SecuPress Free — WordPress Security



Protect your WordPress with malware scans; block bots & suspicious IPs. Get a complete WordPress security toolkit for free or as a pro plugin.

What’s the difference between the free and pro versions?
If you are proactive, our free WordPress security plugin is a great choice! No time to activate weekly scans? Then SecuPress pro is the way to go. Our plugin takes care of everything with automated tasks.

Here are some of our most popular features:

  • Anti Brute Force login
  • Blocked IPs
  • Firewall
  • Security alerts (1)
  • Malware Scan (1)
  • Block country by geolocation (1)

We have included some features you won’t find in most WordPress security plugins:

  • Protection of Security Keys
  • Block visits from Bad Bots
  • Vulnerable Plugins & Themes detection (1)
  • Security Reports in PDF format (1)

You can check out Frequently Asked Questions or get in touch with our support. Want to know all about SecuPress? You can read our documentation here:

How will you know it works?
Well, we have a dedicated security scanner that will give you a clear security grade and report for your website. This way, you’ll know exactly what to fix.

WordPress Features

Security Audit
SecuPress is the only plugin with a full scanner able to fix the issues for you. And when it requires a decision from you, it will ask you before proceeding. With this feature, you can check 35 security points in 5 minutes and let us take care of the rest.

Once done, you get a security grade that gives you a clear idea of what your security level is. You can export this analysis in PDF format to share with others (clients or colleagues) (1).

Users & Login
This feature is the easiest way to make sure your users’ data is protected and to keep their accounts from being compromised. With this feature you can limit the number of bad login attempts, ban login attempts that use non-existent usernames, and set a non-login time slot. SecuPress also makes sure you can avoid double logins and control your sessions.

SecuPress also adds 2FA (two-factor authentication) because it’s almost a mandatory feature when it comes to WordPress security!

The plugin also gives you greater user and password control, as you can:

  • Set password lifetimes for your users.
  • Enforce strong password use.
  • Forbid the use of vague usernames like www or admin.

Tired of bots finding your WordPress login page? Just move it with the famous Move Login plugin, now included in SecuPress.

Plugins and Themes
SecuPress helps you detect themes and plugins that are vulnerable or that have been tampered with to include malicious code. If you install one of these, your security module will send out an email alert and give you a warning in WordPress.

SecuPress takes security further by limiting plugin activation, deactivation, installation and removal in your production (live) website. Plugin and theme uploads via .zip files will be on lockdown as well to block off this easy hacking route.

WordPress Core
SecuPress reinforces the WordPress Core to keep it safe. The security plugin optimizes what’s under the hood to secure the config file by setting the proper parameters.

Sensitive Data
SecuPress secures content in many ways:

  • The plugin secures WordPress Endpoints and APIs by blocking bad requests for XML-RPC or REST API.
  • It blocks bad bots with its Robots Blackhole feature.
  • It provides an anti-hotlink feature to preserve your bandwidth.
  • The plugin packs 7 anti-disclose security modules to make sure no precious information is available to hackers in your PHP or WordPress itself.
  • Profile and SecuPress settings pages are password protected to keep sensitive information away from prying eyes.


  • SecuPress is the most efficient WordPress bouncer you’ll ever see!
  • The plugin blocks malicious incoming requests.
  • It blocks bad User Agents (no bad crawlers allowed).
  • Bad requests methods also get the boot in a single click.
  • URLs are kept in check: no bad URL contents or URLs that are too long allowed.
  • SQL injection scanners are kept out as well.
  • Brute force attempts are stopped in their tracks.
  • GeoIP Blocking by country gives you more control over your traffic.

Malware Scan
SecuPress has a unique malware scan developed by our security experts. It hunts down bad files and provides you with an easy step-by-step report that lets you take action. It looks into:

  • Bad files in your FTP.
  • Your uploads folder for dangerous files.
  • Potential phishing attempts via index.php loads.

