Title: Login Armor Author: wpformation Published: April 27, 2026 Last modified: June 17, 2026 --- Search plugins ![](https://ps.w.org/login-armor/assets/banner-772x250.png?rev=3517031) ![](https://ps.w.org/login-armor/assets/icon-256x256.png?rev=3517031) # Login Armor By [wpformation](https://profiles.wordpress.org/wpformation/) [Download](https://downloads.wordpress.org/plugin/login-armor.2.4.0.zip) * [Details](https://vec.wordpress.org/plugins/login-armor/#description) * [Reviews](https://vec.wordpress.org/plugins/login-armor/#reviews) * [Installation](https://vec.wordpress.org/plugins/login-armor/#installation) * [Development](https://vec.wordpress.org/plugins/login-armor/#developers) [Support](https://wordpress.org/support/plugin/login-armor/) ## Description **Twelve security modules. One lightweight plugin. Zero compromise.** Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way. Stop juggling Wordfence’s bloat, Solid Security’s upsells, and Limit Login Attempts’ gaps — Login Armor delivers twelve independent modules in about one megabyte. #### New in 2.4.0 * **Request Firewall** — an optional, 8G-inspired PHP filter that blocks malicious requests (SQL injection, code execution, traversal, XSS, disallowed HTTP methods) before WordPress finishes loading, on Apache, Nginx and LiteSpeed alike. Off by default, it starts in monitor mode and never filters logged-in administrators; every block is logged, aggregated to one incident per IP per hour. * **Guided onboarding** — a first-run wizard offers a one-click “safe baseline” that turns on the no-risk essentials, so a beginner is protected in seconds. The same “Apply safe baseline” button stays available any time. #### Why Login Armor * **No upsells, ever.** No “premium” tier, no greyed-out “Pro” buttons. Every feature is GPL. * **No external services to sign up for.** No API keys, no remote dashboards, no telemetry. The only outbound calls are opt-in: Have I Been Pwned (breach/password checks), Slack/Discord/webhook (notifications), the keyless ipwho.is API (geolocation), and your own WordPress 7 AI connector. * **Built to be invisible.** Sub-megabyte ZIP, lazy-loaded modules, indexed queries— under 2 ms on a normal login flow. * **Multisite-aware, PHP 8.1-native, production-grade defaults.** Network-activate a fleet, configure per-site, manage from a complete WP-CLI suite; zero-config gets you 80 percent of the protection. #### Twelve independent modules 1. **Hide Login** — Replace wp-login.php with a custom slug; the old URL returns a 404, and a branded pre-activation modal lets you pick or generate the slug and emails it to you so you can’t lock yourself out. Compatible with multisite, reverse proxies and password-recovery flows. 2. **Brute Force Protection** — Cascading lockouts escalating to a 24-hour ban, with subnet blocking and trusted X-Forwarded-For; lostpassword, register, XML-RPC and the REST users endpoint are all gated when an IP is locked, and every lockout surfaces as an incident. 3. **Hardening** — Fifteen one-click toggles across surface reduction, credential hardening, request filtering and account monitoring: disable XML-RPC/pingbacks, the file editor, version exposure, application passwords and author enumeration; block reserved usernames (Unicode-confusable detection); add a login honeypot; get alerted on new administrators. 4. **Two-Factor Authentication** — TOTP, one-time codes by email and printable backup codes, with trusted devices for thirty days, per-role enforcement, a configurable grace period and an email recovery flow when the authenticator is lost. 5. **Detection and Incidents** — A real-time engine groups raw events into six attack patterns, each with a drill-down (timeline, source IPs, target users, severity, UA fingerprint) and one-click actions (reset password, block subnet, mark resolved). 6. **Activity Log** — A compliance-ready, tamper-evident (hash-chained) audit trail of admin actions across seven logger domains, with filtering, CSV export, configurable retention and optional signed webhook forwarding to a SIEM. 7. **Login Page Security Headers** — Content-Security-Policy, X-Frame-Options, Permissions- Policy, Referrer-Policy and X-Content-Type-Options on wp-login.php and the lockout page, in two presets with an optional CSP report-uri; baseline headers can optionally extend site-wide. 8. **Breach Check** — Detect logins using a breached password via privacy-preserving k-anonymity against Have I Been Pwned (only a 5-character SHA-1 prefix leaves the server); optional XposedOrNot email lookup, fail-soft so an outage never blocks login. 