Security Ninja – Secure Firewall & Secure Malware Scanner


This plugin can be downloaded for free without any paid subscription from the official WordPress repository.

Get started in minutes:

For over 10 years Security Ninja has helped thousands of site owners like you to feel safe. Run 50+ security tests in an instant & discover issues you didn’t even know existed. Help yourself now with Ninja’s simplicity & ease of use.

NEW: Vulnerability scanner – Warns you if you have known vulnerabilities on your website.

Automatically block 600+ million bad IPs with one click! Security Ninja Pro Cloud Firewall will help you stay one step ahead of bad guys by using the collective know-how of millions of attacked sites, and ban bad guys before they even open your site.

Read more about Pro features on the Security Ninja website


  • MainWP – The MainWP Dashboard allows administrators to manage many WordPress websites from a central location.

Install the FREE Security Ninja for MainWP Extension to get an overview of all websites you have installed Security Ninja on!

Security Ninja For MainWP

Security Tests for your website

  • Vulnerability scanner – warns you of any known vulnerabilities on your website!
  • Perform 50+ security tests with one click
  • Security Ninja does not make any changes – it’s your site, you have full control
  • check your site for security vulnerabilities, issues & holes
  • take preventive measures against attacks
  • don’t let script kiddies hack your site
  • prevent 0-day exploit attacks
  • optimize and speed-up your database
  • every test is explained, documented and instructions provided on how to fix problems
  • tests include:
    • brute-force attack on user accounts to test password strength
    • numerous installation parameters tests
    • file permissions
    • version hiding
    • 0-day exploits tests
    • debug and auto-update modes tests
    • database configuration tests
    • Apache and PHP related tests
    • WP options tests
  • complete list of tests:
    • Check if Application Passwords feature is enabled (new to WP 5.6)
    • Check if WordPress core is up to date
    • Check if automatic WordPress core updates are enabled
    • Check if plugins are up to date
    • Check if there are deactivated plugins
    • Check if active plugins have been updated in the last 12 months
    • Check if active plugins are compatible with your version of WP
    • Check if themes are up to date
    • Check if there are any deactivated themes
    • Check if full WordPress version info is revealed in page’s meta data
    • Check if readme.html file is accessible via HTTP on the default location
    • Check if license.txt file is accessible via HTTP on the default location
    • Check if REST API links are displayed in page’s meta data
    • Check the PHP version is up to date
    • Check the MySQL version
    • Check if server response headers contain detailed PHP version info
    • Check if expose_php PHP directive is turned off
    • Check if user with username “admin” and administrator privileges exists
    • Check if “anyone can register” option is enabled
    • Check user’s password strength with a brute-force attack
    • Check for display of unnecessary information on failed login attempts
    • Check if database table prefix is the default one
    • Check if security keys and salts have proper values
    • Check the age of security keys and salts
    • Test the strength of WordPress database password
    • Check if general debug mode is enabled
    • Check if the debug.log file exists
    • Check if database debug mode is enabled
    • Check if JavaScript debug mode is enabled
    • Check if display_errors PHP directive is turned off
    • Check if WordPress installation address is the same as the site address
    • Check if wp-config.php file has the right permissions (chmod) set
    • Check if install.php file is accessible via HTTP on the default location
    • Check if upgrade.php file is accessible via HTTP on the default location
    • Check if register_globals PHP directive is turned off
    • Check if PHP safe mode is disabled
    • Check if allow_url_include PHP directive is turned off
    • Check if plugins/themes file editor is enabled
    • Check if uploads folder is browsable by browsers
    • Test if user with ID “1” and administrator role exists
    • Check if Windows Live Writer link is present in pages’ header data
    • Check if wp-config.php is present on the default location
    • Check if MySQL server is connectable from outside with the WP user
    • Check if EditURI link is present in pages’ header data
    • Check if TimThumb script is used in the active theme
    • Check if the server is vulnerable to the Shellshock bug #6271
    • Check if the server is vulnerable to the Shellshock bug #7169
    • Check if admin interface is delivered via SSL
    • Check if MySQL account used by WordPress has too many permissions
    • Test if a list of usernames can be fetched by looping through user IDs on{ID}
    • Check if server response headers contain Strict-Transport-Security
    • Check if server response headers contain X-XSS-Protection
    • Check if server response headers contain X-Frame-Options
    • Check if server response headers contain X-Content-Type-Options
    • Check if server response headers contain Content-Security-Policy
    • Check if server response headers contain Referrer-Policy
    • Check if server response headers contain Feature-Policy
    • Check for unwanted files in your root folder you should remove

