPress support forum](https://wordpress.org/support/plugin/vigilante/)
* [YouTube channel](https://www.youtube.com/AyudaWordPressES)
* [Documentation and tutorials](https://ayudawp.com/)
Love the plugin? Please leave us a 5-star review and help spread the word!
### About AyudaWP
We are specialists in WordPress security, SEO, AI and performance optimization plugins.
We create tools that solve real problems for WordPress site owners while maintaining
the highest coding standards and accessibility requirements.
## Ekrankopioj
* [[
* Security Dashboard – Security score, module controls, and preset selection
* [[
* Two-Factor Authentication – Second verification step during login
* [[
* Login Security – Brute force protection, 2FA, lockouts, and custom login URL
* [[
* User Security – Complete user protection tools and settings
* [[
* Password Expiration – Force periodic password changes with history
* [[
* Registration Approval and Session Limits – Control new users and concurrent logins
* [[
* File Integrity – Scanner settings and verification results
* [[
* Security Audit – Filterable event viewer with export option
* [[
* Database Backup – Download full or partial database backups with table selection
* [[
* Security Check – On-demand audit widget with score, per-category breakdown, and
fix links
## Instalo
1. Upload the plugin files to `/wp-content/plugins/vigilante/` or install directly
from the WordPress plugin repository
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. Go to ‘Vigilant’ in the admin menu
4. Apply a security preset or customize individual module settings
**Requirements:**
* WordPress 6.2 or higher
* PHP 7.4 or higher
* Apache or LiteSpeed server (for .htaccess features)
* SSL certificate recommended for HSTS
## OD
### Will this plugin slow down my site?
No. Vigilant is optimized for performance. The firewall uses efficient pattern matching,
database queries are cached with transients, and .htaccess rules execute at server
level before PHP even loads.
### What happens when I activate the plugin?
Vigilant immediately creates a backup of your existing .htaccess and wp-config.php
files, then applies default security settings. All modules are enabled with balanced
defaults suitable for most sites.
### What happens when I deactivate the plugin?
All security modifications are automatically reverted. The .htaccess rules are removed,
wp-config.php constants are restored to their original values, and scheduled tasks
are cleared. Your site returns to its pre-Vigilant state.
### How does two-factor authentication work?
Vigilant supports two 2FA methods. With the **authenticator app** (TOTP), you scan
a QR code in your profile to link an app like Google Authenticator or Authy, then
enter a 6-digit code from the app on every login. With **email codes**, you receive
a one-time code via email after entering your password. If enabled by the site administrator,
you can mark your device as trusted to skip 2FA for 30 days.
### What if I lose my phone or authenticator app?
When you set up TOTP, Vigilant generates 10 backup codes. You can use any of them
as a one-time replacement for the authenticator code. If you run out of backup codes,
an administrator can reset your TOTP from the plugin settings.
### What if I don’t receive the 2FA email code?
Check your spam folder first. You can click “Resend code” on the verification form.
Codes expire after 10 minutes by default. If issues persist, an administrator can
temporarily disable 2FA from the plugin settings.
### Can I switch between email and authenticator app?
Yes. Go to Login Security > Two-Factor Authentication and change the verification
method. If notifications are enabled, affected users will receive an email explaining
the new method and how to set it up.
### Which user roles require 2FA?
By default, 2FA is enforced for administrators and editors. You can customize which
roles require 2FA in the Login Security settings, and exclude specific users individually.
### How do I recover if I’m locked out?
Access your site via FTP/SFTP and either rename the plugin folder to disable it
temporarily, or delete the `vigilante_login_attempts` table rows for your IP address
in the database.
### Will the firewall block legitimate users?
The firewall is configured to allow normal WordPress operations, including the block
editor, REST API, and popular page builders. If you experience issues, you can whitelist
specific IPs or adjust rate limiting thresholds.
### Can I use this with other security plugins?
While Vigilant works standalone, running multiple security plugins can cause conflicts.
