SecuPress Free — WordPress Security



Protect your WordPress with malware scans; block bots & suspicious IPs. Get a complete WordPress security toolkit for free or as a pro plugin. SecuPress is GDPR compliant.

What’s the difference between free and pro version?
If you are proactive, our free WordPress security plugin is a great choice! No time to activate weekly scans? Then SecuPress pro is the way to go. Our plugin takes care of everything with automated tasks.

Here are some of our most popular features:

  • Anti Brute Force login
  • Blocked IPs
  • Firewall
  • Security alerts (1)
  • Malware Scan (1)
  • Block country by geolocation (1)

We have included some features you won’t find in most WordPress security plugins:

  • Protection of Security Keys
  • Block visits from Bad Bots
  • Vulnerable Plugins & Themes detection (1)
  • Security Reports in PDF format (1)

You can check out Frequently Asked Questions or get in touch with our support. Want to know all about SecuPress? You can read our documentation here:

How will you know it works?
Well, we have a dedicated security scanner that will give you a clear security grade and report for your website. This way, you’ll know exactly what to fix.

WordPress Features

Security Audit
SecuPress is the only plugin with a full scanner able to fix the issues for you. And when it requires a decision from you, it will ask you before proceeding. With this feature, you can check 35 security points in 5 minutes and let us take care of the rest.

Once done, you get a security grade that gives you a clear idea of what your security level is. You can export this analysis in PDF format to share with others (clients or colleagues) (1).

Users & Login
This feature is the easiest way to make sure your users’ data is protected and to keep their accounts from being compromised. With this feature you can limit the number of bad login attempts, ban login attempts that use non-existent usernames, and set a non-login time slot. SecuPress also makes sure you can avoid double logins and control your sessions.

SecuPress also adds 2FA (two-factor authentication) because it’s almost a mandatory feature when it comes to WordPress security!

The plugin also gives you greater user and password control, as you can:

  • Set password lifetimes for your users.
  • Enforce strong password use.
  • Forbid the use of vague usernames like www or admin.

Tired of bots finding your WordPress login page? Just move it with the famous Move Login plugin, now included in SecuPress.

Plugins and Themes
SecuPress helps you detect themes and plugins that are vulnerable or that have been tampered with to include malicious code. If you install one of these, your security module will send out an email alert and give you a warning in WordPress.

SecuPress takes security further by limiting plugin activation, deactivation, installation and removal in your production (live) website. Plugin and theme uploads via .zip files will be on lockdown as well to block off this easy hacking route.

WordPress Core
SecuPress reinforces the WordPress Core to keep it safe. The security plugin optimizes what’s under the hood to secure the config file by setting the proper parameters.

Sensitive Data
SecuPress secures content in many ways:

  • The plugin secures WordPress Endpoints and APIs by blocking bad requests for XML-RPC or REST API.
  • It blocks bad bots with its Robots Blackhole feature.
  • It provides an anti-hotlink feature to preserve your bandwidth.
  • The plugin packs 7 anti-disclose security modules to make sure no precious information is available to hackers in your PHP or WordPress itself.
  • Profile and SecuPress settings pages are password protected to keep sensitive information away from prying eyes.


  • SecuPress is one of the most efficient WordPress bouncers you’ll ever see!
  • The plugin blocks malicious incoming requests.
  • It blocks bad User Agents (no bad crawlers allowed).
  • Bad request methods also get the boot in a single click.
  • URLs are kept in check: no bad URL contents.
  • SQL injection scanners are kept out as well.
  • Brute force attempts are stopped in their tracks.
  • GeoIP Blocking by country gives you more control over your traffic.

Malware Scan
SecuPress has a unique malware scan developed by our security experts. It hunts down bad files and provides you with an easy step-by-step report that lets you take action. It looks into:

  • Bad files in your FTP.
  • Your uploads folder for dangerous files.
  • Potential phishing attempts via index.php loads.

We know firsthand how painful it is to pick up the pieces after an attack damages your WordPress. SecuPress preserves your data to help you avoid lost content or settings if your website comes under attack. The plugin backs up your database and files and lets you download them to guarantee you peace of mind.

