

Quick tour of all eight modules - Hide Login, Hardening, 2FA setup with QR code, Incidents drill-down, Activity Log, Events, and Overview dashboard.
Eight security layers. One lightweight plugin. Zero compromise.
Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way.
Stop juggling Wordfence’s bloat, Solid Security’s upsells, and Limit Login Attempts’ gaps. Login Armor delivers eight independent modules in under one megabyte, with the discipline of an enterprise plugin and the licensing of free software.
1. Hide Login – Replace wp-login.php with a custom slug. Anyone hitting the old URL gets a 404 from your theme, so nothing advertises that WordPress is even installed. Compatible with multisite, password-protected posts, reverse proxies, and password recovery flows. The branded pre-activation modal lets you pick or generate the slug before flipping the switch, and emails it to you so you can’t lock yourself out.
2. Brute Force Protection – Cascading lockouts after repeated failed logins. Locked attackers see a branded 429 landing page with a live countdown. Repeated lockouts escalate to a 24-hour ban. Lostpassword, register, XML-RPC and the REST users endpoint are all gated when an IP is locked, so attackers can’t pivot. Subnet blocking handles distributed attacks. Trusted X-Forwarded-For support for sites behind Cloudflare or a load balancer.
3. Hardening – Thirteen one-click toggles across surface reduction, credential hardening, and request filtering. Disable XML-RPC, the theme/plugin file editor, the WordPress version exposure (including ?ver= on assets, even for WP 6.5+ ES modules), application passwords, author enumeration, and more. Block reserved usernames with Unicode-confusable detection. Add an invisible login honeypot. Block PHP execution in uploads and directory listing via atomic-write .htaccess rules.
4. Two-Factor Authentication – Enterprise-grade 2FA in three flavours: TOTP via any authenticator app (Google Authenticator, Authy, 1Password, Bitwarden), one-time codes by email, and printable backup codes. Trusted devices remembered for thirty days so you only verify once per browser. A recovery flow lets a user reset their second factor by email when the authenticator is lost, without a support ticket. Per-role enforcement, configurable grace period, and a session-aware logout.
5. Detection and Incidents – A real-time detection engine groups raw events into six attack patterns: brute force, credential stuffing, distributed scan, post-compromise activity, lockout cascade, and protocol abuse. Each incident has a drill-down view with timeline, source IPs, target users, severity, user-agent fingerprint, and one-click resolution actions (reset password, block subnet, mark resolved).
6. Activity Log – Compliance-ready audit trail of admin actions: plugin installs, settings changes, role updates, user creation, content publishing, theme switches, 2FA enrollment events. Filter, search and export to CSV with configurable retention. Seven logger domains, all togglable independently.
7. Login Page Security Headers – Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy and X-Content-Type-Options on wp-login.php and the lockout page. Two presets (standard and strict) with an optional CSP report-uri.
8. Breach Check – Detect users logging in with a password that appears in public data breach corpora, using privacy-preserving k-anonymity lookups against Have I Been Pwned. Only the first 5 hex characters of the password’s SHA-1 hash leave the server; the password and the full hash never travel. Optional opt-in email lookup against XposedOrNot. Fail-soft: a HIBP outage never blocks login.
WP-CLI: wp login-armor reset-slug, unblock, whitelist, incidents resolve, purge-logs, 2fa reset, 2fa devices, hardening blacklist. Full scripted operations and emergency recovery from the shell.

Login Armor is built and maintained by WPFormation, a French WordPress agency obsessed with sites that are clean, fast, and audit-ready. We use this plugin on every site we ship.
GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies.
When explicitly enabled and configured by the administrator in LoginArmor > Settings > Notifications, the plugin sends incident data to third-party services via webhooks.
Data sent: incident type, severity level, IP address, target username, event count, and site URL.
No data is sent unless the administrator actively enables and configures a notification channel.
The Activity Log tab uses WordPress core’s get_avatar() function to display user avatars. WordPress may send a hashed email address to Gravatar servers to retrieve avatar images. This is controlled by Settings > Discussion > Avatars.
When the administrator explicitly enables the Breach Check module (LoginArmor > Settings > Breach Check), LoginArmor queries the public Have I Been Pwned Pwned Passwords API on each successful login and on password changes to detect user passwords that appear in public data breach corpora.
Data sent: the first 5 hex characters of the SHA-1 hash of the password (k-anonymity lookup). The full password and its full hash never leave the server. The API cannot determine which password is being checked – it only sees a 5-character prefix that is shared with roughly 500-900 other hashes in the corpus.
No API key or account is required. The endpoint is free and public.
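The k-anonymity exchange described above (in the Breach Check module summary and in this disclosure), as an added illustration rather than Login Armor’s own code: the client hashes the password, sends only the 5-character prefix, and matches the 35-character suffix locally against the returned range. The range body is a constructed sample in the HIBP response format; fetch_range targets the real api.pwnedpasswords.com range endpoint and returns None on any failure so the caller can fail soft.

```python
"""HIBP Pwned Passwords k-anonymity check (illustrative, not Login Armor's code).
Only the first 5 hex chars of the SHA-1 leave the machine; the other 35 are
matched locally. A failed lookup returns None so the caller can fail soft."""
import hashlib
import urllib.request
from typing import Optional

# Constructed sample of a range response: "<35-hex-suffix>:<count>" per line.
# Real responses hold hundreds of lines; padded entries carry count 0.
SAMPLE_RANGE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex; only prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse the range body into {suffix: count}, skipping malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isascii() and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: Optional[str]) -> Optional[int]:
    """0 = not in corpus, N = seen N times, None = lookup failed (fail soft)."""
    if range_body is None:
        return None
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)

def fetch_range(prefix: str, timeout: float = 3.0) -> Optional[str]:
    """Network step against the real endpoint: GET /range/<prefix>. Never raises."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except Exception:
        return None  # outage or timeout: treat as unknown, never as breached

if __name__ == "__main__":
    # Offline demo with the constructed sample; use fetch_range(prefix) for live checks.
    prefix, _ = split_hash("password")
    print(prefix, breach_count("password", SAMPLE_RANGE))  # 5BAA6 3861493
```

A login handler that wants the fail-soft behaviour the page describes treats None as "unknown" and lets the login proceed, reserving the warning or forced reset for a positive count.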
When the administrator additionally enables the Email check sub-toggle inside the Breach Check module (off by default), LoginArmor queries the public XposedOrNot check-email API on new user creation and on email change to detect email addresses that appear in publicly disclosed data breaches.
Data sent: the user’s email address (URL-encoded) and a plugin-identifying User-Agent string. This is unavoidable for the lookup – there is no k-anonymity variant for email breach checks. Because this call transmits an email address to a third party, it is opt-in and off by default.
No API key or account is required. The endpoint is free and public.