Description

For over 10 years Security Ninja has helped thousands site owners like you to feel safe. Run 50+ security tests in an instant & discover issues you didn’t even know existed. Help yourself now with Ninja’s simplicity & ease of use.

NEW: Vulnerability scanner – Warns you if you have known vulnerabilites on your website.

Get started in minutes:

Automatically block 600+ million bad IPs with one click! Security Ninja Pro Cloud Firewall will help you stay one step ahead of bad guys by using the collective know-how of millions of attacked sites, and ban bad guys before they even open your site.

Read more about Pro features on the Security Ninja website

Extensions

MainWP – The MainWP Dashboard allows administrators to manage many WordPress websites from a central location.

Install the FREE Security Ninja for MainWP Extension to get an overview of all websites you have installed Security Ninja on!

Security Ninja For MainWP

Security Tests for your website

Vulnerability scanner – warns you of any known vulnerabilities on your website!
Perform over 50+ security tests with one click
Security Ninja does not make any changes – it’s your site, you have full control
check your site for security vulnerabilities, issues & holes
take preventive measures against attacks
don’t let script kiddies hack your site
prevent 0-day exploit attacks
optimize and speed-up your database
every test is explained, documented and instructions provided on how to fix problems
tests include:
- brute-force attack on user accounts to test password strength
- numerous installation parameters tests
- file permissions
- version hiding
- 0-day exploits tests
- debug and auto-update modes tests
- database configuration tests
- Apache and PHP related tests
- WP options tests
complete list of tests:
- Check if Application Passwords feature is enabled (new to WP 5.6)
- Check if WordPress core is up to date
- Check if automatic WordPress core updates are enabled
- Check if plugins are up to date
- Check if there are deactivated plugins
- Check if active plugins have been updated in the last 12 months
- Check if active plugins are compatible with your version of WP
- Check if themes are up to date
- Check if there are any deactivated themes
- Check if full WordPress version info is revealed in page’s meta data
- Check if readme.html file is accessible via HTTP on the default location
- Check if license.txt file is accessible via HTTP on the default location
- Check if REST API links are displayed in page’s meta data
- Check the PHP version is up to date
- Check the MySQL version
- Check if server response headers contain detailed PHP version info
- Check if expose_php PHP directive is turned off
- Check if user with username “admin” and administrator privileges exists
- Check if “anyone can register” option is enabled
- Check user’s password strength with a brute-force attack
- Check for display of unnecessary information on failed login attempts
- Check if database table prefix is the default one
- Check if security keys and salts have proper values
- Check the age of security keys and salts
- Test the strength of WordPress database password
- Check if general debug mode is enabled
- Check if the debug.log file exists
- Check if database debug mode is enabled
- Check if JavaScript debug mode is enabled
- Check if display_errors PHP directive is turned off
- Check if WordPress installation address is the same as the site address
- Check if wp-config.php file has the right permissions (chmod) set
- Check if install.php file is accessible via HTTP on the default location
- Check if upgrade.php file is accessible via HTTP on the default location
- Check if register_globals PHP directive is turned off
- Check if PHP safe mode is disabled
- Check if allow_url_include PHP directive is turned off
- Check if plugins/themes file editor is enabled
- Check if uploads folder is browsable by browsers
- Test if user with ID “1” and administrator role exists
- Check if Windows Live Writer link is present in pages’ header data
- Check if wp-config.php is present on the default location
- Check if MySQL server is connectable from outside with the WP user
- Check if EditURI link is present in pages’ header data
- Check if TimThumb script is used in the active theme
- Check if the server is vulnerable to the Shellshock bug #6271
- Check if the server is vulnerable to the Shellshock bug #7169
- Check if admin interface is delivered via SSL
- Check if MySQL account used by WordPress has too many permissions
- Test if a list of usernames can be fetched by looping through user IDs on http://siteurl.com/?author={ID}
- Check if server response headers contain Strict-Transport-Security
- Check if server response headers contain X-XSS-Protection
- Check if server response headers contain X-Frame-Options
- Check if server response headers contain X-Content-Type-Options
- Check if server response headers contain Content-Security-Policy
- Check if server response headers contain Strict-Transport-Security
- Check if server response headers contain Referrer-Policy
- Check if server response headers contain Feature-Policy
- Check for unwanted files in your root folder you should remove

Security Ninja PRO has extra features: Firewall, Block Suspicious Page Requests, Country Blocking, Core Scanner, Malware Scanner, Auto Fixer for some of the tests, Events Logger & Scheduled Scans.

