[WordPress] 外掛分享: WordSec

首頁外掛目錄 › WordSec
WordPress 外掛 WordSec 的封面圖片
全新外掛
安裝啟用
尚無評分
剛更新
最後更新
問題解決
WordPress 6.9+ PHP 7.4+ v1.0.3 上架:2026-07-15

內容簡介

WordSec 是一款先進的 WordPress 安全與威脅情報平台,專為需要企業級保護的安全團隊與網站擁有者設計。它整合了八個模組,提供即時安全警報及全面的防護,確保網站安全無虞。

【主要功能】
• 網頁應用防火牆,提供即時請求檢查
• 七階段掃描系統,檢測惡意程式
• 角色基礎的雙重身份驗證,增強登入安全
• 實時流量監控,回放歷史請求
• 完整的活動追蹤與審計日誌
• 插件與佈景主題的供應鏈監控

外掛標籤

開發者團隊

⬇ 下載最新版 (v1.0.3) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「WordSec」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

WordSec is an advanced WordPress security and threat intelligence platform, built for modern security teams and site owners who need enterprise-grade protection. Eight integrated modules, from a Web Application Firewall to real-time security alerts, work together behind a single modern dashboard, and your live security score is always in view. Every module can be enabled or disabled independently, so you get exactly the protection your site needs without paying for it in performance.
Firewall
Inspect every request, write your own rules, and harden WordPress with one-click toggles.
* Multi-condition custom rule builder with regex and wildcard matching
* Built-in rules across the major attack categories (SQL injection, XSS, path traversal, PHP and command injection, and more)
* WAF learning and active modes, bot blocking and security headers
* 25+ one-click hardening toggles for wp-config access, author enumeration, REST API and more
* Optional Extended Protection: pre-WordPress request inspection via an auto_prepend_file bootstrap (explicit opt-in, fully reverted when disabled or on deactivation)
* Endpoint rate limiting, XML-RPC protection and detailed firewall logs
Scanner
A seven-stage scanning system that examines files, the database and scheduled tasks.
* malware detection rules (synced from the WordSec service) based content scanning
* WordPress core, plugin and theme file-integrity verification (via the WordPress.org API)
* Scheduled scans with batch processing to avoid timeouts
* One-click quarantine and restore, with complete scan history
Login Security
Stop credential attacks before they start.
* Role-based two-factor authentication (RFC 6238 TOTP), no external library required
* Three CAPTCHA providers (reCAPTCHA, hCaptcha, Cloudflare Turnstile) plus a built-in math CAPTCHA
* Brute-force protection with progressive lockout and honeypot traps
* Leaked-password checking (Have I Been Pwned, k-anonymity) and Argon2 password enforcement
* Session management and a custom login page designer
Live Traffic
Watch your traffic in real time, then replay it historically.
* Real-time request logging (IP, URI, method, status, response time)
* Safe request and response inspection with automatic bot detection
* Exclusion filtering by role, IP, country or URI, with CSV export
Blocking

Country and continent allow or block lists
Single IP and CIDR range blocking, temporary or permanent, with allow-list support
Automatic abuse protection and endpoint rate limiting
Custom block messages

Supply Chain

Reputation scoring for every installed plugin and theme
Known-vulnerability alerts (data from the WordSec service) for core, plugins, themes and PHP
Abandoned plugin and theme detection
Update-integrity verification with automatic backups and a full SBOM inventory

Audit Log

Complete activity tracking across 11 object types and 14 actions
Content changes, plugin, theme and setting changes, and more
Fast filtering and one-click export

Alarm

36 event types across six categories
Delivery by Email, Telegram or Slack
Basic, Advanced and Full alert modes

WordSec is fully functional out of the box. Every feature (WAF, malware and file-integrity scanning, login security, two-factor authentication, hardening, IP and country blocking, audit log, supply-chain monitoring and alarms) runs locally on your server with no license key and no restrictions. Optionally, the WordSec service at wordsec.net supplies continuously-updated threat-intelligence data that cannot be produced locally: managed WAF rule sets, the full malware signature feed, IP-reputation lists, the GeoIP database, the disposable-email domain list and known-vulnerability records. Connecting the service is optional; the local features work with or without it, simply using whatever data is available. Every external service and the data it receives is documented in the “External services” section below.
External services
WordSec is designed to run locally, and with no license key it makes no outbound requests to the WordSec service. Core request filtering and file scanning run on your server. The services listed below are contacted only for the specific features described, and most of them only when you explicitly enable that feature (or, for the WordSec API, only after you activate a license key). This section documents every third-party service the plugin can connect to and the data each one receives.
WordSec API (api.wordsec.net)
WordSec runs free without a license, in which case it does not contact this service at all. A free license is available to everyone; once you activate a key the plugin communicates with the WordSec service for two distinct purposes:

Required service calls (only while a license key is active): license activation and validation, and threat-data updates (firewall rules, malware signatures, IP reputation lists, GeoIP data, the disposable-email domain list and known-vulnerability data). These enable the cloud-backed features and cannot be performed locally; with no key, none of these calls are made. The local enforcement code for these features (the WAF engine, the malware scanner, the IP-blocking filters and the signup-restriction filter) is always present and active; without an up-to-date feed it simply has no threat-intelligence data to check requests against.

* When: on activation/validation and on scheduled threat-data update checks.
* Data sent: your site URL and license key (used to authenticate you and bind the license to this site) and, for update checks, the current versions of your installed threat-data feeds.

Optional usage/environment telemetry (OPT-IN, OFF by default): an anonymous once-daily snapshot used to improve WordSec. It is only sent after you explicitly enable “Share usage & environment data” (at license activation or in Settings → Advanced → Usage Data) and can be turned off again at any time.

* When: once daily, only while the opt-in is enabled.
* Data sent: a non-personal snapshot of the site environment (server, WordPress, PHP and database versions, the list of active plugins and themes) and aggregate WordSec feature-usage and security statistics. No passwords, database credentials, secret keys or e-mail addresses are ever sent.

Terms of Service: https://wordsec.net/terms
Privacy Policy: https://wordsec.net/privacy

