Join WPMU DEV and secure your site with

Defender Pro

Keep your site safe from hackers! Brute force attacks and malicious bots are no match for Defender's mighty WordPress security shields and cloaking technology.

Defender's regular security scans, vulnerability reports, audit logs, 2-factor authentication, safety recommendations, blacklist monitoring, IP lockout device, simple security tweaks, core, plugin and theme code checker and login masking are too much for even the most wily villain.
Downloads 1,097,463
Active Installs 127,630
Ultra Compatible
Version 2.2.7

Changelog / Translations

Version 2.2.7

  • Fix: Audit Logging sometime triggers a fatal error on some setups.


Version 2.2.7
  • Fix: Audit Logging sometime triggers a fatal error on some setups.

Version 2.2.6
  • Improvement: Frequency of Security Tweak notifications reduced to 7 days
  • Fix: GeoIP now compatible with new MaxMind policy
  • Fix: Mask login URL now allow URL with an extension
  • Fix: Lockout notification email now displays correct time unit
  • Fix: Get started screen appears only where required
  • Fix: Manage your email preferences & unsubscribe email link now works
  • Fix: Strict Transport Security Header now shows subdomain option on the root domain
  • Fix: On login lockout, Defender doesn't block IP permanently
  • Fix: Mask login won't block admin links from email
  • Other minor enhancements and fixes

Version 2.2.5
  • Fix: Displaying Defender pages after activating the plugin.

Version 2.2.4
  • Fix: Security tweaks self ping cause performance issues.

Version 2.2.3
  • Improvement: Increased the frequency of Security Tweak notifications from daily to weekly.
  • Fix: Two-Factor activate/deactivate not working as expected.
  • Fix: Defender IP Lockouts was blocking Hub services.
  • Fix: Error when bulk deletes lockout logs, without selecting any.
  • Fix: Active Translation in General Settings was not using the language that had been set.
  • Fix: The first time you setup the Blacklist location, it doesn't save.
  • Fix: Security Keys tweaks showing decimals in status.
  • Fix: Enforcing Security Header tweaks revert when you refresh the page.
  • Fix: Lockout duration in email notification now reflects the right setting instead of always in seconds.
  • Fix: Missing logs from the Audit logging screen.
  • Remove: WordPress REST API security tweak. This feature was causing many sites to break basic functionality so we've decided to remove it.
  • Other minor enhancements and fixes

Version 2.2.2
  • Feature: New security tweaks: Security headers.
  • Feature: New security tweak: Block WordPress Rest API.
  • Feature: New security tweak: Prevent user enumeration.
  • Feature: Ability to talk with HUB for syncing Defender settings.
  • Improvement: Add ability to ban by filename/extension.
  • Improvement: Allow user to change the retention period of Audit Logs in Defender.
  • Improvement: Add the ability for an admin to unblock a temporarily blocked IP.
  • Improvement: Add 'Your current time' to Reporting tabs.
  • Fix: Email link still goes to wp-admin instead of masked one, if use Defender Mask Login.
  • Fix: Css z-index issue with Quick setup modal.
  • Fix: Use hostname instead of wp-defender in authenticator app.
  • Fix: Minor grammar and UX improvements.
  • Fix: Upgrading from the older version disables the settings in the mask-login.

Version 2.1.4
  • Fix: Mask Login cause issue when visiting /wp-admin/network/sites.php

