Description
WORDPRESS SECURITY PLUGIN — PROTECTION WITHOUT THE COMPLEXITY
Automated bots probe WordPress logins and forms around the clock. Ultimate Security shuts that down — with two-factor authentication, brute-force lockouts, anti-spam CAPTCHA, a hidden login URL, session controls, and security maintenance tools — all from a clean dashboard you do not need to be a security expert to run.
🛡️ Lightweight. Privacy-first. No bloat.
Why Ultimate Security?
- It just works. Sensible defaults out of the box — turn it on, you are safer in minutes.
- Built for real attacks. Stops the automated login, brute-force and spam traffic that actually hits WordPress sites.
- Zero learning curve. Plain-English settings, a Test Mode to preview rules before they go live.
- Privacy-respecting. No tracking, no data collection. Pro features are clearly labelled.
🔐 Login & Two-Factor Authentication
- Two-Factor Authentication (2FA) — Email one-time codes and authenticator apps via TOTP/HOTP.
- Per-user 2FA with role-based configuration options — Let users enable 2FA and configure which roles should use email or app-based 2FA.
- Brute-force login lockout — Limit failed attempts, auto-lock offenders, auto-reset retries, block specific users, and keep a recovery URL for emergencies.
- Custom login URL — Hide wp-admin/wp-login.php behind a secret address so bots cannot find it.
- Strong password policies — Enforce length, complexity, expiry and password history.
- Session control — Limit concurrent logins per user and harden auth cookies.
🤖 Bot & Brute-Force Protection
- Anti-spam CAPTCHA — Google reCAPTCHA v2/v3 and Cloudflare Turnstile.
- Form coverage — Protect WordPress login, registration and lost-password forms; Turnstile also supports comment forms; WooCommerce login/register forms are supported when enabled.
- No-conflict mode — Plays nicely alongside other CAPTCHA setups.
🧱 Security Maintenance & Controls
- Rotate WordPress security keys / salts on demand.
- Use the Update Manager to control WordPress core, plugin and theme update behavior.
- Connect Cloudflare and deploy configurable WAF rule groups from the dashboard.
- Review a basic Security Score with prioritized security checks.
- Advanced hardening toggles, API privacy filtering and scheduled salt rotation are available in Pro.
📊 Monitoring & Tools
- Login Activity snapshot — Review recent successful and failed login activity from the dashboard.
- Basic Security Score — See a scored security posture based on enabled protections.
- Site Health snapshot — WordPress/PHP versions, memory, active plugins and theme at a glance.
- Test Mode — Simulate security rules and review what would have been blocked before enforcing.
- Settings backup & restore — Export/import your configuration as JSON for migrations or disaster recovery.
External Services
This plugin connects to the following third-party services, and only when you explicitly enable the related feature:
Google reCAPTCHA
- When: reCAPTCHA CAPTCHA protection is enabled.
- Data sent: the visitor’s reCAPTCHA response token and your site secret key.
- Endpoint: https://www.google.com/recaptcha/api/siteverify
- Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy
Cloudflare Turnstile
- When: Cloudflare Turnstile CAPTCHA protection is enabled.
- Data sent: the visitor’s Turnstile response token and your site secret key.
- Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify
- Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/
WordPress.org Secret-Key (Salt) API
- When: you request rotation of WordPress security keys/salts.
- Data sent: a request for randomly generated salt strings (no site or user data).
- Endpoint: https://api.wordpress.org/secret-key/1.1/salt/
- Privacy: https://wordpress.org/about/privacy/
WordPress.org Core Version Check
- When: the Update Manager checks for available WordPress core updates.
- Data sent: a standard WordPress core version-check request (no user data).
- Endpoint: https://api.wordpress.org/core/version-check/1.7/
- Privacy: https://wordpress.org/about/privacy/
Cloudflare API
- When: you connect Cloudflare or deploy/view WAF rules.
- Data sent: Cloudflare credentials/token, selected zone/rule data, and Cloudflare API requests needed for verification, deployment and analytics.
- Endpoint: https://api.cloudflare.com/client/v4/
- Terms: https://www.cloudflare.com/website-terms/ — Privacy: https://www.cloudflare.com/privacypolicy/
Installation
Requirements: WordPress 5.8+ and PHP 8.1+. HTTPS is strongly recommended for 2FA and secure sessions.
- In WordPress, go to Plugins → Add New and search for “WPUltimateSecurity”.
- Click Install Now, then Activate.
- Open the Ultimate Security menu and follow the setup flow.
Quick Start
Recommended first 5 minutes
- Enable 2FA for all administrator accounts.
- Set login attempt limits and a lockout duration.
- Add CAPTCHA (reCAPTCHA or Cloudflare Turnstile) to the login, registration and comment forms.
- Set a custom login URL and save it somewhere safe.
