# Atlant Security **Enterprise-grade WordPress security by Atlant Security.** WAF, brute-force protection, real-time visitor log, IP blocking, bot detection, malware scanner, 2FA, honeypots, AI crawler control, and post-breach recovery - all in one plugin. --- ## Description Atlant Security is a comprehensive WordPress security plugin that provides enterprise-grade protection through 17 integrated security modules organized in a 5-layer defense architecture. ### 5-Layer Defense Architecture 1. **Pre-WordPress WAF** - Firewall, rate limiter, and IP blocking run before WordPress processes the request. 2. **Application-Aware** - Login security, custom login URL, two-factor authentication, session hardening, cron monitoring, and REST API policies. 3. **Content & Config** - WordPress hardening, security headers, AI crawler management, and honeypot traps. 4. **Outbound & Data** - SSRF prevention, malware scanning (files and database). 5. **Response & Recovery** - Post-breach recovery, notifications, visitor log, and audit log. --- ## Features - 🔥 **Web Application Firewall (WAF)** - 28+ attack pattern families: SQLi, XSS, RCE, LFI, RFI, path traversal, PHP object injection, and WordPress-specific attacks. Block or log-only mode. Triple URL decoding prevents evasion. - 🔐 **Login Security** - progressive lockout (5 min → 30 min → 24 hours), custom login URL, generic error messages to prevent username enumeration, author enumeration blocking - 🔑 **Two-Factor Authentication** - TOTP (Google Authenticator, Authy) and email OTP. Per-role enforcement, 10 recovery codes, 5-minute challenge timeout, replay attack prevention. - 🔑 **Password Policy** - configurable minimum length, character requirements, common password blocking, and passphrase generator - 🤖 **Honeypot Traps** - hidden link traps, fake login pages, comment honeypots, and Contact Form 7 integration. 3-layer safe bot protection ensures legitimate crawlers are never blocked. - 🌍 **IP Management** - manual blocking, automatic bans, whitelist, VirusTotal integration - 🌐 **GeoIP Country Resolution** - MaxMind GeoLite2-Country with pure-PHP MMDB reader, auto-download, and weekly auto-update - 📋 **Real-Time Visitor Log** - every request logged with IP, user agent, country flag, page, and threat classification - 🔍 **Malware Scanner** - 38 malware signatures detect backdoors, webshells (WSO, c99, r57), crypto miners, credit card skimmers, and obfuscated code. Quarantine system with web access blocking. - 🛡️ **Security Headers** - HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORP, COOP. Letter-grade scoring system. - 🔒 **WordPress Hardening** - disable XML-RPC, hide WP version, block REST API user enumeration, block author enumeration, disable file editor, block PHP execution in uploads - 🚨 **Post-Breach Recovery** - 12 emergency actions: terminate sessions, force password reset, rotate secret keys, emergency lockdown, reinstall core, reinstall plugins, audit admin accounts, clear caches, malware scan, disable plugins, and downloadable incident report. - 📊 **Audit Log** - tamper-resistant admin action audit trail - 🔔 **Notifications** - email alerts (HTML formatted, color-coded severity), Slack webhooks, custom JSON webhooks, and daily digest. 5-minute deduplication. - 🕐 **Session Security** - cookie hardening (HttpOnly, Secure, SameSite), session binding via IP + User-Agent fingerprint, concurrent session limits, idle timeout, optional admin bypass - 📡 **Outbound Monitor** - SSRF prevention, blocks requests to private/internal IP ranges including cloud metadata endpoints, domain allowlist with wildcard support, caller detection - ⏱️ **Rate Limiter** - sliding-window rate limiting across 11 endpoint categories: frontend, login, search, feed, REST API, WooCommerce checkout, XML-RPC, and cron - 🤖 **AI Crawler Management** - per-crawler toggles for 20+ known AI/LLM training crawlers (GPTBot, ClaudeBot, Google-Extended, Bytespider, and more), robots.txt integration, 403 enforcement - ⚙️ **REST API Policies** - per-route access control with authentication requirements, HTTP method restrictions, rate limits, and IP whitelists. 5 built-in policies. - 🕰️ **Cron Guard** - wp-cron flood detection, suspicious task monitoring via baseline comparison, system cron migration helper --- ## What Makes Atlant Security Different * **Pre-WordPress WAF** - Blocks attacks via `auto_prepend_file` before WordPress even loads * **Outbound HTTP Monitor** - Detects SSRF attacks and unauthorized outbound connections * **Database Backdoor Scanner** - Scans wp_options and wp_posts for eval(), base64, and hidden backdoors * **Client-Side Bot Detection** - JavaScript challenges and browser fingerprinting catch sophisticated bots * **AI/LLM Crawler Blocking** - Identify and block AI training crawlers scraping your content * **Honeypot Traps** - Hidden links, fake login pages, invisible form fields that only bots trigger * **Cron Guard** - Monitors wp-cron for unauthorized scheduled tasks planted by malware * **Post-Breach Recovery** - Guided recovery toolkit with 12 emergency actions in one place * **Session Fingerprint Binding** - Binds sessions to IP + User-Agent so stolen cookies are useless * **Real-Time Visitor Dashboard** - Live visitor feed updated every 15 seconds * **Smart Password Policy** - Minimum length, complexity, common-password blocking, and passphrase support * **Granular REST API Policies** - Per-endpoint control, not just a global on/off switch * **Safe Mode Override** - One constant in wp-config.php disables all blocking features instantly * **Deactivation Data Control** - Choose to keep or wipe all security data when deactivating * **Zero phone-home** - No telemetry, no tracking, no external API calls, fully GDPR-compliant --- ## Requirements - WordPress 6.0 or higher - PHP 8.0 or higher --- ## Installation 1. Upload the `atlant-security` folder to `/wp-content/plugins/` 2. Activate the plugin through the **Plugins** menu in WordPress 3. Navigate to **Atlant Security** in the admin sidebar to access the dashboard 4. Optionally run the **Setup Wizard** from the sidebar to configure core security settings quickly The Setup Wizard configures your WAF, login protection, hardening, visitor logging, and notifications. You can run it at any time from the inner sidebar navigation. ### Safe Mode If you ever get locked out of your site, add this line to `wp-config.php`: ```php define( 'ASWP_SAFE_MODE', true ); ``` This disables all blocking features (custom login URL, IP blocking, WAF, rate limiting) while keeping the admin interface accessible so you can fix settings. --- ## Frequently Asked Questions **Will this slow down my site?** No. The WAF runs at `init` priority 0 with optimized pattern matching. Rate limiting uses APCu when available for microsecond lookups. The visitor log is a single lightweight INSERT per request. **The WAF is blocking my page builder (Elementor, Divi)** Switch WAF to **Log Only** mode, reproduce the issue, then check the **Audit Log** for the triggered rule. Page builders may trigger false positives due to base64-encoded content in their save payloads. **Users keep getting logged out unexpectedly** This is caused by Session Binding with IP binding enabled. Go to **Session Security** and disable "Bind to IP" while keeping "Bind to User-Agent" enabled. Mobile and VPN users frequently change IPs. You can also enable "Exempt Administrators" to bypass all session restrictions for admin users. **I locked myself out with the Custom Login URL** Add `define( 'ASWP_SAFE_MODE', true );` to your `wp-config.php`. This disables all blocking features while keeping the admin accessible. Alternatively, rename the plugin folder via FTP to `atlant-security-disabled`, log in normally, rename it back, then whitelist your IP. **Email notifications are not arriving** WordPress default `wp_mail()` uses PHP mail() which many hosts block. Install an SMTP plugin like **WP Mail SMTP** or **FluentSMTP** to route emails through a proper mail provider. **The malware scan is running slowly** Reduce "Files per Batch" to 20-30 on shared hosting. The scanner processes files in AJAX batches to avoid timeouts. Files larger than 5 MB are automatically skipped. **How does the honeypot protect legitimate crawlers?** Three layers of protection: (1) Trap URLs are added as Disallow rules in robots.txt, (2) hidden links use rel="nofollow", and (3) 35+ known-good bot user agents (Googlebot, Bingbot, etc.) are pattern-matched and receive a 404 instead of a ban. AI crawlers marked "allowed" in your settings are also protected. **What happens to my data when I deactivate the plugin?** Nothing is deleted on deactivation. When you delete the plugin, a dialog asks whether to keep or remove all data. You can also control this in Settings → "Delete data on uninstall". --- ## Changelog ### 1.1.2 - Added: About page with 5-Layer Defense Architecture, competitive features list, attack vector coverage, and plugin information - Improved: Dashboard decluttered - informational panels moved to About page for a cleaner operational view - Improved: About page lists 15 unique competitive features with descriptions - Fixed: Setup wizard no longer auto-redirects on plugin activation or reactivation - Fixed: Setup wizard accessible from sidebar navigation at any time ### 1.1.1 - Improved: Visitor log table uses percentage-based column widths for fluid layout across screen sizes - Improved: Filter bar and results info bar spacing tightened - Fixed: Setup wizard admin notice removed - no longer floats above page layout ### 1.1.0 - Improved: Stat cards compacted - smaller icons, tighter padding, reduced font sizes - Improved: Page header, grid column, and IP list padding reduced for denser layout - Fixed: Session timeout now correctly respects "Exempt Administrators" setting for idle timeout and session fingerprint binding (was only checked for concurrent session limits) - Fixed: Session security settings description updated to reflect full admin bypass scope ### 1.0.9 - Improved: Inner sidebar width reduced from 240px to 200px with tighter item padding - Improved: Table headers shortened (IP Address → IP, Country → flag only, etc.) - Improved: Top IPs widget uses compact 24x24px icon buttons instead of full-width buttons - Improved: Dashboard grid right column uses responsive minmax sizing - Improved: Page content padding and table cell