We recommend testing in a staging environment first if you need to combine security
solutions.
### Does this work with caching plugins?
Yes. Vigilant is compatible with popular caching plugins. The firewall runs before
cache layers, and .htaccess rules don’t interfere with caching mechanisms.
### Does this work with WooCommerce?
Yes. Vigilant includes compatibility settings for WooCommerce. The REST API security
module automatically allows WooCommerce endpoints, and the firewall won’t block
payment gateway connections.
### How do I test my security headers?
Use the built-in header testing tool in the Security Headers tab, or visit securityheaders.
com with your site URL to get a security grade.
### What is Security Check?
Security Check is an on-demand audit built into the Dashboard. It runs 40+ checks
across 6 categories (SSL/TLS, HTTP headers, WordPress exposure, access and authentication,
sensitive files, and internal checks) and returns a 0–100 score with an A–E grade.
Unlike external online scanners, it runs entirely on your server and has access
to 13 exclusive internal checks: PHP end-of-life status, pending updates, file permissions,
default salts detection, administrators without 2FA enrolled, and more.
### Does Security Check send my data to an external service?
No. All checks run on your server. The only external traffic is three DNS-only lookups
against public blacklists (Spamhaus, Barracuda, SpamCop) for the reputation category—
these are standard DNS queries with no authentication, no API keys, and no payload
beyond your site’s IP address. If you disable the reputation category, Security
Check makes zero external network calls.
### How often should I run Security Check?
Run it manually after any significant change (plugin update, server migration, new
user role configuration). For ongoing monitoring, enable the weekly automatic scan
from the widget. You’ll only receive an email if the score drops by 10 points or
more, or if a new critical check starts failing — so no spam from routine scans.
### What is password expiration?
You can require users to change their passwords after a set number of days (30,
60, 90, etc.). Users receive warnings before expiration and are forced to change
their password on next login when it expires. Password history prevents reusing
recent passwords.
### What is registration approval?
When enabled, new user registrations require manual approval by an administrator
before the account becomes active. Pending users cannot log in until approved. You
can configure auto-rejection after a set number of days.
### What does email verification do?
New users must verify their email address by clicking a link before their account
becomes active. This prevents fake registrations and ensures valid contact information.
### How do session limits work?
You can limit how many concurrent sessions each user can have. When the limit is
reached, either the new login is blocked or the oldest session is terminated, depending
on your configuration.
### Can I export the security audit log?
Yes. The security audit log can be exported to CSV format for external analysis
or compliance reporting. You can also filter logs by event type, user, or date range
before exporting.
### What files does the integrity scanner check?
The scanner compares WordPress core files, plugin files, and theme files against
official checksums from WordPress.org. Plugins and themes without available checksums
are also scanned using strict obfuscation pattern detection. The uploads directory
is scanned for PHP files, double extensions, and .htaccess files. Extra PHP files
not present in original distributions are detected and, if they contain suspicious
code, automatically flagged as suspicious.
### How often does the file integrity scan run?
You can configure automatic scans to run daily or weekly. You can also run manual
scans at any time. Email notifications support three levels: all issues, suspicious
files only, or disabled.
### What is the difference between Standard and Maximum presets?
Standard applies balanced settings suitable for most sites. Maximum applies stricter
rules: lower rate limits, tighter CSP policies, required admin notifications, session
limits, and more aggressive hardening. Maximum may require adjustments for sites
with complex functionality.
### Where are backups stored?
Backups are stored in wp-content/vigilante-backups/. This location persists through
plugin updates. The directory is protected with .htaccess rules to prevent direct
access.
### What is Under Attack mode?
Under Attack mode is an emergency feature you can activate when your site is experiencing
an active attack. It adds a JavaScript challenge that real browsers solve automatically
in a few seconds, while bots and automated scripts are blocked completely. It also
applies aggressive rate limiting, blocks restricted HTTP methods, and restricts
API access.
