SecuPress Free — WordPress Security


Edit, May 23rd: SecuPress is GDPR compliant!


Protect your WordPress with malware scans; block bots & suspicious IPs. Get a complete WordPress security toolkit for free or as a pro plugin.

What’s the difference between free and pro version?
If you are proactive, our free WordPress security plugin is a great choice! No time to activate weekly scans? Then SecuPress pro is the way to go. Our plugin takes care of everything with automated tasks.

Here are some of our most popular features:

  • Anti Brute Force login
  • Blocked IPs
  • Firewall
  • Security alerts (1)
  • Malware Scan (1)
  • Block country by geolocation (1)

We have included some features you won’t find in most WordPress security plugins:

  • Protection of Security Keys
  • Block visits from Bad Bots
  • Vulnerable Plugins & Themes detection (1)
  • Security Reports in PDF format (1)

You can check out Frequently Asked Questions or get in touch with our support. Want to know all about SecuPress? You can read our documentation here:

How will you know it works?
Well, we have a dedicated security scanner that will give you a clear security grade and report for your website. This way, you’ll know exactly what to fix.

WordPress Features

Security Audit
SecuPress is the only plugin with a full scanner able to fix the issues for you. And when it requires a decision from you, it will ask you before proceeding. With this feature, you can check 35 security points in 5 minutes and let us take care of the rest.

Once done, you get a security grade that gives you a clear idea of what your security level is. You can export this analysis in PDF format to share with others (clients or colleagues) (1).

Users & Login
This feature is the easiest way to make sure your users’ data is protected and to keep their accounts from being compromised. With this feature you can limit the number of bad login attempts, ban login attempts that use non-existent usernames and set a non-login time slot. SecuPress also makes sure you can avoid double logins and control your sessions.

SecuPress also adds a 2FA (Two Factor Authentication) because it’s almost a mandatory feature when it comes to WordPress security!

The plugin also gives you greater user and password control, as you can:

  • Set password lifetimes for your users.
  • Enforce strong password use.
  • Forbid the use of vague usernames like www or admin.

Tired of bots finding your WordPress login page? Just move it with the famous Move Login plugin, now included in SecuPress.

Plugins and Themes
SecuPress helps you detect themes and plugins that are vulnerable or that have been tampered with to include malicious code. If you install one of these, your security module will send out an email alert and give you a warning in WordPress.

SecuPress takes security further by limiting plugin activation, deactivation, installation and removal in your production (live) website. Plugin and theme uploads via .zip files will be on lockdown as well to block off this easy hacking route.

WordPress Core
SecuPress reinforces the WordPress Core to keep it safe. The security plugin optimizes what’s under the hood to secure the config file by setting the proper parameters.

Sensitive Data
SecuPress secures content in many ways:

  • The plugin secures WordPress Endpoints and APIs by blocking bad requests for XML-RPC or REST API.
  • It blocks bad bots with its Robots Blackhole feature.
  • It provides an anti-hotlink feature to preserve your bandwidth.
  • The plugin packs 7 anti-disclose security modules to make sure no precious information is available to hackers in your PHP or WordPress itself.
  • Profile and SecuPress settings pages are password protected to keep sensitive information away from prying eyes.


  • SecuPress is one of the most efficient WordPress bouncers you’ll ever see!
  • The plugin blocks malicious incoming requests.
  • It blocks bad User Agents (no bad crawlers allowed).
  • Bad request methods also get the boot in a single click.
  • URLs are kept in check: no bad URL contents.
  • SQL injection scanners are kept out as well.
  • Brute force attempts are stopped in their tracks.
  • GeoIP Blocking by country gives you more control over your traffic.

Malware Scan
SecuPress has a unique malware scan developed by our security experts. It hunts down bad files and provides you with an easy step-by-step report that lets you take action. It looks into:

  • Bad files in your FTP.
  • Your uploads folder for dangerous files.
  • Potential phishing attempts via index.php loads.

We know firsthand how painful it is to pick up the pieces after an attack damages your WordPress. SecuPress preserves your data to help you avoid lost content or settings if your website comes under attack. The plugin backs up your database and files and lets you download them to guarantee you peace of mind.

Anti Spam
Did you know that 60% of the traffic on the Internet is generated by bots? Most of them happen to be spam bots. We developed our own anti-spam system that works quietly in the background. Just activate it and enjoy a spam free experience.

