Description
Iron Security is the ultimate WordPress security plugin built to secure and harden your website with essential protection features. Whether you’re a blogger, business owner, or developer, Iron Security helps keep your site safe from attacks and unauthorized access.
With a user-friendly interface and effective tools like custom login URL, HTTP security headers, Iron Security is the all-in-one solution for WordPress security.
🔐 Key Features
General Hardening
– Disable XML-RPC API
– Disable REST API
– Hide WordPress version
– Block AI crawlers from crawling your website
– Disable file editor
– Enable plugin & core auto-updates
Login & Authentication Security
– Custom admin area URL
– Limit login attempts & Lockout User From Authentications
– Limit the number of administrators
– Session timeout for idle users
– Change default Admin ID
– Block user enumeration
Files & Directory Protection
– Block PHP file uploads
– Prevent direct file access
HTTP Security Headers
– X-Content-Type-Options
– X-Frame-Options
– X-XSS-Protection
– Strict-Transport-Security (HSTS)
– Referrer-Policy
– Content-Security-Policy (CSP)
– Permissions-Policy
Easy to Use
– Clean and intuitive admin panel
– Lightweight and optimized for performance
– Compatible with major themes and plugins
Iron Security is perfect for anyone looking for a security plugin for WordPress that offers practical protection features without bloating your site.
Credits
Developed by WPIron
License
This plugin is licensed under the GPLv2 or later.
Screenshots
screenshot-1.png 
screenshot-2.png 
screenshot-3.png 
screenshot-4.png 
screenshot-5.png 
screenshot-6.png 
screenshot-7.png 
screenshot-8.png
Installation
- Upload the plugin files to the
/wp-content/plugins/iron-securitydirectory, or install the plugin through the WordPress plugins screen directly. - Activate the plugin through the ‘Plugins’ screen in WordPress.
- Go to the Iron Security menu in the admin dashboard to configure your settings.
FAQ
-
What makes Iron Security different from other WordPress security plugins?
-
Iron Security is designed to be lightweight, fast, and focused on practical features that matter most for securing your WordPress site.
-
Is Iron Security suitable for beginners?
-
Yes! Iron Security comes with an intuitive dashboard and clear explanations for each option. Whether you’re a WordPress beginner or an experienced developer, you’ll find it easy to use and configure.
-
How does the custom login URL help protect my site?
-
Changing the default
/wp-adminor/wp-login.phpURL makes it harder for bots and attackers to find your login page, reducing brute force attempts. You can set your own unique login slug in a few clicks from the plugin settings. -
What happens when a user exceeds the allowed login attempts?
-
If a user exceeds the allowed number of login attempts, their IP will be temporarily blocked based on your configured lockout settings. You can customize the number of allowed attempts, lockout duration, and view attempt logs.
-
How does the Admin ID protection work?
-
By default, WordPress assigns user ID 1 to the first admin account — a known vulnerability targeted by bots. Iron Security lets you assign a different ID to your admin account, making it harder to guess and exploit.
-
Does Iron Security block XML-RPC and REST API? Why?
-
Yes, you can optionally disable XML-RPC and REST API — two common attack vectors. XML-RPC is often used in DDoS and brute force attacks, while REST API may expose user data. Disabling them improves security, especially if you don’t use them.
-
What are HTTP security headers and why should I enable them?
-
HTTP security headers like X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security provide an extra layer of browser-based protection. They help prevent XSS, clickjacking, and other code injection attacks. Iron Security lets you enable them easily from the dashboard.
-
Will Iron Security slow down my website?
-
Not at all. The plugin is built to be lightweight and uses efficient code practices. It doesn’t run background scans or heavy processes, so your site’s performance remains unaffected.
-
Can I use Iron Security on WooCommerce stores?
-
Absolutely. Iron Security is fully compatible with WooCommerce and protects your login area, admin panel, and core files without affecting your store’s functionality.
-
Where can I get support or report a bug?
-
You can submit issues or ask for help via the support forum on WordPress.org or by contacting us directly at https://wpiron.com.
-
How often is Iron Security updated?
-
We actively maintain and improve Iron Security. You can expect regular updates for new features, security patches, and WordPress compatibility improvements.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Iron Security – WordPress Security Plugin” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Iron Security – WordPress Security Plugin” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
2.2.9
- Fix warnings & Small errors
2.2.8
- Update
2.2.7
- Fix IP Spoofing possibility
- Limit login attempts – Lockout user
2.2.6
- Fix Session timeout login message
- Added blocking of AI crawlers
2.2.5
- Fix errors of htaccess of File & Directory protection
2.2.4
- Fixed Fatal Error when editing pages
- Fixed styling issues with whole admin panel
2.2.3
- Fixed Readme
2.2.2
- Made Support window
- Fixed all other issues we had
2.2.0
- Added HTTP Security Headers
- Enhanced UI/UX for admin panel
- Bug fixes and performance improvements
2.1.0
- Added file and directory protection options
- Improved session timeout management
2.0.0
- Login and authentication section introduced
- Custom admin URL, 2FA, and login limiter added
1.1.3
- Fixed issues for WordPress.org plugin review
1.1.2
- Fixed issues for WordPress.org plugin review
1.1.1
- Fixed issues for WordPress.org plugin review
1.1.0
- Initial plugin build