For over 9 years Security Ninja has helped thousands of site owners like you to feel safe. Run 50+ security tests in an instant & discover issues you didn’t even know existed. Help yourself now with Ninja’s simplicity & ease of use.
NEW: Vulnerability scanner – Warns you if you have plugins with known vulnerabilities installed.
Automatically block 600+ million bad IPs with one click! Security Ninja Pro Cloud Firewall will help you stay one step ahead of bad guys by using the collective know-how of millions of attacked sites, and ban bad guys before they even open your site.
Read more about Pro features on the Security Ninja website
- perform 50+ security tests with one click
- Security Ninja does not make any changes – it’s your site, you have full control
- check your site for security vulnerabilities, issues & holes
- take preventive measures against attacks
- don’t let script kiddies hack your site
- prevent 0-day exploit attacks
- optimize and speed-up your database
- every test is explained, documented and instructions provided on how to fix problems
- tests include:
  - brute-force attack on user accounts to test password strength
  - numerous installation parameters tests
  - file permissions
  - version hiding
  - 0-day exploits tests
  - debug and auto-update modes tests
  - database configuration tests
  - Apache and PHP related tests
  - WP options tests
- complete list of tests:
  - Check if WordPress core is up to date
  - Check if automatic WordPress core updates are enabled
  - Check if plugins are up to date
  - Check if there are deactivated plugins
  - Check if active plugins have been updated in the last 12 months
  - Check if active plugins are compatible with your version of WP
  - Check if themes are up to date
  - Check if there are any deactivated themes
  - Check if full WordPress version info is revealed in page’s meta data
  - Check if readme.html file is accessible via HTTP on the default location
  - Check if license.txt file is accessible via HTTP on the default location
  - Check if REST API links are displayed in page’s meta data
  - Check the PHP version
  - Check the MySQL version
  - Check if server response headers contain detailed PHP version info
  - Check if expose_php PHP directive is turned off
  - Check if user with username “admin” and administrator privileges exists
  - Check if “anyone can register” option is enabled
  - Check user’s password strength with a brute-force attack
  - Check for display of unnecessary information on failed login attempts
  - Check if database table prefix is the default one
  - Check if security keys and salts have proper values
  - Check the age of security keys and salts
  - Test the strength of WordPress database password
  - Check if general debug mode is enabled
  - Check if the debug.log file exists
  - Check if database debug mode is enabled
  - Check if JavaScript debug mode is enabled
  - Check if display_errors PHP directive is turned off
  - Check if WordPress installation address is the same as the site address
  - Check if wp-config.php file has the right permissions (chmod) set
  - Check if install.php file is accessible via HTTP on the default location
  - Check if upgrade.php file is accessible via HTTP on the default location
  - Check if register_globals PHP directive is turned off
  - Check if PHP safe mode is disabled
  - Check if allow_url_include PHP directive is turned off
  - Check if plugins/themes file editor is enabled
  - Check if uploads folder is browsable by browsers
  - Test if user with ID “1” and administrator role exists
  - Check if Windows Live Writer link is present in pages’ header data
  - Check if wp-config.php is present on the default location
  - Check if MySQL server is connectable from outside with the WP user
  - Check if EditURI link is present in pages’ header data
  - Check if TimThumb script is used in the active theme
  - Check if the server is vulnerable to the Shellshock bug #6271
  - Check if the server is vulnerable to the Shellshock bug #7169
  - Check if admin interface is delivered via SSL
  - Check if MySQL account used by WordPress has too many permissions
  - Test if a list of usernames can be fetched by looping through user IDs on http://siteurl.com/?author={ID}
  - Check if server response headers contain Strict-Transport-Security
  - Check if server response headers contain X-XSS-Protection
  - Check if server response headers contain X-Frame-Options
  - Check if server response headers contain X-Content-Type-Options
  - Check if server response headers contain Content-Security-Policy
  - Check if server response headers contain Referrer-Policy
  - Check if server response headers contain Feature-Policy
  - Check for unwanted files in your root folder you should remove
Security Ninja PRO has extra features: Firewall, Block Suspicious Page Requests, Country Blocking, Core Scanner, Malware Scanner, Auto Fixer for some of the tests, Events Logger & Scheduled Scans.