### Will Under Attack mode affect my logged-in users?
No. Logged-in users, admin pages, cron jobs, AJAX requests, and the login page are
all excluded from the JavaScript challenge. Only unauthenticated frontend visitors
see the verification page.
### What if I forget to turn off Under Attack mode?
It automatically deactivates after 4 hours. You will also receive an email notification
when it activates and deactivates.
### Does Under Attack mode change my regular security settings?
No. It operates independently from your preset configuration (Standard or Maximum).
Your regular settings are untouched and continue working normally after Under Attack
mode deactivates.
### How does the database backup work?
Go to Vigilant > Tools > Database Backup. Select which tables to include (or leave
all selected), then click Download. The backup is generated as a ZIP file containing
a SQL dump. No files are stored on the server.
### What does changing the database prefix do?
WordPress uses wp_ as default table prefix. Changing it to a random prefix adds
a layer of protection against SQL injection attacks that target default table names.
Go to Vigilant > WP Hardening > Database Hardening. Always create a backup before
changing the prefix.
### How do I exclude management services like ManageWP from the firewall?
Go to Vigilant > Firewall > User-Agent Lists and add the service name (e.g., ManageWP,
MainWP, UptimeRobot) to the User-Agent Whitelist. Partial matching is used, so entering“
ManageWP” will match any User-Agent string containing that keyword.
### Can I send security notifications to someone other than the site admin?
Yes. Go to Vigilant > Settings & Tools > Notification settings. You can add additional
email recipients (one per line) and optionally uncheck the WordPress admin email.
This is useful for maintenance professionals managing multiple sites who need to
receive all security alerts.
### Can I customize notification recipients programmatically?
Yes. Use the `vigilante_notification_recipients` filter. It receives and returns
an array of email addresses used for all administrative notifications:
```
add_filter( 'vigilante_notification_recipients', function( $recipients ) {
$recipients[] = 'security-team@example.com';
return $recipients;
} );
```
## Pritaksoj
### [How WordPress security should be by default](https://wordpress.org/support/topic/how-wordpress-security-should-be-by-default/)
[jburg3333](https://profiles.wordpress.org/jburg3333/) Majo 2, 2026 1 reply
In the meantime, we have our Vigilant plugin. It’s honestly great and gets the job
done!
### [Great plugin](https://wordpress.org/support/topic/great-plugin-41424/)
[pdjp](https://profiles.wordpress.org/pdjp/) Aprilo 13, 2026 5 replies
But one security audit question: I set up Vigilant on a small website and after
a week i already have 7000 log entries and 99% are from “Firewall: rate limit exceeded”.
Is there a way to prevent something like this? Also, why are many logs from the
same IP, often made in seconds? Shouldn’t they been blocked for 300s after exceeding
rate limit one time?
### [Más y mejores opciones que uno de pago](https://wordpress.org/support/topic/mas-y-mejores-opciones-que-uno-de-pago/)
[fpuenteonline](https://profiles.wordpress.org/fpuenteonline/) Marto 25, 2026 1
reply
Un placer encontrar esto que ha preparado Fernando, se notan los años de experiencia
y los múltiples snippets de código que acumula. Todo lo que necesitas para proteger
tu sitio con WordPress sin necesidad de ser un experto en seguridad.
### [Un excelente aporte por parte de autor](https://wordpress.org/support/topic/un-excelente-aporte-por-parte-de-autor/)
[Samot80](https://profiles.wordpress.org/samot80/) Marto 24, 2026 1 reply
Muy buen plugin, me pareció excelente
### [Seguridad sólida sin sobrecargas](https://wordpress.org/support/topic/seguridad-solida-sin-sobrecargas/)
[Francisco Vivo](https://profiles.wordpress.org/capitancapo/) Marto 24, 2026 1
reply
Llevo años probando plugins de seguridad y todos acaban igual: panel infinito, avisos
de “compra premium” hasta en la sopa, y un rendimiento que te hace dudar si el problema
de seguridad es el propio plugin. La seguridad total debería ser gratis en Wordpress
como ofrece este plugin. Vigilante no. Lo instalas, lo configuras en cinco minutos,
y desaparece. Hace su trabajo sin recordarte cada día que existe, aunque recomiendo
pasar de vez en cuando para ver sus actividad. Sin popups, sin dramas, sin “¡Tu
sitio está en peligro!” cuando no lo está. Ligero, no ralentiza el sitio Interfaz
clara, sin intentar venderte algo cada dos clics Hace lo que promete sin funciones
innecesarias Funciona, no molesta, no pesa. Así de simple. Así debería ser todo.
