
Security Ninja Pro – WordPress Security Made Easy
/Year

Comprehensive WordPress Security and Penetration Testing
Security Ninja Pro delivers an efficient approach to securing your WordPress installations by providing an exhaustive suite of diagnostic tests, scanning tools, and real-time defensive barriers. Built to act like an automated ethical hacker, the plugin uncovers vulnerabilities before malicious actors can exploit them. Instead of simply modifying critical core files blindly, this plugin empowers site administrators with detailed insights into potential entry points, clear configuration guidance, and automated remediation options.
What Security Ninja Pro Does
The primary function of the plugin is to run a battery of over 40 distinct security checks to establish a rigorous baseline for your website. It analyzes file permissions, evaluates database safety, scrutinizes hidden configuration variables, and searches for exposed system logs. Beyond diagnostic testing, it implements proactive defenses, including an active web application firewall, a cloud-based IP reputation filter, a malware scanner, and a thorough user activity logging system that tracks all configuration modifications, file modifications, and authentication attempts.
Who Is This Protection For?
This security tool is built for a wide range of web professionals who manage single or multiple WordPress properties:
- Website owners seeking a transparent overview of their security vulnerabilities without needing deep technical expertise.
- Agencies and freelancers managing client sites who require automated scheduling, email reports, and white-label capabilities.
- E-commerce storefronts handling sensitive user records and payment data where downtime or compromises affect business continuity.
- Developers who want to avoid bulky security frameworks that degrade server performance.
Key Capabilities and Security Architecture
Security Ninja Pro uses a modular framework that allows you to activate only the structural components your site requires, reducing resource consumption while maximizing server defense:
- One-Click Vulnerability Repair: Instantly corrects configurations that fail the main test suite, saving hours of manual file editing and configuration adjustment.
- Cloud Firewall Integration: Filters incoming HTTP traffic based on an aggregate database of known malicious IPs, blocking brute-force attacks, localized country-specific threats, and malicious query strings.
- Core and Malware Scanner: Validates the integrity of native WordPress core files against official checksums while scanning theme and plugin directories for backdoors, injected scripts, and rogue code structures.
- Comprehensive Event Logger: Records an audit trail of user activities, layout edits, plugin updates, or authentication anomalies, ensuring compliance and accountability.
- Two-Factor Authentication (2FA): Enforces secondary verification for administrative or privileged roles to neutralize credential theft and password stuffing.
Practical WordPress Use Cases
In practice, the plugin addresses several real-world security challenges commonly faced by WordPress operators. For instance, if an e-commerce site experiences a sudden influx of automated account creation attempts or spam queries, enabling the Cloud Firewall with 404 Guard helps mitigate the traffic spikes automatically. When managing corporate multi-author blogs, the Event Logger ensures that every draft modification, profile change, or plugin installation is traceable to a specific user account. Additionally, agency operators use the Scheduled Scanner to automatically inspect corporate portfolios every week, distributing a clear status report via email directly to stakeholders.
Setup and Environmental Compatibility
The installation process is accelerated by an integrated setup wizard that executes automatically upon activation, assisting you through the initial evaluation, firewall routing, and logger deployment. The plugin operates efficiently alongside standard web hosting architectures, avoiding performance bottlenecks on shared hosting, virtual private servers, or dedicated environments. To prevent class collision issues, the system isolates its dependencies cleanly, maintaining stability even when run in conjunction with extensive e-commerce ecosystems or highly optimized caching configurations.
Why Choose Security Ninja Pro on WPPick?
Acquiring this security solution through WPPick ensures access to a clean, installable product package free of arbitrary software limitations or restricted interfaces. This allows you to scale your site deployments, protect client properties cost-effectively, and utilize the full power of advanced components like malware scanners, database updates, and cloud firewalls without administrative overhead. You maintain full oversight of your defensive parameters, ensuring that security remains fully functional, under your direct control, and unburdened by recurring licensing complications.
Latest Version Context
The software is maintained continuously to align with changing server standards and emerging security vectors. Detailed release notes are not available from the provided sources for version 5.289 specifically, but recent updates across the development lifecycle focus heavily on tightening cloud firewall exemptions, refining two-factor authentication fallback behavior for protected roles, resolving path matching for non-standard permalinks, and enhancing the self-healing mechanisms of the scheduled background scanner to ensure uninterrupted diagnostic tasks.
Frequently Asked Questions
Will running 40+ security tests slow down my website performance?
No. The security tests are designed to run on-demand or during scheduled off-peak windows. They query internal configuration baselines and file attributes rather than creating continuous processing loops, ensuring your visitor loading speeds remain unaffected.
How does the Cloud Firewall differ from standard security rules?
