Description

Defender adds the best in WordPress plugin security to your website with just a few clicks. Stop brute force attacks, SQL injections, cross-site scripting XSS, and other WordPress vulnerabilities and hacks with Defender malware scans, antivirus scans, IP blocking, firewall, activity log, security log, and two-factor authentication login security.

No longer do you have to go through hideously complex settings and get a virtual PhD in security. Defender adds all the hardening and security recommendations you need.

Security Recommendations

Defender starts with a list of one-click hardening techniques that will instantly add layers of protection to your site.

Block hackers at every level:

Two-factor authentication – passwords and mobile app verification codes
Login masking – change the location of WordPress’s default login area
Login lockout – failed login attempts lockout
Security Headers – Add an extra layer of defense and protect against common attacks like: XSS, code injection, and more
404 Detection – automated block of bot IPs
Configs – Create your ideal Defender security settings and export / import saved configs to any other site
Geolocation IP lockout – block users based on location and country (IP blocking)
WordPress Security Firewall – block or allowlist IPs
Disable trackbacks and pingbacks – spam prevention
Core and server update recommendations – stay on top of your system
Disable file editor – if they get in, they won’t get far
Hide error reporting – don’t reveal your issues
Update security keys – reset on-demand
Prevent information disclosure – why tell them what you have
Prevent PHP execution – because it’s daaaangerous
Resolve security recommendations and issues in bulk
Google reCAPTCHA – easy to add, stop fraud and abuse.
Pwned Password Check – Protect against compromised passwords.
Force Password Reset – Force users with selected roles to reset passwords.
User Agent Banning – Block bad bots and user agents from accessing your site.

Learn The Ropes With These Hands-On Defender Tutorials

WordPress Security Scans

Run free malware scans that check WordPress for suspicious code and malware. The Defender scan tool compares your WordPress install with the master copy in WP directory, reports changes and lets you restore the original file with a click.

Google 2-step Verification

Join the millions of users that make their accounts safer with Google 2-Step Verification – along with other third-party integrations like Microsoft Authenticator and Authy. Activate two-factor authentication and protect your account with both your password and your phone.

Google reCAPTCHA Integration

Add reCAPTCHA to your login, registration, and password reset pages in a couple of steps to help protect from fraud and abuse. Select reCAPTCHA type, language, location, and style to suit.

Firewall and IP Manager

Keep your site safe with Defender’s IP manager and firewall. Manually block specific IPs, import a list of banned IPs and set automated timed and permanent lockouts. Defender makes it easy to block and unblock specific locations quickly thanks to its advanced firewall (WAF).

Login Protection

Brute force attacks are no match for Defender. Limit login attempts to stop users trying to guess passwords. Permanently ban IPs or trigger a timed lockout after a set number of failed login attempts.

Login Screen Masking

Defender makes it easy to move your login screen to a custom URL. Not only does login screen masking improve security, but it also lets you white label your login user experience and improves branding.

Force Password Reset

Password Reset enables you to force all users with selected roles to reset their password at any time. Especially helpful if you suspect a possible data breach on your site.

User Agent Banning

Add user agents to the block or allowlist and stop bad bots from spamming and scraping your site. All major search engines and special network bots are allow-listed out of the box. Easy to set up, Defender does all the work, no editing of the .htaccess file required.

Security Headers

Security headers protect your site against the most likely types of attacks, such as: XSS, code injection, cross site scripting, and more. You can enable the following headers:

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict Transport
Referrer Policy
Permissions-Policy

404 Limiter

Defender detects when bots are being used to scan your site for vulnerabilities and shuts them down. The 404 limiter lets you stop the scan by detecting when a bot keeps visiting pages that do not exist, which can also save you from a giant strain on your site’s performance.

Notifications and Reports

Defender runs surveillance and sends notifications with information that matters.

Reduce Setup Time With Saved Configs

The configs module allows you to save your Defender configurations and reapply them to your other sites in just a few clicks. You can create and save an unlimited number of configurations.

Pwned Password Check

Protect your site against password leak attacks. Entered passwords are checked against public database breach records. If a password is identified as compromised, the user will be asked to change it.

What Do People Say About Defender?

