Brute force, Login security & Two Factor Auth (2FA). Limit login. Malware & Vulnerabilities scan. FireWall. Enterprise ready security plugin.
As of April 2026, Login Security, FireWall, Malware removal by CleanTalk is a WordPress WAF plugin with 30K+ active installations and a 4.8/5 rating from 379 reviews. It has been downloaded 2.6M+ times in total. Requires WordPress 5.0+ and PHP 7.2+. Available on WordPress.org since 2016. Actively maintained — updated within the last month. Downloads are up 529% this week. Support resolution rate: 76%. Top alternative: CloudSecure WP Security.
We focus on eliminating the most common security threats for WordPress. At the same time, we strive to ensure that site performance remains unaffected. To achieve this, each release goes through automated and expert-driven testing pipelines. We also verify performance using Google PageSpeed Insights and GTMetrix. Typically, we release a new version twice a month to keep features up to date and protection strong.
I like software that just works.
Hi, I’m writing to get some feedback. I have the Cleantalk antispam and security installed and my website got hacked via the password recovery hack. It seems there is no way to protect the wordpress login form with Cleantalk, no possibility to put a recaptcha on the login form. That’s why my bad low score for this plugin.
After my website got hacked I went into the Cleantalk security panel to check if there were any anomalies and the plugin is not reporting any issues.
I’ve been using this plugin for a few months now and it has never let me down!
Easy to manage and block potential invaders.
I’ve tried antispam and security. Both are easy to set up and with useful reporting. Support is excellent.
There is a lot one can happily do without. When it comes to security, there are no compromises. When I see through this plugin who or what is trying to take possession of my site, I regularly get goosebumps; it is really creepy what kinds of creatures roam the net. In any case, I am safe at all times! Thank you very much!!!!
| WordPress | 5.0+ required, tested up to 7.0 |
| PHP | 7.2+ required |
= 2.176 Mar 30 2026
New. RateLimiter. Classes implemented for strict calls frequency.
Upd. 2FA. User with sufficient caps now can disable 2FA app.
Upd. JestTests. Add new tests for settings tab, fix jest run.
Upd. Settings. Update RC flow for license_update.
Upd. Settings. React updates.
Fix. GetModulesHashes. Filtering empty keys and delete cache after saving results.
Fix. ListTable. Editing the display of all external links of the same domain.
Fix. ListTable. Edit when using prepare().
Fix. LoginPageRename. Editing the connection wp-login.php with action = postpass.
Fix. Security log. Loop logs ajax load fixed.
Fix. Security log. Show more logs behavior fixed and updated.
= 2.175 Mar 17 2026
Upd. Links. Editing links Request Malware removal
Fix. Links. Edit domain name
Fix. Settings. Last sync date implementation. (#606)
Fix. Firewall. Firewall logs interface fixed. (#608)
Upd. Settings. Updated RC to init settings update.
Fix. Settings. React – Settings Api key implemented. (#613)
Fix. BFP. Edits to the authorization page definition
Fix. Scanner. Actions description fixed.
Fix. Code. Redirect check
Fix. Pass check. Module working fixes. (#620)
Fix. Settings debug. Debug collection and drop fixed. (#621)
Upd. AdminBanners. Update user notification with detailed security recommendations. (#612)
Fix. Settings. WPMS sync fixed.
Fix. Password leak. Redirect after password change fixed.
Fix. Editor disabler. Disabling plugins/themes editor fixed.
= 2.174 Mar 02 2026
New. Settings. Settings overview implemented.
Upd. Security log. Login with token event added.
Upd. Outbound links. Sanitize data before output.
Upd. Security log. Sanitize data before output.
Upd. Firewall. Sanitize data before output.
Upd. Code. Gulp. CSS minifying updated.
= 2.173 Feb 16 2026
Upd. FileEditorDisable. Updated structure to keep file editor disabled.
Upd. Banners. Improve dismiss statement.
Upd. Scan. Improved sort opportunity.
Fix. Code. Edits ip resolving
Fix. SecFW. Checking request against logged_in fixed.
Fix. Admin bar. Admins counter description fixed.
Fix. Remote Calls. Skip check if no sign of RC action provided in Request.
= 2.172 Feb 02 2026
* Fix. Settings. Display modules list fixed.
* Fix. Settings. check_pass__enable enabled for the new users.
* Fix. Firewall. Changes to the Firewall test page
* Fix. Code. Protects against PTR spoofing
* Fix. Code. Checking the class_exists variable storage
= 2.171 Jan 18 2026
New. Code. Separate GitHub action for libraries checking.
New. Settings. Added project management menu item.
New. Settings. Added RC to init settings update.
Upd. Code. PHP compatibility increased to 7.2.
Upd. Settings. Disable REST access. Merged options.
Upd. SecurityLogs. Improve operations with data on multisite.
Upd. Scanner interface. Logs actions updated.
Fix. Code. Heuristic library updated.
Fix. Cron. Task spbc_scanner_update_pscan_files_status fixed.