An all-in-one security solution for any site. With premium support and continuous updates Security Ninja Pro is a perfect tool to keep your site safe. See what the PRO version offers

Add your suggestions to the public roadmap or vote for your favorite new feature.

What others say about the plugin

<a href=”https://wpmayor.com/security-ninja-review-wordpress-security-plugin/>WP Mayor: “Easy-to-Use WordPress Security Plugin”
WPLift
WPExplorer
WP Loop
Bitcatcha.com
WebHostingSecretRevealed
Ravi Singh
Tutorials 7
onlinedecoded.com

Pro

Try out the Pro version on your own FREE test site: Click here => https://app.instawp.io/launch?t=security-ninja-5139

License info

jQuery Cookie Plugin, Copyright 2013 Klaus Hartl
The vulnerability scanner uses data from the National Vulnerability Database – NVD
This product includes IP2Location LITE data available from https://lite.ip2location.com.
This plugin uses the Persist Admin notice Dismissals by Collins Agbonghama @collizo4sky

Screenshots

Fast & easy to understand interface
Security Ninja test results are simple and easy to read
Every test has a detailed explanation and instructions on how to fix the problem
Vulnerable plugins list with details and recommendations - prevent known problems in plugin.

Installation

Installing from WordPress

Open WordPress admin, go to Plugins, click Add New
Enter “Security Ninja” in search and hit Enter
Plugin will show up as the first on the list, click “Install Now”
Activate & go to Tools – Security Ninja to make your site more secure

Installing Manually

Download the plugin.
Unzip it and upload to wp-content/plugin/
Open WordPress admin – Plugins and click “Activate” next to the plugin
Activate & go to Security Ninja to make your site more secure

FAQ

Who is this plugin for?

For anyone who wants to make their site more secure and prevent downtime due to hackers

Will this plugin slow my site down?

Absolutely not. You may experience a slight slow down while tests are being run but that takes less than a minute.

Will it work on my theme?

Sure! Security Ninja works with all themes.

What changes will Security Ninja make to my site?

None! Security Ninja will just give you the test results and suggest corrective measures with precise instruction. It will not make any changes to your site.

Is this plugin safe to use?

Of course. It’s a reporting-only tool. It doesn’t make any changes to your site.

Is this plugin legal to use?

Yes. It’s your site you can do whatever you want with it. Running tests on other people’s sites is illegal but Security Ninja can only perform tests on the WordPress page it’s installed on.

It’s not working!!!

We did our very best to make Security Ninja compatible with all plugins and themes, but problems can still happen.

Check out the community support – head over to the support forum open a new thread, and we’ll help you ASAP.

Reviews

jrostinmagnin 11 Januari 2023

Resolves problem with log visitors very useful The problem was resolved within a day. Very good support

james030 3 Januari 2023

Very useful!

komiklokal 23 Jun 2022 1 reply

I use ninja, and all my problems were solved

patrickvieljeux 30 Januari 2022

very good tool. simple and efficient. justwhat i needed.

helmuthm 30 November 2021

I've been using this plugin for some years now - it's simply excellent 🙂

Jeroen 21 September 2021 1 reply

For me this plugin does what it is supposed to do. Really helps me keep my Wordpress safe and up-to-date.

Read all 91 reviews

Contributors & Developers

“Security Ninja – Secure Firewall & Secure Malware Scanner” adalah perisian sumber terbuka. Orang-orang berikut telah menyumbang kepada pemalam ini.

“Security Ninja – Secure Firewall & Secure Malware Scanner” telah diterjemahkan ke dalam 7 penempatan. Terima kasih kepada para penterjemah untuk terjemahan mereka.

Translate “Security Ninja – Secure Firewall & Secure Malware Scanner” into your language.

Berminat dalam pembangunan?

Layari kod, periksa repositori SVN, atau langgani log pembangunan dengan RSS.

Changelog

5.158

More details for debugging API connection issues.
Visitor log visual updates.
Updated Freemius SDK to 2.5.7

5.157.1

Hotfix for referencing a wrong class name after moving to PHP namespaces in 5.157

5.157

Speed: Plugin options are no longer autoloaded. Older users might notice an improvement in website speed – Thank you Parag.
Fix: When deleting an unwanted file via Core Scanner, the message reported an error even when file was successfully deleted.
Fix: Malware scan could fail due to unexpected output in JavaScript.
Improved visual layout problem in Events Logger.
Improved visual layout in the visitor log
General code improvements and cleaning.
Worked on PHP 8.2 compatibility – almost complete.

