New: an optional Request Firewall (8G-inspired PHP filter) that blocks malicious requests - off by default, starts in monitor mode (logs without blocking), admins never filtered. Plus a first-run onboarding wizard with a one-click safe baseline. All opt-in; existing sites unchanged.<\/p>","2.3.0":"
Account-security release: Password Policy (length\/complexity + reject breached passwords via privacy-preserving HIBP), Session Management (idle timeout, max lifetime, single session), and opt-in IP Geolocation. All off by default; nothing changes until you enable it.<\/p>","2.2.0":"
New: the AI Security Briefing turns your last 30 days of activity into a plain-language verdict, an IP picture and prioritised actions, on top of a deterministic facts snapshot. Built on the WordPress 7 native AI Client - uses your own connector, no API key stored, runs on click.<\/p>","2.1.26":"
Fixes email\/backup 2FA bouncing to "session expired" on browsers that don't return the verification cookie on submit (some Chrome setups; Firefox worked). The form now also carries the session token, so login works regardless. Recommended if Email 2FA is enabled. Security unchanged.<\/p>","2.1.25":"
Fixes email\/backup two-factor verification being rejected ("session expired") in some browsers, notably Chrome, while Firefox worked. The form is now uncached and authenticated by the signed same-site cookie. Recommended if Email 2FA is enabled.<\/p>","2.1.24":"
Fixes a fatal error (HTTP 500 \/ "network error") during authenticator-app (TOTP) setup on hosts whose wp-config.php does not define AUTH_KEY, such as some Infomaniak installs. Recommended if Two-Factor is enabled. Existing setups are unaffected.<\/p>","2.1.23":"
Fixes the two-factor login screen: the "use a different method" links now work (and email a fresh code when switching to Email), expired\/locked sessions explain themselves, and the authenticator-setup button reports errors. Recommended for 2FA users.<\/p>","2.1.22":"
Fixes a Security Score that under-counted active modules: Brute Force and Detection (on by default) are now scored correctly, so the header, the score number and the module list agree. Display and scoring only \u2014 recommended for all installs.<\/p>","2.1.21":"
Cosmetic patch: cleaner user-agent labels in the Events table \u2014 Jetpack\/WordPress.com clients are recognised, and long agents are trimmed at a word boundary with an ellipsis instead of a chopped-off string with a dangling parenthesis.<\/p>","2.1.20":"
Migration-friendly integrity: a security-key change now shows an amber "Keys changed" advisory with one-click chain re-baseline instead of a false "TAMPERED" alarm. Adds an XML-RPC blind-spot warning when Hide Login is on but XML-RPC stays open. Completes the French translation.<\/p>","2.1.19":"
Clearer attack-type labels + descriptions on incidents, French translation of the visible admin tabs, translatable toast notifications, and a fix for the Activity Log integrity badge staying "UNVERIFIED" after a successful verify. Recommended for all installs.<\/p>","2.1.18":"
Patch. Fixes "Select all" \/ bulk actions when incidents are all resolved (checkboxes now on every card) and only labels the attack vector for XML-RPC\/REST (no more misleading "via login form"). Recommended for 2.1.17 users.<\/p>","2.1.17":"
Feature release. Incidents now show the attack vector (XML-RPC \/ REST \/ login form) \u2014 spot which attempts bypass your hidden login URL \u2014 plus bulk mark-resolved\/ignore. Adds a vector column to the incidents table (auto migration). Recommended for all installs.<\/p>","2.1.16":"
Bug fix release from an external audit. Fixes plain-permalinks compat (Hide Login URL, REST API allowlist), restores activity-log coverage for 2FA, frontend registration and password reset, and extends Honeypot to WooCommerce + frontend login forms. Recommended for all installs.<\/p>","2.1.15":"
Fixes a fatal TypeError when third-party plugins (e.g. WP Fastest Cache) call WordPress URL builders with off-contract argument types. Strict parameter hints relaxed on seven callbacks; return types unchanged. Neutral on canonical WP calls.<\/p>","2.1.14":"
Bug fix. The prevent_author_enum hardening toggle no longer blocks the legitimate ?author=N filter in wp-admin Posts\/Pages lists ("All \/ Mine \/ " links). Public enumeration block unchanged. Three-line fix.<\/p>","2.1.13":"
