描述
MJP Security Tools is a focused hardening plugin that does four things well:
- XSS Database Scanner — scans every table for
<script>,<iframe>,onclick,javascript:and other injection patterns - POST Request Log — records all POST data (passwords masked) with IP, user agent, and URL for CSRF/audit detection
- Failed Login Log — tracks every failed login attempt with username, IP, and timestamp
- File Permission Checker — verifies WordPress root files and directories have safe permissions, checks for missing
index.htmlfiles and SVN working copies
What this plugin does NOT do (because WordPress core already handles it):
- SSL enforcement — use
FORCE_SSL_ADMINor let WordPress 5.7+ auto-redirect - Password strength — WordPress core enforces strong passwords since 4.3
- Login rate limiting — use a dedicated plugin like Limit Login Attempts Reloaded
- Version number hiding — marginal benefit, not worth the complexity
Upgrading from v1.x:
- The admin page has moved from jQuery UI tabs to native WordPress nav tabs
- SSL forcing, password enforcement, login throttling, version hiding, admin username changing, database prefix randomization, password reset, and .htaccess generation have been removed — WordPress core and dedicated security plugins handle these better
- PHP sessions replaced with WP transients for flash messages
- Log data is now stored as JSON instead of serialized PHP
- The Javacrypt client-side crypt(3) script has been removed
安装
- Upload the
mjp-security-pluginfolder to/wp-content/plugins/ - Activate through the Plugins menu
- Go to Tools > MJP Security Tools
常见问题
-
What happened to all the other features?
-
WordPress 6.x handles SSL, password strength, and many security basics natively. Rather than duplicating core functionality, v2.0.0 focuses on the four features that WordPress does NOT provide out of the box: XSS scanning, POST logging, failed login logging, and file permission checking.
-
Is this a replacement for Wordfence/iThemes?
-
No — those are comprehensive security suites. MJP Security Tools is a lightweight auditing companion that provides specific database scanning and logging features.
评价
此插件暂无评价。
贡献者及开发者
更新日志
2.0.0
- Rewrite: focused on 4 core features — XSS scanner, POST log, failed login log, file permissions
- Removed: SSL forcing, password enforcement, login throttling, version hiding (handled by WP core)
- Removed: Admin username changer, DB prefix randomizer, password reset all users, .htaccess generator
- Removed: jQuery UI 1.8.10 dependency and Javacrypt crypt(3) JavaScript (~500 lines)
- Removed: PHP sessions — uses WP transients for flash messages
- New: Native WordPress nav-tab interface (no jQuery UI)
- New: Dedicated CSS/JS assets instead of inline styles and CDN links
- New: Clear log buttons for POST and failed login logs
- New: Log data stored as JSON instead of serialized PHP
- New: File permission scan limited to 2 levels deep (prevents timeout on large installs)
- Fixed: HTML parse error in admin template (missing
>on div tag) - Fixed: Admin page uses dedicated slug instead of
__FILE__ - Changed: Requires WordPress 6.0+
1.2.1
- Fixed PHP 8.1 deprecation: get_option() returning false passed to substr()
1.2.0
- PHP 8.x compatibility fixes
- Replaced deprecated functions and constants
- Tested with WP 6.9.1
1.1
- Tested in WP 3.3.2
1.0
- First Release