100% Free · No Upsells · No Paywalls
The only WordPress security plugin you’ll ever need to install
Stop juggling 8 different security plugins. Midnay Security Central puts login protection, 2FA, a firewall, activity logging, and more into one clean dashboard.
10 Security Modules · 80+ Individual Controls · 1 Plugin Install · $0 Forever Free
Everything you need, in one install
- Brute-Force Protection
- Two-Factor Authentication
- Audit Logging
- Web Application Firewall
- HTTP Security Headers
- Session Management
- File Integrity Monitoring
- Security Scanning
Brute-Force & Login Protection
Stop password attacks before they get in
Most WordPress sites absorb hundreds of automated login attempts every day without you ever knowing. Midnay locks out attackers by IP after repeated failures, adds CAPTCHA to every login entry point, and gives you a real-time view of what’s happening.
- Attackers get locked out after repeated failures, and you choose the exact threshold
- Cloudflare Turnstile and Google reCAPTCHA stop bots before they reach your login form
- Your own IP stays safe from lockouts, even when you mistype your password repeatedly
- Every login attempt is logged clearly, so you can review successful, failed, and blocked access
Login Protection
Active lockout monitoring
- Lockouts in last 24h: 24
- CAPTCHA provider: Cloudflare Turnstile
- Max attempts before lockout: 5
- Lockout duration: 30 min
- Admin email on lockout
Two-Factor Authentication
A stolen password still isn’t enough to get in
Even if a password is compromised, MFA means the attacker still can’t log in. Midnay supports biometric passkeys, authenticator apps, and email codes – all from the same settings page, enforced per user role.
- Users can sign in with Face ID, Touch ID, or Windows Hello without any extra app
- Works with Google Authenticator, Authy, 1Password, and other TOTP apps your team already uses
- Require MFA only for admins and editors, while leaving lower-risk user roles untouched
- Trusted devices can skip repeated verification, so your team is not slowed down every day
Multi-Factor Authentication
Enrollment by role
- Biometric passkeys (Face ID / Touch ID)
- Authenticator app (TOTP)
- Email OTP
- Per-role enforcement
- Trusted device memory
- Admin reset per user
Audit Logging & Activity Monitoring
Know exactly what happened and who did it
When something goes wrong on a WordPress site – a post disappears, a plugin gets deactivated, a user’s role changes – you need to know who did it and when. Midnay’s activity log captures it all, permanently.
- Every user action is logged, including logins, content changes, plugin installs, and settings edits
- See exactly what changed with the old value and new value shown side by side
- Get an email as soon as a critical event happens, even before you open the dashboard
- WooCommerce orders, coupons, and product changes are tracked, not just WordPress core events
Activity Log
Recent events
- CRITICAL · admin password changed · 2m ago
- WARNING · plugin deactivated: akismet · 11m ago
- INFO · user logged in: editor@site.com · 23m ago
- INFO · post published: “Q2 Review” · 1h ago
Retention period: 90 days
Export (CSV & HTML)
Everything above is free. No trial period, no premium tier to unlock, no credit card. Just install and turn on what you need.
Web Application Firewall
Block bad traffic before WordPress even loads
Most attacks never reach a vulnerable plugin – they’re caught at the door. Midnay’s WAF inspects every request before WordPress boots, blocking SQL injection, XSS, path traversal, and bad bots with no server configuration required.
- Start in monitor mode first, then switch to block mode when you are ready
- Unknown bots are blocked automatically, reducing spam, scraping, and noisy traffic at the source
- Rate limits stop any one IP from hammering your server and overwhelming site resources
- Every blocked request is logged with the IP, URL, and the rule that triggered it
WAF Lite
Request firewall
- Mode: Blocking
- Requests blocked today: 37
- SQL injection detection
120 req/min
HTTP Security Headers
Harden your site’s defences without touching a config file
Security headers tell browsers how to behave when loading your site – blocking clickjacking, stopping MIME sniffing, enforcing HTTPS. Normally you’d need server access to set them. With Midnay, it’s a toggle in the WordPress admin.