Bug fix. Silent 2FA failure on installs with permalink_structure without trailing slash (e.g. \/%postname%) \u2014 the verify cookie path mismatched the request path after handle_loaded's normalisation. Fixed cookie path to omit trailing slash. Neutral on trailing-slash installs.<\/p>","2.1.12":"
Bug fix. Hide Login rendered without CSS when both apex and www routed to the same WP (shared hosting). Two fixes: canonical-host 301 in Hide Login + host-aware CSP in Login Page Security Headers. Neutral on single-host installs. New filter login_armor_canonical_host_redirect for opt-out.<\/p>","2.1.11":"
Bug fix for multisite + domain mapping: the Hide Login URL is now host-aware (picks home_url or site_url from HTTP_HOST), fixing a 2.1.9 regression where mapped subsites redirected to \/wp-admin\/ (404). Standard and headless installs keep working.<\/p>","2.1.10":"
Cosmetic fix. The 404 page served when an anonymous visitor hits Bug fix. Hide Login now builds the rewritten login URL from Hygiene release after a full 2.1.7 audit. Three LOW fixes: the webhook stats query no longer warns on fresh installs, the lockout_window option is cleaned on uninstall, and five missing French translations were added. No end-user-visible change.<\/p>","2.1.7":" Preventive: hardens the Email 2FA enrollment flow. Failed Preventive release. Eliminates a latent V2.1.3-style fatal risk in the TwoFactor module. Finishes the uninstall.php cleanup (zero residual data). Surfaces Activity Log integrity coverage scope in admin UI. No new features, no DB migration.<\/p>","2.1.4":" Critical hotfix: 2.1.3 fatal-errored on every fresh install (Class "LoginArmor\\ActivityLog\\ActivityLog" not found). Sites with Activity Log already enabled were unaffected. Recommended for every install, urgent for new installs.<\/p>","2.1.3":" Critical hotfix: Hardening "Hide WP version" was stripping cache-buster from our own assets, so updates past 2.1.0 were invisible behind hosting CDNs (LiteSpeed LSADC, Cloudflare). Recommended for every install.<\/p>","2.1.2":" Critical hotfix: the Settings tab fatal-errored on every fresh install that had not yet enabled the Activity Log module (Class WebhookDispatcher not found). Recommended for every install.<\/p>","2.1.1":" Activity Log integrity: every row is HMAC-signed and chained, detects any tampering. Optional signed webhook forwarding (SIEM \/ Slack \/ Datadog \/ any HTTPS). New WP-CLI verify-chain. Bundles 6 hardening fixes. Migration automatic. Recommended for every install.<\/p>","2.1.0":" Security: 2FA pending token moved from URL query string to a signed HttpOnly + SameSite=Strict cookie. Closes URL-leak (browser history \/ Referer \/ access logs) and DB-leak (clear token no longer in wp_options). Recommended for every install with 2FA enabled.<\/p>","2.0.5":" Security audit pass: REST author-enum scope, optional HSTS, IPv6 subnet fix, 0.0.0.0 placeholder DoS skip, .htaccess admin-rules preservation. No regression. Recommended.<\/p>","2.0.4":" Real fix for the lockout 429 page on hosts with a public page cache (LiteSpeed Cache, WP Rocket, Cloudflare). Recommended after the 2.0.1-2.0.3 sequence.<\/p>","2.0.3":" Hotfix: HTTP\/2 stream termination on LiteSpeed\/LSAPI for the branded lockout page. Recommended.<\/p>","2.0.2":" Critical fix: 429 branded lockout page now reaches the browser. Recommended.<\/p>","2.0.1":" Branded 429 lockout page on the triggering attempt + Reset Stats UI + correct WP.org banner\/icon. Recommended.<\/p>","2.0.0":" First WordPress.org release of the V2 line. Eight independent security modules. Recommended.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":3},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3517031,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3517031,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3517031,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3517031,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.2","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.1.0","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18","2.1.19","2.1.2","2.1.21","2.1.22","2.1.23","2.1.25","2.1.26","2.1.3","2.1.4","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.3.0","2.4.0"],"block_files":[],"assets_screenshots":{"screenshot-1.gif":{"filename":"screenshot-1.gif","revision":3516680,"resolution":"1","location":"assets","locale":"","width":960,"height