ArmorLite is a free, lightweight WordPress security plugin built for performance. Firewall with 600+ built-in patterns, brute force protection, bot detection, security headers, and login monitoring. No bloat, no unnecessary database queries, no external API calls during normal operation.

Free Features

• Firewall — Pure PHP string-matching firewall with 600+ built-in patterns covering SQL injection, XSS, path traversal, shell access, and more. Five categories (Request URI, Query String, User Agent, Referrer, IP Address). Three matching modes: contains, ends-with, and path-only. Pattern manager with per-pattern toggle and hit counts.
• Brute Force Protection — Session-based login tracking with automatic IP lockouts after configurable failed attempts. Login activity log with IP, location, status badges, and usernames tried. 7-day log retention.
• Bot Protection — Automated bot detection for login, registration, and password reset forms using honeypot fields, timestamp validation, and JavaScript token verification. Blocks bots before they can attempt brute force attacks.
• Security Headers — Four managed headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection) with dual delivery via PHP and .htaccess. Header probe system avoids duplicates.
• IP Whitelist — Whitelist trusted IPs to bypass all security checks including brute force lockouts and firewall blocking.
• Obfuscation — Author slug randomization to prevent user enumeration and email obfuscation to protect addresses from scrapers.
• Dashboard — Real-time stats, blocks over time chart, protection status cards, and WordPress dashboard widget.
• XML-RPC & REST API Protection — Disable XML-RPC and protect the REST API from user enumeration.
• Firewall Log — View blocked requests with IP, matched rule, request URI, and timestamps. 7-day log retention.
• Tools — Health checks with database integrity verification, one-click table repair, and debug mode.

Upgrade to ArmorPro

Need more protection? ArmorPro adds:

• WAF Engine (blocks attacks before WordPress loads)
• Two-Factor Authentication (TOTP) with backup codes
• Passkey Authentication (Face ID, Touch ID, Windows Hello)
• Custom Login URL (hide wp-login.php)
• IP Blacklist with auto-blacklist for repeat offenders
• Country Blocking with GeoIP
• HSTS, Content-Security-Policy, and Permissions-Policy headers
• Email Notifications and digest summaries
• Extended log retention (90 days)
• Custom firewall patterns
• Export/import settings

Learn more about ArmorPro

External Services

This plugin connects to external third-party services in the following situations:

Anonymous Usage Data (Optional)

This plugin can optionally share anonymous usage data to help improve ArmorLite. This is disabled by default and requires explicit opt-in from the Settings page.

• When it is called: Daily heartbeat (if opted in)
• Data sent: WordPress version, PHP version, active plugin features (no personal data)
• Service: https://api.srworks.co
• Privacy: https://srworks.co/privacy

No personal data is collected or stored by this service.

Privacy Policy

ArmorLite stores the following data locally in your WordPress database:

• IP addresses of visitors who trigger security rules or attempt to log in
• Timestamps of security events
• Usernames used in login attempts

This data is stored to help you monitor and protect your website. You can clear all logs at any time from the Tools tab. When the plugin is uninstalled, all data is automatically deleted.

No visitor data is sent to external services during normal operation. Anonymous usage data sharing is optional and disabled by default.

Support

Need help with ArmorLite? Have a feature request or found a bug?

Visit our support page: https://srworks.co/contact

Credits

Firewall patterns inspired by the work of Jeff Starr at Perishable Press (https://perishablepress.com). Used under GPLv2.

Charts powered by Chart.js (https://www.chartjs.org), MIT License.

Tooltips powered by Tippy.js (https://atomiks.github.io/tippyjs), MIT License.