Plugin v1.5

SecureWP Documentation

Everything you need to install, configure, and get the most out of SecureWP. Firewall, malware scanning, hardening, two-factor authentication, and more.

Get Started Scan Troubleshooting

Getting Started

SecureWP is a cloud-connected WordPress security plugin. It runs a real-time firewall, malware scanner, login hardening, two-factor authentication, and continuous vulnerability monitoring. A free account is required to enable cloud features. No credit card is needed.

Installation

Requirements: WordPress 6.0 or later, PHP 8.1 or later, and an outbound HTTPS connection for cloud sync (vulnerability database, firewall rule updates).

Download securewp.zip from your SecureWP account or purchase confirmation email.

In your WordPress admin, go to Plugins > Add New > Upload Plugin and select the ZIP file.

Click Install Now, then Activate Plugin. SecureWP now appears in the admin sidebar.

FTP install: Upload the unzipped securewp folder to /wp-content/plugins/ and activate from the Plugins screen.

Activation

After activation the plugin shows the Activate SecureWP screen. Three methods are available. A free license is generated automatically – no existing account is needed.

Method 1: Email (default)

The simplest path. Enter your email address and click Send Code. SecureWP emails a 6-digit one-time code (valid for 10 minutes). Enter the code and your site is connected. If you don’t have a Pro subscription, a Free license is generated automatically.

Method 2: License Key

Switch to the License Key tab and paste your key in XXXX-XXXX-XXXX-XXXX format. This is the preferred method when activating a site that should use an existing Pro seat. If all Pro seats are in use, you will be offered the option to activate on the Free plan or free up a seat from the SecureWP Console.

Method 3: SecureWP Console (SSO)

Click Open Console to open a popup to console.securewp.net. Sign in and approve the connection. SecureWP exchanges a secure code in the background and activates your site. Use this method when managing multiple sites from the Console and want centralized authorization.

After connecting

Once connected, the activation screen is replaced by the setup wizard (first run) or the main dashboard. The license status, plan, and expiry are shown under Settings > License & Plan. Free plan sites show an Activate Pro button there if you later upgrade your subscription.

Automated deployments. Define SECUREWP_LICENSE_KEY in wp-config.php and the plugin activates itself on first load without any admin interaction:

define( 'SECUREWP_LICENSE_KEY', 'XXXX-XXXX-XXXX-XXXX' );

WP-CLI

SecureWP registers a securewp WP-CLI command for scripted activation:

Command	Description
`wp securewp activate --license-key=XXXX-XXXX-XXXX`	Activate with an explicit key
`wp securewp activate`	Activate using the `SECUREWP_LICENSE_KEY` constant
`wp securewp status`	Display current license status and plan
`wp securewp deactivate`	Deactivate and release the license seat

Setup Wizard

After activation the setup wizard guides you through the five highest-impact configuration areas in order. Each step is an embedded view of the real module – changes you make during setup are permanent. You can skip any step or dismiss the wizard entirely; all settings remain accessible from the sidebar at any time.

Step	What you configure
1. Activate License	Connect your site to SecureWP Console to enable cloud features.
2. Hardening	Apply security tweaks to harden your WordPress installation.
3. Firewall	Configure local and edge firewall rules to block malicious traffic.
4. Vulnerabilities	Review known CVEs in your installed plugins, themes, and WordPress core. Requires an active connection.
5. Security Scan	Run your first security scan to detect malware and unauthorized changes.

Dashboard

The dashboard is the first screen after setup and provides a live overview of your site’s security posture. Data refreshes automatically and each widget links to the corresponding module for full configuration.

Website Health

A single score (0-100) and status label summarizing overall risk across active protections, open issues, and scan results. Five levels are possible:

Status	Meaning
Critical	Critical exposure. Immediate action required.
High	High-risk gaps need prompt attention.
Medium	Moderate exposure. Review open items.
Low	Minor hardening opportunities remain.
Secure	Controls are aligned and stable.

The widget also shows the timestamp of the last completed scan. If no scan has run, or the most recent scan is more than 7 days old, the score reflects stale data and a Run New Scan action item appears.

Malware State

The result of the most recent scanner run: Infected, Clean, or Not Scanned. Coverage text below the label confirms “Coverage: filesystem + signatures” once at least one scan has completed.

Vulnerabilities

Total count of active CVEs across all installed plugins, themes, and WordPress core, broken down by Critical / High / Medium / Low severity tokens. Clicking the widget navigates to the Vulnerability Scanner for full details and one-click updates.

Security Events

Total firewall block events recorded over the last 90 days, with a trend indicator comparing today’s count to yesterday. An area chart below the count shows daily attack volume over the past 30 days.

Live Security Feed

A rolling list of the most recent security events from the audit log. Filter by: All, Critical, Warning, Error, or Info. Each entry shows the event name, user, IP address, and timestamp.

Active Lockouts

Currently locked-out IP addresses and usernames from the login limiter, with a count of lockouts in the last 30 days. Up to three of each type are shown inline with an Unlock button. Click Firewall Controls to manage the full block list.

Action Items

Contextual recommendations generated from the current security state. Items are added automatically when SecureWP detects specific conditions:

Firewall protection is disabled – firewall module is not running
Login security controls are inactive – rate limiting and lockout controls are off
Scanner data is stale – no scan has run in the last 7 days
Active vulnerabilities detected – one or more open CVEs on installed components
Updates pending – plugins, themes, or core have available updates

Each action item links directly to the relevant module so issues can be resolved without navigating manually.

Malware Scanner

The scanner runs asynchronously so it never blocks page loads for visitors. It works in stages: system checks run in parallel first, then file collection and integrity verification, followed by cloud-assisted malware signature matching. All results are stored and displayed in the Scanner tab.

An active SecureWP license is required. Cloud scan credits apply on the Free plan (see Cloud Scan Credits below).

Scan Types

Choose the scan type when starting a scan, or set a default under Settings > Scanner > Scan Intensity. Both types run all six scan components. The difference is file scope and hash cache behaviour.