9. **Password Policy** — Enforce strong, unique passwords at registration, profile update and reset: minimum length and character classes, forbid the username inside the password, optionally reject breached passwords, with optional non-locking expiration nudges. 10. **Session Management** — Idle-timeout logout measured on real page loads, a maximum session lifetime regardless of “remember me”, an optional single-active-device restriction, and a one-click “sign out all other devices”. 11. **IP Geolocation** — Show the attacker’s country on the Incidents and Events tabs; lazy, cached thirty days, capped per page load, private ranges never sent. Keyless ipwho.is by default, swappable for an offline database via a filter. 12. **Request Firewall** — An optional, 8G-inspired PHP filter that blocks malicious query strings, paths, HTTP methods and (opt-in) user-agents/referrers before WordPress loads, on Apache/Nginx/LiteSpeed alike; off by default, starts in monitor mode, never filters admins, skips REST/cron/WP-CLI, with an IP/path allowlist (CIDR). Not scored. #### AI Security Briefing (optional) Built on the WordPress 7 native AI Client, one click turns your last thirty days of activity into a plain-language verdict, an IP picture and a short list of prioritised actions; “Explain with AI” does the same on a single incident. Minimised mode (anonymised signals) is the default and deep mode is an explicit opt-in. No API key is stored— it uses your own WordPress AI connector, so provider and cost stay yours. It always leads with a deterministic facts snapshot that works with or without AI. #### Plus * **Guided onboarding** — a first-run wizard with a one-click safe baseline (Simple) or manual setup (Advanced); the “Apply safe baseline” button stays available, and upgrading sites never see the wizard. * **Security score** — a weighted 0-100 read of your posture with a one-click “ next best action”; observability features (geolocation, notifications, the AI assistant) are deliberately not scored. * **Conflict detection** — warns when another login-security plugin (Wordfence, Solid Security, Sucuri, All-In-One Security, SecuPress and more) or a cache plugin( with Hide Login on) could clash. * **Notifications** — email, Slack, Discord or webhook with SSRF-safe URL validation, severity threshold and rate limiting. * **WP-CLI suite** and a **dashboard widget** (14-day sparkline, six headline metrics). GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies. **Douze modules de sécurité. Une seule extension légère. Zéro compromis.** Login Armor est une stack complète de sécurité WordPress conçue pour les agences, les freelances et les pros qui livrent des sites prêts à passer un audit. Pas de version premium, pas de tableau de bord marketing intégré, pas de télémétrie. Chaque module tourne en local, embarque des réglages par défaut sécurisés, et reste discret. Fini de jongler entre la lourdeur de Wordfence, les fenêtres d’upsell de Solid Security et les angles morts de Limit Login Attempts — Login Armor regroupe douze modules indépendants en environ un méga-octet. #### Nouveau en 2.4.0 * **Pare-feu de requêtes** : un filtre PHP optionnel, inspiré du pare-feu 8G, qui bloque les requêtes malveillantes (injection SQL, exécution de code, traversée de répertoires, XSS, méthodes HTTP non autorisées) avant même que WordPress ait fini de charger, aussi bien sur Apache que Nginx ou LiteSpeed. Désactivé par défaut, il démarre en mode surveillance et ne filtre jamais les administrateurs connectés ; chaque blocage est journalisé, agrégé en un incident par IP et par heure. * **Assistant de configuration** : à la première activation, un assistant propose une « base sûre » en un clic qui active les essentiels sans risque — un débutant est protégé en quelques secondes. Le même bouton « Appliquer la base sûre » reste disponible à tout moment. #### Pourquoi Login Armor * **Aucun upsell, jamais.** Pas de niveau « premium », pas de boutons « Pro » grisés. Tout est en GPL. * **Aucun service externe à activer.** Pas de clé API, pas de tableau distant, pas de télémétrie. Les seuls appels sortants sont opt-in : Have I Been Pwned ( fuites/mots de passe), Slack/Discord/webhook (notifications), l’API sans clé ipwho.is (géolocalisation) et votre propre connecteur IA WordPress 7. * **Conçu pour être invisible.