":648},"screenshot-10.png":{"filename":"screenshot-10.png","revision":3516680,"resolution":"10","location":"assets","locale":"","width":641,"height":732},"screenshot-11.png":{"filename":"screenshot-11.png","revision":3516680,"resolution":"11","location":"assets","locale":"","width":1043,"height":959},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3516680,"resolution":"2","location":"assets","locale":"","width":1366,"height":1063},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3516680,"resolution":"3","location":"assets","locale":"","width":1059,"height":635},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3516680,"resolution":"4","location":"assets","locale":"","width":1229,"height":1086},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3516680,"resolution":"5","location":"assets","locale":"","width":1062,"height":910},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3516680,"resolution":"6","location":"assets","locale":"","width":1389,"height":554},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3516680,"resolution":"7","location":"assets","locale":"","width":1359,"height":858},"screenshot-8.png":{"filename":"screenshot-8.png","revision":3516680,"resolution":"8","location":"assets","locale":"","width":1452,"height":807},"screenshot-9.png":{"filename":"screenshot-9.png","revision":3516680,"resolution":"9","location":"assets","locale":"","width":1052,"height":1022}},"screenshots":{"1":"Quick tour of all eight modules - Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard.","2":"Overview dashboard - health cards, security pulse, live event tail, threat banner that surfaces active attacks.","3":"Incidents - real-time pattern detection grouped by attack class with severity and one-click resolution.","4":"Incident drill-down - full timeline, user-agent fingerprint, suggested actions, escalation flag.","5":"Events - complete login attempts log with filters and CSV export.","6":"Activity Log - admin action audit trail across seven domains, filterable and exportable.","7":"Settings - modular configuration with live security score and a sticky save bar.","8":"Hide Login pre-activation modal - pick or generate the secret URL and email it to yourself before flipping the switch.","9":"Hardening - thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering.","10":"Two-factor authentication setup - QR code for any authenticator app, copy-paste fallback, and live verification.","11":"Breach Check - fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default."}},"plugin_section":[262246],"plugin_tags":[8531,2439,25642,4552,1229],"plugin_category":[],"plugin_contributors":[192025],"plugin_business_model":[],"class_list":["post-301525","plugin","type-plugin","status-publish","hentry","plugin_section-dashboard-widgets","plugin_tags-activity-log","plugin_tags-brute-force","plugin_tags-hide-login","plugin_tags-limit-login","plugin_tags-login-security","plugin_contributors-wpformation","plugin_committers-wpformation"],"banners":{"banner":"https:\/\/ps.w.org\/login-armor\/assets\/banner-772x250.png?rev=3517031","banner_2x":"https:\/\/ps.w.org\/login-armor\/assets\/banner-1544x500.png?rev=3517031","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/login-armor\/assets\/icon-128x128.png?rev=3517031","icon_2x":"https:\/\/ps.w.org\/login-armor\/assets\/icon-256x256.png?rev=3517031","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-1.gif?rev=3516680","caption":"Quick tour of all eight modules - Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-2.png?rev=3516680","caption":"Overview dashboard - health cards, security pulse, live event tail, threat banner that surfaces active attacks."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-3.png?rev=3516680","caption":"Incidents - real-time pattern detection grouped by attack class with severity and one-click resolution."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-4.png?rev=3516680","caption":"Incident drill-down - full timeline, user-agent fingerprint, suggested actions, escalation flag."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-5.png?rev=3516680","caption":"Events - complete login attempts log with filters and CSV export."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-6.png?rev=3516680","caption":"Activity Log - admin action audit trail across seven domains, filterable and exportable."