Feature	Standard Scan	Deep Scan
Estimated time	1-3 minutes	5-15 minutes
File types collected	Code files only: `.php`, `.js`, `.html`, `.htaccess`, `.xml`, `.css`, and related extensions	All code files plus images (`.jpg`, `.png`, `.gif`, `.svg`, etc.) and documents (`.pdf`, `.doc`, `.docx`)
/uploads directory	Yes – code extensions only	Yes – all file types
Non-WordPress root directories	No	Yes (old backup folders, secondary installs, etc.)
Hash cache behaviour	Trusts “safe” cache hits to conserve cloud credits	Bypasses “safe” cache; all files receive a fresh cloud verdict
Image/document check	No	Local binary content check first, then cloud escalation only if suspicious patterns are found
Max file size	10 MB per file (both types)
System checks	Both types run all six components: File Integrity, Domain Reputation, User Accounts, Content Analysis, Sensitive Data Exposure, Vulnerability Cross-Reference

Standard Scan is recommended for daily scheduled runs. Use Deep Scan for periodic thorough reviews or after a suspected incident.

What each scan component checks

File Integrity – compares checksums of WordPress core, plugin, and theme files against official WordPress.org hashes. Flags modified, added, or deleted files. Cloud signature matching then runs against files that fail integrity (Standard) or all collected files (Deep).
Domain Reputation – checks your domain and server IP against public blocklists and safe browsing databases. A flagged domain affects visitor trust and search engine rankings.
User Accounts – identifies suspicious administrator accounts and accounts with patterns that suggest compromise.
Content Analysis – scans post and page content in the database for injected scripts, obfuscated links, hidden redirects, and other database-level malware indicators.
Sensitive Data Exposure – verifies that sensitive files (wp-config.php, .env, debug logs, database exports) cannot be fetched directly over HTTP.
Vulnerability Cross-Reference – checks installed plugin and theme versions against the live CVE database at scan time. Results also appear in the Vulnerability Scanner module.

Cloud Scan Credits

The Free plan has a monthly cloud scan credit allowance. Credits are consumed during the cloud file analysis step. The credit widget on the Scanner page shows current usage. When the limit is reached, remaining files in that batch are skipped – system checks and previously processed files are unaffected.

Pro plan sites have unlimited cloud scan credits and unlock Enterprise Cloud features: AI Malware Detection and High Sensitivity scanning.

Scheduling and System Limits

Automated Scans

Configure automated scans under Settings > Scanner > Automated Scans. Default: Daily.

Frequency	Notes
Off	No scheduled scans. Manual scans still available at any time.
Every 6 hours	Four scans per day. Recommended for high-traffic or targeted sites.
Every 12 hours	Twice daily.
Daily	Recommended default for most sites.
Weekly	Choose day of week.
Monthly	Choose day of month (1-28).

System Resource Limits

Set caps under Settings > Scanner > System Limits. Defaults: CPU 60%, Memory 40%.

Setting	Range	Description
CPU Limit	10-80%	Controls the throttle sleep between file batches. Lower values increase scan duration but reduce impact on running PHP processes.
Memory Limit	10-80%	Maximum PHP memory share per processing batch.
Execution Timeout	Unlimited (default), 15 min, 30 min, 1 hr, 2 hr	Force-stops the scan if it exceeds this duration. Set a limit on shared hosting with strict execution caps.

Exclusions

Exclude paths or patterns from file collection under Settings > Scanner > Exclusions. System checks are not affected by exclusions.

Directory Paths – one absolute path per line (e.g., /home/user/public_html/wp-content/cache/). The entire directory tree is skipped.
Regex Patterns – PCRE patterns matched against full absolute file paths (e.g., ^.*/wp-content/uploads/.*\.log$).

Reading Scan Results

Results are grouped by scan component (File Integrity, Reputation, Users, Content, Sensitive Data, Vulnerabilities) and sorted by severity. Expand any finding to see the file path, matched pattern or CVE reference, and recommended action. Individual findings can be Ignored to suppress future alerts on confirmed false positives.

Severity	Meaning
Critical	Active malware or a severe misconfiguration requiring immediate action
High	Exploitable vulnerability or a strongly suspicious file modification
Medium	Hardening gap or potential exposure that should be addressed soon
Low / Info	Informational finding with no immediate risk

Previous results remain visible while a new scan runs. Results are replaced only when the new scan completes successfully. Stopping a scan mid-run preserves findings collected up to that point.

Scan Troubleshooting

Work through the steps below if a scan will not start, gets stuck, or produces unexpected results.

Scan does not start

License not connected: An active license is required. Go to Settings > License & Plan and verify the site is connected. The scanner page will show “License Required” if activation has not been completed.
WP-Cron is disabled: Scheduled scans run via WordPress Cron. If your site has define('DISABLE_WP_CRON', true); in wp-config.php, remove it or switch to a real server cron that requests /wp-cron.php every minute.
Insufficient PHP memory: Add define('WP_MEMORY_LIMIT', '256M'); to wp-config.php or raise memory_limit = 256M in php.ini.
Plugin conflict: Another security plugin may intercept the internal HTTP requests used to dispatch scan jobs. Temporarily deactivate other security plugins, start a scan, then re-enable them one by one to identify the conflict.

Scan gets stuck

SecureWP includes a watchdog that detects stuck scans. Simply visiting SecureWP > Scanner triggers automatic recovery. If it remains stuck, click Stop Scan and start a fresh scan. Check wp-content/debug.log (enable with define('WP_DEBUG_LOG', true);) for PHP fatal errors or out-of-memory messages. Raise the Execution Timeout under Settings > Scanner > System Limits if scans are timing out on large sites before completing.

Expected files were not scanned

Images and PDFs in /uploads are only included in Deep Scan mode. Standard Scan collects code extensions only.
Files in non-WordPress directories at the server root (backup folders, old installs) are only collected in Deep Scan.
Files over 10 MB are skipped by both scan types regardless of settings.
Check whether an exclusion rule (directory path or regex) is matching the files you expected to see in results.

False positives on custom or commercial plugins and themes

File integrity checks compare files against official WordPress.org hashes. Commercial plugins (not in the repository) and intentionally modified core files will always fail the integrity check because no official hash exists for comparison. This is expected behaviour. Use the Ignore action on confirmed-clean findings to suppress them in future scans.

Still stuck? Email support@securewp.net with your PHP error log attached. We respond within 30 minutes.

Firewall

The firewall inspects every incoming HTTP request before WordPress processes it. SecureWP evaluates each request against a layered rule set in a fixed order, stopping at the first match:

Priority	Layer	Match action
1	Allowlist	Pass immediately; skip all remaining checks
2	Manual ban list	Block (HTTP 429)
3	Community threat feed	Block (HTTP 429)
4	Country / GeoIP block	Block (HTTP 403)
5	User-agent ban list	Block (HTTP 429)
6	Sensitive path probe detection	Block individual request (HTTP 403); ban IP after threshold
7	Rate limiting	Block and ban IP (HTTP 429) when per-minute limit exceeded

When the Server-Level WAF is installed, allowlisted IPs, banned IPs, and rate limits are enforced at the web server layer before PHP starts. The firewall is disabled by default; enable it from Firewall > Overview with a single toggle.

