Vigilante
Premium Security, Zero Cost
Vigilante provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.
Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, user management, and activity logging.
Instant Protection
Once activated, Vigilante immediately applies essential security measures:
- Firewall rules against common attacks (SQL injection, XSS, file inclusion)
- Security headers for browser protection
- Login attempt monitoring
- XML-RPC blocking
- WordPress version hiding
- Sensitive file protection (.htaccess, wp-config.php)
- Automatic backup of your existing configuration files
One-Click Security Presets
Choose a preset and get protected instantly:
Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation.
Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.
You can always customize individual settings after applying a preset.
Core Security Features
Two-Factor Authentication (2FA)
Add email-based verification to your WordPress login:
- One-time verification codes sent via email
- Trusted devices feature – skip 2FA on recognized devices for 30 days
- Role-based enforcement – require 2FA for administrators, editors, or any role
- Easy code resend functionality
- Configurable code expiry and attempt limits
Firewall Protection
Block malicious requests before they reach WordPress:
- SQL injection blocking
- XSS (Cross-Site Scripting) attack prevention
- File inclusion protection (LFI/RFI)
- Directory traversal blocking
- Bad bot detection and blocking
- Rate limiting against DDoS and brute force
- IP whitelist and blacklist management
- HTTP method restriction
Login Security
Stop unauthorized access attempts:
- Limit login attempts with configurable thresholds
- Progressive lockouts – longer blocks for repeat offenders
- Custom login URL – hide wp-login.php from bots
- Hide login error messages – don’t reveal valid usernames
- XML-RPC disable – block this common attack vector
- Application passwords control
- Admin login notifications via email
- IP whitelist for trusted locations
User Security
Comprehensive user account protection:
- Block insecure usernames (admin, test, root, etc.)
- Force strong passwords with minimum length
- Password expiration with configurable intervals
- Password history – prevent reusing old passwords
- Force password reset for all users (post-hack recovery)
- Session limits – control concurrent logins per user
- Session management – view and revoke active sessions
- Email verification for new registrations
- Registration approval workflow – manually approve new users
- Admin account monitoring – alerts for new admins, email changes, privilege escalation
Security Headers
Achieve Grade A security ratings:
- Content Security Policy (CSP) with visual builder
- HSTS (HTTP Strict Transport Security) with preload option
- X-Frame-Options – prevent clickjacking
- X-Content-Type-Options – prevent MIME sniffing
- Referrer Policy control
- Permissions Policy (camera, microphone, geolocation)
- Cross-Origin policies (COEP, COOP, CORP)
- HTTPS enforcer with automatic mixed content fix
- Built-in header testing tool
File Integrity Monitoring
Detect unauthorized changes to your files:
- WordPress core verification against official checksums
- Plugin file monitoring
- Theme file checking
- Uploads directory scanning for PHP files
- Suspicious code pattern detection (eval, base64_decode, shell_exec)
- Scheduled automatic scans (hourly, daily, weekly)
- Email alerts when changes are detected
- Excluded paths configuration
Activity Log
Track everything happening on your site:
- Successful and failed login attempts
- Two-factor authentication events
- User account changes (creation, deletion, role changes)
- Content modifications (posts, pages)
- Plugin and theme activations/deactivations
- Security events and blocked threats
- Configurable retention period
- Export logs to CSV
- Filter by event type, user, or date
WordPress Hardening
Additional security measures:
- wp-config.php security constants (DISALLOW_FILE_EDIT, etc.)
- Comment spam protection with honeypot fields
- Disable pingbacks and trackbacks
- Close comments on old posts
- WordPress head cleanup (remove version, RSD, WLW links)
- Feed management and security
REST API Security
Control API access to your site:
- Three access modes: public, authenticated only, or selective
- Block user enumeration via REST API
- Protect sensitive endpoints
- Maintain compatibility with popular plugins (WooCommerce, Contact Form 7, Elementor)
Security Tools
Utilities included at no extra cost:
- Export/Import Settings – Transfer your configuration between sites
- Manual Backup – Create backups of .htaccess and wp-config.php on demand
- Reset to Defaults – Start fresh with one click
Safe by Design
Automatic Backup System
Your existing .htaccess, wp-config.php, and robots.txt are automatically backed up before any modifications. Backups include integrity verification (MD5 checksums) and are stored safely in wp-content/vigilante-backups/, persisting through plugin updates.
Clean Rollback
When you deactivate Vigilante, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.
Support
Need help or have suggestions?
Love the plugin? Please leave us a 5-star review and help spread the word!
About AyudaWP
We are specialists in WordPress security, SEO, and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.