=== Defender Security - Malware Scanner, Login Security & Firewall ===
Plugin Name: Defender Security - Malware Scanner, Login Security & Firewall
Version: 6.0.1
Author: WPMU DEV
Author URI: https://wpmudev.com/
Contributors: WPMUDEV
Tags: security, malware, firewall, malware scanner, login security
Requires at least: 6.4
Tested up to: 7.0.1
Stable tag: 6.0.1
Requires PHP: 8.0.0
License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

WordPress security plugin with malware scanner, IP blocking, audit logs, antivirus scans, firewall, 2FA, brute force login security, and more.

== Description ==

**Keep your sites safe from hackers, brute force attacks and malware with Defender, your easy-to-set-up, enterprise-level security plugin. With Defender, you can rely on the protection of a firewall, one-click hardening and 2FA, without having to be a cybersecurity expert.**

As hackers continue to evolve, you know you need to stay on top of your site's security. But you don't have the time to learn to code, stay abreast of every emerging threat, or apply complicated technical settings.

Defender is here to give you the powerful security tools you need, without the technical headaches. Trusted by over 1 million WordPress users, this plugin works immediately with no confusing setup. Just activate Defender and let it handle the rest!

**Trusted by 1+ Million Sites | 4.8/5 Star Rating**

= Defender makes it easy to: =

* Run on-demand malware scans to find suspicious files and code
* Block malicious IPs with a global firewall
* Enforce strong passwords, 2FA, and login limits
* Apply recommended hardening settings in one click
* Get clear reports that show what needs attention
* Protect against compromised passwords before they are used on your site

= Free Malware Scanner: Stop security threats before they harm your site =

If your site has been infected by malware, this malicious code can cause a lot of damage before you even realize it's there. Hackers use malware, often hidden in themes, extensions and plugins, to steal personal data, encrypt files for ransom, or spy on your activity.

Defender gives you a highly-effective yet easy-to-use malware scanner that runs deep diagnostics across your entire site, making sure no malware is lurking in the shadows.

Defender will scan your site for:

* **Files that have changed unexpectedly:** The scan will compare all core files and extensions against the official WordPress repository and flag any modifications or rogue additions instantly.
* **Known vulnerabilities:** Defender will check verified exploit registries to catch any security gaps in your active themes, plugins and core version, and help you fix them before they can be targeted.
* **Suspicious code:** By continually checking your server files, Defender will spot any potential code injections or backdoors, a common way bad actors try to gain access to your site.
* **Outdated & removed plugins:** Plugins that have been delisted from the repository or have not been updated in over two years become a significant risk to your site's integrity. Defender flags these weak spots before they can cause a problem.

= AntiBot Global Firewall: Block harmful IPs with data from over 750,000 sites =

Put the collective threat intelligence of a massive network to work for your site. Powered by real-time threat data from over 750,000+ sites, the free AntiBot Global Firewall automatically blocks harmful traffic and spam bots with a single click.

When any site on our network flags a threat, all other sites get protected too. It's like having a bouncer for your website. If an IP is on the blocklist (updated every 12 hours), they're not getting in!

The most important part is, you'll be in complete control.

* **User-friendly setup:** Defender Pro gives you AntiBot on every site you connect, regardless of where they're hosted. Just flip the switch and it'll start working so efficiently you won't even notice it's there.
* **Choose your security level:** Basic Mode offers balanced, everyday protection, while Strict Mode offers tighter security that blocks even the slightest suspicious activity.
* **Manage IPs in The Hub:** Manually block specific IPs, apply blocklists and allowlists across all sites, implement Geo IP blocking and configure everything from one central dashboard.

Want to see AntiBot in action? You can click [here](https://wpmudev.com/antibot-global-firewall-statistics/) to get a real-time look at the malicious IPs and suspicious requests it's detected and blocked in the last 24 hours.

= Firewall Security & IP Management: Take control over your site's traffic =

Defender's advanced Web Application Firewall (WAF) makes it easy to lock out hackers, scrapers, and malicious bots without touching a single line of code.

* **Advanced IP Lockouts:** Manually block specific IPs, import custom blocklists, or set automated timed and permanent lockouts for repeat offenders.
* **Geo IP Blocking:** Instantly ban traffic from specific countries or geographic locations with a single click.
* **User Agent Banning:** Instantly block spam and scrapers using built-in bad bot presets. We automatically allowlist major search engines to protect your SEO.
* **Malicious Bot Detector:** Deploy layered defenses to trap aggressive bots that ignore your robots.txt rules and catch fake crawlers impersonating legitimate search engines.