The Overview tab shows five protection modules with live status indicators:

Rate Limiting – throttles IPs that send too many requests per minute, stopping brute-force attacks and scrapers.
Bot Protection (Block Known Bots) – blocks scanners and attack tools matched by User-Agent header using the HackRepair.com blocklist. Legitimate crawlers like Google are not affected.
Country Blocking – reject or allow visitors based on their country of origin. Works with Cloudflare edge GeoIP or a local MaxMind database.
Community Threat Feeds – auto-blocks IPs from a crowd-sourced threat intelligence feed aggregated from multiple sources and refreshed every 6 hours.
Server-Level WAF – enforces blocks at the web server before WordPress even loads, protecting the site during PHP errors or plugin conflicts.

IP Blocking and Allowlisting

Manage IP rules manually from Firewall > Builder. IPv4 addresses, IPv6 addresses, and CIDR ranges (e.g. 198.51.100.0/24) are all supported. Each rule has a Ban or Allow action.

Allowlisted IPs bypass every firewall layer including rate limits, country blocks, and the community threat feed. Add your office IP and any trusted monitoring or uptime services before enabling aggressive rules.
Manually blocked IPs receive a 429 response and are stored in the block list until you remove them.
Auto-blocked IPs (added by rate limiting or probe detection) expire automatically after the configured default block duration (default: 7 days). The duration is set in Firewall > Settings > Default Block Duration.

Before you begin: add your own IP address to the allowlist before enabling or tightening firewall rules. This prevents accidentally locking yourself out.

Rate Limiting

Rate limiting uses a true sliding-window algorithm to count requests per IP over a rolling 60-second window. When an IP exceeds a configured limit it is temporarily banned for the default block duration and receives an HTTP 429 response. Limits are per IP; verified Googlebot and Bingbot (confirmed by reverse DNS) are always exempt.

Rule	Default	Description
All Requests per Minute	60 / min	Maximum requests from one IP before a temporary ban. Raises after brute-force attempts and high-volume scrapers.
Missing-Page Requests per Minute	10 / min	Limits requests to URLs that return 404. Stops directory scanning and path enumeration.
XML-RPC API Calls per Minute	5 / min	XML-RPC is a common password-guessing target. Keep this low unless you actively use the XML-RPC API.

Crawler Strictness applies a fractional multiplier to generic (unverified) crawlers. The default of 0.5 gives crawlers half the normal request limit, making them subject to stricter enforcement than browser traffic without blocking legitimate indexing bots. Set to 1.0 to apply the same limit to all traffic.

Bot Protection

Bot Protection checks the User-Agent request header against the HackRepair.com blocklist, a curated database of known attack tools, vulnerability scanners, and malicious crawlers. Matching requests are blocked with a 429 response. Verified search engine bots (Googlebot, Bingbot, and others confirmed by DNS lookup) are always excluded from this check regardless of the setting. Enable from Firewall > Builder.

Probe and Scanner Detection

This module identifies bots probing for exposed configuration files, backups, and version information. Every request to a sensitive path is immediately blocked with a 403 response. When the same IP reaches the probe threshold within the time window, SecureWP bans the IP for the default block duration.

Setting	Default	Description
Threshold	3 attempts	Number of sensitive-path hits before the IP is banned. Individual requests are denied regardless of the threshold.
Time window	5 minutes	Rolling window in which the threshold is counted. Resets after the window expires with no new hits.

Monitored paths include environment files (.env), version control directories (.git), WordPress configuration backups, debug log files, SQL dump files, server status endpoints, and 13 additional high-risk patterns.

Community Threat Feeds

When enabled, SecureWP downloads and maintains a consolidated IP blocklist from crowd-sourced threat intelligence, aggregated from multiple sources including Spamhaus. The feed is refreshed automatically every 6 hours and supports up to 10,000 entries (individual IPs and CIDR ranges). Matching IPs are blocked with a 429 response before any other request processing. Enable from Firewall > Builder.

Country Blocking (GeoIP)

Block or allow traffic by country of origin. Two modes are available:

Blocklist mode (default): all countries are permitted; add specific countries to block their traffic.
Allowlist mode: all countries are blocked by default; only countries explicitly added to the allow list can reach the site. Best suited for businesses that serve a single region.

Country lookups use the following priority chain:

Cloudflare edge GeoIP (when edge enforcement is enabled) – country is blocked at Cloudflare’s network before the request reaches your server.
MaxMind GeoLite2 / GeoIP2 database (local, preferred for PHP-layer enforcement) – add your free MaxMind license key under Firewall > Builder > GeoIP Database. SecureWP downloads and updates the database automatically on a weekly schedule.
HTTP API fallback (ipwho.is) – used when the MaxMind database is not installed. Results are cached locally for 24 hours to minimize external requests.

Matched country requests receive an HTTP 403 response. IPs that cannot be geolocated by any source can be blocked separately with a dedicated toggle.

Server-Level WAF

The Server-Level WAF installs a firewall bootstrap file at the web server layer using auto_prepend_file. It enforces IP allowlists, manual bans, and rate limits before WordPress or any plugin code runs. This protects the site during WordPress errors, plugin conflicts, and high-load events.

Apache / LiteSpeed: SecureWP writes the auto_prepend_file directive into your .htaccess file.
Nginx / PHP-FPM: SecureWP writes the directive into the .user.ini file in your site root.

Go to Firewall > Settings and scroll to the Server-Level WAF section. SecureWP auto-detects your server type and displays it as a badge.

Click Install Server-Level WAF. SecureWP modifies your server configuration file. If anything goes wrong, it attempts an automatic rollback and reports the result.

Confirm the status panel shows Installed and active with green indicators for both WAF files present and Configuration active.

To remove the WAF, click Remove Server-Level WAF. Your PHP-layer firewall stays active and all rules remain in force; only the web-server-layer enforcement is removed.

Cloudflare Integration

When your site runs behind Cloudflare, SecureWP can push firewall rules to Cloudflare’s global network so threats are stopped at the edge before reaching your server. Blocked IPs and countries are enforced from the nearest Cloudflare data center to the attacker across 300+ global locations.