Alerts are an essential tool when your website is under attack. When something important happens on your website, SecuPress will send you an alert via email. We’re working on alerts via SMS, Slack & Twitter as well.

You also receive a daily report that provides a debrief of the attempted attack and all the activities blocked by SecuPress.

Scheduled Security Tasks
SecuPress can run 3 separate scheduled tasks for you. It’s like having a security patrol on your WordPress.

Scheduled Scanner: SecuPress scans your website to detect any issues. After the scan is complete, you get a report in your inbox outlining any actions you have to take to protect your website.
Scheduled Backup: our team knows that everyone at one time or another forgets to back things up. We made it an automatic task to help ensure you always can recover from an attack with your content safe.
Scheduled Malware Scan: this security feature scans your website at regular intervals to hunt down any malware that may have gotten into your WordPress.

SecuPress will keep a log of important security activities and 404 pages triggered by users, bots or even Chuck Norris. This lets you keep an eye on what’s going on in your WordPress at any time. You can also control banned IPs from this option.

(1) Available in the Pro Version.

(SecuPress is a French WordPress security plugin)


  • All modules from SecuPress
  • A module page (here is Users & Login)
  • The first scan
  • The 1st step: result of the scan
  • The 2nd step: choose what to automatically fix (1)
  • SecuPress is fixing issues for you
  • The 3rd step: manual fix, when you have to decide something
  • The 4th step: final report, you can export it as PDF (1)


It’s important to delete all other security plugins before activating SecuPress.

  1. Upload the plugin files to the /wp-content/plugins/secupress directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‚Plugins‘ screen in WordPress.
  3. Use the SecuPress->Settings screen to configure the plugin.


What does SecuPress do, exactly?

SecuPress is a plugin for WordPress sites which enables better security without sacrificing usability. It’s easy to use for you and hard to hack for pirates. First, SecuPress will scan your site, looking for vulnerabilities, and provide a report detailing possible security improvements to harden your WordPress. The majority of recommendations are easy to implement by checking a box; very few will require a manual setup.

What makes SecuPress better than any other security plugin?

SecuPress protects your website on multiple fronts: anti spam, double authentication. The best feature for users remains how easy to use this plugin is. You don’t need to be an experienced technician to use and secure your WordPress like an expert!

Our security alarms hosted on our servers supply daily data about the most recent vulnerable plugins and themes. This allows you to always be aware and safe.

Is SecuPress compatible with multisites installation?

Yes, SecuPress can be activated for all your sub-sites, just activate it from your main network site.

Is SecuPress compatible with all web hosters?

Yes, SecuPress is compatible with all web hosters like WP Serveur, OVH, Siteground, BlueHost, PlanetHoster, WP Engine, O2Switch or GoDaddy. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with all caching plugins like WP Rocket, W3 Total Cache, WP Super Cache?

Yes, SecuPress is compatible with all WordPress caching plugins. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with all multilingual plugins like PolyLang, WPML, qTranslate?

Yes, SecuPress is compatible with all multilingual WordPress plugins. If you have an issue, please get in touch with us and let us know!

Is SecuPress compatible with all server engines like Apache, Nginx, IIS7?

Yes, SecuPress is compatible with all server engines. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with other security plugins like WordFence, iThemes Security, Bullet Proof Security?

The answer is no. SecuPress is not compatible with another security plugin. Just like two caching plugins do not make your website faster, two security plugins do not make your WordPress more secure. Security rules tend to be overwritten or conflict with other rules if two security plugins are installed. This can cause errors on your website and is not recommended.


The best security plugin I have seen

I tried several security plugins before settling on SecuPress. It is capable, secures my site, lets me see which IPs are attacking my site. The other security plugins I found were either too expensive or far too high an impact on performance. For me SecuPress is perfect and security is very important to me - highly recommended and the support was great too.

Recommended.

The after-sales support is very competent, fast and patient with beginners. The interface is easy to get to grips with. I recommend it.

No support

SecuPress abandoned? I tried to reach their support several times, but in vain. A pity, the plugin was rather clean.

Has SecuPress been abandoned?

Should we switch security plugins? A security plugin that has had no update for 6 months is the last straw!!! Has SecuPress been abandoned? No more replies to messages sent through the Pro version's help support! 🙁

Contributors & Developers

“SecuPress Free — WordPress Security” is open source software.

