New instant settings search, cleaner Security Audit popup with whitelist\/blacklist badges, database backup counter shows total size. Server Protection moved from the Firewall tab to Security Headers. Existing settings are migrated automatically. Full version history now lives in changelog.txt<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":8},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3482619,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3482619,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500-es.jpg":{"filename":"banner-1544x500-es.jpg","revision":3482692,"resolution":"1544x500","location":"assets","locale":"es"},"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3482619,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250-es.jpg":{"filename":"banner-772x250-es.jpg","revision":3482692,"resolution":"772x250","location":"assets","locale":"es"},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3482619,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{"blueprint.json":{"filename":"blueprint.json","revision":3510828,"resolution":false,"location":"assets","locale":"","contents":"{\"$schema\":\"https:\\\/\\\/playground.wordpress.net\\\/blueprint-schema.json\",\"preferredVersions\":{\"php\":\"latest\",\"wp\":\"latest\"},\"phpExtensionBundles\":[\"kitchen-sink\"],\"features\":{\"networking\":true},\"steps\":[{\"step\":\"login\",\"username\":\"admin\",\"password\":\"password\"},{\"step\":\"installPlugin\",\"pluginData\":{\"resource\":\"wordpress.org\\\/plugins\",\"slug\":\"vigilante\"},\"options\":{\"activate\":true}}],\"landingPage\":\"\\\/wp-admin\\\/plugins.php\"}"}},"all_blocks":[],"tagged_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.1.1","1.10.0","1.10.1","1.11.0","1.11.1","1.12.0","1.12.1","1.12.2","1.13.0","1.13.1","1.14.0","1.14.1","1.2.0","1.2.1","1.2.2","1.2.3","1.3.0","1.3.1","1.3.2","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.6.0","1.6.1","1.7.0","1.7.1","1.7.2","1.8.0","1.9.0","2.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1-es.jpg":{"filename":"screenshot-1-es.jpg","revision":3462521,"resolution":"1","location":"assets","locale":"es"},"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3462521,"resolution":"1","location":"assets","locale":""},"screenshot-2-es.jpg":{"filename":"screenshot-2-es.jpg","revision":3459795,"resolution":"2","location":"assets","locale":"es"},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3459795,"resolution":"2","location":"assets","locale":""},"screenshot-3-es.jpg":{"filename":"screenshot-3-es.jpg","revision":3459795,"resolution":"3","location":"assets","locale":"es"},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3459795,"resolution":"3","location":"assets","locale":""},"screenshot-4-es.jpg":{"filename":"screenshot-4-es.jpg","revision":3459795,"resolution":"4","location":"assets","locale":"es"},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3459795,"resolution":"4","location":"assets","locale":""},"screenshot-5-es.jpg":{"filename":"screenshot-5-es.jpg","revision":3459795,"resolution":"5","location":"assets","locale":"es"},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3459795,"resolution":"5","location":"assets","locale":""},"screenshot-6-es.jpg":{"filename":"screenshot-6-es.jpg","revision":3459795,"resolution":"6","location":"assets","locale":"es"},"screenshot-6.jpg":{"filename":"screenshot-6.jpg","revision":3459795,"resolution":"6","location":"assets","locale":""},"screenshot-7-es.jpg":{"filename":"screenshot-7-es.jpg","revision":3460226,"resolution":"7","location":"assets","locale":"es"},"screenshot-7.jpg":{"filename":"screenshot-7.jpg","revision":3460038,"resolution":"7","location":"assets","locale":""},"screenshot-8-es.jpg":{"filename":"screenshot-8-es.jpg","revision":3459795,"resolution":"8","location":"assets","locale":"es"},"screenshot-8.jpg":{"filename":"screenshot-8.jpg","revision":3459795,"resolution":"8","location":"assets","locale":""}},"screenshots":{"1":"Security Dashboard - Security score, module controls, and preset selection","2":"Two-Factor Authentication - Second verification step during login","3":"Login Security - Brute force protection, 2FA, lockouts, and custom login URL","4":"User Security - Complete user protection tools and settings","5":"Password Expiration - Force periodic password changes with history","6":"Registration Approval and Session Limits - Control new users and concurrent logins","7":"File Integrity - Scanner settings and verification results","8":"Security Audit - Filterable event viewer with export option","9":"Database Backup - Download full or partial database backups with table