Aria Security Suite


This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

By Alireza Aminzadeh

Description

Aria Security Suite is a modular, production-ready security plugin for WordPress. It delivers enterprise-level protection layers that work standalone on your server — and can optionally connect to your own Enterprise Security API for centralized WAF decisions, integrity checks, and reporting.

Built with clean PHP architecture (PSR-4), a modern AJAX admin experience, and privacy-first defaults: no outbound calls until you configure and enable each feature.

Why Aria Security Suite?

  • All-in-one protection — firewall, login hardening, malware scanning, honeypots, session control, and live traffic monitoring in one plugin.
  • Zero performance penalty — heavy scans and log sync run in the background via WP-Cron or Action Scheduler.
  • Privacy by design — cloud API, Cloudflare, geo lookups, vulnerability scanning, and webhooks are opt-in only.
  • Actionable security score — grades your site A–F with clear recommendations.
  • Developer-friendly — modular codebase, REST API endpoints, HMAC-signed API client, and GPL-licensed.

Setup & Dashboard

  • 3-step Onboarding Wizard — choose Basic, Medium, or Strict presets in seconds.
  • Security Grade Score (0–100) — real-time posture analysis with actionable tips.
  • Dashboard Widget & Admin Bar — security status at a glance from any admin screen.
  • Modern AJAX UI — fast, reload-free settings with responsive design.

Login & Authentication

  • Hide Login Page — replace wp-login.php with a custom secret URL.
  • Passwordless Login (Magic Links) — secure email-based one-time login tokens.
  • Two-Factor Authentication (2FA) — API-integrated second factor for admin accounts.
  • Session Manager — view and remotely destroy active sessions across devices.
  • Device Fingerprinting — recognize trusted admin devices.
  • Brute-Force Protection — rate limiting and automatic IP bans on failed logins.

Firewall & Network (WAF)

  • Web Application Firewall — local rules plus optional offload to Enterprise API.
  • Cloudflare Integration — push banned IPs to Cloudflare edge firewall (CDN level).
  • Geo-Blocking — block traffic by country with 24-hour local IP cache.
  • PHP Execution Blocker — prevent PHP execution in uploads via .htaccess / web.config.
  • User-Agent Filtering — block known malicious bots and scanners.
  • XML-RPC Control — disable xmlrpc.php to stop pingback and brute-force vectors.

Scanners & Integrity

  • Heuristic Malware Scanner — background scan for suspicious patterns (eval, base64_decode, obfuscated code).
  • File Integrity Monitor — detect unauthorized changes to core WordPress files.
  • Hash Scanner — verify file hashes against known-good baselines.
  • Vulnerability Scanner — optional cloud comparison of installed plugin versions (explicit opt-in).

Spam & Intrusion Prevention

  • Invisible Honeypots — registration, comments, login, and Contact Form 7 — no CAPTCHA needed.
  • Behavioral Analysis — detect anomalous request patterns.
  • Global Ban Sync — share ban lists when connected to Enterprise API.

Monitoring, Logging & Alerts

  • Live Traffic Monitoring — real-time request log with IP, path, status codes, and user-agents (Wordfence-style).
  • SQL Query Analyzer — surface slow or suspicious database queries.
  • Log Rotation — automatic cleanup with configurable retention.
  • Webhooks — instant alerts to Slack, Telegram, or custom JSON endpoints.
  • Central Reporting — signed log export to your Enterprise API.
  • Encrypted Backup Requests — trigger cloud backups from the admin panel.

Hardening & Headers

  • Security Headers — CSP, X-Frame-Options, X-Content-Type-Options, and more.
  • Table Prefix Advisor — guidance for safer database prefixes.
  • Crypto Vault — secure storage for API secrets and sensitive options.

Optional Enterprise API

Connect your own API endpoint for WAF offload, heartbeat health checks, hash verification, ban reporting, quota lookups, and vulnerability intelligence. Credentials are stored encrypted; every request is signed with HMAC-SHA256.

Developers: Alireza Aminzadeh · syeedalireza
Websites: aryait.net · ariacoder.ir

External services

This plugin may connect to third-party or external services only when you explicitly enable and configure the related feature. No outbound tracking or data collection occurs by default.

Enterprise Security API (optional)

When you enter an API Base URL, Site ID, and Secret Key under API & Connection, the plugin can send signed requests to your configured Enterprise Security API for features such as WAF decisions, heartbeat health checks, hash integrity verification, ban reporting, quota lookups, and (if opted in) vulnerability scanning.

Data sent: Request metadata (IP, path, HTTP method, user-agent, query parameter names), security event logs, file hashes, and—only when the Vulnerability Scanner opt-in is enabled—installed plugin slugs and versions.

When: Only after credentials are saved and the relevant feature is turned on. Heartbeat runs on WP-Cron when the API is configured. Plugin inventory is sent only when the Vulnerability Scanner opt-in is enabled.

Service provider: Your own Enterprise Security API endpoint (URL you provide). You are responsible for that service’s terms and privacy policy.

Cloudflare API (optional)

When Cloudflare integration is enabled and you provide a Zone ID and API token, the plugin calls the Cloudflare API to create firewall access rules that block malicious IP addresses at the CDN edge.

Data sent: IP addresses of blocked visitors and a short note identifying the block source.