### [Imprescindible](https://wordpress.org/support/topic/imprescindible-81/)
[tlozano](https://profiles.wordpress.org/tlozano/) Marto 24, 2026 1 reply
En estos tiempos de bots, IA’s, y ataques buscando código vulnerable, un plugin
de este tipo es imprescindible (bajo mi punto de vista). He estado usando otro durante
mucho tiempo, pero este hace lo mismo o más, pero mucho mas sencillo y focalizando
en funciones útiles de forma sencilla. Cuando Fernando saca un nuevo plugin le echo
un vistazo y lo pruebo, la verdad es que siempre me sorprende (para bien) y da mucho
más de lo que dan otros plugins; va a lo útil y siempre los está mejorando. Muchas
gracias
[ Legi ĉiujn 9 pritaksojn ](https://wordpress.org/support/plugin/vigilante/reviews/)
## Kontribuantoj k. programistoj
“Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…” estas
liberkoda programo. La sekvaj homoj kontribuis al la kromprogramo.
Kontribuantoj
* [ Fernando Tellado ](https://profiles.wordpress.org/fernandot/)
* [ Ayuda WordPress ](https://profiles.wordpress.org/ayudawp/)
“Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…” has
been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/vigilante/contributors)
for their contributions.
[Traduki “Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…” en vian lingvon.](https://translate.wordpress.org/projects/wp-plugins/vigilante)
### Ĉu interesita en programado?
[Browse the code](https://plugins.trac.wordpress.org/browser/vigilante/), check
out the [SVN repository](https://plugins.svn.wordpress.org/vigilante/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/vigilante/) by [RSS](https://plugins.trac.wordpress.org/log/vigilante/?limit=100&mode=stop_on_copy&format=rss).
## Ŝanĝprotokolo
#### 2.3.0
* New: Bulk selection in File Integrity scan results. Each table (Suspicious, Extra,
Modified, Ignored) now has a checkbox column with native WordPress “select all”
header, plus an “Ignore selected” / “Stop ignoring selected” action button per
table. No more clicking Ignore one row at a time after a plugin update bumps
a checksum and a hundred files appear.
* New: Developer filter `vigilante_skip_rate_limit` for modules that need to opt
visitors out of firewall rate limiting (used internally by Under Attack mode
for verified visitors).
* Improved: Firewall → IP Whitelist and IP Blacklist now document the supported
formats inline. The descriptions and placeholders show that exact IPs, CIDR ranges(
IPv4 only) and wildcards with `*` are accepted — the matcher already supported
all three, but it wasn’t visible in the UI.
* Fix: Under Attack mode no longer leaves visitors stuck on the JavaScript challenge
page until rate limiting kicks in. Verified visitors (those who already passed
the challenge) now bypass the aggressive 30 req/min cap that the mode applies—
previously, loading a normal page with many WordPress-served images/scripts could
burn the cap and produce a “Rate limit exceeded” message that looked like the
challenge had failed.
* Fix: Refreshing the JS challenge page no longer invalidates an in-flight challenge
nonce. The transient is now reused if still valid, breaking the loop where a
user pressing F5 would post a stale nonce and bounce back to a new challenge
endlessly. Nonce TTL also raised to 15 minutes (was 5) to tolerate slow Proof-
of-Work on weak CPUs.