** ZIP de moins d’un méga, modules chargés à la demande, requêtes indexées — sous 2 ms sur un flux de connexion normal. * **Compatible multisite, natif PHP 8.1, réglages prêts pour la production.** Activation réseau d’une flotte, configuration par site, pilotage via une suite WP-CLI complète; sans configuration, vous avez déjà 80 % de la protection. #### Douze modules indépendants 1. **Masquer la connexion** : remplace wp-login.php par une URL personnalisée (l’ancienne renvoie une 404) ; une modale de pré-activation choisit ou génère le slug et vous l’envoie par e-mail pour éviter tout verrouillage. Compatible multisite, reverse proxies et récupération de mot de passe. 2. **Protection contre la force brute** : verrouillages en cascade montant à un bannissement de 24 h, blocage de sous-réseaux et support X-Forwarded-For ; lostpassword, register, XML-RPC et l’endpoint REST users sont bloqués pour une IP verrouillée, et chaque verrouillage devient un incident. 3. **Renforcement** : quinze bascules en un clic (réduction de surface, identifiants, filtrage des requêtes, surveillance des comptes) — désactiver XML-RPC/pingbacks, l’éditeur de fichiers, l’exposition de version, les mots de passe applicatifs et l’énumération d’auteurs ; bloquer les identifiants réservés (homoglyphes Unicode); ajouter un pot de miel ; être alerté à la création d’un administrateur. 4. **Authentification à deux facteurs** : TOTP, codes à usage unique par e-mail et codes de secours imprimables, avec appareils de confiance 30 jours, application par rôle, période de grâce configurable et récupération par e-mail en cas de perte. 5. **Détection et incidents** : un moteur en temps réel regroupe les événements en six patterns d’attaque, chacun avec une vue détaillée (chronologie, IP sources, comptes cibles, sévérité, empreinte UA) et des actions en un clic. 6. **Journal d’activité** : piste d’audit conforme et inviolable (chaîne de hachage) des actions admin sur sept domaines, avec filtrage, export CSV, rétention configurable et transfert webhook signé optionnel vers un SIEM. 7. **En-têtes de sécurité** : CSP, X-Frame-Options, Permissions-Policy, Referrer- Policy et X-Content-Type-Options sur wp-login.php et la page de verrouillage, en deux préréglages avec CSP report-uri optionnel ; les en-têtes de base peuvent s’étendre à tout le site. 8. **Détection de fuites** : repère les connexions avec un mot de passe fuité via k-anonymat sur Have I Been Pwned (seul un préfixe SHA-1 de 5 caractères sort) ; vérification e-mail XposedOrNot optionnelle, fail-soft. 9. **Politique de mot de passe** : impose des mots de passe forts à l’inscription, au profil et à la réinitialisation (longueur, classes de caractères, interdiction de l’identifiant, rejet optionnel des mots de passe fuités), avec expiration optionnelle qui ne verrouille jamais personne dehors. 10. **Gestion des sessions** : déconnexion sur inactivité mesurée sur les vrais chargements, durée de vie maximale indépendante de « se souvenir de moi », limitation optionnelle à un seul appareil actif, et « déconnecter tous les autres appareils » en un clic. 11. **Géolocalisation IP** : affiche le pays des IP attaquantes dans Incidents et Événements ; recherches paresseuses, cache 30 jours, plafonnées par page, plages privées jamais envoyées. ipwho.is sans clé par défaut, base hors ligne possible via un filtre. 12. **Pare-feu de requêtes** : filtre PHP optionnel inspiré du 8G qui bloque chaînes de requête, chemins, méthodes HTTP et (en option) user-agents/referrers malveillants avant le chargement de WordPress, sur Apache/Nginx/LiteSpeed ; désactivé par défaut, démarre en mode surveillance, ne filtre jamais les admins, ignore REST/cron/WP- CLI, allowlist IP/chemins (CIDR). Non noté. #### Briefing de sécurité IA (optionnel) Bâti sur le client IA natif de WordPress 7, un clic transforme vos trente derniers jours d’activité en un verdict en langage clair, un panorama des IP et une courte liste d’actions prioritaires ; « Expliquer avec l’IA » fait de même sur un incident. Le mode minimisé (signaux anonymisés) est par défaut, le mode approfondi est un opt-in explicite. Aucune clé API stockée : il utilise votre propre connecteur IA WordPress, le coût et le fournisseur restent les vôtres. Il s’ouvre toujours sur un instantané de faits déterministes, utile avec ou sans IA. #### En plus * **Assistant de configuration** : un assistant à la première activation propose une base sûre en un clic (Simple) ou une voie manuelle (Avancée) ; le bouton « Appliquer la base sûre » reste disponible, et les sites en mise à jour ne le voient jamais. * **Score de sécurité** : lecture pondérée 0-100 de votre posture avec une action prioritaire en un clic ; les fonctions d’observabilité (géolocalisation, notifications, assistant IA) ne sont pas notées. * **Détection de conflits** : alerte quand une autre extension de sécurité axée connexion (Wordfence, Solid Security, Sucuri, All-In-One Security, SecuPress et d’autres) ou un plugin de cache (avec Hide Login actif) peut entrer en conflit. * **Notifications** : e-mail, Slack, Discord ou webhook, avec validation d’URL anti-SSRF, seuil de sévérité et rate limiting. * **Suite WP-CLI** et **widget Tableau de bord** (sparkline 14 jours, six métriques clés). #### Conçu par Login Armor est conçu et maintenu par Fabrice Ducarme de [WPFormation](https://wpformation.com/login-armor/), expert WordPress français obsédé par les sites propres, rapides et prêts pour l’audit. On l’utilise sur chaque site qu’on livre. * [Présentation et fonctionnement de Login Armor](https://wpformation.com/login-armor/) * [Guides de sécurité WordPress](https://wpformation.com/securite-wordpress/) sur WPFormation * [Veille des vulnérabilités WordPress](https://wpformation.com/outils/veille-securite/): l’outil de veille sécurité de WPFormation GPL pour toujours. PHP 8.1+. WordPress 6.8+. Zéro dépendance. ### External Services #### AI Security Briefing (optional) The AI Security Briefing and the “Explain with AI” incident analysis are powered by the **WordPress 7 native AI Client** (`wp_ai_client_prompt()`). When the administrator clicks the analysis button, LoginArmor asks WordPress to send a prompt to the ** AI connector that the administrator configured in their own WordPress** (for example OpenAI, Anthropic or Google, depending on the connector). LoginArmor itself stores no API key and contacts no endpoint directly: the request, the provider and the cost are owned by the site’s own AI connector. Data sent: a text prompt describing the security situation. In **minimised mode ( the default)**, only anonymised, non-identifying signals are included (counts, categories, severities, role buckets) – no IP address and no username in clear. In **deep mode**( an explicit, off-by-default opt-in), the prompt additionally includes real IP addresses and event details so the analysis can name specific sources. No data is ever sent unless the administrator clicks the analysis button. This feature is inactive unless WordPress 7 (or the AI Building Blocks feature plugin) is present with a configured, approved AI connector. The applicable terms and privacy policy are those of the AI provider the administrator chose for their connector; please refer to that provider’s documentation. #### Webhook Notifications (optional) When explicitly enabled and configured by the administrator in LoginArmor > Settings > Notifications, the plugin sends incident data to third-party services via webhooks. Data sent: incident type, severity level, IP address, target username, event count, and site URL. No data is sent unless the administrator actively enables and configures a notification channel. * **Slack** – [Terms of Service](https://slack.com/terms-of-service) | [Privacy Policy](https://slack.com/privacy-policy) * **Discord** – [Terms of Service](https://discord.com/terms) | [Privacy Policy](https://discord.com/privacy) * **Custom Webhook URL** – User-configured endpoint (administrator’s responsibility) #### Gravatar (Automattic) The Activity Log tab uses WordPress core’s `get_avatar()` function to display user avatars. WordPress may send a hashed email address to [Gravatar](https://gravatar.com/) servers to retrieve avatar images. This is controlled by Settings > Discussion > Avatars. * **Gravatar** – [Automattic Terms of Service](https://automattic.com/tos/) | [Privacy Policy](https://automattic.com/privacy/) #### Breach Check – Have I Been Pwned (optional) When the administrator explicitly enables the **Breach Check** module (LoginArmor > Settings > Breach … ## Screenshots [⌊Quick tour of all eight modules - Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard.⌉⌊Quick tour of all eight modules - Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard.⌉[ Quick tour of all eight modules – Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard. [⌊Overview dashboard - health cards, security pulse, live event tail, threat banner that surfaces active attacks.⌉⌊Overview dashboard - health cards, security pulse, live event tail, threat banner that surfaces active attacks.