When: Only after you enable Cloudflare integration and supply credentials, and only when a local security rule triggers an IP ban.

Service provider: Cloudflare, Inc. — Terms of Use, Privacy Policy.

ip-api.com (optional)

When Geo-Blocking is enabled and you configure blocked countries, the plugin queries ip-api.com to resolve a visitor’s country code from their IP address.

Data sent: The visitor’s IP address.

When: Only when Geo-Blocking is enabled, a country block list is configured, and the country for an IP is not already cached locally (results are cached for 24 hours).

Service provider: ip-api.com — Terms & Legal, Privacy Policy.

User-configured webhooks (optional)

When you add Slack, Telegram, or generic webhook URLs under Alerts & Notifications, the plugin POSTs JSON alert payloads to those URLs when security events occur.

Data sent: Alert severity, message text, and contextual fields (e.g., IP address, event type).

When: Only after you save a webhook URL and a qualifying security event fires.

Service provider: The third-party service behind the URL you provide (e.g., Slack, Telegram). See their respective terms and privacy policies.

Installation

  1. Upload the aria-security-suite folder to /wp-content/plugins/.
  2. Activate the plugin through the Plugins menu in WordPress.
  3. Complete the Onboarding Wizard (opens automatically on first activation).
  4. Review your Security Score on the dashboard and apply recommended fixes.
  5. (Optional) Enter API Base URL, Site ID, and Secret Key under Connection & API for cloud features.

MU-Plugin early load (optional)

Copy extras/aria-security-suite-mu-loader.php to wp-content/mu-plugins/ to load protection before regular plugins. Do not activate the plugin twice.

Action Scheduler (recommended)

For more reliable background jobs than WP-Cron alone:

composer require woocommerce/action-scheduler

FAQ

Does this plugin slow down my site?

No. Malware scanning, log synchronization, and integrity checks run in the background using WP-Cron or Action Scheduler. Your front-end TTFB is unaffected.

Is my data sent anywhere without permission?

No. Remote API calls, vulnerability scanning, Cloudflare blocking, geo lookups, and webhooks are all opt-in and remain off until you configure and enable them.

How does Cloudflare integration work?

When the local firewall detects a malicious IP (brute-force, honeypot trigger, etc.), it can automatically push a block rule to Cloudflare — but only if you have enabled integration and provided API credentials.

What if I forget my hidden login URL?

Rename the plugin folder via FTP/SFTP to disable it, or look up the ariasesu_hide_login_slug option in the wp_options table.

Does it work without the Enterprise API?

Yes. Firewall, hide login, honeypots, malware scanner, session manager, traffic monitoring, and most features work fully standalone.

Is it compatible with multisite?

The plugin is designed for single-site installs. Multisite support may be added in a future release.

How is the Security Score calculated?

The score analyzes enabled protections (2FA, hide login, headers, firewall rules, etc.) and known misconfigurations, then maps the result to a letter grade A–F.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Aria Security Suite” is open source software. The following people have contributed to this plugin.

Contributors
  • Alireza Aminzadeh


Changelog

1.2.5

  • Initial public release on WordPress.org Plugin Directory.
  • Updated readme and documentation for repository guidelines.
  • Tested up to WordPress 6.7.

1.2.4

  • Updated: Tested up to WordPress 6.7.

1.2.3

  • Fixed: Vulnerability scanner no longer phones home unless API is configured and the feature is explicitly opted in (off by default).
  • Fixed: Removed writing .htaccess into wp-includes (WordPress.org policy).
  • Fixed: Input sanitization for $_SERVER and admin proxy header settings.
  • Fixed: Correct WordPress directory APIs (WP_PLUGIN_DIR, get_theme_root(), wp_upload_dir()).
  • Added: composer.json included in plugin distribution package.
  • Added: External services documentation in readme.
  • Added: Dedicated honeypot login stylesheet (no inline CSS).
  • Improved: API client refuses requests when credentials are not configured.
  • Improved: Admin and front-end UI styles moved from inline markup to enqueued CSS files.

1.2.2

  • Fixed: WordPress Plugin Check compliance — database queries now use safe table-name concatenation instead of interpolated placeholders.
  • Fixed: Global variable prefixes in uninstall routine aligned with plugin naming conventions.
  • Improved: Distribution packaging excludes development-only files.

1.2.1

  • Maintenance and stability improvements.

1.2.0

  • Added: Live Traffic Monitoring dashboard.
  • Added: Security Score grading system.
  • Added: Dashboard Widget and Admin Bar integration.
  • Added: AJAX-based 3-step Onboarding Wizard.
  • Added: Hide Login Page, Passwordless login, Session Management.
  • Added: Heuristic Malware Scanner, Cloudflare integration, Geo-blocking.
  • Added: PHP execution blocking in uploads, Contact Form 7 honeypot.
  • Updated: Modern AJAX admin UI.

1.1.0

  • Initial release of the Enterprise API Client.
  • WAF offload, HMAC signing, Hash scanner, Remote Logging.

Meta

  • Version 1.2.5
  • Last updated 7 hours ago
  • Active installations Fewer than 10
  • WordPress version 6.2 or higher
  • Tested up to 6.7.5
  • PHP version 7.4 or higher
  • Tags: firewall, login, malware scanner, security, two factor