Version 2.1.3
  • Feature: Security tweaks will send reminder when no tweaks were actioned after activation
  • Improvement: Scanning will be more catchy, especially with code using eval function, however that can lead to more false positive, please consider to check with our support before delete the file.
  • Fix: Bring back the tooltips system
  • Fix: Audit filter links doesn't reflect the right results if open in new tab
  • Fix: Filtering issue type in scanning now show correct results.
  • Fix: Scanning notification keep sending when the setting turn to "off"
  • Fix: User IP in IP Lockout->Blacklist now show the correct IP.
  • Fix: Bring back the subject customization field in Scanning email config.
  • Fix: Manage Login Duration wont make user to login twice anymore.
  • Fix: Audit filtering by user now working properly
  • Fix: We change the Audit logging items' color from red to more neutral.
  • Fix: Ad Widget won't be show in vulnerability list by accident anymore
  • Fix: Bottom bulk selector in Scanning page now work properly
  • Fix: Deprecate warning from the function strpos() in php 7.3
  • Fix: Sync issues with HUB will be more consistent.
  • Fix: Mask login doesn't work properly if Wordpress get installed in a sub-folder
  • Fix: Conflict with Avada theme which making scanning stuck
  • Fix: Gracefully handle error when php dom extension does not install
  • Fix: Prevent factory reset revert database prefix into wp_ even though it was not set by Defender.
  • Fix: Prevent slashes added in email template
  • Fix: Minor grammar and UX improvements.

Version 2.1.2
  • Feature: Defender Pro now supports the WPMU DEV Dashboard’s white label feature.
  • Feature: You can now perform a factory reset of Defender’s settings via the Settings screen, as well as control what happens to data when the plugin is uninstalled.
  • Improvement: Defender File Scanning no longer identifies robots.txt as a potentially harmful file.
  • Improvement: We’ve turned off autocomplete on the two-factor authentication field so that previous codes don’t show up.
  • Fix: Fixed a conflict with Defender where the 404 lockout feature would lock out users who tried to access old Hummingbird cache files.
  • Fix: You can now view date ranges greater than 7 days for IP Lockout logs
  • Fix: Minor grammar and UX improvements.

  • Fix: Two-Factor Authentication QR code not being displayed on new device registration.

Version 2.1.1
  • Fix: Prevent Information Disclosure corrupts htaccess code

Version 2.1
  • New: Geo-based IP blocking. Completely block incoming traffic from specific countries to gain full control over who can and can’t access your site.
  • New: Upgraded design components and improved user experience across the board.
  • Fix: Corrupt .htaccess rules generated by Defender weren’t able to be re-applied when adding them a second time.
  • Fix: Users can no longer get past login masking when using double slashes.
  • Fix: Javascript errors prevented adding recipients to notifications and editing templates.
  • Fix: Blacklist monitoring could not be enabled on some sites.
  • Fix: Parse error on installations running PHP 5.3.
  • Improvement: Removed activation redirection and tooltips on first activation.
  • Other minor enhancements and fixes

Version 2.0.1
  • Fix: permanent ban on 404 lockouts now sends correct email.
  • Fix: IP lockout logs not showing correct results/order on different pages.
  • Fix: IP lockout logs showing wrong badge for 404 lockouts.
  • Fix: 2FA not working properly when using Sensei plugin.
  • Other minor enhancements and fixes.

Version 2
  • New: added tweak “Disable XML-RPC”
  • Improvement: Two factor authentication can now be force enabled by role.
  • Improvement: Masking URL description.
  • Fix: Compatibility with Appointments+ login when Mask Login is enabled.
  • Fix: /login/ will be blocked instead of redirecting to right login URL
  • Fix: new site registration email login URL will now show right Login URL instead of the original one when Mask URL is enabled.
  • Fix: Accessibility issue when activating 2FA.
  • Changes: Show Admin Pointer on initial Defender activation, and removing the redirect behavior.
  • Other minor enhancements and fixes

Version 1.9.1
  • Fix: Mask Login Area description text is misleading
  • Fix: wp-admin link of sub-sites in networks link to wrong admin URL
  • Fix: Prevent Information Disclosure & Prevent PHP Execution show false error message when first applied
  • Fix: Dashboard reporting section mis-alignment
  • Other minor enhancements and fixes

Version 1.9
  • New: Ability to edit default two-factor authentication email notifications
  • New: Added Privacy Policy in privacy guideline page
  • Improvements for lockout logs interface
  • Improvement: Smarter report default time.
  • Fix: Defender auto redirect issue when bulk activating plugins
  • Fix: saving 404 redirect URL issue
  • Fix: Some layouts are shifted on mobile devices
  • Other minor enhancements and fixes

Version 1.8
  • New: Hide the default WordPress login URLs with the new Mask Login Area feature, giving you enhanced protection from hackers and bots.
  • New: Ability to force two-factor authentication for all users.
  • Fix: Fixed a bug where file scanning would detect wp-config.php as suspicious.
  • Fix: Fixed an issue where the lockout pages could be cached by external cache engines.

