Free · Zero config · Works instantly

Protect WordPress Without a Single Database Query

Most security plugins run inside WordPress, giving attackers your CPU and DB. LiteShield Security blocks before WordPress loads — attackers don't get a single function call.

0 DB Queries
<1ms Overhead per Request
10+ Detection Methods
19 AI Crawlers Controlled

Live Dashboard Preview

See Every Attack in Real Time

Dashboard auto-updates every 10 seconds, showing what's blocked, why it was blocked, and which IPs are attacking right now.

wp.example.com › LiteShield Security
LiteShield Security v1.0.0 · Live
Blocked Today: 247
This Month: 3,891
Banned IPs: 12
Status: ● Engine ON
09:55  /wp-login.php?action=register  Brute Force
09:54  /xmlrpc.php  Bad Directory
09:52  /.env.production  Scanner UA

What's Happening Right Now

Your site is being probed right now

Most plugins can block — but attackers still get your CPU and database. LiteShield Security gives them nothing.

🤖

AI Crawlers Scrape 24/7

OpenAI, Gemini, Meta, ByteDance and 15+ others harvest your content to train AI without permission.

🔍

Scanners Run 24/7

sqlmap, nuclei, dirbuster, WPScan constantly probe for vulnerabilities. On shared hosting, just "passing through" burns your CPU quota.

💥

Automated Brute Force

Modern bots don't try 10 passwords — they try thousands from rotating IPs. Standard login protection isn't enough.

🐢

Security Plugin Slows You Down

A plugin running 50+ DB queries per request on shared hosting can be slower than the attack it's supposed to stop.

What Gets Blocked

Comprehensive Attack Coverage

Engine blocks at mu-plugin level before WordPress loads. Everything below works automatically from day one.

| Attack Type | Description | Severity | Default |
| --- | --- | --- | --- |
| Brute Force Login | Rate limiting on wp-login.php with auto ban. Configurable threshold and window. | High | On |
| Scanner User-Agents | Blocks 50+ attack tools by UA signature: sqlmap, nikto, nuclei, dirbuster, nmap, masscan, WPScan. | High | On |
| Exploit & Path Probes | Blocks requests to .env, .git, /xmlrpc.php, /backup, shell paths, and 30+ dangerous endpoints. | High | On |
| SQL Injection | Deep pattern matching with double-encode bypass prevention: ..%252f, uni%256fn+select, and evasion techniques. | High | On |
| Header Anomaly | Catches automation sending malformed or missing HTTP headers. Blocks curl/wget/python attack tools. | Medium | On |
| IP Reputation System | 3 high-severity hits within 1 hour triggers automatic 24-hour ban. Engine learns IPs probing slowly to evade detection. | High | On |
| Honeypot Traps | Decoy paths no legitimate user would visit. Any IP that does is immediately banned 24h. Zero false positives. | High | On |
| AJAX Flood | Rate limiting on unauthenticated AJAX. Protects against WooCommerce and REST API abuse. | Medium | On |
| Host Header Injection | Validates HTTP Host header against your actual domain. Blocks cache poisoning and routing attacks. | Medium | On |
| Bad Directory Learning | Paths generating repeated 404s from scanners get cached and auto-banned. Engine learns your site's specific attack patterns. | Low | On |
| WP-Cron Abuse | Blocks external requests to wp-cron.php used for resource exhaustion attacks. | Medium | On |
| AI Crawler Control | Control 19 AI crawlers individually: GPTBot, Google-Extended, ClaudeBot, Meta, ByteSpider, CCBot, and more. | Medium | Configurable |
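
The "double-encode bypass prevention" in the SQL Injection row comes down to decoding a value until it stops changing before any pattern is applied. The sketch below is an added example, not LiteShield's code; the function names and the two regexes are hypothetical and far smaller than a real rule set, and the sample query strings are constructed.

```php
<?php
// Added illustration, not LiteShield's code. Names and patterns are hypothetical.

/**
 * Percent-decode repeatedly until the value is stable, so a payload encoded
 * twice is matched in the same form as one encoded once. Returns null when
 * the value is still changing after $maxRounds decodes.
 */
function wpls_normalise(string $raw, int $maxRounds = 3): ?string
{
    $value = $raw;
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($value);   // also turns "+" into a space
        if ($decoded === $value) {
            return strtolower($value);
        }
        $value = $decoded;
    }
    return urldecode($value) === $value ? strtolower($value) : null;
}

function wpls_is_suspicious(string $rawQuery): bool
{
    $value = wpls_normalise($rawQuery);
    if ($value === null) {
        return true;                    // excessive nesting is itself a signal
    }
    $patterns = [
        '#\.\./#',                      // path traversal after decoding
        '/\bunion\s+(all\s+)?select\b/',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $value) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed samples: the two encodings quoted in the table, plus two
// benign queries that must not be blocked.
$samples = [
    'file=..%252f..%252fnotes.txt',
    'id=1+uni%256fn+select+1',
    'q=trade+union+election+results',
    's=100%25+cotton',
];
foreach ($samples as $s) {
    printf("%-32s %s\n", $s, wpls_is_suspicious($s) ? 'block' : 'pass');
}
```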

Architecture

Why Is It Faster Than Other Plugins?

Other plugins run "inside" WordPress. LiteShield Security runs "before" WordPress — that's the entire difference.

1. Install Plugin → Engine is Created

After activation, the plugin writes wpls-engine.php to wp-content/mu-plugins/ — WordPress loads Must-Use plugins automatically before everything else.

2. Settings Embedded in Engine — No DB

When you save Settings, all values are embedded as PHP arrays directly into the Engine file. Zero DB lookups during any request.

3. Request Arrives → Engine Checks → Blocks in <1ms

Engine reads one .json file, checks IP, Header, UA, Path, then blocks or passes. WordPress hasn't even started loading.

4. Atomic Write — No Fatal Errors

When settings change, Engine is written via .tmp + rename() in a single filesystem operation. No request ever loads a partially-written Engine.

5. Deactivate → Engine Removed, Nothing Left

Deactivating removes wpls-engine.php from mu-plugins automatically. Site returns to normal immediately. No leftover files.
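
How steps 2 and 4 can fit together, as an added sketch that is not LiteShield's actual code: the settings are rendered into PHP source with var_export(), written to a temporary file beside the target, and published with rename(). The function name, the WPLS_SETTINGS constant, the settings keys and the scratch directory are assumptions.

```php
<?php
// Added illustration, not LiteShield's code. wpls_write_engine() and
// WPLS_SETTINGS are hypothetical names; the settings values are constructed.

function wpls_write_engine(string $target, array $settings): bool
{
    // var_export() emits valid PHP source, so the settings become a literal
    // array in the generated file and need no lookup at request time.
    $code = "<?php\n// Generated file, do not edit.\n"
          . 'const WPLS_SETTINGS = ' . var_export($settings, true) . ";\n";

    // Keep the temp file in the target's directory: rename() is only atomic
    // within one filesystem (across filesystems it degrades to copy + delete).
    // The .tmp suffix also keeps WordPress from loading it, since only *.php
    // files in mu-plugins are included.
    $tmp = $target . '.' . bin2hex(random_bytes(6)) . '.tmp';

    if (file_put_contents($tmp, $code) !== strlen($code)) {
        @unlink($tmp);               // short or failed write: never publish it
        return false;
    }
    chmod($tmp, 0644);

    if (!rename($tmp, $target)) {    // old engine stays in place on failure
        @unlink($tmp);
        return false;
    }

    // With OPcache on, discard cached bytecode so the new file is compiled.
    if (function_exists('opcache_invalidate')) {
        @opcache_invalidate($target, true);
    }
    return true;
}

// Constructed demo in a scratch directory standing in for mu-plugins/.
$dir = sys_get_temp_dir() . '/wpls-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0755, true);
$engine = $dir . '/wpls-engine.php';

$ok = wpls_write_engine($engine, [
    'login_threshold' => 5,
    'login_window'    => 300,
    'blocked_paths'   => ['/.env', '/.git', '/xmlrpc.php'],
]);

require $engine;                     // loads the generated constant
var_dump($ok, WPLS_SETTINGS['blocked_paths']);
var_dump(glob($dir . '/*.tmp'));     // no temp file is left behind
```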

Engine Flow (simplified)
// mu-plugin — loads BEFORE WordPress
wpls_engine($_SERVER)

// 1. Check banned IPs (file cache)
if isBanned($ip) block()

// 2. Header anomaly check
if badHeaders($headers) block()

// 3. Scanner UA check
if scannerUA($ua) block()

// 4. Bad path / exploit probe
if badPath($uri) block()

// 5. Rate limiting (login / AJAX)
if rateLimit($ip, $uri) block()

// Legitimate request — continue to WP
→ WordPress loads normally

Bot Management & SEO

Block Unwanted Bots Without Affecting SEO

Not all bots are equal. LiteShield Security separates them into 3 clear groups — and search engine bots are always protected.

🔒

Permanent Allowlist
Always SEO Safe

These bots cannot be blocked by any setting. Your site is always indexed normally.

Googlebot, Bingbot, DuckDuckBot, Yahoo Slurp, Yandex, Applebot, Facebook, Twitter/X, LinkedIn, WhatsApp, Slack

All Search Engine and Social Preview bots are on the Permanent Allowlist.

🔍

AI Search Bots
On by Default

Helps your site appear in AI search results like ChatGPT Search, Perplexity, Google AI Mode.

ChatGPT-User, PerplexityBot, Google-Extended, YouBot

On by default — site appears in AI search. Disable per-bot if desired.

🚫

AI Training Bots
Off by Default

Bots that harvest your content to train AI models without permission — blocked from day one.

GPTBot, ClaudeBot, Meta-ExternalAgent, ByteSpider, CCBot, AmazonBot, AppleBot-Extended, Anthropic-AI

Off by default — content won't be harvested for model training. Control per-bot.

No SEO Worries — Here's What You Need to Know

Googlebot ≠ Google-Extended: The bot that indexes your site for Google Search and the bot that trains Gemini AI are separate. Blocking one doesn't affect the other.
GPTBot ≠ ChatGPT Search: GPTBot trains ChatGPT models. ChatGPT-User enables site appearance in ChatGPT Search. Blocking GPTBot doesn't remove your site from ChatGPT Search.
SEO-Safe by Design: Googlebot, Bingbot, DuckDuckBot, and Social Preview bots are hardcoded into the Permanent Allowlist. No setting can block them.
Per-Bot Control: All 19 AI crawlers are individually configurable. Keep AI Search on while blocking all AI Training — your choice.

For Shared Hosting & VPS

Problems You're Probably Facing — Solved

Designed specifically for shared hosting, where every DB connection and CPU millisecond matters.

Before

CPU Spikes, Account Suspended

Bots and scanners hit simultaneously, flooding CPU quota until hosting suspends your account.

After

Bots blocked before WordPress loads. No full PHP execution, no DB queries. CPU usage drops significantly.

Before

wp-login.php Constantly Brute Forced

Bots try thousands of passwords daily. Login page slows down, log files balloon.

After

Rate limiting on wp-login.php with configurable threshold. Attacking IPs auto-banned for 24h.

Before

Scanners Probing .env, .git, Shell Paths

Bots constantly probe for exposed config files like .env.production, /backup, /.git/config.

After

30+ dangerous endpoints blocked instantly before WordPress loads. Plus Honeypot traps for hard-to-detect scanners.

Before

DB Connections Full, 503 Errors

On shared hosting, connection pools are limited. When bots flood simultaneously, DB fills up and real users get errors.

After

Bots blocked without opening a DB connection. Zero queries, no connection pool consumed. DB connections stay free for real users.

Before

WooCommerce AJAX Flooded

Bots flood unauthenticated AJAX to /wp-admin/admin-ajax.php, spiking server load and slowing checkout.

After

AJAX rate limiting prevents floods. AJAX Whitelist for plugins that need it. Configurable threshold.

Before

No Visibility Into Attacks

Only long server logs with no clarity on which IPs are dangerous or what patterns are probing your site.

After

Live Dashboard updates every 10s. Top IPs every 60s. 30-day chart. Real-time Attack Feed. Full visibility into everything happening.

🧪 Tested on Shared Hosting: SiteGround, Hostinger, Bluehost, Namecheap, DreamHost, A2 Hosting · Servers: Apache, Nginx, LiteSpeed, OpenLiteSpeed · PHP: 7.4 – 8.3 · WordPress: 5.6 – 6.7 · Cloudflare, BunnyCDN · Elementor, Divi, WooCommerce

Pricing

Free Forever, No Strings

All features, no expiry
LiteShield Security
฿0
GPL-2.0 · Open Source
mu-plugin Engine — Zero DB queries
All 12 attack detection methods
Live Dashboard + 30-day Chart
Auto IP Ban + Reputation System
19 AI Crawler controls
Cloudflare IP validation
PHP 7.4–8.3 · WordPress 5.6–6.7 · Multisite
8 Developer hooks for extending
Download from WordPress.org

Need automation & Pro features? Get notified

FAQ

Frequently Asked Questions

Will LiteShield Security slow my site down?
No. The Engine runs before WordPress bootstraps, reads a single .json file, with zero DB queries. Overhead under 1ms on most shared hosting. In fact, blocking 1,000 attacks per day through LiteShield Security uses far fewer server resources than letting those requests reach WordPress.
What is wpls-engine.php in mu-plugins? Is it safe?
It's a Must-Use plugin that LiteShield Security creates to run before WordPress. The file is plain PHP — nothing obfuscated, nothing encoded, no remote calls. Open it in any text editor anytime. Written atomically via .tmp + rename() so there's no partial-write risk.
Will Googlebot or SEO be affected?
No. Googlebot, Bingbot, DuckDuckBot, Yahoo Slurp, Yandex, Applebot, and all social preview bots are on a permanent allowlist — no setting can block them. LiteShield Security is 100% SEO-safe by design.
If my own IP gets banned and I can't access admin, what do I do?
Two ways: (1) If you can still access wp-admin: go to LiteShield Security → Settings → IP Management and remove your IP. (2) If locked out: connect via FTP or File Manager and rename wp-content/mu-plugins/wpls-engine.php to wpls-engine.php.disabled. Access restored immediately.
Does it work with Cloudflare?
Yes. The Engine checks that a request carrying a CF-Connecting-IP header actually arrives from a genuine Cloudflare IP range before trusting the header, which prevents attackers from forging it to spoof their IP. One-click sync fetches the latest Cloudflare IP list from cloudflare.com/ips-v4.
How is this different from Wordfence?
Wordfence is a mature, feature-rich plugin that runs inside WordPress and requires DB access. On dedicated servers the difference is minor. On shared hosting — where you share DB connection pools with other tenants — the zero-query difference is significant, especially under attack.
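
The Cloudflare answer above describes a check that is easy to get wrong, so here it is as an added example (not LiteShield's code): CF-Connecting-IP is used only when the TCP peer in REMOTE_ADDR lies inside a trusted range. The function names are hypothetical, the ranges are RFC 5737 documentation blocks standing in for the list at cloudflare.com/ips-v4, and the sketch covers IPv4 on 64-bit PHP only.

```php
<?php
// Added illustration, not LiteShield's code. Function names are hypothetical.

/** True if IPv4 address $ip falls inside $cidr, e.g. "198.51.100.0/24". */
function wpls_ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false
        || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                // malformed input never matches
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Resolve the client IP. The header is honoured only when the direct peer is
 * a trusted proxy; from any other peer it is client-supplied data and ignored.
 */
function wpls_client_ip(array $server, array $trustedCidrs): string
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';

    if ($claimed === '' || filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer;                // absent or malformed header
    }
    foreach ($trustedCidrs as $cidr) {
        if (wpls_ipv4_in_cidr($peer, $cidr)) {
            return $claimed;         // relayed by a trusted proxy
        }
    }
    return $peer;                    // header present but peer is untrusted
}

// Constructed stand-ins for the published proxy ranges.
$trusted = ['198.51.100.0/24', '203.0.113.0/25'];

// Relayed through a trusted proxy: the header value is used.
var_dump(wpls_client_ip(
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.44'],
    $trusted
));
// Direct connection carrying the same header: the peer address is used.
var_dump(wpls_client_ip(
    ['REMOTE_ADDR' => '192.0.2.99', 'HTTP_CF_CONNECTING_IP' => '127.0.0.1'],
    $trusted
));
```

Bans and rate limits should key on the value this function returns, so a forged header cannot shift a ban onto another address or dodge one.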

Contact

Have a Question or Issue?

Support via WordPress.org

Ask questions, report issues, or request features at the WordPress.org Support Forum — the primary support channel, monitored directly. Thai language welcome.

Or visit the Plugin Page on WordPress.org for details and changelog.
