Free WordPress Security Plugin · Janric Limited · Southport

Know Exactly What's Attacking Your WordPress Site

Most WordPress site owners have no idea their site is under attack — until it's too late. This free plugin silently watches in the background and logs every suspicious attempt, so you're never caught off guard.

Download Free Plugin Free Security Check ↓

Your WordPress Site Is Being Probed Right Now

It's not paranoia — it's just the internet. Automated bots scan millions of WordPress sites every single day, hunting for weak passwords, outdated plugins, exposed files and known vulnerabilities.

Most of the time this activity is completely invisible to you. You log into your dashboard, everything looks fine, and meanwhile someone has tried your admin password 400 times overnight.

The Janric Simple Attack Monitor changes that. It's a lightweight, no-fuss plugin that watches for these attack patterns and keeps a clear, readable log — right inside your WordPress dashboard. No subscriptions, no monthly fees, no upsells. Just data.

"The first step to securing your site is knowing what you're up against. You can't fix what you can't see."

— Keith, Janric Limited
  • 100% free, no account required
  • Installs in under 60 seconds
  • Runs silently — zero impact on site speed
  • Nothing blocked, nothing changed — observation only
  • Your data stays in your own database
  • Built and maintained by a UK developer

9 Types of Attack, All Logged Automatically

You don't need to configure anything. The moment you activate it, the plugin starts watching for the most common attacks targeting WordPress sites.

🔑

Brute Force Login

Repeated password guessing attempts on your login page — one of the most common WordPress attacks.

📡

XML-RPC Abuse

Hackers using WordPress's remote publishing feature to fire thousands of login attempts in seconds.

👤

User Enumeration

Bots quietly harvesting your username list via the author pages and REST API — the first step before a targeted attack.

🚪

Admin Area Probing

Unauthenticated visitors repeatedly hitting your wp-admin, looking for a way in.

🔍

Path & Plugin Scanning

Automated scans hunting for exposed files like .env, wp-config.php, phpMyAdmin and debug logs.

💉

SQL Injection Attempts

Malicious database commands smuggled into your URLs and forms, trying to read or destroy your data.

XSS Attempts

Cross-site scripting attacks trying to inject malicious code into your website pages.

💬

Comment Flooding

Rapid-fire spam comment submissions, often used to overload your server or sneak in malicious links.

🗺️

REST API Scraping

Automated tools harvesting your user data through the WordPress REST API endpoint.

A Clear Picture, Right in Your Dashboard

No digging through server logs. No decoding cryptic files. Everything is presented clearly inside WordPress, where you already work.

01

Dashboard Widget — This Week at a Glance

Every time you log into WordPress, a summary widget shows you this week's attack categories and counts — a simple bar chart that tells you instantly whether things are quiet or something unusual is happening.

02

Full Log With Day / Week / Month / All-Time Views

Drill into the full event log filtered by time period. Switch between views with one click to spot trends — is traffic spiking on a particular day? Has a new attack type appeared this week?

03

Top Attacking IPs

See exactly which IP addresses are responsible for the most attempts against your site. Useful for reporting to your hosting provider or feeding into a blocking tool.

04

Safe IP Whitelist

Running automated monitoring, a cron job, or working from the same office every day? Add those IP addresses (or whole ranges) to the safe list and they'll never appear in your log. Supports CIDR notation for networks.

05

One Job, Done Well

This plugin deliberately does not block anything. Detection and blocking are separate concerns — and mixing them in one plugin is how you end up accidentally locking yourself out of your own site. Use the data here to make informed decisions about what to block, and how.

🔎

Not Sure How Secure Your WordPress Site Already Is?

Before you can fix anything, you need to know what you're dealing with. Run a free instant security check on your site right now — no signup, no email address, no catch. It takes about 30 seconds and gives you a clear picture of where your site stands today.

Run Your Free WordPress Security Check →

Hackers Are "Trying the Door Handles" on Every WordPress Site — Including Yours

Think nobody cares about your small website? Think again. The moment a new WordPress site goes live, automated scripts start probing it. They don't care who you are or what you sell. They just want a foothold.

It's like a thief walking down a street at 3 AM, quietly pulling on every single car door handle. Most are locked. They keep walking. But if they find one that clicks open, they’re inside. Your site is facing these silent checks every single day, completely out of sight.


You don't need a massive IT budget to find out who is poking around your site. In fact, you can see it happen without spending a penny.

Most people assume their site is safe because it looks fine on the outside. But by looking at your raw traffic access logs—or using a simple, unbloated tracking tool—you can watch these automated bots flag down your login page in real time. If you see dozens of failed login attempts for usernames like "admin" or "test," someone (or rather, a script) is actively trying to guess your way in.


It feels personal, but it isn’t. These aren't hackers sitting in dark rooms guessing your specific pet's name. They are massive networks of compromised computers running automated software.

Why do they want your password? Simple. A compromised WordPress site is valuable. They can use your server to send out millions of spam emails, host hidden phishing pages, or redirect your hard-earned traffic to dodgy retail sites. To see it happening, you just need a dashboard that surfaces failed login attempts. When you see twenty attempts from twenty different countries in five minutes, you realize how relentless the web really is.


Not all automated traffic is evil. Google needs to crawl your pages to index them, and Pinterest needs to read your images to display your pins. These are your good bots.

Bad bots have a entirely different agenda. They skip your content pages and head straight for the vulnerabilities. They scour your files looking for outdated plugins, exposed configuration files, or open doorways. Telling them apart is simple if you look at their target destinations: a human or a good bot wants to read your latest article; a bad bot wants to find a file that shouldn't be there.


You open your site, it loads quickly, and the front page looks perfect. Everything seems calm.

