HT Security

Description

HT Security is a complete security suite for WordPress, offering multiple layers of protection for your website.

Important – External Service:
This plugin queries the National Vulnerability Database (NVD) API to check for known CVE vulnerabilities. Requests are made to:
* API URL: https://services.nvd.nist.gov/rest/json/cves/2.0
* Terms of Use: https://nvd.nist.gov/general/legal-disclaimer
* Privacy Policy: https://www.nist.gov/privacy-policy
* Frequency: Automatic check every 12 hours or manual on-demand
* Data sent: Name and version of WordPress/installed plugins (no personal data is sent)

The NVD API query is essential for the plugin’s CVE vulnerability detection functionality.

Key Features

  • Security Headers – HSTS, X-Frame-Options, Content-Security-Policy, and more
  • Login Alerts – Email notifications for successful and failed login attempts with rate limiting
  • Core Integrity Check – Verify WordPress core files against official checksums with 24h cache
  • CVE Vulnerability Detection – Check WordPress Core and active plugins against NVD database
  • User Enumeration Protection – Block user enumeration via REST API and author parameters
  • Maintenance Mode – Blocks visitors while the site is being worked on, with an authorized IP whitelist (IPv4, IPv6, CIDR support)
  • File Permissions Audit – Audit and automatic correction of critical file permissions
  • Plugin Security Indicators – Visual badges on plugins page showing vulnerability status
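
How the security-header feature above fits together, as an added example that is not HT Security's own code: a function that builds the header set, with the HSTS and CSP caveats a practitioner wants. The `example_*` names, the default policy value and the report-only default are assumptions for illustration; `send_headers` is the real WordPress action such a plugin would use.

```php
<?php
// Added example (not the plugin's code): build the security headers for one response.
// example_* names and default values are assumptions for illustration.

/**
 * Return the security headers to send for this request.
 *
 * @param bool   $is_https        Whether the request arrived over TLS.
 * @param bool   $csp_report_only Emit Content-Security-Policy-Report-Only instead of the
 *                                enforcing header: nothing is blocked, violations are
 *                                reported to the browser console / report endpoint. This is
 *                                how a new policy is trialled before it is enforced.
 * @param string $csp             Policy value; the default allows only same-origin resources.
 * @return array<string,string>   header name => value
 */
function example_security_headers(bool $is_https, bool $csp_report_only, string $csp = "default-src 'self'"): array
{
    $headers = [
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
    ];

    // HSTS is only honoured on an HTTPS response; browsers ignore it over plain HTTP.
    // includeSubDomains pins every subdomain to TLS for max-age seconds, so it must only
    // go out once all of them actually serve HTTPS. "preload" is deliberately left off:
    // it is near-impossible to undo once submitted.
    if ($is_https) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    $name = $csp_report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    $headers[$name] = $csp;

    return $headers;
}

/**
 * Emit the headers. Inside WordPress this is hooked to send_headers; the guard keeps the
 * file runnable from the command line without WordPress.
 */
function example_send_security_headers(): void
{
    $is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    foreach (example_security_headers($is_https, /* report-only while testing */ true) as $name => $value) {
        header($name . ': ' . $value);
    }
}

if (function_exists('add_action')) {
    add_action('send_headers', 'example_send_security_headers');
} else {
    // Stand-alone demonstration: an HTTPS response in report-only mode, then an HTTP one enforcing.
    print_r(example_security_headers(true, true));
    print_r(example_security_headers(false, false));
}
```

Run it in report-only mode first and watch the browser console on wp-admin pages: the admin interface relies on inline scripts and styles, which a bare `default-src 'self'` policy flags, and that is what a "WordPress Optimized" preset has to accommodate before the enforcing header is switched on.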

CVE Detection Features

  • Integration with NVD (National Vulnerability Database) API 2.0
  • Check WordPress Core and active plugins for known vulnerabilities
  • Intelligent batch processing with rate limiting
  • 8 layers of anti-false-positive validation
  • Vulnerability badges on plugins page (enable/disable option)
  • Dismissible alerts per user
  • Email notification when vulnerabilities are detected
  • Automatic check every 12 hours
  • NVD API Key support (increased rate limit)

Security Improvements in v1.5.0

  • IP Spoofing Fix – Properly detects real IP behind Cloudflare, proxies, and load balancers
  • Capability Check Fix – Authorization verified before processing
  • Rate Limiting by IP – More granular rate limiting for login alerts
  • Input Validation – Maximum length validation for feedback form

Supported Languages

  • English (US) – 100%
  • English (UK) – 100%
  • Português do Brasil – 100%
  • Português de Portugal – 100%
  • Español – 100%

License

This plugin is licensed under the GNU General Public License v2.0 or later. For more information, visit https://www.gnu.org/licenses/gpl-2.0.html.

Screenshots

  • Plugin settings page with all security options
  • CVE vulnerability check results

Installation

  1. Upload the ht-security folder to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Go to ‘Settings > HT Security’ to configure

FAQ

When does the plugin send emails?

Successful logins, failed logins, and when CVE vulnerabilities are detected (if CVE alerts option is enabled).

Can I disable the security headers?

Yes, through the settings page.

Does the plugin check WordPress Core integrity?

Yes, since version 1.1.0 we added this functionality to provide clear security visibility for administrators.

How does CVE vulnerability detection work?

The plugin queries the NVD (National Vulnerability Database) to check for known vulnerabilities in WordPress Core and active plugins. The check runs automatically every 12 hours and can also be run manually.

Do I need an NVD API Key?

It’s not required, but recommended. Without an API Key, the rate limit is 5 requests per 30 seconds. With a free API Key, it increases to 50 requests per 30 seconds, making checks much faster.

Can vulnerability badges be disabled?

Yes! In HT Security settings there’s an option to disable badges on the plugins page. The top alert will continue to work.

How do dismissible alerts work?

You can close alerts on the plugins page by clicking the X. They won’t reappear until the next vulnerability check. The dismissed state is saved per user.

How does user enumeration blocking work?

The plugin blocks requests that list users through the REST API (the /wp/v2/users routes) and requests of the form ?author=N, which WordPress would otherwise redirect to /author/<username>/ and so reveal the login name.
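
The two enumeration paths from the answer above as request-level checks, added here as an example rather than taken from the plugin. `example_is_user_enumeration` is our own helper and runs without WordPress; the hook names under the `function_exists()` guard (`rest_endpoints`, `template_redirect`) and the `is_user_logged_in`, `wp_die` calls are real WordPress APIs.

```php
<?php
// Added example (not the plugin's code): detect and block user-enumeration requests.
// example_* names are assumptions; the WordPress hooks and functions are real.

/**
 * Decide whether an anonymous request is a user-enumeration attempt.
 *
 * @param string $path      Request path, e.g. "/wp-json/wp/v2/users"
 * @param array  $query     Parsed query string
 * @param bool   $logged_in Whether the request carries a valid WordPress session
 */
function example_is_user_enumeration(string $path, array $query, bool $logged_in): bool
{
    if ($logged_in) {
        return false; // authenticated users may legitimately query the users endpoint
    }

    // REST users routes, both as a pretty path and as ?rest_route= (used when pretty
    // permalinks are off, and a common way to bypass path-based blocks).
    $route = (string) ($query['rest_route'] ?? '');
    if (preg_match('#/wp/v2/users(/|$)#', $path) || preg_match('#/wp/v2/users(/|$)#', $route)) {
        return true;
    }

    // /?author=1 makes WordPress 301 to /author/<username>/, leaking the login name.
    if (isset($query['author']) && preg_match('/^\d+$/', (string) $query['author'])) {
        return true;
    }

    return false;
}

if (function_exists('add_filter')) {
    // Drop the users routes from the REST server for anonymous requests; they then 404
    // with rest_no_route instead of returning the user list.
    add_filter('rest_endpoints', function (array $endpoints): array {
        if (!is_user_logged_in()) {
            foreach (array_keys($endpoints) as $route) {
                if (preg_match('#^/wp/v2/users#', $route)) {
                    unset($endpoints[$route]);
                }
            }
        }
        return $endpoints;
    });

    // Priority 0 so this runs before redirect_canonical() (priority 10) performs the
    // ?author=N -> /author/<username>/ redirect.
    add_action('template_redirect', function (): void {
        $path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
        if (example_is_user_enumeration($path, $_GET, is_user_logged_in())) {
            wp_die('Forbidden', 'Forbidden', ['response' => 403]);
        }
    }, 0);
} else {
    // Stand-alone demonstration with constructed requests.
    var_dump(example_is_user_enumeration('/wp-json/wp/v2/users', [], false));
    var_dump(example_is_user_enumeration('/', ['rest_route' => '/wp/v2/users/1'], false));
    var_dump(example_is_user_enumeration('/', ['author' => '1'], false));
    var_dump(example_is_user_enumeration('/', ['author' => '1'], true));
    var_dump(example_is_user_enumeration('/wp-json/wp/v2/posts', [], false));
}
```

The demonstration covers the pretty REST path, the `?rest_route=` form, the author parameter, the same author request from a logged-in session, and an unrelated REST route. Note that usernames also surface through other channels (author archive links in themes, the oEmbed endpoint, login error messages), so this check reduces enumeration rather than making usernames secret.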

Does maintenance mode affect administrators?

No, logged-in administrators can continue accessing the site normally.
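
The decision behind this answer, and behind the v1.5.0 "real IP behind Cloudflare, proxies, and load balancers" fix listed under Security Improvements, as one added example (not HT Security's code): an IPv4/IPv6/CIDR matcher for the whitelist, a client-IP function that only believes proxy headers when the TCP peer is a known proxy, and the maintenance-mode decision that lets administrators through. The `example_*` names, the trusted-proxy list and the whitelist values are assumptions; the address ranges in the demo are documentation ranges, except `2400:cb00::/32`, which is one Cloudflare IPv6 range and should be taken from Cloudflare's published list rather than hard-coded.

```php
<?php
// Added example (not the plugin's code): whitelist matching, trusted-proxy client IP,
// and the maintenance-mode decision. example_* names and the lists are assumptions.

/** True if $ip (IPv4 or IPv6) falls inside $entry, a single address or a CIDR block. */
function example_ip_matches(string $ip, string $entry): bool
{
    [$net, $bits] = array_pad(explode('/', trim($entry), 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false; // IPv4 entry never matches an IPv6 client and vice versa
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare the first $bits bits: whole bytes first, then the partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function example_ip_in_list(string $ip, array $list): bool
{
    foreach ($list as $entry) {
        if (example_ip_matches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

/**
 * Client IP as seen through reverse proxies. Header values are written by whoever sent
 * the request, so they are only believed when REMOTE_ADDR (the TCP peer) is a proxy we
 * operate or Cloudflare; otherwise REMOTE_ADDR itself is the answer. Believing the
 * headers unconditionally is the spoofing problem (CWE-290): a direct client could send
 * "X-Forwarded-For: <whitelisted IP>" and walk through the maintenance whitelist.
 */
function example_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!example_ip_in_list($remote, $trustedProxies)) {
        return $remote;
    }
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $h) {
        if (empty($server[$h])) {
            continue;
        }
        // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends its peer. Walk
        // from the right and stop at the first hop that is not a trusted proxy; anything
        // further left was supplied by the client and may be forged.
        $hops = array_map('trim', explode(',', $server[$h]));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
                break;
            }
            if (!example_ip_in_list($hops[$i], $trustedProxies)) {
                return $hops[$i];
            }
        }
    }
    return $remote;
}

/** Maintenance mode: administrators pass, then the whitelist, everyone else is blocked. */
function example_maintenance_allows(string $clientIp, array $whitelist, bool $isAdmin): bool
{
    return $isAdmin || example_ip_in_list($clientIp, $whitelist);
}

// Constructed demonstration values.
$trusted   = ['10.0.0.0/8', '2400:cb00::/32'];     // our load balancers + one Cloudflare range (assumption)
$whitelist = ['203.0.113.0/24', '2001:db8::/32'];  // documentation ranges standing in for office IPs

$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'];
$proxied = ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5, 10.9.9.9'];

var_dump(example_maintenance_allows(example_client_ip($direct, $trusted), $whitelist, false));
var_dump(example_maintenance_allows(example_client_ip($proxied, $trusted), $whitelist, false));
var_dump(example_maintenance_allows('192.0.2.1', $whitelist, true));
var_dump(example_ip_matches('2001:db8::1', '2001:db8::/32'));
```

In the demonstration the first request reaches the server directly with a forged X-Forwarded-For and is judged by its real address, the second arrives through a trusted load balancer and is judged by the client address the balancer recorded, and the third shows the administrator bypass. Whatever resolves the client IP here is the same value that should feed the per-IP login-alert rate limiting, otherwise that limit is just as spoofable.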

Does automatic permission correction always work?

It depends on server settings. In some cases, manual correction via FTP/SSH may be necessary.

Does the anti-false-positive system work well?

Yes! We implemented 8 layers of validation: name validation, version validation, generic term filtering, addon detection, license variant detection, word matching, word count ratio, and more. This eliminates over 99% of false positives.
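
The two FAQ answers above (how the NVD query works, and the name/version validation layers) as one added example that is not the plugin's own code: the shape of an NVD API 2.0 request for one component, and the decision of whether a returned CVE actually covers the installed version, using the `cpeMatch` range fields NVD publishes. The sample response is constructed; `CVE-0000-0000` is a placeholder, not a real advisory, and `example_vendor`/`example_plugin` are made-up CPE names. The `example_*` functions are our own.

```php
<?php
// Added example (not the plugin's code): NVD 2.0 request shape and CPE range matching.
// The sample JSON is constructed; the CVE id and vendor/product names are placeholders.

/** Request for one component. The key travels in the apiKey header, never in the URL. */
function example_nvd_request(string $vendor, string $product, ?string $apiKey): array
{
    $cpe = sprintf('cpe:2.3:a:%s:%s:*:*:*:*:*:*:*:*', $vendor, $product);
    return [
        'url' => 'https://services.nvd.nist.gov/rest/json/cves/2.0?' . http_build_query([
            'virtualMatchString' => $cpe,  // CVEs whose match criteria cover this product
            'resultsPerPage'     => 100,
        ]),
        'headers' => $apiKey ? ['apiKey' => $apiKey] : [],
    ];
}

/** Compare dotted versions with "1.4" and "1.4.0" treated as equal (version_compare alone does not). */
function example_vercmp(string $a, string $b): int
{
    $pa = explode('.', $a);
    $pb = explode('.', $b);
    $n  = max(count($pa), count($pb));
    return version_compare(implode('.', array_pad($pa, $n, '0')), implode('.', array_pad($pb, $n, '0')));
}

/**
 * Does one cpeMatch entry cover $vendor:$product at $version?
 * $m carries the NVD 2.0 fields: vulnerable, criteria, and optional
 * versionStartIncluding / versionStartExcluding / versionEndIncluding / versionEndExcluding.
 */
function example_cpe_match_hits(array $m, string $vendor, string $product, string $version): bool
{
    if (empty($m['vulnerable'])) {
        return false;
    }
    // criteria is cpe:2.3:<part>:<vendor>:<product>:<version>:...
    $f = explode(':', $m['criteria']);
    if (count($f) < 6 || $f[3] !== $vendor || $f[4] !== $product) {
        return false; // name validation: "example_plugin_pro" is not "example_plugin"
    }
    if ($f[5] !== '*' && $f[5] !== '-' && example_vercmp($f[5], $version) !== 0) {
        return false; // criteria names one exact version
    }
    if (isset($m['versionStartIncluding']) && example_vercmp($version, $m['versionStartIncluding']) < 0) {
        return false;
    }
    if (isset($m['versionStartExcluding']) && example_vercmp($version, $m['versionStartExcluding']) <= 0) {
        return false;
    }
    if (isset($m['versionEndIncluding']) && example_vercmp($version, $m['versionEndIncluding']) > 0) {
        return false;
    }
    if (isset($m['versionEndExcluding']) && example_vercmp($version, $m['versionEndExcluding']) >= 0) {
        return false;
    }
    return true;
}

/** True if any match node of one CVE record covers the installed component. */
function example_cve_affects(array $cve, string $vendor, string $product, string $version): bool
{
    foreach ($cve['configurations'] ?? [] as $conf) {
        foreach ($conf['nodes'] ?? [] as $node) {
            // AND-operator nodes combine a platform with the product; treating them like
            // OR nodes errs on the side of reporting, which is acceptable for a scanner.
            foreach ($node['cpeMatch'] ?? [] as $m) {
                if (example_cpe_match_hits($m, $vendor, $product, $version)) {
                    return true;
                }
            }
        }
    }
    return false;
}

// Constructed sample in the NVD 2.0 response shape: the free plugin is affected below
// 2.4.1, a separate "pro" product below 3.0.
$sample = json_decode('{"vulnerabilities":[{"cve":{"id":"CVE-0000-0000",
 "metrics":{"cvssMetricV31":[{"cvssData":{"baseSeverity":"HIGH"}}]},
 "configurations":[{"nodes":[{"operator":"OR","cpeMatch":[
  {"vulnerable":true,"criteria":"cpe:2.3:a:example_vendor:example_plugin:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"2.4.1"},
  {"vulnerable":true,"criteria":"cpe:2.3:a:example_vendor:example_plugin_pro:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"3.0"}
 ]}]}]}}]}', true);

$cve = $sample['vulnerabilities'][0]['cve'];
print_r(example_nvd_request('example_vendor', 'example_plugin', null));
var_dump(example_cve_affects($cve, 'example_vendor', 'example_plugin', '2.3.9'));
var_dump(example_cve_affects($cve, 'example_vendor', 'example_plugin', '2.4.1'));
var_dump(example_cve_affects($cve, 'example_vendor', 'example_plugin', '2.9'));
echo $cve['metrics']['cvssMetricV31'][0]['cvssData']['baseSeverity'] ?? 'UNKNOWN', "\n";
```

The three checks correspond to an affected install, the fixed version, and the free plugin at a version that only the pro product's range covers: the last one is the "license variant" false positive the FAQ describes, and it is rejected here by comparing the CPE product field exactly rather than by keyword. Whatever issues the requests must respect the limits quoted above (5 requests per rolling 30 seconds without a key, 50 with one), so a batch of plugins is queried with a delay between requests rather than all at once, and only vendor/product/version leave the site.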

Will new features be added?

Yes, we’re constantly improving the plugin with new features and security enhancements.

Changelog

1.5.0

  • NEW: CSP Custom Module (Advanced)
    • Custom Content-Security-Policy configuration
    • 4 preset modes: Strict, Moderate, WordPress Optimized, Custom
    • Report-Only mode for testing without blocking
    • Disabled by default to avoid breaking existing sites
    • Custom directives for all CSP directives (default-src, script-src, etc.)
  • NEW: WordPress Version Vulnerability Check
    • Automatic detection of vulnerable WordPress versions
    • Visual alert on plugin settings page with severity breakdown
    • Email notification when vulnerable version detected (enabled by default)
    • Direct link to update WordPress
    • Checks enabled by default
  • CRITICAL Security Fix: IP Spoofing Vulnerability (CWE-290)
    • Added htsec_get_user_ip() function to detect real IP behind Cloudflare, proxies, and load balancers
    • Support for CF_CONNECTING_IP, X-Forwarded-For, X-Real-IP headers with fallback
  • CRITICAL Security Fix: Capability Check Order (CWE-862)
    • Permission verification now occurs BEFORE processing in file permissions module
  • Improved: Rate Limiting by IP
    • Login alerts rate limiting is now per-IP for better granularity
  • Added: Input Length Validation
    • Maximum 5000 characters validation for feedback form
  • Fixed: Deprecated Function
    • Replaced current_time('timestamp') with time() (deprecated since WP 5.3)
  • Added: API Response Validation
    • Validate NVD API response before processing
  • Added: AJAX Capability Check
    • Added capability check in plugin indicators AJAX handler
  • Improved: Internationalization
    • 153 strings translated in 5 languages (pt_BR, pt_PT, en_US, en_GB, es_ES)
    • All .mo files compiled
  • Removed: Legacy Code
    • Removed ht-security-antigo folder
  • Updated: WordPress Compatibility
    • Tested up to WordPress 6.9.4

1.4.0

  • Added: Complete CVE Check Module
    • Integration with NVD API 2.0
    • Check WordPress Core and active plugins
    • Batch processing with rate limiting
  • Added: Internationalization (i18n)
    • Support for pt_BR, pt_PT, en_US, en_GB, es_ES
  • Added: IP Validation with CIDR Support
    • IPv4, IPv6, and CIDR notation support in Maintenance Mode
  • Added: Rate Limiting for Login Alerts
    • 1 email per 5 minutes per type per IP
  • Added: Core Check Cache
    • 24h transient cache with manual refresh button
  • Improved: Documentation
    • Complete documentation in /docs directory

1.3.3

  • CRITICAL Improvement: License Variant Detection
    • Fixed: FREE plugins no longer report PRO vulnerabilities
    • Detection of variants with parentheses: “Plugin (PRO)”, “Plugin (Premium)”
    • Detection of variants with brackets: “Plugin [PRO]”, “Plugin [Lite]”
    • Correct blocking when CVE mentions variant but plugin doesn’t have it
  • Complete Code Refactoring
    • Code modularized in 9 files by functionality
    • Organization in /includes/ directory following WordPress standards
    • Better separation of concerns
    • PHPDoc documentation in all modules

1.3.2

  • CVE Check Accuracy Fix
    • Security badges now come DISABLED by default
    • User needs to enable manually in Settings > HT Security

1.3.1

  • New Feature: Feedback System
  • CRITICAL Fix: Improved Anti-False-Positive System
    • 8 Validation Filters implemented
    • Eliminated false positives like AMP vs Ampache, Elementor Pro vs Essential Addons
    • 99.9% accuracy in real CVE detection

1.3.0

  • Main Feature: CVE Vulnerability Detection System
    • Complete integration with NVD API 2.0
    • Automatic check every 12 hours
    • Severity badges (CRITICAL, HIGH, MEDIUM, LOW)
  • Intelligent Batch Processing
    • Rate limiting: 5 requests/30s without API Key
    • Rate limiting: 50 requests/30s with NVD API Key
  • Anti-False-Positive System (4 Layers)
    • Software name validation
    • Version validation
    • Generic term filtering
    • Addon/extension detection

1.2.0

  • User enumeration blocking via REST API and author parameters
  • Maintenance mode with authorized IP whitelist
  • File permissions audit with automatic correction

1.1.1

  • HSTS correction patch

1.1.0

  • WordPress Core verification for site administrators

1.0.0

  • First stable release with main features:
    • Security headers (HSTS, X-Frame-Options, CSP)
    • Login alert system with email notifications
    • Simple settings page