Security Ninja PRO has extra features: Firewall, Block Suspicious Page Requests, Country Blocking, Core Scanner, Malware Scanner, Auto Fixer for some of the tests, Events Logger & Scheduled Scans.

An all-in-one security solution for any site. With premium support and continuous updates Security Ninja Pro is a perfect tool to keep your site safe. See what the PRO version offers


Try out the Pro version on your own FREE test site: Click here =>

What others say about the plugin

License info


  • Fast & easy to understand interface
  • Security Ninja test results are simple and easy to read
  • Every test has a detailed explanation and instructions on how to fix the problem
  • Vulnerable plugins list with details and recommendations – prevent known problems in plugins.


Installing from WordPress

  1. Open WordPress admin, go to Plugins, click Add New
  2. Enter “Security Ninja” in search and hit Enter
  3. Plugin will show up as the first on the list, click “Install Now”
  4. Activate & go to Tools – Security Ninja to make your site more secure

Installing Manually

  1. Download the plugin.
  2. Unzip it and upload to wp-content/plugins/
  3. Open WordPress admin – Plugins and click “Activate” next to the plugin
  4. Activate & go to Security Ninja to make your site more secure


Who is this plugin for?

For anyone who wants to make their site more secure and prevent downtime due to hackers

Will this plugin slow my site down?

Absolutely not. You may experience a slight slow down while tests are being run but that takes less than a minute.

Will it work on my theme?

Sure! Security Ninja works with all themes.

What changes will Security Ninja make to my site?

None! Security Ninja will just give you the test results and suggest corrective measures with precise instruction. It will not make any changes to your site.

Is this plugin safe to use?

Of course. It’s a reporting-only tool. It doesn’t make any changes to your site.

Is this plugin legal to use?

Yes. It’s your site; you can do whatever you want with it. Running tests on other people’s sites is illegal, but Security Ninja can only perform tests on the WordPress site it’s installed on.

It’s not working!!!

We did our very best to make Security Ninja compatible with all plugins and themes, but problems can still happen.

Check out the community support – head over to the support forum, open a new thread, and we’ll help you ASAP.



Contributors & Developers

“Security Ninja – Secure Firewall & Secure Malware Scanner” is open source software. The following people have contributed to this plugin.


“Security Ninja – Secure Firewall & Secure Malware Scanner” has been translated into 7 locales. Thank you to the translators for their contributions.




  • Fixed: Resolved an issue where the installation date display error occurred if the initial date saving process was unsuccessful. Special thanks to Alberto for highlighting this.


  • Enhancement: Now meticulously tracking each user’s last login moment without depending on previously stored session data. Thank you Kittipot.
  • Improvement: Streamlined events log by retaining only IP addresses and User Agent details for logged-in users.
  • Fix: Sometimes not saving firewall settings properly. Thank you Ben.
  • Fix: Removed – Some unnecessary JavaScript was loaded outside of the plugin admin pages. Thank you Lars.
  • Update Freemius SDK to 2.6.2
  • Added IP in sidebar for firewall events.


  • Fix for the “Check if REST API is enabled”. Thank you Dorel.


  • Improved MainWP integration for MainWP users.
  • Improved integration with SN Vulnerability API server – GZ compression.
  • Improved “Remove unwanted files” fix to look for and delete even more files.
  • Fix for exporting – Thank you Dorel.
  • Fix for “Username enumeration” test – Thank you Dorel.
  • Added 10+ knowledgebase articles on
  • Updated 3rd party libraries.


  • Update the events log pruning routines.
  • Code cleanup


  • FIX: Clicking “Details” button in the events log. Now you can see all details properly. Thank you Tom.