We know firsthand how painful it is to pick up the pieces after an attack damages your WordPress. SecuPress preserves your data to help you avoid lost content or settings if your website comes under attack. The plugin backs up your database and files and lets you download them to guarantee you peace of mind.

Anti Spam
Did you know that 60% of the traffic on the Internet is generated by bots? Most of them happen to be spam bots. We developed our own anti-spam system that works quietly in the background. Just activate it and enjoy a spam free experience.

Alerts are an essential tool when your website is under attack. When something important happens on your website, SecuPress will send you an alert via email. We’re working on alerts via SMS, Slack & Twitter as well.

You also receive a daily report that provides a debrief of the attempted attack and all the activities blocked by SecuPress.

Scheduled Security Tasks
SecuPress can run 3 separate scheduled tasks for you. It’s like having a security patrol on your WordPress.

  • Scheduled Scanner: SecuPress scans your website to detect any issues. After the scan is complete, you get a report in your inbox outlining any actions you have to take to protect your website.
  • Scheduled Backup: our team knows that everyone at one time or another forgets to back things up. We made it an automatic task to help ensure you can always recover from an attack with your content safe.
  • Scheduled Malware Scan: this security feature scans your website at regular intervals to hunt down any malware that may have gotten into your WordPress.

SecuPress will keep a log of important security activities and 404 pages triggered by users, bots or even Chuck Norris. This lets you keep an eye on what’s going on in your WordPress at any time. You can also control banned IPs from this option.

(1) Available in the Pro Version.

(SecuPress is a WordPress security plugin)


  • All modules from SecuPress
  • A module page (here is Users & Login)
  • The first scan
  • The 1st step: result of the scan
  • The 2nd step: choose what to automatically fix
  • SecuPress is fixing issues for you
  • The 3rd step: manual fix, when you have to decide something
  • The 4th step: final report, you can export it as PDF (1)


It’s important to delete all other security plugins before activating SecuPress.

  1. Upload the plugin files to the /wp-content/plugins/secupress directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. Use the SecuPress->Settings screen to configure the plugin.

Frequently Asked Questions

What does SecuPress do, exactly?

SecuPress is a plugin for WordPress sites which enables better security without sacrificing usability. It’s easy to use for you and hard to hack for pirates. First, SecuPress will scan your site, looking for vulnerabilities, and provide a report detailing possible security improvements to harden your WordPress. The majority of recommendations are easy to implement by checking a box; very few will require a manual setup.

What makes SecuPress better than any other security plugin?

SecuPress protects your website on multiple fronts: anti spam, double authentication. The best feature for users remains how easy this plugin is to use. You don’t need to be an experienced technician to use and secure your WordPress like an expert!

Our security alarms hosted on our servers supply daily data about the most recent vulnerable plugins and themes. This allows you to always be aware and safe.

Is SecuPress compatible with multisites installation?

Yes, SecuPress can be activated for all your sub-sites, just activate it from your main network site.

Is SecuPress compatible with all web hosters?

Yes, SecuPress is compatible with all web hosters like WP Serveur, OVH, Siteground, BlueHost, PlanetHoster, WP Engine, O2Switch or GoDaddy. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with all caching plugins like WP Rocket, W3 Total Cache, WP Super Cache?

Yes, SecuPress is compatible with all WordPress caching plugins. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with all multilingual plugins like PolyLang, WPML, qTranslate?

Yes, SecuPress is compatible with all multilingual WordPress plugins. If you have an issue, please get in touch with us and let us know!

Is SecuPress compatible with all server engines like Apache, Nginx, IIS7?

Yes, SecuPress is compatible with all server engines. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with other security plugins like WordFence, iThemes Security, Bullet Proof Security?

The answer is no. SecuPress is not compatible with other security plugins. Just like two caching plugins do not make your website faster, two security plugins do not make your WordPress more secure. Security rules tend to be overwritten or conflict with other rules if two security plugins are installed. This can cause errors on your website and is not recommended.


Perfect protection and usability!