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-7.png?rev=3516680","caption":"Settings - modular configuration with live security score and a sticky save bar."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-8.png?rev=3516680","caption":"Hide Login pre-activation modal - pick or generate the secret URL and email it to yourself before flipping the switch."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-9.png?rev=3516680","caption":"Hardening - thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-10.png?rev=3516680","caption":"Two-factor authentication setup - QR code for any authenticator app, copy-paste fallback, and live verification."},{"src":"https:\/\/ps.w.org\/login-armor\/assets\/screenshot-11.png?rev=3516680","caption":"Breach Check - fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default."}],"raw_content":"\n Twelve security modules. One lightweight plugin. Zero compromise.<\/strong><\/p>\n\n Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way.<\/p>\n\n Stop juggling Wordfence's bloat, Solid Security's upsells, and Limit Login Attempts' gaps \u2014 Login Armor delivers twelve independent modules in about one megabyte.<\/p>\n\n Built on the WordPress 7 native AI Client, one click turns your last thirty days of activity into a plain-language verdict, an IP picture and a short list of prioritised actions; \"Explain with AI\" does the same on a single incident. Minimised mode (anonymised signals) is the default and deep mode is an explicit opt-in. No API key is stored \u2014 it uses your own WordPress AI connector, so provider and cost stay yours. It always leads with a deterministic facts snapshot that works with or without AI.<\/p>\n\n GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies.<\/p>\n\n\n\n Douze modules de s\u00e9curit\u00e9. Une seule extension l\u00e9g\u00e8re. Z\u00e9ro compromis.<\/strong><\/p>\n\n Login Armor est une stack compl\u00e8te de s\u00e9curit\u00e9 WordPress con\u00e7ue pour les agences, les freelances et les pros qui livrent des sites pr\u00eats \u00e0 passer un audit. Pas de version premium, pas de tableau de bord marketing int\u00e9gr\u00e9, pas de t\u00e9l\u00e9m\u00e9trie. Chaque module tourne en local, embarque des r\u00e9glages par d\u00e9faut s\u00e9curis\u00e9s, et reste discret.<\/p>\n\n Fini de jongler entre la lourdeur de Wordfence, les fen\u00eatres d'upsell de Solid Security et les angles morts de Limit Login Attempts \u2014 Login Armor regroupe douze modules ind\u00e9pendants en environ un m\u00e9ga-octet.<\/p>\n\n B\u00e2ti sur le client IA natif de WordPress 7, un clic transforme vos trente derniers jours d'activit\u00e9 en un verdict en langage clair, un panorama des IP et une courte liste d'actions prioritaires ; \u00ab Expliquer avec l'IA \u00bb fait de m\u00eame sur un incident. Le mode minimis\u00e9 (signaux anonymis\u00e9s) est par d\u00e9faut, le mode approfondi est un opt-in explicite. Aucune cl\u00e9 API stock\u00e9e : il utilise votre propre connecteur IA WordPress, le co\u00fbt et le fournisseur restent les v\u00f4tres. Il s'ouvre toujours sur un instantan\u00e9 de faits d\u00e9terministes, utile avec ou sans IA.<\/p>\n\n Login Armor est con\u00e7u et maintenu par Fabrice Ducarme de WPFormation<\/a>, expert WordPress fran\u00e7ais obs\u00e9d\u00e9 par les sites propres, rapides et pr\u00eats pour l'audit. On l'utilise sur chaque site qu'on livre.<\/p>\n\n GPL pour toujours. PHP 8.1+. WordPress 6.8+. Z\u00e9ro d\u00e9pendance.<\/p>\n\n The AI Security Briefing and the \"Explain with AI\" incident analysis are powered by the WordPress 7 native AI Client<\/strong> ( Data sent: a text prompt describing the security situation. In minimised mode (the default)<\/strong>, only anonymised, non-identifying signals are included (counts, categories, severities, role buckets) - no IP address and no username in clear. In deep mode<\/strong> (an explicit, off-by-default opt-in), the prompt additionally includes real IP addresses and event details so the analysis can name specific sources. No data is ever sent unless the administrator clicks the analysis button.<\/p>\n\n This feature is inactive unless WordPress 7 (or the AI Building Blocks feature plugin) is present with a configured, approved AI connector. The applicable terms and privacy policy are those of the AI provider the administrator chose for their connector; please refer to that provider's documentation.