Title: Security Ninja – WordPress Security & Firewall
Author: cleverplugins
Published: 30 August 2016
Last modified: 27 March 2026

---

![](https://ps.w.org/security-ninja/assets/banner-772x250.png?rev=3492847)

![](https://ps.w.org/security-ninja/assets/icon-256x256.gif?rev=2312630)

# Security Ninja – WordPress Security & Firewall

 By [cleverplugins](https://profiles.wordpress.org/cleverplugins/)

[Download](https://downloads.wordpress.org/plugin/security-ninja.5.276.zip)

## Description

Security Ninja is a lightweight **WordPress security plugin** that helps protect
your site from common attacks and security mistakes — without turning your dashboard
into a cockpit.

**Free includes a basic Web Application Firewall (WAF)** (based on the 8G ruleset)
to block common malicious requests, plus 50+ security checks, a full vulnerability
scanner, and a core integrity scanner to spot risky settings and unexpected file
changes.

Upgrade to Pro if you need deeper protection like advanced malware scanning/cleanup,
stronger WAF controls (e.g. country blocking), and more automation/alerting.

This plugin can be downloaded for free without any paid subscription from [the official WordPress repository](https://wordpress.org/plugins/security-ninja/).

**Why Security Ninja**

**Included for free**

 * **Basic Firewall (8G-based)** – Blocks common malicious requests and bot noise
   before it becomes a problem.
 * **50+ Security Tests** – Fast audit of common WordPress security misconfigurations.
 * **Vulnerability Scanner** – Highlights known issues in plugins/themes so you
   can patch faster.
 * **Core Scanner** – Detect modified or unexpected files in WordPress core folders.
 * **Basic Events Logger** – Logs **firewall events** and **login attempts (successful/failed)**.

**Pro adds**

 * **Advanced Malware Scanner** – Detect and clean malicious code and suspicious
   files.
 * **Advanced Firewall/WAF controls** – e.g. country blocking, stronger rules and
   automation.
 * **Secure Login & 2FA** – Add stronger authentication and login protections.
 * **Automation & reporting** – Scheduled scans, reports, and advanced tracking.
 * **AI Security Advisor** – Get a single, privacy-focused security report (no PII
   sent; uses WordPress 7 AI Connectors or WP Security Ninja AI).

**Key Features**

Security Ninja is a lightweight **WordPress firewall plugin** and security toolkit
designed to protect your website from hackers, malware, brute-force attacks, and
known vulnerabilities — without slowing it down.

**Comprehensive WordPress Security Testing**

Security Ninja performs 50+ advanced security tests to identify vulnerabilities 
before hackers exploit them. This includes:

 * **Brute-force protection** – Blocks unauthorized login attempts to prevent forced
   entry.
 * **File integrity monitoring** – Detects unauthorized changes to WordPress core
   files, themes, and plugins.
 * **Database security checks** – Identifies weak database permissions and potential
   SQL injection threats.
 * **User role audits** – Ensures no unauthorized administrator accounts exist.
 * **Security misconfiguration scans** – Identifies and fixes weak settings that
   could compromise security.

**Enhanced Vulnerability Scanner**

 * **Stay Ahead of Threats** – Our vulnerability scanner proactively alerts you 
   to known vulnerabilities, allowing you to address potential threats before they
   exploit your website.
 * **Comprehensive Protection** – Security Ninja not only checks and warns for common
   issues but also checks for known vulnerabilities in plugins and themes.
 * **Peace of Mind** – Knowing your site is monitored for the latest vulnerabilities
   means you can focus on what matters most, growing your business and creating 
   content, worry-free.

**Core Scanner – Comprehensive Protection for Your WordPress Installation**

The Core Scanner module adds a critical layer of security by ensuring your WordPress
installation remains untampered and free of unauthorized files.

 * **Full Core File Integrity Check**: Every file in your core WordPress folders
   is scanned to ensure it hasn’t been modified or compromised.
 * **Detection of Unknown Files**: The scanner flags any extra or unknown files 
   in your core WordPress directories, alerting you to potential threats.
 * **Built-in File Viewer**: Review flagged files directly within your WordPress
   dashboard using the integrated file viewer for a clear and easy inspection.
 * **Restore Core Files**: If a core WordPress file has been altered, you can quickly
   restore it with a single click, ensuring your site is running the official version.
 * **Easy File Management**: For unknown or suspicious files, you have the option
   to delete them right from the interface, keeping your WordPress installation 
   clean and secure.

**Advanced Malware Scanner – Detect & Remove Malware Instantly (PRO)**

Security Ninja includes a high-performance malware scanner that automatically checks
your WordPress core, plugins and themes for:

 * **Malicious scripts and backdoors** – Identifies hidden malware and harmful injections.
 * **Trojan and virus detection** – Scans for suspicious PHP and JavaScript entries.
 * **One-click malware removal** – Instantly quarantine and delete infected files.

**WordPress Firewall & Real-Time Threat Protection**

Security Ninja includes a **basic firewall for free** (8G-based) to block common
malicious requests. Upgrade to Pro for more advanced WAF controls.

 * **Basic protection (Free)** – Blocks common exploit patterns and bad requests.
 * **Advanced protection (Pro)** – Country blocking, stronger controls, and additional
   intelligence/automation.
 * **Brute-force & bot mitigation** – Reduce noisy and abusive traffic hitting WordPress.

**Login Security & Two-Factor Authentication (2FA) (PRO)**

Your WordPress login page is a primary target for hackers. Security Ninja enhances
login security with:

 * **Two-Factor Authentication (2FA)** – Requires additional verification for safer
   logins.
 * **Brute-force attack protection** – Limits failed login attempts to block unauthorized
   access.
 * **Rename login** – Getting a lot of requests to your login form? Hide it for 
   spammers.

**One-Click Security Fixes & WordPress Hardening (PRO)**

Manually fixing security issues is time-consuming. Security Ninja provides one-click
hardening to:

 * **Disable XML-RPC** – Blocks common DDoS attacks and brute-force exploits.
 * **Restrict file editing** – Prevents unauthorized theme and plugin modifications.
 * **Hide PHP error messages** – Stops hackers from exploiting sensitive error details.

And many more fixes to harden your WordPress security!

**Events Logger / Activity Tracking**

Security Ninja includes a **basic events logger for free** so you can see what’s
happening on your site.

 * **Free:** firewall events + login attempts (successful/failed).
 * **Pro:** deeper tracking, alerting, and reporting.
 * Export security logs for audits and compliance reports.
 * Includes webhook functionality so you can integrate with other services (e.g.
   Slack/Discord/webhooks).

**Automated Security Scans & Reports (PRO)**

Security Ninja performs scheduled security scans and sends reports directly to your
inbox.

 * Set up daily, weekly, or monthly security scans.
 * Receive email alerts about vulnerabilities and malware infections.
 * Analyze detailed reports to keep your website secure.

**Block Spam & Malicious Bots Instantly (PRO)**

Hackers and spammers use bots to exploit WordPress websites. Security Ninja prevents:

 * **Fake registrations and spam comments** – Stops bots from even getting to your
   site.
 * **Malicious bot attacks** – Blocks scripts attempting to hack your site.
 * **Unwanted traffic** – Reduces server load by preventing unnecessary bot access.

**Join thousands of satisfied users who trust Security Ninja to keep their websites
safe. Start protecting your online presence today and help yourself to peace of 
mind.**

**Why Security Ninja is the Best WordPress Security Plugin**

Security Ninja is the best WordPress security plugin because it provides a comprehensive,
lightweight, and easy-to-use solution to protect your website from hackers, malware,
and vulnerabilities. With 50+ security tests, an advanced malware scanner, a firewall,
and two-factor authentication (2FA), it ensures complete website protection without
slowing down performance.

Unlike bloated security plugins, Security Ninja is optimized for speed and efficiency.
It offers one-click security fixes, automated scans, real-time threat detection,
and login protection, making it ideal for beginners and advanced users alike. Trusted
since 2011, it keeps thousands of websites secure while offering proactive protection
against cyber threats.

### Extensions

 * MainWP – The MainWP Dashboard allows administrators to manage many WordPress 
   websites from a central location.

Install the **FREE [Security Ninja for MainWP Extension](https://wordpress.org/plugins/security-ninja-for-mainwp/)**
to get an overview of all websites you have installed Security Ninja on!

### Security Tests for your website

Security Ninja – Your WordPress Guardian

### Key Features

 * **Immediate Vulnerability Alerts**: Get instant notifications about vulnerabilities
   to keep your website safe and secure.
 * **Comprehensive One-click Security Audit**: With just one click, perform 50+
   detailed security checks that scrutinize every corner of your site for security
   vulnerabilities and performance issues.
 * **You’re in Command**: Security Ninja respects your autonomy, providing insights
   and recommendations without making unsolicited changes to your site.
 * **Holistic Security Evaluation**: Comprehensive checks on everything from the
   WordPress core, plugins, and themes to ensure they are up-to-date and secure.
 * **Proactive Defense Strategies**: Equip yourself with the tools and knowledge
   to prevent attacks before they happen, safeguarding your site from potential 
   threats.
 * **Optimization Beyond Security**: Improve your site’s performance with database
   optimization tips, ensuring a seamless experience for your users.
 * **Knowledge**: Each test comes with an easy-to-understand explanation, documentation,
   and actionable steps to fix identified issues.
 * **Customized Security Insights**: Tailored security assessments to check critical
   updates and configurations specific to your WordPress setup for a personalized
   protection strategy.
 * **Future-Proof Your Site**: Stay ahead with tests that include the latest WordPress
   features and best practices for site security.
 * **Prevent Unauthorized Access**: Strengthen your defenses with checks designed
   to prevent weak passwords and unauthorized file access.
 * **Secure Configuration Checks**: Ensure your website is configured according 
   to security best practices, from file permissions to security headers, for comprehensive
   protection against threats.

Enhance your website’s security, performance, and user experience with Security 
Ninja – your trusted partner in WordPress protection.

> **Security Ninja Pro** has extra features: Firewall, Filter Suspicious Queries,
> Country Blocking, Core Scanner, Malware Scanner, Auto Fixer for some of the tests,
> Events Logger & Scheduled Scans.

An all-in-one security solution for any site. With premium support and continuous
updates Security Ninja **Pro** is a perfect tool to keep your site safe. [See what the PRO version offers](https://wpsecurityninja.com/?utm_source=wordpressorg&utm_medium=content&utm_campaign=readme&utm_content=see-what-pro-offers)

Automatically block **600+ million bad IPs** with one click! [Security Ninja Pro Firewall](https://wpsecurityninja.com/?utm_source=wordpressorg&utm_medium=content&utm_campaign=readme&utm_content=cloud-firewall)
will help you stay one step ahead of bad guys by using the collective know-how of
millions of attacked sites, and ban bad guys before they even open your site.

> Read more about Pro features on the [Security Ninja website](https://wpsecurityninja.com/?utm_source=wordpressorg&utm_medium=content&utm_campaign=readme&utm_content=readmoreaboutpro)

**What others say about the plugin**

 * [WP Mayor: “Easy-to-Use WordPress Security Plugin”](https://wpmayor.com/security-ninja-review-wordpress-security-plugin/)
 * [WPLift](https://wplift.com/security-ninja-review)
 * [WPExplorer](https://www.wpexplorer.com/wordpress-security-can-security-ninja-keep-your-site-safe/)
 * [WP Loop](https://wploop.com/security-ninja-review/)
 * [Bitcatcha.com](https://www.bitcatcha.com/blog/security-ninja-plugin-review/)
 * [WebHostingSecretRevealed](https://www.webhostingsecretrevealed.net/blog/wordpress-blog/10-actionable-wordpress-security-tips/)
 * [Ravi Singh](https://www.ravisinghblog.in/wp-security-ninja-review/)
 * [Tutorials 7](https://tutorials7.com/security-ninja-review.html)
 * [onlinedecoded.com](https://www.onlinedecoded.com/security-ninja-review/)

**Tests**

The tests include:

 * brute-force attack on user accounts to test password strength
 * numerous installation parameters tests
 * file permissions
 * version hiding
 * 0-day exploits tests
 * debug and auto-update modes tests
 * database configuration tests
 * Apache and PHP related tests
 * WP options tests

 * Complete list of tests:
    - Check if Application Passwords feature is enabled (new to WP 5.6)
    - Check if WordPress core is up to date
    - Check if automatic WordPress core updates are enabled
    - Check if plugins are up to date
    - Check if there are deactivated plugins
    - Check if active plugins have been updated in the last 12 months
    - Check if active plugins are compatible with your version of WP
    - Check if themes are up to date
    - Check if there are any deactivated themes
    - Check if full WordPress version info is revealed in page’s meta data
    - Check if REST API links are displayed in page’s meta data
    - Check the PHP version is up to date
    - Check the MySQL version
    - Check if server response headers contain detailed PHP version info
    - Check if expose_php PHP directive is turned off
    - Check if user with username “admin” and administrator privileges exists
    - Check if “anyone can register” option is enabled
    - Check user’s password strength with a brute-force attack
    - Check for display of unnecessary information on failed login attempts
    - Check if database table prefix is the default one
    - Check if security keys and salts have proper values
    - Check the age of security keys and salts
    - Test the strength of WordPress database password
    - Check if general debug mode is enabled
    - Check if the debug.log file exists
    - Check if database debug mode is enabled
    - Check if JavaScript debug mode is enabled
    - Check if display_errors PHP directive is turned off
    - Check if WordPress installation address is the same as the site address
    - Check if wp-config.php file has the right permissions (chmod) set
    - Check if register_globals PHP directive is turned off
    - Check if PHP safe mode is disabled
    - Check if allow_url_include PHP directive is turned off
    - Check if plugins/themes file editor is enabled
    - Check if uploads folder is browsable by browsers
    - Test if user with ID 1 and administrator role exists
    - Check if Windows Live Writer link is present in pages’ header data
    - Check if wp-config.php is present on the default location
    - Check if MySQL server is connectable from outside with the WP user
    - Check if EditURI link is present in pages’ header data
    - Check if TimThumb script is used in the active theme
    - Check if the server is vulnerable to the Shellshock bug #6271
    - Check if the server is vulnerable to the Shellshock bug #7169
    - Check if admin interface is delivered via SSL
    - Check if MySQL account used by WordPress has too many permissions
    - Test if a list of usernames can be fetched by looping through user IDs on 
      http://siteurl.com/?author={ID} (also called username enumeration)
    - Check if server response headers contain Strict-Transport-Security
    - Check if server response headers contain X-Frame-Options
    - Check if server response headers contain X-Content-Type-Options
    - Check if server response headers contain Content-Security-Policy
    - Check if server response headers contain Referrer-Policy
    - Check if server response headers contain Feature-Policy
    - Check for unwanted files in your root folder you should remove

**License info**

 * [jQuery Cookie Plugin, Copyright 2013 Klaus Hartl](https://github.com/carhartl/jquery-cookie)
 * The vulnerability scanner uses data from the [National Vulnerability Database – NVD](https://nvd.nist.gov/)
 * This product includes IP2Location LITE data available from [https://lite.ip2location.com](https://lite.ip2location.com).
 * This plugin uses the [Persist Admin notice Dismissals](https://github.com/collizo4sky/persist-admin-notices-dismissal)
   by Collins Agbonghama @collizo4sky
 * Firewall rules are based on 8G Firewall by Jeff Starr – https://perishablepress.com/8g-blacklist/

#### How can I report security bugs?

You can report security bugs through the Patchstack Vulnerability Disclosure Program.
The Patchstack team helps validate, triage and handle any security vulnerabilities.
[Report a security vulnerability.](https://patchstack.com/database/vdp/security-ninja)

## Installation

#### Installing from WordPress

 1. Open WordPress admin, go to Plugins, click Add New
 2. Enter “Security Ninja” in search and hit Enter
 3. Plugin will show up as the first on the list, click “Install Now”
 4. Activate & go to Tools – Security Ninja to make your site more secure

#### Installing Manually

 1. Download the plugin.
 2. Unzip it and upload to _wp-content/plugins/_
 3. Open WordPress admin – Plugins and click “Activate” next to the plugin
 4. Activate & go to Security Ninja to make your site more secure

## FAQ

### Does the free version include a WordPress firewall (WAF)?

Yes. Security Ninja includes a **basic Web Application Firewall (WAF) for free**,
based on the 8G ruleset. It blocks common malicious requests and reduces bot noise.

### Does Security Ninja protect against brute force attacks and login attempts?

Yes. It includes login protections (Pro adds more), and the **free Events Logger
records login attempts (successful/failed)** so you can spot suspicious behavior.

### Does Security Ninja include a WordPress vulnerability scanner?

Yes. The **Vulnerability Scanner is fully available in the free version** and helps
you identify known vulnerabilities in plugins/themes so you can patch quickly.

### Who is this plugin for?

Site owners, agencies, and developers who want a lightweight WordPress security 
plugin to harden sites and catch problems early.

### Will this plugin slow down my site?

In normal operation, no. Some scans can temporarily use more resources while they
run.

### What changes will Security Ninja make to my site?

Security Ninja runs checks and shows recommendations. Some Pro features can add 
active protection layers (firewall/WAF controls, login protection), which you can
configure.

### What if I encounter issues with the plugin?

While we strive for universal compatibility, if you face any issues, our support
team is ready to assist. Visit our [support forum](https://wordpress.org/support/plugin/security-ninja)
to open a new thread, and we’ll help you as soon as possible.

## Reviews

### [Amazingly user-friendly security plugin](https://wordpress.org/support/topic/amazingly-user-friendly-security-plugin/)

 [joshuarbeal](https://profiles.wordpress.org/joshuarbeal/) 21 January 2026

Thank you, Security Ninja! Your plugin is easy to use, provides clear reports of
activity, and includes built-in tools that make security a lightweight task. I look
forward to incorporating this into future websites.

### [Became paid](https://wordpress.org/support/topic/devenu-payant/)

 [nadeistos](https://profiles.wordpress.org/nadeistos/) 26 August 2025 1 reply

No choice but to pay… and very expensive for what it offers! Too bad, it will be
without me.

### [A good plugin to check your security settings with](https://wordpress.org/support/topic/no-free-version-anymore/)

 [josflachs](https://profiles.wordpress.org/josflachs/) 29 July 2025

I like security ninja, and use it on all my sites to check security. It’s really
great! The nice thing about this plugin is that it gives you a report of all security
settings that need to be improved, and (this is where it stands out) gives you a
detailed explanation how to do that. I rate it one star because of the irritating
nag screens.

### [Force you to go through licensing for freeware update](https://wordpress.org/support/topic/force-you-to-buy-a-license-for-freeware-upgrade/)

 [traqbar](https://profiles.wordpress.org/traqbar/) 30 May 2025 1 reply

I have been using it for a while to occasionally check out security. But then the
latest update is forcing you to go through a licensing system. Totally not what
is expected with WordPress plugins – it is expected you have a choice to upgrade
to premium through an external website. Now they interrupt the plugin updating system.
It has already been annoying with the licensing system they use, but just about 
bearable. Now it is too far down the plughole and will be removed, it is hyper-aggressive
and very uncomfortable to have around.

### [Free version is useless](https://wordpress.org/support/topic/free-version-is-useless-97/)

 [skylabb](https://profiles.wordpress.org/skylabb/) 29 August 2024 4 replies

The only thing you can run is “Test your website security” which tells you where
the vulnerabilities are. My site is hacked and want to find where the malware is,

### [This plugin is amazing](https://wordpress.org/support/topic/this-plugin-is-amazing-53/)

 [Vassos Hadjivassiliou](https://profiles.wordpress.org/more2think/) 19 April 2024
1 reply

If you’re in the WordPress game, WP Security Ninja is a total game-changer. Seriously,
it’s like a secret weapon for developers. It’s so user-friendly, you’ll wonder why
you didn’t snag it sooner. And let me tell you, I grabbed the Pro version, and man,
no regrets whatsoever. It’s worth every single penny.

 [ Read all 99 reviews ](https://wordpress.org/support/plugin/security-ninja/reviews/)

## Contributors & developers

“Security Ninja – WordPress Security & Firewall” is open source software. The following
people have contributed to this plugin.

Contributors

 *   [ cleverplugins ](https://profiles.wordpress.org/cleverplugins/)
 *   [ Lars Koudal ](https://profiles.wordpress.org/lkoudal/)
 *   [ Freemius ](https://profiles.wordpress.org/freemius/)

“Security Ninja – WordPress Security & Firewall” has been translated into 9 locales.
Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/security-ninja/contributors)
for their contributions.

[Translate “Security Ninja – WordPress Security & Firewall” into your language.](https://translate.wordpress.org/projects/wp-plugins/security-ninja)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/security-ninja/), check
out the [SVN repository](https://plugins.svn.wordpress.org/security-ninja/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/security-ninja/)
by [RSS](https://plugins.trac.wordpress.org/log/security-ninja/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 5.276

 * 2026-03-27
 * Maintenance release – Minor improvements and stability.
 * FIX: Security Fixes — Saving the Fixes screen now applies wp-config changes only
   when toggles are ON: disable file editor, disable WP_DEBUG, and secure session
   cookies. Previously, always-present form keys made the “on” paths run even when
   options were OFF, which could append duplicate `define()` lines and trigger PHP
   notices (thanks Masahiro Kasahara for the report). `update_define` also skips
   appending a constant that is already defined (e.g. set from an included file).
 * Setup wizard – Fixed errors in the wizard and made a few small improvements.
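
One way to get the behaviour the 5.276 fix describes, as an added example that is not Security Ninja's own code: a toggle is applied only when its posted value is ON, and a constant is never written twice. The function names, form keys and sample wp-config text are hypothetical, and toggles are assumed to arrive as the strings '1' or '0'.

```php
<?php
// Added example. Function names, form keys and the sample input are hypothetical.

/** Build the statement for a boolean constant. */
function example_define_line(string $name, bool $value): string
{
    return sprintf("define( '%s', %s );", $name, $value ? 'true' : 'false');
}

/**
 * Set a boolean constant in wp-config.php source text without ever
 * producing a second define() for the same name.
 */
function example_set_define(string $config, string $name, bool $value): string
{
    $line    = example_define_line($name, $value);
    $pattern = '/^[ \t]*define\s*\(\s*[\'"]' . preg_quote($name, '/')
             . '[\'"]\s*,.*?\)\s*;/mi';

    // 1. Already present in the file: rewrite that statement in place.
    if (preg_match($pattern, $config) === 1) {
        return preg_replace_callback($pattern, fn() => $line, $config, 1);
    }

    // 2. Defined elsewhere (e.g. set from an included file): leave the file alone.
    if (defined($name)) {
        return $config;
    }

    // 3. Not present: insert before the "stop editing" marker, so the line
    //    stays inside the PHP block and ahead of the wp-settings.php include.
    $marker = '/^.*stop editing.*$/mi';
    if (preg_match($marker, $config, $m, PREG_OFFSET_CAPTURE) === 1) {
        $at = $m[0][1];
        return substr($config, 0, $at) . $line . "\n" . substr($config, $at);
    }

    // 4. No marker: insert right after the opening tag rather than appending,
    //    so nothing is written after a closing PHP tag. If the file does not
    //    start with "<?php" plus a newline, it is returned unchanged.
    return preg_replace('/^<\?php\s*?\n/', "<?php\n" . $line . "\n", $config, 1);
}

/**
 * Apply the fixes screen. When every key is always posted, a presence
 * check such as isset() passes for an OFF toggle too, so compare the value.
 */
function example_apply_fixes(string $config, array $form): string
{
    $wanted = [
        'disable_file_editor' => ['DISALLOW_FILE_EDIT', true],
        'disable_wp_debug'    => ['WP_DEBUG', false],
    ];
    foreach ($wanted as $key => [$constant, $value]) {
        if (($form[$key] ?? '0') === '1') {
            $config = example_set_define($config, $constant, $value);
        }
    }
    return $config;
}

// Constructed sample input, not a real site's configuration.
$sample = <<<'PHP'
<?php
define( 'DB_NAME', 'example' );
define( 'WP_DEBUG', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
PHP;

// File editor toggle ON, WP_DEBUG toggle OFF (key still posted).
$form  = ['disable_file_editor' => '1', 'disable_wp_debug' => '0'];
$once  = example_apply_fixes($sample, $form);
$twice = example_apply_fixes($once, $form);   // a second save of the same form

echo $once, "\n";
var_dump($once === $twice);                          // idempotent save
var_dump(substr_count($once, 'DISALLOW_FILE_EDIT')); // number of define() lines
var_dump(strpos($once, "'WP_DEBUG', true") !== false); // OFF toggle left untouched
```

Run from the command line, the second save leaves the text identical to the first, and the WP_DEBUG line is untouched because its toggle was OFF.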

#### 5.275

 * 2026-03-16
 * FIX: Event Logger – Plugin and theme installs are now logged (previously only
   updates were recorded). Activate and deactivate events are always logged with
   a fallback label when plugin name cannot be read.
 * NEW: Event Logger – Now also logs activated_plugin, deactivated_plugin, add_user_role,
   and remove_user_role for a fuller audit trail.
 * Event Logger – reliability: Event Logger now records settings changes, post updates,
   plugin activation/deactivation, and user events correctly when the module is 
   enabled. Previously, events could be missing due to licensing checks blocking
   the write path; logging no longer depends on that for storing events.
 * Event Logger – less noise: A single click to update an already-published post
   now creates one log entry instead of three. Saving a settings page (e.g. General)
   creates one entry instead of duplicate entries.
 * Event Logger – clearer actions: Settings saves are logged with the action “options_saved”
   and show which settings page was updated (e.g. General, Reading). Internal WordPress
   hook names like “whitelist_options” are no longer shown in the log.
 * Event Logger – security: Passwords and account activation keys are never stored
   in the log or shown in event details. User registration and profile update events
   only store non-sensitive data.
 * AI Security Advisor – Get a plain-English security summary and top improvements
   from your security tests. Uses WordPress 7 AI Connectors (OpenAI, Google, Anthropic);
   no domains, URLs, or personal data are sent.
 * AI Security Advisor – Overview tab shows when your site was last reviewed and
   a one-line teaser from the latest report, or invites you to run your first review
   or set up a connector.
 * AI Security Advisor – Dashboard widget shows advisor status at a glance (last
   reviewed, ready for first review, or set up) with a quick link to the Security
   Advisor page.
 * Event Logger – Login events are recorded only when a valid user is present, so
   your log stays accurate when other plugins or tools fire login-related hooks.

#### 5.274

 * Including email template properly.
 * Improvements for 2FA redirect logic.

#### 5.273

 * 2026-03-07
 * FIX: Removed unencrypted malware signature files from the plugin package
   (vendor/scr34m/…/definitions/ and base64_patterns/). The scanner uses only
   encrypted .dat files stored elsewhere. The bundled .txt files were never used
   at runtime but triggered false-positive virus alerts on some hosts. They are
   now stripped so they are never included in the plugin itself.

#### 5.272

 * 2026-03-04
 * FIX: Security tests – Prevent “Undefined array key” and “sprintf(): Passing null
   to parameter #1” PHP warnings/deprecations when building test result messages.
   Tests that do not define msg_ok, msg_bad, or msg_warning now use a safe default
   format string so scheduled runs and step-by-step runs no longer log errors (fixes
   issues in both free and premium when test definitions omit these keys).
 * IMPROVED: Malware Scanner – The “Scan your website” button is now disabled while
   a scan is running, so you can’t accidentally start a second scan. It becomes 
   clickable again as soon as the scan finishes or if something goes wrong.
 * IMPROVED: Malware Scanner – Scan progress and results now appear directly under
   the scan button instead of further down the page, so you can follow what’s happening
   without scrolling.
 * FIX: Scheduler – Malware Scanner now runs correctly when you have “Enable scheduled
   scans for all” selected. If your scan log was created before Malware support 
   was added, the plugin will update it automatically the next time a scheduled 
   scan runs, so the Malware column in the scan log will show results instead of
   “Not run”.
 * IMPROVED: Scheduler – Added a short reminder that Malware Scanner is included
   only when you choose “Enable scheduled scans for all”, so it’s clear how to get
   Malware in your scheduled runs.
 * IMPROVED: Scheduler – Scheduled scans (Security Tests, Core Scanner, Malware 
   Scanner) now use the bundled Action Scheduler (Pro). “Run now” queues the scan
   in the background so it no longer times out on slow or remote requests; recurring
   scans run via Action Scheduler for reliable unattended execution. The Pro plugin
   bundles Action Scheduler; no separate install required. The library is included
   only in the premium build (free version does not load or reference it).
 * IMPROVED: Malware Scanner is now faster and more reliable; scans use less memory
   and you get clearer progress feedback. You can also include the Malware Scanner
   in the Scheduler (Security Ninja  Scheduler): choose “Enable scheduled scans 
   for all” to run security tests, Core Scanner, and Malware Scanner on a schedule
   and get a single email report so you stay alerted to changes or suspicious files.
 * NEW: Malware Scanner – “Reset results” link under the scan button lets you clear
   previous scan results when a scan has been run before and you want to refresh.
 * NEW: Malware Scanner – You can now exclude specific paths or folders from malware
   scans. Use “Exclude paths from scan” on the Malware Scanner tab: enter one path
   pattern per line (e.g. _/plugins/plugin-name/_). Paths listed there are skipped
   by the scanner and never reported as malware. Ideal for excluding trusted plugins
   (e.g. Leadpages, AccessAlly, UpdraftPlus) that trigger false positives.
 * NEW: Malware Scanner – Path patterns are stored in the same whitelist as per-file
   whitelisted items; both are included in Import/Export (Tools page) under
   malware scanner settings.
 * NEW: Malware Scanner – Developers can add or modify excluded paths in code using
   the `securityninja_malware_exclude_paths` filter. Documentation:
   https://wpsecurityninja.com/docs/malware-scanner/how-to-exclude-paths/
 * FIX: Country blocking – Visitors whose country cannot be determined (e.g. some
   IPv6 addresses) are no longer blocked; this could happen on some servers.

#### 5.271

 * 2026-02-25
 * FIX: 2FA login redirect – After completing 2FA, users (including admins) are 
   now redirected to the dashboard or requested URL instead of the front page. Redirect
   logic now matches WordPress core: uses wp_validate_redirect() and the login_redirect
   filter.
 * FIX: 404 Guard – IPs whose monitoring window has expired are no longer shown 
   in “Being Monitored”. Expired count transients are excluded from the list and
   deleted to avoid DB bloat, so stale entries no longer appear.
 * IMPROVED: 404 Guard – First 404 from an IP is no longer logged; logging starts
   from the 2nd 404 onward to reduce log noise. Approaching-threshold, final-warning,
   and block events are unchanged.
 * IMPROVED: Visitor Log – Country flag is now shown next to the IP when country
   is known, matching Event Log behavior. A geolocation fallback is used for older
   entries where country was not stored.
 * FIX: Visitor Log – Fixed undefined variable ($allowed_html) when formatting log
   row details (wp_kses).
 * NEW: MainWP – Remote “force create database tables” action for incomplete installations.
 * FIX: Resolved fatal error when Security Ninja and AR for WooCommerce (or other
   plugins using chillerlan/php-settings-container) were active together; our copy
   is now loaded early and aliased in admin to prevent duplicate class declaration.

#### 5.270

 * 2026-02-22
 * FIX: Secure cookies fix now writes ini_set lines before any closing PHP tag in
   wp-config.php, preventing “headers already sent” and cookie/login issues. Thanks
   to Olga for the detailed report that made this fix possible.
 * NEW: Core Scanner – You can now open a printable report when the scan finds issues.
   Use “Print / Download report” to open the report in a new window and print or
   save as PDF for your records or support.
 * IMPROVED: Core Scanner – The report button is always visible; when no issues 
   are detected it shows a short notice so you know the option is available after
   the next scan with findings.
 * IMPROVED: Core Scanner – Original WordPress core files are cached for one day
   when restoring or comparing, so repeat operations are faster and put less load
   on external servers.
 * IMPROVED: Core Scanner – “View differences” now opens in the same unified File
   Viewer layout as “View File”, with consistent styling, file metadata, and shared
   security validation instead of a separate standalone page.
 * FIX: Firewall enable modal – “Send email” (activate and send unblock link) now
   works. The unblock-email AJAX action was not registered and the handler expected
   the email in GET; the action is now registered and all unblock-email requests
   use POST only.
 * TECH: All internal script and style references now use non-minified JS and CSS
   only; minified copies have been removed to simplify the codebase.
 * FIX: Fixed PHP 8.1 deprecation notice “Implicit conversion from float to int 
   loses precision” in Cloud Firewall IPv6 CIDR matching. Thanks to Lesford for 
   the report.

#### 5.269

 * 2026-02-19
 * NEW: Added compatibility with temporary login plugins (“Temporary Login Without
   Password”, “One Time Login”, “Magic Login”, “Login Links”). Temporary login links
   are now automatically whitelisted from suspicious query detection when the corresponding
   plugin is active. Detection is logged for audit purposes. Other plugins can extend
   this compatibility using the `securityninja_temporary_login_params` and `securityninja_is_temporary_login_link`
   filters – more info on website.
 * FIX: Fixed fatal error “Object of class WP_Error could not be converted to string”
   in Overview tab when displaying event details containing WP_Error objects. The
   code now properly checks for WP_Error objects before passing them to esc_html()
   and displays the error message instead.
 * FIX: Fixed fatal error preventing WooCommerce logins via public forms when SN_Geolocation
   class was not loaded. Code now checks for class existence before use.

#### 5.268

 * 2026-02-18
 * FIX: Firewall now allows logged-in administrators to access WordPress backend
   (wp-admin, admin-ajax.php) even when their IP address is banned. This prevents
   administrators from being locked out when their IP was banned by a false positive
   from the suspicious query filter, 404 Guard, brute-force protection, or other
   firewall features. This fixes the “Updating failed. The response is not a valid
   JSON response” error when saving pages in the block editor (Gutenberg) when the
   admin’s IP was previously banned.
 * IMPROVED: UI label for suspicious query filtering has been updated from “Block
   Suspicious Page Requests” to “Filter Suspicious Queries” to match support documentation
   and make it easier for users to find the setting when following support instructions.
 * FIX: 2FA login redirects now work correctly for users logging in via public forms
   (such as Paid Member Subscriptions, WooCommerce, and other third-party login forms).

#### 5.267

 * 2026-02-13
 * IMPROVED: LiteSpeed servers – Added documentation and in-app notices for all
   security headers (CSP, X-Frame-Options, X-Content-Type-Options,
   Strict-Transport-Security, Referrer-Policy, Permissions-Policy). LiteSpeed users can add headers
   directly to .htaccess using the examples in each test description. Thank you 
   Tom for the feedback.
 * FIX: Events Logger, Overview, and Visitor Log – Country flags now correctly show
   the event/visitor IP’s country instead of the logged-in admin’s IP when the site
   is behind Cloudflare or similar proxies.
 * Improved: Core Scanner – Interface loads faster; content in the different tabs
   is now lazy-loaded.
 * IMPROVED: Firewall – When “Block IP Network” is enabled, known social and
   link-preview crawlers (e.g. Facebook, LinkedIn, Twitter) are no longer blocked by
   default. Link previews when you share your site on social networks now work without
   having to whitelist IPs.

#### 5.266

 * 2026-02-10
 * Improvement: Logging details for 404 Guard.
 * FIX: Login Protection – Expired banned-IP entries are removed immediately instead
   of waiting for the prune job.
 * IMPROVED: Login Protection – Prune job for banned IPs now runs hourly.
 * FIX: Cloud Firewall IP Management – “Locally Banned IPs” list now shows only 
   currently banned IPs (expired bans are excluded).
 * FIX: Cloud Firewall – Test IP and “Clear list of banned IPs” functionality fixed.
 * Updated language file for translations.

#### 5.265

 * 2026-02-09
 * Tested up to WP 6.9.1
 * FIX: Issues with 2FA for some users.
 * IMPROVED: Vulnerability list updates faster and consumes less memory.

#### 5.264

 * 2026-01-31
 * FIX: Fixed wpdb::prepare() error during plugin uninstallation when dropping database
   tables.
 * FIX: Vulnerability scanner no longer blocks wp-admin after deactivating and reactivating
   the plugin. If the vulnerability data files are missing or unreadable (e.g. after
   reactivation or server changes), the plugin now recovers automatically: it shows
   the vulnerability count as zero until the data is restored in the background,
   and the dashboard continues to load normally.
 * IMPROVED: Vulnerability module now recreates and re-downloads its data files 
   when they are missing, so you no longer need to reinstall the plugin to fix a
   “JSONL file not readable” error.
 * FIX: Hardened vulnerability JSONL file handling: guard fclose() on stream and
   catch all errors when counting records, so missing or unreadable files never 
   cause a fatal in wp-admin.
 * FIX: Login Protection – “Failed login warnings” toggle now correctly saves when
   disabled (was reverting to enabled because unchecked checkbox is omitted from
   form POST).
 * FIX: 2FA – Disabling 2FA in settings now persists correctly; toggle uses a hidden
   input so unchecked state is saved.

#### 5.263

 * 2026-01-25
 * Improved bandwidth usage when fetching vulnerability data, for all users.
 * Improved: Vulnerability scanner now reads vulnerability feeds in a streaming,
   memory-efficient way to reduce peak memory usage.

#### 5.262

 * 2026-01-20
 * NEW: Free users now benefit from the firewall based on the excellent 8G Firewall
   by Jeff Starr.
 * NEW: Events logger now part of free version, basic event monitoring and logging
   for your site. More advanced tracking in premium version available.
 * NEW: Core Scanner – Added ability to ignore specific files and patterns from 
   scan results using the securityninja_core_scanner_ignore_files filter. Ignored
   files are displayed in a separate section for transparency.
   https://wpsecurityninja.com/docs/core-scanner/how-to-ignore-files/ – Thank you Gary.
 * IMPROVED: Events Logger – All modules are now included in email reports by default.
   Users can deselect specific modules in settings.
 * FIX: Events Logger – Prevented excessive memory usage by skipping translation
   hooks and reducing repeated license checks during audit logging.
 * NEW: Quick firewall stats in the sidebar.
 * Improved: Added ‘php_errorlog’ to the list of allowed files to view by the file
   viewer.
 * Improved: Added firewall events to the overview page for free users.
 * FIX: Fixed CIDR notation matching in IP whitelist – CIDR ranges now correctly
   match IPs within the range – Thank you Dirk.
 * FIX: 2FA generation now uses your site’s URL—rather than the site name—for labeling
   in authenticator apps, ensuring greater clarity and consistency.
 * FIX: Refactor local request check in Wf_Sn_Tests class by introducing a dedicated
   method. Thank you Jean.
 * Tested up to WP 6.9

#### 5.261

 * 2025-11-17
 * Fixed: 2FA – Changed key name format from “site_url (username):email” to “site_url:
   username” – Thank you Davina.
 * Fixed: Compatibility warning with WordPress 6.7 regarding translation loading
   timing
 * Fixed: Server security restriction warning when checking wp-config.php file location
 * Fixed: Fixed critical bug where database prefix changer added an extra underscore
   when updating wp-config.php, causing WordPress to look for non-existent tables
   with double underscores (e.g., wp_12345__posts instead of wp_12345_posts). Thank
   you Tchai.
 * Fixed: Database prefix changer to properly update option names and meta keys 
   when changing from custom prefixes (not just “wp_”).
 * IMPROVED: Database prefix changer now works with any prefix, not just the default
   “wp_”. Can now rename tables when changing from one custom prefix to another.
   All plugin tables are automatically included in the renaming process.

#### 5.260

 * 2025-11-12
 * NEW: Failed login email warnings – administrators receive email notifications
   when someone attempts to log in with their username and fails. Can be enabled
   in Login Form Protection settings.
 * NEW: Admin IPs are automatically whitelisted on plugin activation and successful
   admin login to prevent administrators from being blocked. Thank you Val.
 * FIX: Fixed country blocking to respect “only block backend” setting when enabled.
   Thank you Guru for the tip.
 * IMPROVED: Secret access URL processing has been moved up in the request cycle
   to make sure IP whitelisting happens before any ban checks, so blocked visitors
   should be able to get back on the site more reliably.
 * IMPROVED: wp-config.php backups are stored in encrypted format (AES-256-CBC) 
   to ensure data security. Each backup uses a unique encryption key and initialization
   vector. This was introduced in a previous release, but was not added to the changelog.
 * Update 3rd party libraries – Freemius SDK 2.13.0 among others.

#### 5.259

 * 2025-11-07
 * IMPROVED: Made the dashboard widget visible when white label mode is enabled.
   Previously the widget was hidden instead. Thank you for the suggestion, Dmitry.
 * IMPROVED: Added count-based limit (5000 entries) to visitor log pruning to prevent
   database bloat on high-traffic sites.
 * IMPROVED: Removed deprecated X-XSS-Protection header from REST API – modern browsers
   ignore this header and Content-Security-Policy is the recommended replacement.
   Thank you Dmitry for the suggestions.
 * IMPROVED: More information on CSP in our knowledgebase.
 * FIX: Fixed typo in Permissions-Policy description (explitly → explicitly).
 * FIX: Updated Permissions-Policy documentation link from Feature-Policy to
   Permissions-Policy URL.
 * FIX: Corrected Nginx example in Content-Security-Policy test descriptions (was
   showing X-Frame-Options instead of CSP).
 * Preparing for plugin rewrite -> improving the free version and streamlining the
   premium and free feature set.

#### 5.258

 * 2025-11-06
 * NEW: Enhanced username enumeration protection – Now prevents username discovery
   via REST API /wp-json/wp/v2/users endpoint and oEmbed API, in addition to existing
   ?author=N scan protection. Thanks Allen.

#### 5.257

 * 2025-10-22
 * Removed duplicate 2FA login requests to prevent error flashes. Thanks to Eric
   for spotting this.
 * Added try-catch to prevent problems with corrupted IP location database, thank
   you Wan.

#### 5.256

 * 2025-10-09
 * Fix for recommendation engine “wp-config.php not found in the wordpress root
   directory” – now properly checks for when the config file has been moved up one
   level. Thank you Eric.
 * Fix – 2FA email, user reported emails were sent twice with two different codes.
   Thank you Eric.
 * Improved 2FA setup page stability and performance across different WordPress 
   configurations.
 * 2FA – Naming of the accounts is now a little more intuitive. Thank you Davina.

#### 5.255

 * NEW: Added XML-RPC protection feature. This update enhances your site’s security
   by allowing you to easily enable or disable XML-RPC access.
 * Improved: Malware signatures tweaked and improved, thank you users for suggestions.

#### 5.254

 * NEW: Added secret key display and copy functionality to the 2FA module in frontend
   and backend, making it easier for users to add the key to their system.
 * FIX: Installation issues that popped up occasionally have been fixed.
 * FIX: Timezone on Overview page was incorrect, thank you for spotting it, Ivar.
 * FIX: Resolved JavaScript conflicts that prevented 2FA functionality from working
   with ARMember and other plugins
 * FIX: 2FA QR code/key generation now works reliably across all site configurations,
   even if other scripts have errors. “Skip for now” link, “Generate new QR code”
   button, code input validation, and temporary secret usage during setup all function
   correctly.
 * FIX: 2FA setup UI and logic are now robust—QR code generation.
 * IMPROVED: Enhanced 2FA JavaScript with robust error handling and DOM ready protection
 * IMPROVED: Added inline JavaScript handlers as fallback to ensure 2FA works even
   when external scripts fail
 * IMPROVED: Better error messages and user feedback during 2FA setup process

#### 5.253

 * NEW: Setting up 2FA for users in admin pages
 * Fix for coupon protection in WooCommerce modern block cart and checkout page –
   Thank you Priit.

#### 5.252

 * Fixes for REST API warnings.
 * Updated internal libraries (PHP enums, WordPress SDK, and PHP_CodeSniffer tooling)
   to latest patch versions for improved stability, coding standards checks, and
   compatibility. No breaking changes.

#### 5.251

 * Fix: Removed extra whitespace in “import/export”.
 * Fix: Improved “Fixes” features proper loading when doing import/export.

#### 5.250

 * Removed translated messages for login errors, which created a loop when trying
   to present translated messages using WP’s translation engine.
 * Fix: Fixed database prefix renaming to properly handle option names containing
   embedded prefixes. Thank you Chris!
 * Enhanced: Improved custom login URL security with proper access control and error
   handling

…

Entire changelog can be seen here: [changelog](https://wpsecurityninja.com/changelog/)

## Meta

 *  Version **5.276**
 *  Last updated **1 week ago**
 *  Active installations **7,000+**
 *  WordPress version **4.7 or newer**
 *  Tested up to **6.9.4**
 *  PHP version **7.4 or newer**
 *  Languages
 * [Bulgarian](https://bg.wordpress.org/plugins/security-ninja/), [English (US)](https://wordpress.org/plugins/security-ninja/),
   [German](https://de.wordpress.org/plugins/security-ninja/), [Italian](https://it.wordpress.org/plugins/security-ninja/),
   [Korean](https://ko.wordpress.org/plugins/security-ninja/), [Spanish (Colombia)](https://es-co.wordpress.org/plugins/security-ninja/),
   [Spanish (Ecuador)](https://es-ec.wordpress.org/plugins/security-ninja/), [Spanish (Spain)](https://es.wordpress.org/plugins/security-ninja/),
   [Spanish (Venezuela)](https://ve.wordpress.org/plugins/security-ninja/) and [Vietnamese](https://vi.wordpress.org/plugins/security-ninja/).
 *  [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/security-ninja)
 * Tags
 * [firewall](https://nl.wordpress.org/plugins/tags/firewall/) [malware](https://nl.wordpress.org/plugins/tags/malware/)
   [security](https://nl.wordpress.org/plugins/tags/security/) [vulnerability](https://nl.wordpress.org/plugins/tags/vulnerability/)
   [WAF](https://nl.wordpress.org/plugins/tags/waf/)
 *  [Advanced view](https://nl.wordpress.org/plugins/security-ninja/advanced/)

## Ratings

 4.6 out of 5 stars.

 *  [89 5-star reviews](https://wordpress.org/support/plugin/security-ninja/reviews/?filter=5)
 *  [1 4-star review](https://wordpress.org/support/plugin/security-ninja/reviews/?filter=4)
 *  [0 3-star reviews](https://wordpress.org/support/plugin/security-ninja/reviews/?filter=3)
 *  [2 2-star reviews](https://wordpress.org/support/plugin/security-ninja/reviews/?filter=2)
 *  [7 1-star reviews](https://wordpress.org/support/plugin/security-ninja/reviews/?filter=1)

[See all reviews](https://wordpress.org/support/plugin/security-ninja/reviews/)

## Contributors

 *   [ cleverplugins ](https://profiles.wordpress.org/cleverplugins/)
 *   [ Lars Koudal ](https://profiles.wordpress.org/lkoudal/)
 *   [ Freemius ](https://profiles.wordpress.org/freemius/)

## Support

Issues resolved in the last two months:

     1 out of 2

 [View support forum](https://wordpress.org/support/plugin/security-ninja/)

## Donate

Would you like to support the growth of this plugin?

 [Donate to this plugin](https://wpsecurityninja.com/)