= Login Security & 2FA: Prevent unauthorized access =

Make sure the only users logging into your WordPress site are the ones you actually *want*. Defender can protect your sites from unauthorized access or brute force attacks with sophisticated login security features.

These features keep your site safe from malicious logins, while still ensuring legitimate users can log in easily.

* **Hide Login URL:** Change the location of WordPress's default login area, making it harder for automated bots to find and more convenient for your users.
* **Session Security:** Protect your site from session hijacking, preventing attackers from stealing session tokens to impersonate users and gain unauthorized access to your website.
* **Smart Password Rules:** Enforce strong passwords for new registrations, automatically block compromised credentials using a public "pwned" passwords database, limit login attempts so hackers can't guess passwords, and force a site-wide password reset upon the next login if you suspect a security breach.
* **Two-Factor Authentication (2FA):** Add an extra layer of protection and security to your WordPress sites to prevent brute force attacks and login security vulnerabilities. Defender's two-factor authentication (2FA) features include plenty of ways to verify logins, from mobile app verification (Google Authenticator, Authy) to Biometric Authentication (fingerprint/facial recognition) to Hardware Key Authentication (USB security keys.) Plus, built-in backup code generation, lost device emails and WooCommerce 2FA.

= Security Hardening: Apply recommended settings with a single click =

WordPress security hardening is all about adding multiple layers of protection to your website, to reduce your risk of attacks and unauthorized access.

Defender makes it easy to do this, with 12 recommended hardening settings you can apply with one click.

For example, Defender's hardening settings include:

* Disabling the file editor to stop internal tampering
* Updating outdated security keys
* Hiding PHP error reporting on the frontend
* Adding advanced security headers (XSS protection, Strict Transport, etc.)
* Disabling trackbacks and pingbacks to prevent spam

= Automated Defenses: Protect your entire site, on autopilot =

You've got a lot to handle while running your business, wouldn't it be nice if security was something you could set and forget? [Learn more about Defender Pro](https://wpmudev.com/project/wp-defender/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme-above-the-fold&utm_content=wp_defender_pro).

With Defender, you can put your security on autopilot. It'll be working around the clock with hands-off, automated defenses that run seamlessly in the background to keep intruders out and your data safe.

Here's what Defender will be doing while you work on other things:

* **Performing scheduled scans for issues:** Set up regular scans that look for malicious code, suspicious code injections, vulnerabilities, abandoned plugins, and missing hardening recommendations.
* **Creating automated security reports:** Stay informed with health updates and immediate threat summaries delivered directly to your inbox.
* **Making comprehensive audit logs:** Defender tracks and logs every backend event, to trace file edits, unauthorized changes and active hacking attempts instantly.

= Why choose Defender? =

There are plenty of WordPress security plugins out there, but many make it needlessly complicated to protect your site. Defender keeps the essentials simple.

You can scan for malware, block harmful traffic, strengthen login security, and harden your site from one plugin, without digging through confusing technical options.

It's built specifically for WordPress, trusted across the WPMU DEV ecosystem, and designed to help you protect your site without slowing down your work.

With Defender, you get:

* Security trusted by over 1 million WordPress users
* Protection built specifically for WordPress vulnerabilities
* Regular updates and threat intelligence improvements
* Malware scanning, firewall protection, and login security in one plugin
* Support from the award-winning WPMU DEV team

So you get serious WordPress security, without the overwhelming setup.

= Built for speed and security =

A security plugin should protect your site without getting in the way.

Defender is built to stop threats before they waste your server resources, with lightweight protection that runs quietly in the background.

With Defender, you can:

* Detect and limit 404 bots before they drain server resources
* Run malware scans without overloading your CPU
* Keep your site protected without adding performance drag

So you get the security your site needs, without making visitors wait for it.

= Works with your existing setup =

You shouldn't have to change your plugins, tools or workflow just to secure your site. Defender works smoothly with your current WordPress setup.

With Defender, you can:

* Protect WooCommerce, BuddyPress, and sites built with major page builders
* Apply saved security configs across multiple sites in a few clicks
* Enable and configure protection alongside your favorite plugins

So you get the security your site needs, without getting in the way of the plugins, tools, and workflows you already rely on.

= Get started in minutes =

Defender works as soon as you activate it.

Install the plugin, run your first malware scan, enable your firewall, strengthen login security, and apply recommended hardening settings in just a few clicks. Defender shows you what needs attention, so you can lock down your site without editing code or guessing which settings matter.

