=== Iron Security – WordPress Security Plugin ===
Contributors: wpiron
Donate link: https://wpiron.com
Tags: security, firewall, malware, firewall, login
Requires at least: 4.7
Tested up to: 6.7
Stable tag: 2.2.2
Requires PHP: 7.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Iron Security is a powerful WordPress security plugin to protect your site from common threats. Lock down your site with login protection, file security, and HTTP headers — all in one lightweight plugin.

== Description ==

**Iron Security** is the ultimate **WordPress security plugin** built to secure and harden your website with essential protection features. Whether you're a blogger, business owner, or developer, Iron Security helps keep your site safe from attacks and unauthorized access.

With a user-friendly interface and effective tools like **custom login URL**, **two-factor authentication (2FA)**, **brute-force protection**, and **HTTP security headers**, Iron Security is the all-in-one solution for WordPress security.

=== 🔐 Key Features ===

**General Hardening**
- Disable XML-RPC API
- Disable REST API
- Hide WordPress version
- Disable file editor
- Enable plugin & core auto-updates

**Login & Authentication Security**
- Custom admin area URL
- Limit login attempts
- Limit the number of administrators
- Session timeout for idle users
- Change default Admin ID
- Block user enumeration

**Files & Directory Protection**
- Block PHP file uploads
- Prevent direct file access

**HTTP Security Headers**
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
- Strict-Transport-Security (HSTS)
- Referrer-Policy
- Content-Security-Policy (CSP)
- Permissions-Policy

**Easy to Use**
- Clean and intuitive admin panel
- Lightweight and optimized for performance
- Compatible with major themes and plugins

> Iron Security is perfect for anyone looking for a **security plugin for WordPress** that offers practical protection features without bloating your site.
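To confirm that the seven headers listed under HTTP Security Headers are actually sent with usable values once they are enabled, a response can be audited as below. This is an added example, not code from the plugin; the sample headers are constructed, and the `MIN_HSTS_AGE` threshold and the helper names are assumptions.

```python
import re

# The seven headers the readme lists under "HTTP Security Headers".
EXPECTED = ["X-Content-Type-Options", "X-Frame-Options", "X-XSS-Protection",
            "Strict-Transport-Security", "Referrer-Policy",
            "Content-Security-Policy", "Permissions-Policy"]
MIN_HSTS_AGE = 15768000  # assumed threshold (six months, in seconds)
# Constructed response headers for illustration, not captured from a real site.
SAMPLE = {
    "x-content-type-options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

def script_sources(csp):  # sources governing scripts: script-src, else default-src
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    return directives.get("script-src", directives.get("default-src"))

def check(name, value):
    v = value.strip().lower()
    if name == "X-Content-Type-Options":
        return "ok" if v == "nosniff" else "must be nosniff"
    if name == "X-Frame-Options":
        return "ok" if v in ("deny", "sameorigin") else "use DENY or SAMEORIGIN"
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=\"?(\d+)", v)
        return "ok" if m and int(m.group(1)) >= MIN_HSTS_AGE else "max-age missing or too short"
    if name == "Referrer-Policy":  # a fallback list is judged by its last value
        return "leaks full URL" if v.split(",")[-1].strip() == "unsafe-url" else "ok"
    if name == "Content-Security-Policy":
        src = script_sources(v)
        if src is None:
            return "no script-src or default-src"
        pinned = any(s.startswith(("'nonce-", "'sha")) for s in src)  # nonce/hash overrides 'unsafe-inline'
        bad = [s for s in src if s in ("'unsafe-eval'", "*")
               or (s == "'unsafe-inline'" and not pinned)]
        return "scripts allow " + " ".join(bad) if bad else "ok"
    return "ok"  # X-XSS-Protection and Permissions-Policy: presence only

def audit(headers):
    got = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {n: check(n, got[n.lower()]) if n.lower() in got else "missing"
            for n in EXPECTED}
```

Calling `audit()` on the headers of a real response from your own site (for example the `headers` mapping of an HTTP client response) gives one finding per header.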
== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/iron-security` directory, or install the plugin through the WordPress plugins screen directly.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Go to the **Iron Security** menu in the admin dashboard to configure your settings.

== Frequently Asked Questions ==

= What makes Iron Security different from other WordPress security plugins? =

Iron Security is designed to be lightweight, fast, and focused on practical features that matter most for securing your WordPress site.

= Is Iron Security suitable for beginners? =

Yes! Iron Security comes with an intuitive dashboard and clear explanations for each option. Whether you're a WordPress beginner or an experienced developer, you'll find it easy to use and configure.

= How does the custom login URL help protect my site? =

Changing the default `/wp-admin` or `/wp-login.php` URL makes it harder for bots and attackers to find your login page, reducing brute force attempts. You can set your own unique login slug in a few clicks from the plugin settings.

= What happens when a user exceeds the allowed login attempts? =

If a user exceeds the allowed number of login attempts, their IP will be temporarily blocked based on your configured lockout settings. You can customize the number of allowed attempts, lockout duration, and view attempt logs.

= How does the Admin ID protection work? =

By default, WordPress assigns user ID 1 to the first admin account — a known vulnerability targeted by bots. Iron Security lets you assign a different ID to your admin account, making it harder to guess and exploit.

= Does Iron Security block XML-RPC and REST API? Why? =

Yes, you can optionally disable XML-RPC and REST API — two common attack vectors. XML-RPC is often used in DDoS and brute force attacks, while REST API may expose user data. Disabling them improves security, especially if you don’t use them.
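The per-IP lockout described in the login-attempts answer above can be modelled as follows, to see how the attempt limit and lockout duration interact. This is an added example, not the plugin's implementation; the setting values, the counting window, the `LoginLimiter` class and the attempt log are all constructed assumptions.

```python
from collections import defaultdict

MAX_ATTEMPTS = 3   # assumed setting: failures allowed before a lockout
WINDOW = 300       # assumed: seconds over which failures are counted
LOCKOUT = 900      # assumed: lockout duration in seconds

# Constructed attempt log: (unix time, client IP, password correct?)
EVENTS = [
    (1000, "203.0.113.7", False),
    (1010, "203.0.113.7", False),
    (1020, "198.51.100.4", False),
    (1030, "203.0.113.7", False),   # third failure -> lockout starts
    (1040, "203.0.113.7", True),    # correct password, but still locked out
    (1500, "198.51.100.4", True),   # success clears this IP's failures
    (1940, "203.0.113.7", True),    # lockout (1030 + 900 = 1930) has expired
]

class LoginLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, lockout=LOCKOUT):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout ends

    def attempt(self, now, ip, password_ok):
        """Return 'blocked', 'allowed' or 'failed' for one login attempt."""
        if now < self.locked_until.get(ip, 0):
            return "blocked"                # credentials are not evaluated at all
        if password_ok:
            self.failures.pop(ip, None)
            return "allowed"
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)     # start fresh once the lockout ends
        return "failed"

def replay(events):
    limiter = LoginLimiter()
    return [limiter.attempt(t, ip, ok) for t, ip, ok in events]
```

Replaying `EVENTS` shows that a correct password submitted during the lockout is still refused, which is what stops a guessing run from succeeding mid-lockout.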
= What are HTTP security headers and why should I enable them? =

HTTP security headers like X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security provide an extra layer of browser-based protection. They help prevent XSS, clickjacking, and other code injection attacks. Iron Security lets you enable them easily from the dashboard.

= Will Iron Security slow down my website? =

Not at all. The plugin is built to be lightweight and uses efficient code practices. It doesn’t run background scans or heavy processes, so your site’s performance remains unaffected.

= Can I use Iron Security on WooCommerce stores? =

Absolutely. Iron Security is fully compatible with WooCommerce and protects your login area, admin panel, and core files without affecting your store’s functionality.

= Where can I get support or report a bug? =

You can submit issues or ask for help via the [support forum on WordPress.org](https://wordpress.org/support/plugin/iron-security/) or by contacting us directly at [https://wpiron.com](https://wpiron.com).

= How often is Iron Security updated? =

We actively maintain and improve Iron Security. You can expect regular updates for new features, security patches, and WordPress compatibility improvements.

== Screenshots ==

1. screenshot-1.png
2. screenshot-2.png
3. screenshot-3.png
4. screenshot-4.png
5. screenshot-5.png
6. screenshot-6.png
7. screenshot-7.png
8. screenshot-8.png

== Changelog ==

= 2.2.2 =
* Made Support window
* Fixed all other issues we had

= 2.2.0 =
* Added HTTP Security Headers
* Enhanced UI/UX for admin panel
* Bug fixes and performance improvements

= 2.1.0 =
* Added file and directory protection options
* Improved session timeout management

= 2.0.0 =
* Login and authentication section introduced
* Custom admin URL, 2FA, and login limiter added

= 1.1.3 =
* Fixed issues for WordPress.org plugin review

= 1.1.2 =
* Fixed issues for WordPress.org plugin review

= 1.1.1 =
* Fixed issues for WordPress.org plugin review

= 1.1.0 =
* Initial plugin build

== Upgrade Notice ==

= 2.2.0 =
New security headers support added. It is strongly recommended to update to benefit from enhanced protection.

== Credits ==

Developed by [WPIron](https://wpiron.com)

== License ==

This plugin is licensed under the GPLv2 or later.