After testing quite a few plugins (Sucuri among others), Secupress turns out to be the most effective, the most complete and the easiest to get started with, thanks to truly superb usability.
Congratulations to the developers!!

I confirm the lack of response

I also bought the pro version, specifically for the PasswordLess method.
I installed it but it does not work.
3 emails with no reply.
I hope it is a temporary problem…
I will keep you posted, see you later

What a joke…

Seeing all the good reviews, I thought the quality would be there. There seems to have been a problem with my purchase and I still cannot use the plugin in its PRO version. As a result, for more than a month I have been regularly sending emails, talking to myself, and still no reply. My card has already been charged; I guess replying to me no longer interests them. Really sad to see such a lack of respect for customers.

Great plugin

Fantastic work: while my site was under attack and bringing the server down, I was able to put it back online with securepress, and it has held up since, despite the jokers attacking with DoS.
A thousand bravos!


Website creators are never sensitive enough to security. Yet it is essential. I discovered Secupress, a security plugin, some time ago, and I install Secupress on every site I create. Easy and intuitive to configure, the plugin really delivers. Bravo… The support is also very responsive and very professional. Thank you

Read all 52 reviews

Contributors & Developers

“SecuPress Free — WordPress Security” is open source software. The following people have contributed to this plugin.


“SecuPress Free — WordPress Security” has been translated into 2 languages. Thank you to the translators for their contributions.

Translate “SecuPress Free — WordPress Security” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog


  • 04 september 2017
  • Fix #522: zxcvbn lib contained an unfixed bug, I fixed it.
  • Fix #524: Move login was blocking the home page


  • 01 september 2017
  • Improvement #516, #518, #519: Move login hides now the postpass url, the register url is now different and has its own setting, /!\ now our Move Login is not compatible anymore with “SF Move Login” from GregLone, thank you buddy!
  • Improvement: You can now unlock yourself from the move login page by filling a field with your email. You’ll find the (forgotten) new login page url, and a second link to deactivate the module.
  • Improvement: The Move login will not redirect on a /404 page, but will fail with a message.
  • Fix: Remove the module file from “bad url length”, should be deleted in 1.3.1


  • 02 august 2017
  • Improvement #512: Remove the recovery email notice, you won’t need to fill this anymore
  • Improvement #507: Lighter Move Login module with less options, no .htaccess/web.config/nginx.conf modifications but more decisions and less bugs instead of endless bugs.
  • Improvement #506: Remove the scan and fix for empty user agent (not efficient enough in 2017, too many false positives)
  • Improvement #505: Remove the scan and fix for too long URLs (not efficient enough in 2017, too many false positives)
  • Improvement #488: New bad user agent (Gecko/2009032609 Firefox), thanks to Fabrice from
  • Improvement #481: Better message (less sarcastic, yes) when you lock yourself out.
  • Fix #504: On some servers, $_SERVER['SERVER_ADDR'] does not exist, well, ok.
  • Fix #502: Move login was not cool with PasswordLess
  • Fix #501: Some multisites websites could not validate their licence.
  • Fix #473: Captcha always returned “human verification fail” when autofill from browser is enabled.


  • 13 june 2017
  • New: You can now set your PRO licence key in the settings page without installing the PRO version. This will replace your free version by the PRO one, quietly.
  • Improvement #448: Better detection of user’s right for DB scan
  • Improvement #308: Sometimes after a scan (step 1), some results are still tagged as “new”, you should encounter less cases.
  • Fix #469: customize.php redirects to the login page (thanks to @wpmarmite)
  • Fix #451: Fatal error on WP <4.2.11 when sending emails
  • Fix #414: PHP7 errors


  • 18 april 2017
  • Improvement: removed the monthly plans from the “Get Pro” page and improved a few things.

  • 06 april 2017
  • Improvement #450: use a new API for the “Get Pro” page, to fetch prices.