Setup

Go to Settings > Integrations and enter your Cloudflare Zone ID and either an API Token (recommended) or a Global API Key plus email. Click Save & Verify.
Go to Firewall > Cloudflare Sync and toggle on Edge Enforcement. Rules are pushed to Cloudflare immediately and auto-synced on every firewall change.
Use Push Rules Now to force an immediate sync at any time.

When edge enforcement is active, all manually configured rules from Firewall Builder (blocked IPs, allowed IPs, country restrictions) are continuously mirrored to Cloudflare.

Auto-Escalate Active Attackers

When an IP triggers repeated local firewall violations, SecureWP can automatically push it to Cloudflare as a temporary edge block. These time-limited escalation blocks are separate from your manually configured block list and do not consume your permanent rule quota.

Setting	Default	Description
Block Threshold	3 violations	Number of local firewall hits that trigger an edge escalation for that IP.
Observation Window	10 minutes	Rolling time window in which violations are counted.
Edge Block Duration	120 minutes (2 hr)	How long Cloudflare blocks the IP. Expires automatically.
Max Edge Blocks	5,000 IPs	Cap on simultaneously active escalation blocks. Oldest entries are removed first when the cap is reached.

Edge Rule Action

Choose what Cloudflare does when a rule matches. The default is Managed Challenge, which presents a human-verification puzzle to suspected bots while letting real visitors through without friction.

Managed Challenge – Cloudflare shows a human-verification puzzle (Recommended)
Block – immediately reject the request with a Cloudflare error page
Challenge – show a CAPTCHA
JS Challenge – silent browser integrity check with no visible CAPTCHA
Log Only – allow through but record the match for review

Block by Network (ASN)

ASN blocking lets you block all IP addresses from an entire network provider by entering its Autonomous System Number. Enter one ASN number per line under Cloudflare Sync settings. ASN blocks affect thousands to millions of IPs simultaneously; use them only when you are certain the entire network is a threat source and legitimate traffic from that provider is not expected.

Firewall Settings

Configure general firewall behavior under Firewall > Settings.

Setting	Default	Description
Block Page Message	“Your IP address has been blocked due to suspicious activity.”	Message shown to any visitor whose IP is blocked. Keep it short and actionable.
Default Block Duration	7 days	How long auto-added IP blocks persist before expiring. Individual rules can override this. Set high for near-permanent blocks.

IP Detection

For sites behind a proxy, CDN, or load balancer, SecureWP must read the real visitor IP from the correct HTTP header rather than the direct connection IP. Misconfiguration here allows IP spoofing by passing a false header value.

Automatic (Recommended): SecureWP detects the best IP source for your setup. Correct for most servers, CDNs, and proxies.
Manual: you select the specific header. Options include CF-Connecting-IP (Cloudflare), X-Forwarded-For, X-Real-IP, Forwarded (RFC 7239), and others.
No proxy (direct connection only): always uses the raw TCP connection IP. Choose this only when the server connects directly to visitors with no proxy in front.

Trusted Proxy Configuration ensures proxy headers are only accepted when the direct connection comes from a known proxy server IP, preventing spoofing attacks. Choose the Cloudflare preset (22 IP ranges, auto-updated) or enter your own custom proxy IP list as IPs or CIDR ranges. Use Run Diagnostic to see which headers your server receives, or Auto-Configure to let SecureWP set the right option automatically.

Hardening

The Hardening module reduces your site’s attack surface through targeted WordPress and server-level tweaks. All hardening settings are available on the free plan and are organized into four tabs: WordPress Obscurity, Server Hardening, Login Security, and Security Headers.

WordPress Obscurity

Reduces information leakage and fingerprinting from your WordPress installation. Configure from Hardening > WordPress Obscurity. All settings are disabled by default.

Setting	What it does
Hide WordPress Version	Removes the WordPress version number from the generator meta tag, RSS feeds, and script/style query strings. Prevents automated scanners from fingerprinting your exact WordPress version.
Clean WordPress Head	Strips RSD/WLW manifest links, Windows Live Writer tags, shortlink meta tags, shortlink HTTP headers, and RSS/Atom feed discovery links from the HTML `<head>`. Reduces information leakage and removes unnecessary output.
Prevent Username in Author Slug	Blocks user profiles from using the login username as the author archive slug. When a nicename matches the username, WordPress requires a distinct display name or first/last name to generate a safe slug. Prevents `/author/admin` from revealing actual login credentials.
Block User Enumeration	Comprehensive protection against username discovery: blocks `/?author=N` scanning with a 403 response, removes the `/wp/v2/users` REST endpoint for unauthenticated requests, strips author data from oEmbed responses, and disables the users XML sitemap.
Disable Theme & Plugin Editor	Revokes the `edit_themes`, `edit_plugins`, and `edit_files` capabilities to remove the built-in code editor from the Appearance and Plugins menus. If an administrator account is compromised, the attacker cannot inject malicious code directly through the WordPress dashboard.
Disable Application Passwords	Removes the Application Passwords feature introduced in WordPress 5.6. These long-lived tokens bypass two-factor authentication and can be exploited if an admin account is compromised. Disable unless required by external apps or mobile clients.
Restrict REST API Access	Enforces authentication on the WordPress REST API (`/wp-json/wp/v2/`). Core data endpoints require the appropriate capability. Unknown or third-party endpoints are blocked for unauthenticated visitors. Use the endpoint table below the toggle to selectively allow public access where needed (e.g., for WooCommerce or page builders).

Server Hardening

Writes security rules directly to your web server configuration. Configure from Hardening > Server Hardening. On Apache and LiteSpeed, rules are written to .htaccess; on Nginx with PHP-FPM, rules are written via server config. All settings are disabled by default.

Setting	What it does
Disable Directory Listing	Adds `Options -Indexes` to prevent the web server from displaying directory contents when no index file exists. Stops attackers from discovering backup files, configuration fragments, or other sensitive resources by browsing directory URLs.
Block PHP Execution in Uploads	Denies execution of PHP files within `wp-content/uploads/` via server rules. The uploads directory is the most common target for web shell uploads through vulnerable plugins or themes. This is a critical defense-in-depth measure even when malware scanning is active.
Block Sensitive File Access	Denies public access to files that reveal server or WordPress metadata: `readme.html`, `license.txt`, `wp-config-sample.php`, error logs, and debug files. These files can expose version numbers, directory paths, and configuration details to attackers.
XML-RPC	Controls the `xmlrpc.php` endpoint, a legacy remote publishing interface commonly abused for brute-force amplification attacks and DDoS pingback abuse. Three options: Enable (leave it on), Disable Pingbacks (blocks the multicall pingback exploit while keeping other XML-RPC methods), or Disable Entirely. Disable unless required by Jetpack or the WordPress mobile app.