#### 2.2.0
* New: Two opt-in protections for `wp-cron.php` abuse, both off by default and
clearly labeled as “only enable if your host has real server-side cron”:
* New: **Protect wp-cron.php** (Firewall → File Protection) — adds an `.htaccess`
rule (` Require all denied `) that blocks direct external
HTTP access. This is the actual protection against cron-spam DoS abuse.
* New: **Disable WP Cron** (WP Hardening → wp-config.php Security) — writes `define('
DISABLE_WP_CRON', true)` to wp-config.php, stopping WordPress from auto-spawning
cron from page views. Pairs with the .htaccess block for full coverage.
* Improved: wp-cron.php Security Check now reads both Vigilant settings plus the`
DISABLE_WP_CRON` constant and gives accurate, scenario-specific messages instead
of the previous generic “consider disabling WordPress cron” advice. PASS when
the URL is blocked (with extra confirmation when both Vigilant toggles are also
active). When the URL is still reachable, the message tells you exactly which
protection is missing — and never tells you to “disable WP cron” if you already
have. Clicking “Go to setting” now jumps straight to the Vigilant toggle that
fixes it.
#### 2.1.1
* Fix: `?author=N` author enumeration was still leaking the username even with “
Block author scanning” enabled. The protection’s hook ran with the same priority
as WordPress core’s canonical redirect, which executed first and exposed the
login. Hook now runs at priority 1 so the username never reaches the response.
* Improved: Security Check distinguishes three scenarios when a probe still detects
a leak — sub-toggle on but master module off (explicit FAIL pointing to the master
switch), both toggles on but probe still leaks (WARN suggesting cache/CDN purge),
or both off (clean FAIL). Applied to both `?author=N` and REST API user enumeration
checks.
* Improved: “Excellent” quality tag is now reserved for a perfect 100/100 score.
A single missing point drops to “Good” so the label stays meaningful.
* Improved: Warning color in the Security Check widget now uses the same amber (#
ff9800) as the Configuration Score warnings — less alarming than the previous
deep-orange and consistent across the plugin.
* Improved: Trend card now requires at least 3 scans before drawing a sparkline,
adds a delta chip showing the score change vs. the previous scan, and a clearer“
Score trend (last N scans)” label. Shows a friendly placeholder when fewer than
3 scans exist.
* Improved: Security Score card content centered (was floating left with empty
space) and the Scan now button icon and text now align correctly.
* Changed: Informational categories (Reputation/DNSBL) replaced the confusing “
Not scored” placeholder with an explicit “All clear” (green check) or “N findings”(
amber warning) status. Listed-on-blacklist results now register visually as warnings
without deducting from the score.
* Changed: User-visible English strings now consistently use “Vigilant” (matching
the plugin’s published name) instead of “Vigilante” in detail messages, email
subjects, and the analyzer User-Agent. Internal identifiers (text domain, class
names) remain unchanged.
* Internal: Plugin Check report cleaned up — added missing `translators:` comments
for two header detail strings, fixed `_n()` singular without placeholder, scoped
the `meta_key` slow-query and `fclose` (TLS stream socket, not filesystem) sniffer
ignores precisely.
#### 2.1.0
* New: Security Check — on-demand security audit in a Dashboard widget. 40+ checks
across 6 categories (SSL/TLS, HTTP Headers, WP Exposure, Access & Auth, Sensitive
Files, Internal Checks) score your site 0–100 with an A–E grade. Two-phase AJAX
scan: instant results for local checks (options, filesystem, users), remote checks(
HTTP headers, TLS, public files) stream in as they complete.
* New: 13 exclusive internal checks that external online scanners can’t perform—
PHP end-of-life status, pending WordPress/plugin/theme updates, inactive plugins,`
wp-config.php` file permissions, default salts detection, `wp_` table prefix,`
admin` username, administrators without 2FA enrolled, Vigilant module status,
recent critical audit events, and last File Integrity scan result.
* New: Reputation check (informational) — DNS-only blacklist lookups against Spamhaus
ZEN, Barracuda BRBL, and SpamCop SCBL. No HTTP APIs, no credentials. Listings
are flagged visually but don’t deduct from the score (shared hosting is often
out of your control).
