=== Ultimate Security – Login Protection, 2FA, Anti-Spam CAPTCHA, Brute-Force & Security Tools ===
Contributors: wpultimatesecurity
Donate link: https://www.wpultimatesecurity.com
Tags: security, login security, two factor authentication, brute force, captcha
Requires at least: 5.8
Tested up to: 6.9.4
Requires PHP: 8.1
Stable tag: 1.0.20
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block hackers, bots and brute-force attacks with 2FA, CAPTCHA, login protection, session controls, security tools and more.

== Description ==

#### WORDPRESS SECURITY PLUGIN — PROTECTION WITHOUT THE COMPLEXITY

Automated bots probe WordPress logins and forms around the clock. Ultimate Security shuts that down — with two-factor authentication, brute-force lockouts, anti-spam CAPTCHA, a hidden login URL, session controls, and security maintenance tools — all from a clean dashboard you do not need to be a security expert to run.

🛡️ **Lightweight. Privacy-first. No bloat.**

= Why Ultimate Security? =

* **It just works.** Sensible defaults out of the box — turn it on and you are safer in minutes.
* **Built for real attacks.** Stops the automated login, brute-force and spam traffic that actually hits WordPress sites.
* **Zero learning curve.** Plain-English settings, plus a Test Mode to preview rules before they go live.
* **Privacy-respecting.** No tracking, no data collection. Pro features are clearly labelled.

= 🔐 Login & Two-Factor Authentication =

* **Two-Factor Authentication (2FA)** — Email one-time codes **and** authenticator apps via TOTP/HOTP.
* **Per-user 2FA with role-based configuration** — Let users enable 2FA and choose which roles should use email or app-based 2FA.
* **Brute-force login lockout** — Limit failed attempts, auto-lock offenders, auto-reset the retry counter, block specific users, and keep a recovery URL for emergencies.
* **Custom login URL** — Hide `wp-admin` / `wp-login.php` behind a secret address so bots cannot find it.
* **Strong password policies** — Enforce length, complexity, expiry and password history.
* **Session control** — Limit concurrent logins per user and harden auth cookies.

= 🤖 Bot & Brute-Force Protection =

* **Anti-spam CAPTCHA** — Google reCAPTCHA v2/v3 **and** Cloudflare Turnstile.
* **Form coverage** — Protect the WordPress login, registration and lost-password forms; Turnstile also supports comment forms; WooCommerce login/register forms are covered when enabled.
* **No-conflict mode** — Plays nicely alongside other CAPTCHA setups.

= 🧱 Security Maintenance & Controls =

* Rotate WordPress security keys / salts on demand.
* Use the Update Manager to control WordPress core, plugin and theme update behavior.
* Connect Cloudflare and deploy configurable WAF rule groups from the dashboard.
* Review a basic Security Score with prioritized security checks.
* Advanced hardening toggles, API privacy filtering and scheduled salt rotation are available in Pro.

= 📊 Monitoring & Tools =

* **Login Activity snapshot** — Review recent successful and failed login activity from the dashboard.
* **Basic Security Score** — See a scored security posture based on the protections you have enabled.
* **Site Health snapshot** — WordPress/PHP versions, memory, active plugins and theme at a glance.
* **Test Mode** — Simulate security rules and review what *would* have been blocked before enforcing them.
* **Settings backup & restore** — Export/import your configuration as JSON for migrations or disaster recovery.

👉 **[Check Out »](https://www.wpultimatesecurity.com)**

== Installation ==

**Requirements:** WordPress 5.8+ and PHP 8.1+. HTTPS is strongly recommended for 2FA and secure sessions.

1. In WordPress, go to **Plugins → Add New** and search for "WPUltimateSecurity".
2. Click **Install Now**, then **Activate**.
3. Open the **Ultimate Security** menu and follow the setup flow.

= Quick Start =

= Recommended first 5 minutes =

1. Enable **2FA** for all administrator accounts.
2. Set **login attempt limits** and a lockout duration.
3. Add **CAPTCHA** (reCAPTCHA or Cloudflare Turnstile) to the login, registration and comment forms.
4. Set a **custom login URL** and save it somewhere safe.
5. Review the **Security Score**, **Site Health** and **Test Mode** before enabling stricter rules.

== Frequently Asked Questions ==

= Will this slow down my site? =

It is built to stay lightweight — security checks run on login and form submission, not on every page view.

= Do I need any technical or coding knowledge? =

No. Defaults are safe out of the box and every setting is in plain English with a guided setup flow.

= I enabled 2FA / a custom login URL and locked myself out. How do I get back in? =

Disable the plugin to restore the default login: over FTP/SFTP, rename the folder `/wp-content/plugins/ultimate-security`; or over SSH with WP-CLI, run `wp plugin deactivate ultimate-security`. Then log in and reconfigure.

= Does it work with WooCommerce? =

CAPTCHA and login protection cover WooCommerce login and registration forms where enabled. Checkout CAPTCHA is not currently part of the verified free feature set.

= Does it work on WordPress Multisite? =

Yes, it runs on Multisite. Network-wide behaviour depends on how you configure it per site.

= Does the custom login URL work with caching / CDNs? =

Yes. Exclude the login path from full-page caching (most caching plugins do this for login/admin automatically) so the secret URL is never served from cache.

= Will it conflict with other security or CAPTCHA plugins? =

It can if two plugins do the same job. Pick one plugin per function (one 2FA, one CAPTCHA, one login limiter) and disable the overlapping feature in the other.

= Is my data private? Does the plugin track me or phone home? =

No telemetry, no tracking, no usage data collection.
It only contacts third-party services you explicitly enable (see External Services below).

= Is it GDPR-friendly? =

Yes. The plugin is self-hosted and stores its data in your own database. The only outbound calls are the optional services you turn on (reCAPTCHA, Turnstile, WordPress.org salt API).

= What happens to my data when I uninstall? =

You control whether plugin data is removed on uninstall via the plugin's settings.

= What is the difference between Free and Pro? =

Free covers core protection: Email/App 2FA, brute-force lockout, CAPTCHA, custom login URL, password policies, session limits, manual salt rotation, update controls, basic Security Score, Cloudflare WAF rules, Site Health, Test Mode and backup/restore. Pro will add more advanced security features once it is released.

= How do I get support? =

Use the plugin support forum on WordPress.org, or visit https://www.wpultimatesecurity.com.

== External Services ==

This plugin connects to the following third-party services, and only when you explicitly enable the related feature:

= Google reCAPTCHA =

* When: reCAPTCHA CAPTCHA protection is enabled.
* Data sent: the visitor's reCAPTCHA response token and your site secret key.
* Endpoint: https://www.google.com/recaptcha/api/siteverify
* Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

= Cloudflare Turnstile =

* When: Cloudflare Turnstile CAPTCHA protection is enabled.
* Data sent: the visitor's Turnstile response token and your site secret key.
* Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify
* Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/

= WordPress.org Secret-Key (Salt) API =

* When: you request rotation of WordPress security keys/salts.
* Data sent: a request for randomly generated salt strings (no site or user data).
* Endpoint: https://api.wordpress.org/secret-key/1.1/salt/
* Privacy: https://wordpress.org/about/privacy/

= WordPress.org Core Version Check =

* When: the Update Manager checks for available WordPress core updates.
* Data sent: a standard WordPress core version-check request (no user data).
* Endpoint: https://api.wordpress.org/core/version-check/1.7/
* Privacy: https://wordpress.org/about/privacy/

= Cloudflare API =

* When: you connect Cloudflare or deploy/view WAF rules.
* Data sent: Cloudflare credentials/token, selected zone/rule data, and the Cloudflare API requests needed for verification, deployment and analytics.
* Endpoint: https://api.cloudflare.com/client/v4/
* Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/

== Changelog ==

= 1.0.20 =
* New: Improved Session Management settings, including concurrent login limits, session cookie hardening and more.
* New: Cloudflare Turnstile and reCAPTCHA CAPTCHA verification when applying their respective keys.
* Improvement: Cloudflare WAF rules function improvement.
* Improvement: Code optimization and performance improvements.

= 1.0.19 =
* Fix: 2FA user role was not working properly.
* Fix: Login activity dashboard modal was showing the wrong agent.
* Improvement: More user-friendly Server Protection card design.
* Improvement: Code cleanup and optimization.

= 1.0.18 =
* New: One-click apply for Cloudflare WAF rules.
* New: New modal for login activity with detailed information.
* Improvement: Code cleanup and optimization.
* Fix: Login redirect URL was showing the existing login for password reset.

= 1.0.17 =
* Fix: Minor bug fixes and stability improvements.
* Improvement: Code cleanup and optimization.

= 1.0.16 =
* Improvement: Code improvements to the overall plugin, making it snappier.

= 1.0.15 =
* Improvement: Conflict management between applied settings.
* Improvement: UI improvements to existing settings pages, making them more intuitive to use.
* Fix: Multiple bug fixes to the dashboard; you should get more accurate results now.
* Fix: New deactivation URL was not saving after deactivating and reactivating the plugin.

= 1.0.14 =
* Fix: Email 2FA codes were not being sent properly.
* Fix: 2FA code page flickering effect after login.

= 1.0.13 =
* New: Completely redesigned user interface for better usability.

= 1.0.12 =
* New: Security Score meter to track your site's security level.
* Improvement: Enhanced modal design for better UI/UX.

= 1.0.11 =
* Fix: Minor UI bug fixes.

= 1.0.10 =
* Security: Removed unauthenticated AJAX actions.
* Security: REST routes now require admin permission.

= 1.0.9 =
* Fix: Dashboard emergency deactivation URL display issue.

= 1.0.8 =
* Improvement: Human-readable values in activity log.
* Improvement: Reduced plugin size with optimized code.
* Fix: 2FA reset issue for users.
* Fix: Password policy not applying to new users.

= 1.0.7 =
* New: Activity Log feature.
* New: Improved dashboard design.
* Fix: Nonce validation issues.
* Fix: Turnstile not showing on comment forms.

= 1.0.6 =
* Fix: Custom login setup issues.
* Fix: Email 2FA asking for OTP twice.
* Fix: Feedback form email delivery.
* Improvement: Reorganized menu navigation.
* Improvement: Performance optimizations.

= 1.0.5 =
* Fix: Request logs page display issue.
* Fix: URL Guard SQL query display.
* Improvement: Performance optimizations.

= 1.0.4 =
* Redesigned settings page interface.
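The siteverify exchange listed under External Services above (the visitor's response token and your secret key posted to the reCAPTCHA or Turnstile endpoint) done server-side, with the checks a defender wants: fail closed on transport errors, reject tokens solved on another hostname, and apply a v3 score floor. This is an added example, not the plugin's own code; the function name, the option names that hold the secret keys and the 0.5 score floor are assumptions.

```php
<?php
// Added example, not the plugin's code: server-side CAPTCHA verification
// against the siteverify endpoints listed under External Services.
// Assumes WordPress is loaded; function and option names are placeholders.
function example_us_verify_captcha( string $provider, string $token ): bool {
    $endpoints = array(
        'recaptcha' => 'https://www.google.com/recaptcha/api/siteverify',
        'turnstile' => 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
    );
    if ( ! isset( $endpoints[ $provider ] ) || '' === $token ) {
        return false; // unknown provider or missing token: fail closed
    }
    $secret = (string) get_option( 'example_' . $provider . '_secret_key', '' );
    if ( '' === $secret ) {
        return false; // unconfigured secret: never accept unverified submissions
    }
    // Only what the readme lists is sent: the response token and the secret key.
    $response = wp_remote_post( $endpoints[ $provider ], array(
        'timeout' => 5,
        'body'    => array( 'secret' => $secret, 'response' => $token ),
    ) );
    // Transport error or non-200 reply: fail closed, not open.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || true !== ( $data['success'] ?? false ) ) {
        return false;
    }
    // Both services echo the hostname the widget ran on; reject a token solved elsewhere.
    $expected_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( $expected_host && isset( $data['hostname'] ) && $data['hostname'] !== $expected_host ) {
        return false;
    }
    // reCAPTCHA v3 adds a score (0.0 = likely bot, 1.0 = likely human); 0.5 is an assumed floor.
    if ( 'recaptcha' === $provider && isset( $data['score'] ) && (float) $data['score'] < 0.5 ) {
        return false;
    }
    return true;
}

// Example wiring for the login form: priority 5 runs before WordPress's own password
// check (20); requests without the form's 'log' field (XML-RPC, application passwords)
// are left alone. 'cf-turnstile-response' is the field name Turnstile's widget submits.
add_filter( 'authenticate', function ( $user ) {
    if ( empty( $_POST['log'] ) ) {
        return $user;
    }
    $token = sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ?? '' ) );
    return example_us_verify_captcha( 'turnstile', $token ) ? $user : new WP_Error( 'captcha_failed', 'CAPTCHA verification failed.' );
}, 5 );
```

For reCAPTCHA the widget submits `g-recaptcha-response` instead, and the same function covers it with `'recaptcha'` as the provider.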