This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

LCS Security


This plugin adds a comprehensive suite of security measures to WordPress. Simply install, activate, and rest assured that your site is now protected against most common attacks.

We attempted to create the “Goldilocks” of WordPress security by finding a happy medium between the really complicated plugins that seem to slow down your site and often break functionality because they are too restrictive, and the piece-meal ones that only address one or two vulnerabilities at a time.

The following areas of security weakness are addressed:

  • XML RPC Protection – stops unauthorized content injection.
  • Author Scanning Prevention – prevents revealing of user login names.
  • Malicious Script Blocking – stops execution of scripts in specific vulnerable directories.
  • Comment Spam Prevention – adds a CAPTCHA to the comment form.
  • User Login Protection – includes automatic timed failed login attempt lockouts and CAPTCHA for login page.
  • Automatic IP Ban – bans IP’s from the entire site based on number of failed login attempts.
  • IP Blacklist – allows adding known bad IP’s and bans them from the entire site.
  • IP Whitelist – allows adding known good IP’s.

This plugin also provides a log of all login attempts including geographical IP data.

Temporarily locked IP’s can be unlocked by the administrator.

Permanently banned IP’s can be un-banned by the administrator.

CAUTION: Do not use this plugin with other security plugins to avoid conflicts and other site issues. Use only one active security suite at a time.



  • Options page.
  • Options – continued.


  1. Download the latest zip file and extract the lcs-security directory.
  2. Upload this directory inside your /wp-content/plugins/ directory.
  3. Activate ‘LCS Security’ on the ‘Plugins’ menu in WordPress.
  4. Modify options as needed in Dashboard / LCS Security / Options page.


Will this slow down my site?

No. This plugin is extremely light and fast and adds virtually zero overhead processing.

Can this plugin co-exist with other security plugins?

We strongly suggest using only one security plugin and disabling all others, otherwise you run the risk of conflicts and unpredictable site behavior.

What are the optimal settings for this plugin?

Unless you experience problems, you can leave the options at default settings.

I use Jetpack Forms, and started having issues with them after installing this plugin. What should I do?

Disable XML RPC protection on the LCS Security Options page.

I’m having issues with another plugin not working properly after installing this plugin. What should I do?

Disable WP-INCLUDES malicious script blocking on the LCS Security Options page.

Does this plugin perform virus scanning and cleaning?

Not at this time. If your site is already infected, we suggest restoring from a clean backup and then installing this security plugin to prevent future infections.

Does this plugin protect against DDOS attacks?

No. DDOS is best handled by specialized firewalls or cloud service providers such as CloudFlare and Amazon Web Services. Please check with your hosting service to see what options you have available for your site.


October 26, 2016
My site has been plagued with hackers trying to break in. I knew immediately after installing this plugin that it was working by watching the log fill up quickly. I was having thousands of fake login attempts every hour. This software went to work right away and it’s all automatic. It first locks out the bad IP’s a couple of times after a few failed attempts, then blocks the IP’s permanently after a few more. It’s actually fun to watch this thing fighting the hackers by watching the log. Take that hackers! It’s also super simple to use. Very clear user interface, easy to understand options, and the default settings seem just fine. I looked at some other security plugins and they were truly intimidating and most of them tried to upsell to the “Pro” versions for money. This one appears to be completely free and full featured and doesn’t have any fancy versions you have to pay for. You can easily tell this was created by good developers.
October 14, 2016
I used to have iThemes security installed, but it was giving me a lot of problems on my highly customized e-commerce site. It was way too stringent and restrictive and kept breaking functionality. I kept turning features off until I had virtually no protection. That’s when I started getting bombarded by hacker attacks. I’ve had fake posts injected into my blog. I’ve had bogus users created. I’ve had tens of thousands of login attempts constantly filling up my logs. I installed this based on a recommendation. I watched the logs for a few days. The first day I had 8740 hacker login attempts. On the second day it was down to 5103. Third day – 2030. Fourth day – 607. By the fifth day, the bogus login attempts were down to 61. Amazing!!! This plugin automatically blocked 946 IP’s over five days and the hack attempts virtually stopped and have been below 50/day for the past few days. And, best of all, it didn’t break any of my site functionality and I didn’t notice any performance degradation. I also like the ability to view the log which lists the country and city of the hack attempts, and also to view all the IP’s that are blocked, along with their geographic location as well. My only suggestion is to add a feature where you can block an entire country – maybe in the next version? Otherwise – great job on this plugin guys!
Read all 2 reviews

Contributors & Developers

“LCS Security” is open source software. The following people have contributed to this plugin.


Translate “LCS Security” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • Fixed Excel export not working on some configurations.


  • Bug fixes.


  • Improvements to Excel export.


  • Internal improvements.
  • Reorganize code structure.


  • Fix log Excel export bug.


  • Performance improvements.
  • Minor bug fix.


  • Set newly added default options during update.
  • Minor bug fix.


  • Add option to disable code editing within wp-admin.


  • Fully disable XMLRPC in addition to just authenitcated functions to prevent XMLRPC brute force attacks.


  • Removed dependency on obsolete MCRYPT library to support PHP 7.2 and above.


  • Added blocking of JSON endpoint author scanning.


  • Improved handling of author enumeration scans.


  • Improved handling of timed lockouts.


  • Improved compatibility with PHP versions earlier than 5.5.


  • Modified display of locked IP list to recalculate based on lockout minutes parameter setting.
  • Added more search fields to log.


  • Initial release.