NHR Secure – Login Security, Firewall, 2FA & Audit Log

0/5 (0 ratings) — active installs Updated Feb 7, 2026
Failed login attempts are blocked.

Keep your WordPress site safe with minimal effort. NHR Secure helps you:

  • Hide or protect your admin area from unauthorized access.
  • Limit login attempts to prevent brute-force attacks.
  • Hide debug logs to prevent sensitive information disclosure.
  • Add 2FA to your WordPress site.
  • Scan core files, plugins, and themes for known vulnerabilities.
  • Monitor site health with one-click security recommendations.
  • Protect against SQL injection, XSS, and LFI attacks.
  • Block malicious IPs and entire countries.

Features at a glance:

🔒 Limit Login Attempts

Stop brute-force attacks by temporarily blocking IPs after repeated failed login attempts.
– Configurable attempt limit (1-20, default: 5)
– Blocks based on IP + Username combination
– Auto-unblock after 2 hours

🔐 Custom Login Page

Hide wp-login.php and use a custom login URL.
– Default custom URL: /hidden-access-52w
– Blocks direct access to wp-login.php and wp-admin for guests

🛡️ Protect Debug Log File

Blocks direct access to /wp-content/debug.log
– Returns 403 Forbidden for all users

⚙️ Modern Settings Page

Configure everything from a beautiful React-powered interface.
– Located under Tools → NHR Secure
– Dark Mode support for comfortable viewing
– Enable/disable each feature

🔐 Two-Factor Authentication (2FA)

Enable two-factor authentication for users.
– Support for Authenticator Apps and Email OTP
– Enforce 2FA for specific user roles (e.g., Administrators)
– Recovery Codes for emergency access
– QR code setup for Authenticator Apps

🛡️ Vulnerability Checker

Automatically scan your installed plugins, themes, and WordPress core against a known vulnerability database.
– Daily automatic scans
– Alerts for critical security issues
– Check file integrity

🖥️ User Session Management

Monitor and control active user sessions to prevent unauthorized access.
– View Active Sessions: See IP, location, device, and login time for all logged-in users.
– Remote Logout: Instantly log out suspicious sessions or all other devices.
– Idle Timeout: Automatically log out inactive users after a set period.

🧱 Hardening & Firewall

Essential security hardening to lock down your WordPress site.
– Disable XML-RPC: Prevent remote attacks and brute-force attempts.
– Disable File Editor: Stop file modifications from the dashboard.
– Hide WP Version: Obscure your WordPress version from attackers.
– Block User-Agents: Prevent bad bots and scrapers from accessing your site.
– Disable User Enumeration: Stop attackers from harvesting usernames via REST API.

📝 Activity Audit Log

Keep a record of important security events on your site.
– Tracks logins, failed attempts, file changes, and settings updates.
– View user, IP, and event details.
– Configurable log retention policy.

🏥 Security Health Check & One-Click Secure

Get an instant overview of your site’s security posture.
– Security Score: View your overall protection percentage and grade (A+ to F).
– Health Dashboard: See which security features are active and which need attention.
– One-Click Secure: Apply recommended security settings instantly.
– 11 Security Checks: Comprehensive analysis of your security status.

🛡️ Advanced Firewall (IPS)

Proactive intrusion prevention system that blocks malicious requests in real-time.
– SQL Injection Protection: Detect and block SQLi attacks automatically.
– XSS Prevention: Stop cross-site scripting attempts.
– LFI Protection: Prevent local file inclusion attacks.
– Pattern Matching: Advanced regex-based detection for common attack vectors.
– Automatic Blocking: Suspicious requests are blocked before they reach WordPress.

🌍 IP & Country Management

Control access to your site with granular IP and geographic filtering.
– IP Whitelist: Allow trusted IPs to bypass all security filters.
– IP Blacklist: Block malicious IPs permanently from your site.
– CIDR Support: Use CIDR notation for blocking entire IP ranges (e.g., 192.168.1.0/24).
– Country Blocking: Block access from 90+ countries using GeoIP lookup.
– Smart Caching: GeoIP lookups are cached for 24 hours for optimal performance.
– Private IP Detection: Automatically skip local/private IPs.

⚡ Lightweight & Minimal

Designed to deliver maximum security with minimal code. No bloat, no complexity.
– Compatible with most WordPress themes and plugins.

External Services

This plugin utilizes the WPVulnerability API to check for vulnerabilities.
Service: WPVulnerability
Data: Only plugin slugs and versions are sent. No personal data is collected.