Version 1.7.6
  • Fix: Defender now can recognize and verify Bing Bot for whitelisting
  • Fix: Lockout page now will use site title instead of the text 'WP Defender'
  • Other minor enhancements and fixes

Version 1.7.5
  • Fix: Report status missing in Hub Security tab
  • Fix: Some themes/plugins shown as a vulnerability but no info available
  • Other minor enhancements and fixes

  • Fix: Remove debug data
  • Fix: Issue with Hub

  • Added: Endpoint API so HUB can work with Defender natively through WPMU DEV Dashboard plugin

Version 1.7.4
  • Fix: Conflict with Jetpack where Defender 2FA module would not detect if Jetpack 2FA was disabled.
  • Fix: Visitor would get a 404 lockout if landing on a page with many dead links.
  • Improvement: When an user is deleted, audit logging now display the user's login instead of only UID.
  • Other minor enhancements/fixes

Version 1.7.3
  • Fix: Two-factor authentication can be bypassed by user with no role.
  • Improvement: Enhanced two-factor authentication protection across multisites.

Version 1.7.2
  • Improvement: Improvement: IPv6 support for both whitelisting and blacklisting, requires IPv6 support on the server.
  • Improvement: Better UI/UX for Two-factor authentication.
  • Fix: Security tweak "Prevent PHP Execution" and "Protect Information" now support Apache 2.4 htaccess rules.
  • Other minor enhancements/fixes

Version 1.7.1
  • Improvement: Audit logging logs will be stored up to 1 year, query range can be set up to 3 months
  • Improvement: Option to set a cooldown period for lockout notifications.
  • Added: widget for 2 factors authentication
  • Fix: Defender does not detect the right IP when CloudFlare is being used
  • Fix: Conflict with TM Photo Gallery Plugin
  • Other minor enhancements/fixes

Version 1.7
  • New: Now you can enable 2 factors authentication with Defender and Google Authenticator app, support for iOS and Android
  • New: We can define how long the "Remember me" can take affect, via a new Security Tweak, called "Manage Login Duration"
  • Improvement: IP Lockout logs now have separate tables, better for performance.
  • Fix: Ignore a file in Scanning section sometimes coming back after couple of scans.
  • Other minor enhancements/fixes

Version 1.6.2
  • New: CSV export for Audit Logging.
  • Improvement: Email reports now have unsubscribe link, and link to Reports where email reports can be turned off.
  • Fix: Typo in Audit email.
  • Other minor enhancements/fixes

Version 1.6.1
  • Improvement: Improved IP Lockout performance.
  • Fix: Audit logging detects wrong WordPress version when upgrade
  • Fix: "Update old security keys" doesn't move to resolved list after processed
  • Fix: When emptying IP Lockout logs cause timeout error.
  • Fix: Typos in some places
  • Other minor enhancements/fixes

Version 1.6
  • Improvement: Allow users to select and apply rules to other server type in Prevent PHP Execution and Prevent Information Disclosure.
  • Fix: Sometimes HUB status doesn't sync with WordPress site.
  • Other minor enhancements/fixes

Version 1.5
  • New: You can now add exceptions for specific PHP files in the PHP Execution Security Tweak.
  • Improvement: Filtering all log types now uses URLs instead of ajax only, meaning you can link to a filtered log easily.
  • Improvement: Various user experience updates across the plugin interface to make using Defender even easier.
  • Fix: Lockout Logs now display from newest to oldest.
  • Fix: Lockout Logs pagination now works correctly.
  • Fix: Inconsistencies in the IP Lockouts stats across the plugin.
  • Fix: Sending Audit Logging reports to multiple recipients would address all recipients as the first user's name.
  • Fix: Grammar and typos in some modals and error messages.
  • Fix: If Defender finds a vulnerability in WordPress's core, the text would indicate running an update would fix the issue though no update was actually available yet.