An all-in-one security solution for any site. With premium support and continuous updates, Security Ninja Pro is a perfect tool to keep your site safe. See what the PRO version offers
Add your suggestions to the public roadmap or vote for your favorite new feature.
Installing from WordPress
- Open WordPress admin, go to Plugins, click Add New
- Enter “Security Ninja” in search and hit Enter
- Plugin will show up as the first on the list, click “Install Now”
- Activate & go to Tools – Security Ninja to make your site more secure
Installing Manually
- Download the plugin.
- Unzip it and upload to wp-content/plugins/
- Open WordPress admin – Plugins and click “Activate” next to the plugin
- Activate & go to Security Ninja to make your site more secure
Who is this plugin for?
For anyone who wants to make their site more secure and prevent downtime due to hackers.
Will this plugin slow my site down?
Absolutely not. You may experience a slight slowdown while tests are being run, but that takes less than a minute.
Will it work on my theme?
Sure! Security Ninja works with all themes.
What changes will Security Ninja make to my site?
None! Security Ninja will just give you the test results and suggest corrective measures with precise instructions. It will not make any changes to your site.
Is this plugin safe to use?
Of course. It’s a reporting-only tool. It doesn’t make any changes to your site.
Is this plugin legal to use?
Yes. It’s your site; you can do whatever you want with it. Running tests on other people’s sites is illegal, but Security Ninja can only perform tests on the WordPress site it’s installed on.
It’s not working!!! Arrrrrrrrr
We did our very best to make Security Ninja compatible with all plugins and themes, but problems can still happen. Here are a few places to get help:
You can also check out the community support – head over to the support forum, open a new thread, and we’ll help you ASAP.
“Security Ninja – WordPress Security Plugin” is open source software. The following people have contributed to this plugin.
5.103
- 2020/05/06
- Updated malware scanner patterns – Thank you Cathal for submitting sample.
- Update: Showing when malware patterns were last updated on malware tab.
- Fix: Layout of suggestions under “Details” was improved.
- Fix: Bug where results for “Check if active plugins are compatible with your version of WP” were empty – Thank you @lsbk
- 161,873 downloads
5.102
- 2020/04/29
- Updated list of vulnerable plugins.
- Added more user agents to block – Thank you Laurent.
- Fixed bug with importing settings – Thank you Thomas.
- Tested up to newly released WP 5.4.1
- 159,186 downloads
5.101
- 2020/04/19
- Downgrade IP2location library to 8.1.1 – Fixes problem with library requiring PHP 7.1
- 156,477 downloads
5.100
- 2020/04/18
- Fix: Removed syslog logging to file. Many users had problems with the
- Improved welcome page for new installations.
- Improved layout on settings page, fixing markup mistakes.
- Updated language files.
- Code cleanup and security hardening.
- 155,476 downloads
5.99
- 2020/04/13
- Added Nginx examples to security headers – Thank you Dzul.
- Security hardening.
- PRO: Event logging can now be turned on and off – Thank you Matt.
- 153,294 downloads
5.98
- 2020/04/08
- Security hardening the automatic fixers.
- Added name to vulnerability warning.
- Added warning to “Check if database table prefix is the default one” test – Thank you Martin.
- Reworked the fix for changing database table prefix. Thank you Martin.
- 151,318 downloads
5.97
- 2020/03/13
- Fix: The “filter test by status” not working properly if status changed. If you ran a test, fixed a failed test and ran again, the test would not change status.
- Fix: Removed the “pointer” introduction in favor of the new “welcome page” for new users.
- Added a link to the welcome page in the sidebar if you want to view it.
- Vulnerabilities: More details for each vulnerability.
- 147,072 downloads
5.96
- 2020/03/08
- NEW: Quick filter tests – Failed tests, tests with warnings or those tests that are OK.
- NEW: Quickly see how many vulnerabilities you have in the tab view.
- Improved admin view layout and styling.
- Vulnerabilities – Easier to visually scan recommendations – hiding clutter in interface.
- Fix – PHP Notice in some cases – Thank you Mike 🙂
- 144,961 downloads
5.95
- 2020/03/06
- Added more details to the wp-config.php test – Thanks @lsbk.
- Work on following WordPress Coding Standards.
- Minor change in the WP constants test.