Configure from Hardening > Login Security. Settings are organized into two groups: Password Policies and Login Controls.

Password Policies

Setting	Default	Description
Enforce Strong Passwords	Off	Requires all passwords to meet a minimum complexity score powered by the zxcvbn algorithm. Detects dictionary words, keyboard sequences, character substitutions, and date formats. Default minimum: score 3 (Strong) for regular users, score 4 (Very Strong) for administrators and editors.
Prevent Password Reuse	Off	Prevents users from setting their new password to the same value as their current password. Appears as a sub-option under Enforce Strong Passwords.
Breached Password Detection	Off	Checks new passwords against the Have I Been Pwned database of over 900 million compromised credentials. Uses a privacy-safe k-anonymity partial hash lookup; your users’ actual passwords are never transmitted.
Enforce Reset for Breached Passwords on Login	Off	Retroactively checks existing passwords at login time. If the password appears in a known breach, the user is immediately redirected to a password change screen before access is granted. Appears as a sub-option under Breached Password Detection.
Password Expiration Policy	Disabled	Requires all users to change their password after a defined number of days (default: 90 days when enabled). Helps meet compliance requirements such as PCI DSS and HIPAA.
Require Password Change on Role Promotion	Off	When a user’s role is elevated to Administrator or Editor, they are required to set a new password on their next login. Prevents privilege escalation using a weak pre-existing credential.

Login Controls

Setting	Default	Description
Restrict Login Identifier	Both (username or email)	Controls whether users log in with their email address, username, or both. Email Address Only is recommended; it prevents attackers from using harvested usernames for login attempts.
Obfuscate Login Error Messages	Off	Replaces specific WordPress error messages (“No account found with that username”, “Incorrect password”) with a single identical generic response on the login, password reset, and registration forms. Prevents attackers from confirming whether a specific username or email address exists on your site.
Bot Detection (CAPTCHA)	Off	Adds challenge verification to the login form. Two providers are supported: Google reCAPTCHA v3 (invisible, scores requests silently; set threshold 0.1-1.0, default 0.5) and Cloudflare Turnstile (privacy-respecting, no user tracking). Configure API keys under Settings > Integrations first.
Limit Login Attempts	Off	Temporarily locks out IP addresses and usernames after repeated failed logins. Tracks attempts separately per IP and per username.

Login Attempt Limiting defaults when enabled: 5 max attempts per IP, 10 max attempts per username, within a 5-minute window. Lockout duration: 1 hour (60 minutes). Lockout events are recorded in the Audit Log.

Custom Login URL

Replaces /wp-login.php and the /wp-admin redirect with a custom URL slug that only you know. Direct requests to /wp-login.php return a 403 error or redirect to a configured slug. Significantly reduces automated bot traffic targeting the standard login endpoint.

Requires pretty permalinks. Go to Settings > Permalinks and select any structure other than “Plain” before enabling this feature.

Go to Hardening > Login Security and scroll to Custom Login URL.
Enter your chosen login slug (e.g., team-portal). A Register Slug is optional; leave it empty to disable public registration via the new URL.
Note the full login URL shown in the preview, then save. SecureWP sends an email notification to the site admin with the new URL and rotates the access token.

Save the new URL before leaving the page. If you lose it, deactivate SecureWP via SFTP by renaming the plugin folder to restore access at the default /wp-login.php. Re-activate the plugin and set a new slug.

Security Headers

HTTP response headers that instruct browsers on how to handle your pages. Configure from Hardening > Security Headers. Each header is toggled independently.

Header	What it does
Content-Security-Policy	Restricts which external resources the browser may load, mitigating XSS and data injection attacks. Presets available: Strict, Moderate, and WordPress-compatible. Deploy in Report-Only mode first to log violations without blocking anything, then switch to enforcing once validated.
Strict-Transport-Security (HSTS)	Forces HTTPS-only connections, preventing protocol downgrade attacks and cookie hijacking. Configurable max-age, subdomain inclusion, and HSTS preload list opt-in. Verify HTTPS works on all pages before enabling.
X-Frame-Options	Prevents your site from being embedded in third-party iframes, blocking clickjacking attacks. Options: DENY (no embedding) or SAMEORIGIN (embedding by your own domain only).
X-Content-Type-Options	Prevents browsers from MIME-type sniffing responses away from their declared content type, blocking content-type confusion attacks.
Referrer-Policy	Controls how much referrer URL information is sent when users navigate away from your site. Protects sensitive URL paths and query parameters from leaking to third parties.
Permissions-Policy	Restricts which browser APIs (camera, microphone, geolocation, payment, autoplay, etc.) your pages can access and whether embedded iframes may use them.
Remove X-Powered-By	Strips the `X-Powered-By: PHP/x.x.x` response header, reducing server technology fingerprinting by automated scanners.
Remove Server Header	Strips the web server software and version from HTTP responses. Note: WordPress PHP responses already suppress this header. Full removal for static assets may require additional server configuration outside WordPress.
Remove X-Generator	Removes the `X-Generator: WordPress` HTTP header, preventing CMS platform identification by automated scanners.

Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step at login so that a stolen password alone is not enough to access an account. Available on the free plan. Access it from Hardening > Two-Factor (2FA) in the SecureWP admin menu. The page has two tabs: 2FA Enforcement (site-wide policy) and My 2FA (individual account setup).

Setting Up 2FA (My 2FA Tab)

Navigate to Hardening > Two-Factor (2FA) > My 2FA. Click Set Up and choose a verification method.

Authenticator App (TOTP)

Select Authenticator App and click Continue.
Scan the QR code with an authenticator app such as Google Authenticator, Authy, or 1Password. If you cannot scan the code, expand Can’t scan? Enter key manually to see the plain-text secret key.
Enter the 6-digit code currently shown in your app and click Verify & Activate. 2FA is now active on your account.

Email Code

Select Email Code and click Continue. SecureWP sends a 6-digit verification code to your WordPress email address.
Enter the code and click Verify & Activate. If the code does not arrive, use Resend code. Codes expire after 10 minutes.

After activation, each login prompts for a fresh 6-digit code from your app or a new code sent to your email, depending on the method you chose.

Recovery Codes

After completing 2FA setup, SecureWP generates 8 single-use recovery codes. Copy or save them to a password manager immediately; they are shown only once. Each code can be used exactly once to bypass the 2FA prompt when you lose access to your authenticator app or email. Recovery codes can be regenerated at any time from the My 2FA tab, which immediately invalidates the previous set.