  • 05 april 2017
  • Improvement #445: display the missing “Rate us” box in the settings page.
  • Improvements #387 and #449: changed a few things in the “Get Pro” page, mainly focused on the monthly plans.
  • Fix #447: prevented Move Login to change & characters into &amp; in filtered URLs, it may cause problems when used as a redirection target.

  • 19 march 2017
  • Fix #424: a htaccess server error appeared if you were using WP <4.7 with “readme file protection module”.


  • 16 march 2017
  • Improvement #413: improved PHP and WP version check on activation.
  • Improvement #408: improved Move Login settings. Now you HAVE to specify a new login URL: no default value anymore, no forgotten URL anymore. Also, your new URLs can be seen while you type in 🙂
  • Improvement #397: improved the theme/plugin installation/upload sub-modules: even white-listed IPs are blocked now.
  • Fix #402: in some cases, the scan testing the readme.html direct access was testing a wrong URL.
  • Fix #111: added the IP address to the hardcoded white-list. It should prevent some cron processes to be blocked (because of an empty User Agent for example).


  • 28 february 2017
  • Improvement #382: if the salt keys scan still reports problems after the MU plugin is created, it will still try to fix it.
  • Fix #282: links in email messages should now be fine.
  • Fix #170: the notice saying the .htaccess file is not writable now is displayed only if the file exists.
  • Tested with php 7.1.
  • Various small fixes and improvements.

  • 21 february 2017
  • Fix #391: whenever an IP address is banned, the message was displayed to everybody.


  • 20 february 2017
  • Improvement #370: in the scanner, each scan has now its own documentation 📖. The “Read the documentation” links can be found at step 3, the Manual Operations.
  • Improvement #357: for the “Too Long URL” protection, requests made with wp_request_***() to self are not blocked anymore.
  • Fix #373: fixed a bug that allowed a specifically forged URL to cheat the “Too Long URL” protection.
  • Fix #367: fixed a PHP notice Missing argument 2 for SecuPress_Action_Log::pre_process_action_wp_login().
  • Fix #363: fixed a possible failure on step 2 of the scanner (Auto-Fix).
  • Fix #352: revamp the whole “Auto Update” scan and protection, mainly focusing on the constant definitions.
  • Fix #347: the Twitter bird now can sing correctly.
  • Fix #343: when some scans display a message “Unable to determine…”, a link to activate manually the protection should be displaying. Some were missing.
  • Fix #329: the directory listing scan now reports a “Good” status if folders display an empty page with HTTP code 200.


  • 27 january 2017
  • Fix #355: fixed a “recursion” that caused some scans to return a “bad” status while the corresponding protections were working ¯(°_o)/¯
  • Fix #351: fixed license invalidation on multisite or multilingual sites.
  • Fix #346: fixed a PHP warning about vsprintf() in the scanner page.
  • Fix #345: don’t manipulate headers if they have been already sent.
  • Fix #313: fixed one of our easter eggs. 😬
  • Fix #256: in the wp-config.php file, don’t comment a constant that is already commented or the sky will fall.
  • Fix #46, #154, #328, #348: fixed the whole chmod scan. Some fixes made in version 1.0.3 dramagically disappeared at some point, we bring them back: chmod values are correct again, test for the web.config file is back (if applicable). In the scan result, the list of files/folders were incomplete. In the scan result, folders are not called files anymore. Test for .htaccess and web.config existence instead of testing for Apache / IIS7.


  • 18 january 2017
  • Happy new year! 🎉
  • Improvement #336: prevent a rare PHP warning: array_count_values() can only count string and integer values! that could mess with the scan results.
  • Improvement #322: CSS animations are no more on Logs page, interacting with them is now easier.
  • Fix #342: in the Malware Scan module, the “Save All Changes” button under the Directory Index option was disabled.