⌉[ Overview dashboard – health cards, security pulse, live event tail, threat banner that surfaces active attacks. [⌊Incidents - real-time pattern detection grouped by attack class with severity and one-click resolution.⌉⌊Incidents - real-time pattern detection grouped by attack class with severity and one-click resolution.⌉[ Incidents – real-time pattern detection grouped by attack class with severity and one-click resolution. [⌊Incident drill-down - full timeline, user-agent fingerprint, suggested actions, escalation flag.⌉⌊Incident drill-down - full timeline, user-agent fingerprint, suggested actions, escalation flag.⌉[ Incident drill-down – full timeline, user-agent fingerprint, suggested actions, escalation flag. [⌊Events - complete login attempts log with filters and CSV export.⌉⌊Events - complete login attempts log with filters and CSV export.⌉[ Events – complete login attempts log with filters and CSV export. [⌊Activity Log - admin action audit trail across seven domains, filterable and exportable.⌉⌊ Activity Log - admin action audit trail across seven domains, filterable and exportable .⌉[ Activity Log – admin action audit trail across seven domains, filterable and exportable. [⌊Settings - modular configuration with live security score and a sticky save bar.⌉⌊ Settings - modular configuration with live security score and a sticky save bar.⌉[ Settings – modular configuration with live security score and a sticky save bar. [⌊Hide Login pre-activation modal - pick or generate the secret URL and email it to yourself before flipping the switch.⌉⌊Hide Login pre-activation modal - pick or generate the secret URL and email it to yourself before flipping the switch.⌉[ Hide Login pre-activation modal – pick or generate the secret URL and email it to yourself before flipping the switch. [⌊Hardening - thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering.⌉⌊Hardening - thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering.⌉[ Hardening – thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering. [⌊Two-factor authentication setup - QR code for any authenticator app, copy-paste fallback, and live verification.⌉⌊Two-factor authentication setup - QR code for any authenticator app, copy-paste fallback, and live verification.⌉[ Two-factor authentication setup – QR code for any authenticator app, copy-paste fallback, and live verification. [⌊Breach Check - fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default.⌉⌊Breach Check - fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default.⌉[ Breach Check – fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default. ## Installation 1. Upload the `login-armor` directory to `/wp-content/plugins/` 2. Activate the plugin through the ‘Plugins’ menu in WordPress 3. Go to LoginArmor in the admin menu to configure For multisite: Network Activate the plugin to apply it across all sites. #### Setting up Hide Login 1. Go to LoginArmor > Settings > Hide Login section 2. Enter your desired login slug (e.g., `my-login`) 3. Save settings 4. **Bookmark your new login URL**: you will need it to access your admin #### Recovering access If you forget your custom login URL: * Use the recovery email feature (configurable in settings) * Connect to your database and delete the `login_armor_hide_slug` row from the ` wp_options` table * Use WP-CLI: `wp option delete login_armor_hide_slug` ## FAQ ### Will it lock me out of my own site? No. Hide Login always sends a one-time recovery URL to the admin email. If you lose the slug, check your inbox. The plugin also honors `wp-cli` fallback so you can reset anything from SSH. ### Does it slow my site down? No. Everything is lazy-loaded and indexed. On a normal login flow the extra SQL cost is under 2 ms. ### Is it compatible with Cloudflare / reverse proxies? Yes. IP detection honors trusted `X-Forwarded-For` headers; you pick the header in Settings. ### Does it work with multisite? Yes, subdomain and subfolder. Each site has its own modules, logs, and thresholds. ### Can I use LoginArmor alongside Wordfence / iThemes Security / Solid Security? Yes, but disable overlapping modules on one side to avoid double lockouts. ### Where is the data stored? Three custom tables in your own database: events, incidents, activity. Nothing leaves your server. ### How do I migrate my configuration? Settings are plain WordPress options. Export/import via WP-CLI or any standard options- sync tool. ### Is