- Moved the malware definitions API to a faster location.
- Code cleanup.
- Plugin has been tested up to WordPress 5.4
- 143,732 downloads
5.94
- 2020/03/05
- FIX: Security Tests – Fixed the test for wp-config.php file permissions – thank you @lsbk 🙂
- Updated language files.
- Work on following WordPress Coding Standards.
- 142,778 downloads
5.93
- 2020/03/04
- FIX: Fatal error happened in some situations – “Call to undefined method”.
- Improved the welcome page.
- 141,800 downloads
5.92
- 2020/03/02
- NEW: Plugin onboarding – welcome page for new users.
- Fix: PHP notice when blocking some visitors.
- Security hardening and working on WordPress coding standards.
- 140,243 downloads
5.91
- 2020/02/22
- Fix: Vulnerability warning did not load properly on all admin pages.
- Fix: “Thank you for installing” pointer was reset when updating. Thank you Thomas for helping get this fixed.
- Code cleanup.
- Updated language files.
- 137,665 downloads
5.90
- 2020/02/19
- New: Sitewide warnings for when vulnerabilities are detected. Warnings can be dismissed for 24 hours.
- Security Tests: Added more dangerous filenames to look for.
- More code refactoring to follow WordPress Standards.
- 136,037 downloads
5.89
- 2020/02/17
- Code cleanup – Removing unused code.
- Refactoring code to better follow WordPress Standards.
- 134,362 downloads
5.88
- 2020/02/13
- NEW: Quick overview Dashboard Widget – Get a quick overview of your security status.
- Improvement – Load required composer component libraries with a unique namespace to prevent clashes with other plugins including same libraries.
- Fix: Cloud Firewall – Error saving GeoIP in WordPress Multisite configuration. Thank you Roy.
- Updated language files.
- 132,555 downloads
5.87
- 2020/02/07
- NEW: Test for “Referrer-Policy” security header. Thank you Jonathan.
- NEW: Test for “Feature-Policy” security header. Thank you Jonathan.
- Fix: The instructions to completely disable XML-RPC were wrong, thank you Ivan for spotting this!
- Fix: Typos in some of the security header test descriptions and details.
- Fix: Not using whitelabel name in emails. Thank you Ivan.
- Fix: Only load pointers if the whitelabel feature is not enabled. Thank you Ivan.
- Tightening and optimizing code.
- Updated language file.
- 130,473 downloads
5.86
- 2020/02/05
- New: Check if the debug.log file exists and advise how to block it.
- New: Check if the REST API is enabled. Thank you Cuong.
- New: More details about what went wrong if a test fails.
- Fix: If opening the details window for a test that had not been run yet, the spinner kept looping forever.
- Fix: Some completed tests might have extra details, and they were missing.
- Fix: Not removing all settings when deactivating the plugin.
- Typo – “incompatibile” -> “incompatible”.
- 128,964 downloads
5.85
- 2020/02/02
- New: See when a test was last run and for how long when you click the corresponding “Details” button.
- Improvement: Do not remove settings when deactivating plugin temporarily, remove when uninstalling plugin. Thank you Cuong.
- Improvement: Added polyfill for BC Math PHP extension, which might not be installed by default in all server configurations.
- 127,333 downloads
5.84
- 2020/01/30
- Testing: Security test rewrite – Testing is much faster now.
- Testing: You can now select individual tests to run.
- Testing: Live updates, no page refresh needed.
- Fix: Updated firewall country blocking to work with IP2Location, replacing MaxMind’s GeoLite2.
- Fix: WordPress Export tool blocked when username enumeration block was enabled. Thank you Cuong.
- Fix: Minor warnings in HTML output on Whitelabel tab.
- 125,794 downloads
5.83
- 2020/01/28
- Fixed wording in the two tests for the Shellshock bug. Thank you Ivan.
- New email template for issues with Outlook email rendering.
- 124,228 downloads
5.82
- 2020/01/23
- Vulnerability list now also checks WordPress version and shows known vulnerabilities.
- Vulnerability scanner: Improved recommendations and visuals.
- 122,400 downloads
5.81
- 2020/01/20
- Improved Vulnerabilities module.
- 120,713 downloads
Entire changelog can be seen here: changelog