The Cloud Firewall intercepts incoming traffic using real-time IP reputation checks before it interacts with your core theme or database structures. This blocks automated malicious queries, brute-force bots, and targeted script injections prior to script execution.
Can the plugin fix my security issues automatically?
Yes. The Quick Filter system isolates fixable vulnerabilities discovered during your scans. For these specific rows, a one-click auto-fix routine runs immediately, updating permissions or updating configuration structures without requiring manual code edits.
What happens if a core file scan flags a legitimate modification?
If a custom file or expected modification is highlighted by the core scanner, you can utilize the built-in whitelist functionality to approve the file. This filters the item from subsequent reports while preserving alert systems for unverified code changes.
I. Download Limits & Account Benefits
- Free Downloads: Each email address receives 3 downloads per day for free products
- Upgrade Benefits: Purchase any paid product to increase your daily download limit by 3 for each paid product
- No Account Required: You can download immediately by receiving the download link via email
- Account Recommended: Create an account for easier access to your order history and direct update downloads
II. Understanding GPL vs Official Versions
Important: The products available on WPPick are GPL-licensed versions, which differ from official developer versions. Before purchasing, please read our comprehensive guide: Understanding GPL & Official Differences at WPPick
Key Points:
- GPL versions may not include premium support from original developers
- Updates may be delayed compared to official releases
- Some premium features might have limitations
- Always consider your specific needs and support requirements
III. Support & Assistance
We’re here to help through multiple channels:
- Email Support: Direct email assistance for all inquiries
- Live Chat: Real-time support during business hours
- Comprehensive Documentation: Detailed guides and tutorials
IV. Order Tracking
Access your complete purchase history and download links anytime: Order History
V. Account Access
New to WPPick? Login or Create Account to manage your downloads and orders efficiently.
VI. Refund Protection
We stand behind our products with a clear refund policy. Review our terms: Refund Policy
VII. Privacy & Security
Your data security is our priority. Learn how we protect your information: Privacy Policy
VII. Terms of Service
Understanding our service terms ensures a smooth experience: Terms of Use
Quick Tips for Best Experience
- Verify Compatibility: Check plugin/theme compatibility with your WordPress version
- Backup First: Always backup your site before installing new plugins or themes
- Test Environment: Consider testing on a staging site first
- Stay Updated: Regularly check for updates in your account dashboard
- Read Documentation: Review any included documentation for optimal setup
Need Help?
If you have questions about downloads, licensing, or need technical assistance, don’t hesitate to contact our support team. We’re committed to ensuring you have the best possible experience with WPPick products.
Ready to get started? Your download adventure begins with just one click!
- Overview tab - AI Security Advisor card, next best actions, what changed since your last AI review, and quick action links to key modules.
- Security Advisor - Suggested next steps and "what changed since last report" panels use scan snapshots without an extra AI call.
- Cloud Firewall (Pro) - MonSpark uptime monitoring IPs are included in the built-in automatic whitelist (always on; no checkbox required). Thank you Heath.
- Malware Scanner (Pro) - Flags suspicious plugin and theme folder structure when wordpress.org checksums are unavailable (review recommended, separate from malware signatures).
- AI Security Advisor - Database upgrade on update adds the snapshot column to existing AI report tables so comparisons work on upgraded sites.
- 2FA (Pro) - Email code verification works when you press Verify or Enter.
- AI Security Advisor - Your selected AI connector applies when you generate a report.
- Setup wizard - Opens automatically on first install only.
- Cloud Firewall - Filter Suspicious Queries no longer false-positives on s2Member loader URLs.
- 2FA (Pro) - Login verification updates apply immediately after plugin updates.
- 2FA (Pro) - Administrator is pre-selected under Required Roles when 2FA is not yet enabled; clearer grace period help for required roles.
- AI Security Advisor - Model selection follows WordPress AI Client settings.
- Cloud Firewall (Pro) - Added more WP Compress service IPs to the built-in automatic whitelist (always on; no checkbox required).
- Core Scanner - Detects unexpected files in the WordPress root and hidden dotfiles in wp-admin and wp-includes.
- Malware Scanner (Pro) - Clearer integrity messaging; structural findings included in issue counts, whitelist, scheduled reports, and AI advisor context.
- Core Scanner - OS metadata files (e.g. .DS_Store) are excluded from scan results.
- Core Scanner - Severity levels (critical, warning, notice) with guidance for phpinfo and dev-tool files; table-based results UI.
- Core Scanner - Live scan results without page reload; summary stats; Overview Core Integrity widget.
- White Label (Pro) - Security Advisor and Overview use your white label plugin name in the UI and AI reports. Thank you Davina.
- Visitor Log (Pro) - Cleaner Refresh button on the visitor log page.