Version 1.4.2
  • Improvement: The plugin interface will now stretch to utilize extra screen space on larger screens.
  • Fix: Audit Logging was getting its days mixed up in the summary area. You’ll now see the correct day of the week.
  • Fix: We squashed a bug that was causing files scans to sometimes report false positive files after WordPress core upgrades.
  • Fix: A conflict with Jetpack was causing scans to stall, which we have now fixed up.
  • Fix: In some cases File Scanning reports wouldn't actually stop sending if you disabled them. It now obeys commands.
  • Fix: Google's bot was being blocked by IP Lockouts but now it's free to crawl and index as it pleases.
  • Fix: We removed redundant “cancel” buttons on settings pages. You probably won’t even notice!
  • Fix: We’ve added live stats so now there’s no need to wait around in anticipation while running files scan actions.
  • Fix: Stats weren’t displaying the right numbers after actioning security tweaks, but it’s all good now.
  • Fix: Pagination on the Audit Logging logs page now works like you would expect it to.
  • Fix: Files detected in File Scanning now have metrics with their file sizes.
  • Fix: We’ve fixed styling issues with toggles.
  • Fix: We removed the” Resolve bulk update” option from File Scanning. It wasn’t really a valid action.
  • Fix: Incomplete icons in the Dashboard reports area have been updated.
  • Fix: We’ve removed redirection from the dashboard to the File Scanning page are after preforming a file scan so now you shouldn’t feel lost.
  • Fix: Lots of other small stuff, like minor cosmetic and grammar fixes.

Version 1.4.1
  • Fix: Compatibility issue with Getting Started Wizard
  • Fix: Scanning was sometimes slow or getting stuck

Version 1.4
  • New: Meet the brand new Defender! This release focuses on making security for WordPress a better place. We’ve given the UI a refresh and updated the UX, so configuring your security settings is a walk in the park.
  • Fix: A ton of bug fixes & improvements. Yep, vague description! But why bore you with the small stuff when you could be spending time bolstering your site’s security?

Version 1.3
  • Added: Endpoint API so HUB can work with Defender natively through WPMU DEV Dashboard plugin
  • Other minor enhancements/fixes

Version 1.2
  • Added: New Hardening Rule (PHP version)
  • Improvement: Audit Logging now allows date range selection.
  • Improvement: IP Lockouts now allow IP ranges in whitelist/blacklist.
  • Improvement: IP Lockouts now can import/export whitelist/backlist.
  • Fixed: IP Lockouts email notification text on permanent IP ban.

  • Fixed: Cache issue causing multiple requests to API endpoint when scanning suspicious files.

Version 1.1.6
  • Fixed: Collapse Menu button shows bigger font and in all caps
  • Fixed: Missing strings in translation (.pot) file
  • Fixed: Audit logging reports not using correct timezone.
  • Fixed: DB prefix replacing all instances of “wp” if it's used multiple times (ie wp_mytable_wp_subtext)
  • Fixed: Auto ban users who log in with the “admin" username not working.
  • Some other minor enhancements/fixes

Version 1.1.5
  • Added: IP Lockouts. Defender can now protect your login area from brute force attacks, monitor 404 errors and automatically lockout any unwanted behavior. It can also permanently ban specific IP addresses and receive email notifications when lockouts occur.
  • Fixed: Minor bug fixes and improvements.

  • Fixed: Fatal error when PHP extension sockets is not enabled

Version 1.1.4
  • Improvement: Audit logging now detects file changes in WordPress core.
  • Fixed: Updating via WordPress core now syncs better with the Hub.
  • Fixed: Some compatibility fixes for PHP 5.2.

Version 1.1.3
  • Improvement: Audit Logging now ajax based.
  • Fixed: minor bug fixes & some UI/UX improvements

Version 1.1.2
  • Improvement: Switched the User dropdown in Audit Logging to load results via AJAX to increase initial load performance.
  • Improvement: Scan results now pre-load information so that you can action fixes faster.
  • Fixed: Removed cronjob events from being tracked in Audit Logging.
  • Fixed: The Audit Logging filter box now stays visible if no results are returned.
  • Fixed: Other small bug fixes and improvements.