there a pro version? Not currently. LoginArmor is fully free and open source. GPL forever. ### Where can I report bugs or request features? Support forum: [wordpress.org/support/plugin/login-armor/](https://wordpress.org/support/plugin/login-armor/). ## Reviews ![](https://secure.gravatar.com/avatar/378a69601c58f882e421d5f51125fb089faaf93d3af0fcb6d2c9bcc094207f90? s=60&d=retro&r=g) ### 󠀁[Parfait](https://wordpress.org/support/topic/parfait-469/)󠁿 [markusleicht](https://profiles.wordpress.org/markusleicht/) June 18, 2026 Très bien et complet. Je ne suis qu’un simple blogueur mais c’est l’outil indispensable pour sécuriser un site. ![](https://secure.gravatar.com/avatar/2b80d1e4f4d683882f1356f21101263d8f32b55a2842b332860fe774f62b7c5f? s=60&d=retro&r=g) ### 󠀁[Simple, efficace et fait le job sans effort !](https://wordpress.org/support/topic/simple-efficace-et-fait-le-job-sans-effort/)󠁿 [Raphael](https://profiles.wordpress.org/raphaelsanchez/) June 17, 2026 J’utilise pour certain de mes clients d’autres solutions premium, mais quid des petits qui ne veulent pas inverstir dans une licence… Et bien Login Armor fait parfaitement le job ! ![](https://secure.gravatar.com/avatar/4e49f186f76008845f9972741a1853fb964dfde90507cbf5d670a9bfe75ac2d0? s=60&d=retro&r=g) ### 󠀁[Un indispensable pour sécuriser mes sites : simple, efficace et robuste.](https://wordpress.org/support/topic/n-indispensable-pour-securiser-mes-sites-simple-efficace-et-robuste/)󠁿 [Rid Nam](https://profiles.wordpress.org/ridword/) June 17, 2026 J’ai testé pas mal de solutions pour sécuriser mes sites WordPress, et Login Armor est devenu mon incontournable. Ce que j’apprécie par-dessus tout, c’est qu’il fait exactement ce qu’on attend de lui sans alourdir le site ou complexifier la configuration. L’installation est rapide, l’interface est claire, et il m’a permis d’arrêter immédiatement les tentatives de connexion abusives sur mes différents sites. C’est le genre de plugin qu’on installe une fois, on règle ses préférences, et on peut dormir sur ses deux oreilles. Depuis que je l’utilise, je l’intègre systématiquement sur chaque nouveau projet que je lance. Un grand merci aux développeurs pour cet outil fiable et bien pensé. Je recommande à 100 % ! [ Read all 3 reviews ](https://wordpress.org/support/plugin/login-armor/reviews/) ## Contributors & Developers “Login Armor” is open source software. The following people have contributed to this plugin. Contributors * [ wpformation ](https://profiles.wordpress.org/wpformation/) [Translate “Login Armor” into your language.](https://translate.wordpress.org/projects/wp-plugins/login-armor) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/login-armor/), check out the [SVN repository](https://plugins.svn.wordpress.org/login-armor/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/login-armor/) by [RSS](https://plugins.trac.wordpress.org/log/login-armor/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 2.4.0 Feature release – request firewall, guided onboarding, fuller in-app docs. * New – **Request Firewall** (optional, off by default): a PHP “8G”-style filter that blocks malicious query strings, paths and HTTP methods before WordPress fully loads (Apache/Nginx/LiteSpeed/IIS). Starts in monitor mode; admins, REST, cron, WP-CLI and admin-ajax are never filtered; IP/path allowlist (CIDR); blocks aggregate to one incident per IP per hour. * New – **Onboarding wizard** with a one-click safe baseline (Simple) or manual setup (Advanced), plus a permanent “Apply safe baseline” button. Upgrading sites see no change. * Improvement – Granular security-plugin conflict warnings, a cache-plugin warning when Hide Login is on, and contextual help for the modules added since 2.2.0. #### 2.3.0 Feature release – account-security hardening. * New – **Password Policy**: minimum length and character-class rules, forbid the username in the password, optionally reject breached passwords (privacy-preserving HIBP), optional non-locking expiration. * New – **Session Management**: idle timeout, maximum session lifetime, optional single active device, and “sign out all other devices”. * New – **IP Geolocation** (opt-in): country next to IPs on Incidents/Events; lazy, cached, private ranges never sent (see External Services). * Improvement – Score now accounts for Password Policy and Session Management; baseline headers can apply site-wide; every IP lockout creates an incident. New hardening: disable pingbacks, alert on new admin. #### 2.2.0 