Fix. Activator. WPMS new blog activation fixed.
= 2.170 Dec 15 2025
Upd. Code. Refactoring Firewall tab to react.
Upd. Automatic assets. Use .7zignore file.
Code. PHPUnit. Now use SpbcTestCase as extension to force units isolation.
Fix. Firewall. Fixed data providing.
Fix. ScannerQueue. Edit using the plugins_api hook.
= 2.169 Dec 01 2025
* Fix. 2FA. Fixed 2FA for WooCommerce login.
* Fix. Settings. Children elements state fixed.
* Fix. Settings. Escaping page_url output in the Firewall table
* Fix. Settings. Escaping user_agent output in the Firewall table
* Fix. Settings. Fixed 2FA users roles setting.
* Fix. WpFooter. Removed unnecessary styles and duplicates.
* Github. Added action to create assets from dev/fix on push event
* New. Scan. Added AJAX action for bulk restoring files from quarantine.
* Upd. Dashboard widget. Show widget for roles filtered by hook.
* Upd. Code. Libraries. Updated common libraries.
* Upd. UserPassCheck. Added default roles depending on capabilities
* Upd. UserPassCheck. Updated password change form.
= 2.168 Nov 10 2025
* Mod. Header. Splitting the Header component into separate components
* Mod. Header. Editing styles
* Fix. Header. Moving common styles to a higher level
* Fix. SyncSettings. Reloading the page after syncing.
* Fix. FSWatcher. Cron run implemented.
* Fix. Settings. Settings validating fixed.
* Upd. Settings. Updated wrong key banner show rules.
* New. Banner. A banner about an empty key has been added, and the error block output has been corrected
= 2.167.2 Oct 30 2025
* Revert “Fix. Vulnerability alarm. Finally fixed the vulnerable and installed version comparison.”
= 2.167.1 Oct 29 2025
* Fix. SyncSettings. Reloading the page after syncing.
* Fix. Settings. Settings validating fixed.
= 2.167 Oct 27 2025
* Code. FSW Jest prepared.
* Upd. Local domain host added.
* New. FileOfPluginChecker. Trying to detect if a file is a part of non-wordpress repository plugin.
* Fix. VulnerabilityAlarm. Slugs getting unified.
* Upd. File of plugin. PHPUnit fixes.
* Fix. VA. Psalm fixed.
* Fix. Vulnerability alarm. Finally fixed the vulnerable and installed version comparison.
* Fix. Settings. Traffic Control description fixed.
* Upd. FSWatcher. Refactored to react.
* Code. Removed unused FSW code.
* Code. Localization removed.
* New. VulnerabilityAlarm. Notification output in the theme details folder
* Upd. Settings. Added UTM parameters to the registration link.
* Fix. Ajax. Ajax actions checking fixed.
* Fix. List Table. Query for limit/offset data fixed.
* Fix. FSWComparisonTableRow. Added React import
* Fix. ListTable. Condition for adding actions
= 2.166.1 Oct 14 2025
* Fix. Settings. Settings updater fixed.
= 2.166 Oct 13 2025
* New. ProtectUploadsDir. Prevent PHP execution in uploads directory.
* Fix. React. Active tab state issues resolved.
* Fix. Settings. Simplified conditions and updated descriptions.
* Upd. Timeline. Enhanced tooltip positioning and event highlighting.
* Upd. Timeline. Activity now shown in widget header.
* Mod. ScannerExclusions. Improved scan exclusion functionality.
* Mod. UDPPhpExec. Updated handle() output and status collection logic.
* Mod. SetCookies. Added security enhancements for cookie installation.
* Mod. AltSessions. Removed REST route registration for security.
* Mod. 2FA. Renamed Google authentication to 2FA app throughout codebase.
* Ref. Code. Major refactoring for spbc-scanner file command.
= 2.165 Sep 29 2025
* New. CriticalUpdates. Switching to the Critical Updates react
* Fix. CriticalUpdates. Using the research link from the backend
* Upd. Scanner. Files row actions now has tooltips.
* Upd. Scanner. Updated missed descriptions.
* Ref. Code. Remove unnecessary Surface execution.
* Mod. React. Switching from Critical Upd tab to react
* Fix. React. Edits based on the review
* Fix. React. The condition for adding Secure cookies
* Mod. Security Log. Filtering unauthorized users in the widget graph
* Fix. Remote calls. Debug RC now hide sensitive data.
= 2.164 Sep 11 2025
* Fix. Settings. Long description and long recommendation fixed.
* Fix. Settings. Backups tab ico fixed.
* New. Security log. Timeline widget.
* Fix. UpdaterScript. Editing indexes for the spbc_users_pass table
= 2.163 Sep 01 2025
* Upd. Integrations. Add exclusions to prevent cache firewall block page.
* Fix. React interface. Tabs has been rebuild to the own components.
* Fix. SyncReact. Returned the file for processing synchronization requests
* Fix. React. Error block
* Fix. Settings. Fix long description
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.