=== Iron Security – WordPress Security Plugin === Contributors: wpiron Donate link: https://wpiron.com Tags: security, firewall, malware, firewall, login Requires at least: 4.7 Tested up to: 6.8 Stable tag: 2.3.4 Requires PHP: 7.0 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html Iron Security is a powerful WordPress security plugin to protect your site from common threats. Lock down your site with login protection, file security, and HTTP headers — all in one lightweight plugin. == Description == **Iron Security** is the ultimate **WordPress security plugin** built to secure and harden your website with essential protection features. Whether you're a blogger, business owner, or developer, Iron Security helps keep your site safe from attacks and unauthorized access. With a user-friendly interface and effective tools like **custom login URL**, **HTTP security headers**, Iron Security is the all-in-one solution for WordPress security. === 🔐 Key Features === **General Hardening** - Disable XML-RPC API - Disable REST API - Hide WordPress version - Block AI crawlers from crawling your website - Disable file editor - Enable plugin & core auto-updates **Login & Authentication Security** - Custom admin area URL - Limit login attempts & Lockout User From Authentications - Limit the number of administrators - Session timeout for idle users - Change default Admin ID - Block user enumeration - Change Default Admin Username **Files & Directory Protection** - Block PHP file uploads - Prevent direct file access **HTTP Security Headers** - X-Content-Type-Options - X-Frame-Options - X-XSS-Protection - Strict-Transport-Security (HSTS) - Referrer-Policy - Content-Security-Policy (CSP) - Permissions-Policy **Easy to Use** - Clean and intuitive admin panel - Lightweight and optimized for performance - Compatible with major themes and plugins > Iron Security is perfect for anyone looking for a **security plugin for WordPress** that offers practical protection features without bloating your site. == Installation == 1. Upload the plugin files to the `/wp-content/plugins/iron-security` directory, or install the plugin through the WordPress plugins screen directly. 2. Activate the plugin through the 'Plugins' screen in WordPress. 3. Go to the **Iron Security** menu in the admin dashboard to configure your settings. == Frequently Asked Questions == = What makes Iron Security different from other WordPress security plugins? = Iron Security is lightweight, fast, and focused on the most effective hardening techniques. Instead of bloated features, it delivers practical tools that directly protect your WordPress site from real threats. = Is Iron Security suitable for beginners? = Absolutely. Iron Security features an intuitive dashboard with clear explanations for each setting. Whether you’re new to WordPress or a seasoned developer, you’ll find it easy to set up and use. = How does changing the login URL protect my site? = By replacing the default /wp-admin or /wp-login.php URLs, you reduce the risk of automated brute force attacks. Bots and attackers can’t easily locate your login page, adding an extra layer of protection. = What happens if someone exceeds the allowed login attempts? = Their IP will be temporarily blocked based on your configured settings. You can set how many failed attempts are allowed, how long the lockout lasts, and monitor the attempt logs directly from the plugin dashboard. = How does Admin ID protection work? = WordPress assigns the first admin user an ID of 1 — a known target for attacks. Iron Security helps you avoid this by allowing you to assign a different user ID to your admin account, reducing exposure to targeted exploits. = Can Iron Security block XML-RPC and REST API access? = Yes. These features can be optionally disabled. XML-RPC and REST API are common targets for attacks like brute force or user data enumeration. If you don’t use them, disabling them can significantly reduce your attack surface. = What are HTTP security headers, and why should I enable them? = HTTP security headers such as X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security enhance browser-level security. They help protect your site against XSS, clickjacking, and other injection-based attacks. Iron Security lets you enable these headers with just a few clicks. = Will Iron Security slow down my website? = No. Iron Security is performance-focused and doesn't include heavy scans or background processes. It’s designed to secure your site without impacting loading speed or user experience. = Is Iron Security compatible with WooCommerce? = Yes, Iron Security works seamlessly with WooCommerce. It protects your admin area, login