“SecuPress Free — WordPress Security” has been translated into 2 languages. Thank you to the translators for their contributions.



  • 2 may 2019

  • My bad, almost all modules were marked as „pro“, never asked that x) All is back like in 1.4.7 😉


  • 30 april 2019

  • Fix#686: (again) The scanner for „bad user agent header“ could not read the correct value, Grade A was not possible, it’s back in the game!

  • Improvement#697: Update the PHP minimum values. Bye 5.x, welcome 7.x
  • Improvement: Remove the „page protect“ module, we don’t need this protection finally.
  • Improvement: Various CSS and PHP improvements.


  • 26 september 2018

  • New#689: Dark Mode compatibility! Check (merge in core proposed)

  • Improvement#680: Add all „debug“ and „.log“ files to the „anti disclose readme/changelog“ feature
  • Improvement#683: Add 2 filters on captcha messages to replace the default „Yes i’m a human“ and „Session expired“. See secupress.plugins.login-captcha.checkbox.text and secupress.plugins.login-captcha.error.text
  • Improvement#684: Better 64 bits check.
  • Improvement#685: Better „stop user enumeration“ on Rest API, (JSON return instead of dying)
  • Improvement#679: Compatibility with PHP7 for a vendor package (PDF)
  • Improvement#686: Remove the HTML tags check from „bad user-agents“ feature. Too many false positives since WP 4.9.8 😐
  • Fix#691: GeoIP was returning false since 1.4.5 because of the bad prepare format.


  • 9 august 2018

  • New#668: Add support for as a 2FA plugin

  • New#676: SecuPress Expert Mode. You can set a SECUPRESS_MODE constant on „expert“ to hide descriptions and help all over the plugin to have a clear interface.
  • Improvement#663: GeoIP module can now bypass real SEO bots! So you can block USA but still get Google on your website for example.
  • Improvement#665: Backups are now done using offset, this means that there is more chance to finish instead of dying.
  • Improvement#670: GeoIP database will update every day automatically using a cron. You and your visitors won’t feel the update. Why every day? Because every day IPs are changing (in fact, every second… but I didn’t want to be so mean). This will prevent false positives and false negatives from your visitors, bots, crons.
  • Improvement#671: Strip URLs from UA before check bad UA to prevent false positives.
  • Improvement#672: Better compatibility for secupress_get_main_url compat().
  • Improvement#675: Add a checkbox for login errors module to allow its deactivation.
  • Fix#660: Fix the JARVIS encounter in a bad SecuPress settings link.
  • Fix#661: SECUPRESS_HIDE_API_KEY was not hiding the key anymore, ironic.
  • Fix#664: Fatal error: Uncaught Error: Call to undefined function secupress_global_settings_activate_pro_license() in /secupress-pro/core/core.php:227
  • Fix#667: WP Cron Fatal error: Uncaught Error: Call to undefined function secupress_scanit() in /secupress-pro/inc/modules/schedules/plugins/inc/php/class-secupress-background-process-schedules-scan.php:47
  • Fix#673: MoveLogin with nginx says you have to „remove“ rules instead of adding them. Funny or not.

  • 27 june 2018

  • New: Hotfix a non patched vulnerability in WordPress Core, read more at


  • 18 june 2018

  • New#659: You can now set a scanner speed on the scanner page, just below the scanner button. This is designed to resolve issues on servers that do not like/allow too many (AJAX) requests at the same time (30+ in 1 sec by default to 0,25sec or 1 per sec now).