padding reduced globally ### 1.0.8 - Fixed: Visitor log column widths - JS table-resize no longer overrides CSS-defined column classes - Fixed: Added CSS column width classes to all table headers (visitor log + dashboard live visitors) - Fixed: Dashboard live visitors table shows flag only (removed redundant country code text) ### 1.0.7 - Added: Inner sidebar navigation (Nexus SEO style) - all plugin pages accessible from a persistent left panel - Added: WordPress sidebar shows single "Atlant Security" entry instead of 23 submenu items - Added: Sidebar brand header with logo, active page highlighting, version footer - Added: Responsive sidebar - collapses to horizontal nav on screens below 1024px - Fixed: Plugin footer now renders inside page layout instead of WP's admin footer area - Fixed: "Sorry, you are not allowed to access this page" error caused by removing WordPress $submenu entries - now uses CSS-based hiding to preserve permission checks ### 1.0.6 - Improved: All plugin admin pages now send no-cache headers to prevent stale data from caching plugins - Fixed: Top Pages widget CSS class mismatch causing broken styling - Fixed: Top IPs widget now excludes whitelisted IPs from the list ### 1.0.5 - Fixed: decodeEntities function scoping bug in admin.js causing HTML entity rendering issues ### 1.0.4 - Added: GeoIP country resolution - MaxMind GeoLite2-Country integration with pure-PHP MMDB reader, auto-download, weekly auto-update, and dedicated admin page with test lookup - Added: Custom Login URL module - move wp-login.php to a custom slug with automatic redirect of the default login page - Added: Password Policy module - configurable minimum length, character requirements, common password blocking, and passphrase generator - Added: Force SSL Admin as a plugin-managed setting (defines FORCE_SSL_ADMIN constant at runtime) - Added: Auto-Update Plugins and Auto-Update Themes toggles in Settings and Hardening checklist - Improved: Admin sidebar pages reordered alphabetically for easier navigation - Improved: Post-Breach Command Center layout - lockdown status widget moved into Critical Actions grid - Improved: Hardening checklist - Force SSL Admin now toggleable from the checklist (was "Manual fix required") - Fixed: Post-Breach page SQL queries referenced nonexistent table name (aswp_ip_blocks → aswp_blocked_ips) - Fixed: Post-Breach blocked IP count query used wrong column names (expires_at → permanent/blocked_until) - Fixed: Database migration duplicate-key error that broke all AJAX endpoints (visitor log, dashboard widgets) - Fixed: Settings loss on plugin reactivation - WAF mode, auto-blocks, and setup wizard no longer reset - Fixed: Timezone mismatch between stat cards and live visitors (gmdate/NOW vs current_time) - Fixed: Text domain loaded too early warning on WordPress 6.7+ (moved to init hook) - Fixed: Plugin deletion wiped all data - uninstall now requires explicit opt-in via deactivation dialog or Settings toggle - Fixed: ALTER TABLE ADD INDEX SQL errors corrupting AJAX JSON responses when WP_DEBUG_DISPLAY is on - Fixed: Consistent timezone handling across all 12 modules - Fixed: Correlated subquery in update_blocked_counts cron job - replaced with single JOIN - Fixed: Daily digest cron hook not cleared on plugin deactivation - Fixed: GeoIP database directory cleanup in uninstall.php - Internal: Complete codebase prefix migration from fwwp_ to aswp_ with automatic database migration on upgrade ### 1.0.3 - Added: Honeypot module with hidden link trap, fake login page, comment honeypot, CF7 integration - Added: 3-layer safe bot protection for honeypots (robots.txt, nofollow, UA detection) - Added: Security Headers admin page with letter-grade scoring - Added: Two-Factor Authentication admin page with TOTP and Email OTP - Added: Notifications admin page (Email, Slack, Webhook, Daily Digest) - Fixed: Top IPs widget now shows VirusTotal link, Block button, and Details button - Fixed: IP Detail Modal - added max-height, scroll, wider layout - Fixed: Blocked IPs now correctly log 403 status code instead of 200 - Fixed: TwoFA role handling for comma-separated role strings ### 1.0.2 - Added: 5 new security modules - AI Crawlers, REST API Policies, Session Security, Outbound Monitor, Cron Guard - Added: 5 new admin pages with full settings UI for each module - Improved: Dashboard with live visitors auto-refresh, traffic chart, top IPs/pages widgets ### 1.0.1 - Added: Setup Wizard with 7-step guided configuration - Added: IP Detail Modal on Dashboard - Improved: Dashboard stat cards, browser distribution chart - Fixed: Setup wizard pagination and button responsiveness ### 1.0.0 - Initial release with 17 security modules - Web Application Firewall with 28+ attack pattern rules - Brute force protection with progressive lockout - Malware scanner (file and database) - Post-breach recovery toolkit (12 actions) - IP blocking and whitelisting - Visitor log with filtering and pagination - Admin audit log - WordPress hardening (6 toggles) - Rate limiter (11 endpoint categories) - Real-time security dashboard --- ## Credits Built by [Atlant Security](https://atlantsecurity.com) - enterprise WordPress security specialists.