XO Security is a plugin that enhances login-related security.
This plugin does not write to the .htaccess file. It works with LiteSpeed, Nginx and IIS as well as Apache.
- Record login log.
- Limit login attempts.
- Login Alert.
- Add Captcha to the login form and comment form.
- Change the URL of the login page.
- Disable login by mail address.
- Disable login by user name.
- Change login error message.
- Disable XML-RPC and XML-RPC Pingback.
- Disable REST API.
- Change REST API URL prefix.
- Disable author archive page.
- Remove comment author class of comments list.
- Remove the username from the oEmbed response data.
- WooCommerce login page protection.
- Anti-spam for comments.
- Hide WordPress version information.
- Edit the author slug.
- Disable RSS and Atom feeds.
WordPress multisite considerations
If you set the login page separately for the main site and the subsite, you will not be able to use the lost password function of the subsite. We recommend that you set the login page to be common to all sites.
- Upload the XO-Security folder to the
- Activate the plugin through the Plugins menu in WordPress.
- Go to “Settings” -> “XO Security” and customize behaviour as needed.
Login page is not displayed.
Please initialize the settings.
- In the wp_options table, delete the record whose option_name field (column) value is “xo_security_options”.
- If you have set the login page, please delete its file.
The CAPTCHA is not displayed.
Please install the mbstring and GD modules.
Contributors & Developers
“XO Security” is open source software. The following people have contributed to this plugin.
“XO Security” has been translated into 1 locale. Thank you to the translators for their contributions.
- Added a function to optimize the database table.
- Code refactoring to meet WordPress PHP Coding Standards.
- Supported WordPress 6.2.
- Supported SQLite.
- Removed password field from login log.
- Fixed a bug where the CAPTCHA might not be displayed in PHP 8.1.
- Removed site information from the status screen.
- Added support for MySQL 5.5.13 and earlier versions.
- Fixed a bug where the login log might not be recorded in some environments.
- Added xo_security_loginlog_checkbox filter hook.
- Added a function to mark spam comment email addresses as spam.
- Added escaping to multiple translated texts for enhanced security.
- Bumped the minimum required version of WordPress to 4.9.
- Improved performance.
- Added the ability to remove username from the oEmbed response data.
- Fixed a bug where the author slug (Nicename) could not be edited.
- Added an option to set a common login page for all WordPress multisite sites.
- Enhanced WordPress multisite support.
- Fixed a bug where the post list page for each creator on the admin screen was not displayed when the creator archive page was disabled.
- Fixed a bug where login might fail when using CAPTCHA.
- Fixed incorrect HTML on the settings screen.
- Omitted the lazy loading attribute of CAPTCHA in the login form.
- Fixed an authenticated (author+) time-based SQL injection vulnerability. (Thanks to Kenta Yoshida)
- Added the ability to choose whether spam comments should be blocked, marked as spam and saved, or put in the trash.
- Fixed a bug where an error message might be displayed on the admin screen during a new installation.
- Fixed a bug in login log recording.
- Added an option to set the default display method of the login log.
- Fixed a bug where the CAPTCHA was ignored and login was possible when a PHP session was not available. (Thanks to Jazz@ifNoob)
- In the case of WordPress multisite, the log is recorded for each site.
- Added the ability to disable RSS and Atom feeds.
- Added the editing function of the author slug.
- Disabled auto-completion for CAPTCHA input fields.
- Added the ability to hide WordPress version information.
- Added the ability to block spam comments.
- Restructured the settings page.
- Added the function to customize the login form.
- Changed to remove the standard sitemap user provider when disabling the author archive.
- Added login type column to login log.
- Added the option to select the method of acquiring the IP address.
- Added a feature to disable login by user name and enable login by email only.
- Fixed a bug that could slow down the display of the admin page. (Thanks to mocchii)
- Added a function to display site information.
- Added an option to change the login error message.
- Added an option to disable login by mail address.
- Fixed an XSS vulnerability.
- Initial release.