- Core Scanner - Summary strip with scan context, status banner, and last-scan metadata; delete or restore individual rows without a full rescan.
- Core Scanner - Findings action buttons match Malware Scanner styling (View File, Diff, Restore, Delete).
- Malware Scanner (Pro) - Issue counter on the Malware tab when suspicious files are found.
- Malware Scanner (Pro) - Summary strip with last-scan context, status banner, and Whitelist all; streamlined results header.
- Malware Scanner (Pro) - Findings use the same table layout as Core Scanner (file, severity, guidance, actions) with location group headers.
- Core Scanner and Malware Scanner - Cleaner findings list layout.
- Cloud Firewall (Pro) - Visitor log retention ("Keep visitor logs for") is now enforced by a daily scheduled cleanup task.
- Cloud Firewall - Manual whitelist entries for localhost (127.0.0.1 / ::1) now reliably exempt requests from cloud reputation blocks; server cron and WP-CLI traffic is no longer blocked during early firewall checks. Non-public IPs are excluded from cloud blacklist matching.
- Cloud Firewall (Pro) - Country blocking now blocks the full site when "Only block these countries from login functionality" is OFF, regardless of the "Prevent Banned IPs from Accessing the Site" setting. Previously, country bans could behave like login-only blocks when that IP setting was OFF.
- Scheduled Scanner (Pro) - Scheduled scans now self-heal. If the scheduled event goes missing (for example after a long scan times out or a cron/optimization plugin clears it), it is recreated automatically instead of requiring you to re-save settings.
- Scheduled Scanner (Pro) - Email reports now show the correct status changes. Status labels (Good / Warning / Failed) and the "improvement" vs "security concern" wording are no longer reversed.
- 2FA (Pro) - After verifying 2FA, the post-login redirect now mirrors WordPress core's capability handling. Users on roles that cannot access wp-admin are sent to an appropriate page instead of the dashboard (which could bounce them to the front page and appear logged out). Thank you Jason.
- Tools (Pro) - "Clear visitor log" button to delete all firewall visitor log entries manually.
- Setup wizard available for all; first install opens the wizard automatically.
- Security Tests Quick Filter - **Fixable** shows tests with one-click auto-fix available.
- Malware Scanner - **Whitelist all** button for currently flagged files (with confirmation).
- Cloud Firewall – The firewall master switch now consistently controls all firewall enforcement (404 Guard, WooCommerce protection, country rules, and cloud IP blocking). Login Protection (brute-force limits, rename login, 2FA, and related messages) continues to operate independently when the firewall is turned off.
- Wizard - single Pro overview on Welcome for free users; removed per-step upgrade buttons.
- Wizard - Events Logger and Vulnerability Scanner activation steps.
- Wizard - Login protection as dedicated Pro step.
- Wizard - Pro badges on footer nav for Login, Fixes, and WooCommerce (hidden for licensed Pro users).
- Wizard - skip wizard from intro; rerun warning only shown after wizard has been completed once.
- Wizard - Dead code cleanup.
- Renamed review-notice dismiss nonce for clarity (`wf_sn_dismiss_review`).
- Apply Fix - after a fix completes, the test row refreshes automatically (spinner stops, status icon and score update, clear success message).
- Tools page - unique form IDs and dedicated nonce fields/actions per form (Update Database, Reset 2FA, Legacy cleanup, Import, Secret URL reset).
- Cloud Firewall - suspicious-query filtering now resolves visitor hostnames only when needed for blocked-hostname rules, with per-IP caching. Thank you Paul.
- Cloud Firewall - Bundled data lists (ManageWP/UptimeRobot/Uptimia service IPs and the country list) are now stored as JSON data files so security scanners no longer flag them as false positives. Thank you Daryl.
- Security Tests - When a test cannot reach your site (e.g. a connection timeout), it now reports a "Warning / could not verify" result instead of a hard failure, so temporary network hiccups no longer look like new security problems.
- Updated bundled dependencies - Freemius WordPress SDK (2.13.1 → 2.13.2), phpseclib (2.0.54 → 2.0.55), and PHP Malware Scanner (1.0.30 → 1.0.31).
- WP Pointer "thank you for installing" tour and dashboard welcome banner (replaced by wizard).
- Unused MainWP remote actions (run_malware_scan, update_vulnerabilities, force_create_tables); malware runs via run_all_tests, tables created on activation/upgrade.
- Change Login URL (Pro) — Works when Cloud Firewall is disabled; only "Change login URL" and the slug need to be enabled under Login Protection.
- Change Login URL (Pro) — `/your-slug/` login URLs work even when permalinks are Plain (fixes 404 when the Preview link used a path-style URL).
