Description
Nexura Security is a complete, all-in-one WordPress security plugin that protects your website from hackers, malware, and brute-force attacks — completely free.
Whether you run a personal blog, an online store, or a business website, Nexura Security gives you enterprise-level protection without slowing your site down.
⚡ Why Choose Nexura Security?
Looking for a lightweight, faster alternative to Wordfence, Sucuri, or MalCare? Tired of heavy security plugins that slow down your site and bloat your database?
Nexura Security is different:
- Zero Database Bloat — Uses smart micro-batching so scans run quietly in the background without slowing down your server.
- Easy to Use — One-click setup. No technical knowledge required.
- 100% Free Core — All essential security features are included at no cost.
🛡️ Free Features (Included with This Plugin)
🔍 Deep Malware Scanner
Automatically scans your entire WordPress installation — themes, plugins, uploads, and core files — for hidden backdoors, obfuscated PHP code, suspicious JavaScript, and known malware patterns. Clean infected files with a single click.
📂 WordPress Core File Integrity Monitor
Compares your WordPress core files against clean, official versions to detect any unauthorized changes. If a hacker modifies wp-login.php, wp-config.php, or any other core file, you will know instantly.
📁 Root Directory Integrity Checker
Detects suspicious and unknown files dropped directly into your WordPress root folder — a common technique used by attackers to plant backdoors and web shells.
🔐 Two-Factor Authentication (2FA)
Add an extra layer of protection to your admin login. Works with Google Authenticator, Authy, Microsoft Authenticator, or any TOTP-compatible app. Includes QR code setup.
🔗 Passwordless Magic Link Login
Allow trusted users to log in via a secure, time-limited link sent to their email — no password required.
🚫 Brute-Force Attack Protection
Automatically blocks IP addresses after too many failed login attempts. Configurable lockout duration and attempt limits.
🔑 Pwned Password Checker
When users set or change their passwords, the plugin securely checks against the HaveIBeenPwned database to make sure the password has not been exposed in a data breach. Uses k-Anonymity — your full password is never sent anywhere.
🤖 Anti-Spam & Bot Protection
Protects your comment forms, login pages, and registration pages from automated spam bots using Cloudflare Turnstile or Google reCAPTCHA integration.
🌍 Cloud-Based Threat Intelligence
Syncs with the Nexura Threat Intel Cloud to receive up-to-date malicious IP blocklists and attack signatures, keeping your firewall rules current.
🛠️ Security Hardening (One-Click)
Apply best-practice WordPress security settings with one click:
- Disable the built-in file editor (prevents hackers from editing your files from the dashboard)
- Block PHP execution in the uploads folder
- Disable directory listing
- Block XML-RPC (stops brute-force attacks via XML-RPC)
🛠️ Extended WAF & Core Auto-Restore
Uses an advanced .htaccess auto_prepend_file directive to load the Web Application Firewall before WordPress even boots. If a hacker deletes critical WordPress core files (like wp-settings.php or wp-login.php), this feature automatically downloads a fresh copy of WordPress from the official WordPress.org API in the background and instantly restores the missing files — keeping your site online without manual intervention.
🚑 Fatal Error Auto-Heal
Utilizes the official WordPress Drop-in pattern (wp-content/fatal-error-handler.php) to catch PHP fatal errors before they crash your entire site. If a newly installed plugin or theme causes a “White Screen of Death,” Nexura automatically detects the faulty plugin, safely disables it, and reloads the page.
🗄️ Database Security Scanner
Scans your WordPress database for hidden administrator accounts and suspicious configurations that may have been injected by attackers.
💾 Database Backup
Create a quick backup of your database before performing any cleanup or changes — so you can always roll back.
📊 Real-Time Upload Scanning
Every file uploaded through WordPress (media, plugins, themes) is automatically scanned for malware before it reaches your server.
🔍 Google Safe Browsing Check
Verifies whether your website has been flagged by Google as containing malware or phishing content.
🌟 Pro Features (Upgrade to Unlock)
Want to go further? Nexura Security Pro adds powerful automation and advanced protection:
- Web Application Firewall (WAF) — Blocks SQLi/XSS/Bot attacks and loads before WordPress to stop threats at the lowest server level using
auto_prepend_file. - Tokenizer-Based Smart Scanner — Uses PHP’s
token_get_all()to detect zero-day backdoors that evade regex-based scanners. - Automated Malware Cleanup — Automatically strips malware injections and restores your files without manual intervention.
- WordPress Core Auto-Restore — Downloads clean copies of modified core files directly from WordPress.org and replaces them using atomic (crash-safe) file writes.
- File Quarantine — Moves suspicious files to a secure, locked quarantine zone where they cannot execute.
