Vigilant – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…

Changelog

1.5.1

  • Improved: Plugin rebranded to “Vigilant” for better international naming
  • Improved: New brand icon and banners

1.5.0

  • New: Authenticator app (TOTP) two-factor authentication – RFC 6238 compliant
  • New: Method selector – choose between email codes or authenticator app per site
  • New: QR code setup in user profile with verification step
  • New: Backup codes for TOTP – 10 emergency codes generated on setup
  • New: Grace period for TOTP setup (configurable 0-30 days)
  • New: Admin TOTP reset tool – search and reset users who lost authenticator access
  • New: Grace period dashboard notice reminding users to set up their authenticator app
  • New: Dedicated TOTP database table with encrypted secrets (AES-256-CBC)
  • New: HTML styled emails for verification codes and activation notifications
  • New: Admin password change alert in user security monitoring
  • New: Login URL change notification with auto-send and manual button
  • New: 2FA settings UI with visual method selector cards
  • Fix: Admin login notification now fires for all administrator logins
  • Fix: Plugin deactivation email was never sent
  • Improved: File integrity scan patterns stored externally for better hosting compatibility

1.4.2

  • Improved: Pagination for activity log (server-side, 20 items per page with AJAX navigation)
  • Improved: Pagination for file integrity scan results (suspicious, extra, and modified files)
  • Improved: Pagination for ignored files, blocked IPs, and active sessions lists
  • Improved: All paginated tables show item count and range indicator, with navigation arrows when needed
  • Improved: Pagination updates dynamically when items are removed (ignore file, unblock IP, revoke session)

1.4.1

  • Improved: All firewall block messages are now fully translatable (46 strings added to translation system)
  • Improved: Session limits default behavior changed to “Close oldest session” (recommended) instead of “Block new login”
  • Improved: Default WordPress memory limit increased to 1024 MB
  • Added: 2048 MB option for WordPress memory limit

1.4.0

  • New: Email notification levels – choose between all issues, suspicious only, or disabled
  • New: Excluded file extensions setting to reduce false positives (e.g., .log, .pot, .po, .mo)
  • New: Excluded paths UI – configure which directories to skip during scans
  • New: Ignore list – dismiss individual files from scan results and email notifications
  • New: Extra file detection in plugins and themes (PHP files not in official WordPress.org packages)
  • New: Plugins and themes without checksums are now scanned for suspicious code patterns
  • New: Two-level detection system – strict mode for plugins (obfuscation combos only), standard mode for uploads (broad pattern matching)
  • New: Extra files with suspicious code automatically escalate to the Suspicious category
  • New: String concatenation obfuscation detection (e.g., building dangerous function names from split strings)
  • New: Double extension detection in uploads directory (e.g., file.php.jpg)
  • New: .htaccess detection in uploads directory
  • New: HTML formatted email notifications with severity sections and summary stats
  • New: Enhanced suspicious code pattern detection (hex2bin, create_function, hex-encoded strings, chr() obfuscation, eval+decode combos)
  • Fix: Missing Scan Themes checkbox in settings UI
  • Fix: Plugins without available checksums were completely skipped, including suspicious file detection
  • Improved: Scan results tables now include Ignore buttons for each file
  • Improved: Scan scope checkboxes grouped in a single fieldset for clarity

1.3.2

  • Fixed: File integrity email notifications failing with “No recipient forward path” error when notification email field was empty

1.3.1

  • Fix: All admin JavaScript strings are now fully translatable (activity log popup, scan results, password reset, session management, user approval, preset badges, and more)
  • Fix: File integrity email notifications now work for both manual and scheduled scans
  • Fix: Duplicate scheduled file integrity scans removed (respects configured frequency)
  • Improved: Email notification on file changes is now enabled by default

1.3.0

  • New: User-Agent whitelist – exclude services like ManageWP, MainWP, UptimeRobot from firewall checks
  • New: User-Agent blacklist – block requests by User-Agent string with partial matching
  • New: HTTP request method column in activity log (GET, POST, PUT, DELETE, etc.)
  • New: Request method filter in activity log
  • New: Quick action buttons in log detail popup to add IPs or User-Agents to firewall lists
  • New: IP lookup links to AbuseIPDB directly from log entries
  • Improved: Log detail popup redesigned with grouped sections (Request, Client, Extra Data)
  • Improved: CSV export now includes request method column

1.2.3

  • Fix: IP whitelist and blacklist entries were merged into a single line after page reload, preventing exclusions from working correctly
  • Fix: Automatic migration repairs previously corrupted IP lists on update

1.2.2

  • Improved: New plugin suggestion added.