★★★★★
“I found other pro security plugins a bit too fiddly for my taste…I’m delighted with Defender” – KeithADV

★★★★★
“Thank you for bringing back a free and easy to use 2-Factor Authentication after Clef! Defender helps keep me aware of my sites security.” – awijasa

★★★★★
“Defender’s interface is very intuitive with warnings that are very helpful” – djohns

★★★★★
“Defender Recently blocked over 3000 attacks in one week without any noticeable impact on the website. WPMUDEV knocking it out of the park on this one.” – David Oswald

Secure Websites, More Trust, Better Profit

Your visitors expect a super-safe extra secure website when deciding whether or not to make a purchase or submit information. If visitors don’t trust your site, they will leave without completing a transaction.

If you’re running a business website or eCommerce store privacy, security, uptime and trust are essential.

Defender is here to help you: it’s a one of a kind WordPress security plugin that makes web security easy for anyone, for free!

Google 2-Step Verification
One-click site hardening and security tweaking
WordPress core file scanning and repair
Google reCAPTCHA
Security headers
One-click configs
Login Screen Masking
Pwned Password Check
IP Blocklist manager and logging
Unlimited file scans
Timed Lockout brute force attack shield for login protection
404 limiter for blocking vulnerability scans
IP lockout notifications and reports

Defender is built to make security simple: it makes your WordPress site harder to hack and it’s insanely easy to set up. Run a scan and implement recommended changes in one-click, for added security in mere minutes.

All the above is free and will secure WordPress for you. If you need extra security for your WordPress site, you should get WPMU DEV Membership.

Our Membership gives you access to Defender Pro – which features automated scanning, scheduled malware scans for Core, themes, plugins and other files, audit logs, Blocklist monitoring – alongside Snapshot Pro cloud backups, the Hub with automated plugin, theme and core updates and safe-upgrade scans, all our premium WordPress plugins, 24/7 WordPress support and if your sites already been hacked our team of security experts will clean it up at no additional cost.

It’s an incredible deal, and you can find out more here.

A Note From Defender

Hey! This is Defender, your trusted solution for WordPress security and hack prevention. I’m part of the WPMU DEV team, a superhero-suite of WordPress plugins, services, and support. Here are some of our other free plugins:

Smush – Image Compression and Optimization
Forminator – Form, Quiz, Poll and Survey Builder
Hummingbird – Page Speed Optimization
Hustle – Pop-ups, Slide-ins and Email Opt-ins
SmartCrawl – SEO checker, Analyzer and Optimizer

And if you need ALL our Pro plugins AND 24/7 WordPress support, get WPMU DEV membership! You can try it free for 30 days: wpmudev.com

My superhero friends run the WPMU DEV Blog, your source for the very best WordPress tutorials. If you need to be in the know about WordPress, check it out.

Thanks for looking at Defender, and I look forward to hardening your site and making it safer than ever.

Enjoy, The Defender

About Us

WPMU DEV is a premium supplier of quality WordPress plugins and themes. For premium support with any WordPress related issues you can join us here:
https://wpmudev.com/

Don’t forget to stay up to date on everything WordPress from the Internet’s number one resource:
WPMU DEV Blog

Hey, one more thing… we hope you enjoy our free offerings as much as we’ve loved making them for you!

Screenshots

Malware scans and one-click hardening recommendations.
Layered security recommendations let your harden your site with a few clicks.
Compares your WordPress install with the directory and restore original files with a click.
Use 2-Step Verification to protect your accounts with your phone.
IP blocklisting, 404 limiter and Timed Lockout attack shield.

Installation

Upload the wp-defender plugin to your /wp-content/plugins/ directory.
Activate the plugin through the ‘Plugins’ menu in WordPress.
Configure and manage using the defender menu item in the WordPress dashboard.
Done!

FAQ

Why should I choose Defender over other security plugins?

Defender is built to add all the best hardening and security recommendations used by the pros without having to become a security expert. This means you get all the most effective and proven protection methods other services provide with fewer settings, on-click hardening and faster setup.

Is Defender the only step I need to take in securing my WordPress site?

Hackers and bot attacks are not the only threat to your site. No matter what security plugin or service you use, always be prepared with a secure backup stored in a safe location away from your live site. Security does not protect from hosting outages, server errors and accidentally lost or damaged data. We recommend Snapshot. Defender with scheduled managed backups is the best way to keep your site safe.

