X Security is a comprehensive, lightweight, and completely free WordPress security plugin that protects your website from hackers, brute force attacks, malware, and other security threats. Built with modern PHP practices and WordPress coding standards.
Secure · Lightweight · 100% Free · Open Source
- Features
- Requirements
- Installation
- Configuration
- Usage Guide
- Screenshots
- Hooks & Filters
- Database Tables
- Contributing
- Security
- Changelog
- Roadmap
- Support
- License
- Credits
| Feature | Description |
|---|---|
| Brute Force Protection | Automatically locks out IP addresses after failed login attempts |
| Login Lockout | Configurable lockout duration and attempt limits |
| Honeypot Field | Invisible form field that catches automated bots |
| Math CAPTCHA | Simple math challenge to prevent bot logins |
| Hide Login Errors | Prevents username enumeration via login error messages |
| Feature | Description |
|---|---|
| Bad Query Blocking | Blocks SQL injection, XSS, and other malicious requests |
| Bad Bot Blocking | Blocks known malicious bots and vulnerability scanners |
| XML-RPC Protection | Disable XML-RPC to prevent DDoS and brute force attacks |
| Pingback Protection | Disable pingbacks to prevent DDoS amplification |
| Version Hiding | Removes WordPress version from source code |
| Feature | Description |
|---|---|
| User Enumeration Protection | Prevents discovery of usernames via ?author= scans |
| REST API Protection | Disables user endpoints for non-authenticated users |
| Strong Password Enforcement | Requires uppercase, lowercase, numbers, and special characters |
| Minimum Password Length | Configurable minimum password length requirement |
| Block "admin" Username | Prevents registration with common admin usernames |
| Disable File Editor | Disables the theme/plugin editor in WordPress admin |
| Feature | Description |
|---|---|
| IP Blocking | Manually block suspicious IP addresses |
| IP Whitelisting | Whitelist trusted IPs to bypass security checks |
| Automatic Blocking | IPs are automatically blocked after security violations |
| Feature | Description |
|---|---|
| Activity Log | Comprehensive logging of all security events |
| Login Tracking | Track successful and failed login attempts |
| Event Types | Categorized events for easy filtering |
| Auto Cleanup | Automatic cleanup of old log entries |
| Feature | Description |
|---|---|
| .htaccess Rules | Server-level protection rules for Apache |
| wp-config.php Protection | Blocks direct access to configuration file |
| Directory Browsing | Disables directory listing |
| Sensitive File Protection | Protects .htaccess and other sensitive files |
| Feature | Description |
|---|---|
| Security Score | Visual security score (0-100) based on enabled features |
| Quick Stats | At-a-glance view of blocked IPs, lockouts, and events |
| Security Scan | One-click security audit with recommendations |
| Quick Actions | Common tasks accessible from dashboard |
- WordPress: 5.0 or higher
- PHP: 7.4 or higher
- MySQL: 5.6 or higher / MariaDB 10.0 or higher
- Web Server: Apache (for .htaccess features) or Nginx
- Download the latest release from GitHub Releases
- Go to WordPress Admin → Plugins → Add New
- Click Upload Plugin
- Choose the downloaded `x-security.zip` file
- Click Install Now
- Click Activate Plugin
- Download and unzip the plugin
- Upload the `x-security` folder to `/wp-content/plugins/`
- Activate the plugin through the Plugins menu in WordPress

```bash
composer require liveupx/x-security
```

```bash
wp plugin install x-security --activate
```

After activation, navigate to X Security in your WordPress admin sidebar.
- Go to X Security → Settings
- Configure each security module according to your needs
- Save your settings
- Optionally enable .htaccess protection under X Security → Firewall
For most websites, we recommend enabling:
- Login Lockout (3 attempts, 60 min lockout)
- Honeypot Field
- Hide Login Errors
- User Enumeration Protection
- Strong Passwords (12+ characters)
- Disable File Editor
- Firewall
- Block Bad Queries
- Block Bad Bots
- Disable XML-RPC
- Remove WP Version
- Email Notifications
The dashboard provides an overview of your site's security status:
- Security Score: A score from 0-100 based on enabled security features
- Quick Stats: Number of blocked IPs, active lockouts, and today's events
- Recent Activity: Latest security events logged by the plugin
- Quick Actions: Common tasks like clearing lockouts and running scans
- Go to X Security → Dashboard
- Click the Run Security Scan button
- Review the results showing passed checks, issues, and warnings
- Address any issues by enabling the recommended features
- Go to X Security → IP Manager
- View currently blocked IPs
- To manually block an IP:
  - Enter the IP address
  - Optionally add a reason
  - Click Block IP
- To unblock an IP, click the Unblock button next to it
Whitelisted IPs bypass all security checks:
- Go to X Security → IP Manager
- Enter the IP address to whitelist
- Add a description (e.g., "Office IP")
- Click Whitelist IP
- Go to X Security → Firewall
- Check that your .htaccess file is writable
- Click Enable .htaccess Protection
- The plugin will add security rules to your .htaccess file
- Go to X Security → Activity Log
- View all security events with timestamps
- Use pagination to browse older entries
- Click Clear Log to remove all entries
X Security provides hooks for developers to extend functionality:
```php
// Fired when an IP is blocked
do_action('xsec_ip_blocked', $ip_address, $reason);

// Fired when an IP is unblocked
do_action('xsec_ip_unblocked', $ip_address);

// Fired when a login lockout is created
do_action('xsec_lockout_created', $ip_address, $username, $duration);

// Fired when a security event is logged
do_action('xsec_event_logged', $event_type, $description, $ip_address);

// Fired after security scan completes
do_action('xsec_scan_completed', $results);
```

```php
// Modify the list of bad bot user agents
add_filter('xsec_bad_bots', function($bots) {
    $bots[] = 'CustomBadBot';
    return $bots;
});

// Modify bad query patterns
add_filter('xsec_bad_queries', function($patterns) {
    $patterns[] = 'malicious_pattern';
    return $patterns;
});

// Modify the security score calculation
add_filter('xsec_security_score', function($score) {
    // Add custom scoring logic
    return $score;
});

// Modify lockout duration
add_filter('xsec_lockout_duration', function($duration, $ip, $username) {
    // Increase lockout for repeat offenders
    return $duration;
}, 10, 3);

// Customize the blocked page message
add_filter('xsec_blocked_message', function($message) {
    return 'Custom blocked message';
});

// Whitelist additional IPs programmatically
add_filter('xsec_whitelisted_ips', function($ips) {
    $ips[] = '192.168.1.100';
    return $ips;
});
```

X Security creates the following database tables:
| Table | Purpose |
|---|---|
| `{prefix}_xsec_login_lockouts` | Stores active and historical login lockouts |
| `{prefix}_xsec_failed_logins` | Records failed login attempts |
| `{prefix}_xsec_activity_log` | Comprehensive security event log |
| `{prefix}_xsec_blocked_ips` | Manually and automatically blocked IPs |
| `{prefix}_xsec_whitelist_ips` | Whitelisted IP addresses |
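
The `xsec_lockout_duration` filter in this README is shown with an empty body. One way to fill it in, using the `ip_address` and `lockout_time` columns of the login lockouts table, is sketched here as an added example; it is not X Security's own code. The table name built from `$wpdb->prefix` and the point at which the plugin applies the filter are assumptions.

```php
<?php
/**
 * Added example, not X Security's own code: longer lockouts for repeat offenders.
 * Assumed: the table is $wpdb->prefix . 'xsec_login_lockouts' and the filter
 * runs once per new lockout with the base duration as its first argument.
 */
add_filter( 'xsec_lockout_duration', function ( $duration, $ip, $username ) {
	global $wpdb;

	// Only count history for a syntactically valid IPv4/IPv6 address.
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
		return $duration;
	}

	$table = $wpdb->prefix . 'xsec_login_lockouts'; // assumed table name
	// 7-day look-back; a few hours of timezone skew in lockout_time is immaterial here.
	$since = gmdate( 'Y-m-d H:i:s', time() - 7 * DAY_IN_SECONDS );

	// Parameterised query: $ip originates from the request, so never concatenate it.
	$prior = (int) $wpdb->get_var(
		$wpdb->prepare(
			"SELECT COUNT(*) FROM {$table} WHERE ip_address = %s AND lockout_time >= %s",
			$ip,
			$since
		)
	);

	// A failed or empty query yields 0, so the base duration is kept (fail safe).
	// Double per earlier lockout, at most 4 doublings (16x), whatever unit $duration uses.
	$doublings = min( $prior, 4 );

	return (int) ( $duration * ( 2 ** $doublings ) );
}, 10, 3 );
```

Escalation is keyed on the IP address alone, so users behind a shared NAT inherit each other's lockout history. If the plugin inserts the current lockout row before applying the filter, the count includes it and the first lockout is already doubled.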
```sql
-- Login Lockouts
CREATE TABLE {prefix}_xsec_login_lockouts (
    id bigint(20) NOT NULL AUTO_INCREMENT,
    ip_address varchar(100) NOT NULL,
    username varchar(255) NOT NULL,
    lockout_time datetime NOT NULL,
    release_time datetime NOT NULL,
    reason varchar(255) DEFAULT '',
    PRIMARY KEY (id)
);

-- Activity Log
CREATE TABLE {prefix}_xsec_activity_log (
    id bigint(20) NOT NULL AUTO_INCREMENT,
    user_id bigint(20) DEFAULT 0,
    username varchar(255) DEFAULT '',
    ip_address varchar(100) NOT NULL,
    event_type varchar(100) NOT NULL,
    event_description text NOT NULL,
    event_data longtext,
    event_time datetime NOT NULL,
    PRIMARY KEY (id)
);
```

We welcome contributions from the community! Here's how you can help:
- Report Bugs: Open an issue with detailed reproduction steps
- Suggest Features: Open an issue with your feature request
- Improve Documentation: Submit PRs for documentation improvements
- Submit Code: Fork, code, and submit a pull request
- Translate: Help translate the plugin to other languages
- Star the Repo: Show your support by starring the repository
- Clone the repository: `git clone https://github.com/liveupx/x-security-wordpress-security-plugin-free.git`
- Set up a local WordPress development environment
- Symlink or copy the plugin to your `wp-content/plugins` directory
- Activate the plugin and start developing
- Follow WordPress Coding Standards
- Use meaningful commit messages
- Add PHPDoc comments to all functions
- Write unit tests for new features
- Ensure PHP 7.4+ compatibility
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Make your changes
- Run tests and ensure coding standards compliance
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to your branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
If you discover a security vulnerability, please report it responsibly:
- DO NOT open a public issue
- Email security concerns to: [email protected]
- Include detailed steps to reproduce
- Allow up to 48 hours for initial response
We take security seriously and will address valid reports promptly.
In addition to using X Security, we recommend:
- Keep WordPress, themes, and plugins updated
- Use strong, unique passwords
- Enable two-factor authentication (coming soon to X Security)
- Use HTTPS/SSL on your site
- Regular backups
- Choose a reputable hosting provider
Full PHPCS Compliance
- Fixed all remaining WordPress Plugin Check warnings
- Improved SQL query handling with proper phpcs directives
- Enhanced array input sanitization using `map_deep()`
- Full WordPress coding standards compliance
- Ready for WordPress.org submission
Compatibility & Security
- Fixed compatibility with WordPress 5.0+ (removed %i placeholder)
- Improved input sanitization for settings array
- Enhanced security validation
Bug Fixes & Improvements
- Fixed WordPress Playground compatibility
- Fixed all WordPress Plugin Check errors
- Uses WP_Filesystem for file operations
- Improved code quality and PHPCS compliance
- Added proper translators comments for i18n
- Enhanced database query security
- Properly escaped all output
- Added phpcs ignore comments with justifications
Initial Release
- Login lockout protection
- Brute force prevention
- Honeypot field for login form
- Math CAPTCHA option
- Hide login error details
- User enumeration protection
- REST API user endpoint protection
- Strong password enforcement
- Block "admin" username
- Disable file editor
- PHP-based firewall
- Bad query blocking (SQLi, XSS)
- Bad bot blocking
- XML-RPC disable option
- Pingback disable option
- WordPress version hiding
- IP blocking and unblocking
- IP whitelisting
- Activity logging
- Security dashboard with score
- Security scan feature
- .htaccess protection rules
- Email notifications
- Auto-cleanup of old data
Planned features for future releases:
- Two-Factor Authentication (TOTP)
- Login page reCAPTCHA integration
- Custom login URL
- Force logout all users
- File change detection
- Malware scanning
- Database backup
- Database prefix changer
- Country blocking
- Rate limiting
- Comment spam protection
- WooCommerce integration
- Multisite support
- REST API for external monitoring
- Security headers management
- Import/Export settings
Want to vote on features? Open a discussion!
- Documentation
- GitHub Discussions
- Issue Tracker
- Email: [email protected]
Need priority support or custom development? Contact us at liveupx.com/contact
Will this plugin slow down my site?
No. X Security is designed to be lightweight. Security checks are optimized and only run when necessary. The plugin adds minimal overhead to your site.
Is this plugin compatible with caching plugins?
Yes. X Security works with all major caching plugins including WP Rocket, W3 Total Cache, LiteSpeed Cache, and others.
What happens if I lock myself out?
You can regain access by:
- Waiting for the lockout to expire
- Accessing your database and clearing the `xsec_login_lockouts` table
- Renaming the plugin folder via FTP to deactivate it
Does this work with Nginx?
Yes, all PHP-based features work with Nginx. However, .htaccess rules only work with Apache. For Nginx, you'll need to manually add security rules to your server configuration.
Can I use this with other security plugins?
We recommend using only one security plugin to avoid conflicts. X Security provides comprehensive protection on its own.
X Security is free software released under the GNU General Public License v2 or later.
Copyright (C) 2024 Liveupx.com
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Liveupx.com - WordPress Development & Security Experts
Thanks to all contributors who help make X Security better!
- The WordPress community
- All users who report bugs and suggest features
- Open source security researchers
If X Security helps protect your website:
- Star this repository
- Share on Twitter/X
- Write a review on WordPress.org
- Recommend to others
Made with ❤️ by Liveupx.com
Website • Twitter • GitHub