Version 1.1.1
  • Added: A warning indicator in WP Admin sidebar to let you know how many security issues are outstanding.
  • Added: The ability to choose to only receive email reports when there are issues with your website.
  • Fixed: Minor bug fixes & improvements

Version 1.1
  • New feature: Audit logging
  • New plugin icon
  • Vulnerability plugins/theme scan result can be ignored
  • Some other minor enhancements/fixes

Version 1.0.8
  • Improve Core Integrity Scan.
  • Improve caching method

Version 1.0.7
  • Improved: Scan schedule.
  • Fix: issue with W3 Total Cache Object Cache

Version 1.0.6
  • Fix: Defender data doesn't sync with HUB correctly
  • Fix: Email report doesn't send properly
  • Some other minor enhancements/fixes

Version 1.0.5
  • Added: Option to choose reminder period for Hardener rule "Update old security keys"
  • Improved: Compatibility with Windows server
  • Improved: Optimized resource usage when scanning

Version 1.0.4
  • Improve scan engine, reduce false positives
  • Improve uninstallation method
  • Add the ability to ignore hardener rules.
  • Improve the performance impact on the site.

Version 1.0.3
  • Optimize scanning
  • Preventing performance issue with some hosts

Version 1.0.2
  • Applied ajax inline updates for plugins/themes
  • One click Prevent PHP execution
  • One click Prevent Information Disclosure
  • Add detail page for core integrity issue, and automate resolution

Version 1.0.1
  • Scanning can auto detect if user is active on scanning page to work based on ajax, or leave to enable background scan
  • Improve condition checking for Prevent Information Disclosure module
  • Improve condition checking for Prevent PHP execution module

Version 1
  • Initial release!
Schedule security scans, vulnerability reports, get safety recommendations and make security tweaks.
  • Recommendation and one-click action steps
  • Plugin, theme and core vulnerability scans
  • Manual and automatic IP lockout system
  • Google blacklist monitoring and alerts
  • Restore and repair changed files
  • 2-Factor Authentification

Scans and reports are awesome, but who do you call to lay the smack-down on hackers?

Defender not only makes suggestions, he’ll give you action steps and stand guard giving you a stronger site.

Block the Bad Guys With Defender


Brute Force Lockout

Limit login attempts to block attackers trying to guess your password.

File Change Detection

Scan plugins, themes and WordPress core files for changes to the code.

404 Lockout

Use 404 detection to stop bots that are scanning for vulnerabilities.


Audit Logs

Keep detailed logs of every user action from file modifications to settings changes.

Email Notifications

Never be left in the dark with customized reports and automate email notifications.

IP Lockout

Trigger timed or permanent site bans with both manual and automatic IP controls.


Security Key Updater

Add another layer of protection by changing security keys on a schedule.

Automated Scans

Keep an eye on your site with regular automated scans and reporting.

Blacklist Monitoring

Checks safe web services and warns you if your site has been flagged as unsafe.


2-Factor Authentication

Use 2-factor authentication to protect your site with both a password and a phone.

Remember Me Checked

Set how long the “Remember me” option will keep users logged in to your site.

Whitelist IP

Make exceptions to lockout rules and prevent administrators from losing access.


Security Tweaks

Add effective security measures with recommendations and one-click hardening.

Hub Security Manager

Monitor security issues, updates and backups for all your sites from the Hub.

Snapshot Backups

Defender includes 10GB of cloud storage and automated Snapshot backups.

Defender finds areas you can improve and makes suggestions for security tweaks.

Pro Security Tweaks

Security isn’t one-size-fits-all, so Defender will analyze your site, make suggestions for security tweaks and provide easy activation for the most effective layered security measures used by the pros.

Defender is the professional security upgrade you’ve been looking for.

Expose hidden code with regular scans.

Theme & Plugin Code Checker

Defender also checks for known issues with themes and plugins you have installed and scans for suspicious behavior in your system files.