Does Defender protect against harmful bots?

Yes! Defender’s Firewall gives you robust site protection by allowing you to block bad bot IPs.

Can I use Defender with other security plugins?

You can. Just make sure not to enable the same features in the third-party plugin, that you also have enabled in Defender, as this might cause conflicts.

Is Defender compatible with WordPress Multisite?

Yes! The plugin is fully compatible with a multisite installation. It can be network enabled and managed from the network admin.

Does Defender offer spam protection?

A high percentage of Trackbacks and Pingbacks are spam. Defender allows you to easily disable both, giving you added protection.

Will my site be protected from DDoS attacks?

Yes. Defender’s IP banning, IP lockouts, and 404 detections can identify DDoS attacks and block bad IPs.

I’ve locked myself out of my admin panel, what can I do?

Add the code below to your theme’s function.php file, which you’ll find in the main directory of an active theme. Replace “YOUR IP HERE” with your IP address. Use a site like whatsmyip to get your IP.

add_filter( 'ip_lockout_default_whitelist_ip', function ( $ips ) {
  $ip    = 'YOUR IP HERE';
  $ips[] = $ip;
  return $ips;
} );

Help! I was already hacked. What should I do?

WPMU DEV’s expert support can advise you on how to clean up your site if it’s been hacked. Create a new thread in our support forum, or start a free 7 day trial of Defender Pro to get access to 24/7 live support.

I have another question, where’s the best place to get help?

Please open a new thread in Defender’s support forum. Our support team is always happy to help!

Reviews

sofi21 November 24, 2021

This plugin helped me secure my site. Special thanks to everyone who supports and improves the plugin.

ahcaetano November 23, 2021

Indispensável para quem usa o WP.

BlackTrilby November 23, 2021

Great plugin. Changed the login page and have had no hack attempts since.

alanparsons November 22, 2021

Love this product. It is so helpful when there are so many crazy people or countries out there!

soshilaja November 20, 2021

Work well and does what it does well! Great Job!

zenithude November 10, 2021

easy to use

Read all 200 reviews

Contributors & Developers

“Defender Security – Malware Scanner, Login Security & Firewall” is open source software. The following people have contributed to this plugin.

WPMU DEV - Your All-in-One WordPress Platform

“Defender Security – Malware Scanner, Login Security & Firewall” has been translated into 14 locales. Thank you to the translators for their contributions.

Translate “Defender Security – Malware Scanner, Login Security & Firewall” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

2.6.4 ( 2021-11-15 )

Fix: Allow admin-post.php on Mask Login Area

2.6.3 ( 2021-11-03 )

Enhance: White labeling support

2.6.2 ( 2021-11-01 )

New: Plugin vulnerability warnings
New: Import & export User Agent list
New: Highlight new features in Welcome modal
Enhance: Update SUI to latest version
Enhance: Update Upsell buttons
Enhance: Dashboard widget changes
Enhance: Update IP Banning Import-Export icon and note
Enhance: Replace Login Protection ‘Deactivate’ icon
Fix: Some malicious files not flagged
Fix: Malicious plugin not detected
Fix: Defender continually creating scheduled actions
Fix: Audit Logging creating duplicate post entries
Fix: Audit Logging creating user record on multisite
Fix: Mask URL not working correctly on WordPress installed in subdirectory
Fix: reCAPTCHA error thrown on theme login modal

2.6.1 ( 2021-10-18 )