Anti Spam
Did you know that 60% of the traffic on the Internet is generated by bots? Most of them happen to be spam bots. We developed our own anti-spam system that works quietly in the background. Just activate it and enjoy a spam free experience.

Alerts are an essential tool when your website is under attack. When something important happens on your website, SecuPress will send you an alert via email. We’re working on alerts via SMS, Slack & Twitter as well.

You also receive a daily report that provides a debrief of the attempted attack and all the activities blocked by SecuPress.

Scheduled Security Tasks
SecuPress can run 3 separate scheduled tasks for you. It’s like having a security patrol on your WordPress.

Scheduled Scanner: SecuPress scans your website to detect any issues. After the scan is complete, you get a report in your inbox outlining any actions you have to take to protect your website.
Scheduled Backup: our team knows that everyone at one time or another forgets to back things up. We made it an automatic task to help ensure you can always recover from an attack with your content safe.
Scheduled Malware Scan: this security feature scans your website at regular intervals to hunt down any malware that may have gotten into your WordPress.

SecuPress will keep a log of important security activities and 404 pages triggered by users, bots or even Chuck Norris. This lets you keep an eye on what’s going on in your WordPress at any time. You can also control banned IPs from this option.

(1) Available in the Pro Version.

(SecuPress is a French WordPress security plugin)


  • All modules from SecuPress
  • A module page (here is Users & Login)
  • The first scan
  • The 1st step: result of the scan
  • The 2nd step: choose what to automatically fix (1)
  • SecuPress is fixing issues for you
  • The 3rd step: manual fix, when you have to decide something
  • The 4th step: final report, you can export it as PDF (1)


It’s important to delete all other security plugins before activating SecuPress.

  1. Upload the plugin files to the /wp-content/plugins/secupress directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. Use the SecuPress->Settings screen to configure the plugin.


What does SecuPress do, exactly?

SecuPress is a plugin for WordPress sites which enables better security without sacrificing usability. It’s easy to use for you and hard to hack for pirates. First, SecuPress will scan your site, looking for vulnerabilities, and provide a report detailing possible security improvements to harden your WordPress. The majority of recommendations are easy to implement by checking a box; very few will require a manual setup.

What makes SecuPress better than any other security plugin?

SecuPress protects your website on multiple fronts: anti spam, double authentication. The best feature for users remains how easy to use this plugin is. You don’t need to be an experienced technician to use and secure your WordPress like an expert!

Our security alarms hosted on our servers supply daily data about the most recent vulnerable plugins and themes. This allows you to always be aware and safe.

Is SecuPress compatible with multisites installation?

Yes, SecuPress can be activated for all your sub-sites, just activate it from your main network site.

Is SecuPress compatible with all web hosters?

Yes, SecuPress is compatible with all web hosters like WP Serveur, OVH, Siteground, BlueHost, PlanetHoster, WP Engine, O2Switch or GoDaddy. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with all caching plugins like WP Rocket, W3 Total Cache, WP Super Cache?

Yes, SecuPress is compatible with all WordPress caching plugins. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with all multilingual plugins like PolyLang, WPML, qTranslate?

Yes, SecuPress is compatible with all multilingual WordPress plugins. If you have an issue, please get in touch with us and let us know!

Is SecuPress compatible with all server engines like Apache, Nginx, IIS7?

Yes, SecuPress is compatible with all server engines. If you encounter an issue, do not hesitate to contact our support team.

Is SecuPress compatible with other security plugins like WordFence, iThemes Security, Bullet Proof Security?

The answer is no. SecuPress is not compatible with other security plugins. Just like two caching plugins do not make your website faster, two security plugins do not make your WordPress more secure. Security rules tend to be overwritten or conflict with other rules if two security plugins are installed. This can cause errors on your website and is not recommended.