5.156

Checked WP 6.2 compatibility
Updated Freemius SDK to 2.5.6

5.155

NEW: Added details about blocked visitors on dashboard widget.
FIX: Notice that detected low memory incorrectly on systems with no limit memory setting (-1)
FIX: Warning notices regarding undefined array keys in the event logger. Thank you Jean-Claude 🙂

5.154

FIX: PHP warning the first time the settings in the vulnerabilites module was updated.
Updated the “Application Passwords” test to include info on how to disable the feature. Thank you @lsbk 🙂
New: More details in email report, user IP and improved layout. Thank you Kevin for the suggestion.
New: You can now email events log reports to more than one recipient. Thank you Kevin.

5.153

FIX: The two Shellshock tests would fail on some servers. Thank you Jeroen and Oliver.
FIX: A bug in the visitor log details when there is a lot of info to display.
FIX: The “Enable background plugin updates” notice was shown everywhere. Thank you Ian for pointing out.
Enable background plugin updates notice is now hidden forever when dismissed.
Change default time to store visitors to 7 days (much better for big sites with a lot of traffic)
Fix bug with unexpected results for tests to show up.
FIX: Remove unused code for plugins not updated for a while. Thank you.
“Outdated plugins” module completely removed for now to be reworked.
FIX: Scheduled Scanner tests with Core Scanner sometimes failed. Error found and fixed.
Updated language files for translators, thank you 🙂

5.152

Fix for not cleaning up old files when downloading vulnerable plugin list. Thank you @michaing.
Fix for visitor log not working properly on some installations. Thank you Jean-Claude.
Fix for bug in events logger related to comments. Thank you Thomas.
Fix for descriptions not showing properly for some vulnerabilites.
Upgrading phpseclib/phpseclib (2.0.40 => 2.0.41)
Language files updated.

5.151

New: Updated visitor log styling and the log now filters out requests not relevant to show, eg. favicon.ico
You can also filter additional requests by using the new filter documented here:
Filter visitor log URLs in Security Ninja
Fix: Problems reported with blocking regular visitors.

5.150

WP 6.1.1 compatibility.
Improved visitor log visuals and logging.
Updated language files. Volounteer translators are translating the plugin and making it easier to use in Bulgarian, German, Spanish (Colombia), Spanish (Ecuador), Spanish (Spain), Spanish (Venezuela). Thank you translators 🙂
New: Remove settings when deactivating. Now you can choose if the plugin database and settings should be removed when deactivating the plugin. Per default this is not enabled to help with debugging. Thank you Thomas 🙂

5.149

WP 6.1 compatibility.

5.148

Prettified the interface
Minor improvements to translated strings. Language files updated.
Added more events from WooCommerce to the Events Logger – more detailed activity.

5.147

Fix: PHP notice on some installations showing update status notification.
Fix: IP Range CIDR matching – improved matching of IP ranges.
Improve memory usage and reduce unnecessary details and options that load automatically = Faster plugin.
Update Freemius SDK to 2.4.5

5.146

FIX: Firewall blocked exports – Thank you Kevin 🙂
FIX: Restore upgrade.php on sites where missing.

5.145

Improved MainWP integration with Secret Access URL.
Improved database usage.
Updated documentation in plugin and on website for Permissions Policy (used to be called Feature Policy) security headers. Thank you Oliver 🙂

5.144

Fix: PHP error on some installs – Thank you @fakkel and @computerbuddha.
New: Expand all details for security tests. Thank you Alauddin.
Fix: Typo in warning messages.

5.143

Improve vulnerabilities interface and text.
New: Detected vulnerabilities list update when website
finishes update routines.
Fix: PHP notice on tests page.
Fix: PHP notice on vulnerabilities page.
Fix: Whitelabel – missing name replacements several places. Thank you Jay.
Fix: PHP pruning visitor log in some cases.
Fix: Plugin name was showing up even if whitelabel feature enabled. Thank you Jay.
Fix: Not detecting themes properly.
Compatibility check with WordPress 6.0
Updated language files.

5.142

Fix: PHP notice when amount of vulnerabilities change.
Fix: Error if multiple Strict-Transport-Security headers are used – Thank you Jay.
Fix: PHP notice in auto-fixer module, thank you Jay.
Fix: When renaming the login URL the default page now returns 404. Thank you Alauddin.

