Skip to content

SquidShield WP: Free Open Source One-Click WordPress Security by SquidSec

SquidShield WP: Free Open Source One-Click WordPress Security by SquidSec

Hey everyone, Mr. The Plague here from SquidSec. We just shipped a WordPress security plugin you can install, activate, and leave running without a long setup tour.

Today we are announcing SquidShield WP: free, open-source WordPress security from SquidSec. The code is on GitHub at github.com/DotNetRussell/SquidShield-WP. The idea is simple:

One-click security. Free and open source.

SquidShield WP

Why another WordPress security plugin?

WordPress still powers a large share of the public web. Attackers know that. They spray SQLi and XSS at admin-ajax, hammer wp-login.php, scrape usernames from the REST API, drop webshells in uploads, and fingerprint sites from leftover readme.html and plugin license files.

A lot of security suites lean on upsells, cloud lock-in, or dashboards so dense that small teams never finish setup. Others force you to stack half a dozen single-purpose plugins (login lockout, reCAPTCHA, XML-RPC kill switch, fingerprint cleanup) and hope they do not fight each other. SquidShield takes a different route: one-click, secure by default, free and open source under SquidSec. One plugin covers the stack. You can read every rule and signature we ship.

What SquidShield WP does

On activation, it turns on the protection profile most sites need on day one: firewall, login lockouts, scans, hardening, and fingerprint cleanup. The table below calls out the jobs people usually hire separate plugins for, so you know you are not losing fail2ban-style lockouts, login CAPTCHA, automatic readme/license cleanup, or the rest when you consolidate.

AreaWhat it doesReplaces
One-click secure defaultsActivate once and the full protection profile turns on (WooCommerce-aware when needed). First-run scans, FIM baseline, and safe auto-clean start in the background.Multi-plugin “security suite” setup wizards and long first-run tours.
Brute-force lockoutsFailed-login tracking per IP (and optional username), temporary lockouts, audit log events.fail2ban-style WP login blockers, Limit Login Attempts, “ban after N fails” plugins.
Login CAPTCHAOptional reCAPTCHA v2 or Turnstile on wp-login.php. Imports existing SquidSec / Login No Captcha keys when present.Standalone login reCAPTCHA / Turnstile plugins (incl. older SquidSec login-recaptcha).
Login hardening + 2FAGeneric login errors (no username oracle). Optional custom login slug. TOTP 2FA with backup codes and role enforcement / grace period.Hide-login-errors tweaks, rename-login plugins, basic 2FA plugins.
User enumerationBlocks REST, author archives, ?author= probes, oEmbed author leaks, and user sitemaps that list account names.Anti-enumeration plugins and one-off mu-plugin snippets.
XML-RPCFull disable, or pingbacks-only hardening if something still needs XML-RPC.XML-RPC kill plugins and custom xmlrpc.php blocks.
WAF + virtual patchesBlocks SQLi, XSS, RCE, LFI, and bad uploads. Version-aware virtual patches for known plugin CVEs. Custom rules supported.Lightweight WAF plugins and hand-written request-filter snippets.
Rate limits + IP listsRate limits on login, admin-ajax, REST, and XML-RPC. Allowlist / blocklist CIDRs. Optional geo-block (off by default).Request rate-limit plugins, IP ban plugins, basic geo-block tools.
Malware + FIMSignature malware scans (plugins, themes, mu-plugins, uploads) on a schedule. File integrity baselines and hourly change checks. Quarantine / delete helpers from the UI.Standalone malware scanners and basic file-change monitors.
Vulns + misconfigPlugin risk scoring against bundled vuln data. Misconfiguration checks (file editor, debug flags, and similar).Entry-level vulnerability scanners and security audit checklists.
Sensitive files + uploadsFinds and can quarantine junk like config backups and dumps. Blocks direct hits on sensitive paths. Best-effort PHP-in-uploads hardening via .htaccess.Sensitive-file scanners and uploads hardening snippets.
Fingerprint cleanupAutomatically deletes public readme, license, and changelog fingerprint files from core, plugins, and themes. Runs on Shield install, after plugin/theme/core updates, on plugin activate, and after theme switch so new packages cannot re-leak versions.Manual “delete readme.html” cleanups and one-shot fingerprint plugins that do not re-run on updates.
Admin hardeningDisables theme/plugin file editor, strips WP version noise / generator tags, security headers, restricts application passwords for non-admins. Optional open-registration block.Hardening mu-plugins and security-header plugins.
Anomaly detectionWatches for odd request patterns beyond single WAF signatures.Bolt-on anomaly / behavior modules in heavier suites.
Alerts + daily reportEmail, webhook, and Slack alerts on security events. Optional daily digest. Full audit log (logins, plugin/theme changes, blocks).Separate alert/log plugins glued onto a security stack.
Visibility + APIPlain-language protection dashboard, WordPress admin dashboard card, REST API for operators, pentest mode (log only, do not block) when you are testing.Opaque “security suite” dashboards and ad-hoc operator APIs.