selection"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[9211,1174,1184,6464,600],"plugin_category":[38,54],"plugin_contributors":[245779,133550],"plugin_business_model":[],"class_list":["post-280110","plugin","type-plugin","status-publish","hentry","plugin_tags-2fa","plugin_tags-firewall","plugin_tags-malware","plugin_tags-scanner","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-ayudawp","plugin_contributors-fernandot","plugin_committers-ayudawp","plugin_committers-fernandot","plugin_support_reps-ayudawp"],"banners":{"banner":"https:\/\/ps.w.org\/vigilante\/assets\/banner-772x250.jpg?rev=3482619","banner_2x":"https:\/\/ps.w.org\/vigilante\/assets\/banner-1544x500.jpg?rev=3482619","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/vigilante\/assets\/icon-128x128.png?rev=3482619","icon_2x":"https:\/\/ps.w.org\/vigilante\/assets\/icon-256x256.png?rev=3482619","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-1.jpg?rev=3462521","caption":"Security Dashboard - Security score, module controls, and preset selection"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-2.jpg?rev=3459795","caption":"Two-Factor Authentication - Second verification step during login"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-3.jpg?rev=3459795","caption":"Login Security - Brute force protection, 2FA, lockouts, and custom login URL"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-4.jpg?rev=3459795","caption":"User Security - Complete user protection tools and settings"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-5.jpg?rev=3459795","caption":"Password Expiration - Force periodic password changes with history"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-6.jpg?rev=3459795","caption":"Registration Approval and Session Limits - Control new users and concurrent logins"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-7.jpg?rev=3460038","caption":"File Integrity - Scanner settings and verification results"},{"src":"https:\/\/ps.w.org\/vigilante\/assets\/screenshot-8.jpg?rev=3459795","caption":"Security Audit - Filterable event viewer with export option"}],"raw_content":"\n
Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.<\/p>\n\n
Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, malware detection, user management, security audit logging, under attack mode and much more.<\/p>\n\n
Once activated, Vigilant immediately applies essential security measures:<\/p>\n\n
Choose a preset and get protected instantly:<\/p>\n\n
Standard<\/strong> - Balanced security suitable for most websites. Enables all modules with sensible defaults that won't interfere with normal site operation.<\/p>\n\n Maximum Security<\/strong> - Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.<\/p>\n\n You can always customize individual settings after applying a preset.<\/p>\n\n Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:<\/p>\n\n Under Attack mode works independently from your preset configuration. Your regular security settings are preserved and restored when the mode deactivates.<\/p>\n\n Two-Factor Authentication (2FA)<\/strong><\/p>\n\n Add a second verification step to your WordPress login. Choose the method that works best for your team:<\/p>\n\n Firewall Protection<\/strong><\/p>\n\n Block malicious requests before they reach WordPress:<\/p>\n\n Login Security<\/strong><\/p>\n\n Stop unauthorized access attempts:<\/p>\n\n User Security<\/strong><\/p>\n\n Comprehensive user account protection:<\/p>\n\n Security Headers<\/strong><\/p>\n\n Achieve Grade A security ratings:<\/p>\n\n File Integrity Monitoring<\/strong><\/p>\n\n Detect unauthorized changes to your files:<\/p>\n\n Security Audit<\/strong><\/p>\n\n Track everything happening on your site:<\/p>\n\n WordPress Hardening<\/strong><\/p>\n\n Additional security measures:<\/p>\n\n REST API Security<\/strong><\/p>\n\n Control API access to your site:<\/p>\n\n Utilities included:<\/p>\n\n Automatic Backup System<\/strong><\/p>\n\n Your existing .htaccess, wp-config.php, and robots.txt are automatically backed up before any modifications. Backups include integrity verification (MD5 checksums) and are stored safely in wp-content\/vigilante-backups\/, persisting through plugin updates.<\/p>\n\n Clean Rollback<\/strong><\/p>\n\n When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.<\/p>\n\n Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront \u2014 no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, security audit, and more. All free, all maintained, all following WordPress coding standards.<\/p>\n\n If your current security plugin asks you to pay for features that should be basic, take a look at what Vigilant offers out of the box.<\/p>\n\n We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each plugin offers in its free version and where Vigilant fills the gaps.<\/p>\n\n → View the full comparison<\/a><\/p>\n\n Need help or have suggestions?<\/p>\n\n Love the plugin? Please leave us a 5-star review and help spread the word!<\/p>\n\n We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.<\/p>\n\n\n Requirements:<\/strong><\/p>\n\n No. Vigilant is optimized for performance. The firewall uses efficient pattern matching, database queries are cached with transients, and .htaccess rules execute at server level before PHP even loads.