* New: Weekly automatic security scan. Opt-in email alert when the score drops
by 10+ points or a new critical check starts failing — perfect for catching regressions
introduced by plugin updates or hosting changes.
* New: Score history with trend chart. The widget tracks the last 30 scans and
displays a sparkline plus a delta chip showing how the score moved since the
previous scan.
* New: “Go to setting” fix links on every failing check. Jump directly to the exact
Vigilant field that resolves the issue, with a visual pulse to highlight it on
arrival. Eight frequently-targeted fields received dedicated anchors for single-
click navigation.
* New: Configuration Score vs Security Score distinction. The Dashboard “Configuration
Score” reflects how your settings are set up; the new “Security Score” from Security
Check reflects how your site actually looks right now. Both coexist without confusion.
#### 2.0.0
* New: Instant settings search — a search field inline on every tab title. Client-
side matching against translated labels with English fallback. Results grouped
by tab with direct links to the exact section.
* New: Whitelist/blacklist state in the Security Audit “View” popup — IPs and User-
Agents already in a firewall list now show a disabled “In whitelist” / “In blacklist”
button inline, without extra clicks.
* Improved: “Server Protection” section moved from the Firewall tab to the Security
Headers tab, where it fits better. Existing settings are migrated automatically.
* Improved: Database backup table selector now shows the total size next to the
table count. When you deselect tables, the counter switches to “X tables selected”
with the size recalculated live.
* Improved: Cleaner “View” popup in Security Audit — removed the non-actionable“
Extra Data” JSON dump and fixed the double line that appeared below the “Message”
row.
* Changed: Version history moved to a dedicated changelog.txt file served from
the plugin’s public SVN, keeping readme.txt focused on the current release.
For older changelog entries, please check the [changelog.txt](https://plugins.svn.wordpress.org/vigilante/trunk/changelog.txt)
file
## Metadatumoj
* Version **2.3.0**
* Last updated **antaŭ 16 horoj**
* Active installations **500+**
* WordPress version ** 6.2 or higher **
* Tested up to **7.0**
* PHP version ** 7.4 or higher **
* Languages
* [English (US)](https://wordpress.org/plugins/vigilante/) kaj [Spanish (Spain)](https://es.wordpress.org/plugins/vigilante/).
* [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/vigilante)
* Tags
* [2FA](https://eo.wordpress.org/plugins/tags/2fa/)[firewall](https://eo.wordpress.org/plugins/tags/firewall/)
[malware](https://eo.wordpress.org/plugins/tags/malware/)[scanner](https://eo.wordpress.org/plugins/tags/scanner/)
[security](https://eo.wordpress.org/plugins/tags/security/)
* [Altnivela rigardo](https://eo.wordpress.org/plugins/vigilante/advanced/)
## Pritaksoj
5 out of 5 stars.
* [ 9 5-star reviews ](https://wordpress.org/support/plugin/vigilante/reviews/?filter=5)
* [ 0 4-star reviews ](https://wordpress.org/support/plugin/vigilante/reviews/?filter=4)
* [ 0 3-star reviews ](https://wordpress.org/support/plugin/vigilante/reviews/?filter=3)
* [ 0 2-star reviews ](https://wordpress.org/support/plugin/vigilante/reviews/?filter=2)
* [ 0 1-star reviews ](https://wordpress.org/support/plugin/vigilante/reviews/?filter=1)
[Your review](https://wordpress.org/support/plugin/vigilante/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/vigilante/reviews/)
## Kontribuantoj
* [ Fernando Tellado ](https://profiles.wordpress.org/fernandot/)
* [ Ayuda WordPress ](https://profiles.wordpress.org/ayudawp/)
## Helpo
Problemoj solvitaj en la lastaj du monatoj:
3 el 3
[Vidi helpforumon](https://wordpress.org/support/plugin/vigilante/)