
Pareto Security

WordPress core security class: a Web Application Firewall to protect your WordPress web portal

Pareto Security Features

Firstly, WordPress and most other CMSs are built using PHP. PHP is a very insecure programming language, even worse in the hands of amateurs.

WordPress has been plagued by plugins authored by amateurs that bring security vulnerabilities with them.

WordPress users depend on the security skills of these third-party developers to check all user inputs and to escape all outputs from their plugin code.

However, in many cases this is not done correctly, leading to vulnerabilities and often to websites being attacked, malware being installed and, in the worst cases, entire servers being taken over.

The Pareto Security class acts as a central security hub, checking all inputs from users.

Using the principle of "Artificial Ignorance" with blacklists rather than arbitrary blacklists, the Pareto Security method ignores requests it knows are not interesting and processes the remaining requests, which must then be of interest.

Any remaining user inputs/requests are most likely attempts to break the rules and are tested against a list of rules; bad requests are prevented from completing their action.

This acts as a "temporary" shield during the period between when a vulnerability is discovered in WordPress or a third-party plugin and when it is patched and you update your WordPress website.


  • Full web application firewall preventing attacks from reaching WordPress code
  • The most powerful input security plugin on WordPress for protecting your WordPress *.php files
  • Automatically secures your WordPress installation against unsecured inputs common in WordPress third-party plugins
  • No customisation needed; works silently in the background
  • Protects against malicious command and database injections
  • Using the principle of "Artificial Ignorance" with blacklists rather than arbitrary blacklists, processes and checks all user inputs (the REQUEST_URI, QUERY_STRING, _GET, _POST, _COOKIE and browser user-agents) to detect known security threats
  • Pareto Security is 100% free
  • Prevents uploading of backdoors and arbitrary file includes
  • Locks down server error and information messages that can be used to assist attackers
  • Scans inputs from content submitted by visitors in comments and posts
  • Blocks known bad crawlers
  • Checks against malicious request types
  • Pareto Security is multi-site ready
  • Optional IP address banning
  • Works silently in the background blocking attacks

A Word on Security: Keeping any CMS as secure as possible is not easy. The very best thing you can do to prevent attacks is to always keep your website code, themes and plugins up to date, and remove any plugins and themes you are not using.

What Pareto Security cannot do (as with any Web Application Firewall) is save your website from really badly written site, theme and/or plugin code, or save your site from attacks that result from administrators not following basic security practices.

Pareto Security does not claim to prevent all PHP-related attack vectors either. It does, however, attempt to do it better than most add-ons/plugins that do claim to be the end-all of PHP security.

Footnote 1: The Wordfence file scanner will flag pareto_security.php as possibly malicious. You can safely add pareto_security.php to the Wordfence ignore list to prevent future messages.

Footnote 2: I recommend that you also install a plugin that sets the Content-Security-Policy header.

Author: Te_Taipo
Contributors: te_taipo
Tags: authentication bypass, command injection, CRLF, cross-site scripting, CSRF, database security, exploit, firewall security, hack, hacked, hacker, injection, local file inclusion, malware, phishing, remote file inclusion, rfi, scrapers, secure, secure login, security, SQL Injection, vulnerability, WAF, website security, wordpress, wordpress security, xss

Automated Setup Steps

  1. Upload /pareto-security/ to the /wp-content/plugins/ directory
  2. Activate the plugin through the 'Plugins' menu in WordPress

Changelog

  • Redirect to URL if POST Content-Length = 0
  • Improved finding the .htaccess file

  • Bugfix: removed a false positive in cookie filtering

  • Bugfix: removed conflicting security headers affecting the Safari browser

  • Updated blacklists
  • When deleting Pareto Security, any blacklists in .htaccess are now removed
  • Update to secure headers

  • Fixed a bug in the updated injection filters

  • Added 444 No Response header for bots
  • No longer exit when the User-Agent is empty
  • Major update to database injection filters

  • Update to the Tor2Web block for advanced mode, fixing possible false positives

  • Added optional Tor2Web block for advanced mode

  • Fixed a potential bug where large POST data could result in a 500 error

Where can I get more information?

Using the Tor Browser, visit http://hokioisec7agisc4.onion/?p=25 for more information, including support requests.

How can I contribute to the cause?

Donations via Bitcoin to 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Do you have an email contact?

Email me at

Other contacts:

Version 1.3.8

Requires WordPress version: 3.0.1 or higher

Compatible up to: 4.7.2

Last Updated 28 Jan 2017

Date Added: 13 Jun 2015



Rating: 5 stars (4 ratings)