forms, and critical files without interfering with your store's functionality or customer experience. = How can I get support or report a bug? = You can reach out via the WordPress.org support forum: https://wordpress.org/support/plugin/iron-security/ or contact our team directly at https://wpiron.com. = How often is Iron Security updated? = We actively maintain Iron Security to ensure compatibility with the latest WordPress releases. Expect regular updates with new features, security improvements, and bug fixes. = What is the benefit of disabling file editing in WordPress? = Disabling the file editor in the admin panel prevents attackers from injecting malicious code directly into theme or plugin files if they gain admin access. This is a simple but effective hardening step. = What does hiding the WordPress version do? = Iron Security removes the WordPress version from your website’s source code to reduce the risk of automated attacks targeting specific versions with known vulnerabilities. = How does Iron Security block AI crawlers? = The plugin adds specific rules to your robots.txt file to block AI and data scraping bots, helping protect your content from unauthorized use and training. = What does "Limit number of administrators" mean? = Limiting admin users helps reduce the number of high-privilege accounts on your site. The plugin notifies you if more than one admin account exists, encouraging better access control and role management. = How does session timeout protect my site? = If a logged-in user is inactive for a certain period, they are automatically logged out. This prevents unauthorized access from unattended sessions on shared or public devices. = Can I block user enumeration? = Yes. Iron Security prevents bots from discovering usernames through the `?author=` query parameter, a common tactic used in brute force and targeted attacks. = What does “Change default admin username” do? = If your admin account uses "admin" as the username, it becomes an easy target. Iron Security helps you safely change this default to something unique and secure. = What does "Prevent direct file access" mean? = The plugin restricts access to sensitive files like PHP templates and system files that should not be accessed directly, protecting your site from unauthorized requests. = Can I block PHP file uploads? = Yes. Iron Security allows you to block PHP file uploads in forms and media to prevent malicious scripts from being uploaded to your site. = What are plugin and core auto-updates, and why enable them? = Keeping your WordPress core and plugins updated is critical to staying secure. Iron Security allows you to enable automatic updates, so your site is always protected with the latest patches. == Screenshots == 1. screenshot-1.png 2. screenshot-2.png 3. screenshot-3.png 4. screenshot-4.png 5. screenshot-5.png 6. screenshot-6.png 7. screenshot-7.png 8. screenshot-8.png == Changelog == = 2.3.4 = * Update plugin = 2.3.3 = * Add functionality to change default admin username = 2.3.2 = * Gutenberg some blocks were disabled - fixed it. = 2.3.1 = * Remove AI Crawler notification because it's not working properly = 2.3.0 = * Upgrade patches of packages * Fix error for react library * Fix error when activate in dashbaord settings - in other tabs show changed settings = 2.2.9 = * Fix warnings & Small errors = 2.2.8 = * Update = 2.2.7 = * Fix IP Spoofing possibility * Limit login attempts - Lockout user = 2.2.6 = * Fix Session timeout login message * Added blocking of AI crawlers = 2.2.5 = * Fix errors of htaccess of File & Directory protection = 2.2.4 = * Fixed Fatal Error when editing pages * Fixed styling issues with whole admin panel = 2.2.3 = * Fixed Readme = 2.2.2 = * Made Support window * Fixed all other issues we had = 2.2.0 = * Added HTTP Security Headers * Enhanced UI/UX for admin panel * Bug fixes and performance improvements = 2.1.0 = * Added file and directory protection options * Improved session timeout management = 2.0.0 = * Login and authentication section introduced * Custom admin URL, 2FA, and login limiter added = 1.1.3 = * Fixed issues for WordPress.org plugin review = 1.1.2 = * Fixed issues for WordPress.org plugin review = 1.1.1 = * Fixed issues for WordPress.org plugin review = 1.1.0 = * Initial plugin build == Upgrade Notice == = 2.2.5 = * Please updagrade this plugin, we fixed "Block PHP file Uploads" and "Prevent Direct Access" toggles - not crashing the website. = 2.2.0 = New security headers support added. It is strongly recommended to update to benefit from enhanced protection. == Credits == Developed by [WPIron](https://wpiron.com) == License == This plugin is licensed under the GPLv2 or later.