5.141

New: Filter for whitelisting custom files and folder for malware scanner. wpsecurityninja.com/docs/filters-hooks/securityninja_whitelist/
Wizard: Auto update plugin enabled per default.
The autofix is back and improved – Easy fixes for many of the security tests.
Fix for the “Remove unnecessary themes”. Thank you Jay.
Fix whitelisting folders and files in malware scanner
Fix for Russian language websites. Opt-in dialogue failed. Thank you Mikhail 🙂

5.140

Improved MainWP integration.
Improved auto-updates integration.
Fix: Logging database tables sometimes not created before plugin tried to log something.

5.139

NEW – Notice to easily enable automatic background updates.
Wizard – automatically sends email with unblock URL to administrator currently logged in.
FIX – PHP Notice missing database table when deactivating and reactivating.
Updated the description of the Content Security Policy, thank you Reza.
Code preparation for integration with MainWP! 😀
Cleanup JS code.

5.138

Improved test “Check if automatic WordPress core updates are enabled.” with better explanation – thank you Reza.
Removed clutter in interface.
Fixed potential bug in installation script.
Updated firewall with new rules.
Tested up to WP 5.9.2

5.137

Removed events logger step from wizard – it is automatically enabled.
Improved the Wizard layout and process.
Fix bug in event log, thank you Eelco.

5.136

Security Tests – Improved layout changes, “Details” link moved.
Security Tests – Fixed the test for unnecessary themes. Thank you Jay 🙂
Fix – Opt in reset link.
Visitor Log: Rearrange details for each request, easier to get an overview.
Event logging is always on, helps detect patterns, eg. failed logins and repeated attacks spread over longer periods of time.
Retired old database optimizer module.
Removed syslog feature from events module.
Cleanup old code.
Minor improvements to event logger page styling.

5.135

Core Scanner – Now with “Delete all” button.
Security fix.

5.134

Rename login – when activated shows same message as set in the settings for blocked pages.
Fix – Firewall rename login module was deactivated in settings.
Fix – First time activation goes to main page.

5.133

Fix for empty table name when updating.
Code tightening and 3rd party library updates.
Tested WP 5.9.1

5.132

Disable “Rename login URL” feature when the firewall module is disabled. Thank you Alauddin.
Updated IP detection functionality – fix for firewall issues.

5.131

Fix for firewall – thank you Barry 🙂

5.130

Fixes to firewall issues reported on some websites. Sorry to those affected.
Pro: New feature, automatically remove unwanted files – Enable on Fixes page.
Pro: Improved event logging detecting user in some cases.
Pro: Fixed problem loading the wizard on some websites.
Pro: More details in “Event logger” – see raw data for more events.

5.129

Improved test interface, less clicks needed.
Pro: New feature, enforce secure cookies on your website. Easy 1-click fix.
Improved PHP 8 compatibility
Updated 3rd party libraries.
Tested up to WP 5.9

5.126

NEW – Rename login. Hide your login page from automated scripts.
NEW – Core Scanner now runs automatically every day. No need to manually scan the core WordPress files. This now happens automatically for you 🙂
NEW – Added applebot.apple.com to verifyable crawlers.
NEW – Whitelisting IPs for WP Rocket and Broken Link Checker services.
Updated 3rd party libraries.
Tested up to WP 5.8.2

5.125

Version skipped.

5.124

FIX – Made the notice about updated vulnerability list dismissable.
FIX – Minor bug in test if Admin SSL is enforced – Thank you Christopher.
FIX – Updated malware scanner to fix false positive – Thank you Benjamin.
NEW – Added petalsearch.com to list of validated crawlers – Thank you Thomas.
Language files updated.

5.123

NEW: Improved firewall with better search engine crawler detection – Thank you Thomas.
FIX: Missing details when logging a failed login – Thank you Eric.

5.122

Fix – High memory usage when activating plugin – getting vulnerabilities could stop activating the plugin. Thank you Patrick for the help locating this!
Fix – Internal links
Fix – Wizard CSS layout was not properly loading

5.121

Fix: Vulnerabilities – Small display error when showing how many vulnerabilities added in last update.
Fix: Vulnerabilities – Memory issue converting data on some servers, thank you John.
Improved visitor logging, faster code.

