Title: Vigilant – 100% Free Security: Firewall, 2FA Login, Malware Scan, Audit…
Author: Fernando Tellado
Published: 11 February 2026
Last modified: 7 April 2026

---


![](https://ps.w.org/vigilante/assets/banner-772x250.jpg?rev=3482619)

![](https://ps.w.org/vigilante/assets/icon-256x256.png?rev=3482619)

# Vigilant – 100% Free Security: Firewall, 2FA Login, Malware Scan, Audit…

By [Fernando Tellado](https://profiles.wordpress.org/fernandot/)

[Download](https://downloads.wordpress.org/plugin/vigilante.1.11.1.zip)


## Description

### Premium Security. Zero Cost.

Vigilant provides enterprise-level WordPress security features completely free. 
No premium version, no upsells, no hidden features behind paywalls.

Protect your site with a complete security suite: firewall, two-factor authentication,
brute force protection, security headers, file integrity monitoring, malware detection,
user management, security audit logging, under attack mode and much more.

### Instant Protection

Once activated, Vigilant immediately applies essential security measures:

 * Firewall rules against common attacks (SQL injection, XSS, file inclusion)
 * Security headers for browser protection
 * Login attempt monitoring
 * XML-RPC blocking
 * WordPress version hiding
 * Sensitive file protection (.htaccess, wp-config.php)
 * Automatic backup of your existing configuration files

### One-Click Security Presets

Choose a preset and get protected instantly:

**Standard** – Balanced security suitable for most websites. Enables all modules
with sensible defaults that won’t interfere with normal site operation.

**Maximum Security** – Strictest settings for high-security sites. Tighter rate 
limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning
for some setups.

You can always customize individual settings after applying a preset.

### Under Attack Mode

Is your site under active attack? Activate Under Attack mode with one click and 
stop malicious traffic instantly:

 * **JavaScript challenge** – Every visitor must pass an automatic browser verification
   before accessing your site. Real browsers solve it in seconds, bots get blocked
   completely
 * **Aggressive rate limiting** – Requests limited to 30 per minute with 15-minute
   blocks for offenders
 * **HTTP method restriction** – Only GET, POST, and HEAD allowed. PUT, DELETE, 
   PATCH, OPTIONS, and TRACE are blocked
 * **Empty user agent blocking** – Requests without a user agent header are rejected
 * **Full XML-RPC lockdown** – All XML-RPC access is blocked during the attack
 * **REST API restriction** – Only authenticated users can access the REST API
 * **Auto-deactivation** – Mode automatically turns off after 4 hours so you never
   forget it’s on
 * **Email notifications** – Get notified when the mode is activated and deactivated
 * **HMAC-signed cookies** – Verified visitors receive a cryptographically signed
   cookie so they only see the challenge once

Under Attack mode works independently from your preset configuration. Your regular
security settings are preserved and restored when the mode deactivates.
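The "HMAC-signed cookies" bullet above is the part of Under Attack mode that keeps a verified visitor from seeing the challenge on every request. The following is an added example, not Vigilant's own code, of how such a cookie can be issued and checked: the expiry time is authenticated with an HMAC under a server-side secret, so a visitor cannot forge or extend it, and the comparison is constant-time. The function names (`vigilant_example_*`), the cookie layout and the TTL are assumptions made for this illustration.

```php
<?php
// Added example (not Vigilant's implementation): issue and verify a "challenge passed"
// cookie whose expiry is protected by an HMAC. Names and layout are assumptions.

const VIGILANT_EXAMPLE_COOKIE_TTL = 3600; // assumed: trust a verified visitor for one hour

// Cookie value is "<unix expiry>.<hex hmac>"; the MAC binds the expiry to the secret.
function vigilant_example_issue_cookie( string $secret, int $now, int $ttl = VIGILANT_EXAMPLE_COOKIE_TTL ): string {
    $expires = $now + $ttl;
    $mac     = hash_hmac( 'sha256', (string) $expires, $secret );
    return $expires . '.' . $mac;
}

// Accept only a well-formed, unexpired cookie whose MAC matches.
function vigilant_example_verify_cookie( string $cookie, string $secret, int $now ): bool {
    $parts = explode( '.', $cookie, 2 );
    if ( count( $parts ) !== 2 || ! ctype_digit( $parts[0] ) ) {
        return false; // malformed value
    }
    [ $expires, $mac ] = $parts;
    if ( (int) $expires <= $now ) {
        return false; // expired: the visitor has to solve the challenge again
    }
    $expected = hash_hmac( 'sha256', $expires, $secret );
    // hash_equals() runs in constant time, so the MAC cannot be guessed byte by byte.
    return hash_equals( $expected, $mac );
}

// Demo with a constructed secret. A deployment derives the secret from a per-site random
// value kept out of source control, never from a literal like this one.
$secret = 'constructed-demo-secret-do-not-use';
$now    = 1700000000;
$cookie = vigilant_example_issue_cookie( $secret, $now );

var_dump( vigilant_example_verify_cookie( $cookie, $secret, $now + 60 ) );          // true: valid and fresh
var_dump( vigilant_example_verify_cookie( $cookie, $secret, $now + 7200 ) );        // false: expired
var_dump( vigilant_example_verify_cookie( $cookie . 'x', $secret, $now + 60 ) );    // false: tampered MAC
var_dump( vigilant_example_verify_cookie( '9999999999.deadbeef', $secret, $now ) ); // false: forged expiry
```

If the cookie should not be transferable between clients, the same pattern extends by feeding a stable client attribute (for example a hash of the User-Agent) into the HMAC input alongside the expiry; that is a design choice, not something the page states Vigilant does.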

### Core Security Features

**Two-Factor Authentication (2FA)**

Add a second verification step to your WordPress login. Choose the method that works
best for your team:

 * **Authenticator app (TOTP)** – Google Authenticator, Authy, Microsoft Authenticator,
   or any TOTP-compatible app
 * **Email codes** – One-time 6-digit verification codes sent via email
 * QR code setup directly in user profiles
 * 10 backup codes for emergency access if you lose your device
 * Configurable grace period for users to set up their authenticator app
 * Trusted devices feature – optionally allow users to skip 2FA on recognized devices
   for 30 days
 * Role-based enforcement – require 2FA for administrators, editors, or any role
 * Exclude specific users from 2FA requirements
 * Admin tool to reset TOTP for users who lost their authenticator
 * Configurable code expiry, attempt limits, and email sender name
 * User notification emails when 2FA is enabled or method changes

**Firewall Protection**

Block malicious requests before they reach WordPress:

 * SQL injection blocking
 * XSS (Cross-Site Scripting) attack prevention
 * File inclusion protection (LFI/RFI)
 * Directory traversal blocking
 * Bad bot detection and blocking
 * Rate limiting against DDoS and brute force
 * IP whitelist and blacklist management
 * User-Agent whitelist and blacklist with partial matching
 * HTTP method restriction

**Login Security**

Stop unauthorized access attempts:

 * Limit login attempts with configurable thresholds
 * Progressive lockouts – longer blocks for repeat offenders
 * Custom login URL – hide wp-login.php from bots
 * Login URL change notifications to all admin-area users
 * Hide login error messages – don’t reveal valid usernames
 * XML-RPC disable – block this common attack vector
 * Application passwords control
 * Admin login notifications via email
 * IP whitelist for trusted locations

**User Security**

Comprehensive user account protection:

 * Block insecure usernames (admin, test, root, etc.)
 * Force strong passwords with minimum length
 * Password expiration with configurable intervals
 * Password history – prevent reusing old passwords
 * Force password reset — by specific users, by role, or all users (post-hack recovery)
 * Session limits – control concurrent logins per user
 * Session management – view and revoke active sessions
 * Email verification for new registrations
 * Registration approval workflow – manually approve new users
 * Admin account monitoring – alerts for new admins, email changes, password changes,
   privilege escalation
 * Display name protection – prevent exposing login username publicly

**Security Headers**

Achieve Grade A security ratings:

 * Content Security Policy (CSP) with visual builder
 * HSTS (HTTP Strict Transport Security) with preload option
 * X-Frame-Options – prevent clickjacking
 * X-Content-Type-Options – prevent MIME sniffing
 * Referrer Policy control
 * Permissions Policy (camera, microphone, geolocation)
 * Cross-Origin policies (COEP, COOP, CORP)
 * HTTPS enforcer with automatic mixed content fix
 * Built-in header testing tool

**File Integrity Monitoring**

Detect unauthorized changes to your files:

 * WordPress core verification against official checksums
 * Plugin and theme file monitoring with WordPress.org checksums
 * Suspicious code scanning for plugins and themes without checksums
 * Extra file detection in plugins and themes (files not in original distribution)
 * Two-level detection: strict obfuscation combos for plugins, broad patterns for
   uploads
 * Uploads directory scanning for PHP files, double extensions, and .htaccess
 * Root directory scanning for non-core PHP files (common attack vector)
 * Smart .htaccess classification in uploads – distinguishes dangerous rules from
   protective ones
 * String concatenation obfuscation detection
 * Configurable notification levels (all issues, suspicious only, or disabled)
 * Ignore list to dismiss known files from results
 * Excluded paths and file extensions
 * Scheduled automatic scans (daily, weekly)
 * HTML formatted email alerts with severity sections

**Security Audit**

Track everything happening on your site:

 * Successful and failed login attempts
 * Two-factor authentication events
 * User account changes (creation, deletion, role changes)
 * Content modifications (posts, pages)
 * Plugin and theme activations/deactivations
 * Security events and blocked threats
 * HTTP request method tracking and filtering (GET, POST, PUT, DELETE)
 * Enhanced log detail popup with grouped sections and quick actions
 * One-click add IP or User-Agent to firewall whitelist/blacklist from log entries
 * Direct IP lookup links to AbuseIPDB
 * Configurable retention period
 * Export logs to CSV
 * Filter by event type, severity, request method, or date

**WordPress Hardening**

Additional security measures:

 * wp-config.php security constants (DISALLOW_FILE_EDIT, etc.)
 * WP_DEBUG detection – dashboard warning when debug mode is active in production
 * Automatic removal of readme.html, license.txt, and licencia.txt (daily cleanup)
 * Database prefix security check and one-click change tool
 * Comment spam protection with honeypot fields
 * Disable pingbacks and trackbacks
 * Close comments on old posts
 * WordPress head cleanup (remove version, RSD, WLW links)
 * Feed management and security

**REST API Security**

Control API access to your site:

 * Three access modes: public, authenticated only, or selective
 * Block user enumeration via REST API
 * Protect sensitive endpoints
 * Maintain compatibility with popular plugins (WooCommerce, Contact Form 7, Elementor)

### Security Tools

Utilities included:

 * **Database Backup** – Download a full or partial database backup as ZIP with 
   table selection
 * **Database Prefix Change** – Change the default wp_ prefix to a random secure
   prefix
 * **Export/Import Settings** – Transfer your configuration between sites
 * **Manual Backup** – Create backups of .htaccess and wp-config.php on demand
 * **Reset to Defaults** – Start fresh with one click

### Safe by Design

**Automatic Backup System**

Your existing .htaccess, wp-config.php, and robots.txt are automatically backed 
up before any modifications. Backups include integrity verification (MD5 checksums)
and are stored safely in wp-content/vigilante-backups/, persisting through plugin
updates.

**Clean Rollback**

When you deactivate Vigilant, all security rules are automatically removed and your
original configuration files are restored. No leftover code, no broken sites.

### Why choose Vigilant?

Most WordPress security plugins reserve their best features for paid plans. Vigilant
gives you everything upfront — no premium tier, no feature locks, no upsells. Firewall,
2FA with authenticator app, security headers, file integrity scanner, security audit,
and more. All free, all maintained, all following WordPress coding standards.

If your current security plugin asks you to pay for features that should be basic,
take a look at what Vigilant offers out of the box.

### How does Vigilant compare?

We maintain a detailed feature comparison between Vigilant and other popular security
plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each plugin
offers in its free version and where Vigilant fills the gaps.

→ [View the full comparison](https://vigilante.works/comparison.html)

### Support

Need help or have suggestions?

 * [Official website](https://servicios.ayudawp.com/)
 * [WordPress support forum](https://wordpress.org/support/plugin/vigilante/)
 * [YouTube channel](https://www.youtube.com/AyudaWordPressES)
 * [Documentation and tutorials](https://ayudawp.com/)

Love the plugin? Please leave us a 5-star review and help spread the word!

### About AyudaWP

We are specialists in WordPress security, SEO, and performance optimization plugins.
We create tools that solve real problems for WordPress site owners while maintaining
the highest coding standards and accessibility requirements.

## Screenshots

 * Security Dashboard – Security score, module controls, and preset selection
 * Two-Factor Authentication – Second verification step during login
 * Login Security – Brute force protection, 2FA, lockouts, and custom login URL
 * User Security – Complete user protection tools and settings
 * Password Expiration – Force periodic password changes with history
 * Registration Approval and Session Limits – Control new users and concurrent logins
 * File Integrity – Scanner settings and verification results
 * Security Audit – Filterable event viewer with export option

## Installation

 1. Upload the plugin files to `/wp-content/plugins/vigilante/` or install directly
    from the WordPress plugin repository
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. Go to ‘Vigilant’ in the admin menu
 4. Apply a security preset or customize individual module settings

**Requirements:**

 * WordPress 6.2 or higher
 * PHP 7.4 or higher
 * Apache or LiteSpeed server (for .htaccess features)
 * SSL certificate recommended for HSTS

## FAQ

### Will this plugin slow down my site?

No. Vigilant is optimized for performance. The firewall uses efficient pattern matching,
database queries are cached with transients, and .htaccess rules execute at server
level before PHP even loads.

### What happens when I activate the plugin?

Vigilant immediately creates a backup of your existing .htaccess and wp-config.php
files, then applies default security settings. All modules are enabled with balanced
defaults suitable for most sites.

### What happens when I deactivate the plugin?

All security modifications are automatically reverted. The .htaccess rules are removed,
wp-config.php constants are restored to their original values, and scheduled tasks
are cleared. Your site returns to its pre-Vigilant state.

### How does two-factor authentication work?

Vigilant supports two 2FA methods. With the **authenticator app** (TOTP), you scan
a QR code in your profile to link an app like Google Authenticator or Authy, then
enter a 6-digit code from the app on every login. With **email codes**, you receive
a one-time code via email after entering your password. If enabled by the site administrator,
you can mark your device as trusted to skip 2FA for 30 days.
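The TOTP method described in this answer (and in the "Two-Factor Authentication" feature list above) is the RFC 6238 algorithm every authenticator app implements. The block below is an added example, not Vigilant's own 2FA module: it decodes the base32 secret that the QR code carries, derives the 6-digit code for a 30-second step, verifies a submitted code while tolerating one step of clock drift, and builds the `otpauth://` URI a QR code would encode. Function names are assumptions; the self-check at the end uses the published RFC 6238 test secret.

```php
<?php
// Added example (not Vigilant's implementation) of RFC 6238 TOTP. Names are assumptions.

// Decode an RFC 4648 base32 string, the encoding authenticator apps expect for secrets.
function vigilant_example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $val = strpos( $alphabet, $ch );
        if ( $val === false ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {   // drop trailing padding bits
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226) for one counter value; TOTP is HOTP with counter = floor(time / step).
function vigilant_example_hotp( string $secret, int $counter, int $digits = 6 ): string {
    $msg    = pack( 'J', $counter );                    // 8-byte big-endian counter
    $hmac   = hash_hmac( 'sha1', $msg, $secret, true ); // raw 20-byte HMAC-SHA1
    $offset = ord( $hmac[19] ) & 0x0f;                  // dynamic truncation offset
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

function vigilant_example_totp( string $secret, int $time, int $step = 30 ): string {
    return vigilant_example_hotp( $secret, intdiv( $time, $step ) );
}

// Accept the current step and one step either side (clock drift), comparing in constant time.
function vigilant_example_verify_totp( string $secret, string $code, int $time, int $window = 1 ): bool {
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( vigilant_example_totp( $secret, $time + $i * 30 ), $code ) ) {
            return true;
        }
    }
    return false;
}

// The provisioning URI is what a profile-page QR code encodes.
function vigilant_example_otpauth_uri( string $issuer, string $account, string $b32_secret ): string {
    return 'otpauth://totp/' . rawurlencode( $issuer ) . ':' . rawurlencode( $account )
         . '?secret=' . $b32_secret . '&issuer=' . rawurlencode( $issuer ) . '&digits=6&period=30';
}

// Self-check against the RFC 6238 test vector: secret "12345678901234567890", T=59 -> 287082.
$rfc_secret = vigilant_example_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
var_dump( vigilant_example_totp( $rfc_secret, 59 ) === '287082' );             // true
var_dump( vigilant_example_verify_totp( $rfc_secret, '287082', 59 + 30 ) );    // true: one step of drift
var_dump( vigilant_example_verify_totp( $rfc_secret, '287082', 59 + 120 ) );   // false: outside the window
echo vigilant_example_otpauth_uri( 'Example Site', 'alice@example.com', 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' ), "\n";
```

A real verifier also has to remember the last accepted counter per user so that a code captured in transit cannot be replayed within its 30-second window, and to rate-limit attempts; the page's "attempt limits" setting is the second of those.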

### What if I lose my phone or authenticator app?

When you set up TOTP, Vigilant generates 10 backup codes. You can use any of them
as a one-time replacement for the authenticator code. If you run out of backup codes,
an administrator can reset your TOTP from the plugin settings.

### What if I don’t receive the 2FA email code?

Check your spam folder first. You can click “Resend code” on the verification form.
Codes expire after 10 minutes by default. If issues persist, an administrator can
temporarily disable 2FA from the plugin settings.

### Can I switch between email and authenticator app?

Yes. Go to Login Security > Two-Factor Authentication and change the verification
method. If notifications are enabled, affected users will receive an email explaining
the new method and how to set it up.

### Which user roles require 2FA?

By default, 2FA is enforced for administrators and editors. You can customize which
roles require 2FA in the Login Security settings, and exclude specific users individually.

### How do I recover if I’m locked out?

Access your site via FTP/SFTP and either rename the plugin folder to disable it 
temporarily, or delete the `vigilante_login_attempts` table rows for your IP address
in the database.

### Will the firewall block legitimate users?

The firewall is configured to allow normal WordPress operations, including the block
editor, REST API, and popular page builders. If you experience issues, you can whitelist
specific IPs or adjust rate limiting thresholds.

### Can I use this with other security plugins?

While Vigilant works standalone, running multiple security plugins can cause conflicts.
We recommend testing in a staging environment first if you need to combine security
solutions.

### Does this work with caching plugins?

Yes. Vigilant is compatible with popular caching plugins. The firewall runs before
cache layers, and .htaccess rules don’t interfere with caching mechanisms.

### Does this work with WooCommerce?

Yes. Vigilant includes compatibility settings for WooCommerce. The REST API security
module automatically allows WooCommerce endpoints, and the firewall won’t block 
payment gateway connections.

### How do I test my security headers?

Use the built-in header testing tool in the Security Headers tab, or visit securityheaders.com
with your site URL to get a security grade.

### What is password expiration?

You can require users to change their passwords after a set number of days (30, 
60, 90, etc.). Users receive warnings before expiration and are forced to change
their password on next login when it expires. Password history prevents reusing 
recent passwords.

### What is registration approval?

When enabled, new user registrations require manual approval by an administrator
before the account becomes active. Pending users cannot log in until approved. You
can configure auto-rejection after a set number of days.

### What does email verification do?

New users must verify their email address by clicking a link before their account
becomes active. This prevents fake registrations and ensures valid contact information.

### How do session limits work?

You can limit how many concurrent sessions each user can have. When the limit is
reached, either the new login is blocked or the oldest session is terminated, depending
on your configuration.

### Can I export the security audit log?

Yes. The security audit log can be exported to CSV format for external analysis 
or compliance reporting. You can also filter logs by event type, user, or date range
before exporting.

### What files does the integrity scanner check?

The scanner compares WordPress core files, plugin files, and theme files against
official checksums from WordPress.org. Plugins and themes without available checksums
are also scanned using strict obfuscation pattern detection. The uploads directory
is scanned for PHP files, double extensions, and .htaccess files. Extra PHP files
not present in original distributions are detected and, if they contain suspicious
code, automatically flagged as suspicious.
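The scan described in this answer has two halves: comparing known files against a checksum manifest (ok, modified or missing) and walking the tree for files the manifest does not list, applying a narrow obfuscation heuristic to any extra PHP file. The following is an added example, not Vigilant's scanner: the manifest shape (relative path to MD5) mirrors the WordPress.org checksum API, but the fixture is a temporary directory constructed inline so the script runs offline. Function names and the heuristic are assumptions.

```php
<?php
// Added example (not Vigilant's scanner): checksum verification plus extra-file detection
// over a constructed fixture directory. Names and the heuristic are assumptions.

function vigilant_example_scan( string $root, array $manifest ): array {
    $report = [ 'ok' => [], 'modified' => [], 'missing' => [], 'extra' => [], 'suspicious' => [] ];
    // Known files: matching hash -> ok, different -> modified, absent -> missing.
    foreach ( $manifest as $rel => $md5 ) {
        $path = $root . '/' . $rel;
        if ( ! is_file( $path ) ) {
            $report['missing'][] = $rel;
        } elseif ( md5_file( $path ) === $md5 ) {
            $report['ok'][] = $rel;
        } else {
            $report['modified'][] = $rel;
        }
    }
    // Anything on disk that the manifest does not list is "extra"; extra PHP gets the heuristic.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        if ( isset( $manifest[ $rel ] ) ) {
            continue;
        }
        $report['extra'][] = $rel;
        if ( preg_match( '/\.php$/i', $rel ) === 1
             && vigilant_example_looks_obfuscated( file_get_contents( $file->getPathname() ) ) ) {
            $report['suspicious'][] = $rel;
        }
    }
    return $report;
}

// Deliberately strict: only the combination of a code-execution sink with a decoding call
// is flagged, which keeps false positives low on legitimate plugin code.
function vigilant_example_looks_obfuscated( string $src ): bool {
    $sink   = preg_match( '/\b(eval|assert|create_function)\s*\(/i', $src ) === 1;
    $decode = preg_match( '/\b(base64_decode|gzinflate|str_rot13)\s*\(/i', $src ) === 1;
    return $sink && $decode;
}

// Constructed fixture: two known files, then one is tampered and one unknown file is added.
$root = sys_get_temp_dir() . '/vigilant-example-' . bin2hex( random_bytes( 4 ) );
mkdir( $root . '/inc', 0700, true );
file_put_contents( $root . '/index.php', "<?php echo 'hello';\n" );
file_put_contents( $root . '/inc/helpers.php', "<?php function h() {}\n" );
$manifest = [
    'index.php'       => md5_file( $root . '/index.php' ),
    'inc/helpers.php' => md5_file( $root . '/inc/helpers.php' ),
    'readme.txt'      => md5( 'original readme' ),           // never written: reported missing
];
file_put_contents( $root . '/inc/helpers.php', "<?php function h() { return 1; }\n" ); // modified
file_put_contents( $root . '/inc/extra.php', "<?php eval(base64_decode('aGk='));\n" );   // extra + suspicious

print_r( vigilant_example_scan( $root, $manifest ) );
// ok: index.php; modified: inc/helpers.php; missing: readme.txt;
// extra: inc/extra.php; suspicious: inc/extra.php
```

The fixture files stay in the system temp directory; remove them after the run. A production scanner would additionally honour an ignore list and excluded paths, as the settings list above describes.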

### How often does the file integrity scan run?

You can configure automatic scans to run daily or weekly. You can also run manual
scans at any time. Email notifications support three levels: all issues, suspicious
files only, or disabled.

### What is the difference between Standard and Maximum presets?

Standard applies balanced settings suitable for most sites. Maximum applies stricter
rules: lower rate limits, tighter CSP policies, required admin notifications, session
limits, and more aggressive hardening. Maximum may require adjustments for sites
with complex functionality.

### Where are backups stored?

Backups are stored in wp-content/vigilante-backups/. This location persists through
plugin updates. The directory is protected with .htaccess rules to prevent direct
access.

### What is Under Attack mode?

Under Attack mode is an emergency feature you can activate when your site is experiencing
an active attack. It adds a JavaScript challenge that real browsers solve automatically
in a few seconds, while bots and automated scripts are blocked completely. It also
applies aggressive rate limiting, blocks restricted HTTP methods, and restricts 
API access.

### Will Under Attack mode affect my logged-in users?

No. Logged-in users, admin pages, cron jobs, AJAX requests, and the login page are
all excluded from the JavaScript challenge. Only unauthenticated frontend visitors
see the verification page.

### What if I forget to turn off Under Attack mode?

It automatically deactivates after 4 hours. You will also receive an email notification
when it activates and deactivates.

### Does Under Attack mode change my regular security settings?

No. It operates independently from your preset configuration (Standard or Maximum).
Your regular settings are untouched and continue working normally after Under Attack
mode deactivates.

### How does the database backup work?

Go to Vigilant > Tools > Database Backup. Select which tables to include (or leave
all selected), then click Download. The backup is generated as a ZIP file containing
a SQL dump. No files are stored on the server.

### What does changing the database prefix do?

WordPress uses wp_ as default table prefix. Changing it to a random prefix adds 
a layer of protection against SQL injection attacks that target default table names.
Go to Vigilant > WP Hardening > Database Hardening. Always create a backup before
changing the prefix.

### How do I exclude management services like ManageWP from the firewall?

Go to Vigilant > Firewall > User-Agent Lists and add the service name (e.g., ManageWP,
MainWP, UptimeRobot) to the User-Agent Whitelist. Partial matching is used, so entering
“ManageWP” will match any User-Agent string containing that keyword.

### Can I send security notifications to someone other than the site admin?

Yes. Go to Vigilant > Settings & Tools > Notification settings. You can add additional
email recipients (one per line) and optionally uncheck the WordPress admin email.
This is useful for maintenance professionals managing multiple sites who need to
receive all security alerts.

### Can I customize notification recipients programmatically?

Yes. Use the `vigilante_notification_recipients` filter. It receives and returns
an array of email addresses used for all administrative notifications:

```php
// Append an extra recipient to every administrative notification Vigilant sends.
add_filter( 'vigilante_notification_recipients', function( $recipients ) {
    $recipients[] = 'security-team@example.com';
    return $recipients;
} );
```
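The snippet above appends a single fixed address. The block below is an added example, not Vigilant's code, that goes one step further for the "one per line" recipients field described two answers earlier: it parses a raw textarea value tolerant of CRLF, commas and semicolons, drops invalid addresses, de-duplicates case-insensitively, and only then hands the list to the `vigilante_notification_recipients` filter. The filter name is the page's; the function name and the `$raw` value are assumptions, and the `add_filter` call is guarded so the script also runs outside WordPress.

```php
<?php
// Added example (not Vigilant's code): normalise a "one address per line" value before
// feeding it to the vigilante_notification_recipients filter. Names are assumptions.

function vigilant_example_parse_recipients( string $raw, array $base = [] ): array {
    $candidates = preg_split( '/[\r\n,;]+/', $raw ); // tolerate CRLF, commas and semicolons
    $clean = [];
    foreach ( array_merge( $base, $candidates ) as $addr ) {
        $addr = strtolower( trim( $addr ) );
        if ( $addr === '' ) {
            continue;                                    // blank line
        }
        if ( filter_var( $addr, FILTER_VALIDATE_EMAIL ) === false ) {
            continue;                                    // not a deliverable address, skip it
        }
        $clean[ $addr ] = true;                          // array key de-duplicates
    }
    return array_keys( $clean );
}

// Constructed textarea value: mixed line endings, a comma-separated pair, an invalid entry
// and a duplicate that differs only in case.
$raw = "security-team@example.com\r\nops@example.com, not-an-email\n\nSecurity-Team@example.com";

print_r( vigilant_example_parse_recipients( $raw, [ 'admin@example.com' ] ) );
// Array ( [0] => admin@example.com [1] => security-team@example.com [2] => ops@example.com )

if ( function_exists( 'add_filter' ) ) {   // only when running inside WordPress
    add_filter( 'vigilante_notification_recipients', function ( array $recipients ) use ( $raw ) {
        return vigilant_example_parse_recipients( $raw, $recipients );
    } );
}
```

Inside a plugin, `$raw` would come from a stored option rather than a literal; validating before hooking keeps a typo in the settings field from silently dropping alerts for everyone.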

## Reviews

### [More and better options than a paid one](https://wordpress.org/support/topic/mas-y-mejores-opciones-que-uno-de-pago/)

[fpuenteonline](https://profiles.wordpress.org/fpuenteonline/) 25 March 2026, 1 reply

A pleasure to find this that Fernando has prepared; his years of experience and the many
code snippets he has accumulated show. Everything you need to protect your WordPress site
without needing to be a security expert.

### [An excellent contribution by the author](https://wordpress.org/support/topic/un-excelente-aporte-por-parte-de-autor/)

[Samot80](https://profiles.wordpress.org/samot80/) 24 March 2026, 1 reply

Very good plugin, I found it excellent.

### [Solid security without overhead](https://wordpress.org/support/topic/seguridad-solida-sin-sobrecargas/)

[Francisco Vivo](https://profiles.wordpress.org/capitancapo/) 24 March 2026, 1 reply

I've been trying security plugins for years and they all end up the same: an endless panel,
"buy premium" prompts everywhere, and performance that makes you wonder whether the security
problem is the plugin itself. Total security should be free in WordPress, as this plugin
offers. Not Vigilante. You install it, configure it in five minutes, and it disappears. It
does its job without reminding you every day that it exists, although I recommend stopping
by now and then to see its activity. No popups, no drama, no "Your site is in danger!" when
it isn't. Lightweight, doesn't slow the site down. Clear interface, without trying to sell
you something every two clicks. Does what it promises without unnecessary features. It works,
doesn't get in the way, doesn't weigh anything. That simple. That's how everything should be.

### [Essential](https://wordpress.org/support/topic/imprescindible-81/)

[tlozano](https://profiles.wordpress.org/tlozano/) 24 March 2026, 1 reply

In these times of bots, AIs, and attacks hunting for vulnerable code, a plugin of this kind
is essential (in my view). I had been using another one for a long time, but this one does
the same or more, yet much simpler and focused on useful functions in a simple way. Whenever
Fernando releases a new plugin I take a look and try it, and the truth is it always surprises
me (for the better) and gives much more than other plugins do; it goes for what's useful and
he's always improving them. Many thanks.

### [Essential](https://wordpress.org/support/topic/imprescindible-80/)

[freelancesgroup](https://profiles.wordpress.org/freelancesgroup/) 23 March 2026, 1 reply

I've tested it on several sites and I'm amazed at how a security plugin is what it should be,
and free. Often this kind of plugin does nothing but become a bottleneck, besides making
databases grow exponentially. Vigilante, on the other hand, is the exact opposite, with truly
useful tools. I can only say THANK YOU for this new contribution to the community.

### [Too good to be true](https://wordpress.org/support/topic/demasiado-bueno-para-ser-cierto/)

[neoset](https://profiles.wordpress.org/neoset/) 18 March 2026, 3 replies

Hello, greetings to the whole Vigilante team. First of all, congratulations on this project,
since it is pure hard-won experience from years of small solutions by a company whose main
pillar is web security, a leading company in Spain under a world-renowned leader in the
WordPress ecosystem like Fernando. This is something I want to point out, since in Spain we
don't give our gurus the importance they deserve, and in other countries for less than a
quarter of that they would already have a statue in their town square. You can't have a better
review or greater confidence in a security project than one backed by Fernando Tellado. Many
thanks for this great project and warm greetings to the Vigilante team and especially to
Fernando Tellado from Pontevedra.

[Read all 7 reviews](https://wordpress.org/support/plugin/vigilante/reviews/)

## Contributors and developers

“Vigilant – 100% Free Security: Firewall, 2FA Login, Malware Scan, Audit…” is open source
software. The following people have contributed to this plugin.

Contributors

 *   [ Fernando Tellado ](https://profiles.wordpress.org/fernandot/)
 *   [ Ayuda WordPress ](https://profiles.wordpress.org/ayudawp/)

“Vigilant – 100% Free Security: Firewall, 2FA Login, Malware Scan, Audit…” has been
translated into 1 locale. Thank you to the [translators](https://translate.wordpress.org/projects/wp-plugins/vigilante/contributors)
for their contributions.

[Translate “Vigilant – 100% Free Security: Firewall, 2FA Login, Malware Scan, Audit…” into your language.](https://translate.wordpress.org/projects/wp-plugins/vigilante)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/vigilante/), check out the
[SVN repository](https://plugins.svn.wordpress.org/vigilante/), or subscribe to the
[development log](https://plugins.trac.wordpress.org/log/vigilante/)
by [RSS feed](https://plugins.trac.wordpress.org/log/vigilante/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.11.1

 * Fix: Additional notification recipients were saved without line breaks, causing
   only the admin email to receive notifications
 * Fix: Disabling “Send to admin email” now works correctly when additional recipients
   are configured
 * Fix: Creating a new user no longer generates a duplicate “role changed” log entry
 * Fix: Comment approvals and rejections are now logged
 * Fix: Instant alert description clarified in File Integrity settings
 * Fix: Noisy options from management plugins (ManageWP, MainWP, InfiniteWP) and
   hit counters filtered from option change logging
 * Improved: Events to Log checkboxes in two-column layout
 * Improved: Exclusion fields include descriptive helper text
 * Improved: Settings change log shows readable names instead of internal slugs

#### 1.11.0

 * New: Content edits without status change (e.g. editing a published post) are 
   now logged as “edited” events.
 * New: Plugin and theme installations are now logged (previously only activations,
   updates, and deletions were tracked).
 * New: Theme updates are now logged via the upgrader.
 * New: “Security” event type added for Under Attack mode events, with proper label
   and filter support.
 * New: Complete settings form for Security Audit — all toggles are now visible 
   and functional: failed logins, comments, media, file integrity, WordPress option
   changes, max entries, excluded users, and excluded IPs.
 * New: Media uploads and deletions are now logged.
 * Improved: WordPress option change logging now uses a blacklist approach instead
   of a 10-item whitelist, covering settings from WordPress core, WooCommerce, and
   other plugins.
 * Improved: Refresh button shows visual feedback (spinner) during loading and displays
   errors when requests fail.
 * Improved: Database migration automatically repairs sites where logging was silently
   disabled by previous versions.
 * Improved: Comment status changes (approve, reject, hold) are now logged, not 
   just creation, spam, and deletion.
 * Improved: Settings change log entries now show readable names (e.g. “Notification
   Settings”) instead of internal slugs.
 * Improved: Events to Log checkboxes displayed in two-column layout to reduce scrolling.
 * Improved: Exclusion fields include descriptive helper text.
 * Fix: Security Audit logging was silently disabled after saving settings due to
   an internal flag being incorrectly reset. This was the root cause of inconsistent
   or missing log entries across sites.
 * Fix: Per-category toggles (login, user changes, file changes) now actually control
   logging. Previously, external modules logged events regardless of user preferences.
 * Fix: Extra data in log entries no longer duplicates object fields already stored
   in dedicated columns.
 * Fix: Exclusion lists (users, IPs) and cleanup settings now use fresh values instead
   of stale cached data.
 * Fix: Removed dead code in AJAX trait (unused sanitizer, preset handler calling
   non-existent method).
 * Fix: Creating a new user no longer generates a duplicate “role changed” log entry.
 * Fix: Noisy counter options from other plugins (e.g. hit counters) are filtered
   from WordPress option change logging.

#### 1.10.1

 * Improved: Notification table status column now adjusts to text width to prevent
   wrapping

#### 1.10.0

 * New: Centralized notification recipients – configure who receives all administrative
   emails from a single location in Settings & Tools
 * New: Additional recipients field – add maintenance professionals or security 
   contacts alongside the WordPress admin email
 * New: Notification summary table – view all active notifications at a glance with
   direct links to configure each one
 * New: File integrity instant alert – receive an immediate email when suspicious
   or additional files are detected, regardless of periodic report settings
 * New: Developer filter `vigilante_notification_recipients` to programmatically
   modify admin email recipients
 * Improved: Tools tab renamed to “Settings & Tools” with notification settings 
   at the top
 * Improved: Each notification section now shows a link to the centralized recipient
   settings
 * Fix: Admin monitoring section no longer displays a misleading reference to a 
   non-existent “Login Security > Notification Email” field
 * Fix: File integrity scan “Total Scanned” now correctly sums OK + modified + suspicious
   + extra + ignored files instead of using an incomplete internal counter

#### 1.9.0

 * Removed: Performance settings section from WP Hardening (post revisions, autosave
   interval, trash days, memory limit, auto updates). These are outside the scope
   of a security plugin and could cause conflicts with hosting configurations.
 * Removed: CONCATENATE_SCRIPTS, WP_POST_REVISIONS, AUTOSAVE_INTERVAL, EMPTY_TRASH_DAYS,
   WP_MEMORY_LIMIT, WP_MAX_MEMORY_LIMIT, and WP_AUTO_UPDATE_CORE from wp-config.php
   managed constants. Vigilante no longer comments out or overwrites these constants.
 * Fix: wp-config.php constants with multiple occurrences (e.g. duplicate WP_DEBUG
   defines) are now all properly commented. Previously only the first occurrence
   was handled, leaving duplicates active and causing conflicts.
 * Fix: WP_DEBUG is now explicitly set to false in wp-config.php when debug mode
   is disabled, instead of relying on WordPress implicit defaults.
 * Improved: Updated promotional banner with latest plugin and service catalog.
 * Tested up to WordPress 7.0
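The two wp-config.php fixes in this release (every duplicate define must be neutralised, and a disabled WP_DEBUG must be written explicitly rather than left to defaults) reduce to one text rewrite, placed before the "That's all, stop editing!" marker that the 1.2.1 entry further down also refers to. The following is an added example written for this page, not Vigilant's own code: the function name `vigilant_example_set_constant` is invented, the sample config is constructed, and it only recognises the English marker phrase (the plugin's handling of translated wp-config files is not reproduced).

```php
<?php
/**
 * Added example (not Vigilant's code): rewrite one wp-config.php constant.
 *
 * - Comments out EVERY active define() of $name, not just the first, so a
 *   second `define('WP_DEBUG', true)` left behind by an earlier edit can no
 *   longer stay active (the 1.9.0 duplicate-define problem).
 * - Inserts one explicit define() immediately before the first comment line
 *   containing "stop editing" (assumption: English marker only); falls back
 *   to appending at the end of the file when no marker exists.
 */
function vigilant_example_set_constant(string $config, string $name, $value): string
{
    $quoted = preg_quote($name, '/');

    // A whole line that defines the constant in any quote style, unless the
    // line is already a // or # comment (so repeated runs stay idempotent).
    $pattern = '/^(?![ \t]*(?:\/\/|#))([ \t]*define\s*\(\s*[\'"]' . $quoted . '[\'"].*)$/m';
    $config  = preg_replace($pattern, '// $1', $config);

    // var_export() gives a PHP literal: false -> "false", 'x' -> "'x'".
    $define = sprintf("define( '%s', %s );", $name, var_export($value, true));

    if (preg_match('/^[ \t]*(?:\/\*.*|\/\/.*|#.*)stop editing.*$/mi', $config, $m, PREG_OFFSET_CAPTURE)) {
        $pos    = $m[0][1];                    // byte offset of the marker line
        $config = substr($config, 0, $pos) . $define . "\n" . substr($config, $pos);
    } else {
        $config = rtrim($config) . "\n" . $define . "\n";
    }
    return $config;
}

// Constructed sample modelled on the duplicate-WP_DEBUG situation described above.
$sample = <<<'CFG'
<?php
define( 'DB_NAME', 'wp' );
define( 'WP_DEBUG', true );
define('WP_DEBUG', true); // second copy left behind by an earlier edit
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
CFG;

// Both existing defines come back commented; one explicit `false` define sits
// just above the marker line.
echo vigilant_example_set_constant($sample, 'WP_DEBUG', false);
```

Run it with `php` on the command line; the rewritten sample is printed. The negative lookahead on comment prefixes is what makes the rewrite safe to apply repeatedly, which matters for a plugin that re-applies hardening on every settings save.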

#### 1.8.0

 * New – Force password reset by role: select one or more roles to reset all their
   users at once, ideal for security incidents
 * New – Informative login message when a user tries to log in after a forced password
   reset

#### 1.7.2

 * Improved: Dashboard recommendations now include a direct link to the relevant
   settings tab
 * Improved: Your current IP address is displayed in the firewall IP management 
   section
 * Improved: wp-config.php settings now visually separated into Security and Performance
   sections
 * Improved: File integrity scan summary stats are now centered for better visual
   consistency
 * Improved: Firewall description includes a compatibility note about full page 
   caching systems (Varnish, LiteSpeed Cache, NGINX FastCGI, Cloudflare APO)
 * Improved: Activity Log renamed to Security Audit across the entire admin interface
   (internal slugs unchanged)
 * Fixed: File integrity scan totals now include an Ignored count so the summary
   numbers add up correctly

#### 1.7.1

 * Fixed: Under Attack mode now correctly auto-deactivates when the timer expires
 * Fixed: JavaScript challenge no longer loops indefinitely – visitors pass through
   and get redirected properly
 * Fixed: Challenge page assets externalized to CSS/JS files for Content Security
   Policy compatibility
 * Fixed: Cache bypass on activation now works correctly with SiteGround (NGINX 
   + Memcached + file-based cache), LiteSpeed, WP Rocket, WP Super Cache, W3 Total
   Cache, and other major caching solutions
 * Fixed: Admin countdown timer now updates immediately on page load
 * Improved: Added .htaccess cache-busting rules during Under Attack mode
   (auto-removed on deactivation)
 * Improved: Added NGINX and CDN no-cache headers (X-Accel-Expires, Surrogate-Control)
   for reverse proxy environments

#### 1.7.0

 * New: Activity log search — find entries by IP, user agent, username, message,
   or any text. Minimum 3 characters, 400ms debounce. Works combined with existing
   type, severity, and method filters. Export respects active search and filters.
 * New: Activity log type and severity columns now display translated labels instead
   of raw database values.
 * Fix: Insecure username detection (admin, root, test, etc.) now checks all user
   roles, not just administrators. Consistent with username creation blocking which
   already prevents these names regardless of role.
 * Fix: Insecure username warning now always active, independent of the “block insecure
   usernames” setting. Previously, disabling the setting also silenced the warning.
 * Fix: Security score now penalizes installations with accounts using insecure 
   usernames (-3 points).
 * Fix: Insecure usernames now appear in dashboard security recommendations with
   high priority.
 * Fix: Plugin name in browser tab titles is now translatable instead of hardcoded.
 * Fix: Activity log table no longer crushes the Message column on narrow screens.
   Uses auto layout with horizontal scroll instead of fixed layout.

#### 1.6.1

 * New: Legacy WordPress core file detection in root scanner (wp-feed.php, wp-pass.php,
   etc.) – marked as additional instead of suspicious
 * New: Browser tab title now shows plugin name and active tab (e.g. “Vigilant >
   Firewall”)
 * Improved: Search engine verification files (BingSiteAuth.xml, LiveSearchSiteAuth.xml)
   and php.ini excluded from root directory scan

#### 1.6.0

 * New: Root directory scanning in file integrity – detects non-core PHP files in
   WordPress root (common attack vector)
 * New: phpinfo() detection pattern in file integrity scanner
 * New: WP_DEBUG active warning in security dashboard with score penalty
 * New: Display name protection – prevents saving display name matching login username
   (User Security)
 * New: Dashboard recommendation when users have display name equal to login
 * New: Smart .htaccess classification in uploads – dangerous rules flagged as suspicious,
   protective rules as additional with content summary
 * Fix: readme.html and license.txt were never deleted due to mismatched setting
   keys
 * Fix: Sensitive file cleanup now runs daily (WordPress core updates recreate these
   files)
 * Fix: Added licencia.txt (Spanish locale) to sensitive file deletion, firewall
   blocking, and htaccess protection

#### 1.5.5

 * Fix: Submenu links (Activity Log, File Integrity) showing blank page on some 
   hosting environments

#### 1.5.4

 * Fix: Close old comments setting no longer blocks WooCommerce product reviews
 * Fix: Email header plugin name was not translatable due to wrong text domain
 * Improved: Close old comments disabled by default (only active in Maximum preset)
 * Improved: Database tables list in backup tool now has scroll, zebra striping,
   and better layout

#### 1.5.3

 * Fix: Plugin name in email header was not translatable
 * Fix: Overly broad bot detection patterns in PHP firewall that could block legitimate
   HTTP requests from plugins and external services

#### 1.5.2

 * New: Admin option to allow/disallow “Remember this device” checkbox on 2FA verification
   (disabled by default)
 * New: Password expiry email reminder – sends notification when warning period 
   starts
 * Improved: File integrity scanner skips known false positives (version.php, readme
   files)
 * Improved: Default email notification level changed to “Suspicious only” for file
   integrity
 * Improved: Custom login URL placeholder is now translatable
 * Improved: Explanatory text for password expiry email reminder setting
 * Fix: Password expiry email reminder setting had no functional implementation

#### 1.5.1

 * Improved: Plugin rebranded to “Vigilant” for better international naming
 * Improved: New brand icon and banners

#### 1.5.0

 * New: Authenticator app (TOTP) two-factor authentication – RFC 6238 compliant
 * New: Method selector – choose between email codes or authenticator app per site
 * New: QR code setup in user profile with verification step
 * New: Backup codes for TOTP – 10 emergency codes generated on setup
 * New: Grace period for TOTP setup (configurable 0-30 days)
 * New: Admin TOTP reset tool – search and reset users who lost authenticator access
 * New: Grace period dashboard notice reminding users to set up their authenticator
   app
 * New: Dedicated TOTP database table with encrypted secrets (AES-256-CBC)
 * New: HTML styled emails for verification codes and activation notifications
 * New: Admin password change alert in user security monitoring
 * New: Login URL change notification with auto-send and manual button
 * New: 2FA settings UI with visual method selector cards
 * Fix: Admin login notification now fires for all administrator logins
 * Fix: Plugin deactivation email was never sent
 * Improved: File integrity scan patterns stored externally for better hosting compatibility
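The 1.5.0 entries above name the moving parts of authenticator-app 2FA without showing them: an RFC 6238 TOTP derived from a shared secret, a verification step that tolerates clock drift, and single-use backup codes. The block below is an added example written for this page, not Vigilant's code; all function names are invented here. It uses the RFC 6238 Appendix B reference secret (the ASCII string `12345678901234567890`, shown in its base32 form as an authenticator app would scan it), so the printed code can be checked against the RFC's own table.

```php
<?php
/**
 * Added example (not Vigilant's implementation): RFC 6238 TOTP with the
 * supporting pieces listed in the 1.5.0 notes. Function names are assumptions.
 */

/** Base32 (RFC 4648) decode, as used in otpauth:// URIs and authenticator apps. */
function vigilant_example_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation. */
function vigilant_example_hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg    = pack('J', $counter);                       // unsigned 64-bit, big-endian
    $hmac   = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hmac[19]) & 0x0F;                     // low nibble of last byte
    $code   = ((ord($hmac[$offset]) & 0x7F) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30). */
function vigilant_example_totp(string $secret, int $time, int $period = 30): string
{
    return vigilant_example_hotp($secret, intdiv($time, $period));
}

/**
 * Verify a submitted code, accepting one 30-second step of drift either way.
 * A real implementation must also persist the last accepted counter per user
 * (not shown) so a code cannot be replayed inside its own window.
 */
function vigilant_example_totp_verify(string $secret, string $code, int $time, int $window = 1): bool
{
    $counter = intdiv($time, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(vigilant_example_hotp($secret, $counter + $i), $code)) {
            return true;                                 // constant-time compare
        }
    }
    return false;
}

/** Ten emergency codes: show the plain text once, store only the hashes, delete each on use. */
function vigilant_example_backup_codes(int $count = 10): array
{
    $plain = [];
    for ($i = 0; $i < $count; $i++) {
        $plain[] = sprintf('%04d-%04d', random_int(0, 9999), random_int(0, 9999));
    }
    $hashed = array_map(fn ($c) => password_hash($c, PASSWORD_DEFAULT), $plain);
    return ['show_once' => $plain, 'store' => $hashed];
}

// Demo: RFC 6238 Appendix B reference secret "12345678901234567890" in base32.
$secret = vigilant_example_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$code   = vigilant_example_totp($secret, 59);
printf("TOTP at T=59: %s  verifies: %s\n", $code,
    vigilant_example_totp_verify($secret, $code, 59) ? 'yes' : 'no');
```

The secret itself is what the 1.5.0 notes say is stored encrypted (AES-256-CBC) in a dedicated table; whatever the storage, it must never be logged or exposed after the QR setup step, because anyone holding it can generate valid codes indefinitely.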

#### 1.4.2

 * Improved: Pagination for activity log (server-side, 20 items per page with AJAX
   navigation)
 * Improved: Pagination for file integrity scan results (suspicious, extra, and 
   modified files)
 * Improved: Pagination for ignored files, blocked IPs, and active sessions lists
 * Improved: All paginated tables show item count and range indicator, with navigation
   arrows when needed
 * Improved: Pagination updates dynamically when items are removed (ignore file,
   unblock IP, revoke session)

#### 1.4.1

 * Improved: All firewall block messages are now fully translatable (46 strings 
   added to translation system)
 * Improved: Session limits default behavior changed to “Close oldest session”
   (recommended) instead of “Block new login”
 * Improved: Default WordPress memory limit increased to 1024 MB
 * Added: 2048 MB option for WordPress memory limit

#### 1.4.0

 * New: Email notification levels – choose between all issues, suspicious only, 
   or disabled
 * New: Excluded file extensions setting to reduce false positives (e.g., .log, .pot,
   .po, .mo)
 * New: Excluded paths UI – configure which directories to skip during scans
 * New: Ignore list – dismiss individual files from scan results and email notifications
 * New: Extra file detection in plugins and themes (PHP files not in official
   WordPress.org packages)
 * New: Plugins and themes without checksums are now scanned for suspicious code
   patterns
 * New: Two-level detection system – strict mode for plugins (obfuscation combos
   only), standard mode for uploads (broad pattern matching)
 * New: Extra files with suspicious code automatically escalate to the Suspicious
   category
 * New: String concatenation obfuscation detection (e.g., building dangerous function
   names from split strings)
 * New: Double extension detection in uploads directory (e.g., file.php.jpg)
 * New: .htaccess detection in uploads directory
 * New: HTML formatted email notifications with severity sections and summary stats
 * New: Enhanced suspicious code pattern detection (hex2bin, create_function,
   hex-encoded strings, chr() obfuscation, eval+decode combos)
 * Fix: Missing Scan Themes checkbox in settings UI
 * Fix: Plugins without available checksums were completely skipped, including suspicious
   file detection
 * Improved: Scan results tables now include Ignore buttons for each file
 * Improved: Scan scope checkboxes grouped in a single fieldset for clarity
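The two-level design described in the 1.4.0 entries (strict mode for plugins and themes that only fires on obfuscation combinations, standard mode for uploads where any single pattern counts), together with the double-extension and .htaccess checks for uploads that 1.6.0 later refined, can be shown in a few dozen lines. The block below is an added example for this page, not Vigilant's scanner: the pattern list, the thresholds and the function names are assumptions built from the entries above, and the sample files are constructed strings rather than real malware.

```php
<?php
/**
 * Added example (not Vigilant's scanner): two-level suspicious code detection
 * modelled on the 1.4.0 notes. Pattern names and thresholds are assumptions.
 *
 * - 'strict'   (plugins/themes): flag only when an execution primitive AND a
 *               decoding/obfuscation primitive both appear, so unusual but
 *               legitimate vendor code is not reported.
 * - 'standard' (uploads): PHP should never live there, so one pattern suffices.
 */
const VIGILANT_EXAMPLE_EXEC = [
    'eval'            => '/\beval\s*\(/i',
    'create_function' => '/\bcreate_function\s*\(/i',
    'assert'          => '/\bassert\s*\(/i',
];

const VIGILANT_EXAMPLE_OBFUSCATION = [
    'base64_decode' => '/\bbase64_decode\s*\(/i',
    'hex2bin'       => '/\bhex2bin\s*\(/i',
    'gz_decode'     => '/\bgz(?:inflate|uncompress|decode)\s*\(/i',
    'str_rot13'     => '/\bstr_rot13\s*\(/i',
    // chr(101).chr(118).chr(97)...: a name assembled from character codes.
    'chr_concat'    => '/(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){2,}chr\s*\(/i',
    // Four or more \xNN escapes in a row inside a string literal.
    'hex_string'    => '/(?:\\\\x[0-9a-f]{2}){4,}/i',
    // "ba"."se64"."_decode": short quoted fragments concatenated into a name.
    'split_string'  => '/(?:[\'"][a-z0-9_]{1,4}[\'"]\s*\.\s*){2,}[\'"][a-z0-9_]+[\'"]/i',
];

/** Names of matched patterns, or [] when the file is clean for the given mode. */
function vigilant_example_scan(string $source, string $mode): array
{
    $hits = static function (array $patterns) use ($source): array {
        return array_keys(array_filter($patterns, fn ($re) => preg_match($re, $source) === 1));
    };
    $exec = $hits(VIGILANT_EXAMPLE_EXEC);
    $obf  = $hits(VIGILANT_EXAMPLE_OBFUSCATION);

    if ($mode === 'strict') {
        // Combo required: something that executes code plus something that hides it.
        return ($exec && $obf) ? array_merge($exec, $obf) : [];
    }
    return array_merge($exec, $obf);
}

/**
 * Uploads-only checks from the same release: double extensions such as
 * file.php.jpg, and .htaccess files (suspicious when they register PHP
 * handlers or change PHP settings, additional when merely protective).
 */
function vigilant_example_classify_upload(string $path, string $contents = ''): string
{
    $base = basename($path);
    if ($base === '.htaccess') {
        return preg_match('/AddHandler|AddType|SetHandler|php_value|php_flag/i', $contents)
            ? 'suspicious' : 'additional';
    }
    if (preg_match('/\.(php\d?|phtml|phar)\.[a-z0-9]+$/i', $base)) {
        return 'suspicious';                    // double extension
    }
    return 'ok';
}

// Constructed samples: the same decode call is harmless in a plugin but enough
// on its own inside uploads; eval+decode is a combo and fires in both modes.
$samples = [
    'plugins/vendor/json.php'  => ['strict',   '<?php $data = base64_decode($blob); return json_decode($data, true);'],
    'plugins/vendor/loader.php'=> ['strict',   '<?php eval(base64_decode($blob));'],
    'uploads/2024/image.php'   => ['standard', '<?php $f = "ba"."se64"."_decode"; echo $f($x);'],
];
foreach ($samples as $file => [$mode, $code]) {
    $hits = vigilant_example_scan($code, $mode);
    printf("%-28s %-8s %s\n", $file, $mode, $hits ? 'SUSPICIOUS: ' . implode(', ', $hits) : 'clean');
}
foreach (['uploads/2024/file.php.jpg', 'uploads/2024/avatar.jpg'] as $path) {
    printf("%-28s %s\n", $path, vigilant_example_classify_upload($path));
}
$protective = '<FilesMatch "\.php$">' . "\nDeny from all\n</FilesMatch>";
printf("%-28s %s\n", 'uploads/.htaccess', vigilant_example_classify_upload('uploads/.htaccess', $protective));
```

The first sample is the reason strict mode exists: a plugin that base64-decodes a config blob is ordinary, and reporting it would bury real findings in noise. The same call inside uploads has no legitimate reason to be PHP at all, which is why standard mode needs no second signal.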

#### 1.3.2

 * Fixed: File integrity email notifications failing with “No recipient forward 
   path” error when notification email field was empty

#### 1.3.1

 * Fix: All admin JavaScript strings are now fully translatable (activity log popup,
   scan results, password reset, session management, user approval, preset badges,
   and more)
 * Fix: File integrity email notifications now work for both manual and scheduled
   scans
 * Fix: Duplicate scheduled file integrity scans removed (respects configured frequency)
 * Improved: Email notification on file changes is now enabled by default

#### 1.3.0

 * New: User-Agent whitelist – exclude services like ManageWP, MainWP, UptimeRobot
   from firewall checks
 * New: User-Agent blacklist – block requests by User-Agent string with partial 
   matching
 * New: HTTP request method column in activity log (GET, POST, PUT, DELETE, etc.)
 * New: Request method filter in activity log
 * New: Quick action buttons in log detail popup to add IPs or User-Agents to firewall
   lists
 * New: IP lookup links to AbuseIPDB directly from log entries
 * Improved: Log detail popup redesigned with grouped sections (Request, Client,
   Extra Data)
 * Improved: CSV export now includes request method column

#### 1.2.3

 * Fix: IP whitelist and blacklist entries were merged into a single line after 
   page reload, preventing exclusions from working correctly
 * Fix: Automatic migration repairs previously corrupted IP lists on update

#### 1.2.2

 * Improved: New plugin suggestion added.

#### 1.2.1

 * Improved: wp-config.php constant insertion now correctly placed before “That’s
   all, stop editing” comment, with support for translated wp-config files

#### 1.2.0

 * New: Database backup download tool with table selection (Tools tab)
 * New: Database prefix change with random secure prefix generation (WP Hardening
   tab)

#### 1.1.1

 * Fix: HTTP method restriction no longer blocks PUT and DELETE, allowing REST API
   requests from plugins like SiteGround Optimizer to work correctly.

#### 1.1.0

 * New: Under Attack mode – Emergency JavaScript challenge protection with one-click
   activation
 * New: Automatic browser verification with proof-of-work challenge for frontend
   visitors
 * New: HMAC-signed verification cookies to prevent cookie forgery
 * New: Aggressive rate limiting (30 req/min) and HTTP method restriction during
   attacks
 * New: Auto-deactivation after 4 hours with email notifications
 * New: REST API and XML-RPC lockdown during Under Attack mode
 * New: Non-dismissible admin notice with link to dashboard while mode is active
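Two of the 1.1.0 entries carry the security weight of Under Attack mode: the proof-of-work challenge, whose answer the server must verify cheaply, and the HMAC-signed cookie that remembers a passed challenge and must be unforgeable without the server secret and worthless after the 4-hour window. The block below is an added example for this page, not Vigilant's implementation: the cookie layout `<expires>.<client>.<hmac>`, the client binding to IP and User-Agent, and all function names are assumptions; the values used in the demo are constructed.

```php
<?php
/**
 * Added example (not Vigilant's code): server-side pieces of a browser challenge
 * as described in the 1.1.0 notes. Layouts and names are assumptions.
 *
 *  1. Proof-of-work: the browser finds a nonce such that sha256(challenge . nonce)
 *     starts with $difficulty zero hex digits. Verifying costs one hash; solving
 *     costs roughly 16^difficulty hashes, which is what slows an automated flood.
 *  2. Pass cookie: "<expires>.<client>.<hmac>", HMAC-SHA256 over the first two
 *     fields with a server-only secret, so a client cannot mint or extend one.
 */

function vigilant_example_pow_verify(string $challenge, string $nonce, int $difficulty): bool
{
    $digest = hash('sha256', $challenge . $nonce);
    return strncmp($digest, str_repeat('0', $difficulty), $difficulty) === 0;
}

/** The browser's side of the exchange, used here only to produce a valid answer for the demo. */
function vigilant_example_pow_solve(string $challenge, int $difficulty): string
{
    for ($n = 0; ; $n++) {
        if (vigilant_example_pow_verify($challenge, (string) $n, $difficulty)) {
            return (string) $n;
        }
    }
}

/** Keyed fingerprint of IP and User-Agent so a copied cookie does not travel to another client. */
function vigilant_example_client_id(string $secret, string $ip, string $ua): string
{
    return substr(hash_hmac('sha256', $ip . "\n" . $ua, $secret), 0, 16);
}

function vigilant_example_cookie_issue(string $secret, string $ip, string $ua, int $now, int $ttl = 4 * 3600): string
{
    $expires = $now + $ttl;                          // matches the 4-hour auto-deactivation
    $client  = vigilant_example_client_id($secret, $ip, $ua);
    $payload = $expires . '.' . $client;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function vigilant_example_cookie_verify(string $secret, string $cookie, string $ip, string $ua, int $now): bool
{
    // Reject malformed input before touching any crypto.
    if (!preg_match('/^(\d{1,12})\.([0-9a-f]{16})\.([0-9a-f]{64})$/', $cookie, $m)) {
        return false;
    }
    [, $expires, $client, $sig] = $m;
    $expected = hash_hmac('sha256', $expires . '.' . $client, $secret);
    if (!hash_equals($expected, $sig)) {             // constant-time comparison
        return false;
    }
    return (int) $expires > $now
        && hash_equals(vigilant_example_client_id($secret, $ip, $ua), $client);
}

// Demo with constructed values. Inside WordPress the secret would come from the
// site's salts (wp_salt()) rather than a literal.
$secret    = 'constructed-demo-secret-not-for-use';
$now       = 1700000000;
$challenge = bin2hex(random_bytes(16));
$nonce     = vigilant_example_pow_solve($challenge, 3);
printf("proof of work:    %s\n", vigilant_example_pow_verify($challenge, $nonce, 3) ? 'ok' : 'rejected');

$cookie = vigilant_example_cookie_issue($secret, '203.0.113.7', 'Mozilla/5.0', $now);
$check  = fn (string $c, string $ip, int $t) => vigilant_example_cookie_verify($secret, $c, $ip, 'Mozilla/5.0', $t) ? 'ok' : 'rejected';
printf("valid cookie:     %s\n", $check($cookie, '203.0.113.7', $now));
printf("tampered expiry:  %s\n", $check(preg_replace('/^\d+/', '9999999999', $cookie), '203.0.113.7', $now));
printf("after 4 hours:    %s\n", $check($cookie, '203.0.113.7', $now + 4 * 3600 + 1));
printf("other client IP:  %s\n", $check($cookie, '198.51.100.9', $now));
```

Binding the cookie to the client IP is a trade-off: it defeats cookie sharing but breaks for visitors whose address changes mid-session, and behind a reverse proxy it only works if the real client address is recovered from a trusted forwarding header. The expiry lives in the signed payload rather than only in the cookie's own `Expires` attribute, so a client cannot keep a pass alive simply by holding on to it.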

#### 1.0.4

 * Fixed: File Integrity scan results are now fully translatable
 * Fixed: File Integrity scanner now reliably detects suspicious files in uploads
 * Improved: Uploads directory is now scanned first for faster malware detection
 * Improved: Scan time limit increased from 25 to 60 seconds for thorough scanning
 * Improved: File limit in uploads scan increased from 2,000 to 10,000 files

#### 1.0.3

 * Fixed: Security Headers test button and results are now fully translatable
 * Improved: Custom plugin icon now displayed in settings page header
 * Improved: Activation notice now includes shield dashicon

#### 1.0.2

 * Improved: Settings page now uses full available width for better tab display

#### 1.0.1

 * Fixed: REST API compatibility with plugins using PUT/DELETE methods
 * Fixed: wp-config.php constant insertion now works correctly on non-English WordPress
   installations
 * Fixed: WP Hardening options now properly apply when unchecking (disabling) settings
 * Fixed: Custom configuration detection now triggers when changing any section 
   settings
 * Fixed: Corrupted UTF-8 characters in activity log messages and CSS
 * Improved: Custom login URL now automatically enables wp-login.php redirect to
   404
 * Improved: Session limits no longer exclude administrators by default for better
   security
 * Improved: Dashboard “Custom Configuration” badge now uses more visible orange
   color
 * Improved: htaccess HTTP method restrictions now exclude REST API endpoints

#### 1.0.0

 * Initial release
 * Two-factor authentication via email with trusted device support
 * Role-based 2FA enforcement
 * Advanced PHP-based firewall with SQL injection, XSS, and file inclusion protection
 * Rate limiting with configurable thresholds
 * IP whitelist and blacklist management
 * Complete security headers implementation (CSP, HSTS, X-Frame-Options, Permissions
   Policy)
 * Built-in security header testing tool
 * HTTPS enforcer with mixed content detection
 * Login security with brute force protection and progressive lockouts
 * Custom login URL support
 * XML-RPC and application passwords control
 * User security with insecure username blocking
 * Strong password enforcement with minimum length
 * Password expiration with history tracking
 * Force password reset for all users
 * Session management and concurrent session limits
 * Email verification for new registrations
 * Registration approval workflow
 * Admin account monitoring and alerts
 * WordPress hardening (wp-config constants, comment security, head cleanup)
 * Feed management and security
 * REST API security with selective endpoint protection
 * User enumeration prevention
 * Activity log with configurable event tracking
 * Log export to CSV and filtering
 * File integrity monitoring against WordPress.org checksums
 * Two-level suspicious code detection (strict for plugins, broad for uploads)
 * Extra file and obfuscation detection in plugins and themes
 * Scheduled scans with HTML email notifications and severity levels
 * Settings export and import
 * Manual backup creation tool
 * Two configuration presets (Standard, Maximum Security)
 * Automatic backup and restoration system
 * Clean rollback on deactivation
 * Full admin interface with tabbed settings

## Meta

 * Version **1.11.1**
 * Last updated **6 hours ago**
 * Active installations **200+**
 * WordPress version **6.2 or later**
 * Tested up to **7.0**
 * PHP version **7.4 or later**
 * Languages: [English (US)](https://wordpress.org/plugins/vigilante/) and [Spanish (Spain)](https://es.wordpress.org/plugins/vigilante/).
 * [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/vigilante)
 * Tags: [2FA](https://ca.wordpress.org/plugins/tags/2fa/), [firewall](https://ca.wordpress.org/plugins/tags/firewall/),
   [malware](https://ca.wordpress.org/plugins/tags/malware/), [scanner](https://ca.wordpress.org/plugins/tags/scanner/),
   [security](https://ca.wordpress.org/plugins/tags/security/)
 * [Advanced view](https://ca.wordpress.org/plugins/vigilante/advanced/)

## Ratings

5 out of 5 stars.

 * [7 five-star ratings](https://wordpress.org/support/plugin/vigilante/reviews/?filter=5)
 * [0 four-star ratings](https://wordpress.org/support/plugin/vigilante/reviews/?filter=4)
 * [0 three-star ratings](https://wordpress.org/support/plugin/vigilante/reviews/?filter=3)
 * [0 two-star ratings](https://wordpress.org/support/plugin/vigilante/reviews/?filter=2)
 * [0 one-star ratings](https://wordpress.org/support/plugin/vigilante/reviews/?filter=1)

[See all reviews](https://wordpress.org/support/plugin/vigilante/reviews/)

## Contributors

 * [Fernando Tellado](https://profiles.wordpress.org/fernandot/)
 * [Ayuda WordPress](https://profiles.wordpress.org/ayudawp/)

## Support

Issues resolved in the last two months:

3 out of 3

[View support forums](https://wordpress.org/support/plugin/vigilante/)