  • Fix for ‘undefined array’ – related to the newly introduced feature where you can change the login error message. Thank you Tom.
  • Fix for emails sent out by vulnerability module even if you had no vulnerabilities.


  • Fix for compatibility with “Stop Spammers Security | Block Spam Users, Comments, Forms” – Thank you @bobf000.


  • Fix – Vulnerability folder creation bug on some installations. Result was that some users could not download vulnerabilities first time the function ran.
  • New: Change the message shown to users when they fail to log in. Default “Something went wrong”


  • Major Update with many improvements
  • New Feature: Users page – Show last time a user logged in. Help identify inactive users. Go to “Users” and check the added column “Last Login”.
  • New: Added inline HelpScout beacon help for free users.
  • Improvement: Better email warnings with more details for any detected vulnerabilities.
  • Improvement: The plugin no longer stores vulnerabilities in the database; it saves them to a local file instead. This lowers memory usage and improves overall speed.
  • Improvement: The events log now loads after pageload, and makes searching the log much easier and faster.
  • FIX: Upgrade from free to premium error – Fatal error “Cannot redeclare”
  • Improvement: Added details in sidebar for firewall activities.
  • WordPress 6.3.2 compatibility.
  • Improvement: Trimming backup folder /sn-backups/ monthly to keep only latest 15 backups.
  • Fix: Some autofixes not working correctly.
  • Fix: Missing help beacon for some users. Also, we just added over 100+ articles to the inline help.
  • Updated 3rd party libraries.


  • Fix: “Check if Application Passwords are enabled” gave a warning even though the function was disabled. Thank you @tischtennis


  • More details for debugging API connection issues.
  • Visitor log visual updates.
  • Updated Freemius SDK to 2.5.7


  • Hotfix for referencing a wrong class name after moving to PHP namespaces in 5.157


  • Speed: Plugin options are no longer autoloaded. Older users might notice an improvement in website speed – Thank you Parag.
  • Fix: When deleting an unwanted file via Core Scanner, the message reported an error even when file was successfully deleted.
  • Fix: Malware scan could fail due to unexpected output in JavaScript.
  • Improved visual layout problem in Events Logger.
  • Improved visual layout in the visitor log
  • General code improvements and cleaning.
  • Worked on PHP 8.2 compatibility – almost complete.


  • Checked WP 6.2 compatibility
  • Updated Freemius SDK to 2.5.6


  • NEW: Added details about blocked visitors on dashboard widget.
  • FIX: Notice that incorrectly detected low memory on systems with no memory limit set (-1)
  • FIX: Warning notices regarding undefined array keys in the event logger. Thank you Jean-Claude 🙂


  • FIX: PHP warning the first time the settings in the vulnerabilities module were updated.
  • Updated the “Application Passwords” test to include info on how to disable the feature. Thank you @lsbk 🙂
  • New: More details in email report, user IP and improved layout. Thank you Kevin for the suggestion.
  • New: You can now email events log reports to more than one recipient. Thank you Kevin.


  • FIX: The two Shellshock tests would fail on some servers. Thank you Jeroen and Oliver.
  • FIX: A bug in the visitor log details when there is a lot of info to display.
  • FIX: The “Enable background plugin updates” notice was shown everywhere. Thank you Ian for pointing out.
  • Enable background plugin updates notice is now hidden forever when dismissed.
  • Change default time to store visitors to 7 days (much better for big sites with a lot of traffic)
  • Fix bug that caused unexpected test results to show up.
  • FIX: Remove unused code for plugins not updated for a while. Thank you.
  • “Outdated plugins” module completely removed for now to be reworked.
  • FIX: Scheduled Scanner tests with Core Scanner sometimes failed. Error found and fixed.
  • Updated language files for translators, thank you 🙂


  • Fix for not cleaning up old files when downloading vulnerable plugin list. Thank you @michaing.
  • Fix for visitor log not working properly on some installations. Thank you Jean-Claude.
  • Fix for bug in events logger related to comments. Thank you Thomas.
  • Fix for descriptions not showing properly for some vulnerabilities.
  • Upgrading phpseclib/phpseclib (2.0.40 => 2.0.41)
  • Language files updated.

Entire changelog can be seen here: changelog