5.120

New: Get email warning if any vulnerabilities are detected on your website!
Fix: Some visits were not properly logged, thank you Thomas, John and others for reporting.
New: Improved reporting of blocked IPs -> Faster plugin 🙂
New: Our global IP network of blocked IPs is now out of beta -> More protection for your website.
New: Notice shows new vulnerabilities added since last update.
Improved the visitor log -> Only updates when the browser window is in focus, less work for your server.
Updated language files. Thanks to all the translators for their hard work! 🙂

5.119

Tested up to WP 5.7.2
Minor PHP fixes.
Updated language file.
New – Visitor log with live updates (Pro)
Improve IP reporting network functionality (Pro)
Improve firewall rules (Pro)
Fix – PHP notice regarding wizard (Pro)
Fix – Removed visitor logs on Firewall tab (Pro)
Fix – Firewall visitor log mistakenly reported administrators as blocked, eventhough they were not (Pro)
Fix – Visitor log not including WP_AJAX requests (Pro)
Fix – Visitor log not including cron jobs.

5.118

New – Pointer introduction for new users!
Fix Welcome page layout and improved styling

5.117

Fix minor issue in malware scanner
Fix persistent error in WC logging.

5.116

Fix – Event logging not working properly on some WooCommerce shops.

5.115

Fix – Downloading vulnerability list showed error notification on some website configurations.
Fix – Properly overwrite settings in wp-config.php
Fix – General cleanup of code.
Tested up to WP 5.7
New – PRO: Added basic WooCommerce tracking to Events Logger.
PRO: Feature-Policy has been deprecated, it has been renamed to Permissions-Policy. Currently both headers are used temporarily.
Updated 3rd party libraries.
Fix problem on some systems – error when activating firewall – “Undocumented error. Page will automatically reload. Reworked code.
Fixed notice in welcome module when deactivating plugin. Thank you Ebrahim.
Whitelabel now available for 20+ site licenses.
Languages available: Bulgarian, English (US), Spanish (Ecuador), Spanish (Spain), and Spanish (Venezuela). Thanks to all the translators! 😀
225,923 downloads

5.114.1

Quick fix for PHP notice showing up in debug log on some websites.
216,033 downloads

5.114

NEW: Settings for vulnerability module – control what is being checked for and disable the counter in the admin menu.
Improved plugin loading time – Doing more tasks in background.
Pro Changes:
NEW: Wizard – Get started in minutes with a few simple steps – protect your website with ease.
NEW: Introducing IP ban network – all sites reports heavy attacks to a central API to send out block warning to all sites in the network.
NEW: Fixes: Disable WP XML Sitemaps introduced in WordPress 5.5
NEW: Fixes: Enable/disable username enumeration
Import/export works with vulnerability settings.
Improved handling of importing data.
Removed debug page in plugin in favor of “Site Health” included with WP.
213,303 downloads

5.113

Fix: MySQL no longer creates database tables with “MyISAM” as the engine. Uses the site default configuration. Thank you Kien.
Fix: “Test this IP” did not work correctly with IP ranges. Thank you Justin.
Fix: Core Scanner module – now works faster and loads data without reloading the entire plugin page. Improved user interface.
205,441 downloads

5.112

New: Check for Application Password feature introduced in WP 5.6
New: Enable/disable the Application Password feature (Pro)
Fix: PHP notice when downloading and saving vulnerability list.
Tested with WordPress 5.6
201,061 downloads

5.111

Update Freemius to 2.4.1 and other 3rd party libraries.
193,411 downloads

5.110

NEW: Fixes page – Enable/disable security features on your website.
NEW: Set Security Headers values on “Fixes” page.
NEW: Hide PHP Version and Server info.
Improved user interface, made changes to colors and layout.
Tested up to WP 5.5.1
Further work on PHP compatibility – Thank you Barry.
185,502 downloads

5.109

FIX – Nginx example corrected for “Referrer-Policy” from “no-referrer” to the correct “same-origin”. Thank you Mk.
FIX – Nginx example corrected for “Feature-Policy” security header. Thank you Mk.
FIX – “Secure the site” showing up multiple places on plugins page in admin.
Improvement – Better instructions on how to change weak database passwords and removing the autofixer.
Minor cleanup in logging routines.
Fix: Loading outdated plugin list from file instead of from database – caused problem on some servers.
Fix: Wrongly saying “Vulnerabilities found” eventhough no vulns were found.
Fix: Check for wp-config permissions (chmod) failed if the file had been moved. Thank you Mk.
Fix: Minor error showing last blocked logins in sidebar.
Updated 3rd party libraries for better PHP 7.4 compatibility.
182,512 downloads

5.108

FIX: “Secure this site” link under all plugins. Thank you Mk.
FIX: Opening up welcome page for all new plugin installations.
Updating jQuery code due to changes to WordPress 5.5
Tested WP 5.5 compatible.
More detailed description in Firewall for “Hide login errors”.
177,103 downloads

…

Entire changelog can be seen here: changelog