March 24, 2021
The guarantee of a worry-free site. I have more than twenty sites that use it and it's very reassuring. Thanks Julio 🙂
February 9, 2021
I've been using SecuPress for the past year and even became a Pro subscriber for the additional features. First impressions are great, I loved the user interface, simplicity, ease of use, awesome! But what I hate is the fact that I'm not sure how much can I trust this plugin. I'm using Wordfence for work websites. What I love about Wordfence is that these guys are on the top of their game, busy bees in a bee hive. Often there's something new, a new update, the plugin is being looked after and it gives me a good feeling of security. If things go pear shape, these guys will help me out. Unfortunately I don't get the same vibes with SecuPress. The plugin seems abandoned. There hasn't been a single update in months. There's been lots happening with WP development lately, we've got WP 5.6+ that came with a few changes to the security, yet the last update of SecuPress was over 7 months ago. It seems to be more of a school project rather than something to be taken seriously. Website security is a big deal. I don't think I get that with SecuPress. Moving onto a different security plugin for now. Happy to give it another try if anything will change.
Read all 84 reviews

Contributors & Developers

“SecuPress Free — WordPress Security” is open source software. The following people have contributed to this plugin.


“SecuPress Free — WordPress Security” has been translated into 3 locales. Thank you to the translators for their contributions.

Translate “SecuPress Free — WordPress Security” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog


  • 12 April 2021
  • Fix#913: user_can can lead to fatal error (see
  • Fix: undefined functions (free version only)
  • Fix: role was not translated in the alerts


  • 06 April 2021
  • Improvement: Add Jetpack SSO as supported 2FA
  • Improvement: Add a few forbidden names in “bad login IDs” module
  • Fix: Emails for PasswordLess were not sent or sent in spam. (WP 5.7.1 will also fix this)
  • Fix: Export Mode not read correctly
  • Fix: 3 undefined index PHP warning
  • Fix: 2 possible PHP fatal error (but won’t break the front site)
  • Fix: Move Login with WP running in a subdir was broken since 2.0


  • 29 March 2021
  • New#905: Expert Mode has been added as a simple checkbox (but already available since 1.4.6 – 9 august 2018 ;p so, “new” feature)
  • Improvement#885: Extend allowed request methods
  • Improvement#893: Test if file exists before being tagged as PHP404 to prevent false positives
  • Improvement#894: Better HTTPS tests
  • Improvement#896: Emails from SecuPress will now come from the admin email address instead of noreply@ (the WP filter hook wp_mail_from is still usable)
  • Improvement#901: New way to propose deactivation on incompatible plugins + force deactivation on plugins that directly enter in conflict
  • Improvement#906: ?wp_lang param was not usable on moved login pages
  • Fix#897: A Grade was not accessible even with all the tests OK
  • Fix#898: WordPress Site Health page is back!
  • Fix#900: Undefined Index on step4
  • Fix#902: Update WP_Background_Process Lib
  • Fix#904: Locked Default Role was not deactivable
  • Fix#903: Database Prefix Rename feature didn’t rename the checked tables
  • Fix#907: Alerts Emails contains HTML tags


  • 05 March 2021
  • New#318: Malware Scan on DataBase
  • New#332: WordPress Core > Change DB Prefix Manually
  • New#399: WordPress Core > Renew your security keys in one click
  • New#531,769: Revamp the Malware Scan Module: better detection, more detection (and remove the delete file button, sorry)
  • New#575: Addon Module Page
  • New#791: WordPress Core > Lock admin_email, default_role, membership settings from WP
  • New#821: Your Grade can not get a “+”, and the A Grade is more accessible
  • New#823: Sensitive Data > Prevent 404 guessing
  • New#825: PHP8 Compatibility
  • New#828: WordPress Core > Lock home_url and site_url
  • New#863: Main Scanner > You can now scan a specific item
  • New#866: fr_BE and fr_CA will get the fr_FR translations (until a real one exists)
  • New#870: New php constant SECUPRESS_ALLOW_GEOIP_ACCESS to bypass geoip auto blocking
  • New#872: FireWall > Block Bad referers

  • Improvement#184: Add the total of scanners when displayed (like 22/35)

