JR Security Hardening and Login Protection

by reinajhon46

Description

JR Security Hardening and Login Protection secures your WordPress installation at the application level with one-click hardening modules. Designed to be secure by default and Cloudflare compatible.

Included modules:

  • Disable XML-RPC — Full block (filter + hard block). xmlrpc.php lets an attacker pack hundreds of password guesses into a single request via system.multicall and abuse pingback.ping to make the site send requests at third-party targets; blocking the endpoint removes both.
  • Hide WordPress version — Removes version from generator meta and CSS/JS assets.
  • Disable file editor — Prevents theme and plugin editing from the admin panel (DISALLOW_FILE_EDIT).
  • Disable emojis — Removes WordPress emoji scripts and styles, improving performance.
  • Block user enumeration (?author= and /author/) — Dual-layer protection against username discovery.
  • Block REST enumeration (wp-json users) — Prevents enumeration via the WordPress REST API.
  • Block sensitive paths/files — Blocks access to readme.html, license.txt, .env, .git, composer.json, etc. for requests that actually reach WordPress. A file the web server finds on disk is served directly and never invokes PHP, so those files need the server rules below.
  • Security headers — X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options, HSTS (HTTPS only) and removal of technology-revealing headers.
  • Login protection — Rate limiting by IP and by user+IP with configurable temporary lockout.
  • IP whitelist — Excludes trusted IPs from rate limiting to avoid accidental lockouts.
  • Email notification — Receive an email when an IP is locked out due to too many failed login attempts.
  • Activity log — Security event logging in a dedicated database table with configurable retention and automatic cleanup via cron.
  • Ready-to-use server rules — Code for Apache (.htaccess) and Nginx to block static files that WordPress cannot reach.
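The hardening modules listed above, written out as an added example in plain WordPress hooks. This is not JR Security's own code; it shows how each module can be implemented with core APIs (the `xmlrpc_enabled`, `rest_endpoints`, `wp_headers` filters and the `template_redirect` action). Function names prefixed `exh_` and the hypothetical plugin header are mine; the header values and the `list_users` capability used for the administrator exemption are assumptions.

```php
<?php
/**
 * Plugin Name: Example Hardening Hooks
 * Description: Added example, not JR Security's code. Mirrors the hardening modules
 *              using only core WordPress hooks; names are prefixed exh_.
 */
defined('ABSPATH') || exit;

// 1. XML-RPC. The filter makes xmlrpc.php report itself as disabled; the hard block
//    ends the request before system.multicall or pingback.ping is ever parsed.
add_filter('xmlrpc_enabled', '__return_false');
add_action('init', function () {
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        status_header(403);
        exit;
    }
});
remove_action('wp_head', 'rsd_link'); // stop advertising the endpoint in <head>

// 2. Hide the WordPress version: the generator tag and the ?ver= core appends to assets.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
function exh_strip_core_version($src) {
    // Only strip core's version; theme/plugin cache-busting versions are left alone.
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'exh_strip_core_version');
add_filter('script_loader_src', 'exh_strip_core_version');

// 3. Disable the theme/plugin file editor unless wp-config.php already did.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 4. Emoji detection script, styles and the DNS-prefetch hint they add.
remove_action('wp_head', 'print_emoji_detection_script', 7);
remove_action('wp_print_styles', 'print_emoji_styles');
remove_action('admin_print_scripts', 'print_emoji_detection_script');
remove_action('admin_print_styles', 'print_emoji_styles');
add_filter('emoji_svg_url', '__return_false');

// 5. User enumeration. Priority 1 runs before redirect_canonical (priority 10), which would
//    otherwise turn ?author=N into /author/<login>/ and leak the login in the Location header.
//    Users who can list users (administrators) are exempt, so an admin session still sees
//    author archives; test in a window without a WordPress session.
add_action('template_redirect', function () {
    if (current_user_can('list_users')) {
        return;
    }
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);

// 6. REST enumeration: remove the /wp/v2/users routes for anonymous requests. Logged-in
//    users keep them because the block editor relies on /wp/v2/users/me.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 7. Sensitive paths. This only fires when the request reaches PHP, i.e. when the file is
//    absent on disk; a real /readme.html is served by Apache/Nginx before WordPress runs.
add_action('init', function () {
    $path  = (string) wp_parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $exact = ['/readme.html', '/license.txt', '/.env', '/composer.json', '/composer.lock'];
    if (in_array($path, $exact, true) || strpos($path, '/.git') === 0) {
        status_header(404);
        nocache_headers();
        exit;
    }
});

// 8. Security headers on front-end responses (wp_headers is applied in WP::send_headers).
//    HSTS is only meaningful over HTTPS; browsers ignore it on plain HTTP.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    $headers['X-Content-Type-Options'] = 'nosniff';
    $headers['Referrer-Policy']        = 'strict-origin-when-cross-origin';
    $headers['Permissions-Policy']     = 'camera=(), microphone=(), geolocation=()';
    $headers['X-Frame-Options']        = 'SAMEORIGIN';
    if (is_ssl()) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
});
add_action('init', function () {
    header_remove('X-Powered-By'); // PHP's banner; the Server header needs a web-server directive
});
```

Drop the file into `wp-content/mu-plugins/` to try it. The `wp_headers` filter covers front-end responses only; admin pages need the same headers sent from an `admin_init` callback. Whether removing `/wp/v2/users` for anonymous requests breaks anything depends on the theme: a front end that fetches author data over REST without a session will lose it.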

Smart IP detection:

  • Native support for Cloudflare (CF-Connecting-IP).
  • Option to trust X-Forwarded-For / X-Real-IP behind trusted proxies. Enable this only when the origin is reachable exclusively through that proxy: these headers are client-supplied, so a direct connection carrying a forged value would let an attacker pick the IP the rate limiter sees, or pose as a whitelisted one.
  • Fallback to REMOTE_ADDR.
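The login-protection module (rate limiting by IP and by user+IP, temporary lockout, whitelist) and the smart IP detection described above, combined in one added example. This is not JR Security's code: it resolves the client address only from headers sent by a configured trusted proxy, counts failures with transients, and refuses authentication while a lockout is active. The `ELR_*` constants stand in for the plugin's settings and the proxy and whitelist ranges are placeholders from RFC 5737 documentation space, not real Cloudflare addresses.

```php
<?php
/**
 * Plugin Name: Example Login Rate Limit
 * Description: Added example, not JR Security's code. Proxy-aware client IP plus
 *              transient-based lockouts; names are prefixed elr_.
 */
defined('ABSPATH') || exit;

// Assumed settings. Trusted proxies must be the addresses that really connect to this origin
// (your Cloudflare or load-balancer ranges); otherwise anyone can forge the headers below.
const ELR_TRUSTED_PROXIES = ['203.0.113.0/24'];  // placeholder range, not a Cloudflare one
const ELR_WHITELIST       = ['198.51.100.7'];    // placeholder admin address, never rate limited
const ELR_MAX_PER_IP      = 10;    // failures per window from one IP, any username
const ELR_MAX_PER_USER_IP = 5;     // failures per window for one username from one IP
const ELR_WINDOW          = 900;   // seconds over which failures are counted
const ELR_LOCKOUT         = 3600;  // seconds a lockout lasts (the transient expires by itself)

// CIDR match for IPv4 and IPv6; a bare address matches only itself.
function elr_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ip_b = inet_pton($ip);
    $net_b = inet_pton($net);
    if ($ip_b === false || $net_b === false || strlen($ip_b) !== strlen($net_b)) {
        return false;
    }
    $bits = $bits === null ? strlen($ip_b) * 8 : (int) $bits;
    $mask = str_repeat("\xff", intdiv($bits, 8))
          . ($bits % 8 ? chr((0xff << (8 - $bits % 8)) & 0xff) : '');
    $mask = str_pad($mask, strlen($ip_b), "\0");
    return ($ip_b & $mask) === ($net_b & $mask);
}

function elr_client_ip(): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $from_trusted = false;
    foreach (ELR_TRUSTED_PROXIES as $cidr) {
        if (elr_in_cidr($remote, $cidr)) { $from_trusted = true; break; }
    }
    if (!$from_trusted) {
        return $remote; // fallback: the TCP peer is the client, headers are not to be believed
    }
    // Cloudflare sets a single address; other proxies use X-Real-IP or append the peer they
    // saw to X-Forwarded-For, so the rightmost entry is the one our trusted proxy added.
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
        if (empty($_SERVER[$key])) continue;
        $candidates = array_map('trim', explode(',', $_SERVER[$key]));
        $ip = end($candidates);
        if (filter_var($ip, FILTER_VALIDATE_IP)) return $ip;
    }
    return $remote;
}

function elr_is_whitelisted(): bool {
    foreach (ELR_WHITELIST as $cidr) {
        if (elr_in_cidr(elr_client_ip(), $cidr)) return true;
    }
    return false;
}

// Transient keys for the two counters: per IP, and per (username, IP).
function elr_keys(string $user): array {
    $ip = elr_client_ip();
    return [
        'ip'   => 'elr_ip_' . md5($ip),
        'user' => 'elr_uip_' . md5(strtolower($user) . '|' . $ip),
    ];
}

// Count failures. Attempts rejected by the lock itself are not counted, so the lockout
// ends at the configured time instead of being extended by every retry.
add_action('wp_login_failed', function ($username, $error = null) {
    if (elr_is_whitelisted() || ($error instanceof WP_Error && $error->get_error_code() === 'elr_locked')) {
        return;
    }
    foreach (elr_keys((string) $username) as $kind => $key) {
        $n = (int) get_transient($key) + 1;
        set_transient($key, $n, ELR_WINDOW);
        $limit = $kind === 'ip' ? ELR_MAX_PER_IP : ELR_MAX_PER_USER_IP;
        if ($n >= $limit) {
            set_transient($key . '_lock', time() + ELR_LOCKOUT, ELR_LOCKOUT);
            // The email notification and activity-log write would go here.
        }
    }
}, 10, 2);

// Refuse authentication while locked. Priority 40 runs after core's password and cookie
// handlers (20 and 30), so a correct password cannot override the lock.
add_filter('authenticate', function ($user, $username) {
    if ($username === '' || elr_is_whitelisted()) return $user;
    foreach (elr_keys((string) $username) as $key) {
        $until = (int) get_transient($key . '_lock');
        if ($until > time()) {
            $mins = (int) ceil(($until - time()) / 60);
            return new WP_Error('elr_locked', sprintf('Too many failed logins. Try again in %d minutes.', $mins));
        }
    }
    return $user;
}, 40, 2);
```

Because `wp_authenticate` fires `wp_login_failed` for XML-RPC and REST logins as well as wp-login.php, the counters cover every credential path that goes through WordPress. Note that `set_transient` restarts the window on each failure, so the count is sliding rather than fixed; and that transients live in the options table unless an object cache is configured, which is also why deleting them on uninstall is enough to clear every lock.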

Clean uninstall:

When the plugin is deleted, all options, the events table and transients are removed. No data is left behind in your database.

Installation

  1. Upload the jr-security-hardening-login-protection folder to /wp-content/plugins/.
  2. Activate the plugin from the WordPress “Plugins” menu.
  3. Go to Settings → JR Security and configure the modules.
  4. For full static file protection, apply the server rules shown in the “Server” tab.

FAQ

Does this plugin replace a server-level firewall?

No. This plugin protects what goes through WordPress. Static files like /readme.html are served by the web server without ever invoking PHP, so you need server-level rules (Apache/Nginx) for them. The plugin includes those rules ready to copy and paste in the “Server” tab.

Does it work with Cloudflare?

Yes. It reads the visitor’s real IP from CF-Connecting-IP. Make sure the origin accepts traffic only from Cloudflare (firewall rules or Authenticated Origin Pulls), because a request that reaches the origin directly can carry any value in that header and would be rate limited under a spoofed address. If you use another proxy, you can enable “Trust proxy headers” in the settings.

What if I lock myself out?

Lockouts use WordPress transients and expire automatically based on the configured hours. You can also add your IP to the whitelist from settings, or temporarily deactivate the plugin via FTP/SSH by renaming the folder.

Can I use this plugin with other security plugins?

Yes, but avoid duplicating functionality. If another plugin already disables XML-RPC or adds headers, disable those modules here to avoid conflicts.

Are settings lost when deactivating the plugin?

No. Settings are preserved when deactivating. They are only deleted when uninstalling the plugin completely.

Why is ?author= enumeration not blocked?

If you are logged in as an administrator, the plugin does NOT block the author page — this is normal behavior. To test, use an incognito window without a WordPress session.

Changelog

1.0.0

  • First release.
  • Modules: XML-RPC, WP version, file editor, emojis, user enumeration (?author= and /author/), REST enumeration, sensitive paths, security headers, login protection, IP whitelist, email notification, activity log, server rules.
  • IP detection with Cloudflare support (CF-Connecting-IP), X-Forwarded-For/X-Real-IP and REMOTE_ADDR.
  • Admin panel with tabs: Dashboard, Hardening, Login, Logs, Server.
  • Automatic log cleanup via WP Cron with configurable retention.
  • Clean uninstall (options, events table, transients).