New: Google reCAPTCHA integration with WooCommerce plugin
New: “What’s New” modal hidden on fresh installs
Enhance: Upgrade required minimum PHP version
Enhance: Unlock active lockouts using WP CLI
Enhance: Show more detailed log with Audit Logging
Enhance: Audit Logging on subsites
Enhance: Rename Feature Policy header to Permission Policy header
Enhance: “Send notifications when Defender couldn’t scan the files” not working
Enhance: Set a time limit to cancel malware scanning
Enhance: Mobile view improvements
Enhance: Add log entry when signing in with 2FA
Enhance: Change “Basic config” to “Basic Config”
Enhance: Save a post as Draft and see 3 entries created in Audit log on multisite
Enhance: Add “Activate” button instead of “Continue” when activating the Notification
Enhance: Hide malware scan filter when there is no issue
Enhance: Remove Academy link
Fix: Audit log duplicates when updating menu items
Fix: Max countdown showing 24 hours instead of 72 hours
Fix: Conflict with WooCommerce Payments
Fix: Typo in User Agent Banning Allowlist UI
Fix: Issue with 2FA flow
Fix: Getting PHP Notice / warming on malware scanning
Fix: Google reCAPTCHA for comments doesn’t work with HB Lazy Load
Fix: Redirect to optimal URL on 2FA OTP success in custom login page
Fix: Incorrect Google reCAPTCHA error Code for multisite user registration
Fix: PHP version shows null inside the recommendation
Fix: Aren’t able to explore Recommendations on our hosting

2.6.0 ( 2021-09-20 )

New: User Agent banning
New: “What’s New” modal hidden on fresh installs
Enhance: Update Firewall filters and widgets to include User Agent lockouts
Enhance: Add Countdown timer on the lockout screen
Enhance Update IP Banning Blocklist/Allowlist UI
Enhance: Update misaligned pagination on Firewall Logs page
Fix: GEOIP.PHP issue in Defender Pro
Fix: Update Malware Scanning loopback request params to same as WP core
Fix: Can’t login using WooCommerce’s login/registration forms when Defender reCAPTCHA is enabled
Fix: PHP version recommendation
Fix: Integrate Defender password features with activated 2FA feature
Fix: Issue with activated Mask Login Area and 2FA features
Fix: Malware Scanning reports not sent on MU sites

2.5.7 ( 2021-08-25 )

Fix: Firewall Locations ban issue

2.5.6 ( 2021-08-23 )

New: reCAPTCHA for comments
Enhance: 404 lockout – CSS, JS and MAP files excluded
Enhance: Hide “Powered by Defender” line when Whitelabel is enabled
Enhance: Hide “What’s New Modal” when Whitelabel is enabled
Enhance: Integrated Force Password Reset feature with Forminator
Enhance: Option to automatically regenerate security keys
Enhance: Recipient user list can be sorted and filtered by user role
Fix: Login Protection and 404 Detection deactivated by itself
Fix: Google reCAPTCHA v3 Locations issue
Fix: Problem while navigating malware issues in Defender Pro
Fix: Defender Pro sends the same reports twice
Fix: Security Header Referrer description
Fix: Updating from 2.3.2 to 2.4.4 resets security key recommendation to 60 days
Fix: Updating from 2.3.2 to 2.4.4 removes previous malware scanning data
Fix: Notification recipients – ‘load more’ interaction not visible when adding users

2.5.5 ( 2021-07-26 )

New: Pwned Passwords settings added to Configs
New: “What’s New” modal hidden on fresh installs
Enhance: “Clear Temporary IP Block List” option added to Configs
Enhance: Asset Optimization to increase loading speed in the backend
Enhance: Malware scanning rules improvements
Enhance: File scan not detecting code inside wp-config.php
Enhance: Updated white label method from the WPMU DEV Dashboard
Enhance: Updated footer text on Preset Configs page
Fix: Forced Password Reset not applied if user of one subsite tries to login to another subsite
Fix: Displayed number of actioned recommendations in incorrect
Fix: Free Defender version sending Pro version notifications
Fix: Callbacks to avoid slow log
Fix: Browser console error when changing default admin username
Fix: Fix list of auxiliary WP-CLI commands
Fix: Language translation not updating on multisite
Fix: 2FA can be forced for user roles when inactive for that role
Fix: Password reset doesn’t work for Flywheel sites if Defender Pro is active
Fix: Pwned Passwords security flaw
Fix: Plugin updates via WPMU DEV Dashboard missing from Event Logs
Fix: File scan reporting empty non-WP directories
Fix: File scan missing files that start with a dot
Fix: Defender sending mail reports to [email protected] instead of [email protected]
Fix: 2FA > Active Users > View users link should open in new tab
Fix: Issues viewing Dashboard and Notifications pages on Mobile
Fix: Console error on Mask Login page
Fix: Change reCaptcha to reCAPTCHA

Changelog for previous versions.

WordPress.org