Integrations/WordPress
WordPress

WordPress

Predax Security

Real-time IP threat detection for WordPress. Block malicious logins, spam registrations, and bot traffic before they reach your site — powered by the Predax API.

Free pluginWordPress 5.8+PHP 7.4+v1.10.0
Install from WordPress.org

Free in the official WordPress Plugin Directory — install and auto-update straight from WP Admin → Plugins → Add New.

What's new in v1.10.0

  • Username-enumeration blocking — stops ?author=N probes and the REST users endpoint from leaking usernames to attackers, closing the reconnaissance step before a brute-force attempt.
  • XML-RPC hardening & firewall auto-ban — neutralise pingback DDoS reflection and system.multicall brute-force amplification, and automatically ban IPs that trip the firewall repeatedly.
  • Live API usage meter — the dashboard now shows your real monthly IP-check usage against your plan's quota, and warns you before (and when) the limit is reached instead of pausing silently.
  • Fail-fast resilience — a circuit breaker fails open instantly if the API is ever slow or unreachable, so your site's speed is never held hostage by a security check.

The dashboard is also more honest: if visitor screening is off, it says "Partially Active" and offers a one-click enable — no more guessing why a rule isn't firing.

Inside your WordPress admin

Real screenshots from the plugin — the live security dashboard and the settings panel.

yoursite.com/wp-admin/admin.php?page=ipsentry-security
Predax Security dashboard in WordPress admin showing threat detection score, blocking activity chart, firewall summary, and recent blocks
The security dashboard — protection status, blocking activity, threat breakdown, and recent blocks at a glance.
yoursite.com/wp-admin/admin.php?page=ipsentry-settings
Predax Security settings page showing API key, risk threshold slider with presets, and per-signal VPN, proxy, Tor, and datacenter detection modes
Settings — risk threshold presets and per-signal Block / Monitor / Off modes for VPN, proxy, Tor, and datacenter traffic.

Features

Security Dashboard

NEW

A dedicated dashboard is now the plugin's landing page. Real-time blocking activity chart, protection status banner, firewall summary, top targeted paths, threat type breakdown, and country analysis — all queried from the existing threat log, no schema changes.

Anti-bot protection suite

JavaScript challenge, comment honeypot, browser fingerprint scoring, and request pattern analysis work together to detect and block headless bots — even ones with valid-looking IPs.

Google reCAPTCHA v3

Score-based reCAPTCHA v3 on login and registration forms. Configurable threshold with fail-open on network errors so legitimate users are never locked out by a Google outage.

Known bot verification

Reverse + forward DNS verification for 8 major bot operators (Googlebot, Bingbot, DuckDuckBot, YandexBot, and more). Flag or block spoofed user-agents pretending to be search engines.

Honeypot URL traps

Configurable trap URLs (wp-admin.php, xmlrpc-backup.php, and 6 other defaults). Any visitor that touches one is instantly blocked or blacklisted — they could only have found it by scanning.

HTTP security headers

One-click HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Harden your WordPress install against clickjacking, MIME sniffing, and cross-origin attacks.

WordPress hardening toggles

Disable XML-RPC, hide the WordPress version from source, and disable the file editor — all from a single settings section. Close the most commonly abused attack surfaces without editing wp-config.php.

404 threshold blocking

Configurable count and time window. Visitors hitting too many missing pages in a short window (a classic vulnerability-scanning signal) get temp-blocked or permanently blacklisted.

One-click OAuth connect

Click "Connect with Predax" in the setup wizard and the plugin links your site instantly — no API key to copy or paste. Uses OAuth2 Authorization Code flow with PKCE for secure authentication.

Setup wizard

Guided 3-step setup appears on first activation. Pick a protection preset (Recommended / Strict / Monitor Only) and the plugin configures all the right defaults for you.

Web Application Firewall (WAF)

Signature-based WAF detects SQL injection, XSS, path traversal, file probes, command injection, and known scanner tools — before any authentication logic runs. Toggle independently from the risk score threshold.

Community Threat Network

When your site blocks a high-risk IP, that intelligence propagates to all other Predax-protected sites within seconds via the community score. Benefit from collective blocking without any extra setup.