  • 20 december 2016
  • New: up to 12 options for you to control. Directory Index, Directory Listing, PHP modules disclosure, PHP version disclosure, WordPress version disclosure, Bad URL Access, Protect readme files, WooCommerce and WPML version disclosure, File edition constant, Unfiltered HTML constant, Unfiltered uploads constant: all these protections can now be activated and deactivated separately as needed ( ゚д゚)
  • New: some scans were slightly modified, so here is a new one that will test only the ShellShock vulnerability ヽ(´ー`)人(´∇`)人(`Д´)ノ
  • New: if a scan displays a “Not able to access your front page” message, it brings you the possibility to activate the protection anyway.
  • Improvement #118: in the scanner’s manual fixes, the “Ignore this step” button is more understandable.
  • Improvement #147: in logs and alerts, no more “UAHE”, “BUC”, or any other obscure codes when a request is blocked, only a human readable sentence.
  • Improvement #199: the User Agent blacklist is now case sensitive.
  • Improvement #274: if you use a “Coming Soon” or “Maintenance” page, manual scans have now a small drill and can get through it and will no longer trigger a “Not able to access your front page” message for this reason.
  • Improvement #286: updated the “no longer in directory” and “not updated over 2 years” plugins lists.
  • Improvement #289: the scan message related to the constant COOKIEHASH is more accurate.
  • Improvement #290: whitelisted IPs don’t trigger alerts and logs when they are not blocked.
  • Improvement #297: the checkbox to activate the protection to deny access to malicious file extensions in the uploads folder now displays rewrite rules if the configuration file is not writable.
  • Improvement #324: tell cache plugins not to cache our blocking messages nor the login pages.
  • Improvement: prevent our icons to be overridden by other plugins or themes.
  • Fix #264: the scanner related to the admin user wouldn’t fix anything in a specific case. Nothing is better than a whip sometimes.
  • Fix #265: fixed a message displayed by the chmod scan. In some cases it was speaking nonsense about files / and /.
  • Fix #281: “Ask for old password” and “Strong Passwords” are now besties ( ^^)o自自o(^^ )
  • Fix #285: typo in a IfModule (-‸ლ)
  • Fix #291: the fix related to the WordPress version disclosure ate the rewrite rules on Nginx. So we made it give them back (that was kind of scary).


  • 07 november 2016
  • Improvement #258: Remove the blog_id and website URL in the new salt keys to avoid having to log in on each website on a multisite, was just annoying.
  • Improvement #259: Better hook usage to allow any cache plugin (like WP Rocket of course) to ignore login page.
  • Improvement #195: Better Move Login rules on Nginx. And better rules in general for all modules.
  • Fix #262: Some firewall sub-modules are not working in front-end, the functions were not in the right file 😐
  • Fix #252: X-Powered by header was not hidden on Nginx. Nginx my friend…
  • Fix #250: WPML still appeared as a “bad plugin removed from repo”, well, the whitelist filter was not used.


  • 25 october 2016
  • Just prices update.


  • 22 october 2016
  • Improvement #216: The button “Ask for support” is now always present on scanner step 3.
  • Improvement + #205: typos, and missing text domain.
  • Fix #186: Add description and author to the COOKIEHASH MU plugin.
  • Fix #204: When fixing the last thing in step 3, redirect to step 4.
  • Fix #207: Table prefix fix won’t show up on step 3.
  • Fix #219: PDF Export not exporting anything, wow.
  • Fix #224: In scanner JS, HTML entities were in status text.
  • Fix #227: Notice on affected role section Undefined index: double-auth_affected_role in /inc/admin/functions/modules.php on line 555.
  • Fix #232: Bad request methods scan returned false negatives status.


  • 19 october 2016
  • New: Design revamp for modules homepage.


  • 18 october 2016
  • Fix #158 & #179: Affected roles on modules were reset to empty. I prefer a filled field.
  • Fix #159: The error message from files backup talked about DB backup. Go home!
  • Fix #178: The PasswordLess scan will now check if its module is active, and in a near future will really check for any 2FA code.
  • Fix #185: A mysterious “////” title was present in the french translation, near “WML-RPC”.
  • Fix #190: The module link in the non login time slot scan has now its # to get a correct anchor. Happy sailor.
  • Fix #191: A function was missing, so the PasswordLess scan couldn’t activate its module, now, he can and he’s happy too.
  • Fix #193: The anti-bruteforce scan always said “false” because we didn’t call him by its real name.
  • Fix #197: When one of our MU plugin was created on plugin deactivation, it triggered a fatal error, it was so fatal that we decided to remove it.