Trusted Devices

When logging in, users can opt to Remember this device. SecureWP skips the 2FA prompt on that browser for the configured duration (default: 30 days). If a device should no longer be trusted, it can be revoked from the My 2FA tab.

Disabling 2FA

To remove 2FA from your account, scroll to Disable Two-Factor Authentication on the My 2FA tab, enter your current WordPress password, and click Disable 2FA. Password confirmation is required to prevent accidental removal.

Enforcing 2FA by Role (2FA Enforcement Tab)

Administrators control site-wide 2FA requirements from Hardening > Two-Factor (2FA) > 2FA Enforcement. Settings are saved automatically when toggled.

Setting	Default	Description
Enable Two-Factor Authentication	Off	Master toggle that allows users to set up 2FA on their accounts. Must be on for enforcement to work.
Allowed 2FA Methods	Both (TOTP + Email)	Choose which methods users can select: Authenticator App (TOTP), Email Code, or both. Restricting to TOTP is more secure; Email Code is a fallback for users without a smartphone.
Enforce 2FA for Roles	Administrator	Roles that must have 2FA active. All five roles are available: Administrator, Editor, Author, Contributor, Subscriber. Users in an enforced role who have not set up 2FA are redirected on every login until they complete enrollment.
Remember Device Duration (days)	30 days	How long a trusted browser is remembered before prompting for 2FA again. Set to 0 to disable device trust entirely.
Grace Period (days)	3 days	Days users in enforced roles have to set up 2FA after enforcement is activated. During this period, a dismissible admin notice reminds them to enroll. After the grace period expires, unenrolled users are blocked from the admin until they complete setup.

Vulnerability Scanner

SecureWP monitors every plugin, theme, and WordPress core version installed on your site against a cloud vulnerability intelligence database. Plugin and theme inventories are sent to the SecureWP cloud API, which returns matched CVEs, severity scores, and remediation metadata. Available on the free plan. New vulnerabilities trigger an email notification when detected.

What is checked

All installed plugins (active and inactive) – each plugin slug and version is matched against known CVEs. Custom and commercial plugins not tracked by the WordPress.org update system are detected automatically and flagged to the cloud for enrichment.
All installed themes (active and inactive) – same CVE matching applied to themes.
WordPress core – current core version checked against known vulnerabilities.
Abandoned plugins and themes – components not updated by their author in over 365 days are flagged. Abandoned software is no longer patched and represents an ongoing risk even without an active CVE.

Reading the results

Issues are grouped by component. Each group shows the component name, installed version, and an action button. Expand a vulnerability row to see:

Vulnerability title and full description of the security impact
Affected version range – the version constraint under which the vulnerability exists
CVE ID – links directly to the CVE record at cve.org for additional context
Severity badge with CVSS score – four levels: Critical, High, Medium, Low

Severity	Recommended action
Critical / High	Update or remove the component immediately. These are actively or trivially exploitable without authentication.
Medium	Update at your earliest opportunity. Risk depends on your site configuration and exposure.
Low	Low exploitation risk under typical conditions. Monitor and update in your next maintenance window.

Remediating vulnerabilities

Update Now – for plugins and themes hosted on WordPress.org, SecureWP triggers the update directly from the Vulnerabilities page. No need to visit the Plugins or Themes screen.
Fix Manually – for commercial or custom plugins not in the WordPress.org repository, SecureWP shows a Fix Manually link. Visit the plugin vendor’s site to obtain the patched version.

Click Check Now on the Vulnerability Scanner page to run an immediate check against the cloud database without waiting for the next scheduled scan.

Audit Log

The Audit Log captures security-relevant activity on your site with a timestamped record for every event: the event name, the user responsible (or “System” for automated actions), their IP address, their role, severity level, and a structured details panel with additional context. Use it to investigate incidents, track configuration changes, or satisfy compliance requirements.

Events recorded

The following events are captured automatically.

Event	Severity	Details captured
User Login	Info	Username of the authenticated user.
Login Failed	Warning	Username attempted.
Plugin Activated	Info	Plugin file path (e.g. `akismet/akismet.php`).
Plugin Deactivated	Warning	Plugin file path.
Plugin Updated	Info	Plugin file path.
Theme Switched	Info	Theme display name.
Theme Updated	Info	Theme slug.
WordPress Core Updated	Info	Recorded when an upgrader process for core completes.
User Registered	Info	New username and email address.
User Deleted	Warning	Username of the deleted account.
User Profile Updated	Info	Username and the field that changed. Currently detected: email address change.
Site Setting Changed	Warning	Option name, old value, and new value. Tracked options: `siteurl`, `home`, `admin_email`, `users_can_register`, `default_role`, `active_plugins`, `start_of_week`.
Audit Log Cleared	Info	Recorded automatically after a successful Clear All operation, so the log is never completely empty.

Log viewer

Navigate to SecureWP > Audit Log to view the 100 most recent events. The table displays six columns per row:

Event – event name with a severity-colored icon and a key/value details summary beneath it.
User – WordPress username and assigned role. Automated system events show “System”.
Date & Time – timestamp in YYYY-MM-DD HH:MM:SS format (server time).
Category – event group label (Authentication, Plugins, Themes, User, Settings, Updates).
IP Address – real visitor IP resolved using the same proxy-aware detection logic as the firewall.
Severity – Info (blue), Warning (amber), or Critical (red).

Filtering and export

Use the search field above the table to filter the visible log by event name, username, or IP address. The filter applies instantly to all loaded entries; pagination resets to page 1 on each new search. The log paginates at 15 rows per page.

Export CSV downloads the currently filtered view (not just the current page) as a CSV file with columns: Timestamp, Event, Category, User, Role, IP, Details, Severity. The filename includes the current date.

Clear All permanently deletes every database and file log entry after a confirmation prompt. The action is irreversible. A new “Audit Log Cleared” entry is written immediately after the operation so the log is never left with no history of what occurred.

Storage and retention

Configure log storage under Settings > Advanced > Data Configuration. Three storage modes are available:

Database Only (default) – entries are written to a custom database table. The Audit Log viewer in the plugin admin always reads from this table.
File Only – entries are written to a rotating log file on disk. Note: the admin log viewer reads from the database; select Database + File if you need both the on-disk archive and the in-admin viewer.
Database + File – entries are written to both destinations simultaneously. If the file write fails, the database record is still preserved.