  • Improvement#649: Change the behavior of the scanner for minimum role. It’s not ‚Subscriber‘ anymore but ‚Not Administrator‘, so you can now set your default role on „Customer“ or whatever without being tagged as „bad“.
  • Improvement#655: The new „confirmaction“ links on WP 4.9.6 were showing the new moved login page. It will now show a „confirmaction“ shortcut when move login is active.
  • Improvement#657: Remove the „Ask for support“ on each scan result in step 3, nobody was using them.
  • Fix#626: Block Fake SEO Bots won’t block Facebook share anymore.
  • Fix#640: Import file was tagged as „empty“, not anymore.
  • Fix#641,#647: Some modules were impossible to activate/check, it’s now ok.
  • Fix#642: Warning: count(): Parameter must be an array or an object that implements Countable in /secupress/inc/functions/common.php on line 1288
  • Fix#643: The „Add my license“ link is now correct.
  • Fix#644: GeoIPs database will now work on 32 bits servers (INT MAX issue).
  • Fix#645: GeoIPs database has been updated to perfectly match countries, and won’t block an unknown country now.
  • Fix#646: Warning: shell_exec() has been disabled for security reasons in /secupress/inc/functions/ip.php on line 229
  • Fix#648: Fatal error: Cannot redeclare secupress_remove_comment_feature_add_packed_plugin() (previously declared in secupress-pro/core/modules/antispam/callbacks.php on line 64
  • Fix#650: Fatal error: Uncaught Error: Call to undefined function secupress_pro_settings_white_label_callback() in /secupress/inc/modules/welcome/callbacks.php on line 27
  • Fix #651: Move login and subfolder love/hate again.
  • Fix #654: Warning: fileperms(): stat failed for /index.php in /secupress/inc/functions/files.php on line 29
  • Fix #656: The scanner step 3 was not showing all the possible fixes.


  • 23 may 2018

  • GDPR Compliance!

  • New Dashboard: The first module page is now a dashboard, you can see your licence info here now.
  • New: You can now reset the SecuPress settings or just module per module.
  • Improvement#628: GeoIP Database has been updated with new IPs
  • Improvement#630: Force strong password is now available on reset form too.
  • Fix#614: Exported settings file doesn’t contain the whitelabeled name, this will prevent the impossibility to import this file on another website without the same whitelabel name.
  • Fix#617: Warning: shell_exec() has been disabled for security reasons in /secupress-pro/core/functions/ip.php on line 229
  • Fix#620: PHP Fatal error: Uncaught Error: Call to undefined function secupress_global_settings_activate_pro_license() in /secupress-pro/core/core.php:227
  • Fix#622: Warning: count(): Parameter must be an array or an object that implements Countable in /secupress/functions/common.php on line 1288
  • Fix#625: Remove „Wget“ from bad User Agents
  • Fix#626: Facebook share post parser was blocked by block fake bot module
  • Fix#627: GooglePageSpeed too
  • Fix#628: GeoIP will no longer block an unknown IP address (country not found)


  • 9 may 2018

  • New#605: New feature added in Sessions Control module: Send a reset link to users

  • Improvement#599: UI was not full width
  • Improvement#600: Checkboxes in step 2 seems enabled
  • Improvement#602: Compat with
  • Improvement#609: Remove the notices „These options are disabled…“
  • Improvement: Remove every check about WP being under 4.0
  • Fix#597: Fatal error when updating using folder overwrite (FTP for example)
  • Fix#598: GooglePageSpeed is blocked by Fake SEO Bots module
  • Fix#601: 404 on PHP should block but not ban
  • Fix#606: regex of fake bots’ user agents was too large
  • Fix#607: Alerts were always sent every 15mn, even with a higher number
  • Fix#608: Fix „Warning: set_time_limit() has been disabled for security reasons“


  • 23 april 2018

  • Improvement#587: Remove SecuPress main logo on whitelabel (there is still some, wait!)

  • Improvement#589: API Key is hidden behind ••••• chars.
  • Improvement#592: Add a Facebook link when grade is A to share the result.
  • Fix#587: CSS missing when whitelabel is on.
  • Fix#588: Move Login died when it should not.
  • Fix#591: Block Fake Bots should not block real bots, right?
  • Fix#595: Fatal error when blocking User Enumeration on REST API
  • Fix#596: Security Fix: The new moved login page could be guessed because of a redirect due to a lack of „die()“, there is no more whitelist condition now. Thanks to Aymen Borgi.


  • 18 april 2018
  • Improvement#583: Better PHP Version detection and warning (php 7 is now the best recommended one)
  • Improvement: Easy Login scan will now detect correctly 15 2FA plugins, not only our PasswordLess module.
  • Fix#581: You can now correctly disconnect if you’re using Move Login Page.
  • Fix#582: You can now correctly save the malware scan option page.
  • Fix#586: Possible 503 error : „The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.“