Have I Been Pwned (api.pwnedpasswords.com)
Used by the optional leaked-password check to detect whether a password appears in known data breaches, using k-anonymity.
* When: when a user sets or submits a password and the leaked-password check is enabled.
* Data sent: only the first 5 characters of the SHA-1 hash of the password. The password itself and its full hash never leave your site.
* Terms & Privacy: https://haveibeenpwned.com/Privacy
WordPress.org API (api.wordpress.org, downloads.wordpress.org, wordpress.org, core.svn.wordpress.org)
Used to verify WordPress core, plugin and theme file integrity, to look up public plugin/theme information (plugins_api/themes_api) for the supply-chain reputation scores and update-integrity checks, and — only when you click “Repair” on a scanner finding — to download the original copy of a modified core/plugin/theme file so it can be restored. Repair downloads come from downloads.wordpress.org (plugin/theme zips), wordpress.org (core release zips) and core.svn.wordpress.org (single core files).
* When: during malware/integrity scans and supply-chain reputation checks, and on an explicit repair action.
* Data sent: the WordPress core version, site locale, and the slugs/versions of the plugins/themes being checked.
* Terms & Privacy: https://wordpress.org/about/privacy/
RDAP (rdap.org)
Used by the WHOIS/RDAP lookup tool on the Tools page to show ownership information for an IP address or domain you inspect.
* When: only when you run the WHOIS/RDAP lookup tool.
* Data sent: the IP address or domain you chose to look up.
* Terms & Privacy: https://about.rdap.org/
ipify (api.ipify.org)
Used by the Tools page blacklist checker and the server-info tool to determine your server’s own public IP address.
* When: only when you run the “Blacklist Check” or “Server IPs” tool.
* Data sent: a plain request from your server; no site data is included (the service simply echoes the requesting IP).
* Terms & Privacy: https://www.ipify.org/
DNS blocklist providers (Blacklist Check tool)
The Tools page “Blacklist Check” queries DNS-based blocklists (DNSBLs) to tell you whether your server’s public IPv4 address is listed. Each provider receives a standard DNS query containing your server’s IP address in reversed form. Five providers are queried:
* Spamhaus ZEN (zen.spamhaus.org) – https://www.spamhaus.org/privacy-notice/
* SpamCop (bl.spamcop.net), operated by Cisco – https://www.cisco.com/c/en/us/about/legal/privacy-full.html
* Barracuda Reputation Block List (b.barracudacentral.org) – https://www.barracuda.com/company/legal/privacy-policy
* UCEPROTECT Level 1 (dnsbl-1.uceprotect.net) – https://www.uceprotect.net/en/index.php
* PSBL (psbl.surriel.com) – https://psbl.org/
Details:
* When: only when you click “Blacklist Check” on the Tools page.
* Data sent: your server’s public IPv4 address, embedded in each DNS blocklist query.
Telegram Bot API (api.telegram.org)
Optional alarm delivery channel. Active only when you configure your own Telegram bot token and chat ID.
* When: when a security alarm you enabled fires and Telegram delivery is configured.
* Data sent: the alarm message text (event type, site name, relevant IP/user context) to the bot/chat you configured.
* Terms of Service: https://telegram.org/tos
* Privacy Policy: https://telegram.org/privacy
Slack Incoming Webhooks (hooks.slack.com)
Optional alarm delivery channel. Active only when you configure your own Slack incoming-webhook URL.
* When: when a security alarm you enabled fires and Slack delivery is configured.
* Data sent: the alarm message text (event type, site name, relevant IP/user context) to the webhook you configured.
* Terms of Service: https://slack.com/terms-of-service
* Privacy Policy: https://slack.com/privacy-policy
Google reCAPTCHA (www.google.com, www.gstatic.com)
Optional login/registration CAPTCHA. Active only when you select reCAPTCHA and provide your own keys.
* When: on login and registration forms while enabled.
* Loaded remotely: reCAPTCHA requires its widget script (www.google.com/recaptcha/api.js, served with assets from www.gstatic.com) to be loaded from Google in the visitor’s browser; it is enqueued only on those forms and only while reCAPTCHA is the selected provider. Token verification is a server-side call from your site to www.google.com.
* Data sent: the CAPTCHA response token, your public site key, and the visitor’s IP address.
* Terms of Service: https://policies.google.com/terms
* Privacy Policy: https://policies.google.com/privacy
hCaptcha (hcaptcha.com, js.hcaptcha.com)
Optional login/registration CAPTCHA. Active only when you select hCaptcha and provide your own keys.
* When: on login and registration forms while enabled.
* Loaded remotely: hCaptcha requires its widget script (js.hcaptcha.com/1/api.js) to be loaded from hCaptcha in the visitor’s browser; it is enqueued only on those forms and only while hCaptcha is the selected provider. Token verification is a server-side call from your site to hcaptcha.com.
* Data sent: the CAPTCHA response token, your public site key, and the visitor’s IP address.
* Terms of Service: https://www.hcaptcha.com/terms
* Privacy Policy: https://www.hcaptcha.com/privacy
Cloudflare Turnstile (challenges.cloudflare.com)
Optional login/registration CAPTCHA. Active only when you select Turnstile and provide your own keys.
* When: on login and registration forms while enabled.