Feature release – the AI Security Briefing. * New – **AI Security Briefing** on the Overview: one click turns your last 30 days of activity into a plain-language verdict, an IP picture and prioritised actions. Built on the WordPress 7 native AI Client – uses your own connector, stores no API key, runs only on click. Always leads with a deterministic facts snapshot (with or without AI); plus “Explain with AI” on an incident. * Privacy – Minimised mode (anonymised signals) is the default; deep mode (real IPs) is an explicit opt-in. See External Services. #### 2.1.26 Fix: email/backup 2FA bouncing to “session expired” on browsers that don’t return the verification cookie; the form now also carries the session token. Security unchanged. #### 2.1.25 Fix: email/backup two-factor verification rejected in some browsers (notably Chrome); the form is now uncached and authenticated by the signed same-site cookie. #### 2.1.24 Fix: fatal error during authenticator-app setup on hosts whose wp-config.php does not define AUTH_KEY (e.g. some Infomaniak installs). Existing setups unaffected. #### 2.1.23 Fix: 2FA login screen – “use a different method” links now work, expired/locked sessions explain themselves, and the setup button reports errors. #### 2.1.22 Fix: the Security Score now counts default-on modules (Brute Force, Detection). Display and scoring only. #### 2.1.21 Cleaner user-agent labels in the Events table. #### 2.1.20 Migration-aware Activity Log integrity (amber “Keys changed” instead of a false TAMPERED alarm), an XML-RPC blind-spot warning, and a complete French translation. #### 2.1.19 Clearer attack-type labels on incidents, translatable admin toasts, French translation of the visible tabs, and an integrity-badge verify fix. #### 2.1.18 Fix: bulk actions now work when incidents are all resolved; the attack-vector pill shows only for XML-RPC/REST. #### 2.1.17 Incidents now record and show the attack vector (XML-RPC / REST / login form) and support bulk resolve/ignore. #### 2.1.16 Plain-permalink fixes (Hide Login URL, REST allowlist), activity-log coverage for 2FA/registration/reset, and Honeypot on WooCommerce and frontend forms. #### 2.1.15 Fix: fatal TypeError when plugins (e.g. WP Fastest Cache) call WordPress URL builders with off-contract argument types. #### 2.1.14 Fix: the prevent_author_enum toggle no longer blocks the legitimate ?author=N filter in the wp-admin Posts/Pages lists. #### 2.1.13 Fix: silent 2FA failure on non-trailing-slash permalinks (e.g. /%postname%) – the verify cookie path mismatched the request path. #### 2.1.12 and earlier Bug fixes, security hardening and i18n across the 2.1.x and 2.0.x series (Hide Login host-awareness, CSP, lockout delivery, REST scope, IPv6, HTTP/2, Activity Log integrity), through the initial 2.0.0 release. Full per-version notes: CHANGELOG.md in the plugin folder. ## Meta * Version **2.4.0** * Last updated **1 week ago** * Active installations **100+** * WordPress version ** 6.8 or higher ** * Tested up to **7.0** * PHP version ** 8.1 or higher ** * Language * [English (US)](https://wordpress.org/plugins/login-armor/) * Tags * [Activity Log](https://vec.wordpress.org/plugins/tags/activity-log/)[Brute Force](https://vec.wordpress.org/plugins/tags/brute-force/) [hide login](https://vec.wordpress.org/plugins/tags/hide-login/)[limit login](https://vec.wordpress.org/plugins/tags/limit-login/) [login security](https://vec.wordpress.org/plugins/tags/login-security/) * [Advanced View](https://vec.wordpress.org/plugins/login-armor/advanced/) ## Ratings 5 out of 5 stars. * [ 3 5-star reviews ](https://wordpress.org/support/plugin/login-armor/reviews/?filter=5) * [ 0 4-star reviews ](https://wordpress.org/support/plugin/login-armor/reviews/?filter=4) * [ 0 3-star reviews ](https://wordpress.org/support/plugin/login-armor/reviews/?filter=3) * [ 0 2-star reviews ](https://wordpress.org/support/plugin/login-armor/reviews/?filter=2) * [ 0 1-star reviews ](https://wordpress.org/support/plugin/login-armor/reviews/?filter=1) [Your review](https://wordpress.org/support/plugin/login-armor/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/login-armor/reviews/) ## Contributors * [ wpformation ](https://profiles.wordpress.org/wpformation/) ## Support Issues resolved in last two months: 2 out of 2 [View support forum](https://wordpress.org/support/plugin/login-armor/) ## Donate Would you like to support the advancement of this plugin? [ Donate to this plugin ](https://wpformation.com)