  • 11 april 2018
  • New: PHP required version is now 5.4 (and will grow at each major version)
  • New: WordPress required version is now 4.0 (and will grow at each major version)
  • New#490: Block User Enumeration Feature
  • New#551: Ban 404 on .php Files Feature
  • New#544: API Key is hidden by default, you can also hide the full block using the new constant SECUPRESS_HIDE_API_KEY (will be set to true if SECUPRESS_API_EMAIL and SECUPRESS_API_KEY are set)
  • New#557: New constants SECUPRESS_API_EMAIL and SECUPRESS_API_KEY to override data from settings
  • New#558: New filter secupress.pre_scan.$class to shortcut any scanner
  • New#564: Block Fake SEO Bots Feature
  • New#562: New filter secupress.get_email to change the email when sending
  • New#567: New filter secupress.nginx.notice to prevent Nginx notices to pop
  • New#572: New filter secupress.settings.load_plugin.$plugin to prevent a full block of settings to be displayed
  • New#572: New filter secupress.settings.field.$args['name'] to hide an option from a setting block
  • New#576: New scan 404 on .php files
  • New: Pro version is now required to auto-fix issues on step 2 in the scanner
  • Improvement#242: When Pro is active, you’ll see a small yellow Ezio (the eagle) logo on each pro feature, so you know what is a pro feature.
  • Improvement#401: Remove outdated scanners and features : REST API Blocking, Non Login Time Slot, DirectoryIndex, no need that now.
  • Improvement#480: Change the way we display the anti sqli scanner code, more lorem, more ipsum, less random
  • Improvement#541: Change the way we load Move Login to prevent any „404 management“ plugin to generate conflict
  • Improvement#550: Move Login will now let the priority to „WPS Hide Login“ and „SF Move Login“
  • Improvement#553: Move Login will now redirect into the dashboard if the user is logged in
  • Improvement#563: Do not log banned IPs
  • Improvement#569: Let the possibility to go to step2 without launching a new scan
  • Improvement#570: Revamp of the „Get Pro“ page (use an external link instead haha)
  • Improvement#571: Remove the hardcoded ads, add more help instead + you can still disable the full bar using the filter secupress.no_sidebar or just future ads with secupress.no_sideads
  • Improvement#573: Add a 3rdparty.php file to have a better detection of 2FA plugins installed, and better compat with hosts like WPServeur and O2Switch
  • Fix#470: Some messages could be in 2 different languages in the scan results
  • Fix#533: Move Login was not acting correctly when subfoldered
  • Fix#543: ManageWP couldn’t always correctly access the plugins list, now it’s ok
  • Fix#545: Move Login new page was disclosed by wp-signup.php page
  • Fix#559: Notice: Undefined index: move-login_login-access in /secupress/modules/users-login/callbacks.php on line 246
  • Fix#565: GEOIp was not blocking all countries correctly
  • Fix#566: Anti Bruteforce Front was not blocking all requests correctly
  • Fix#568: Remove the Captcha hidden field, too many false negatives


  • 04 september 2017
  • Fix#522: zxcvbn lib contained a not fixed bug, I did.
  • Fix#524: Move login was blocking the home page


  • 01 september 2017
  • Improvement #516, #518, #519: Move login hides now the postpass url, the register url is now different and has its own setting, /!\ now our Move Login is not compatible anymore with „SF Move Login“ from GregLone, thank you buddy!
  • Improvement: You can now unlock yourself from the move login page by filling a field with your email. You’ll find the (forgotten) new login page url, and a second link to deactivate the module.
  • Improvement: The Move login will not redirect on a /404 page, but will fail with a message.
  • Fix: Remove the module file from „bad url length“, should be deleted in 1.3.1


  • 02 august 2017
  • Improvement #512: Remove the recovery email notice, you won’t need to fill this anymore
  • Improvement #507: Lighter Move Login module with less options, no .htaccess/web.config/nginx.conf modifications but more decisions and less bugs instead of endless bugs.
  • Improvement #506: Remove the scan and fix for empty user agent (not efficient enough in 2017, too many false positives)
  • Improvement #505: Remove the scan and fix for too long URLs (not efficient enough in 2017, too many false positives)
  • Improvement #488: New bad user agent (Gecko/2009032609 Firefox), thanks to Fabrice from
  • Improvement #481: Better message (less sarcastic, yes) when you lock yourself out.
  • Fix #504: On some servers, $_SERVER['SERVER_ADDR'] does not exist, well, ok.
  • Fix #502: Move login was not cool with PasswordLess
  • Fix #501: Some multisites websites could not validate their licence.
  • Fix #473: Captcha always returned „human verification fail“ when autofill from browser is enabled.