Retention is configured separately for each storage type. Database Log Retention (default 90 days, max 3,650) and File Log Retention (default 90 days, max 3,650) are each auto-purged by a daily background job. If file-only mode is selected and a file write fails, the entry is silently written to the database as a fallback.

Security Tools

Advanced maintenance utilities available under SecureWP > Tools. Each tool shows its current status inline and requires an explicit confirmation step before executing. All tools require administrator (manage_options) access. Executions fire a securewp_tools_action_completed hook that can trigger admin notifications.

Change Database Table Prefix

The default WordPress table prefix is wp_. Many automated SQL injection payloads are hard-coded to target this default. SecureWP renames all database tables and updates all corresponding references in wp_options and wp_usermeta to the new prefix.

The card footer shows the current prefix. Click Generate Random Prefix to produce a safe 5-character prefix (one starting letter followed by three alphanumeric characters plus a trailing underscore, e.g. sp7k_), or type your own. Prefix rules: must start with a letter or underscore, contain only letters, numbers, and underscores, and end with an underscore. The Execute Change button is disabled when wp-config.php is read-only.

After clicking Execute Change, an inline confirmation panel expands requiring you to enter the new prefix and check I have created a database backup before the Confirm Change button becomes active.

Create a full database backup before running this tool. While SecureWP handles all known table and meta references, a backup is the safest first step before any structural database operation.

Change User ID 1

WordPress assigns ID 1 to the first user account created during installation. Many automated attack scripts target user ID 1 specifically. SecureWP migrates all posts, pages, and database objects from ID 1 to a new randomized ID and logs you out immediately on completion.

The card footer shows Secured when no user with ID 1 exists (the tool has already been run or ID 1 was never present) and Vulnerable when ID 1 still exists. The Run Tool button only appears when the site is in a Vulnerable state.

Clicking Run Tool auto-generates a safe unused ID (current max user ID plus a random offset) and pre-fills it. An inline panel shows the migration warning and requires you to check I understand I will be logged out before the Migrate ID button becomes active.

Regenerate Security Salts

WordPress uses eight authentication constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their four corresponding SALT variants) to sign and verify authentication cookies. Replacing these constants immediately invalidates every active session on the site, forcing all users including administrators to log in again.

The card footer shows whether wp-config.php is Writable or Read-Only. The Regenerate button is disabled when the file is read-only. Clicking it expands an inline confirmation panel with the warning All 8 authentication constants in your configuration file will be replaced. You will be logged out immediately. You must check Confirm invalidating all active user sessions before the Invalidate Sessions button activates.

Use this after a suspected credential compromise, session hijacking incident, or when rotating security keys as part of a routine security audit.

Rotate Encryption Key

SecureWP encrypts sensitive data at rest: API tokens, cloud credentials, and 2FA TOTP secrets. The master key is stored either in a dedicated key file (source: file) or as a constant in wp-config.php (source: constant). Rotating the key generates a new master key and immediately re-encrypts all stored secrets with it.

The card footer shows the current key source. If the source is constant and wp-config.php is read-only, the button is disabled. After rotation, verify that any users with TOTP-based 2FA can still authenticate with their authenticator app. Cloud credentials are recovered automatically.

Use this periodically or after a suspected server-level compromise where the key file or configuration file may have been exposed.

Configuration Transfer

Export your current SecureWP configuration as a JSON file, or restore a previously saved configuration to rapidly replicate settings across multiple domains or environments. Secret keys, API credentials, and license tokens are automatically excluded from the export.

Export: Click Export Settings. A file named securewp - settings - YYYY-MM-DD.json downloads immediately, containing all non-sensitive configuration values formatted as readable JSON.
Import: Click Import Settings and select a .json file. The selected filename and file size are shown for confirmation. Click Commit Import to apply the configuration immediately. Click Dump to discard the file and cancel the import without making any changes.

Settings

Global configuration under SecureWP > Settings, organized across five tabs: Scanner, Notifications, Integrations, License & Plan, and Advanced.

Scanner

Configure automated scan scheduling, resource limits, and path exclusions under Settings > Scanner.

Exclusions

Two exclusion mechanisms prevent specific content from being scanned:

Directory Paths: one absolute path per line. Any file under an excluded path is skipped entirely. Useful for large cache directories or known-clean backup archives.
Regex Patterns: PCRE patterns matched against each file’s full absolute path. Useful for excluding files by name pattern across multiple directories (e.g., ^.*/wp-content/uploads/.*\.log$).

Automated Scans

Scan Intensity sets the type of scan run on schedule: Standard (fast, checks integrity and scans only modified or unknown files) or Deep (thorough, scans all files including images and PDFs, ignores checksums).

Scan Frequency determines how often automated scans run. Options: Off, Every 6h, Every 12h, Daily, Weekly, Monthly. Weekly scans add a day-of-week selector (Sunday through Saturday). Monthly scans add a day-of-month selector (1 through 28).

System Limits

CPU Limit: Maximum CPU percentage the scanner may consume. Range 10-80%, default 60%, adjusted in 5% increments.
Memory Limit: Maximum memory percentage the scanner may consume. Range 10-80%, default 40%, adjusted in 5% increments.
Execution Timeout: Force-stop the scan if it exceeds this duration. Options: Unlimited (default), 15 minutes, 30 minutes, 1 hour, 2 hours.

Notifications

Configure which security events trigger alerts under Settings > Notifications. A master Enable Email Notifications toggle controls all email delivery. Leave Recipient Email blank to use the WordPress admin email, or enter one address to route to a dedicated security inbox. Events are organized into three groups.

Scanner & Threat Detection

Event	Description
Scan Results	Single summary email when a security scan completes with findings. Clean scans do not generate a notification. Configurable Minimum Severity filter: All Severities, Low and above, Medium and above, High and above, or Critical only.
Vulnerability Detection	Triggered when a known CVE is identified in an installed plugin or theme. Same Minimum Severity filter as Scan Results.
Scan Error	Triggered when a scan fails to complete due to an API timeout, database issue, or resource limit.

Firewall & Access Control

Event	Description
Firewall Block Digest	A scheduled summary report of all WAF block events (SQL injection, XSS, remote file inclusion, IP blocklist matches). Digest schedule: Daily, Weekly, or Monthly. Selected per-event when the alert is enabled.
Brute-Force Lockout	Sent once when an IP address or username is locked out after exceeding the maximum failed login attempts. One alert per distinct lockout event.

Account & Administration

These events are disabled by default and intended for compliance auditing and administrative oversight.