<\/p>\n\n When explicitly enabled and configured by the administrator in LoginArmor > Settings > Notifications, the plugin sends incident data to third-party services via webhooks.<\/p>\n\n Data sent: incident type, severity level, IP address, target username, event count, and site URL.<\/p>\n\n No data is sent unless the administrator actively enables and configures a notification channel.<\/p>\n\n The Activity Log tab uses WordPress core's When the administrator explicitly enables the Breach Check<\/strong> module (LoginArmor > Settings > Breach …<\/p>\n\n\n For multisite: Network Activate the plugin to apply it across all sites.<\/p>\n\n If you forget your custom login URL:<\/p>\n\n No. Hide Login always sends a one-time recovery URL to the admin email. If you lose the slug, check your inbox. The plugin also honors No. Everything is lazy-loaded and indexed. On a normal login flow the extra SQL cost is under 2 ms.<\/p><\/dd>\n Yes. IP detection honors trusted Yes, subdomain and subfolder. Each site has its own modules, logs, and thresholds.<\/p><\/dd>\n Yes, but disable overlapping modules on one side to avoid double lockouts.<\/p><\/dd>\n Three custom tables in your own database: events, incidents, activity. Nothing leaves your server.<\/p><\/dd>\n Settings are plain WordPress options. Export\/import via WP-CLI or any standard options-sync tool.<\/p><\/dd>\n Not currently. LoginArmor is fully free and open source. GPL forever.<\/p><\/dd>\n\/wp-admin\/<\/code> with Hide Login enabled now renders as a proper WordPress 404 (body class error404<\/code>, SEO noindex<\/code> meta, theme 404 template) instead of a half-bootstrapped page. No security or functional change.<\/p>","2.1.9":"site_url()<\/code> (matching wp_login_url()<\/code> in WP core) instead of home_url()<\/code>. Fixes silent breakage on multisite headless, WordPress in subdirectory, and reverse-proxy installs. Neutral on standard installs.<\/p>","2.1.8":"wp_mail()<\/code> no longer leaves a half-committed 2FA state, and a new pre-activation modal forces a real test email + a safety-net check before the user can lock themselves out. Recommended for every install where Email-based 2FA is enabled.<\/p>","2.1.6":"New in 2.4.0<\/h4>\n\n
\n
Why Login Armor<\/h4>\n\n
\n
Twelve independent modules<\/h4>\n\n
\n
AI Security Briefing (optional)<\/h4>\n\n
Plus<\/h4>\n\n
\n
Nouveau en 2.4.0<\/h4>\n\n
\n
Pourquoi Login Armor<\/h4>\n\n
\n
Douze modules ind\u00e9pendants<\/h4>\n\n
\n
Briefing de s\u00e9curit\u00e9 IA (optionnel)<\/h4>\n\n
En plus<\/h4>\n\n
\n
Con\u00e7u par<\/h4>\n\n
\n
External Services<\/h3>\n\n
AI Security Briefing (optional)<\/h4>\n\n
wp_ai_client_prompt()<\/code>). When the administrator clicks the analysis button, LoginArmor asks WordPress to send a prompt to the AI connector that the administrator configured in their own WordPress<\/strong> (for example OpenAI, Anthropic or Google, depending on the connector). LoginArmor itself stores no API key and contacts no endpoint directly: the request, the provider and the cost are owned by the site's own AI connector.<\/p>\n\nWebhook Notifications (optional)<\/h4>\n\n
\n
Gravatar (Automattic)<\/h4>\n\n
get_avatar()<\/code> function to display user avatars. WordPress may send a hashed email address to Gravatar<\/a> servers to retrieve avatar images. This is controlled by Settings > Discussion > Avatars.<\/p>\n\n\n
Breach Check - Have I Been Pwned (optional)<\/h4>\n\n
\n
login-armor<\/code> directory to \/wp-content\/plugins\/<\/code><\/li>\nSetting up Hide Login<\/h4>\n\n
\n
my-login<\/code>)<\/li>\nRecovering access<\/h4>\n\n
\n
login_armor_hide_slug<\/code> row from the wp_options<\/code> table<\/li>\nwp option delete login_armor_hide_slug<\/code><\/li>\n<\/ul>\n\n\n\n
Will it lock me out of my own site?<\/h3><\/dt>\n
wp-cli<\/code> fallback so you can reset anything from SSH.<\/p><\/dd>\nDoes it slow my site down?<\/h3><\/dt>\n
Is it compatible with Cloudflare \/ reverse proxies?<\/h3><\/dt>\n
X-Forwarded-For<\/code> headers; you pick the header in Settings.<\/p><\/dd>\nDoes it work with multisite?<\/h3><\/dt>\n
Can I use LoginArmor alongside Wordfence \/ iThemes Security \/ Solid Security?<\/h3><\/dt>\n
Where is the data stored?<\/h3><\/dt>\n
How do I migrate my configuration?<\/h3><\/dt>\n
Is there a pro version?<\/h3><\/dt>\n
Where can I report bugs or request features?<\/h3><\/dt>\n