* Loaded remotely: Turnstile requires its widget script (challenges.cloudflare.com/turnstile/v0/api.js) to be loaded from Cloudflare in the visitor’s browser; it is enqueued only on those forms and only while Turnstile is the selected provider. Token verification is a server-side call from your site to challenges.cloudflare.com.
* Data sent: the CAPTCHA response token, your public site key, and the visitor’s IP address.
* Terms of Service: https://www.cloudflare.com/website-terms/
* Privacy Policy: https://www.cloudflare.com/privacypolicy/
ipwhois.io (ipwho.is)
Optional IP geolocation service, disabled by default. All requests go over HTTPS with certificate verification, and none are made until you enable “External IP Lookup Service” in WordSec Settings (Visitor IP Handling section). It is used for three things: (1) resolving a visitor IP’s country when no local GeoIP database is available, (2) resolving a visitor IP’s city for the Live Traffic log when the local database cannot answer, and (3) the “IP details” lookup in Live Traffic (country, region, city, ISP, organization, ASN).
* When: only while the External IP Lookup Service opt-in is enabled — automatically for country/city during traffic logging, and on your click for the IP details lookup.
* Data sent: the IP address being looked up (a visitor’s IP for country/city, or the IP you chose to inspect).
* Terms of Service: https://ipwhois.io/terms
* Privacy Policy: https://ipwhois.io/privacy
VirusTotal (virustotal.com)
Not contacted automatically. The scanner shows a “Check on VirusTotal” link you can click to open VirusTotal in your browser for a given file.
* When: only when you click the link.
* Data sent: the file hash contained in the link URL.
* Terms & Privacy: https://docs.virustotal.com/docs/privacy-policy
Qualys SSL Labs (ssllabs.com)
Not contacted automatically. The Tools page “Check SSL Health” test runs entirely on your own server (it opens a TLS connection to your own domain and reads the certificate). Next to it, a “Deep Scan (SSL Labs)” link opens the Qualys SSL Labs test in a new browser tab; SSL Labs then connects to your site from the outside and grades its TLS configuration. The link carries the “hide results” flag, so the report is not published on the SSL Labs public board.
* When: only when you click the “Deep Scan (SSL Labs)” link.
* Data sent: your site’s domain name, contained in the link URL.
* Terms: https://www.ssllabs.com/about/terms.html
* Privacy: https://www.qualys.com/company/privacy/
Credits
WordSec bundles the third-party libraries listed below. Every library is distributed under a license compatible with WordSec’s own “GPLv2 or later” license. Each bundled library keeps its in-file license banner and/or its upstream license file, and the full original (unminified) source for each is available at the linked project and version.
PHP libraries (`vendor/`)
TCPDF 6.11.3
* License: LGPL-3.0-or-later
* Copyright: Nicola Asuni, Tecnick.com LTD
* Source: https://github.com/tecnickcom/TCPDF
* License file: vendor/tecnickcom/tcpdf/LICENSE.TXT
* Used for: PDF report/export generation
SimpleXLSXGen 1.5.x
* License: MIT
* Copyright: (c) 2020-2022 Sergey Shuchkin
* Source: https://github.com/shuchkin/simplexlsxgen
* License file: vendor/shuchkin/simplexlsxgen/LICENSE
* Used for: XLSX (Excel) export
JavaScript / CSS libraries (`assets/*/vendor/`)
Select2 4.1.0-rc.0
* License: MIT
* Copyright: Kevin Brown, Igor Vaynberg, and the Select2 contributors
* Source: https://github.com/select2/select2
* License text: https://github.com/select2/select2/blob/master/LICENSE.md
* Bundled files: assets/js/vendor/select2.min.js, assets/css/vendor/select2.min.css
ApexCharts 5.16.0
* License: MIT
* Copyright: (c) 2018-2026 ApexCharts
* Source: https://github.com/apexcharts/apexcharts.js
* License text: https://github.com/apexcharts/apexcharts.js/blob/main/LICENSE
* Bundled files: assets/js/vendor/apexcharts.min.js
jsVectorMap 1.7.0
* License: MIT
* Copyright: (c) Mustafa Omar and the jsVectorMap contributors
* Source: https://github.com/themustafaomar/jsvectormap
* License text: https://github.com/themustafaomar/jsvectormap/blob/master/LICENSE
* Bundled files: assets/js/vendor/jsvectormap.min.js, assets/css/vendor/jsvectormap.min.css
* Used for: world map visualizations (Live Traffic / Blocking / Firewall)
World map data (world_mill), registered as the jsVectorMap “world” map
* License: MIT
* Copyright: jvectormap-content contributors; map geometry derived from Natural Earth (public domain)
* Source: https://www.npmjs.com/package/jvectormap-content
* Bundled files: assets/js/vendor/world.js
* Used for: the country geometry rendered by the world map visualizations above
qrcode-generator 1.4.4
* License: MIT
* Copyright: Kazuhiko Arase
* Source: https://github.com/kazuhikoarase/qrcode-generator
* License text: https://github.com/kazuhikoarase/qrcode-generator/blob/master/LICENSE
* Bundled files: assets/js/vendor/qrcode.min.js
Icons / assets
flag-icons (country flag SVGs)
* License: MIT (SVG markup); the flag designs themselves are in the public domain
* Copyright: (c) 2013 Panayiotis Lipiridis
* Source: https://github.com/lipis/flag-icons
* License text: https://github.com/lipis/flag-icons/blob/main/LICENSE
* Bundled files: assets/images/flags/*.svg (country flags, 4×3 viewBox="0 0 640 480")

延伸相關外掛

文章
Filter
Apply Filters
Mastodon