Event	Description
Two-Factor Authentication Change	Triggered when a user enables or disables 2FA on their account.
Administrative Tool Usage	Triggered when a sensitive security tool is executed (salt regeneration, database prefix change, encryption key rotation).
Administrator Login	Sends an alert when an admin user logs in. Includes their IP address, browser, and login time.
SecureWP Deactivated	Critical-severity alert sent when SecureWP itself is deactivated. Helps detect unauthorized changes to your security setup.

Webhook Delivery

Forward security events to Slack, Discord, or a custom HTTP endpoint alongside email. Enable the Webhook Notifications toggle, then select a provider and paste your webhook URL.

Slack – payloads formatted as Slack Block Kit messages with a header, site name, event details, and timestamp. Create an Incoming Webhook in your Slack workspace under Apps.
Discord – payloads formatted as Discord rich embeds with color-coded severity (red for malware, blue for general events). Create a webhook under Channel Settings > Integrations > Webhooks.
Generic (JSON) – raw JSON POST to any HTTP endpoint. Includes an X-SecureWP-Signature HMAC-SHA256 header so your server can verify the payload origin. Use the Send Test Webhook button to confirm your endpoint is receiving events.

Integrations

Configure third-party credentials under Settings > Integrations. Two integration sections are available.

Cloudflare Connection

Enter your Cloudflare Zone ID (found in the Cloudflare Dashboard under Website > Overview) and authenticate with either API Token (recommended) or Global API Key (requires your Cloudflare email). Click Save & Verify to validate credentials against Cloudflare’s API before storing them. Credentials are saved only after successful verification. A status panel shows Connection state (Connected / Not Verified / Not Configured), discovered Account ID, active Sync Mode, and detected Cloudflare plan. Use Re-verify Credentials to re-test saved credentials without changing settings.

API Token (Recommended) provides the best security model: least-privilege, revocable, and scoped to specific zones. Global API Key grants broad account-level access and should be used only as a fallback when token-based authentication is not available.

API Token Permissions

Create a Custom Token in the Cloudflare Dashboard and grant these three permissions:

Permission	Purpose
`Zone – Zone – Read`	Zone and profile validation, plan detection
`Zone – WAF – Edit`	Managed zone-level custom firewall rule updates
`Account – Filter Lists – Edit`	Managed account-level IP block and allow lists

Under Zone Resources, include the zone(s) you are protecting. Under Account Resources, include the account that owns those zones. When list operations are unavailable, SecureWP falls back to zone access rules, which also require the scopes above.

Credential Input Rules

API Token mode expects the raw token value only. Do not paste Authorization:, Bearer, extra spaces, or the Token ID (the short hex identifier shown next to the token name).
Global API Key mode expects the raw key value plus the matching Cloudflare account email address.

Most connection failures happen because a Cloudflare Token ID is pasted into the API Token field instead of the actual token value. The Token ID is only an identifier visible in the dashboard; it cannot authenticate API calls. Copy the token value shown only once at creation time.

Connection Troubleshooting

invalid request header usually means the wrong credential type was entered for the selected authentication mode (e.g., a Global API Key in the API Token field, or extra whitespace).
Token looks like a short hex string (16-20 characters) rather than a long alphanumeric string: you have likely copied the Token ID, not the API Token value.
Connected but rules are not syncing: verify that the token’s Zone Resources include the correct zone and Account Resources include the owning account. Confirm WAF – Edit and Filter Lists – Edit scopes are granted.

Firewall policy rules are configured under Firewall > Builder. Edge synchronization is managed under Firewall > Cloudflare Sync.

CAPTCHA / Bot Detection

Configure CAPTCHA API keys here, then enable protection in Hardening > Login Security. Three providers are supported:

Google reCAPTCHA v2 (Checkbox) – standard interactive challenge. Requires Site Key and Secret Key from the Google reCAPTCHA admin console.
Google reCAPTCHA v3 (Invisible) – risk-score based, no user interaction required. Includes a Score Threshold slider (0.1 to 1.0, default 0.5; lower is more permissive, higher is stricter).
Cloudflare Turnstile – privacy-respecting bot detection. Site Key found in the Cloudflare Dashboard under Turnstile.

Advanced: Server Configuration

Configure under Settings > Advanced > Server Configuration.

Server Type: Auto-Detect (default), Apache, LiteSpeed, or Nginx. Auto-detect works for most setups. Override if your server is behind a reverse proxy or uses a non-standard configuration.
Nginx Config File: Shown when Nginx or Auto-Detect is selected. Provide the path to the nginx include file that PHP can write to. Leave blank to use the default (nginx.conf in the site root).
Write to Files: Enabled by default. When toggled off, SecureWP stops automatically writing rules to .htaccess or nginx.conf. Disable this if you manage server configuration manually.

Advanced: IP Detection

Configure under Settings > Advanced > IP Detection. SecureWP runs an automatic IP diagnostic on page load and displays the currently detected visitor IP and the header it was sourced from.

Automatic (Recommended): SecureWP selects the best proxy header for your server environment automatically.
Manual: Exposes a Proxy Header dropdown. Select the specific header your proxy uses: CF-Connecting-IP (Cloudflare), X-Forwarded-For, Forwarded (RFC 7239), X-Real-IP, X-Client-IP, Client-IP, or X-Cluster-Client-IP.
Disabled (Direct Connection): Uses REMOTE_ADDR only. Best for servers without a reverse proxy.

An Advanced Options link leads to the full IP detection configuration in Firewall > Settings.

Advanced: Data Configuration

Configure under Settings > Advanced > Data Configuration.

Log Storage: Database Only (default), File Only, or Database + File simultaneously. Note: the Audit Log viewer in the plugin admin always reads from the database; select Database + File if you need both the on-disk archive and in-admin log display.
Database Log Retention: Shown when storage is Database Only or Database + File. Auto-purge entries older than this threshold (default 90 days, max 3,650 days).
File Log Retention: Shown when storage is File Only or Database + File. Auto-purge rotated log files older than this threshold (default 90 days, max 3,650 days).

A daily background cron job runs the retention cleanup. If File Only mode is selected and a file write fails, the entry is silently written to the database as a fallback.

Reset Plugin Data is available under Settings > Advanced > Danger Zone. It permanently erases all local settings, scan history, and cached data. Your license link to SecureWP Console will require re-activation. This action cannot be undone.

Need more help?

Our security team is available 24/7. We typically respond within 30 minutes.

Contact Support support@securewp.net