Now you can remove the weak points in your system before hackers can get to them.

Get notified of core file changes and restore order with a click.

Let Defender Do The Crime Fighting

Defender scans the dark alleys of your site to find suspicious code in WordPress and alerts you when something doesn’t look right.

If a core file is corrupt Defender brings order. Restore files to their original state with a click.

Keep tabs on everything that happens on your site!

Audit Logging

Tired of mysterious breakages or inexplicable slowness on your site? With Defender keeping watch, you’ll know the cause – every time. Defender lets you keep and quickly search a detailed logs of comments, posts, login attempts, plugin installs, and well, pretty much everything.

Use blacklist monitoring to help keep a trusted brand.

Blacklist Monitoring

Defender checks safe web services and warns you if your site has been flagged as unsafe.

Be the first to know if your domain is blacklisted so you can act fast and reinstate your site – before you lose visitors or break trust.

Protect your site from brute force attacks.

IP Lockout

Brute force attacks are no match for Defender’s IP Lockout system. Trigger timed or permanent site bans for repeated 404s or failed login attempts. Run quick lockout audits with filterable logs. Protect your site with both manual and automatic IP ban and whitelist control.

  • Defender's interface is very intuitive with warnings that are very helpful.
  • Worth every penny! Plugins like Defender and Snapshot are one of a kind.
    Andre M.
  • I found other pro security plugins a bit too fiddly for my taste...I’m delighted with Defender.
  • This is the sort of security data I’ve always wished all my websites and web apps had.
  • So once again, my WPMU DEV membership pays huge dividends. Defender is awesome! Huge thanks.
    DigiBlueArc - DezinerBlogs
  • Defender Recently blocked over 3000 attacks in one week without any noticeable impact on the website. WPMUDEV knocking it out of the park on that one.
    David Oswald - Founder @
Mask your login screen with a custom URL.

Login Screen Masking

Make it harder for bots to find your login screen with a unique slug. Say goodbye to the default login URL.

As an added bonus, moving your login screen lets you further whitelabel your client sites!

Stay ahead of security with customized alert settings and notifications.

“Warning: I Sense a Disturbance”

Customize your alert settings. Send security updates, lockout notification emails, custom 2-factor emails, scheduled reports and audit logs to any one – an admin or  a team of people. Use regular security reports and alerts to help keep your site running fast and safe.

Backup and restore from any point with Snapshot.

Cloud Backups with Snapshot

Security and automated cloud backups – it’s the ultimate Super Duo. Activate Snapshot and you’ll never need to worry about a hack again.

Just restore to a clean install while you patch vulnerabilities.

Getting Started:

The complete Defender Pro setup guide is now located in the newly designed documentation section of our website. Access the full Defender Pro tutorial now, complete with improved navigation and upgraded learning tools:

Defender Pro Usage Documentation


Defender Pro is covered by the WPMU DEV Guarantee

WPMU DEV Guarantee

We guarantee that...

  • Defender Pro will work as advertised
  • You will receive 24/7 365 expert support for any problem
  • If you cancel your FREE trial, you can keep Defender Pro
  • Defender Pro is secure, always updated and well coded

Money back guarantee!

While you have 7 days, no obligations risk-free trial of WPMU DEV if you become a paid member and are dissatisfied with any of the above we'll refund you, no questions asked.

Defender Features

Get peace-of-mind with a more secure site.

  • Analyze site security
  • Security tweak recommendations
  • Resolve issues with a click
  • Manual and automatic IP lockout
  • Filterable IP logs
  • Scan core files for changes
  • 2-Factor Authentification
  • Customize 2-factor email
  • Vulnerability scans
  • Schedule scans
  • Repair/restore changed files
  • Choose file types to scan
  • Skip files based on file size
  • Receive email reports
  • Set report recipients
  • Google blacklist monitoring
  • Automated backups
  • Full website backups
  • Cloud backups
  • Site interactions with logging
Defender Pro in your language
  • English (South Africa)
  • French (France)
  • German
  • View all