  • 07 october 2016
  • Fix #167: Possibly locked at step 1 with a fake “New scan” for readme.txt files, you’re not stuck anymore.
  • Fix #166: Various CSS improvements.
  • Fix #171: Scans related to the firewall were always returning a bad status, even if the protections were running.
  • Fix #172: The scan and the protection related to the “Bad request methods” were not accurate.
  • Fix #176: A SQL warning occurred if you didn’t have logs to delete from 1.0.4, a new IF condition has been added to prevent that.


  • 26 september 2016
  • Improvement #164: Logs are now lighter (without a flame) and can be deleted much faster (still not as fast as WP Rocket, but who can).
  • New #160: Add a filter named secupress.remote_timeout if you got too many “Pending” status in scanner, add more timeout since cUrl is not always gentle with us ><


  • 14 september 2016
  • Improvement: Commented salt keys (previously fixed) will now be deleted to avoid another error 500 case (in case of, you know).
  • Improvement: The banner button has now a better display on tiny screen.
  • Improvement: Since SecuPress is compatible with WP 3.7 and 3.8, the icons are now compatible too.
  • Improvement: Better bad user-agent blacklist, some were too current and blocked legit users.
  • Fix: User-Agent with more than 255 chars won’t be blocked anymore, too many false positive cases.
  • Fix: The recovery email can now be set even if 2 users got the same email address (don’t ask…).
  • Fix: wp-config.php file permissions were sometimes set to 064 and broke some sites when auto-fix was done.
  • Fix: The PHP version warning was marked as bad for nothing, it will now mark it correctly.


  • 02 september 2016
  • Fix: The PHP Notice: wp_enqueue_script/wp_enqueue_style called incorrectly is now called correctly and won’t disturb you anymore everywhere in your admin area.
  • Fix: The Error 500 caused by commented salt keys will not happen again.
  • Fix: We removed the “ping” keyword from the bad user-agents since “pingdom” is not so malicious, isn’t it?
  • Fix: SecuPress couldn’t fix the “admin user” scan with open registration and no admin account.
  • Fix: The TinyMCE editor is not broken anymore, you can use it normally now \o/


  • 31 august 2016
  • Improvement: Better sorting for Step 3 items.
  • Improvement: Better global wording.
  • Improvement: The fix which deletes the deactivated theme will now keep the default theme (using the PHP constant WP_DEFAULT_THEME).
  • Improvement: The fix which proposes to delete the parent theme will stop that.
  • Improvement: No more HTML tags in exported txt log files.
  • Fix: The following JavaScript Error “Uncaught ReferenceError: secupressResetManualFix is not defined in secupress-scanner.min.js” when you visit the scanner page is on vacations, forever.
  • Fix: PHP Warning in class-secupress-scan-bad-vuln-plugins.php, we won’t use $this in a static method anymore, promise.
  • Fix: Warning in class-secupress-scan-bad-vuln-plugins.php, ok this one is the last.
  • Fix: Warning in class-secupress-scan-bad-old-plugins.php my bad, this one.
  • Fix: Warning in class-secupress-scan-bad-old-plugins.php, well, it was the real last one.
  • Fix: Warning in settings.php usage of a protected method is now allowed.
  • Fix: Warning in modules.php because we called secupress_insert_iis7_nodes without the second mandatory argument.
  • Fix: The following PHP Parse error “syntax error, unexpected ‘ai’ (T_STRING) in mu-plugins/_secupress_deactivation-notice-nginx_remove_rules.php” won’t show up anymore for French users.
  • Fix: The PHP Fatal Error on activation or deactivation has been killed, not by Batman because you know.


  • 23 august 2016
  • Initial release \o/