Description
ArmorLite is a free, lightweight WordPress security plugin built for performance. Firewall with 600+ built-in patterns, brute force protection, bot detection, security headers, and login monitoring. No bloat, no unnecessary database queries, no external API calls during normal operation.
Free Features
- Firewall — Pure PHP string-matching firewall with 600+ built-in patterns covering SQL injection, XSS, path traversal, shell access, and more. Five categories (Request URI, Query String, User Agent, Referrer, IP Address). Three matching modes: contains, ends-with, and path-only. Pattern manager with per-pattern toggle and hit counts.
- Brute Force Protection — Session-based login tracking with automatic IP lockouts after configurable failed attempts. Login activity log with IP, location, status badges, and usernames tried. 7-day log retention.
- Bot Protection — Automated bot detection for login, registration, and password reset forms using honeypot fields, timestamp validation, and JavaScript token verification. Blocks bots before they can attempt brute force attacks.
- Security Headers — Four managed headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection) with dual delivery via PHP and .htaccess. Header probe system avoids duplicates.
- IP Whitelist — Whitelist trusted IPs to bypass all security checks including brute force lockouts and firewall blocking.
- Obfuscation — Author slug randomization to prevent user enumeration and email obfuscation to protect addresses from scrapers.
- Dashboard — Real-time stats, blocks over time chart, protection status cards, and WordPress dashboard widget.
- XML-RPC & REST API Protection — Disable XML-RPC and protect the REST API from user enumeration.
- Firewall Log — View blocked requests with IP, matched rule, request URI, and timestamps. 7-day log retention.
- Tools — Health checks with database integrity verification, one-click table repair, and debug mode.
Upgrade to ArmorPro
Need more protection? ArmorPro adds:
- WAF Engine (blocks attacks before WordPress loads)
- Two-Factor Authentication (TOTP) with backup codes
- Passkey Authentication (Face ID, Touch ID, Windows Hello)
- Custom Login URL (hide wp-login.php)
- IP Blacklist with auto-blacklist for repeat offenders
- Country Blocking with GeoIP
- HSTS, Content-Security-Policy, and Permissions-Policy headers
- Email Notifications and digest summaries
- Extended log retention (90 days)
- Custom firewall patterns
- Export/import settings
External Services
This plugin connects to external third-party services in the following situations:
Anonymous Usage Data (Optional)
This plugin can optionally share anonymous usage data to help improve ArmorLite. This is disabled by default and requires explicit opt-in from the Settings page.
- When it is called: Daily heartbeat (if opted in)
- Data sent: WordPress version, PHP version, active plugin features (no personal data)
- Service: https://api.srworks.co
- Privacy: https://srworks.co/privacy
No personal data is collected or stored by this service.
Privacy Policy
ArmorLite stores the following data locally in your WordPress database:
- IP addresses of visitors who trigger security rules or attempt to log in
- Timestamps of security events
- Usernames used in login attempts
This data is stored to help you monitor and protect your website. You can clear all logs at any time from the Tools tab. When the plugin is uninstalled, all data is automatically deleted.
No visitor data is sent to external services during normal operation. Anonymous usage data sharing is optional and disabled by default.
Support
Need help with ArmorLite? Have a feature request or found a bug?
Visit our support page: https://srworks.co/contact
Credits
Firewall patterns inspired by the work of Jeff Starr at Perishable Press (https://perishablepress.com). Used under GPLv2.
Charts powered by Chart.js (https://www.chartjs.org), MIT License.
Tooltips powered by Tippy.js (https://atomiks.github.io/tippyjs), MIT License.
Installation
- Upload the “srworks-armorlite” folder to “/wp-content/plugins/”
- Activate the plugin through the Plugins menu in WordPress
- Go to ArmorLite in your admin menu to configure settings
- Enable the features you need (firewall, brute force protection, etc.)
That’s it! Your site is now protected.
FAQ
-
Does ArmorLite work with NGINX?
-
Yes! ArmorLite works on any web server including Apache, NGINX, LiteSpeed, and others. The firewall uses pure PHP and requires no server configuration.
-
Will this security plugin slow down my website?
-
No. ArmorLite is designed for performance. The firewall uses fast string matching (stripos) to scan requests early in the WordPress load process. Blocked requests are stopped before WordPress fully loads, actually reducing server load from attacks.
-
How does the brute force protection work?
-
ArmorLite monitors login attempts and tracks failed logins by IP address using session-based tracking. After a configurable number of failures (2, 3, 5, or 10 attempts), the IP is temporarily locked out for a configurable duration (5 minutes to 2 hours).
-
What does the bot protection do?
-
Bot protection adds invisible honeypot fields, timestamp validation, and JavaScript token verification to login, registration, and password reset forms. Automated bots that submit forms without rendering JavaScript or that submit too quickly are blocked before they can attempt brute force attacks.
-
Can I use this with other security plugins?
-
Yes, but there may be overlapping features. We recommend testing thoroughly. ArmorLite is designed to be lightweight and focused, so it generally pairs well with other plugins without conflicts.
-
How do I whitelist my IP address?
-
Go to ArmorLite > Access Control and add your IP to the whitelist. Whitelisted IPs bypass all security checks including brute force lockouts and firewall blocking.
-
What is the difference between ArmorLite and ArmorPro?
-
ArmorLite includes all the essential security features for free: firewall, brute force protection, bot detection, basic security headers, IP whitelist, and login monitoring. ArmorPro adds advanced features like the WAF engine, two-factor authentication, passkey login, custom login URL, country blocking, IP blacklist, advanced security headers, email notifications, and extended log retention. Compare features
-
What data does ArmorLite collect?
-
ArmorLite stores security logs locally in your WordPress database (IP addresses, timestamps, usernames from login attempts). No visitor data is sent to external services. Anonymous usage data sharing is optional and disabled by default.
-
What happens when an IP is blocked?
-
Blocked visitors see a professional “Access Blocked” page with a 403 status code. The page is clean and branded, informing them to contact the site administrator if they believe it’s an error.
-
Is ArmorLite compatible with caching plugins?
-
Yes. ArmorLite works with all major caching plugins including WP Rocket, W3 Total Cache, LiteSpeed Cache, and WP Super Cache. The firewall runs before caching layers and includes proper cache-control headers.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“SRWorks ArmorPro Lite” is open source software. The following people have contributed to this plugin.
Contributors
Translate “SRWorks ArmorPro Lite” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.0
- Initial release
- Firewall with 600+ built-in patterns
- Brute force protection with configurable thresholds
- Bot protection (honeypot, timestamp, JS token)
- Security headers (X-Content-Type, X-Frame-Options, Referrer-Policy, X-XSS-Protection)
- IP whitelist
- Author slug and email obfuscation
- XML-RPC and REST API protection
- Login activity log (7-day retention)
- Firewall log (7-day retention)
- Dashboard with stats and chart
- Health checks and database repair