NHR Secure – Login Security, Firewall, 2FA & Audit Log

Keep your WordPress site safe with minimal effort. NHR Secure helps you:

• Hide or protect your admin area from unauthorized access.
• Limit login attempts to prevent brute-force attacks.
• Hide debug logs to prevent sensitive information disclosure.
• Add 2FA to your WordPress site.
• Scan core files, plugins, and themes for known vulnerabilities.
• Monitor site health with one-click security recommendations.
• Protect against SQL injection, XSS, and LFI attacks.
• Block malicious IPs and entire countries.

Features at a glance:

🔒 Limit Login Attempts

Stop brute-force attacks by temporarily blocking IPs after repeated failed login attempts.
– Configurable attempt limit (1-20, default: 5)
– Blocks based on IP + Username combination
– Auto-unblock after 2 hours

🔐 Custom Login Page

Hide wp-login.php and use a custom login URL.
– Default custom URL: /hidden-access-52w
– Blocks direct access to wp-login.php and wp-admin for guests

🛡️ Protect Debug Log File

Blocks direct access to /wp-content/debug.log
– Returns 403 Forbidden for all users

⚙️ Modern Settings Page

Configure everything from a beautiful React-powered interface.
– Located under Tools → NHR Secure
– Dark Mode support for comfortable viewing
– Enable/disable each feature

🔐 Two-Factor Authentication (2FA)

Enable two-factor authentication for users.
– Support for Authenticator Apps and Email OTP
– Enforce 2FA for specific user roles (e.g., Administrators)
– Recovery Codes for emergency access
– QR code setup for Authenticator Apps

🛡️ Vulnerability Checker

Automatically scan your installed plugins, themes, and WordPress core against a known vulnerability database.
– Daily automatic scans
– Alerts for critical security issues
– Check file integrity

🖥️ User Session Management

Monitor and control active user sessions to prevent unauthorized access.
– View Active Sessions: See IP, location, device, and login time for all logged-in users.
– Remote Logout: Instantly log out suspicious sessions or all other devices.
– Idle Timeout: Automatically log out inactive users after a set period.

🧱 Hardening & Firewall

Essential security hardening to lock down your WordPress site.
– Disable XML-RPC: Prevent remote attacks and brute-force attempts.
– Disable File Editor: Stop file modifications from the dashboard.
– Hide WP Version: Obscure your WordPress version from attackers.
– Block User-Agents: Prevent bad bots and scrapers from accessing your site.
– Disable User Enumeration: Stop attackers from harvesting usernames via REST API.

📝 Activity Audit Log

Keep a record of important security events on your site.
– Tracks logins, failed attempts, file changes, and settings updates.
– View user, IP, and event details.
– Configurable log retention policy.

🏥 Security Health Check & One-Click Secure

Get an instant overview of your site’s security posture.
– Security Score: View your overall protection percentage and grade (A+ to F).
– Health Dashboard: See which security features are active and which need attention.
– One-Click Secure: Apply recommended security settings instantly.
– 11 Security Checks: Comprehensive analysis of your security status.

🛡️ Advanced Firewall (IPS)

Proactive intrusion prevention system that blocks malicious requests in real-time.
– SQL Injection Protection: Detect and block SQLi attacks automatically.
– XSS Prevention: Stop cross-site scripting attempts.
– LFI Protection: Prevent local file inclusion attacks.
– Pattern Matching: Advanced regex-based detection for common attack vectors.
– Automatic Blocking: Suspicious requests are blocked before they reach WordPress.

🌍 IP & Country Management

Control access to your site with granular IP and geographic filtering.
– IP Whitelist: Allow trusted IPs to bypass all security filters.
– IP Blacklist: Block malicious IPs permanently from your site.
– CIDR Support: Use CIDR notation for blocking entire IP ranges (e.g., 192.168.1.0/24).
– Country Blocking: Block access from 90+ countries using GeoIP lookup.
– Smart Caching: GeoIP lookups are cached for 24 hours for optimal performance.
– Private IP Detection: Automatically skip local/private IPs.

⚡ Lightweight & Minimal

Designed to deliver maximum security with minimal code. No bloat, no complexity.
– Compatible with most WordPress themes and plugins.

External Services

This plugin utilizes the WPVulnerability API to check for vulnerabilities.
– Service: WPVulnerability
– Data: Only plugin slugs and versions are sent. No personal data is collected.

1. Upload the nhrrob-secure plugin folder to your /wp-content/plugins/ directory.
2. Activate the plugin through the ‘Plugins’ menu in WordPress.
3. Navigate to Tools → NHR Secure to configure settings.