But underneath the hood, the story is usually very different. Automated probes don't break your layout or leave a mess until they actually succeed. To find out if you are a target, you have to look where the cameras are pointing. Checking your site's access records will show you the thousands of background requests that never show up in your standard Google Analytics reports.


If you look at the raw IP addresses attacking your site, you might see locations spanning from Russia and China to data centers right in the US or Europe.

But tracing the physical location doesn't tell the whole story. Most attacks launch from hijacked servers, home routers, or smart devices that have been infected elsewhere. A script running out of a routine cloud hosting account in Virginia can target a small business blog in Southport without the owner of that cloud account ever knowing. It’s a global network of automated white noise.


When people get worried about security, they usually rush to install the biggest, heaviest security plugin they can find. These all-in-one suites do everything: firewalling, file scanning, country blocking, and database optimization.

But they also load massive amounts of code onto every single page visit, slowing your site down for actual human users. On the flip side, lightweight monitoring plugins take a different approach. They don't try to rewrite your whole site structure; they simply keep watch, log the activity, and show you exactly what's happening without dragging your page speeds down into the mud.


A slow website kills your user experience and hurts your rankings. If your security plugin is so heavy that it takes an extra second for your pages to load, it's actively costing you business.

You don't need a plugin that promises fifty different features you will never configure or understand. You need a tool that does one thing incredibly well: absolute visibility. When a plugin is lightweight, it runs quietly in the background, keeping your site fast and nimble while still giving you the data you need to stay safe.


If you look at your site logs, you will likely see hundreds of requests hitting a file called  xmlrpc.php .

This is an old WordPress feature designed to let external apps (like the WordPress mobile app or remote blogging tools) talk to your site. Because it allows a user to try hundreds of password combinations in a single request, bots absolutely love it. It’s one of the most common backdoors they try to abuse, and simply monitoring or disabling access to this single file can eliminate a massive percentage of your daily background noise.


You shouldn't need a degree in cybersecurity to see if your website is safe. Most security tools bombard you with complex acronyms, scary looking graphs, and warnings about things that don't matter to a small business owner.

True security design focuses on clarity. A clean dashboard should tell you three basic things at a glance: who tried to log in, what files they were looking for, and whether your front door is shut tight. No confusing jargon, just straight facts about your traffic.


Let’s look at actual numbers. A brand-new, low-traffic blog with fewer than fifty human visitors a day was fitted with a basic monitor.

The results after seven days? 2,161 automated attempts to access the login page, and more than 1,650 malicious probes looking for common plugin flaws. The owner had no idea because the site never crashed. It shows that no site is too small to be noticed by a botnet scanner.


Many plugins try to build a massive wall, actively blocking IPs and locking out users. The problem? They often lock out the site owner by mistake, or block legitimate customers who simply forgot their password.

A monitoring plugin operates differently. It shows you the activity without interfering with the server's natural behavior. By seeing the attacks clearly, you can make smart decisions—like changing a weak username or moving your login URL—rather than trusting a clumsy automated system to play bouncer for you.


"I thought my site was invisible because I'm a local business," is the most common feedback.

Once owners get a clear look at their site's actual traffic logs, the reaction is almost always surprise. They realize that the internet isn't a passive billboard; it's an active environment. Seeing the numbers firsthand usually gives them the exact push they need to use stronger passwords and take basic site maintenance seriously.


If you want to pull back the curtain and see exactly what is hitting your site this very second, you can do it right now.

By using a targeted, lightweight monitoring tool, you gain total visibility over your WordPress backend. Stop guessing whether your site is safe or wondering if anyone is out there in the dark. Plug in a simple monitor, watch the real-time log, and take control of your site's security today.

Need More Than a Quick Check?

The free check gives you a snapshot. The full audit goes much further — and comes with the expertise to actually fix what's found.

If the free check flags issues — or if you just want total confidence that your site is properly locked down — Keith offers a thorough 25-point WordPress security audit carried out personally, not by an automated tool.

The audit covers every layer of your WordPress installation: server configuration, file permissions, login security, plugin vulnerabilities, database exposure, SSL setup, spam protection and more. You receive a plain-English report explaining every finding, why it matters, and exactly how to fix it.

No jargon. No scaremongering. No padding to justify the fee. Just a clear, actionable picture of your site's security — from someone who has been doing this for over 20 years.

The 25-Point Audit Covers

  • WordPress core & plugin update status
  • Login page & brute force exposure
  • File & directory permissions
  • wp-config.php & sensitive file protection
  • Database prefix & user privileges
  • SSL certificate & HTTPS enforcement
  • XML-RPC & REST API exposure
  • User enumeration vulnerabilities
  • Backup strategy & disaster recovery
  • …and 15 more critical checkpoints
Ask About the Full Audit →

Built by a Developer Who Actually Understands WordPress Security

This isn't a plugin churned out to fill a marketplace gap. It came from genuine frustration with bloated security suites that slow your site down and bury the important stuff under upsell prompts.

👨‍💻

Keith — Janric Limited, Southport

I've been building websites since 2003. Before focusing on small businesses, I spent years building secure systems for NHS Trusts and blue-chip companies — environments where a security failure isn't just embarrassing, it's genuinely dangerous. That background shapes how I think about security for every site I touch.

I built this plugin because I kept seeing small business owners blindsided by attacks they never knew were happening. The plugin gives you the visibility. The free check gives you a starting point. And if you need someone to sit down and properly sort it out — that's what the full audit is for.

Based in Southport, serving small businesses across Merseyside and the UK. Read more about me →


Related searches: WordPress security plugin UK · free WordPress malware check · WordPress brute force protection · WordPress security audit Southport · small business WordPress security · WordPress hack prevention · secure WordPress site · WordPress login protection · detect WordPress attacks