1.2.1

  • Improved: wp-config.php constant insertion now correctly placed before “That’s all, stop editing” comment, with support for translated wp-config files

1.2.0

  • New: Database backup download tool with table selection (Tools tab)
  • New: Database prefix change with random secure prefix generation (WP Hardening tab)

1.1.1

  • Fix: HTTP method restriction no longer blocks PUT and DELETE, allowing REST API requests from plugins like SiteGround Optimizer to work correctly.

1.1.0

  • New: Under Attack mode – Emergency JavaScript challenge protection with one-click activation
  • New: Automatic browser verification with proof-of-work challenge for frontend visitors
  • New: HMAC-signed verification cookies to prevent cookie forgery
  • New: Aggressive rate limiting (30 req/min) and HTTP method restriction during attacks
  • New: Auto-deactivation after 4 hours with email notifications
  • New: REST API and XML-RPC lockdown during Under Attack mode
  • New: Non-dismissible admin notice with link to dashboard while mode is active

1.0.4

  • Fixed: File Integrity scan results are now fully translatable
  • Fixed: File Integrity scanner now reliably detects suspicious files in uploads
  • Improved: Uploads directory is now scanned first for faster malware detection
  • Improved: Scan time limit increased from 25 to 60 seconds for thorough scanning
  • Improved: File limit in uploads scan increased from 2,000 to 10,000 files

1.0.3

  • Fixed: Security Headers test button and results are now fully translatable
  • Improved: Custom plugin icon now displayed in settings page header
  • Improved: Activation notice now includes shield dashicon

1.0.2

  • Improved: Settings page now uses full available width for better tab display

1.0.1

  • Fixed: REST API compatibility with plugins using PUT/DELETE methods
  • Fixed: wp-config.php constant insertion now works correctly on non-English WordPress installations
  • Fixed: WP Hardening options now properly apply when unchecking (disabling) settings
  • Fixed: Custom configuration detection now triggers when changing any section settings
  • Fixed: Corrupted UTF-8 characters in activity log messages and CSS
  • Improved: Custom login URL now automatically enables wp-login.php redirect to 404
  • Improved: Session limits no longer exclude administrators by default for better security
  • Improved: Dashboard “Custom Configuration” badge now uses more visible orange color
  • Improved: htaccess HTTP method restrictions now exclude REST API endpoints

1.0.0

  • Initial release
  • Two-factor authentication via email with trusted device support
  • Role-based 2FA enforcement
  • Advanced PHP-based firewall with SQL injection, XSS, and file inclusion protection
  • Rate limiting with configurable thresholds
  • IP whitelist and blacklist management
  • Complete security headers implementation (CSP, HSTS, X-Frame-Options, Permissions Policy)
  • Built-in security header testing tool
  • HTTPS enforcer with mixed content detection
  • Login security with brute force protection and progressive lockouts
  • Custom login URL support
  • XML-RPC and application passwords control
  • User security with insecure username blocking
  • Strong password enforcement with minimum length
  • Password expiration with history tracking
  • Force password reset for all users
  • Session management and concurrent session limits
  • Email verification for new registrations
  • Registration approval workflow
  • Admin account monitoring and alerts
  • WordPress hardening (wp-config constants, comment security, head cleanup)
  • Feed management and security
  • REST API security with selective endpoint protection
  • User enumeration prevention
  • Activity log with configurable event tracking
  • Log export to CSV and filtering
  • File integrity monitoring against WordPress.org checksums
  • Two-level suspicious code detection (strict for plugins, broad for uploads)
  • Extra file and obfuscation detection in plugins and themes
  • Scheduled scans with HTML email notifications and severity levels
  • Settings export and import
  • Manual backup creation tool
  • Two configuration presets (Standard, Maximum Security)
  • Automatic backup and restoration system
  • Clean rollback on deactivation
  • Full admin interface with tabbed settings

Version: 1.5.1
Last Updated: March 14, 2026
Active Installs: 90
Requires: WordPress 6.2
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4