<\/p><\/dd>\n Vigilant immediately creates a backup of your existing .htaccess and wp-config.php files, then applies default security settings. All modules are enabled with balanced defaults suitable for most sites.<\/p><\/dd>\n All security modifications are automatically reverted. The .htaccess rules are removed, wp-config.php constants are restored to their original values, and scheduled tasks are cleared. Your site returns to its pre-Vigilant state.<\/p><\/dd>\n Vigilant supports two 2FA methods. With the authenticator app<\/strong> (TOTP), you scan a QR code in your profile to link an app like Google Authenticator or Authy, then enter a 6-digit code from the app on every login. With email codes<\/strong>, you receive a one-time code via email after entering your password. If enabled by the site administrator, you can mark your device as trusted to skip 2FA for 30 days.<\/p><\/dd>\n When you set up TOTP, Vigilant generates 10 backup codes. You can use any of them as a one-time replacement for the authenticator code. If you run out of backup codes, an administrator can reset your TOTP from the plugin settings.<\/p><\/dd>\n Check your spam folder first. You can click \"Resend code\" on the verification form. Codes expire after 10 minutes by default. If issues persist, an administrator can temporarily disable 2FA from the plugin settings.<\/p><\/dd>\n Yes. Go to Login Security > Two-Factor Authentication and change the verification method. If notifications are enabled, affected users will receive an email explaining the new method and how to set it up.<\/p><\/dd>\n By default, 2FA is enforced for administrators and editors. You can customize which roles require 2FA in the Login Security settings, and exclude specific users individually.<\/p><\/dd>\n Access your site via FTP\/SFTP and either rename the plugin folder to disable it temporarily, or delete the The firewall is configured to allow normal WordPress operations, including the block editor, REST API, and popular page builders. If you experience issues, you can whitelist specific IPs or adjust rate limiting thresholds.<\/p><\/dd>\n While Vigilant works standalone, running multiple security plugins can cause conflicts. We recommend testing in a staging environment first if you need to combine security solutions.<\/p><\/dd>\n Yes. Vigilant is compatible with popular caching plugins. The firewall runs before cache layers, and .htaccess rules don't interfere with caching mechanisms.<\/p><\/dd>\n Yes. Vigilant includes compatibility settings for WooCommerce. The REST API security module automatically allows WooCommerce endpoints, and the firewall won't block payment gateway connections.<\/p><\/dd>\n Use the built-in header testing tool in the Security Headers tab, or visit securityheaders.com with your site URL to get a security grade.<\/p><\/dd>\n You can require users to change their passwords after a set number of days (30, 60, 90, etc.). Users receive warnings before expiration and are forced to change their password on next login when it expires. Password history prevents reusing recent passwords.<\/p><\/dd>\n When enabled, new user registrations require manual approval by an administrator before the account becomes active. Pending users cannot log in until approved. You can configure auto-rejection after a set number of days.<\/p><\/dd>\n New users must verify their email address by clicking a link before their account becomes active. This prevents fake registrations and ensures valid contact information.<\/p><\/dd>\n You can limit how many concurrent sessions each user can have. When the limit is reached, either the new login is blocked or the oldest session is terminated, depending on your configuration.<\/p><\/dd>\n Yes. The security audit log can be exported to CSV format for external analysis or compliance reporting. You can also filter logs by event type, user, or date range before exporting.<\/p><\/dd>\n The scanner compares WordPress core files, plugin files, and theme files against official checksums from WordPress.org. Plugins and themes without available checksums are also scanned using strict obfuscation pattern detection. The uploads directory is scanned for PHP files, double extensions, and .htaccess files. Extra PHP files not present in original distributions are detected and, if they contain suspicious code, automatically flagged as suspicious.<\/p><\/dd>\n You can configure automatic scans to run daily or weekly. You can also run manual scans at any time. Email notifications support three levels: all issues, suspicious files only, or disabled.<\/p><\/dd>\n Standard applies balanced settings suitable for most sites. Maximum applies stricter rules: lower rate limits, tighter CSP policies, required admin notifications, session limits, and more aggressive hardening. Maximum may require adjustments for sites with complex functionality.