
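Introduction
- The WordPress plugin "Vigilante – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…" was published on 2026-02-10.
- It currently has 30 active installations.
- It was last updated on 2026-02-24, 1 day ago.
- The plugin requires WordPress 6.2 or later.
- The plugin requires the host to run PHP 7.4 or later.
- No one has rated this plugin yet.
- No one has asked a question in the forum yet; the install base is probably still small and no major problems have surfaced.
Plugin contributors
Plugin tags
2FA | login | firewall | security | protection
Summary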
<html>
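<h2>Summary of the WordPress security plugin Vigilante</h2>
<p>Vigilante provides enterprise-level WordPress security features completely free. There is no premium version, no upsells, and no features hidden behind a paywall.</p>
<ul>
<li>Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, user management, and activity logging.</li>
<li>Once activated, Vigilante immediately applies essential security measures, including firewall rules, security headers, and login monitoring.</li>
<li>It offers one-click security presets that enable different levels of security settings instantly.</li>
</ul>
<h3>Questions and Answers</h3>
<ol>
<li><strong>What core security features does Vigilante provide?</strong>
<ul>
<li>Two-factor authentication (2FA).</li>
<li>Firewall protection.</li>
<li>Login security.</li>
<li>User security.</li>
<li>Security headers.</li>
<li>File integrity monitoring.</li>
<li>Activity log tracking.</li>
</ul>
</li>
<li><strong>How does it protect your WordPress site right away?</strong>
<ul>
<li>As soon as the Vigilante plugin is activated, it applies essential security measures such as firewall rules, security headers, and login monitoring.</li>
</ul>
</li>
<li><strong>What are the one-click security presets?</strong>
<ul>
<li>You can choose the Standard or the Maximum Security preset to protect the site quickly.</li>
<li>The Standard preset suits most websites, while the Maximum Security preset applies stricter settings for high-security sites.</li>
</ul>
</li>
<li><strong>What does Vigilante's two-factor authentication offer?</strong>
<ul>
<li>One-time verification codes sent by email.</li>
<li>A trusted devices feature that skips verification on recognized devices for 30 days.</li>
<li>Enforcement of verification based on role.</li>
</ul>
</li>
</ol>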
</html>
Original plugin description
Premium Security, Zero Cost
Vigilante provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.
Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, user management, activity logging, under attack mode and much more.
Instant Protection
Once activated, Vigilante immediately applies essential security measures:
Firewall rules against common attacks (SQL injection, XSS, file inclusion)
Security headers for browser protection
Login attempt monitoring
XML-RPC blocking
WordPress version hiding
Sensitive file protection (.htaccess, wp-config.php)
Automatic backup of your existing configuration files
One-Click Security Presets
Choose a preset and get protected instantly:
Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation.
Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.
You can always customize individual settings after applying a preset.
Under Attack Mode
Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:
JavaScript challenge – Every visitor must pass an automatic browser verification before accessing your site. Real browsers solve it in seconds, bots get blocked completely
Aggressive rate limiting – Requests limited to 30 per minute with 15-minute blocks for offenders
HTTP method restriction – Only GET, POST, and HEAD allowed. PUT, DELETE, PATCH, OPTIONS, and TRACE are blocked
Empty user agent blocking – Requests without a user agent header are rejected
Full XML-RPC lockdown – All XML-RPC access is blocked during the attack
REST API restriction – Only authenticated users can access the REST API
Auto-deactivation – Mode automatically turns off after 4 hours so you never forget it’s on
Email notifications – Get notified when the mode is activated and deactivated
HMAC-signed cookies – Verified visitors receive a cryptographically signed cookie so they only see the challenge once
Under Attack mode works independently from your preset configuration. Your regular security settings are preserved and restored when the mode deactivates.
Core Security Features
Two-Factor Authentication (2FA)
Add email-based verification to your WordPress login:
One-time verification codes sent via email
Trusted devices feature – skip 2FA on recognized devices for 30 days
Role-based enforcement – require 2FA for administrators, editors, or any role
Easy code resend functionality
Configurable code expiry and attempt limits
Firewall Protection
Block malicious requests before they reach WordPress:
SQL injection blocking
XSS (Cross-Site Scripting) attack prevention
File inclusion protection (LFI/RFI)
Directory traversal blocking
Bad bot detection and blocking
Rate limiting against DDoS and brute force
IP whitelist and blacklist management
HTTP method restriction
Login Security
Stop unauthorized access attempts:
Limit login attempts with configurable thresholds
Progressive lockouts – longer blocks for repeat offenders
Custom login URL – hide wp-login.php from bots
Hide login error messages – don’t reveal valid usernames
XML-RPC disable – block this common attack vector
Application passwords control
Admin login notifications via email
IP whitelist for trusted locations
User Security
Comprehensive user account protection:
Block insecure usernames (admin, test, root, etc.)
Force strong passwords with minimum length
Password expiration with configurable intervals
Password history – prevent reusing old passwords
Force password reset for all users (post-hack recovery)
Session limits – control concurrent logins per user
Session management – view and revoke active sessions
Email verification for new registrations
Registration approval workflow – manually approve new users
Admin account monitoring – alerts for new admins, email changes, privilege escalation
Security Headers
Achieve Grade A security ratings:
Content Security Policy (CSP) with visual builder
HSTS (HTTP Strict Transport Security) with preload option
X-Frame-Options – prevent clickjacking
X-Content-Type-Options – prevent MIME sniffing
Referrer Policy control
Permissions Policy (camera, microphone, geolocation)
Cross-Origin policies (COEP, COOP, CORP)
HTTPS enforcer with automatic mixed content fix
Built-in header testing tool
File Integrity Monitoring
Detect unauthorized changes to your files:
WordPress core verification against official checksums
Plugin file monitoring
Theme file checking
Uploads directory scanning for PHP files
Suspicious code pattern detection (eval, base64_decode, shell_exec)
Scheduled automatic scans (hourly, daily, weekly)
Email alerts when changes are detected
Excluded paths configuration
Activity Log
Track everything happening on your site:
Successful and failed login attempts
Two-factor authentication events
User account changes (creation, deletion, role changes)
Content modifications (posts, pages)
Plugin and theme activations/deactivations
Security events and blocked threats
Configurable retention period
Export logs to CSV
Filter by event type, user, or date
WordPress Hardening
Additional security measures:
wp-config.php security constants (DISALLOW_FILE_EDIT, etc.)
Database prefix security check and one-click change tool
Comment spam protection with honeypot fields
Disable pingbacks and trackbacks
Close comments on old posts
WordPress head cleanup (remove version, RSD, WLW links)
Feed management and security
REST API Security
Control API access to your site:
Three access modes: public, authenticated only, or selective
Block user enumeration via REST API
Protect sensitive endpoints
Maintain compatibility with popular plugins (WooCommerce, Contact Form 7, Elementor)
Security Tools
Utilities included:
Database Backup – Download a full or partial database backup as ZIP with table selection
Database Prefix Change – Change the default wp_ prefix to a random secure prefix
Export/Import Settings – Transfer your configuration between sites
Manual Backup – Create backups of .htaccess and wp-config.php on demand
Reset to Defaults – Start fresh with one click
Safe by Design
Automatic Backup System
Your existing .htaccess, wp-config.php, and robots.txt are automatically backed up before any modifications. Backups include integrity verification (MD5 checksums) and are stored safely in wp-content/vigilante-backups/, persisting through plugin updates.
Clean Rollback
When you deactivate Vigilante, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.
Support
Need help or have suggestions?
Official website
WordPress support forum
YouTube channel
Documentation and tutorials
Love the plugin? Please leave us a 5-star review and help spread the word!
About AyudaWP
We are specialists in WordPress security, SEO, and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.
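Download links for each version
- Method 1: Click a version-number link below to download the ZIP file, log in to the site admin, go to "Plugins" and then "Add New Plugin" in the left menu, choose "Upload Plugin" at the top, and upload the downloaded ZIP package to install and activate it.
- Method 2: Use the search box on the right of the "Add Plugins" screen to search for the plugin name "Vigilante – 100% Free Security Suite: Firewall, 2FA, Login, Headers, Scanner…" and install it.
(Method 2 is recommended, to make sure the installed version matches the WordPress environment currently running.)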
1.0.0 | 1.0.1 | 1.0.2 | 1.0.3 | 1.0.4 | 1.1.0 | 1.1.1 | 1.2.0 | 1.2.1 | trunk |