Just install Defender, switch on the protections you need, and let it handle the rest.

== Frequently Asked Questions ==

= Why should I choose Defender over other security plugins? =

Defender is built to add all the best hardening and website security recommendations used by the pros without having to become a security expert. This means you get all the most effective and proven protection methods other services provide with fewer settings, one-click hardening and faster setup.

= Is installing Defender the only step I need to take for better WordPress security? =

Hackers and bot attacks are not the only security threats to your site. No matter what security plugin or service you use, always be prepared with a secure backup stored in a safe location away from your live site. Security does not protect from hosting outages, server errors and accidentally lost or damaged data. We recommend [Snapshot](https://wpmudev.com/project/snapshot/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=snapshot#trial). Defender with scheduled managed backups is the best way to keep your site safe.

= Does Defender security protect against harmful bots? =

Yes! Defender's Firewall gives you robust site protection and security by allowing you to block bad bot IPs and use geographical IP blocking

= Can I use Defender with other security plugins? =

You can. Just make sure not to enable the same security features in the third-party plugin that you also have enabled in Defender, as this might cause conflicts, such as malware scanners, firewall, and login security features.

= Is Defender’s security compatible with WordPress Multisite? =

Yes! All of Defender's security features are fully compatible with a multisite installation. It can be network enabled and managed from the network admin.

=  Does Defender offer spam protection and security? =

Yes, Defender provides multiple layers of spam protection and security. A large percentage of Trackbacks and Pingbacks are spam, and Defender allows you to easily disable both to reduce spam and improve site security. Additionally, Defender includes the AntiBot Global Firewall, which blocks known malicious IPs and bots before they even reach your site, offering proactive protection against common attacks and spam bots.

= Will my site be protected from DDoS attacks and similar security threats? =

Yes. Defender's IP banning, IP lockout, and 404 detection security features can identify DDoS attacks and block bad IPs.

= I've locked myself out of my admin panel, what can I do? =

If you’re the administrator and you’ve been locked out due to multiple failed login attempts, Defender offers two options:

Option #1: Use the “Unlock Me” feature:

Click the Unlock Me button on the login page and enter your username or the email address linked to your site. You’ll receive an email with a secure link to unlock your account and regain access — no technical steps needed.

Option #2: Use the manual method (if email doesn’t work):

Add the following code to your theme’s functions.php file, located in the main directory of your active theme.
`
add_filter( 'ip_lockout_default_whitelist_ip', function ( $ips ) {
  $ip    = 'YOUR IP HERE';
  $ips[] = $ip;
  return $ips;
} );
`
Replace "YOUR IP HERE" with your actual IP address (you can use a tool like whatsmyip to find it.)

= Help! I was already hacked. What should I do? =

WPMU DEV's expert support can advise you on how to clean up your site if it's been hacked. Create a new thread in our [support forum](https://wordpress.org/support/plugin/defender-security/), or [Defender Pro](https://wpmudev.com/project/wp-defender/) gives you access to 24/7 live support.

= How can I report security issues or bugs? =

We take plugin security incredibly seriously; if you have a bug or vulnerability to report, you can do so through the Patchstack Vulnerability Disclosure Program. It's fast, easy, and you will be notified when the issue is fixed. [Report a vulnerability](https://patchstack.com/database/vdp/defender-security).

= I have another question, where's the best place to get help with security? =

Please open a new thread in Defender's [support forum](https://wordpress.org/support/plugin/defender-security/). Our support team is always happy to help!

== Screenshots ==

1. Malware scans and one-click website security hardening recommendations.
2. Layered security recommendations let you harden your site with a few clicks.
3. Enable AntiBot & Local Firewall for smart, layered defense against bots and brute-force attacks.
4. Keep your account safe with 2FA options including TOTP apps, backup codes, and secure fallback methods.
5. Use built-in password rules to ensure only secure, uncompromised passwords are used.
6. Never miss a threat—Defender emails you security updates on your schedule.

== Installation ==

1. Upload the `wp-defender` plugin to your `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Configure and manage using the `defender` menu item in the WordPress dashboard.
4. Done!