- Custom Login URL — Hide
wp-login.phpandwp-adminbehind a secret URL to stop 99% of automated brute-force bots. - HTTP Security Headers — Add Content-Security-Policy, HSTS, X-Frame-Options, Permissions-Policy, and more with presets (Recommended, Strict, or Custom).
- REST API Security — Block user enumeration and restrict unauthenticated REST API access.
- WooCommerce Security — Anti-card-testing protection for checkout pages and account takeover prevention.
- Vulnerability Audit — Instantly detect outdated plugins, themes, and core versions with known vulnerabilities.
- Database Optimizer — Clean up post revisions, transients, orphaned metadata, and optimize database tables.
- Storage Cleanup Scanner (Enterprise) — Safely detect and remove unused images, PDFs, and orphan files from your uploads directory to save disk space and improve backup speed.
- Plugin Conflict Cleaner — Safely remove database leftovers from old or conflicting security plugins.
- Security Trust Badge — Display a “Protected by Nexura Security” seal on your website to build visitor trust.
- 📡 Active Monitoring — Real-time visitor tracking dashboard with live stats, 4 interactive charts (Traffic Trend, Browser, Device, OS), auto-refreshing visitor table, and bot detection.
- 📌 Visitor Stats Shortcodes — 5 beautiful shortcodes (
[nexura_visitors],[nexura_stats],[nexura_live],[nexura_popular],[nexura_page_views]) to display visitor stats anywhere on your site with premium glassmorphism design and Nexura branding. - Scheduled Automatic Scans — Set scans to run every 2 hours, daily, weekly, or monthly — fully automatic.
- Advanced Audit Logs — Detailed logs of every security event, login, file change, and admin action.
- Priority Support — Get direct help from our security team.
🔗 Third-Party Services & External API Connections
To provide comprehensive security, Nexura Security connects to several trusted third-party services. No connections are made automatically — each feature must be enabled by you in the plugin settings. Here is a complete list of external services this plugin may connect to:
1. Cloudflare Turnstile
Used for: Human verification (CAPTCHA) on login, registration, and comment forms to block spam bots.
Data sent: Visitor’s browser fingerprint and interaction data (processed by Cloudflare, not stored by us).
When: Only when you enable Turnstile integration in the Anti-Spam settings.
Service links: Cloudflare Privacy Policy | Cloudflare Terms
2. Google reCAPTCHA
Used for: Alternative CAPTCHA option for blocking automated bots on login and registration pages.
Data sent: Visitor’s browser data and interaction signals (processed by Google).
When: Only when you enable Google reCAPTCHA in the Anti-Spam settings.
Service links: Google Privacy Policy | Google Terms
3. HaveIBeenPwned API (Pwned Passwords)
Used for: Checking whether a user’s password has appeared in known data breaches.
Data sent: Only the first 5 characters of a SHA-1 hash of the password (k-Anonymity model). Your actual password is NEVER sent.
When: Only when the Pwned Passwords feature is enabled and a user sets or changes their password.
Service links: HaveIBeenPwned Privacy Policy | API Terms
4. Google Safe Browsing API
Used for: Checking whether your website URL has been flagged by Google as containing malware or phishing.
Data sent: Your website’s URL.
When: Only when you manually trigger a Safe Browsing check from the dashboard.
Service links: Google Privacy Policy | Safe Browsing Terms
5. VirusTotal API
Used for: Scanning file hashes against 70+ antivirus engines to detect malware.
Data sent: Only the SHA-256 cryptographic hash of the file. The actual file is NEVER uploaded.
When: Only during a manual malware scan when unknown files are detected.
Service links: VirusTotal Privacy Policy | VirusTotal Terms
6. Nexura Threat Intel Cloud (sgs-db-worker.sentinel-guard-security.workers.dev)
Used for: Syncing the latest WAF rules, malicious IP blocklists, and malware detection signatures with your site. Also used for anonymous threat reporting to help protect the community.
Data sent: Blocked attacker IP addresses and blocked payload patterns (anonymized). No personal user data is ever collected.
When: When the Global Threat Intelligence feature is enabled in settings.
Service links: Nexura Privacy Policy | Nexura Terms
7. WordPress.org API
Used for: Downloading official WordPress core file checksums for integrity scans, and downloading the latest WordPress core ZIP file for the Core Auto-Restore WAF feature.
Data sent: Your WordPress version number.
When: During core file integrity checks, or automatically in the background if Core Auto-Restore is enabled.
Service links: WordPress Privacy Policy
8. FlagCDN (flagpedia.net)
Used for: Displaying country flag icons next to IP addresses in the Blocked IPs table for visual identification.
