What OLOsecurity is
OLOsecurity is an all-in-one WordPress security plugin: firewall, antivirus, access management with 2FA, audit and cleanup in a single panel, Sentinel, 8 operational tabs.
The core choice: 100% local processing. Analysis, signatures and logs stay on your server; no traffic is shipped to third-party clouds to be "analyzed". No third-party datasets are bundled in the plugin: feeds are downloaded on demand by your site. GDPR made simple.
GPL code, verifiable line by line. WP Plugin Check: 0 errors / 0 warnings.
Firewall · mini-WAF
- OWASP rules by family: SQL injection, XSS, path traversal, LFI/RCE, enabled in groups.
- IP reputation from public lists + advanced blocking rules.
- Rate limiting on anomalous requests.
- Geo-blocking IPv4 and IPv6 by country.
- Trusted proxies: recognition of Cloudflare and local networks to evaluate
X-Forwarded-Forcorrectly.
Accessi & 2FA
- Anti brute-force: attempt limits, timed lockout, permanent auto-blocklist for repeat IPs, allowlist/blocklist.
- TOTP 2FA: QR setup, recovery codes, email fallback, admin reset.
- Breached passwords: HIBP check with k-anonymity: the password never leaves the server.
- CAPTCHA and user-enumeration blocking.
- Fake-crawler detection: FCrDNS check: whoever pretends to be Googlebot gets unmasked.
- Optional hardening: XML-RPC, security headers, version hiding,
DISALLOW_FILE_EDIT, PHP upload blocking, .htaccess protection.
Scanner · three passes
- Integrity / checksums: trust-on-first-use baseline; core, plugin and theme comparison against wordpress.org; detects modified files.
- Deep heuristics: walks PHP files (skips non-executables) with 5 strong heuristics tuned against false positives; a masked double extension (e.g.
.jpg.php) is treated as a near-certain webshell. - Malware signatures: MD5/SHA256 hash pass over the signature feed: O(1) lookups, negligible cost.
Performance: ~11,000 PHP files in ~2–3 seconds on a typical site; on hosts with timeouts, chunked mode with resume. CVE feed for installed plugins and themes, daily cron updates, indexes with autoload OFF.
Recovery & log
- Guided cleanup after an attack: one-click core repair from the official version, plugin/theme reinstall from wordpress.org with automatic backup.
- Reversible quarantine of suspicious files.
- Salt regeneration and an incident report ready to hand over.
- Audit log "who/what/when" on a dedicated table, filterable, CSV export, 90-day retention.
- Monitoring: real-time traffic, event chart, disk-space monitor, email digest, webhooks.
Data sheet
| Type | All-in-one WordPress security plugin · Sentinel panel, 8 tabs |
| Requirements | WordPress 5.9+ (tested up to WP 7.0) · PHP 7.4+ |
| Processing | 100% local, no traffic to third-party clouds |
| Firewall | Mini-WAF: regole OWASP per famiglia, reputazione IP, rate limiting, geo-blocco IPv4/IPv6 |
| Access | Anti brute-force, TOTP 2FA + recovery, HIBP k-anonymity, CAPTCHA, FCrDNS |
| Scanner | Checksums vs wordpress.org · 5 anti-webshell heuristics · MD5/SHA256 O(1) hashes |
| Performance | ~11,000 PHP files in ~2–3 s · chunked mode with resume |
| Feedon-demand · opt-in | maldet/rfxn.com, InterServer (~76,000 signatures) · OpenPhish + URLhaus (~30.000 URL) · api.wordpress.org (checksum, CVE) · daily cron |
| Recovery | Guided cleanup, reversible quarantine, salt regeneration, incident report |
| Log | Audit log on a dedicated table · CSV export · 90 days |
| License | GPLv2 or later · WP Plugin Check 0 errors / 0 warnings |