Bastora Security Audit WordPress Plugin - Rating, Reviews, Demo & Download
Plugin Description
Bastora is an honest WordPress security audit. Instead of thousands of switches without explanation, the plugin checks your installation against a fixed catalog of 52 security points and reports the result as a plain-text traffic-light list inside your dashboard.
Bastora is different from other security plugins in three ways:
- Honest external view. Bastora inspects your site the way a bot would: version leaks in the HTML, open directory listings, missing security headers, exposed endpoints. Most other plugins only check their own configuration.
- Conflict-aware auto-hardening. Hardenings are active by default. Bastora checks whether another security plugin (Wordfence, Solid Security, AIOS, Limit Login Attempts, etc.) already handles the same task, and steps aside elegantly instead of creating a conflict.
- Zero configuration. Install, activate, click “Run scan” once, done. Bastora configures itself.
What Bastora checks
- Access (11 points): HTTPS login, brute-force protection, salt keys, shared accounts, login behavior
- System (10 points): file editor, directory listings, wp-config lockdown, debug mode, file permissions, revisions
- Information leakage (10 points): generator tag, RSD link, WLW manifest, XML-RPC, REST API users, pingbacks, X-Powered-By
- Security headers (5 points): X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS
- Pingbacks (2 points): outbound and inbound pingbacks
- Auto-updates (7 points): nightly protection, minor/major auto-updates, plugin/theme auto-updates, abandoned extensions
- Monitoring (7 points): transients, revision cleanup, captcha, WordPress version, PHP version, /uploads/ PHP lockdown, security plugin status
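The "external view" idea above, an audit that reads the site's own front page the way an anonymous crawler would, looks roughly like the following. This is an added example, not Bastora's code: the function names, the result keys, the user-agent string and the grading thresholds (for instance a one-year HSTS max-age for green) are assumptions made for this illustration. Only the grading function is pure, so the constructed sample at the bottom runs with plain `php` outside WordPress.

```php
<?php
/**
 * Added example, not Bastora's own code: an "external view" check. It fetches
 * the site's front page as an anonymous client would and grades the response
 * as a traffic-light list. Function names, result keys and the thresholds
 * (one-year HSTS) are assumptions for this example.
 */

/** Grade a response. Pure function so it can be run on a constructed sample. */
function ev_example_grade( array $headers, string $html ): array {
    // Header names are case-insensitive; multi-valued headers become one string.
    $h = [];
    foreach ( $headers as $name => $value ) {
        $h[ strtolower( $name ) ] = is_array( $value ) ? implode( ', ', $value ) : (string) $value;
    }
    $r = [];

    // Information leakage: anything a crawler can read verbatim from the response.
    $r['generator_tag'] = preg_match( '/<meta\s+name=["\']generator["\']/i', $html ) ? 'red' : 'green';
    $r['rsd_link']      = preg_match( '/rel=["\']EditURI["\']/i', $html ) ? 'yellow' : 'green';
    $r['wlw_manifest']  = preg_match( '/rel=["\']wlwmanifest["\']/i', $html ) ? 'yellow' : 'green';
    $r['x_powered_by']  = isset( $h['x-powered-by'] ) ? 'yellow' : 'green';
    $r['x_pingback']    = isset( $h['x-pingback'] ) ? 'yellow' : 'green';

    // Security headers: absent is red (yellow for the softer ones), weak values are yellow.
    $r['x_frame_options']        = isset( $h['x-frame-options'] ) ? 'green' : 'red';
    $r['x_content_type_options'] = strtolower( $h['x-content-type-options'] ?? '' ) === 'nosniff' ? 'green' : 'red';
    $r['referrer_policy']        = isset( $h['referrer-policy'] ) ? 'green' : 'yellow';
    $r['permissions_policy']     = isset( $h['permissions-policy'] ) ? 'green' : 'yellow';
    $hsts = $h['strict-transport-security'] ?? '';
    if ( $hsts === '' ) {
        $r['hsts'] = 'red';
    } elseif ( preg_match( '/max-age=(\d+)/i', $hsts, $m ) && (int) $m[1] >= 31536000 ) {
        $r['hsts'] = 'green';   // one year or longer
    } else {
        $r['hsts'] = 'yellow';  // present, but too short to be effective
    }
    return $r;
}

/** Fetch the live front page (inside WordPress) and grade it. */
function ev_example_scan( string $url = '' ): array {
    $url  = $url !== '' ? $url : home_url( '/' );
    $resp = wp_remote_get( $url, [
        'timeout'     => 10,
        'redirection' => 3,
        'user-agent'  => 'Mozilla/5.0 (compatible; ev-example/1.0)', // generic crawler UA, not the WordPress one
    ] );
    if ( is_wp_error( $resp ) ) {
        return [ 'error' => $resp->get_error_message() ];
    }
    $raw = wp_remote_retrieve_headers( $resp );
    // Current WordPress returns a case-insensitive dictionary object, old versions a plain array.
    $headers = is_array( $raw ) ? $raw : $raw->getAll();
    return ev_example_grade( $headers, wp_remote_retrieve_body( $resp ) );
}

// Constructed sample (not a real site): what a leaky default install might send.
// Only runs outside WordPress, where the pure grading function is all that is needed.
if ( ! function_exists( 'wp_remote_get' ) ) {
    $sample_headers = [
        'X-Powered-By'              => 'PHP/8.2.0',
        'X-Content-Type-Options'    => 'nosniff',
        'Strict-Transport-Security' => 'max-age=300',
    ];
    $sample_html = '<head><meta name="generator" content="WordPress 6.5" />'
        . '<link rel="EditURI" type="application/rsd+xml" href="https://example.invalid/xmlrpc.php?rsd" /></head>';
    print_r( ev_example_grade( $sample_headers, $sample_html ) );
}
```

The fetch deliberately uses a generic crawler user-agent rather than the WordPress one, because some hosts and caches serve different headers to requests that look like WordPress itself; the point of the check is to see what an arbitrary visitor gets.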
What Bastora hardens (when no conflict is detected)
- WordPress version removed from HTML and RSS feed
- RSD link and WLW manifest removed
- Login shake effect disabled
- Login error message generalized (no longer reveals existing usernames)
- Author pages redirected (prevents username enumeration)
- XML-RPC disabled (unless a competing plugin already handles it)
- Pingback XML-RPC methods blocked
- REST API /users endpoint blocked for non-logged-in requests
- Application Passwords disabled
- Login honeypot: a hidden field in the login form that humans never see; bots fill it in and thereby reveal themselves
- Brute-force protection with IP lockout: after 5 failed attempts the IP is locked for 30 minutes; repeated lockouts escalate to 4 hours and then to 24 hours. The counter resets after a successful login. IPv6 addresses are locked on their /64 prefix. Cloudflare and reverse-proxy IP detection is built in.
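The leak-removal, login-behaviour and endpoint hardenings in the list above can all be expressed with WordPress core hooks. The following must-use plugin is an added example, not Bastora's code; it uses only core filter and action names, and it illustrates the "step aside on conflict" behaviour for one case (XML-RPC) by checking whether another plugin has already attached the usual callback to the same filter. Brute-force protection and the honeypot are left out here.

```php
<?php
/**
 * Added example, not Bastora's own code: the leak-removal, login and endpoint
 * hardenings listed above as a small must-use plugin (wp-content/mu-plugins/).
 * Every hook name below is a WordPress core hook; nothing is a Bastora identifier.
 * Runs at plugins_loaded so that regular plugins have registered their filters
 * before the conflict check.
 */

add_action( 'plugins_loaded', function () {
    // Version leaks: an empty generator string covers the HTML meta tag and the feeds.
    add_filter( 'the_generator', '__return_empty_string' );
    remove_action( 'wp_head', 'rsd_link' );
    remove_action( 'wp_head', 'wlwmanifest_link' );

    // Login behaviour: no shake animation, one generic error for every failure,
    // so the response no longer distinguishes "unknown user" from "wrong password".
    add_filter( 'shake_error_codes', '__return_empty_array' );
    add_filter( 'login_errors', function () {
        return 'Login failed. Please check your credentials.';
    } );

    // Username enumeration: /?author=N would be canonically redirected to
    // /author/<login>/, so act before redirect_canonical() (priority 10).
    add_action( 'template_redirect', function () {
        if ( is_author() || isset( $_GET['author'] ) ) {
            wp_safe_redirect( home_url( '/' ), 301 );
            exit;
        }
    }, 1 );

    // REST API: hide the users routes from anonymous requests only.
    add_filter( 'rest_endpoints', function ( array $endpoints ) {
        if ( is_user_logged_in() ) {
            return $endpoints;
        }
        foreach ( array_keys( $endpoints ) as $route ) {
            if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
                unset( $endpoints[ $route ] );
            }
        }
        return $endpoints;
    } );

    // Application Passwords off (a second, rarely monitored credential).
    add_filter( 'wp_is_application_passwords_available', '__return_false' );

    // XML-RPC: step aside if another plugin already disabled it the usual way,
    // otherwise disable it; in both cases drop the pingback methods and header.
    // has_filter() returns the priority (possibly 0), so compare against false.
    if ( has_filter( 'xmlrpc_enabled', '__return_false' ) === false ) {
        add_filter( 'xmlrpc_enabled', '__return_false' );
    }
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    } );
    add_filter( 'wp_headers', function ( array $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );
}, 20 );
```

The conflict check only recognises the common `__return_false` idiom; a plugin that disables XML-RPC some other way (for instance by blocking the file at the web-server level) is not detected, which is the sort of gap a real conflict-aware implementation has to cover with per-plugin knowledge.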
Conflict-aware
If you are already running one of the following plugins, Bastora detects it and disables only the overlapping area:
- Wordfence Security
- Sucuri Security
- Solid Security (formerly iThemes)
- All-In-One WP Security & Firewall
- MalCare Security
- WP Cerber Security
- Limit Login Attempts Reloaded
- Disable XML-RPC
- Disable Application Passwords
- Really Simple SSL
- HTTP Headers
In the dashboard you see the status of each hardening with a plain-language explanation of why it is active or inactive.
What Bastora deliberately does **not** do
- No TOTP enforcement. SMB owners routinely lock themselves out with TOTP apps. Bastora relies on brute-force protection, rate limiting, and anomaly detection instead.
- No login URL hiding. Renaming the login URL breaks the password reset email link as soon as the plugin is deactivated. Rate-limit plus honeypot is the cleaner solution.
- No cloud connection without consent. All external connections (including version checks against wordpress.org) are disabled by default. They activate only after you explicitly opt in via the welcome wizard or the settings page.
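The rate-limit-plus-honeypot approach preferred above, with the escalation schedule from the hardening list (5 failures, then 30 minutes, 4 hours, 24 hours; reset on successful login; IPv6 keyed on the /64 prefix), can be built on WordPress transients and the `authenticate` filter. This is an added example, not Bastora's code; the transient prefixes, the honeypot field name, the seven-day memory of the escalation level and the trusted-proxy option are assumptions for the illustration.

```php
<?php
/**
 * Added example, not Bastora's own code: login lockout with the escalation
 * schedule described above plus a login honeypot. Transient prefixes, the
 * honeypot field name, the level memory and the trusted-proxy option name are
 * assumptions for this example.
 */

const BF_EXAMPLE_MAX_ATTEMPTS = 5;
const BF_EXAMPLE_SCHEDULE     = [ 1800, 14400, 86400 ]; // 30 min, 4 h, 24 h
const BF_EXAMPLE_LEVEL_MEMORY = 604800;                 // remember escalation level for 7 days (assumed)
const BF_EXAMPLE_HONEYPOT     = 'bf_example_website';   // hidden field; real users never see it

/** Reduce an IPv6 address to its /64 prefix; IPv4 is returned unchanged. */
function bf_example_normalize_ip( string $ip ): string {
    $packed = inet_pton( $ip );
    if ( $packed === false || strlen( $packed ) !== 16 ) {
        return $ip;
    }
    return inet_ntop( substr( $packed, 0, 8 ) . str_repeat( "\0", 8 ) ) . '/64';
}

/**
 * Client IP. Forwarded headers are honoured only when the TCP peer is a trusted
 * proxy; otherwise anyone could forge the lockout key and lock out other
 * visitors, or dodge the lockout entirely.
 */
function bf_example_client_ip( array $server, array $trusted_proxies ): string {
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if ( in_array( $remote, $trusted_proxies, true ) ) {
        $candidate = $server['HTTP_CF_CONNECTING_IP'] ?? '';
        if ( $candidate === '' && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
            // The trusted proxy appends the address it actually saw: take the last entry.
            $chain     = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
            $candidate = end( $chain );
        }
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }
    return $remote;
}

function bf_example_key(): string {
    // Assumption: proxy or Cloudflare edge addresses are stored in this option by the admin.
    $trusted = (array) get_option( 'bf_example_trusted_proxies', [] );
    return md5( bf_example_normalize_ip( bf_example_client_ip( $_SERVER, $trusted ) ) );
}

function bf_example_lock_duration( int $level ): int {
    return BF_EXAMPLE_SCHEDULE[ min( $level, count( BF_EXAMPLE_SCHEDULE ) - 1 ) ];
}

function bf_example_is_locked( string $key ): bool {
    return get_transient( 'bf_example_lock_' . $key ) !== false;
}

function bf_example_record_failure( string $key ): void {
    if ( bf_example_is_locked( $key ) ) {
        return; // attempts during a lock must not escalate it further
    }
    $fails = (int) get_transient( 'bf_example_fail_' . $key ) + 1;
    if ( $fails < BF_EXAMPLE_MAX_ATTEMPTS ) {
        set_transient( 'bf_example_fail_' . $key, $fails, BF_EXAMPLE_SCHEDULE[0] );
        return;
    }
    $level    = (int) get_transient( 'bf_example_level_' . $key );
    $duration = bf_example_lock_duration( $level );
    set_transient( 'bf_example_lock_' . $key, time() + $duration, $duration );
    set_transient( 'bf_example_level_' . $key, $level + 1, BF_EXAMPLE_LEVEL_MEMORY );
    delete_transient( 'bf_example_fail_' . $key );
}

function bf_example_reset( string $key ): void {
    foreach ( [ 'fail', 'lock', 'level' ] as $part ) {
        delete_transient( "bf_example_{$part}_" . $key );
    }
}

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked client gets the same generic error whether or not the password was right.
// A WP_Error returned here also fires wp_login_failed, which records the failure.
add_filter( 'authenticate', function ( $user ) {
    if ( bf_example_is_locked( bf_example_key() ) ) {
        return new WP_Error( 'bf_example_locked', 'Too many failed logins. Please try again later.' );
    }
    if ( ! empty( $_POST[ BF_EXAMPLE_HONEYPOT ] ) ) { // humans leave the hidden field empty
        return new WP_Error( 'bf_example_honeypot', 'Login failed.' );
    }
    return $user;
}, 30 );
add_action( 'wp_login_failed', function () { bf_example_record_failure( bf_example_key() ); } );
add_action( 'wp_login', function () { bf_example_reset( bf_example_key() ); } );
add_action( 'login_form', function () {
    printf(
        '<input type="text" name="%s" value="" style="position:absolute;left:-9999px" tabindex="-1" autocomplete="off" aria-hidden="true">',
        esc_attr( BF_EXAMPLE_HONEYPOT )
    );
} );
```

Two details worth noticing: failures that arrive while a lock is active are ignored rather than counted, otherwise a single retry during the lock would immediately re-lock at the next escalation level; and the forwarded-IP headers are only read when `REMOTE_ADDR` is a configured proxy, because a lockout keyed on an attacker-controlled header is both bypassable and usable to lock out other people.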
Optional anonymous statistics (planned, not yet active)
A future plugin version will offer optional anonymized security telemetry to bastora.de. In this plugin version, no telemetry is sent. The opt-in toggle only stores your consent for a future release. Once the sender pipeline goes live in a later release, only the following anonymized technical values would be transmitted:
- WordPress, PHP and MySQL version strings
- Locale (for example de_DE)
- List of installed plugin slugs (without versions)
- Audit results (which of the 52 points are red, yellow, green)
- A random anonymous site ID (UUID) generated locally on first plugin start
What would never be transmitted: domain, URL, IP addresses, email addresses, usernames, post content, file content.
Privacy
External service connections
Bastora contacts external servers in two clearly separated cases. Both are opt-in. By default the plugin makes no external connections.
1. Version checks against api.wordpress.org (opt-in)
When the user enables “Versions-Abgleich erlauben” (allow version comparison) in the welcome wizard or settings page, Bastora queries api.wordpress.org during a manual scan for:
- The current WordPress core version:
https://api.wordpress.org/core/version-check/1.7/
- For each detectable plugin, its last update date:
https://api.wordpress.org/plugins/info/1.0/<slug>.json
- For each detectable theme, its last update date:
https://api.wordpress.org/themes/info/1.2/?action=theme_information&request[slug]=<slug>
This is the same API WordPress itself uses for its own update checks. Only the slug of each plugin or theme is transmitted. No domain, no user data, no visitor IP data. Calls run only on manual scan-button clicks, never automatically in the background. Responses are cached for 24 hours.
If the user does not opt in, the update-related audit points are marked “not checkable” and no request is made.
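The opt-in gate, the manual-only trigger and the 24-hour cache described in this section fit together as follows. This is an added example, not Bastora's code: the option name, the transient prefix, the admin-post action and the one-/two-year thresholds for "abandoned" are assumptions; the two endpoint URLs and the `offers[0].current` and `last_updated` fields are what those api.wordpress.org endpoints return. The theme endpoint is omitted because it follows the same pattern as the plugin one.

```php
<?php
/**
 * Added example, not Bastora's own code: opt-in gated, 24 h cached version
 * checks against the core and plugin endpoints of api.wordpress.org. Option
 * name, transient prefix, admin-post action and the "abandoned" thresholds are
 * assumptions for this example.
 */

function vc_example_opted_in(): bool {
    return (bool) get_option( 'vc_example_optin', false );
}

/** GET a JSON document, cached for 24 h. Returns null on any failure. */
function vc_example_fetch_json( string $url ): ?array {
    $cache_key = 'vc_example_' . md5( $url );
    $cached    = get_transient( $cache_key );
    if ( is_array( $cached ) ) {
        return $cached;
    }
    $resp = wp_remote_get( $url, [ 'timeout' => 10 ] );
    if ( is_wp_error( $resp ) || wp_remote_retrieve_response_code( $resp ) !== 200 ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( ! is_array( $data ) ) {
        return null;   // plugins not hosted on wordpress.org answer with a bare "null"
    }
    set_transient( $cache_key, $data, DAY_IN_SECONDS );
    return $data;
}

/** Pure: map "seconds since last update" to a traffic light. */
function vc_example_age_status( int $age_seconds ): string {
    if ( $age_seconds > 2 * YEAR_IN_SECONDS ) {
        return 'red';
    }
    return $age_seconds > YEAR_IN_SECONDS ? 'yellow' : 'green';
}

function vc_example_core_status(): string {
    if ( ! vc_example_opted_in() ) {
        return 'not checkable';
    }
    $data   = vc_example_fetch_json( 'https://api.wordpress.org/core/version-check/1.7/' );
    $latest = $data['offers'][0]['current'] ?? null;
    if ( ! is_string( $latest ) ) {
        return 'not checkable';
    }
    return version_compare( get_bloginfo( 'version' ), $latest, '>=' ) ? 'green' : 'red';
}

function vc_example_plugin_status( string $slug ): string {
    if ( ! vc_example_opted_in() ) {
        return 'not checkable';
    }
    // Only the slug leaves the site; no domain or user data is part of the request.
    $data = vc_example_fetch_json( 'https://api.wordpress.org/plugins/info/1.0/' . rawurlencode( $slug ) . '.json' );
    $ts   = isset( $data['last_updated'] ) ? strtotime( $data['last_updated'] ) : false;
    return $ts === false ? 'not checkable' : vc_example_age_status( time() - $ts );
}

/** Run the whole check; called only from the manual scan handler below. */
function vc_example_run(): array {
    $results = [ 'core' => vc_example_core_status() ];
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( array_keys( get_plugins() ) as $file ) {
        $slug = dirname( $file );          // 'akismet/akismet.php' -> 'akismet'
        if ( $slug === '.' ) {
            continue;                      // single-file plugin, no directory slug to look up
        }
        $results[ 'plugin:' . $slug ] = vc_example_plugin_status( $slug );
    }
    return $results;
}

// Manual trigger only: admin-post.php?action=vc_example_scan, nonce- and
// capability-checked, never scheduled via cron, so no request is made unless
// an administrator clicks the button.
add_action( 'admin_post_vc_example_scan', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    check_admin_referer( 'vc_example_scan' );
    update_option( 'vc_example_last_results', vc_example_run(), false );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );
```

Keeping the opt-in test inside each status function, rather than only in the button handler, is what guarantees the "no request without consent" property even if some other code path later calls these functions.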
2. Anonymous telemetry to bastora.de (planned, not active in this version)
A future plugin version is planned to offer optional anonymized telemetry to bastora.de. In the current plugin version this pipeline is not implemented — no wp_remote_post, no payload, no transmission to bastora.de occurs anywhere in the codebase. The opt-in toggle in the settings page only stores the user’s consent for a future release.
When the sender pipeline goes live in a later release, the following anonymized values would be transmitted:
- WordPress, PHP and MySQL version strings
- Locale code (for example de_DE)
- List of installed plugin slugs (without versions)
- Theme slug of the active theme
- Audit results: per security point the status (passed / warning / failed)
- A random anonymous site ID (UUID) generated locally on first plugin start
What would never be transmitted: domain, URL, IP addresses, email addresses, usernames, post content, file content, database content.
Privacy notice
Full privacy notice: https://bastora.de/datenschutz.php
Responsible party as per imprint: https://bastora.de/impressum.php