- Prevent your site from loading inside iframes on other domains, which helps stop phishing tricks
- Force browsers to use HTTPS automatically, even when a visitor types the older HTTP version
- Hide your WordPress version from the source code, which reduces easy targeting by attackers
- Load sensible defaults instantly, without researching every security header one by one
Security Headers
HTTP response header status
- Clickjacking protection (X-Frame-Options)
- MIME sniffing prevention
- HTTPS enforcement (HSTS)
- Referrer-Policy
- WP version hidden from source
- Content Security Policy: Configured
Session Management
See every active login. Revoke any of them instantly.
Shared hosting accounts, former employees, or a device you’re not sure about – Midnay shows every active session on your site with the IP, browser, and last activity, and lets you end any of them in one click.
- See every logged-in user with their IP address, browser, and recent activity at a glance
- Terminate any suspicious session immediately, with no password reset required
- Log users out after inactivity with different limits for admins, editors, and subscribers
- Limit simultaneous logins per user, and remove the oldest session when the cap is reached
User Session Management
4 active sessions
- admin · 192.168.1.1 · Chrome · now
- editor · 10.0.0.42 · Firefox · 3m
- subscriber · 203.x.x.x · Safari · 18m
Idle timeout (admin): 60 min
Max concurrent sessions: 3
Eight Problems. One Plugin.
Your current security stack, replaced.
Every plugin on this list has a free, built-in equivalent inside Midnay Security Central. Replace them one by one.
| Plugin you might already have | Midnay module that replaces it | Cost |
|---|---|---|
| Limit Login Attempts Reloaded | Login Protection | Free |
| WP 2FA / Two Factor Authentication | Multi-Factor Authentication | Free |
| WP Activity Log / Simple History | Activity Log | Free |
| Wordfence / NinjaFirewall | WAF Lite | Free |
| HTTP Headers / Shield Security | Security Headers | Free |
| WP Session Manager / Inactive Logout | User Session Management | Free |
| WPScan / Security Ninja | Security Scanner (A–F grade) | Free |
| iThemes Security / File Monitor | File & Directory Security | Free |
All Modules
Ten modules. One dashboard.
Each module can be turned on or off independently from its own settings page. Enable only what your site needs.
- Security Headers: CSP, HSTS, X-Frame-Options, and more – no server config needed.
- Multi-Factor Authentication: Biometric passkeys, TOTP, and email OTP with per-role enforcement.
- REST API Security: Block user enumeration, disable XML-RPC, restrict endpoint access.
- File & Directory Security: Directory indexing scan, upload restrictions, and file integrity monitoring.
- Security Scanner: On-demand audit with an A–F security grade and prioritised fixes.
- User Session Management: Live session table, instant revocation, idle timeouts, and concurrent limits.
- Activity Log: Complete audit trail across 9 event categories with export and email alerts.
- Login Protection: Brute-force lockout, CAPTCHA integration, and real-time attempt log.
- WAF Lite: Request firewall blocking bad bots, SQL injection, XSS, and path traversal.
- Dashboard: Live security command centre – grade, threats, MFA status, and recent events.
Every setting is clearly labelled
So you always know what’s safe to enable right now, and what deserves a second look.
- Safe: Enable freely. No configuration needed and no real risk of breakage.
- Careful: Review the settings first. Low risk when configured thoughtfully.
- Expert: Requires developer knowledge. Can break integrations if configured incorrectly.
Free Forever
No premium tier. No upsells. Ever.
Every feature on this page – all 80+ controls across 10 modules – is included free. GPL-licensed, no account required, install straight from WordPress.org.
- WordPress 6.5+ & PHP 8.1+
- GPL-2.0 licensed
- WooCommerce support
- Zero page-load impact
- Modules load only when active