Data sent: Country code (derived from IP). No personal data is sent.
When: Only when viewing the Blocked IPs page in the admin dashboard.
Service links: FlagCDN Privacy Policy | FlagCDN Terms
9. Freemius SDK
Used for: Plugin licensing, activation, opt-in analytics, and in-dashboard upgrade flow for the Pro version.
Data sent: Site URL, WordPress version, plugin version, admin email (only if user opts in during activation).
When: On plugin activation (opt-in dialog) and when checking license status.
Service links: Freemius Privacy Policy | Freemius Terms
📜 Privacy Policy & Terms of Use
We believe in complete transparency about how your data is handled.
What We Collect:
Nexura Security does NOT collect any personal data from your website visitors. We do not track your users, we do not sell any data, and we do not place any tracking cookies.
What We May Report:
When the Web Application Firewall blocks a malicious attack, the attacker’s IP address and the type of blocked payload may be anonymously reported to the Nexura Threat Intel Cloud. This helps protect other WordPress websites using Nexura Security. You can disable this feature at any time in the plugin settings under “Global Threat Intelligence.”
Your Data, Your Control:
All scan results, logs, and settings are stored locally in your own WordPress database. Nothing is sent to any external server unless you explicitly enable a cloud feature.
Compliance:
Our data handling practices comply with GDPR (EU), CCPA (California), and other major international privacy regulations. By installing and activating this plugin, you agree to the usage of the third-party services listed above when you choose to enable them.
Full Policy: Privacy Policy | Terms & Conditions
External services
This plugin connects to the following external services. Each connection is clearly documented below with the data transmitted, the conditions under which it occurs, and links to the relevant terms and privacy policy.
1. Nexura Threat Intel Cloud
Used for: Syncing malware detection signatures, WAF rules, and malicious IP blocklists. Also used for anonymous threat reporting to protect the wider WordPress community.
Data sent:
– SHA-256 file hashes (for reputation lookup)
– Blocked attacker IP addresses (anonymized)
– Blocked payload patterns (anonymized)
– No personal user data is ever collected
When: Only when the administrator enables the “Global Threat Intelligence” feature in plugin settings. Disabled by default.
Service provider: Nexura Security (sgs-db-worker.sentinel-guard-security.workers.dev)
Privacy Policy: https://nexurasecurity.com/privacy-policy.html
Terms of Service: https://nexurasecurity.com/terms-conditions.html
2. Nexura Threat Intel Cloud — Cloud Hash Scanner (Pro)
Used for: Submitting file SHA-256 hashes to the Nexura cloud to check whether each file is known-clean or requires deeper analysis.
Data sent:
– MD5 hashes of scanned files
– No file contents, no personal data
When: Only when the administrator enables “Cloud Scanner” in Pro settings AND initiates a manual scan. Disabled by default.
Service provider: Nexura Security (sgs-db-worker.sentinel-guard-security.workers.dev)
Privacy Policy: https://nexurasecurity.com/privacy-policy.html
Terms of Service: https://nexurasecurity.com/terms-conditions.html
3. Nexura Threat Intel Cloud — Cloud Deep Scan (Pro)
Used for: Submitting the content of files whose hashes are unknown to the cloud for deeper malware analysis.
Data sent:
– Base64-encoded file contents of flagged files only
– File path (for reporting purposes)
When: Only when “Cloud Scanner” is enabled in Pro settings and a hash lookup returns an unknown result during a manual scan. Disabled by default.
Service provider: Nexura Security (sgs-db-worker.sentinel-guard-security.workers.dev)
Privacy Policy: https://nexurasecurity.com/privacy-policy.html
Terms of Service: https://nexurasecurity.com/terms-conditions.html
4. Have I Been Pwned (HaveIBeenPwned API)
Used for: Checking whether a user’s password has appeared in known public data breaches.
Data sent:
– Only the first 5 characters of a SHA-1 hash of the password (k-Anonymity model)
– Your actual password is NEVER sent in any form
When: Only when the administrator enables the “Pwned Password Checker” feature AND a user sets or changes their password.
Service provider: Have I Been Pwned (haveibeenpwned.com)
Privacy Policy: https://haveibeenpwned.com/Privacy
Terms of Service: https://haveibeenpwned.com/API/v3#Terms
5. Google Safe Browsing API
Used for: Checking whether your website URL has been flagged by Google as containing malware or phishing content.
Data sent:
– Your website’s public URL
When: Only when the administrator manually triggers a Safe Browsing check from the Nexura dashboard.
Service provider: Google LLC
Privacy Policy: https://policies.google.com/privacy
Terms of Service: https://developers.google.com/safe-browsing/terms
6. WordPress.org API
Used for: Downloading the latest WordPress core ZIP for the Core Auto-Restore feature when critical core files are detected missing.