That fingerprint cleanup is easy to miss and easy to undervalue: every plugin or theme update that ships a public readme.txt or license.txt can advertise exact versions to scanners. Shield removes those leak files again after the upgrade finishes, not just once on install.

You do not have to keep a separate fail2ban-for-WordPress plugin, a login CAPTCHA plugin, a readme cleaner, and a hardening mu-plugin running next to Shield for those jobs. If an older SquidSec helper plugin overlapped, deactivate it after Shield is on so only one stack owns login challenges and lockouts.

Inside the admin UI

Here is what operators actually see after activate. No setup tour. Protection status first, advanced tools when you need them.

SquidShield protection status dashboard
Protection dashboard: every automatic layer, on or off, in plain language.
SquidShield protection list and latest activity
Protection list plus latest activity and optional extras like 2FA and email alerts.
SquidShield security activity audit log
Activity log: WAF matches, FIM changes, lockouts, and enumeration probes with export.
SquidShield Issues to fix and hardening wizard
Issues to fix: one-click hardening, sensitive-file cleanup, and misconfig guidance without a shell.
SquidShield WordPress admin dashboard card
WordPress dashboard card so status and recent blocks show up without leaving the main admin.

Built for real operators

The admin UI leads with plain-language protection status: what is active, what needs a click, and recent activity in normal English instead of raw rule IDs. Advanced screens for firewall rules, scanners, 2FA, and the API are still there when you need them. They just are not in your face on day one.

That is what agencies, freelancers, and solo operators usually need: WordPress hardened Monday morning, not after a setup webinar.

How to install SquidShield WP

  1. Open the latest release.
  2. Under Assets, download squidsec-shield-x.y.z.zip (the plugin package, not the Source code archive).
  3. In WordPress: Plugins, Add New, Upload Plugin.
  4. Install, then Activate.

Tip: Uploading the raw Source code zip or a nested zip often causes “The plugin does not have a valid header.” Use the release asset built for WordPress.

From the repository

git clone https://github.com/DotNetRussell/SquidShield-WP.git
cd SquidShield-WP
chmod +x bin/build-release-zip.sh
./bin/build-release-zip.sh
# Upload dist/squidsec-shield-<version>.zip in WP Admin

Requirements

  • WordPress 5.8+
  • PHP 7.4+
  • MySQL or MariaDB as required by your WordPress install

Free, open source, and owned by SquidSec

SquidShield WP is free software under a GPL-compatible license. Rules, virtual patches, and malware signatures ship as JSON you can read and extend. You do not need a commercial scanner license or a paid SaaS WAF to turn baseline protection on.

Star the repo, file issues, and send pull requests if you want to contribute community rules or signatures:

https://github.com/DotNetRussell/SquidShield-WP

What is next

We will keep working on low false-positive WAF rules, signature coverage, and the set-and-forget dashboard. If you run SquidShield on a real site, tell us what blocked cleanly, what still felt too technical, and what broke. That is what drives the roadmap.

Patch your stack, turn on the shield, and stop leaving the front door open because the security plugin needed a sales call first.

Mr. The Plague / SquidSec