  • 13 june 2017
  • New: You can now set your PRO licence key in the settings page without installing the PRO version. This will replace your free version by the PRO one, quietly.
  • Improvement #448: Better detection of user’s right for DB scan
  • Improvement #308: Sometimes after a scan (step 1), some results are still tagged as „new“, you should encounter less cases.
  • Fix #469: customize.php redirects to the login page (thanks to @wpmarmite)
  • Fix #451: Fatal error on WP <4.2.11 when sending emails
  • Fix #414: PHP7 errors


  • 18 april 2017
  • Improvement: removed the monthly plans from the „Get Pro“ page and improved a few things.

  • 06 april 2017
  • Improvement #450: use a new API for the „Get Pro“ page, to fetch prices.


  • 05 april 2017
  • Improvement #445: display the missing „Rate us“ box in the settings page.
  • Improvements #387 and #449: changed a few things in the „Get Pro“ page, mainly focused on the monthly plans.
  • Fix #447: prevented Move Login to change & characters into &amp; in filtered URLs, it may cause problems when used as a redirection target.

  • 19 march 2017
  • Fix #424: a htaccess server error appeared if you were using WP <4.7 with „readme file protection module“.


  • 16 march 2017
  • Improvement #413: improved PHP and WP version check on activation.
  • Improvement #408: improved Move Login settings. Now you HAVE to specify a new login URL: no default value anymore, no forgotten URL anymore. Also, your new URLs can be seen while you type in 🙂
  • Improvement #397: improved the theme/plugin installation/upload sub-modules: even white-listed IPs are blocked now.
  • Fix #402: in some cases, the scan testing the readme.html direct access was testing a wrong URL.
  • Fix #111: added the IP address to the hardcoded white-list. It should prevent some cron processes to be blocked (because of an empty User Agent for example).


  • 28 february 2017
  • Improvement #382: if the salt keys scan still reports problems after the MU plugin is created, it will still try to fix it.
  • Fix #282: links in email messages should now be fine.
  • Fix #170: the notice saying the .htaccess file is not writable now is displayed only if the file exists.
  • Tested with php 7.1.
  • Various small fixes and improvements.

  • 21 february 2017
  • Fix #391: whenever an IP address is banned, the message was displayed to everybody.


  • 20 february 2017
  • Improvement #370: in the scanner, each scan has now its own documentation 📖. The „Read the documentation“ links can be found at step 3, the Manual Operations.
  • Improvement #357: for the „Too Long URL“ protection, requests made with wp_request_***() to self are not blocked anymore.
  • Fix #373: fixed a bug that allowed a specifically forged URL to cheat the „Too Long URL“ protection.
  • Fix #367: fixed a PHP notice Missing argument 2 for SecuPress_Action_Log::pre_process_action_wp_login().
  • Fix #363: fixed a possible failure on step 2 of the scanner (Auto-Fix).
  • Fix #352: revamp the whole „Auto Update“ scan and protection, mainly focusing on the constant definitions.
  • Fix #347: the Twitter bird now can sing correctly.
  • Fix #343: when some scans display a message „Unable to determine…“, a link to activate manually the protection should be displaying. Some were missing.
  • Fix #329: the directory listing scan now reports a „Good“ status if folders display an empty page with HTTP code 200.


  • 27 january 2017
  • Fix #355: fixed a „recursion“ that caused some scans to return a „bad“ status while the corresponding protections were working ¯(°_o)/¯
  • Fix #351: fixed license invalidation on multisite or multilingual sites.
  • Fix #346: fixed a PHP warning about vsprintf() in the scanner page.
  • Fix #345: don’t manipulate headers if they have been already sent.
  • Fix #313: fixed one of our easter eggs. 😬
  • Fix #256: in the wp-config.php file, don’t comment a constant that is already commented or the sky will fall.
  • Fix #46, #154, #328, #348: fixed the whole chmod scan. Some fixes made in version 1.0.3 dramagically disappeared at some point, we bring them back: chmod values are correct again, test for the web.config file is back (if applicable). In the scan result, the list of files/folders were incomplete. In the scan result, folders are not called files anymore. Test for .htaccess and web.config existence instead of testing for Apache / IIS7.


