July 3, 2026
February 11, 2026
Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls.
Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, closed plugin detection, malware detection, user management, security audit logging, under attack mode and much more.
Once activated, Vigilant immediately applies firewall rules against common attacks (SQL injection, XSS, file inclusion), security headers, login attempt monitoring, XML-RPC blocking, WordPress version hiding and sensitive file protection (.htaccess, wp-config.php), after automatically backing up your existing configuration files.
Choose a preset and get protected instantly:
Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation.
Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups.
You can always customize individual settings after applying a preset.
Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly:
Under Attack mode works independently from your preset configuration. Your regular settings are preserved and restored when the mode deactivates.
Add a second verification step to your WordPress login:
Block malicious requests before they reach WordPress:
Stop unauthorized access attempts:
Comprehensive user account protection:
?author=N URLs so WordPress doesn’t redirect them to /author/USERNAME/ and leak the login slug
Achieve Grade A security ratings:
Server: header is neutralized and X-Powered-By and other fingerprinting headers are stripped from responses
Detect unauthorized changes to your files and compromised plugins:
Track everything happening on your site:
Audit Alerts – get an email when the audit log points to something worth your attention, off by default and configured under Security Audit:
On-demand security audit built into the Dashboard. No external services, no accounts, no API keys – everything runs on your server:
wp_ table prefix, admin username, administrators without 2FA enrolled, module status, recent audit errors, last File Integrity scan result and whether audit alerts are configured
Layered protection at the WordPress level – admin, content, head, feeds and database:
wp_ table prefix and one-click rename tool with full backup before the change
Control API access to your site:
/wp-json/wp/v2/users
Utilities included:
Your existing .htaccess, wp-config.php and robots.txt are automatically backed up before any modifications. Backups are stored in the WordPress database, never as files under the web root, and verified with MD5 checksums.
When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites.
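The backup-to-database pattern described above, shown as an added illustration rather than Vigilant's own code: the option name, the function names and placing the hooks in the main plugin file are assumptions.

```php
<?php
// Added example, not Vigilant's own code: snapshot a configuration file into the
// WordPress options table together with its MD5, and refuse to restore a copy whose
// checksum no longer matches. Option and function names are hypothetical.

function vigilant_example_backup_file(string $path, string $option): bool {
    $contents = file_get_contents($path);
    if ($contents === false) {
        return false; // nothing to back up (file missing or unreadable)
    }
    $backup = [
        'path'     => $path,
        'contents' => $contents,
        'md5'      => md5($contents),
        'time'     => time(),
    ];
    return update_option($option, $backup, false); // autoload off: only needed on restore
}

function vigilant_example_restore_file(string $option): bool {
    $backup = get_option($option);
    if (!is_array($backup) || !isset($backup['contents'], $backup['md5'], $backup['path'])) {
        return false; // no backup recorded
    }
    if (!hash_equals($backup['md5'], md5($backup['contents']))) {
        return false; // stored copy is corrupted: leave the live file alone
    }
    return file_put_contents($backup['path'], $backup['contents'], LOCK_EX) !== false;
}

// Back up on activation, restore on deactivation (hook placement assumed).
register_activation_hook(__FILE__, function () {
    vigilant_example_backup_file(ABSPATH . '.htaccess', 'vigilant_example_htaccess_backup');
});
register_deactivation_hook(__FILE__, function () {
    vigilant_example_restore_file('vigilant_example_htaccess_backup');
});
```

Because the backup lives in wp_options rather than under the web root, it cannot be fetched over HTTP, and the checksum check stops a damaged row from overwriting a working .htaccess on deactivation.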
Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront – no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, security audit, on-demand Security Check with weekly regression alerts, and more. All free, all maintained, all following WordPress coding standards.
We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each offers in its free version and where Vigilant fills the gaps.
Need private support or custom development?
Do you need one-on-one help, priority troubleshooting, or a custom feature, integration, or tweak built specifically for your site? I offer private support and custom development. Just contact me and tell me what you need.
Need help or have suggestions?
Love the plugin? Please leave us a 5-star review and help spread the word!
We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.
/wp-content/plugins/vigilante/ or install directly from the WordPress plugin repository
Requirements:
No. Vigilant is optimized for performance. The firewall uses efficient pattern matching, database queries are cached with transients, and .htaccess rules execute at server level before PHP even loads.
Vigilant immediately backs up your existing .htaccess and wp-config.php to the database, then applies default security settings. All modules are enabled with balanced defaults suitable for most sites.
All security modifications are automatically reverted. The .htaccess rules are removed, wp-config.php constants are restored to their original values, and scheduled tasks are cleared. Your site returns to its pre-Vigilant state.
Vigilant supports two 2FA methods. With the authenticator app (TOTP), you scan a QR code in your profile to link an app like Google Authenticator or Authy, then enter a 6-digit code from the app on every login. With email codes, you receive a one-time code via email after entering your password. If enabled by the site administrator, you can mark your device as trusted to skip 2FA for 30 days.
When you set up TOTP, Vigilant generates 10 backup codes. You can use any of them as a one-time replacement for the authenticator code. If you run out of backup codes, an administrator can reset your TOTP from the plugin settings.
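The two mechanics just described, a 6-digit authenticator code and a set of one-time backup codes, as an added example that is not Vigilant's code: the function names are hypothetical, the drift window is an assumption, and the Base32 secret in the usage line is the RFC 6238 test secret.

```php
<?php
// Added example, not Vigilant's code: RFC 6238 TOTP check with a +/-1 step drift window,
// plus single-use backup codes kept as password_hash() digests. Names are hypothetical.

function vigilant_example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $bits .= str_pad(decbin(strpos($alphabet, $c)), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $raw .= chr(bindec($byte)); }
    }
    return $raw;
}

function vigilant_example_totp(string $secret, int $counter, int $digits = 6): string {
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true); // 64-bit big-endian counter
    $offset = ord($hmac[19]) & 0x0f;                               // dynamic truncation
    $code = ((ord($hmac[$offset]) & 0x7f) << 24) | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8) | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the code for the current 30-second step or one step either side (clock drift).
function vigilant_example_verify_totp(string $b32secret, string $input, int $now, int $window = 1): bool {
    $secret = vigilant_example_base32_decode($b32secret);
    $step = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(vigilant_example_totp($secret, $step + $i), $input)) {
            return true;
        }
    }
    return false;
}

// Backup codes: a match consumes that code, so it can never be replayed.
function vigilant_example_use_backup_code(array &$hashed_codes, string $input): bool {
    foreach ($hashed_codes as $k => $hash) {
        if (password_verify($input, $hash)) {
            unset($hashed_codes[$k]);
            return true;
        }
    }
    return false;
}

// Constructed usage: RFC 6238 test secret ("12345678901234567890" in Base32) at T=59.
$ok = vigilant_example_verify_totp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59);
```

At enrolment a plugin following this model would generate the 10 backup codes with random_bytes(), show them once, and persist only their password_hash() digests in user meta.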
Check your spam folder first. You can click “Resend code” on the verification form. Codes expire after 10 minutes by default. If issues persist, an administrator can temporarily disable 2FA from the plugin settings.
Yes. Go to Login Security > Two-Factor Authentication and change the verification method. If notifications are enabled, affected users will receive an email explaining the new method and how to set it up.
By default, 2FA is enforced for administrators and editors. You can customize which roles require 2FA in the Login Security settings, and exclude specific users individually.
Access your site via FTP/SFTP and either rename the plugin folder to disable it temporarily, or delete the vigilante_login_attempts table rows for your IP address in the database.
The firewall is configured to allow normal WordPress operations, including the block editor, REST API, and popular page builders. If you experience issues, you can whitelist specific IPs or adjust rate limiting thresholds.
While Vigilant works standalone, running multiple security plugins can cause conflicts. We recommend testing in a staging environment first if you need to combine security solutions.
Yes. Vigilant is compatible with popular caching plugins. The firewall runs before cache layers, and .htaccess rules don’t interfere with caching mechanisms.
Yes. Vigilant includes compatibility settings for WooCommerce. The REST API security module automatically allows WooCommerce endpoints, and the firewall won’t block payment gateway connections.
Use the built-in header testing tool in the Security Headers tab, or visit securityheaders.com with your site URL to get a security grade.
Security Check is an on-demand audit built into the Dashboard. It runs 40+ checks across 6 categories (SSL/TLS, HTTP headers, WordPress exposure, access and authentication, sensitive files, and internal checks) and returns a 0–100 score with an A–E grade. Unlike external online scanners, it runs entirely on your server and has access to 14 exclusive internal checks: PHP end-of-life status, pending updates, closed/removed plugins, file permissions, default salts detection, administrators without 2FA enrolled, and more.
No. All checks run on your server. The only external traffic is three DNS-only lookups against public blacklists (Spamhaus, Barracuda, SpamCop) for the reputation category — these are standard DNS queries with no authentication, no API keys, and no payload beyond your site’s IP address. If you disable the reputation category, Security Check makes zero external network calls.
Run it manually after any significant change (plugin update, server migration, new user role configuration). For ongoing monitoring, enable the weekly automatic scan from the widget. You’ll only receive an email if the score drops by 10 points or more, or if a new critical check starts failing — so no spam from routine scans.
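The weekly regression rule just described, as an added sketch rather than Vigilant's own code: a scan run is modelled as an array with its 0–100 score and the IDs of critical checks currently failing; that shape, the check IDs and the function name are assumptions.

```php
<?php
// Added example, not Vigilant's own code: decide whether a weekly Security Check run
// warrants an alert email. Only a drop of 10+ points or a newly failing critical
// check triggers mail; routine runs stay silent. Data shape is an assumption.

function vigilant_example_alert_reason(array $previous, array $current): ?string {
    $drop = $previous['score'] - $current['score'];
    if ($drop >= 10) {
        return sprintf('score dropped from %d to %d', $previous['score'], $current['score']);
    }
    // Critical checks failing now that were passing last run.
    $new_failures = array_diff($current['failed_critical'], $previous['failed_critical']);
    if ($new_failures) {
        return 'new critical failures: ' . implode(', ', $new_failures);
    }
    return null; // routine scan, no email
}

// Constructed sample runs: a 3-point drop alone is silent, but the new critical
// failure (PHP end-of-life) is what triggers the alert.
$last_week = ['score' => 91, 'failed_critical' => []];
$this_week = ['score' => 88, 'failed_critical' => ['php_end_of_life']];

$reason = vigilant_example_alert_reason($last_week, $this_week);
if ($reason !== null) {
    wp_mail(get_option('admin_email'), 'Vigilant Security Check regression', $reason);
}
```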
You can require users to change their passwords after a set number of days (30, 60, 90, etc.). Users receive warnings before expiration and are forced to change their password on next login when it expires. Password history prevents reusing recent passwords.
When enabled, new user registrations require manual approval by an administrator before the account becomes active. Pending users cannot log in until approved. You can configure auto-rejection after a set number of days.
New users must verify their email address by clicking a link before their account becomes active. This prevents fake registrations and ensures valid contact information.
You can limit how many concurrent sessions each user can have. When the limit is reached, either the new login is blocked or the oldest session is terminated, depending on your configuration.
Yes. The security audit log can be exported to CSV format for external analysis or compliance reporting. You can also filter logs by event type, user, or date range before exporting.
The scanner compares WordPress core files, plugin files, and theme files against official checksums from WordPress.org. Plugins and themes without available checksums are also scanned using strict obfuscation pattern detection. The uploads directory is scanned for PHP files, double extensions, and .htaccess files. Extra PHP files not present in original distributions are detected and, if they contain suspicious code, automatically flagged as suspicious.
You can configure automatic scans to run daily or weekly. You can also run manual scans at any time. Email notifications support three levels: all issues, suspicious files only, or disabled.
Standard applies balanced settings suitable for most sites. Maximum applies stricter rules: lower rate limits, tighter CSP policies, required admin notifications, session limits, and more aggressive hardening. Maximum may require adjustments for sites with complex functionality.
Configuration backups (.htaccess, wp-config.php, robots.txt) are stored in the WordPress database, not as files under the web root, so they can never be served over HTTP. A database backup you download is generated as a temporary ZIP with an unguessable name and removed right after the download.
Under Attack mode is an emergency feature you can activate when your site is experiencing an active attack. It adds a JavaScript challenge that real browsers solve automatically in a few seconds, while bots and automated scripts are blocked completely. It also applies aggressive rate limiting, blocks restricted HTTP methods, and restricts API access.
No. Logged-in users, admin pages, cron jobs, AJAX requests, and the login page are all excluded from the JavaScript challenge. Only unauthenticated frontend visitors see the verification page.
It automatically deactivates after 4 hours. You will also receive an email notification when it activates and deactivates.
No. It operates independently from your preset configuration (Standard or Maximum). Your regular settings are untouched and continue working normally after Under Attack mode deactivates.
Go to Vigilant > Tools > Database Backup. Select which tables to include (or leave all selected), then click Download. The backup is generated as a temporary ZIP with an unguessable name, streamed to your browser and deleted from the server immediately after the download.
WordPress uses wp_ as default table prefix. Changing it to a random prefix adds a layer of protection against SQL injection attacks that target default table names. Go to Vigilant > WP Hardening > Database Hardening. Always create a backup before changing the prefix.
Go to Vigilant > Firewall > User-Agent Lists and add the service name (e.g., ManageWP, MainWP, UptimeRobot) to the User-Agent Whitelist. Partial matching is used, so entering “ManageWP” will match any User-Agent string containing that keyword.
If you also use a custom login URL, add the management dashboard’s IP address to the firewall IP Whitelist as well. Some operations (for example pushing a plugin update from MainWP) reach wp-admin without a WordPress session and with a generic WordPress user agent rather than the service name, so the User-Agent rule alone would not match them. A whitelisted IP is allowed past the hidden login/wp-admin protection (it still has to authenticate).
Yes. Go to Vigilant > Settings & Tools > Notification settings. You can add additional email recipients (one per line) and optionally uncheck the WordPress admin email. This is useful for maintenance professionals managing multiple sites who need to receive all security alerts.
Yes. Use the vigilante_notification_recipients filter. It receives and returns an array of email addresses used for all administrative notifications:
```php
add_filter( 'vigilante_notification_recipients', function( $recipients ) {
	// Append an extra address to the list Vigilant would otherwise notify.
	$recipients[] = 'security-team@example.com';
	return $recipients;
} );
```
For older changelog entries, please check the changelog.txt file