- Change Login URL (Pro) — Reliable path matching for subdirectory installs; fallback serves login if WordPress resolved the request as a 404.
- Change Login URL (Pro) — wp-admin blocking applies to `/wp-admin` with or without a trailing slash.
- Change Login URL (Pro) — Admin Preview shows the same URL the plugin uses (`?slug` on Plain permalinks, `/slug/` otherwise).
- Two-factor authentication (Pro) — When 2FA is enabled but required roles were missing or invalid, login could skip the 2FA step. Security Ninja now falls back to requiring Administrator so the code prompt always appears for protected accounts.
- Saving 2FA status would fail if firewall not enabled. Thank you Vassos.
- Cloud Firewall (Pro) — Clearing all countries in country blocking and saving now actually turns country blocking off. Previously, choosing "none" could leave old selections in place because empty lists were not saved correctly.
- Cloud Firewall — IP whitelist entries written as ranges (CIDR, one per line on IP Management) now apply the same way everywhere: visitor checks, secret recovery links, and automatic whitelist logic no longer treat ranges like plain single IPs only in some code paths.
- Cloud Firewall (Pro) — If a country or cloud block is skipped because the visitor is using a satellite ISP (satellite ASN softening), you'll now see this clearly in the Events log.
- Added a new Tools-page Cleanup button. Securely removes any legacy options or data. Thank you Davina for the idea.
- Cloud Firewall (Pro) — Option to soften country blocking for satellite ISPs like Starlink. Easily enable or adjust under Firewall → Settings for smoother access while keeping strong protection.
- Event Logger – Plugin and theme installs are now logged (previously only updates were recorded). Activate and deactivate events are always logged with a fallback label when plugin name cannot be read.
- Event Logger – Now also logs activated_plugin, deactivated_plugin, add_user_role, and remove_user_role for a fuller audit trail.
- Event Logger – reliability: Event Logger now records settings changes, post updates, plugin activation/deactivation, and user events correctly when the module is enabled. Previously, events could be missing due to licensing checks blocking the write path; logging no longer depends on that for storing events.
- Event Logger – less noise: A single click to update an already-published post now creates one log entry instead of three. Saving a settings page (e.g. General) creates one entry instead of duplicate entries.
- Event Logger – clearer actions: Settings saves are logged with the action "options_saved" and show which settings page was updated (e.g. General, Reading). Internal WordPress hook names like "whitelist_options" are no longer shown in the log.
- Event Logger – Login events are recorded only when a valid user is present, so your log stays accurate when other plugins or tools fire login-related hooks.
- Event Logger – security: Passwords and account activation keys are never stored in the log or shown in event details. User registration and profile update events only store non-sensitive data.
- AI Security Advisor – Get a plain-English security summary and top improvements from your security tests. Uses WordPress 7 AI Connectors (OpenAI, Google, Anthropic); no domains, URLs, or personal data are sent.
- AI Security Advisor – Overview tab shows when your site was last reviewed and a one-line teaser from the latest report, or invites you to run your first review or set up a connector.
- AI Security Advisor – Dashboard widget shows advisor status at a glance (last reviewed, ready for first review, or set up) with a quick link to the Security Advisor page.
- Visitor Logging (Cloud Firewall) – The Visitor Logging subtab now shows how much database space the visitor log uses and how many entries it contains. A "Reset visitor log" button lets you clear all visitor log entries in one click.
- Firewall – Removed the "blocked_kanagawa" blocked-hosts rule. Kanagawa is a Japanese prefecture and the rule caused false positives for legitimate traffic from Japanese ISPs (e.g. OCN). Thank you Masahiro.
- Including email template properly.
- Improvements for 2FA redirect logic.
- 2FA login redirect – After completing 2FA, users (including admins) are now redirected to the dashboard or requested URL instead of the front page. Redirect logic now matches WordPress core: uses wp_validate_redirect() and the login_redirect filter.
- 404 Guard – IPs whose monitoring window has expired are no longer shown in "Being Monitored". Expired count transients are excluded from the list and deleted to avoid DB bloat, so stale entries no longer appear.
- 404 Guard – First 404 from an IP is no longer logged; logging starts from the 2nd 404 onward to reduce log noise. Approaching-threshold, final-warning, and block events are unchanged.
- Visitor Log – Country flag is now shown next to the IP when country is known, matching Event Log behavior. A geolocation fallback is used for older entries where country was not stored.
- Visitor Log – Fixed undefined variable ($allowed_html) when formatting log row details (wp_kses).
- MainWP – Remote "force create database tables" action for incomplete installations.
- Resolved fatal error when Security Ninja and AR for WooCommerce (or other plugins using chillerlan/php-settings-container) were active together; our copy is now loaded early and aliased in admin to prevent duplicate class declaration.