  • 18 january 2017
  • Happy new year! 🎉
  • Improvement #336: prevent a rare PHP warning: array_count_values() can only count string and integer values! that could mess with the scan results.
  • Improvement #322: CSS animations are no more on Logs page, interacting with them is now easier.
  • Fix #342: in the Malware Scan module, the „Save All Changes“ button under the Directory Index option was disabled.


  • 20 december 2016
  • New: up to 12 options for you to control. Directory Index, Directory Listing, PHP modules disclosure, PHP version disclosure, WordPress version disclosure, Bad URL Access, Protect readme files, WooCommerce and WPML version disclosure, File edition constant, Unfiltered HTML constant, Unfiltered uploads constant: all these protections can now be activated and deactivated separately as needed ( ゚д゚)
  • New: some scans were slightly modified, so here is a new one that will test only the ShellShock vulnerability ヽ(´ー`)人(´∇`)人(`Д´)ノ
  • New: if a scan displays a „Not able to access your front page“ message, it brings you the possibility to activate the protection anyway.
  • Improvement #118: in the scanner’s manual fixes, the „Ignore this step“ button is more understandable.
  • Improvement #147: in logs and alerts, no more „UAHE“, „BUC“, or any other obscure codes when a request is blocked, only a human readable sentence.
  • Improvement #199: the User Agent blacklist is now case sensitive.
  • Improvement #274: if you use a „Coming Soon“ or „Maintenance“ page, manual scans have now a small drill and can get through it and will no longer trigger a „Not able to access your front page“ message for this reason.
  • Improvement #286: updated the „no longer in directory“ and „not updated over 2 years“ plugins lists.
  • Improvement #289: the scan message related to the constant COOKIEHASH is more accurate.
  • Improvement #290: whitelisted IPs don’t trigger alerts and logs when they are not blocked.
  • Improvement #297: the checkbox to activate the protection to deny access to malicious file extensions in the uploads folder now displays rewrite rules if the configuration file is not writable.
  • Improvement #324: tell cache plugins not to cache our blocking messages nor the login pages.
  • Improvement: prevent our icons to be overridden by other plugins or themes.
  • Fix #264: the scanner related to the admin user wouldn’t fix anything in a specific case. Nothing is better than a whip sometimes.
  • Fix #265: fixed a message displayed by the chmod scan. In some cases it was speaking nonsense about files / and /.
  • Fix #281: „Ask for old password“ and „Strong Passwords“ are now besties ( ^^)o自自o(^^ )
  • Fix #285: typo in a IfModule (-‸ლ)
  • Fix #291: the fix related to the WordPress version disclosure ate the rewrite rules on Nginx. So we made it give them back (that was kind of scary).


  • 07 november 2016
  • Improvement #258: Remove the blog_id and website URL in the new salt keys to avoid having to log in on each website on a multisite, was just annoying.
  • Improvement #259: Better hook usage to allow any cache plugin (like WP Rocket of course) to ignore login page.
  • Improvement #195: Better Move Login rules on Nginx. And better rules in general for all modules.
  • Fix #262: Some firewall sub-modules were not working on the front end; the functions were not in the right file 😐
  • Fix #252: X-Powered-By header was not hidden on Nginx.
  • Fix #250: WPML still appeared as a „bad plugin removed from repo“, well, the whitelist filter was not used.


  • 25 October 2016
  • Just a price update.


  • 22 October 2016
  • Improvement #216: The button „Ask for support“ is now always present on scanner step 3.
  • Improvement + #205: typos, and missing text domain.
  • Fix #186: Add description and author to the COOKIEHASH MU plugin.
  • Fix #204: When fixing the last thing in step 3, redirect to step 4.
  • Fix #207: Table prefix fix won’t show up on step 3.
  • Fix #219: PDF Export not exporting anything, wow.
  • Fix #224: In scanner JS, HTML entities were in status text.
  • Fix #227: Notice on affected role section: Undefined index: double-auth_affected_role in /inc/admin/functions/modules.php on line 555.
  • Fix #232: Bad request methods scan returned a false negative status.


  • 19 October 2016
  • New: Design revamp for modules homepage.


