MJP Security Tools is a plugin designed to fix a lot of WordPress security issues, as well as providing extra support.
| Author: | zackdesign (profile at wordpress.org) |
| WordPress version required: | 6.0 |
| WordPress version tested: | 6.9.1 |
| Plugin version: | 2.0.0 |
| Added to WordPress repository: | 07-06-2010 |
| Last updated: | 23-02-2026 |
| Rating, %: | 0 |
| Rated by: | 0 |
| Plugin URI: | https://zackdesign.biz/ |
| Total downloads: | 2 862 |
| Active installs: | 10+ |
MJP Security Tools is a focused hardening plugin that does four things well:
- XSS Database Scanner — scans every table for `<script>`, `<iframe>`, `onclick`, `javascript:` and other injection patterns
- POST Request Log — records all POST data (passwords masked) with IP, user agent, and URL for CSRF/audit detection
- Failed Login Log — tracks every failed login attempt with username, IP, and timestamp
- File Permission Checker — verifies WordPress root files and directories have safe permissions, checks for missing `index.html` files and SVN working copies
What this plugin does NOT do (because WordPress core already handles it):
- SSL enforcement — use `FORCE_SSL_ADMIN` or let WordPress 5.7+ auto-redirect
- Password strength — WordPress core enforces strong passwords since 4.3
- Login rate limiting — use a dedicated plugin like Limit Login Attempts Reloaded
- Version number hiding — marginal benefit, not worth the complexity
Upgrading from v1.x:
- The admin page has moved from jQuery UI tabs to native WordPress nav tabs
- SSL forcing, password enforcement, login throttling, version hiding, admin username changing, database prefix randomization, password reset, and .htaccess generation have been removed — WordPress core and dedicated security plugins handle these better
- PHP sessions replaced with WP transients for flash messages
- Log data is now stored as JSON instead of serialized PHP
- The Javacrypt client-side crypt(3) script has been removed