Shortcodes for your visitors

[predax_lookup] renders an AJAX IP lookup widget on any page. [predax_badge] shows a "Protected by Predax" badge with live block count — useful for landing pages and footer trust signals.

Login, registration & comment protection

Score every login attempt, new registration, and comment submission. Block or monitor IPs above your chosen risk threshold, with automatic blacklisting after failed login thresholds.

All-visitor IP protection

Optionally enable page-level protection to check every visitor's IP on site entry — not just logins. Results are cached per IP for one hour to avoid unnecessary API calls.

VPN, proxy & Tor detection

Per-signal Off / Monitor / Block radio controls for VPN, proxy, Tor, and datacenter IPs. Monitor mode logs the visit without blocking — useful for tuning before enforcing.

XML-RPC & REST API protection

Extend IP blocking to the WordPress XML-RPC endpoint and REST API — common vectors for brute-force attacks and scrapers. Results are cached so API quota is not affected.

Custom branded block page

Replace the default WordPress error screen with a custom dark-themed block page. Set your own title, message, and a contact link so blocked users know how to reach you.

Disposable email blocking

Prevent spam signups by rejecting or flagging registrations from known throwaway email providers (mailinator, yopmail, trashmail, and ~50 others). No external API call required.

WP-CLI management

Manage Predax from the command line: wp predax status, whitelist/blacklist add or remove IPs, view the threat log, and test any IP directly from your terminal.

Settings import / export

Export your entire configuration to a JSON file and import it on another site. Useful for staging-to-production migrations or spinning up multiple protected WordPress installs.

Country & region geo-blocking

Allow or deny access based on country or region. Blocking applies to all protected entry points: login, registration, comments, and visitor protection.

How is this different from Wordfence?

They solve different problems — and work well together. Scanner-based plugins look at what a request does once it reaches your site. Predax looks at who is connecting, before they do anything.

Scanner-based plugins

Wordfence, Solid Security, and similar

  • Scan files for malware after it lands
  • Match requests against firewall rule signatures
  • React to known attack patterns

Predax Security

IP intelligence, in real time

  • Identifies VPNs, proxies, Tor, and datacenter IPs the moment they connect
  • Blocks high-risk visitors before they attempt a login, registration, or scan
  • Backed by a continuously updated commercial threat database

Run them together: many sites pair Predax with a scanner-based plugin. Predax filters out the anonymous, high-risk traffic at the door; the scanner watches whatever gets through. No conflicts — Predax hooks into login, registration, comments, and page entry, not the file system.

Installation

  1. 1In your WordPress admin, go to Plugins → Add New and search for "Predax Security"
  2. 2Click Install Now on the Predax Security plugin, then Activate
  3. 3A new Predax Security menu appears in your WP Admin sidebar (shield icon)
  4. 4Open the setup wizard, paste your free API key, and click Test Connection
  5. 5Pick a protection preset (Recommended / Strict / Monitor Only), or set Block / Monitor / Off per entry point — login, registration, comments, and visitors

Recommended settings

Login: Block at threshold 65, auto-blacklist after 5 failed attempts

Registration: Block threshold 50 to catch most bots

Comments: Block mode — stop spam bots from posting on your site

VPN / Proxy: Block both by default for tightest protection; use Monitor if your audience uses corporate VPNs

Visitor protection: Enable — checks every page visit against the threat database for maximum coverage

Geo-blocking: Enable only if you serve specific regions to avoid blocking legitimate users

Where to find settings

After activation, a new Predax Security menu appears in your WordPress admin sidebar (shield icon). It has two pages:

Predax Security → Settings

API key, protection modes (Block/Monitor/Off) per entry point, risk thresholds, WAF toggle, visitor protection, geo-blocking, custom block page, disposable email action, import/export, and whitelist/blacklist.

Predax Security → Threat Log

Sortable table of blocked and flagged IPs with risk scores, threat types, WAF trigger reasons, timestamps, paths, and export to CSV.

A dashboard widget also appears on the main WP Admin Dashboard showing recent threat activity at a glance.

Ready to secure your WordPress site?

Get your free API key and start blocking threats in under 5 minutes.