  • 18 October 2016
  • Fix #158 & #179: Affected roles on modules were reset to empty. I prefer a filled field.
  • Fix #159: The error message from files backup talked about DB backup. Go home!
  • Fix #178: The PasswordLess scan will now check if its module is active, and in a near future will really check for any 2FA code.
  • Fix #185: A mysterious „////“ title was present in the French translation, near „WML-RPC“.
  • Fix #190: The module link in the non login time slot scan has now its # to get a correct anchor. Happy sailor.
  • Fix #191: A function was missing, so the PasswordLess scan couldn’t activate its module, now, he can and he’s happy too.
  • Fix #193: The anti-bruteforce scan always said „false“ because we didn’t call him by its real name.
  • Fix #197: When one of our MU plugins was created on plugin deactivation, it triggered a fatal error, it was so fatal that we decided to remove it.


  • 07 October 2016
  • Fix #167: Possibly locked at step 1 with a fake „New scan“ for readme.txt files, you’re not stuck anymore.
  • Fix #166: Various CSS improvements.
  • Fix #171: Scans related to the firewall were always returning a bad status, even if the protections were running.
  • Fix #172: The scan and the protection related to the „Bad request methods“ were not accurate.
  • Fix #176: A SQL warning occurred if you didn’t have logs to delete from 1.0.4, a new IF condition has been added to prevent that.


  • 26 September 2016
  • Improvement #164: Logs are now lighter (without a flame) and can be deleted much faster (still not as fast as WP Rocket, but who can).
  • New #160: Added a filter named secupress.remote_timeout: if you get too many „Pending“ statuses in the scanner, increase the timeout, since cURL is not always gentle with us ><


  • 14 September 2016
  • Improvement: Commented salt keys (previously fixed) will now be deleted to avoid another error 500 case (in case of, you know).
  • Improvement: The banner button now has a better display on tiny screens.
  • Improvement: Since SecuPress is compatible with WP 3.7 and 3.8, the icons are now compatible too.
  • Improvement: Better bad user-agent blacklist, some were too common and blocked legit users.
  • Fix: User-Agent with more than 255 chars won’t be blocked anymore, too many false positive cases.
  • Fix: The recovery email can now be set even if 2 users got the same email address (don’t ask…).
  • Fix: wp-config.php file permissions were sometimes set to 064 and broke some sites when auto-fix was done.
  • Fix: The PHP version warning was marked as bad for nothing, it will now mark it correctly.


  • 02 September 2016
  • Fix: The PHP Notice: wp_enqueue_script/wp_enqueue_style called incorrectly is now called correctly and won’t disturb you anymore everywhere in your admin area.
  • Fix: The Error 500 caused by commented salt keys will not happen again.
  • Fix: We removed the „ping“ keyword from the bad user-agents since „pingdom“ is not so malicious, is it?
  • Fix: SecuPress couldn’t fix the „admin user“ scan with open registration and no admin account.
  • Fix: The TinyMCE editor is not broken anymore, you can use it normally now \o/


  • 31 August 2016
  • Improvement: Better sorting for Step 3 items.
  • Improvement: Better global wording.
  • Improvement: The fix which deletes the deactivated theme will now keep the default theme (using the PHP constant WP_DEFAULT_THEME).
  • Improvement: The fix which proposes to delete the parent theme will stop that.
  • Improvement: No more HTML tags in exported txt log files.
  • Fix: The following JavaScript Error „Uncaught ReferenceError: secupressResetManualFix is not defined in secupress-scanner.min.js“ when you visit the scanner page is on vacation, forever.
  • Fix: PHP Warning in class-secupress-scan-bad-vuln-plugins.php, we won’t use $this in a static method anymore, promise.
  • Fix: Warning in class-secupress-scan-bad-vuln-plugins.php, ok this one’s the last.
  • Fix: Warning in class-secupress-scan-bad-old-plugins.php my bad, this one.
  • Fix: Warning in class-secupress-scan-bad-old-plugins.php, well, it was the real last one.
  • Fix: Warning in settings.php usage of a protected method is now allowed.
  • Fix: Warning in modules.php because we called secupress_insert_iis7_nodes without the second mandatory argument.
  • Fix: The following PHP Parse error „syntax error, unexpected ‚ai‘ (T_STRING) in mu-plugins/_secupress_deactivation-notice-nginx_remove_rules.php“ won’t show up anymore for French users.
  • Fix: The PHP Fatal Error on activation or deactivation has been killed, not by Batman because you know.


  • 23 August 2016
  • Initial release \o/