Title: FP Site Security
Author: Joseph Mendez
Published: June 16, 2026
Last modified: June 16, 2026

---


![](https://ps.w.org/firstpage-site-security/assets/banner-772x250.png?rev=3574077)

![](https://ps.w.org/firstpage-site-security/assets/icon-256x256.png?rev=3574077)

# FP Site Security

 By [Joseph Mendez](https://profiles.wordpress.org/joshme21/)

[Download](https://downloads.wordpress.org/plugin/firstpage-site-security.1.0.8.zip)


## Description

FP Site Security is a self-contained WordPress security plugin. It runs entirely
on your own site — no external dashboards, no license servers, no cloud sync.

Features:

 * Login protection — brute-force lockout, optional TOTP two-factor authentication
 * Firewall — built-in rules and request blocking
 * DDoS rate limiting
 * Near-real-time malware scanning with signature and heuristic detection
 * File integrity monitoring
 * Optional WordPress.org checksum verification
 * Optional outdated plugin/theme/core checks
 * Quarantine and guided cleanup
 * Local + scheduled backups
 * Activity log and reports
 * Admin email alerts

### External services

This plugin connects to a small number of third-party services. All of them are 
optional and only contacted when you turn them on, supply credentials, or opt in
to a feature that explicitly depends on that service.

**WordPress.org (checksum and update verification, optional)** — Only contacted
if you enable WordPress.org verification lookups in the plugin settings. When enabled,
the plugin requests WordPress core checksums and update metadata from `api.wordpress.org`.
No personal data is sent. WordPress.org Privacy: https://wordpress.org/about/privacy/.

**Google reCAPTCHA (optional)** — Only contacted if you enable reCAPTCHA on
login/register/password-reset and supply your own site keys. The plugin loads
`https://www.google.com/recaptcha/api.js` on the login page and submits responses to
`https://www.google.com/recaptcha/api/siteverify`. Google reCAPTCHA Terms:
https://policies.google.com/terms — Privacy: https://policies.google.com/privacy.

**Slack (optional)** — Only contacted if you enable Slack notifications and configure
a webhook URL. Security events are posted to the webhook you supply.

**Sentry (optional)** — Only contacted if you enable Sentry notifications and configure
a Sentry DSN. Critical events are posted to the Sentry endpoint encoded in your 
DSN.

### Filesystem scope

The plugin only writes to the database and a small set of clearly named directories
under `wp-content/uploads/`. It never asks users to edit plugin files, and it does
not store runtime data in its own plugin folder. Every write below is gated behind
an admin nonce or a WordPress cron event — there is no path that an unauthenticated
visitor can use to write to disk.

 * `wp-content/uploads/firssise-backups/` — created by the local-backup feature 
   when scheduled or manual backups are run. Contains the generated `.zip` archives.
   Backups are NOT removed on uninstall (that’s your data); delete the folder manually
   if you don’t want them.
 * `wp-content/uploads/firssise-logs/` — internal error log written by the plugin’s
   own error-capture handlers when the “Monitor PHP error log” option is enabled.
   The directory gets a blank `index.html` and a restrictive `.htaccess` file when
   supported by the server.
 * Quarantine records are stored in the WordPress database. Flagged files are deleted
   from disk when quarantined instead of being copied into the plugin directory 
   or a public uploads subfolder.

The plugin reads many other paths (WordPress core files, other plugins, themes, 
uploads) for integrity scanning and malware detection, but it does not write to 
them.

## Installation

 1. Upload the `firstpage-site-security` folder to `/wp-content/plugins/`
 2. Activate the plugin through the Plugins screen in WordPress
 3. Configure it from the FP Security menu in the WordPress admin

## FAQ

### What does this plugin actually do?

It hardens login (brute-force lockout, optional two-factor), runs a built-in firewall
with country and IP blocklists, scans your files for malware signatures and integrity
changes, offers optional WordPress.org checksum and update verification when you
opt in, takes scheduled local backups, and sends you alerts when something looks
wrong.

### Is anything required to use it? Do I need an account?

No. Activate the plugin and the defaults turn on login protection, the firewall,
and local file integrity monitoring. WordPress.org verification lookups are off 
by default and must be enabled explicitly. There’s no signup, no API key, and no
paid tier.

### Does the plugin send any data off my site?

By default it does not send visitor IP addresses to third-party geo-location services.
Country-based checks only work when your stack already provides country data locally,
such as the `CF-IPCountry` header from Cloudflare, an equivalent server-side header,
or the optional PHP GeoIP extension. Slack, Sentry, Google reCAPTCHA, and WordPress.org
verification requests are all feature-driven and only occur when the relevant
feature is enabled or used.

### Will it work behind Cloudflare or another reverse proxy?

Yes, but you need to opt in. By default the plugin trusts only `REMOTE_ADDR`, so
behind a proxy every visitor will look like the proxy IP. To honor
`CF-Connecting-IP` / `X-Forwarded-For`, set the `trust_proxy_headers` option to `1`
and add your proxy IPs to `trusted_proxy_ips` (comma- or whitespace-separated). With WP-CLI:
`wp option patch update firssise_options trust_proxy_headers 1` and
`wp option patch update firssise_options trusted_proxy_ips "203.0.113.10, 203.0.113.11"`.
Without an allowlist, forwarded headers are spoofable and the firewall would be trivial
to bypass.
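
The allowlist rule described above, sketched in PHP as an added example (this is not FP Site Security's own code). The function names are hypothetical, the sample requests are constructed from documentation address ranges, and allowlist entries are assumed to be single IPs compared as exact strings.

```php
<?php
// Added illustration; not the plugin's source. Function names are hypothetical.

/** Split a comma- or whitespace-separated allowlist into valid IP strings. */
function example_parse_trusted_proxies(string $raw): array {
    $parts = preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_filter(
        $parts,
        fn($ip) => filter_var($ip, FILTER_VALIDATE_IP) !== false
    ));
}

/** Resolve the client IP, reading forwarded headers only from allowlisted peers. */
function example_client_ip(array $server, bool $trust_proxy_headers, array $trusted): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Default described on the page: only REMOTE_ADDR is trusted.
    if (!$trust_proxy_headers || !in_array($remote, $trusted, true)) {
        return $remote;
    }
    // The direct peer is an allowlisted proxy, so its headers may be read.
    $cf = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }
    // Walk X-Forwarded-For right to left: the rightmost entries were appended by
    // our own proxies; the first address that is not a trusted proxy is the client.
    $xff  = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    $hops = preg_split('/\s*,\s*/', $xff, -1, PREG_SPLIT_NO_EMPTY);
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the proxy address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests.
$trusted   = example_parse_trusted_proxies("203.0.113.10, 203.0.113.11");
$via_proxy = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.7'];
$direct    = ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];

echo example_client_ip($via_proxy, true, $trusted), "\n";  // hop appended by the trusted proxy
echo example_client_ip($direct, true, $trusted), "\n";     // header ignored: peer not allowlisted
echo example_client_ip($via_proxy, false, $trusted), "\n"; // option off: REMOTE_ADDR only
```

The leftmost `X-Forwarded-For` entry is client-supplied, which is why the sketch never reads it first and never reads any header from a peer outside the allowlist.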

### How do I enable two-factor authentication?

In the WordPress admin, go to **FP Security → Security → Login Security**. Scroll
to the “Two-factor authentication” section, scan the QR code with any TOTP app
(Google Authenticator, 1Password, Authy, Bitwarden), enter the 6-digit code in the
“Verify code” field to confirm, and save. TOTP will be required on every subsequent
login for that user.

### I got locked out. How do I get back in?

The plugin generates an emergency unlock token on activation, stored in the `firssise_options`
row of `wp_options`. Three ways to retrieve it:

 1. **WP-CLI:** `wp option get firssise_options --format=json` and copy the `emergency_unlock_token`
    value.
 2. **phpMyAdmin / database:** open the `wp_options` table, find `option_name = 'firssise_options'`,
    and read the serialized array — the token is the value of `emergency_unlock_token`.
 3. **Last resort (always works):** rename the plugin folder via SFTP
    (`firstpage-site-security` → `_disabled`) to deactivate the plugin and log in normally.

Once you have the token, append it to your login URL:
`/wp-login.php?firssise_unlock=YOUR_TOKEN`. That bypasses the lockout for a single login.
For repeated lockouts, raise the brute-force threshold in
**FP Security → Security → Login Security**.

### Will scans slow down my site?

The default mode is “low resource” — scans run in background cron batches, not on
visitor requests. The realtime watcher only fingerprints files modified in the last
ten minutes and skips known-large directories like `cache/` and `upgrade/`. On a
small or medium site you should not see any measurable impact.

### What happens when the plugin finds something?

It records an event in the activity log, raises an admin notice, and (if you’ve 
enabled them) pushes notifications to Slack, Sentry, or your admin email. From the
Findings panel you can quarantine the file or delete it after review.

### Can I run this alongside Wordfence, Sucuri, or another security plugin?

You can, but you probably don’t want to — two firewalls fighting over the same hooks
tends to cause double-blocking, lockouts, and slow login. The plugin detects common
security plugins on activation and shows a one-time admin notice listing what it
found so you can pick one. There is no functional conflict, just duplicated work.

### How do I uninstall it cleanly?

Deactivate the plugin from the Plugins screen, then delete it. The plugin’s options,
transients, and event log are removed by the uninstall hook. Backups stored under
`wp-content/uploads/firssise-backups/` are intentionally NOT removed automatically;
delete them manually if you don’t want them.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“FP Site Security” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Joseph Mendez ](https://profiles.wordpress.org/joshme21/)

[Translate “FP Site Security” into your language.](https://translate.wordpress.org/projects/wp-plugins/firstpage-site-security)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/firstpage-site-security/),
check out the [SVN repository](https://plugins.svn.wordpress.org/firstpage-site-security/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/firstpage-site-security/)
by [RSS](https://plugins.trac.wordpress.org/log/firstpage-site-security/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.8

 * Make Monitoring Settings visible in the admin submenu so scan configuration is
   easier to find.
 * Refresh plugin directory branding assets and release metadata for the public 
   launch.

#### 1.0.7

 * Refine WordPress root and admin path handling for subdirectory installs and shared
   helper loading.
 * Finalize compatibility cleanup for WordPress.org review around filesystem path
   resolution.

#### 1.0.6

 * Centralize WordPress-aware root and admin include handling in a shared internal
   helper.
 * Replace duplicated path-building logic in monitoring, backup, vulnerability, 
   and admin renderer components.

#### 1.0.5

 * Remove the remaining brittle root-path patterns flagged during WordPress.org 
   review.
 * Refresh packaging and release metadata for the resubmission build.

#### 1.0.4

 * Replace the short internal `fps` prefix with the longer `firssise` prefix across
   classes, hooks, options, transients, and assets for WordPress.org compatibility.
 * Switch the standalone report stylesheet output to WordPress enqueue/print APIs.
 * Remove the remaining hardcoded path handling flagged in review and rely on
   WordPress-aware root/content/admin path helpers.
 * Remove production `error_reporting()` usage from the runtime error monitor.

#### 1.0.3

 * Remove the deprecated manual translation loader for WordPress.org-hosted builds.
 * Tighten backup-manager review compatibility for Plugin Check and current WordPress
   support.

#### 1.0.2

 * Rename plugin to Firstpage Site Security with the new `firstpage-site-security`
   slug.
 * Remove automatic third-party geo-IP requests and rely on server-provided country
   data only.
 * Move login/admin inline assets onto WordPress enqueue APIs.
 * Improve WordPress path handling for config, plugin, uploads, and root-file checks.
 * Finalize WordPress.org review cleanup, including local-only packaging and
   uploads-directory handling.

## Meta

 * Version **1.0.8**
 * Last updated **15 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.0 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Tags: [backups](https://wordpress.org/plugins/tags/backups/),
   [firewall](https://wordpress.org/plugins/tags/firewall/),
   [login security](https://wordpress.org/plugins/tags/login-security/),
   [malware scanner](https://wordpress.org/plugins/tags/malware-scanner/),
   [security](https://wordpress.org/plugins/tags/security/)
 * [Advanced View](https://wordpress.org/plugins/firstpage-site-security/advanced/)

## Ratings

No reviews have been submitted yet.

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/firstpage-site-security/)

## Donate

Would you like to support the advancement of this plugin?

 [ Donate to this plugin ](https://paypal.me/jose88882020)