WordPress
Predax Security
Real-time IP threat detection for WordPress. Block malicious logins, spam registrations, and bot traffic before they reach your site — powered by the Predax API.
Free in the official WordPress Plugin Directory — install and auto-update straight from WP Admin → Plugins → Add New.
What's new in v1.10.0
- Username-enumeration blocking — stops
?author=Nprobes and the REST users endpoint from leaking usernames to attackers, closing the reconnaissance step before a brute-force attempt. - XML-RPC hardening & firewall auto-ban — neutralise pingback DDoS reflection and
system.multicallbrute-force amplification, and automatically ban IPs that trip the firewall repeatedly. - Live API usage meter — the dashboard now shows your real monthly IP-check usage against your plan's quota, and warns you before (and when) the limit is reached instead of pausing silently.
- Fail-fast resilience — a circuit breaker fails open instantly if the API is ever slow or unreachable, so your site's speed is never held hostage by a security check.
The dashboard is also more honest: if visitor screening is off, it says "Partially Active" and offers a one-click enable — no more guessing why a rule isn't firing.
Inside your WordPress admin
Real screenshots from the plugin — the live security dashboard and the settings panel.


Features
Security Dashboard
NEWA dedicated dashboard is now the plugin's landing page. Real-time blocking activity chart, protection status banner, firewall summary, top targeted paths, threat type breakdown, and country analysis — all queried from the existing threat log, no schema changes.
Anti-bot protection suite
JavaScript challenge, comment honeypot, browser fingerprint scoring, and request pattern analysis work together to detect and block headless bots — even ones with valid-looking IPs.
Google reCAPTCHA v3
Score-based reCAPTCHA v3 on login and registration forms. Configurable threshold with fail-open on network errors so legitimate users are never locked out by a Google outage.
Known bot verification
Reverse + forward DNS verification for 8 major bot operators (Googlebot, Bingbot, DuckDuckBot, YandexBot, and more). Flag or block spoofed user-agents pretending to be search engines.
Honeypot URL traps
Configurable trap URLs (wp-admin.php, xmlrpc-backup.php, and 6 other defaults). Any visitor that touches one is instantly blocked or blacklisted — they could only have found it by scanning.
HTTP security headers
One-click HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Harden your WordPress install against clickjacking, MIME sniffing, and cross-origin attacks.
WordPress hardening toggles
Disable XML-RPC, hide the WordPress version from source, and disable the file editor — all from a single settings section. Close the most commonly abused attack surfaces without editing wp-config.php.
404 threshold blocking
Configurable count and time window. Visitors hitting too many missing pages in a short window (a classic vulnerability-scanning signal) get temp-blocked or permanently blacklisted.
One-click OAuth connect
Click "Connect with Predax" in the setup wizard and the plugin links your site instantly — no API key to copy or paste. Uses OAuth2 Authorization Code flow with PKCE for secure authentication.
Setup wizard
Guided 3-step setup appears on first activation. Pick a protection preset (Recommended / Strict / Monitor Only) and the plugin configures all the right defaults for you.
Web Application Firewall (WAF)
Signature-based WAF detects SQL injection, XSS, path traversal, file probes, command injection, and known scanner tools — before any authentication logic runs. Toggle independently from the risk score threshold.
Community Threat Network
When your site blocks a high-risk IP, that intelligence propagates to all other Predax-protected sites within seconds via the community score. Benefit from collective blocking without any extra setup.
Shortcodes for your visitors
[predax_lookup] renders an AJAX IP lookup widget on any page. [predax_badge] shows a "Protected by Predax" badge with live block count — useful for landing pages and footer trust signals.
Login, registration & comment protection
Score every login attempt, new registration, and comment submission. Block or monitor IPs above your chosen risk threshold, with automatic blacklisting after failed login thresholds.
All-visitor IP protection
Optionally enable page-level protection to check every visitor's IP on site entry — not just logins. Results are cached per IP for one hour to avoid unnecessary API calls.
VPN, proxy & Tor detection
Per-signal Off / Monitor / Block radio controls for VPN, proxy, Tor, and datacenter IPs. Monitor mode logs the visit without blocking — useful for tuning before enforcing.
XML-RPC & REST API protection
Extend IP blocking to the WordPress XML-RPC endpoint and REST API — common vectors for brute-force attacks and scrapers. Results are cached so API quota is not affected.
Custom branded block page
Replace the default WordPress error screen with a custom dark-themed block page. Set your own title, message, and a contact link so blocked users know how to reach you.
Disposable email blocking
Prevent spam signups by rejecting or flagging registrations from known throwaway email providers (mailinator, yopmail, trashmail, and ~50 others). No external API call required.
WP-CLI management
Manage Predax from the command line: wp predax status, whitelist/blacklist add or remove IPs, view the threat log, and test any IP directly from your terminal.
Settings import / export
Export your entire configuration to a JSON file and import it on another site. Useful for staging-to-production migrations or spinning up multiple protected WordPress installs.
Country & region geo-blocking
Allow or deny access based on country or region. Blocking applies to all protected entry points: login, registration, comments, and visitor protection.
How is this different from Wordfence?
They solve different problems — and work well together. Scanner-based plugins look at what a request does once it reaches your site. Predax looks at who is connecting, before they do anything.
Scanner-based plugins
Wordfence, Solid Security, and similar
- Scan files for malware after it lands
- Match requests against firewall rule signatures
- React to known attack patterns
Predax Security
IP intelligence, in real time
- Identifies VPNs, proxies, Tor, and datacenter IPs the moment they connect
- Blocks high-risk visitors before they attempt a login, registration, or scan
- Backed by a continuously updated commercial threat database
Run them together: many sites pair Predax with a scanner-based plugin. Predax filters out the anonymous, high-risk traffic at the door; the scanner watches whatever gets through. No conflicts — Predax hooks into login, registration, comments, and page entry, not the file system.
Installation
- 1In your WordPress admin, go to Plugins → Add New and search for "Predax Security"
- 2Click Install Now on the Predax Security plugin, then Activate
- 3A new Predax Security menu appears in your WP Admin sidebar (shield icon)
- 4Open the setup wizard, paste your free API key, and click Test Connection
- 5Pick a protection preset (Recommended / Strict / Monitor Only), or set Block / Monitor / Off per entry point — login, registration, comments, and visitors
Recommended settings
Login: Block at threshold 65, auto-blacklist after 5 failed attempts
Registration: Block threshold 50 to catch most bots
Comments: Block mode — stop spam bots from posting on your site
VPN / Proxy: Block both by default for tightest protection; use Monitor if your audience uses corporate VPNs
Visitor protection: Enable — checks every page visit against the threat database for maximum coverage
Geo-blocking: Enable only if you serve specific regions to avoid blocking legitimate users
Where to find settings
After activation, a new Predax Security menu appears in your WordPress admin sidebar (shield icon). It has two pages:
Predax Security → Settings
API key, protection modes (Block/Monitor/Off) per entry point, risk thresholds, WAF toggle, visitor protection, geo-blocking, custom block page, disposable email action, import/export, and whitelist/blacklist.
Predax Security → Threat Log
Sortable table of blocked and flagged IPs with risk scores, threat types, WAF trigger reasons, timestamps, paths, and export to CSV.
A dashboard widget also appears on the main WP Admin Dashboard showing recent threat activity at a glance.
Ready to secure your WordPress site?
Get your free API key and start blocking threats in under 5 minutes.