- Review the Security Score, Site Health and Test Mode before enabling stricter rules.
FAQ
Will this slow down my site?
It is built to stay lightweight — security checks run on login and form submission, not on every page view.
Do I need any technical or coding knowledge?
No. Defaults are safe out of the box and every setting is in plain English with a guided setup flow.
I enabled 2FA / a custom login URL and locked myself out. How do I get back in?
Disable the plugin to restore the default login: via FTP/SFTP, rename the folder /wp-content/plugins/ultimate-security, or over SSH/WP-CLI run wp plugin deactivate ultimate-security. Then log in and reconfigure.
Does it work with WooCommerce?
CAPTCHA and login protection cover WooCommerce login and registration forms where enabled. Checkout CAPTCHA is not currently part of the verified free feature set.
Does it work on WordPress Multisite?
Yes, it runs on Multisite. Network-wide behaviour depends on how you configure it per site.
Does the custom login URL work with caching / CDNs?
Yes. Exclude the login path from full-page caching (most caching plugins do this for login/admin automatically) so the secret URL is never served from cache.
Will it conflict with other security or CAPTCHA plugins?
It can if two plugins do the same job. Pick one plugin per function (one 2FA, one CAPTCHA, one login limiter) and disable the overlapping feature in the other.
Is my data private? Does the plugin track me or phone home?
No telemetry, no tracking, no usage data collection. It only contacts third-party services you explicitly enable (see the External Services section).
Is it GDPR-friendly?
Yes. The plugin is self-hosted and stores its data in your own database. The only outbound calls are the optional services you turn on (reCAPTCHA, Turnstile, WordPress.org salt API).
What happens to my data when I uninstall?
You control whether plugin data is removed on uninstall via the plugin’s settings.
What is the difference between Free and Pro?
Free covers core protection: Email/App 2FA, brute-force lockout, CAPTCHA, custom login URL, password policies, session limits, manual salt rotation, update controls, basic Security Score, Cloudflare WAF rules, Site Health, Test Mode and backup/restore. Pro will add more advanced security features once it is released.
How do I get support?
Use the plugin support forum on WordPress.org, or visit https://www.wpultimatesecurity.com.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Ultimate Security – Login Protection, 2FA, Anti-Spam CAPTCHA, Brute-Force & Security Tools” is open source software. The following people have contributed to this plugin.
Changelog
1.0.20
- New: Improved Session Management settings including concurrent login limits, session cookie hardening and more.
- New: Cloudflare Turnstile and reCAPTCHA CAPTCHA verification when applying their respective keys.
- Improvement: Cloudflare WAF rules function improvement.
- Improvement: Code optimization and performance improvements.
1.0.19
- Fix: 2FA User role was not working properly.
- Fix: Login activity dashboard modal was showing wrong agent.
- Improvement: More user-friendly Server Protection card design
- Improvement: Code cleanup and optimization.
1.0.18
- New: One-click Cloudflare WAF rules apply
- New: New Modal for Login activity with detailed information.
- Improvement: Code cleanup and optimization
- Fix: Login redirected URL was showing existing login for password reset
1.0.17
- Fix: Minor bug fixes and stability improvements
- Improvement: Code cleanup and optimization
1.0.16
- Improvement: Code improvements to the overall plugin, making it snappier.
1.0.15
- Improvement: Conflict management between applied settings.
- Improvement: UI improvements to existing settings pages, making them more intuitive to use.
- Fix: Multiple bug fixes to dashboard. You should get more accurate results now.
- Fix: New deactivation URL was not saving after deactivating and reactivating the plugin.
1.0.14
- Fix: Email 2FA codes were not being sent properly
- Fix: 2FA code page flickering effect after login
1.0.13
- New: Completely redesigned user interface for better usability
1.0.12
- New: Security Score meter to track your site’s security level
- Improvement: Enhanced modal design for better UI/UX
1.0.11
- Fix: Minor UI bug fixes
1.0.10
- Security: Removed unauthenticated AJAX actions
- Security: REST routes now require admin permission
1.0.9
- Fix: Dashboard emergency deactivation URL display issue
1.0.8
- Improvement: Human-readable values in activity log
- Improvement: Reduced plugin size with optimized code
- Fix: 2FA reset issue for users
- Fix: Password policy not applying to new users
1.0.7
- New: Activity Log feature
- New: Improved dashboard design
- Fix: Nonce validation issues
- Fix: Turnstile not showing on comment forms
1.0.6
- Fix: Custom login setup issues
- Fix: Email 2FA asking for OTP twice
- Fix: Feedback form email delivery
- Improvement: Reorganized menu navigation
- Improvement: Performance optimizations
1.0.5
- Fix: Request logs page display issue
- Fix: URL Guard SQL query display
- Improvement: Performance optimizations
1.0.4
- Redesigned settings page interface