Data sent:
– No personal data. A standard HTTPS GET request is made to https://wordpress.org/latest.zip.
When: Automatically and only when the WAF detects that one or more critical WordPress core files (wp-load.php, wp-login.php, wp-settings.php, index.php) are missing — indicating the site is in a crash state. All temporary files are written to the server’s system temp directory (sys_get_temp_dir()), not to the uploads folder.
Service provider: WordPress.org
Privacy Policy: https://wordpress.org/about/privacy/
7. Cloudflare Turnstile
Used for: Human verification (CAPTCHA) on login, registration, and comment forms to block spam bots.
Data sent:
– Visitor browser fingerprint and interaction data (processed by Cloudflare; not stored by this plugin)
When: Only when the administrator enables the Turnstile integration in the Anti-Spam settings.
Service provider: Cloudflare, Inc.
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Terms of Service: https://www.cloudflare.com/website-terms/
8. Google reCAPTCHA
Used for: Alternative CAPTCHA option for blocking automated bots on login and registration pages.
Data sent:
– Visitor browser data and interaction signals (processed by Google)
When: Only when the administrator enables Google reCAPTCHA in the Anti-Spam settings.
Service provider: Google LLC
Privacy Policy: https://policies.google.com/privacy
Terms of Service: https://policies.google.com/terms
9. Freemius
Used for: Plugin licensing, activation, optional opt-in analytics, and in-dashboard upgrade flow for the Pro version.
Data sent:
– Site URL, WordPress version, plugin version, admin email (only if user opts in during activation dialog)
When: On plugin activation (opt-in dialog shown) and when checking license status.
Service provider: Freemius Ltd.
Privacy Policy: https://freemius.com/privacy/
Terms of Service: https://freemius.com/terms/
10. Google.com (Time Synchronization for 2FA)
Used for: Fetching the current server time from Google’s HTTP Date header to improve TOTP (Time-based One-Time Password) accuracy for Two-Factor Authentication. Only the HTTP response headers are used — no …
Screenshots







Installation
- Go to Plugins Add New in your WordPress dashboard.
- Search for “Nexura Security”.
- Click Install Now, then click Activate.
- Navigate to the Nexura Security menu in your sidebar to run your first security scan.
Or, if installing manually:
- Download the plugin zip file.
- Upload it via Plugins Add New Upload Plugin.
- Activate the plugin.
FAQ
-
Is Nexura Security really free?
-
Yes! All the core security features — malware scanning, file integrity monitoring, 2FA, brute-force protection, hardening, and more — are completely free. The Pro version adds advanced automation features for users who need even more protection.
-
Can it clean a hacked WordPress site?
-
Yes. The built-in malware scanner detects backdoors, obfuscated code, and known malware patterns. You can remove detected threats with a single click. For automated cleanup and core file restoration, upgrade to Pro.
-
Will it slow down my website?
-
No. Nexura Security uses a micro-batching architecture that runs scans quietly in the background. Your website visitors will not experience any slowdown.
-
Does it work with WooCommerce?
-
Yes. The free version protects WooCommerce sites just like any WordPress site. The Pro version adds WooCommerce-specific features like checkout fraud protection and account takeover prevention.
-
Does it send my data to external servers?
-
Only when you explicitly enable a cloud feature (like Threat Intelligence or Pwned Passwords). All connections are documented in the Third-Party Services section above. By default, everything stays on your own server.
-
Is it compatible with other security plugins?
-
Nexura Security is designed to be a complete standalone solution. Running multiple security plugins simultaneously is not recommended as it can cause conflicts. If you are switching from another plugin, Nexura Pro includes a Plugin Conflict Cleaner to safely remove leftover data.
-
What PHP version do I need?
-
PHP 7.4 or higher is required. PHP 8.0+ is recommended for optimal performance.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Nexura Security” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Nexura Security” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.0
- Initial release.
- Deep recursive malware scanner with micro-batching architecture.
- WordPress core file integrity monitoring.
- Root directory integrity checker.
- Two-Factor Authentication (2FA) with TOTP support.
- Passwordless Magic Link login.
- Brute-force attack protection with IP lockout.
- Pwned Password checking via HaveIBeenPwned API.
- Anti-spam protection with Cloudflare Turnstile and Google reCAPTCHA.
- Cloud-based Threat Intelligence sync.
- Google Safe Browsing integration.
- One-click security hardening (file editor, directory listing, PHP execution, XML-RPC).
- Database security scanner for hidden admin accounts.
- Database backup tool.
- Real-time upload scanning.
- Session management.