  • Improvement#187,292,783: Better uninstallation of the whole plugin (wp-config & htaccess content, mu-plugins)
  • Improvement#194,220,395,482,579,775,789,809,812,840,842,871: Better wording, i18n, explanations, remove “Cheatin’uh?”, remove whitelist/blacklist, remove masculinity terms in french because snowflakes + do not ever use WP text domain and keep our trad at home
  • Improvement#229: Add links to related modules in schedules page
  • Improvement#740: Reset button with JS confirmation (but at the same time, remove the button for now, see blog post)
  • Improvement#752: Better report email subject
  • Improvement#753: Remove the obsolete Block SQLi option
  • Improvement#754: Stop main scanner after 3 minutes
  • Improvement#778: Remove the date by month in security keys to prevent too many disconnections and prevent some bad dev based on those keys to mess up (please do not rely on these keys, use wp_salt()…)
  • Improvement#781: Better anti hotlink to prevent possible 404 urls on our fake image + allow google image
  • Improvement#782: Change recommendations for PHP Version to be more flexible
  • Improvement#786: Add “wp-config-sample.php” to old WordPress files
  • Improvement#796: Add the found IP in filter secupress.ip.default_ip
  • Improvement#800: Import settings will now import htaccess modifications (based on activated modules, not in the exported file)
  • Improvement#808: return HTTP response code matching the data passed to secupress_die (props @jeherve)
  • Improvement#815: Hide all login errors instead of a list
  • Improvement#822: Grade is included in the email subject
  • Improvement#827: Email only if grade has changed and is worse
  • Improvement#831: Remove license.txt, wp-config-sample.php, readme.html from being missing files in malware scanner
  • Improvement#834: Remove notices about wp-config.php and .htaccess not writable
  • Improvement#835: Remove SCRIPT_DEBUG from wp-config scanner
  • Improvement#837: Better secupress.plugin.passwordless_email_message replacements
  • Improvement#855: Empty User-Agent is not a bad one anymore
  • Improvement#860: On module (de)activation, rescan the test if present
  • Improvement#861: Do a JS check on captcha module to be sure it can be activated
  • Improvement#862: If a scanner gone bad, send it to alerts
  • Improvement#865: Remove the “ask old password” option

  • Fix#362: SecuPress tables tagged as unknown when autofix the DB prefix switch

  • Fix#471: Remove unwanted columns in Logs pages
  • Fix#499: .htaccess path was not correct with ABSPATH
  • Fix#547: Remove “www.” in domain for antihotlink (for multisite subdomains)
  • Fix#746: Notice: “listMessage is not a constant”
  • Fix#762: Fix displaying wrong confirmation message when adding multiple IP to (dis)allow
  • Fix#767: Notice: “Undefined index: SERVER_PORT/HTTP_HOST in core/functions/common.php on line 797/800”
  • Fix#774: Remove the warning emoji in move login message
  • Fix#779: Email confirmation is present at each connection when move login is activated
  • Fix#784: Cannot use move login when pro is installed but not activated with the license
  • Fix#788: Settings link in plugins page is not correct with white label
  • Fix#792: Update doc links with https
  • Fix#793: Update Support for 2FA 3rd party
  • Fix#798: Google Bot was blocked due to a bad method query
  • Fix#801: Block double slashed users route from REST API
  • Fix#802: Remove old obsolete devs from <2.0 (recovery_email, support)
  • Fix#804: Double auth still displays 2 fields
  • Fix#814: API Keys can’t be hidden anymore
  • Fix#817: AntiSpam let any comment pass, sometimes…
  • Fix#818: If WooCommerce, do not scan login errors
  • Fix#819: Fatal error on GeoIP update (in background, your site was not harmed)
  • Fix#824: Display strange chars in Grade
  • Fix#830: Notice: “Undefined index: move-login_custom_page_url”
  • Fix#838: Move Login password page won’t work
  • Fix#855: Do not display SecuPress in admin footer and if hide WordPress version active, hide it in admin footer too

  • Security Fix#844: A visitor can ban any IP


  • Remove an old input that should not be here.