<\/p><\/dd>\n Backups are stored in wp-content\/vigilante-backups\/. This location persists through plugin updates. The directory is protected with .htaccess rules to prevent direct access.<\/p><\/dd>\n Under Attack mode is an emergency feature you can activate when your site is experiencing an active attack. It adds a JavaScript challenge that real browsers solve automatically in a few seconds, while bots and automated scripts are blocked completely. It also applies aggressive rate limiting, blocks restricted HTTP methods, and restricts API access.<\/p><\/dd>\n No. Logged-in users, admin pages, cron jobs, AJAX requests, and the login page are all excluded from the JavaScript challenge. Only unauthenticated frontend visitors see the verification page.<\/p><\/dd>\n It automatically deactivates after 4 hours. You will also receive an email notification when it activates and deactivates.<\/p><\/dd>\n No. It operates independently from your preset configuration (Standard or Maximum). Your regular settings are untouched and continue working normally after Under Attack mode deactivates.<\/p><\/dd>\n Go to Vigilant > Tools > Database Backup. Select which tables to include (or leave all selected), then click Download. The backup is generated as a ZIP file containing a SQL dump. No files are stored on the server.<\/p><\/dd>\n WordPress uses wp_ as default table prefix. Changing it to a random prefix adds a layer of protection against SQL injection attacks that target default table names. Go to Vigilant > WP Hardening > Database Hardening. Always create a backup before changing the prefix.<\/p><\/dd>\n Go to Vigilant > Firewall > User-Agent Lists and add the service name (e.g., ManageWP, MainWP, UptimeRobot) to the User-Agent Whitelist. Partial matching is used, so entering \"ManageWP\" will match any User-Agent string containing that keyword.<\/p><\/dd>\n Yes. Go to Vigilant > Settings & Tools > Notification settings. You can add additional email recipients (one per line) and optionally uncheck the WordPress admin email. This is useful for maintenance professionals managing multiple sites who need to receive all security alerts.<\/p><\/dd>\n Yes. Use the Under Attack Mode<\/h3>\n\n
\n
Core Security Features<\/h3>\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Security Tools<\/h3>\n\n
\n
Safe by Design<\/h3>\n\n
Why choose Vigilant?<\/h3>\n\n
How does Vigilant compare?<\/h3>\n\n
Support<\/h3>\n\n
\n
About AyudaWP<\/h3>\n\n
\n
\/wp-content\/plugins\/vigilante\/<\/code> or install directly from the WordPress plugin repository<\/li>\n\n
\n
Will this plugin slow down my site?<\/h3><\/dt>\n
What happens when I activate the plugin?<\/h3><\/dt>\n
What happens when I deactivate the plugin?<\/h3><\/dt>\n
How does two-factor authentication work?<\/h3><\/dt>\n
What if I lose my phone or authenticator app?<\/h3><\/dt>\n
What if I don't receive the 2FA email code?<\/h3><\/dt>\n
Can I switch between email and authenticator app?<\/h3><\/dt>\n
Which user roles require 2FA?<\/h3><\/dt>\n
How do I recover if I'm locked out?<\/h3><\/dt>\n
vigilante_login_attempts<\/code> table rows for your IP address in the database.<\/p><\/dd>\nWill the firewall block legitimate users?<\/h3><\/dt>\n
Can I use this with other security plugins?<\/h3><\/dt>\n
Does this work with caching plugins?<\/h3><\/dt>\n
Does this work with WooCommerce?<\/h3><\/dt>\n
How do I test my security headers?<\/h3><\/dt>\n
What is password expiration?<\/h3><\/dt>\n
What is registration approval?<\/h3><\/dt>\n
What does email verification do?<\/h3><\/dt>\n
How do session limits work?<\/h3><\/dt>\n
Can I export the security audit log?<\/h3><\/dt>\n
What files does the integrity scanner check?<\/h3><\/dt>\n
How often does the file integrity scan run?<\/h3><\/dt>\n
What is the difference between Standard and Maximum presets?<\/h3><\/dt>\n
Where are backups stored?<\/h3><\/dt>\n
What is Under Attack mode?<\/h3><\/dt>\n
Will Under Attack mode affect my logged-in users?<\/h3><\/dt>\n
What if I forget to turn off Under Attack mode?<\/h3><\/dt>\n
Does Under Attack mode change my regular security settings?<\/h3><\/dt>\n
How does the database backup work?<\/h3><\/dt>\n
What does changing the database prefix do?<\/h3><\/dt>\n
How do I exclude management services like ManageWP from the firewall?<\/h3><\/dt>\n
Can I send security notifications to someone other than the site admin?<\/h3><\/dt>\n
Can I customize notification recipients programmatically?<\/h3><\/dt>\n
vigilante_notification_recipients<\/code> filter. It receives and returns an array of email addresses used for all administrative notifications:<\/p>\n\nadd_filter( 'vigilante_notification_recipients', function( $recipients ) {\n $recipients[] = 'security-team@example.com';\n return $recipients;\n} );\n<\/code><\/pre><\/dd>\n\n<\/dl>\n\n\n2.0.0<\/h4>\n\n
\n