== Changelog ==

= 6.0.1 ( 2026-07-08 ) =

- Fix: Resolved a fatal error caused by legacy null date values

= 6.0.0 ( 2026-07-07 ) =

- New: Reimagined Defender interface for a seamless, clutter-free optimization experience
- New: Comprehensive Activity Log to track scans, optimizations, and configuration changes in real time
- Enhancement: Transitioned to real-time Auto-save for all settings to provide a frictionless workflow
- Fix: Minor code improvements and performance refinements

= 5.11.0 ( 2026-03-31 ) =

- Enhancement: Improvements to Audit Logging in both API and plugin
- Enhancement: Compatibility with WordPress 7.0
- Enhancement: Improve compliance with wp.org guidelines throughout the plugin
- Enhancement: Submit button activates without radio button selection on Deactivate modal
- Fix: Error when Uninstall plugin settings are set to Delete value
- Fix: Console error when saving User Agent Banning changes
- Fix: Deprecated function warnings on PHP 8.5.X

= 5.10.0 ( 2026-02-26 ) =

- Enhancement: Improve AntiBot Stats endpoint
- Enhancement: Improve handling of response data in the Audit API
- Enhancement: Update malware signatures
- Enhancement: Improve suspicious issue view on the Malware Scanning page
- Enhancement: Include selected presets in the User Agent blocklist during export
- Fix: Error when filtering the Firewall logs
- Fix: Error when switching languages with WPML while Bot Trap is enabled
- Fix: Strong Passwords do not work when Mask Login URL is enabled
- Fix: Colored elements appear on Defender admin pages when High Contrast Mode is enabled
- Fix: Exported Firewall logs do not follow the selected sort order

= 5.9.0 ( 2026-01-27 ) =

- New: WooCommerce and BuddyPress integrations in Cloudflare Turnstile
- Enhancement: Compatibility with PHP 8.4
- Enhancement: Update malware signatures
- Enhancement: Update ALTCHA functionality
- Enhancement: Improve plugin code style using PHPStan
- Enhancement: Refactor CAPTCHA file structure
- Enhancement: Add Thinkbot user agent to Blocklist Presets
- Enhancement: Display the readme file on the Malware Scanning page after it is renamed
- Enhancement: Add new "Outdated and closed plugin" key to the config structure
- Fix: Prevent audit logs from being created when updating a user profile without changes
- Fix: Backslash character in salt generator can break the site
- Fix: Update copy for Mask URL block page
- Fix: Hide Settings > General > "More info" link when Whitelabel is enabled
- Fix: Inconsistent validation in CAPTCHA when the Preview test is not passed
- Fix: IP address and event type filters not working in the audit log export file
- Fix: Masked Login URL slug validation after activation

= 5.8.1 ( 2026-01-12 ) =

- Enhancement: Miscellaneous improvements

= 5.8.0 ( 2025-12-24 ) =

- New: Detect suspicious code in JavaScript files during Malware Scanning
- Enhancement: Prevent false lockouts when requests contain mixed Facebook/Twitterbot user agents
- Enhancement: Update Axios and form-data package versions
- Enhancement: Update malware signatures
- Enhancement: Split Bulk checkboxes between tabs on Malware Scanning page
- Enhancement: Display Disconnect Site button on Defender’s general settings screen
- Enhancement: Improve plugin code style using PHPStan
- Enhancement: Improve UI for background Malware Scanning
- Enhancement: Restore reCAPTCHA class alias for backward compatibility
- Enhancement: Add new audit logging events
- Enhancement: Migrate notification events to the centralized Cron Manager
- Enhancement: Migrate common plugin events to the centralized Cron Manager
- Fix: Update .htaccess rules for LiteSpeed servers
- Fix: Duplicate user agent records in robots.txt
- Fix: Extra space and hidden Google reCAPTCHA field shown on multisite registration page
- Fix: Duplicates of Ignored Scan issues
- Fix: Deprecation warnings from the thecodingmachine/safe package in PHP 8.4
- Fix: Quarantine activation link does not work in the free version
- Fix: Incorrect "Configure" button flow in the Firewall widget on the Dashboard
- Fix: UI improvements

[Changelog for previous versions](https://wpmudev.com/project/wp-defender/#view-changelog).

== Upgrade Notice ==

== About Us ==
WPMU DEV is a premium supplier of quality WordPress plugins and themes. For premium support with any WordPress-related issues you can join us here:
[https://wpmudev.com/](https://wpmudev.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=wpmu_dev_link)

Don't forget to stay up to date on everything WordPress from the Internet's number one resource:
[WPMU DEV Blog](https://wpmudev.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=defender-readme&utm_content=wpmu_dev_blog_link)

Hey, one more thing... we hope you [enjoy our free offerings](http://profiles.wordpress.org/WPMUDEV/) as much as we've loved making them for you!
