Plugin v1.5

SecureWP Documentation

Everything you need to install, configure, and get the most out of SecureWP. Firewall, malware scanning, hardening, two-factor authentication, and more.

Getting Started

SecureWP is a cloud-connected WordPress security plugin. It runs a real-time firewall, malware scanner, login hardening, two-factor authentication, and continuous vulnerability monitoring. A free account is required to enable cloud features. No credit card is needed.

Installation

Requirements: WordPress 6.0 or later, PHP 8.1 or later, and an outbound HTTPS connection for cloud sync (vulnerability database, firewall rule updates).

  1. Download securewp.zip from your SecureWP account or purchase confirmation email.
  2. In your WordPress admin, go to Plugins > Add New > Upload Plugin and select the ZIP file.
  3. Click Install Now, then Activate Plugin. SecureWP now appears in the admin sidebar.

Activation

After activation the plugin shows the Activate SecureWP screen. Three methods are available. A free license is generated automatically – no existing account is needed.

Method 1: Email (default)

The simplest path. Enter your email address and click Send Code. SecureWP emails a 6-digit one-time code (valid for 10 minutes). Enter the code and your site is connected. If you don’t have a Pro subscription, a Free license is generated automatically.

Method 2: License Key

Switch to the License Key tab and paste your key in XXXX-XXXX-XXXX-XXXX format. This is the preferred method when activating a site that should use an existing Pro seat. If all Pro seats are in use, you will be offered the option to activate on the Free plan or free up a seat from the SecureWP Console.

Method 3: SecureWP Console (SSO)

Click Open Console to open a popup to console.securewp.net. Sign in and approve the connection. SecureWP exchanges a secure code in the background and activates your site. Use this method when you manage multiple sites from the Console and want centralized authorization.

After connecting

Once connected, the activation screen is replaced by the setup wizard (first run) or the main dashboard. The license status, plan, and expiry are shown under Settings > License & Plan. Free plan sites show an Activate Pro button there if you later upgrade your subscription.

WP-CLI

SecureWP registers a securewp WP-CLI command for scripted activation:

  • wp securewp activate --license-key=XXXX-XXXX-XXXX – Activate with an explicit key
  • wp securewp activate – Activate using the SECUREWP_LICENSE_KEY constant
  • wp securewp status – Display current license status and plan
  • wp securewp deactivate – Deactivate and release the license seat

Setup Wizard

After activation the setup wizard guides you through the five highest-impact configuration areas in order. Each step is an embedded view of the real module – changes you make during setup are permanent. You can skip any step or dismiss the wizard entirely; all settings remain accessible from the sidebar at any time.

  1. Activate License – Connect your site to SecureWP Console to enable cloud features.
  2. Hardening – Apply security tweaks to harden your WordPress installation.
  3. Firewall – Configure local and edge firewall rules to block malicious traffic.
  4. Vulnerabilities – Review known CVEs in your installed plugins, themes, and WordPress core. Requires an active connection.
  5. Security Scan – Run your first security scan to detect malware and unauthorized changes.

Dashboard

The dashboard is the first screen after setup and provides a live overview of your site’s security posture. Data refreshes automatically and each widget links to the corresponding module for full configuration.

Website Health

The top-left card summarizes overall risk using a status label and short explanation generated from live protection state, scan findings, and vulnerability data. Five levels are possible:

  • Critical – Critical exposure. Immediate action required.
  • High – High-risk gaps need prompt attention.
  • Medium – Moderate exposure. Review open items.
  • Low – Minor hardening opportunities remain.
  • Secure – Controls are aligned and stable.

The card also shows the timestamp of the last completed scan. If no scan has run, or the most recent scan is more than 7 days old, the health summary treats scanner data as stale and the Action Center surfaces a remediation task.

Malware Coverage

This card shows the result of the most recent malware scan: Infected, Clean, or Not Scanned. Once at least one scan has completed, the meta line confirms the scan timestamp and the context line shows the current coverage state.

Known Vulnerabilities

Total count of active CVEs across all installed plugins, themes, and WordPress core, broken down by Critical / High / Medium / Low severity tokens. Clicking the widget navigates to the Vulnerability Scanner for full details and one-click updates.

Blocked Requests

Total blocked firewall requests recorded over the last 90 days. This card links directly to the Audit Log area from the dashboard.

Recent Security Events

A rolling feed of merged Firewall and Authentication activity. Use the source filter to switch between All Sources, Firewall, and Authentication. Each row shows a short event headline, supporting metadata, actor or IP context, and timestamp.

Active Lockouts

Currently locked-out IP addresses and usernames from the login limiter, with a count of lockouts in the last 30 days. Up to three of each type are shown inline with an Unlock button. Click Firewall Controls to manage the full block list.

Bans Overview

A compact summary of current firewall bans and allowlists. The card shows totals for Banned IPs and Allowlisted, plus a source breakdown when bans are present.

Action Center

Prioritized remediation tasks generated from current risk signals. The header also shows current counts of Critical and High-priority items. Common entries include:

  • Firewall protection is disabled – the firewall module is turned off
  • Login security controls are inactive – login limiter and related controls are not enabled
  • Scanner findings require review – unresolved Critical or High scanner findings remain open
  • Active vulnerabilities detected – one or more open CVEs are present on installed components
  • Server-level WAF is not active – pre-WordPress enforcement is not installed or has a conflict

The Action Center also includes quick actions for Run Cloud Scan, Review CVEs, and Firewall Controls.

Threat Activity Trend

An area chart showing blocked request volume over the last 7 days. If there has been no recent threat activity, the panel shows an empty-state message instead of a chart.

Malware Scanner

The scanner runs asynchronously so it never blocks page loads for visitors. It works in stages: system checks run in parallel first, then file collection and integrity verification, followed by cloud-assisted malware signature matching. All results are stored and displayed in the Scanner tab.

An active SecureWP license is required. Cloud scan credits apply on the Free plan (see Cloud Scan Credits below).

Scan Types

Choose the scan type when starting a scan, or set a default under Settings > Scanner > Scan Intensity. Both types run all six scan components. The difference is file scope and hash cache behaviour.

  • Estimated time – Standard: 1-3 minutes; Deep: 5-15 minutes
  • File types collected – Standard: code files only (.php, .js, .html, .htaccess, .xml, .css, and related extensions); Deep: all code files plus images (.jpg, .png, .gif, .svg, etc.) and documents (.pdf, .doc, .docx)
  • /uploads directory – Standard: yes, code extensions only; Deep: yes, all file types
  • Non-WordPress root directories – Standard: no; Deep: yes (old backup folders, secondary installs, etc.)
  • Hash cache behaviour – Standard: trusts “safe” cache hits to conserve cloud credits; Deep: bypasses the “safe” cache, so all files receive a fresh cloud verdict
  • Image/document check – Standard: no; Deep: local binary content check first, then cloud escalation only if suspicious patterns are found
  • Max file size – 10 MB per file (both types)
  • System checks – Both types run all six components: File Integrity, Domain Reputation, User Accounts, Content Analysis, Sensitive Data Exposure, Vulnerability Cross-Reference

Standard Scan is recommended for daily scheduled runs. Use Deep Scan for periodic thorough reviews or after a suspected incident.

What each scan component checks

  • File Integrity – compares checksums of WordPress core, plugin, and theme files against official WordPress.org hashes. Flags modified, added, or deleted files. Cloud signature matching then runs against files that fail integrity (Standard) or all collected files (Deep).
  • Domain Reputation – checks your domain and server IP against public blocklists and safe browsing databases. A flagged domain affects visitor trust and search engine rankings.
  • User Accounts – identifies suspicious administrator accounts and accounts with patterns that suggest compromise.
  • Content Analysis – scans post and page content in the database for injected scripts, obfuscated links, hidden redirects, and other database-level malware indicators.
  • Sensitive Data Exposure – verifies that sensitive files (wp-config.php, .env, debug logs, database exports) cannot be fetched directly over HTTP.
  • Vulnerability Cross-Reference – checks installed plugin and theme versions against the live CVE database at scan time. Results also appear in the Vulnerability Scanner module.

Cloud Scan Credits

The Free plan has a monthly cloud scan credit allowance. Credits are consumed during the cloud file analysis step. The credit widget on the Scanner page shows current usage. When the limit is reached, remaining files in that batch are skipped – system checks and previously processed files are unaffected.

Pro plan sites have unlimited cloud scan credits and unlock Enterprise Cloud features: AI Malware Detection and High Sensitivity scanning.

Scheduling and Exclusions

Automated Scans

Configure scanner settings under Settings > Scanner. The current UI lets you choose scheduled scan intensity, scheduled frequency, and scan exclusions. Automated schedules are available on Pro plans; all plans can still run scans manually from the Scanner page.

  • Manual Only – No scheduled scans. Start scans on demand from the Scanner page.
  • Daily – Runs once every 24 hours.
  • Weekly – Runs once per week.
  • Monthly – Runs once per month.

Scheduled Scan Intensity: Standard keeps recurring scans faster with lower impact, while Deep performs broader verification and content-level checks.

Scan alert delivery is configured separately under Settings > Notifications.

Exclusions

Configure exclusions under Settings > Scanner. Enter one path or pattern per line. System checks are not affected by exclusions.

  • Bare names – values like cache, backups, or vendor exclude matching directories anywhere in the scanned path.
  • Absolute paths – values starting with / exclude that exact path tree.
  • Wildcards – * and ? are supported when you need pattern matching.

Reading Scan Results

Results are grouped by scan component (File Integrity, Reputation, Users, Content, Sensitive Data, Vulnerabilities) and sorted by severity. Expand any finding to see the file path, matched pattern or CVE reference, and recommended action. Individual findings can be Ignored to suppress future alerts on confirmed false positives.

  • Critical – Active malware or a severe misconfiguration requiring immediate action
  • High – Exploitable vulnerability or a strongly suspicious file modification
  • Medium – Hardening gap or potential exposure that should be addressed soon
  • Low / Info – Informational finding with no immediate risk

Scan Troubleshooting

Work through the steps below if a scan will not start, gets stuck, or produces unexpected results.

Scan does not start

  • License not connected: An active license is required. Go to Settings > License & Plan and verify the site is connected. The scanner page will show “License Required” if activation has not been completed.
  • WP-Cron is disabled: Scheduled scans run via WordPress Cron. If your site has define('DISABLE_WP_CRON', true); in wp-config.php, remove it or switch to a real server cron that requests /wp-cron.php every minute.
  • Insufficient PHP memory: Add define('WP_MEMORY_LIMIT', '256M'); to wp-config.php or raise memory_limit = 256M in php.ini.
  • Plugin conflict: Another security plugin may intercept the internal HTTP requests used to dispatch scan jobs. Temporarily deactivate other security plugins, start a scan, then re-enable them one by one to identify the conflict.

Scan gets stuck

SecureWP includes a watchdog that detects stuck scans. Simply visiting SecureWP > Scanner triggers automatic recovery. If it remains stuck, click Stop Scan and start a fresh scan. Check wp-content/debug.log (enable with define('WP_DEBUG_LOG', true);) for PHP fatal errors or out-of-memory messages. On large sites, retry with Standard scan mode first to confirm the queue is healthy before running Deep again.

Expected files were not scanned

  • Images and PDFs in /uploads are only included in Deep Scan mode. Standard Scan collects code extensions only.
  • Files in non-WordPress directories at the server root (backup folders, old installs) are only collected in Deep Scan.
  • Files over 10 MB are skipped by both scan types regardless of settings.
  • Check whether an excluded path, bare-name rule, or wildcard pattern is matching the files you expected to see in results.

False positives on custom or commercial plugins and themes

File integrity checks compare files against official WordPress.org hashes. Commercial plugins (not in the repository) and intentionally modified core files will always fail the integrity check because no official hash exists for comparison. This is expected behaviour. Use the Ignore action on confirmed-clean findings to suppress them in future scans.

Firewall

The firewall inspects every incoming HTTP request before WordPress processes it. SecureWP evaluates each request against a layered rule set in a fixed order, stopping at the first match:

  1. Allowlist – Pass immediately; skip all remaining checks
  2. Manual ban list – Block (HTTP 429)
  3. Community threat feed – Block (HTTP 429)
  4. Country / GeoIP block – Block (HTTP 403)
  5. User-agent ban list – Block (HTTP 429)
  6. Sensitive path probe detection – Block individual request (HTTP 403); ban IP after threshold
  7. Rate limiting – Return HTTP 429 when per-minute limits are exceeded

The current Firewall UI is organized into five tabs: Rules, Protection, Cloudflare Sync, Advanced, and Traffic Log. A module-level toggle at the top of the Firewall page turns the firewall on or off.

Use the tabs as follows:

  • Rules – manage allow and ban IP rules, country policy, bot-name blocks, and the unified rules table
  • Protection – configure Rate Limiting, Block Known Bots, Detect & Block Scanners, and Community Threat Feeds
  • Cloudflare Sync – configure edge enforcement, push settings, edge action, and ASN rules
  • Advanced – configure IP detection, trusted proxies, Server-Level WAF, block page message, and default block duration
  • Traffic Log – review blocked requests and export firewall activity

IP Blocking and Allowlisting

Manage IP rules manually from Firewall > Rules. IPv4 addresses, IPv6 addresses, and CIDR ranges (e.g. 198.51.100.0/24) are all supported. Each rule has a Ban or Allow action.

  • Allowlisted IPs bypass every firewall layer including rate limits, country blocks, and the community threat feed. Add your office IP and any trusted monitoring or uptime services before enabling aggressive rules.
  • Manually blocked IPs receive a 429 response and are stored in the block list until you remove them.
  • Auto-blocked IPs created by scanner/probe detection or other automated ban flows expire according to the configured default block duration (default: 7 days). That duration is set under Firewall > Advanced > Default Block Duration.
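The first-match layer order and the allowlist bypass described above, written out as an added Python example (illustrative code for this page, not SecureWP's own). It models layers 1-5 plus expiry of auto-added bans against the default block duration; the rule storage, the GeoIP result and every address are constructed stand-ins, and layers 6-7 are left to a later example.

```python
"""First-match evaluation of the firewall layer order, as an added example.

Illustrative code written for this page, not SecureWP's own. It models
layers 1-5 of the priority table (allowlist, ban list, community threat feed,
country block, user-agent ban list) plus the expiry of auto-added bans against
the default block duration. Probe detection and rate limiting (layers 6-7) are
left to a separate example. Rule storage, the GeoIP lookup result and all
sample addresses are constructed stand-ins.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

DEFAULT_BLOCK_DURATION = timedelta(days=7)  # Firewall > Advanced > Default Block Duration
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class Request:
    ip: str
    user_agent: str = ""
    country: Optional[str] = None  # GeoIP result; None when the IP cannot be located


@dataclass
class Verdict:
    status: int  # HTTP status the firewall returns; 200 means the request passes
    layer: str   # the layer that made the decision


@dataclass
class Firewall:
    allow: List[str] = field(default_factory=list)           # IPs or CIDRs, layer 1
    manual_bans: List[str] = field(default_factory=list)     # never expire, layer 2
    auto_bans: Dict[str, datetime] = field(default_factory=dict)  # ip -> time added, layer 2
    threat_feed: List[str] = field(default_factory=list)     # layer 3
    blocked_countries: Set[str] = field(default_factory=set)  # layer 4 (blocklist mode)
    banned_agents: List[str] = field(default_factory=list)   # layer 5, substring match
    block_duration: timedelta = DEFAULT_BLOCK_DURATION

    @staticmethod
    def _matches(ip: str, rules: List[str]) -> bool:
        addr = ip_address(ip)
        # strict=False lets a rule like 198.51.100.7/24 mean its whole network.
        return any(addr in ip_network(rule, strict=False) for rule in rules)

    def active_auto_bans(self, now: datetime) -> List[str]:
        """Purge automatic bans older than the block duration and return the rest."""
        self.auto_bans = {ip: added for ip, added in self.auto_bans.items()
                          if now - added < self.block_duration}
        return list(self.auto_bans)

    def evaluate(self, req: Request, now: Optional[datetime] = None) -> Verdict:
        now = now or datetime.now(timezone.utc)
        # Layer 1: an allowlisted IP skips every remaining check, including the
        # threat feed and the country block, so allowlist entries must be trusted.
        if self._matches(req.ip, self.allow):
            return Verdict(200, "allowlist")
        # Layer 2: manual bans plus still-active automatic bans.
        if self._matches(req.ip, self.manual_bans + self.active_auto_bans(now)):
            return Verdict(429, "ban list")
        # Layer 3: community threat feed.
        if self._matches(req.ip, self.threat_feed):
            return Verdict(429, "threat feed")
        # Layer 4: country block (an unlocatable IP is not blocked by this layer).
        if req.country is not None and req.country in self.blocked_countries:
            return Verdict(403, "country block")
        # Layer 5: user-agent ban list, case-insensitive substring match.
        ua = req.user_agent.lower()
        if any(bad.lower() in ua for bad in self.banned_agents):
            return Verdict(429, "user-agent ban")
        return Verdict(200, "pass")


def sample_firewall(now: datetime = SAMPLE_NOW) -> Firewall:
    """Constructed rule set using RFC 5737 / RFC 3849 documentation addresses."""
    return Firewall(
        allow=["203.0.113.10"],                              # office IP
        manual_bans=["198.51.100.0/24"],
        auto_bans={"192.0.2.7": now - timedelta(days=8),    # older than 7 days: expired
                   "192.0.2.8": now - timedelta(hours=1)},  # still active
        threat_feed=["203.0.113.0/24"],                      # overlaps the allowlisted office IP
        blocked_countries={"XX"},                            # placeholder country code
        banned_agents=["sqlmap", "nikto"],
    )
```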

Rate Limiting

Rate limiting uses a true sliding-window algorithm to count requests per IP over a rolling 60-second window. When an IP exceeds a configured limit, SecureWP immediately returns an HTTP 429 response. Limits are per IP; verified Googlebot and Bingbot (confirmed by reverse DNS) are always exempt.

  • All Requests per Minute (default: 60 / min) – Maximum requests from one IP before throttling begins. Helps slow brute-force attempts and high-volume scrapers.
  • Missing-Page Requests per Minute (default: 10 / min) – Limits requests to URLs that return 404. Stops directory scanning and path enumeration.
  • XML-RPC API Calls per Minute (default: 5 / min) – XML-RPC is a common password-guessing target. Keep this low unless you actively use the XML-RPC API.

Crawler Strictness applies a fractional multiplier to generic (unverified) crawlers. The default of 0.5 gives crawlers half the normal request limit, making them subject to stricter enforcement than browser traffic without blocking legitimate indexing bots. Set to 1.0 to apply the same limit to all traffic.

Bot Protection

Block Known Bots checks the User-Agent request header against the HackRepair.com blocklist, a curated database of known attack tools, vulnerability scanners, and malicious crawlers. Matching requests are blocked with a 429 response. Verified search engine bots (Googlebot, Bingbot, and others confirmed by DNS lookup) are always excluded from this check regardless of the setting. Enable it from Firewall > Protection.

Uptime Monitor Allowlist

SecureWP uptime monitoring checks your site externally, the same way a visitor or third-party monitoring service would. If your firewall, WAF, CDN, or reverse proxy returns HTTP 403 to that probe, SecureWP classifies the monitor as blocked and sends a dedicated alert instead of a false “site down” notification.

  • What to allowlist: the SecureWP uptime checker IP address shown in your SecureWP firewall event log, host WAF log, or other block log for the denied uptime request.
  • Where to allowlist it: SecureWP firewall allow rules, hosting firewalls, Cloudflare custom rules, server-level WAF rules, and any upstream proxy or CDN layer that can return HTTP 403.
  • Why it matters: until that checker IP is allowlisted, the uptime probe can be blocked even while the website is healthy, which prevents reliable uptime verification.

Probe and Scanner Detection

This module identifies bots probing for exposed configuration files, backups, and version information. Every request to a sensitive path is immediately blocked with a 403 response. When the same IP reaches the probe threshold within the time window, SecureWP bans the IP for the default block duration.

  • Threshold (default: 3 attempts) – Number of sensitive-path hits before the IP is banned. Individual requests are denied regardless of the threshold.
  • Time window (default: 5 minutes) – Rolling window in which the threshold is counted. Resets after the window expires with no new hits.

Monitored paths include environment files (.env), version control directories (.git), WordPress configuration backups, debug log files, SQL dump files, server status endpoints, and 13 additional high-risk patterns.
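The sliding-window counting behind both the Rate Limiting section and this probe threshold, as an added Python example (illustrative code for this page, not SecureWP's own). One counter class backs the per-minute limits with the Crawler Strictness multiplier and verified-bot exemption, and the 3-hits-in-5-minutes probe ban; SENSITIVE_PATHS is a short constructed stand-in for the monitored list, and reverse-DNS bot verification is represented by a caller-supplied flag.

```python
"""Sliding-window counting for rate limiting and probe detection, as an added example.

Illustrative code written for this page, not SecureWP's own. One SlidingWindow
class backs both the per-minute rate limits (with the Crawler Strictness
multiplier and the verified-bot exemption) and the sensitive-path probe
threshold that bans an IP for the default block duration. Defaults follow the
tables above; SENSITIVE_PATHS is a short stand-in for the monitored list, and
bot verification by reverse DNS is represented by a flag the caller supplies.
"""
from collections import defaultdict, deque


class SlidingWindow:
    """Per-key event counter over the trailing `window` seconds.

    A fixed window resets on the boundary, so 60 hits at 0:59 and 60 more at
    1:00 both pass; this keeps each timestamp, so the second burst is counted.
    """

    def __init__(self, window: float):
        self.window = window
        self._events = defaultdict(deque)

    def hit(self, key: str, now: float) -> int:
        """Record an event for `key` at time `now` and return the in-window count."""
        q = self._events[key]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)


class RateLimiter:
    LIMITS = {"all": 60, "missing_page": 10, "xmlrpc": 5}  # defaults, per 60-second window

    def __init__(self, crawler_strictness: float = 0.5):
        self.crawler_strictness = crawler_strictness
        self.windows = {name: SlidingWindow(60) for name in self.LIMITS}

    def check(self, ip: str, now: float, *, path: str = "/", status: int = 200,
              is_crawler: bool = False, verified_bot: bool = False) -> int:
        """Return 429 once any applicable per-minute limit is exceeded, else 200."""
        if verified_bot:  # Googlebot/Bingbot confirmed by reverse DNS are always exempt
            return 200
        buckets = ["all"]
        if status == 404:
            buckets.append("missing_page")
        if path.endswith("/xmlrpc.php"):
            buckets.append("xmlrpc")
        # Unverified crawlers get a fraction of each limit (0.5 = half).
        factor = self.crawler_strictness if is_crawler else 1.0
        verdict = 200
        for name in buckets:
            if self.windows[name].hit(ip, now) > int(self.LIMITS[name] * factor):
                verdict = 429  # still record the hit in the other buckets
        return verdict


# Constructed stand-in for the monitored sensitive paths.
SENSITIVE_PATHS = ("/.env", "/.git/", "/wp-config.php.bak", "/debug.log", "/server-status")


class ProbeDetector:
    def __init__(self, threshold: int = 3, window: float = 300,
                 block_duration: float = 7 * 86400):
        self.threshold = threshold            # hits before the IP is banned
        self.window = SlidingWindow(window)   # 5-minute rolling window
        self.block_duration = block_duration  # Default Block Duration, 7 days
        self.bans = {}                        # ip -> expiry time

    def is_banned(self, ip: str, now: float) -> bool:
        expiry = self.bans.get(ip)
        if expiry is not None and expiry <= now:
            del self.bans[ip]                 # automatic bans expire
            return False
        return expiry is not None

    def check(self, ip: str, path: str, now: float) -> int:
        """403 for every sensitive-path hit, 429 once the IP is on the ban list, else 200."""
        if self.is_banned(ip, now):
            return 429
        if not any(path.startswith(p) for p in SENSITIVE_PATHS):
            return 200
        if self.window.hit(ip, now) >= self.threshold:
            self.bans[ip] = now + self.block_duration
        return 403
```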

Community Threat Feeds

When enabled, SecureWP downloads and maintains a consolidated IP blocklist from crowd-sourced threat intelligence, aggregated from multiple sources including Spamhaus. The feed is refreshed automatically every 6 hours and supports up to 10,000 entries (individual IPs and CIDR ranges). Matching IPs are blocked with a 429 response before any other request processing. Enable it from Firewall > Protection.

Country Blocking (GeoIP)

Block or allow traffic by country of origin. Two modes are available:

  • Blocklist mode (default): all countries are permitted; add specific countries to block their traffic.
  • Allowlist mode: all countries are blocked by default; only countries explicitly added to the allow list can reach the site. Best suited for businesses that serve a single region.

Country lookups use the following priority chain:

  • Cloudflare edge GeoIP (when edge enforcement is enabled) – country is blocked at Cloudflare’s network before the request reaches your server.
  • MaxMind GeoLite2 / GeoIP2 database (local, preferred for PHP-layer enforcement) – add your free MaxMind Account ID and License Key under Settings > Integrations > MaxMind GeoIP, then click Update Country Database. SecureWP then uses that local database for country decisions and keeps it updated automatically.
  • HTTP API fallback (ipwho.is) – used when the MaxMind database is not installed. Results are cached locally for 24 hours to minimize external requests.

For MaxMind setup, use the vendor pages directly: create a free GeoLite2 account, then generate a license key in MaxMind License Key Management.

Country rules are managed from Firewall > Rules. Matched requests receive an HTTP 403 response. Logged-in administrators are exempt from country blocking to reduce accidental lockouts. IPs that cannot be geolocated by any source can be blocked separately with a dedicated toggle.

Server-Level WAF

The Server-Level WAF installs a firewall bootstrap file at the web server layer using auto_prepend_file. It enforces IP allowlists, manual bans, and rate limits before WordPress or any plugin code runs. This protects the site during WordPress errors, plugin conflicts, and high-load events.

  • Apache / LiteSpeed: SecureWP writes the auto_prepend_file directive into your .htaccess file.
  • Nginx / PHP-FPM: SecureWP writes the directive into the .user.ini file in your site root.

  1. Go to Firewall > Advanced and scroll to the Server-Level WAF section. SecureWP auto-detects your server type and displays it as a badge.
  2. Click Install Server-Level WAF. SecureWP modifies your server configuration file. If anything goes wrong, it attempts an automatic rollback and reports the result.
  3. Confirm the status panel shows Installed and active with green indicators for both WAF files present and Configuration active.

If another security tool is already using auto_prepend_file, SecureWP shows a conflict warning and will not install until that conflict is removed. To remove the WAF later, click Remove Server-Level WAF. Your PHP-layer firewall stays active and all rules remain in force; only the web-server-layer enforcement is removed.

Cloudflare Integration

When your site runs behind Cloudflare, SecureWP can push firewall rules to Cloudflare’s global network so threats are stopped at the edge before reaching your server. Blocked IPs and countries are enforced from the nearest Cloudflare data center to the attacker across 300+ global locations.

Setup

  1. Go to Settings > Integrations and enter your Cloudflare Zone ID and either an API Token (recommended) or a Global API Key plus email. Click Save & Verify. SecureWP validates authentication, the selected zone, and the permissions required for managed list sync and edge WAF rules.
  2. Go to Firewall > Cloudflare Sync and toggle on Edge Enforcement. Rules are pushed to Cloudflare immediately and auto-synced on every firewall change.
  3. Use Push Rules Now to force an immediate sync at any time.

Create the API Token

  1. In Cloudflare, open My Profile > API Tokens.
  2. Click Create Token, then choose Create Custom Token.
  3. Name the token clearly, for example SecureWP Edge Sync.
  4. Add the required permissions listed below.
  5. Under Zone Resources, include the zone you want SecureWP to protect.
  6. Under Account Resources, include the Cloudflare account that owns that zone.
  7. Create the token and copy the token value immediately. Cloudflare only shows the full token once.

[Screenshot: SecureWP Cloudflare integration settings showing Zone ID, credentials, and permission status. SecureWP validates the zone, resolves the owning account, and reports whether the required Cloudflare permissions are available.]

Required token permissions

These permission labels are not enough on their own. The token must also be scoped to the exact Zone Resource and the owning Account Resource for the site you are connecting.

  • Zone – Zone – Read: Validate the zone, read zone details, and resolve the owning account.
  • Zone – WAF – Edit: Create and update the managed edge firewall rule SecureWP uses for enforcement.
  • Account – Filter Lists – Edit: Create and maintain Cloudflare account-level IP lists for block and allow synchronization.

Required additional permission

  • Account – Firewall Access Rules – Edit: Required for reliable Cloudflare synchronization and recovery paths. This access is account-scoped, so the token must be granted access to the owning Cloudflare account.

What Save & Verify checks

  • Authentication works with the supplied credential.
  • The Zone ID is valid and accessible.
  • The owning Cloudflare account can be resolved from that zone.
  • The token has the access SecureWP needs for managed IP lists and edge WAF rules.
  • The token can access account-level Firewall Access Rules for the owning account.

If a required check fails, SecureWP keeps the integration in Configured state and shows what must be corrected before edge sync can be trusted.

When edge enforcement is active, the current rules from Firewall > Rules are continuously mirrored to Cloudflare. The Cloudflare Sync page also shows last push time, current edge counts, limit warnings, and a retry path if the last push failed.

Auto-Escalate Active Attackers

When an IP triggers repeated local firewall violations, SecureWP can automatically push it to Cloudflare as a temporary edge block. These time-limited escalation blocks are separate from your manually configured block list and do not consume your permanent rule quota.

  • Block Threshold (default: 3 violations) – Number of local firewall hits that trigger an edge escalation for that IP.
  • Observation Window (default: 10 minutes) – Rolling time window in which violations are counted.
  • Edge Block Duration (default: 120 minutes / 2 hr) – How long Cloudflare blocks the IP. Expires automatically.
  • Max Edge Blocks (default: 5,000 IPs) – Cap on simultaneously active escalation blocks. Oldest entries are removed first when the cap is reached.

Edge Rule Action

Choose what Cloudflare does when a rule matches. The default is Managed Challenge, which presents a human-verification puzzle to suspected bots while letting real visitors through without friction.

  • Managed Challenge – Cloudflare shows a human-verification puzzle (Recommended)
  • Block – immediately reject the request with a Cloudflare error page
  • Challenge – show a CAPTCHA
  • JS Challenge – silent browser integrity check with no visible CAPTCHA
  • Log Only – allow through but record the match for review

Block by Network (ASN)

ASN blocking lets you block all IP addresses from an entire network provider by entering its Autonomous System Number. Enter one ASN per line under Cloudflare Sync settings. ASN blocks affect thousands to millions of IPs at once; use them only when you are certain the entire network is a threat source and legitimate traffic from that provider is not expected.

Firewall Settings

Configure general firewall behavior under Firewall > Advanced.

  • Block Page Message (default: “Your IP address has been blocked due to suspicious activity.”) – Message shown to any visitor whose IP is blocked. Keep it short and actionable.
  • Default Block Duration (default: 7 days) – How long auto-added IP blocks persist before expiring. Individual rules can override this. Set high for near-permanent blocks.

IP Detection

For sites behind a proxy, CDN, or load balancer, SecureWP must read the real visitor IP from the correct HTTP header rather than the direct connection IP. Misconfiguration here allows IP spoofing by passing a false header value.

  • Automatic (Recommended): SecureWP detects the best IP source for your setup. Correct for most servers, CDNs, and proxies.
  • Manual: you select the specific header. Options include CF-Connecting-IP (Cloudflare), X-Forwarded-For, X-Real-IP, Forwarded (RFC 7239), and others.
  • No proxy (direct connection only): always uses the raw TCP connection IP. Choose this only when the server connects directly to visitors with no proxy in front.

Trusted Proxy Configuration ensures proxy headers are only accepted when the direct connection comes from a known proxy server IP, preventing spoofing attacks. Choose the Cloudflare preset (22 IP ranges, auto-updated), Custom, or None. Use Run Diagnostic to see which headers your server receives, Test Current Settings to verify the current result, or Auto-Configure to let SecureWP set the right option automatically.
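The trusted-proxy rule in practice, as an added Python example (illustrative code for this page, not SecureWP's own): a forwarding header is honoured only when REMOTE_ADDR is a known proxy, so a client cannot pick the IP the firewall sees by sending its own X-Forwarded-For. Automatic header detection is not modelled, and TRUSTED is a constructed range rather than Cloudflare's published list.

```python
"""Client-IP resolution behind a proxy with the trusted-proxy rule, as an added example.

Illustrative code written for this page, not SecureWP's own. It shows why a
forwarding header may only be honoured when the direct TCP peer (REMOTE_ADDR)
is a known proxy: otherwise any client can send X-Forwarded-For and choose the
IP the firewall, rate limiter and login limiter see. Automatic header detection
is not modelled; TRUSTED is a constructed range, not Cloudflare's published list.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


def _in_any(ip: str, networks) -> bool:
    addr = ip_address(ip)  # raises ValueError on anything that is not an IP
    return any(addr in net for net in networks)


def client_ip(env: Dict[str, str], trusted_proxies: List[str],
              header: Optional[str] = "X-Forwarded-For") -> str:
    """Resolve the visitor IP from CGI-style server variables.

    header is the forwarding header selected under Firewall > Advanced > IP
    Detection (e.g. 'CF-Connecting-IP', 'X-Forwarded-For', 'X-Real-IP');
    None means 'No proxy (direct connection only)'.
    """
    peer = env["REMOTE_ADDR"]
    networks = [ip_network(p, strict=False) for p in trusted_proxies]
    # Direct mode, or a peer that is not one of our proxies: the header is
    # attacker-controlled, so ignore it and use the TCP peer address.
    if header is None or not _in_any(peer, networks):
        return peer
    raw = env.get("HTTP_" + header.upper().replace("-", "_"), "")
    if not raw.strip():
        return peer
    if header.lower() == "x-forwarded-for":
        # Each proxy appends the peer it saw: "client, proxy1, proxy2". Walk
        # from the right, skipping our own proxies; the first address that is
        # not ours is the client. Anything further left was supplied by the
        # client itself and cannot be trusted.
        for hop in reversed([h.strip() for h in raw.split(",")]):
            try:
                if not _in_any(hop, networks):
                    return hop
            except ValueError:
                return peer  # malformed hop: refuse to guess
        return peer          # every hop was one of our proxies
    # Single-value headers (CF-Connecting-IP, X-Real-IP) are overwritten by the proxy.
    try:
        return str(ip_address(raw.strip()))
    except ValueError:
        return peer


TRUSTED = ["203.0.113.0/24"]  # constructed stand-in for the trusted-proxy list


def spoof_attempts() -> Dict[str, str]:
    """Constructed requests showing header handling for trusted and untrusted peers."""
    return {
        # Untrusted peer sends a forged header: header ignored, peer address used.
        "forged_from_client": client_ip(
            {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}, TRUSTED),
        # Same forged header, but arriving via a trusted proxy that appended the real client.
        "via_proxy": client_ip(
            {"REMOTE_ADDR": "203.0.113.5",
             "HTTP_X_FORWARDED_FOR": "127.0.0.1, 192.0.2.44"}, TRUSTED),
        # Cloudflare-style single-value header from a trusted peer.
        "cf_header": client_ip(
            {"REMOTE_ADDR": "203.0.113.5", "HTTP_CF_CONNECTING_IP": "2001:db8::10"},
            TRUSTED, "CF-Connecting-IP"),
        # 'No proxy' mode: the header is never consulted.
        "direct_mode": client_ip(
            {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "192.0.2.44"},
            TRUSTED, None),
    }
```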

Hardening

The Hardening module reduces your site’s attack surface through targeted WordPress and server-level tweaks. All hardening settings are available on the free plan and are organized into four tabs: WordPress Obscurity, Server Hardening, Login Security, and Security Headers.

WordPress Obscurity

Reduces information leakage and fingerprinting from your WordPress installation. Configure from Hardening > WordPress Obscurity. All settings are disabled by default.

  • Hide WordPress Version – Removes the WordPress version number from the generator meta tag, RSS feeds, and script/style query strings. Prevents automated scanners from fingerprinting your exact WordPress version.
  • Clean WordPress Head – Strips RSD/WLW manifest links, Windows Live Writer tags, shortlink meta tags, shortlink HTTP headers, and RSS/Atom feed discovery links from the HTML <head>. Reduces information leakage and removes unnecessary output.
  • Prevent Username in Author Slug – Blocks user profiles from using the login username as the author archive slug. When a nicename matches the username, WordPress requires a distinct display name or first/last name to generate a safe slug. Prevents /author/admin from revealing the actual login username.
  • Block User Enumeration – Comprehensive protection against username discovery: blocks /?author=N scanning with a 403 response, removes the /wp/v2/users REST endpoint for unauthenticated requests, strips author data from oEmbed responses, and disables the users XML sitemap.
  • Disable Theme & Plugin Editor – Revokes the edit_themes, edit_plugins, and edit_files capabilities to remove the built-in code editor from the Appearance and Plugins menus. If an administrator account is compromised, the attacker cannot inject malicious code directly through the WordPress dashboard.
  • Disable Application Passwords – Removes the Application Passwords feature introduced in WordPress 5.6. These long-lived tokens bypass two-factor authentication and can be exploited if an admin account is compromised. Disable unless required by external apps or mobile clients.
  • Restrict REST API Access – Enforces authentication on the WordPress REST API (/wp-json/wp/v2/). Core data endpoints require the appropriate capability. Unknown or third-party endpoints are blocked for unauthenticated visitors. Use the endpoint table below the toggle to selectively allow public access where needed (e.g., for WooCommerce or page builders).

Server Hardening

Writes security rules directly to your web server configuration. Configure from Hardening > Server Hardening. On Apache and LiteSpeed, rules are written to .htaccess; on Nginx with PHP-FPM, rules are written via server config. All settings are disabled by default.

  • Disable Directory Listing – Adds Options -Indexes to prevent the web server from displaying directory contents when no index file exists. Stops attackers from discovering backup files, configuration fragments, or other sensitive resources by browsing directory URLs.
  • Block PHP Execution in Uploads – Denies execution of PHP files within wp-content/uploads/ via server rules. The uploads directory is the most common target for web shell uploads through vulnerable plugins or themes. This is a critical defense-in-depth measure even when malware scanning is active.
  • Block Sensitive File Access – Denies public access to files that reveal server or WordPress metadata: readme.html, license.txt, wp-config-sample.php, error logs, and debug files. These files can expose version numbers, directory paths, and configuration details to attackers.
  • XML-RPC – Controls the xmlrpc.php endpoint, a legacy remote publishing interface commonly abused for brute-force amplification attacks and DDoS pingback abuse. Three options: Enable (leave it on), Disable Pingbacks (blocks the multicall pingback exploit while keeping other XML-RPC methods), or Disable Entirely. Disable unless required by Jetpack or the WordPress mobile app.

Login Security

Configure from Hardening > Login Security. Settings are organized into two groups: Password Policies and Login Controls.

Password Policies

Setting | Default | Description
Enforce Strong Passwords | Off | Requires all passwords to meet a minimum strength score from the zxcvbn estimator, which penalizes dictionary words, keyboard sequences, common character substitutions, and dates. Default minimum: score 3 (Strong) for regular users, score 4 (Very Strong) for administrators and editors.
Prevent Password Reuse | Off | Prevents users from setting their new password to the same value as their current password. Appears as a sub-option under Enforce Strong Passwords.
Breached Password Detection | Off | Checks new passwords against the Have I Been Pwned corpus of over 900 million compromised credentials. Uses the k-anonymity range lookup: only the first five hex characters of the password’s SHA-1 hash leave your server and the match is decided locally, so your users’ actual passwords are never transmitted.
Enforce Reset for Breached Passwords on Login | Off | Retroactively checks existing passwords at login time, the one moment the plaintext is briefly available to the server. If the password appears in a known breach, the user is redirected to a password change screen before access is granted. Appears as a sub-option under Breached Password Detection.
Password Expiration Policy | Disabled | Requires all users to change their password after a defined number of days (default: 90 days when enabled). Helps meet compliance requirements such as PCI DSS and HIPAA. Note that NIST SP 800-63B advises against forced periodic rotation unless there is evidence of compromise, because it pushes users toward predictable variations; enable it where a framework requires it and rely on breached-password detection otherwise.
Require Password Change on Role Promotion | Off | When a user’s role is elevated to Administrator or Editor, they must set a new password on their next login. Prevents a weak pre-existing credential from silently becoming an administrator credential.
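
The range lookup the two breached-password settings rely on, as an added example that is not SecureWP’s own code. It shows exactly what leaves the server (a five-character hash prefix) and where the match is decided (locally). The HTTP request is replaced by a constructed range response so it runs offline; `fetch_range`, `SAMPLE_RANGE_5BAA6` and the count values are assumptions for illustration, and the only thing to swap for production use is `fetch_range` for an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix>.

```python
"""Have I Been Pwned k-anonymity check, as run for Breached Password Detection.

Added example, not SecureWP's code. It shows exactly what leaves the server:
the first five hex characters of the password's SHA-1 hash, never the
password or the full hash. The HTTP call is replaced by a constructed range
response so the example runs offline; swap `fetch_range` for an HTTPS GET to
https://api.pwnedpasswords.com/range/<prefix> in real use.
"""
import hashlib

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6:
# one "SUFFIX:COUNT" line per hash sharing that prefix. The first suffix is the
# genuine remainder of SHA1("password"); the counts and the other two lines are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "00000000000000000000000000000000000:2",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
])


def split_hash(password):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Stand-in for the network request; only the sampled prefix has data."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password):
    """How many times the password appears in the (sampled) corpus; 0 if unseen."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # The match is decided here, locally; the service only ever saw the prefix.
        if candidate == suffix:
            return int(count)
    return 0


def password_is_acceptable(password):
    """Policy hook: reject any password seen in a breach, regardless of its strength score."""
    return breach_count(password) == 0
```

The same `breach_count` call serves both settings: at password change it runs on the proposed password, and for the login-time reset it runs on the submitted password before the session is issued. A strong zxcvbn score does not exempt a password that appears in the corpus, which is why the policy hook checks breach status independently.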

Login Controls

Setting | Default | Description
Restrict Login Identifier | Both (username or email) | Controls whether users log in with their email address, username, or both. Email Address Only is recommended: usernames are easy to harvest from author archives and the wp/v2/users REST endpoint, whereas email addresses are not normally published.
Obfuscate Login Error Messages | Off | Replaces the specific WordPress error messages (“No account found with that username”, “Incorrect password”) with one identical generic response on the login, password reset, and registration forms. Prevents attackers from confirming whether a specific username or email address exists on your site. Response timing can still differ between existing and non-existing accounts, so pair this with Limit Login Attempts rather than relying on it alone.
Bot Detection (CAPTCHA) | Off | Adds challenge verification to the login form. Supported providers: Google reCAPTCHA v2 (Checkbox or Invisible), Google reCAPTCHA v3 (score-based, threshold 0.1-1.0, default 0.5), and Cloudflare Turnstile. Configure provider keys under Settings > Integrations first.
Limit Login Attempts | Off | Temporarily locks out IP addresses and usernames after repeated failed logins. Attempts are counted separately per IP and per username, so a distributed attack on one account is caught by the username counter and a single host spraying many accounts is caught by the IP counter.

Defaults when Limit Login Attempts is enabled: 5 failed attempts per IP and 10 per username within a 5-minute window trigger a 60-minute lockout. Lockout events are recorded in the Audit Log.
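
The two-counter scheme described above, as an added example that is not SecureWP’s code. It uses the documented defaults (5 per IP, 10 per username, 5-minute window, 60-minute lockout) with an in-memory store and an injectable clock; the class and method names are hypothetical, and a real plugin would persist the counters in the database or object cache.

```python
"""Per-IP and per-username login throttling using the defaults documented above.

Added example, not SecureWP's code. Mirrors the stated defaults (5 failures per
IP, 10 per username, 5-minute window, 60-minute lockout) with an in-memory
store; a real plugin keeps this in the database or object cache. The clock is
injectable so behaviour can be tested without waiting. Names are hypothetical.
"""
import time
from collections import defaultdict, deque

MAX_PER_IP = 5
MAX_PER_USER = 10
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60


class LoginLimiter:
    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> Unix time the lockout ends
        self.audit = []                      # lockout events, as the Audit Log would record them

    @staticmethod
    def _keys(ip, username):
        # Normalise so "Admin" and "admin" share one counter.
        return (f"ip:{ip}", MAX_PER_IP), (f"user:{username.lower()}", MAX_PER_USER)

    def _expire(self, key, now):
        until = self._locked_until.get(key)
        if until is not None and now >= until:
            del self._locked_until[key]
            self._failures[key].clear()      # a fresh window starts after the lockout

    def is_locked(self, ip, username):
        now = self._now()
        for key, _ in self._keys(ip, username):
            self._expire(key, now)
            if key in self._locked_until:
                return True
        return False

    def record_failure(self, ip, username):
        """Count one failed attempt. Returns True if this attempt triggered a lockout."""
        now = self._now()
        triggered = False
        for key, limit in self._keys(ip, username):
            self._expire(key, now)
            q = self._failures[key]
            while q and q[0] <= now - WINDOW_SECONDS:   # drop attempts outside the window
                q.popleft()
            q.append(now)
            if len(q) >= limit and key not in self._locked_until:
                self._locked_until[key] = now + LOCKOUT_SECONDS
                self.audit.append({"event": "Lockout", "key": key, "until": now + LOCKOUT_SECONDS})
                triggered = True
        return triggered

    def record_success(self, ip, username):
        """Reset the username counter only. The IP counter is kept so that one valid
        login cannot be used to wipe the evidence of spraying other accounts."""
        self._failures.pop(f"user:{username.lower()}", None)
```

Two design points worth keeping when implementing this yourself: a successful login clears only the username counter (an attacker with one valid account should not be able to reset their IP counter), and the lockout is checked before the password is verified so that a locked request costs no hashing work.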

Custom Login URL

Replaces /wp-login.php and the /wp-admin redirect with a custom URL slug. Direct requests to the old login URLs can return 403, 404, or redirect to a local path you choose. This cuts most of the automated bot traffic aimed at the standard login endpoint, but the slug is an obscurity measure rather than a credential: it shows up in browser history, referrer logs, and any link you share. Keep strong passwords, 2FA, and login limiting in place behind it.

  1. Go to Hardening > Login Security and scroll to Custom Login URL.
  2. Enter your chosen login slug (e.g., team-portal). You can keep the default signup path (wp-signup.php) or define a custom Register Slug.
  3. Note the full login URL shown in the preview, then save. SecureWP sends an email notification to the site admin with the new URL and rotates the access token.

Security Headers

HTTP response headers that instruct browsers on how to handle your pages. Configure from Hardening > Security Headers. Each header is toggled independently.

Header | What it does
Content-Security-Policy | Restricts which sources the browser may load scripts, styles, images, and other resources from, mitigating XSS and data injection. Presets: Strict, Moderate, and WordPress-compatible. Deploy in Report-Only mode first to log violations without blocking anything, then switch to enforcing once the reports are clean; inline scripts from plugins and themes are the usual source of breakage under the Strict preset.
Strict-Transport-Security (HSTS) | Tells browsers to use HTTPS only for your domain, preventing protocol downgrade attacks and cookie hijacking. Configurable max-age, subdomain inclusion, and HSTS preload list opt-in. Verify HTTPS works on all pages (and on all subdomains if includeSubDomains is set) before enabling; preloading is hard to reverse, so submit to the preload list only once you are committed to HTTPS everywhere.
X-Frame-Options | Prevents your site from being embedded in third-party iframes, blocking clickjacking. Options: DENY (no embedding) or SAMEORIGIN (embedding by your own domain only).
X-Content-Type-Options | Sends nosniff so browsers do not MIME-sniff responses away from their declared content type, blocking content-type confusion attacks.
Referrer-Policy | Controls how much of the referrer URL is sent when users navigate away from your site. Protects sensitive URL paths and query parameters from leaking to third parties.
Permissions-Policy | Restricts which browser APIs (camera, microphone, geolocation, payment, autoplay, etc.) your pages can use and whether embedded iframes may use them.
Remove X-Powered-By | Strips the X-Powered-By: PHP/x.x.x response header, reducing technology fingerprinting by automated scanners.
Remove Server Header | Attempts to strip the web server software and version from HTTP responses. The Server header is added by the web server itself, so PHP can influence it only for PHP-generated responses, and on some server setups not even then; static assets are never covered. For full coverage set ServerTokens Prod on Apache or server_tokens off on nginx (both reduce the header to the bare product name) in the server configuration outside WordPress.
Remove X-Generator | Removes the X-Generator: WordPress HTTP header, preventing CMS platform identification by automated scanners. The <meta name="generator"> tag WordPress prints in page HTML is a separate fingerprint and is not covered by this header toggle.

Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step at login so that a stolen password alone is not enough to access an account. Available on the free plan. Access it from Hardening > Two-Factor (2FA) in the SecureWP admin menu. The page has two tabs: 2FA Enforcement (site-wide policy) and My 2FA (individual account setup).

Setting Up 2FA (My 2FA Tab)

Navigate to Hardening > Two-Factor (2FA) > My 2FA. Click Set Up and choose a verification method.

Authenticator App (TOTP)

  1. Select Authenticator App and click Continue.
  2. Scan the QR code with an authenticator app such as Google Authenticator, Authy, or 1Password. If you cannot scan the code, expand Can’t scan? Enter key manually to see the plain-text secret key.
  3. Enter the 6-digit code currently shown in your app and click Verify & Activate. 2FA is now active on your account.

Email Code

  1. Select Email Code and click Continue. SecureWP sends a 6-digit verification code to your WordPress email address.
  2. Enter the code and click Verify & Activate. If the code does not arrive, use Resend code. Codes expire after 10 minutes.

After activation, SecureWP challenges future logins with your chosen 2FA method unless the login qualifies for a remembered device exemption.

Recovery Codes

After completing 2FA setup, SecureWP generates 8 single-use recovery codes. Copy or save them to a password manager immediately; they are shown only once. Each code can be used exactly once to bypass the 2FA prompt when you lose access to your authenticator app or email. Recovery codes can be regenerated at any time from the My 2FA tab, which immediately invalidates the previous set.
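
The server-side checks behind Verify & Activate, the login challenge, and recovery-code use, as an added example that is not SecureWP’s code. It assumes the authenticator defaults the listed apps use (30-second steps, 6 digits, HMAC-SHA1), a tolerance of one step either side for clock drift, replay rejection, and recovery codes stored as salted PBKDF2 hashes; the class and function names, the hash rounds, and the code format are assumptions.

```python
"""TOTP (RFC 6238) verification and single-use recovery codes.

Added example, not SecureWP's code: the server-side checks behind "Verify &
Activate", the login challenge, and recovery-code use. Assumptions: 30-second
time steps, 6 digits and HMAC-SHA1 (the defaults Google Authenticator, Authy
and 1Password use), a tolerance of one step either side for clock drift, and
rejection of any code at or below the last accepted step (replay). Recovery
codes are stored as salted PBKDF2 hashes and consumed exactly once.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1
PBKDF2_ROUNDS = 100_000


def totp_code(secret_b32, at):
    """The code valid during the time step that contains Unix time `at`."""
    clean = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // STEP_SECONDS), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    def __init__(self, secret_b32, now=time.time):
        self.secret = secret_b32
        self._now = now
        self.last_step = -1            # highest time step already redeemed by this user

    def verify(self, submitted):
        now_step = int(self._now()) // STEP_SECONDS
        for step in range(now_step - DRIFT_STEPS, now_step + DRIFT_STEPS + 1):
            if step <= self.last_step:
                continue               # already used, or older than one we accepted
            expected = totp_code(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted.strip()):
                self.last_step = step  # persist this per user in real code
                return True
        return False


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS).hex()


def new_recovery_codes(n=8):
    """Return (plaintext codes to show once, records to store). Each code is 64 random bits."""
    plain, stored = [], []
    for _ in range(n):
        raw = secrets.token_hex(8)
        code = "-".join(raw[i:i + 4] for i in range(0, 16, 4))   # xxxx-xxxx-xxxx-xxxx
        salt = secrets.token_bytes(16)
        plain.append(code)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return plain, stored


def consume_recovery_code(stored, submitted):
    """Accept a recovery code once; a second use of the same code fails."""
    candidate = submitted.strip().lower()
    for rec in stored:
        if rec["used"]:
            continue
        if hmac.compare_digest(rec["hash"], _hash_code(candidate, rec["salt"])):
            rec["used"] = True
            return True
    return False
```

`totp_code` reproduces the RFC 6238 test vectors, which is the quickest way to confirm a TOTP implementation before wiring it to a secret. The replay guard (`last_step`) is what stops a code captured by a phishing page from being replayed inside its 30-second window; the drift tolerance is deliberately small because every extra step accepted widens the guessing window for an attacker.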

Trusted Devices

When logging in, users can opt to Remember this device. SecureWP skips the 2FA prompt on that browser for the configured duration (default: 30 days). Administrators can change the duration under the 2FA Enforcement settings, or set it to 0 to disable remembered devices entirely.

Disabling 2FA

To remove 2FA from your account, scroll to Disable Two-Factor Authentication on the My 2FA tab, enter your current WordPress password, and click Disable 2FA. Password confirmation is required to prevent accidental removal.

Enforcing 2FA by Role (2FA Enforcement Tab)

Administrators control site-wide 2FA requirements from Hardening > Two-Factor (2FA) > 2FA Enforcement. Settings are saved automatically when toggled.

Setting | Default | Description
Enable Two-Factor Authentication | Off | Master toggle that allows users to set up 2FA on their accounts. Must be on for enforcement to work.
Allowed 2FA Methods | Both (TOTP + Email) | Choose which methods users can select: Authenticator App (TOTP), Email Code, or both. Restricting to TOTP is stronger, because an Email Code is only as secure as the user’s mailbox and the mail path to it; keep Email Code as a fallback for users without a smartphone.
Enforce 2FA for Roles | Administrator | Roles that must have 2FA active. All five roles are available: Administrator, Editor, Author, Contributor, Subscriber. Users in an enforced role who have not set up 2FA are redirected on every login until they complete enrollment.
Remember Device Duration (days) | 30 days | How long a trusted browser is remembered before prompting for 2FA again. Set to 0 to disable device trust entirely. A remembered device is a bearer credential stored in the browser, so keep the duration short for administrators.
Grace Period (days) | 3 days | Days users in enforced roles have to set up 2FA after enforcement is activated. During this period, a dismissible admin notice reminds them to enroll. After the grace period expires, unenrolled users are blocked from the admin until they complete setup.

Vulnerability Scanner

SecureWP monitors every plugin, theme, and WordPress core version installed on your site against a cloud vulnerability intelligence database. Plugin and theme inventories are sent to the SecureWP cloud API, which returns matched CVEs, severity scores, and remediation metadata. Available on the free plan. New vulnerabilities trigger an email notification when detected.

What is checked

  • All installed plugins (active and inactive) – each plugin slug and version is matched against known CVEs. Custom and commercial plugins not tracked by the WordPress.org update system are detected automatically and flagged to the cloud for enrichment.
  • All installed themes (active and inactive) – same CVE matching applied to themes.
  • WordPress core – current core version checked against known vulnerabilities.
  • Abandoned plugins and themes – components not updated by their author in over 365 days are flagged. Abandoned software is no longer patched and represents an ongoing risk even without an active CVE.

Reading the results

Issues are grouped by component. Each group shows the component name, installed version, and an action button. Expand a vulnerability row to see:

  • Vulnerability title and full description of the security impact
  • Affected version range – the version constraint under which the vulnerability exists
  • CVE ID – links directly to the CVE record at cve.org for additional context
  • Severity badge with CVSS score – four levels: Critical, High, Medium, Low

Severity | Recommended action
Critical / High | Update or remove the component immediately. Vulnerabilities at this level are typically exploitable remotely with little or no authentication.
Medium | Update at your earliest opportunity. Risk depends on your site configuration and exposure.
Low | Low exploitation risk under typical conditions. Monitor and update in your next maintenance window.

Remediating vulnerabilities

  • Update Now – for plugins and themes hosted on WordPress.org, SecureWP triggers the update directly from the Vulnerabilities page. No need to visit the Plugins or Themes screen.
  • Open Fix Guide – for commercial or custom plugins not in the WordPress.org repository, SecureWP links to a vendor or guidance page instead of attempting an automatic update. Vulnerable removable themes may show Delete Theme instead.

Audit Log

The Audit Log captures security-relevant activity on your site with a timestamped record for every event: the event name, the user responsible (or “System” for automated actions), their IP address, their role, severity level, and a structured details panel with additional context. Use it to investigate incidents, track configuration changes, or satisfy compliance requirements.

Events recorded

The following events are captured automatically.

Event | Severity | Details captured
User Login | Info | Username of the authenticated user.
Login Failed | Warning | Username attempted.
Plugin Activated | Info | Plugin file path (e.g. akismet/akismet.php).
Plugin Deactivated | Warning | Plugin file path.
Plugin Updated | Info | Plugin file path.
Theme Switched | Info | Theme display name.
Theme Updated | Info | Theme slug.
WordPress Core Updated | Info | Recorded when an upgrader process for core completes.
User Registered | Info | New username and email address.
User Deleted | Warning | Username of the deleted account.
User Profile Updated | Info | Username and the field that changed. Currently detected: email address change.
Site Setting Changed | Warning | Option name, old value, and new value. Tracked options: siteurl, home, admin_email, users_can_register, default_role, active_plugins, start_of_week.
Audit Log Cleared | Warning | Recorded automatically after a successful Clear All operation, so the log is never completely empty.

Log viewer

If audit logging is currently disabled, the Audit Log page shows an Enable Audit Logging action instead of the table. Once enabled, the page displays the 100 most recent events. The table shows six columns per row:

  • Event – event name with a severity-colored icon and a key/value details summary beneath it.
  • User – WordPress username and assigned role. Automated system events show “System”.
  • Date & Time – timestamp in YYYY-MM-DD HH:MM:SS format (server time).
  • Category – event group label (Authentication, Plugins, Themes, User, Settings, Updates).
  • IP Address – visitor IP resolved with the same proxy-aware logic as the firewall (Settings > Advanced > IP Detection). If that setting does not match your hosting setup, this column shows the proxy’s address or a value the client supplied, so confirm it before treating it as evidence.
  • Severity – Info (blue), Warning (amber), or Critical (red).

Filtering and export

Use the search field above the table to filter the visible log by event name, username, or IP address. The filter applies instantly to all loaded entries; pagination resets to page 1 on each new search. The log paginates at 15 rows per page.

Export CSV downloads the currently filtered view (not just the current page) as a CSV file with columns: Timestamp, Event, Category, User, Role, IP, Details, Severity. The filename includes the current date.

Clear All permanently deletes every database and file log entry after a confirmation prompt. The action is irreversible. A new “Audit Log Cleared” entry is written immediately after the operation so the log is never left with no history of what occurred.

Storage and retention

Configure log storage under Settings > Advanced > Data Configuration. Audit logging has a master enable/disable toggle, a log-level control, and three storage modes:

  • Database Only (default) – entries are written to a custom database table. The Audit Log viewer in the plugin admin always reads from this table.
  • File Only – entries are written to a rotating log file on disk. Note: the admin log viewer reads from the database; select Database + File if you need both the on-disk archive and the in-admin viewer.
  • Database + File – entries are written to both destinations simultaneously. If the file write fails, the database record is still preserved.

Log Level controls the minimum significance of stored events. Standard is the recommended default and suppresses routine noise while keeping security-relevant activity.

Retention is configured separately for each storage type. Database Log Retention (default 90 days, max 3,650) and File Log Retention (default 90 days, max 3,650) are each auto-purged by a daily background job. If file-only mode is selected and a file write fails, the entry is silently written to the database as a fallback.

Security Tools

Advanced maintenance utilities available under SecureWP > Tools. Each tool shows its current status inline and requires an explicit confirmation step before executing. All tools require administrator (manage_options) access. Executions fire a securewp_tools_action_completed hook that can trigger admin notifications.

If Write to Files is disabled under Settings, the Tools page shows a warning banner and file-writing tools operate in manual mode until file writes are re-enabled.

Manual Configuration Rules

This card opens the Hardening > Server manual rules view so you can copy production-safe wp-config.php and server rules when automatic file writing is unavailable.

Change Database Table Prefix

The default WordPress table prefix is wp_. Many automated SQL injection payloads hard-code that default, so changing it breaks them, but it does not hide the tables from an attacker who can run arbitrary queries (SHOW TABLES or information_schema reveals the new prefix). Treat it as friction, not as a fix for the injection itself. SecureWP renames all database tables and updates the prefixed references in wp_options and wp_usermeta (option and meta keys such as wp_user_roles and wp_capabilities) to the new prefix.

The card footer shows the current prefix. Click Generate Random Prefix to produce a safe 5-character prefix (one starting letter followed by three alphanumeric characters plus a trailing underscore, e.g. sp7k_), or type your own. Prefix rules: must start with a letter or underscore, contain only letters, numbers, and underscores, and end with an underscore. The Execute Change button is unavailable when SecureWP is not allowed to write configuration changes.

After clicking Execute Change, an inline confirmation panel expands requiring you to enter the new prefix and check I have created a database backup before the Confirm Change button becomes active.

Change User ID 1

WordPress assigns ID 1 to the first user account created during installation, and many automated attack scripts target user ID 1 specifically. SecureWP migrates all posts, pages, and other database objects from ID 1 to a new randomized ID and logs you out immediately on completion. The new ID remains discoverable through author archives (/?author=N) unless those are disabled, so this removes a shortcut for attackers rather than a source of information.

The card footer shows Secured when no user with ID 1 exists (the tool has already been run or ID 1 was never present) and Vulnerable when ID 1 still exists. The Run Tool button only appears when the site is in a Vulnerable state.

Clicking Run Tool auto-generates a safe unused ID (current max user ID plus a random offset) and pre-fills it. An inline panel shows the migration warning and requires you to check I understand I will be logged out before the Migrate ID button becomes active.

Regenerate Security Salts

WordPress uses eight secret constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their four corresponding SALT variants) to sign authentication cookies and nonces. Replacing them immediately invalidates every active session on the site, forcing all users including administrators to log in again.

The card footer shows whether wp-config.php is Writable or Read-Only. The Regenerate button is unavailable when configuration file writes are blocked. Clicking it expands an inline confirmation panel with the warning All 8 authentication constants in your configuration file will be replaced. You will be logged out immediately. You must check Confirm invalidating all active user sessions before the Invalidate Sessions button activates.

Use this after a suspected credential compromise, session hijacking incident, or when rotating security keys as part of a routine security audit.

Rotate Encryption Key

SecureWP encrypts sensitive data at rest: API tokens, cloud credentials, and 2FA TOTP secrets. The master key is stored either in a dedicated key file (source: file) or as a constant in wp-config.php (source: constant). Rotating the key generates a new master key and immediately re-encrypts all stored secrets with it.

The card footer shows the current key source. If the source is constant and configuration file writes are blocked, the button is disabled. After rotation, verify that any users with TOTP-based 2FA can still authenticate with their authenticator app. Cloud credentials are recovered automatically.

Use this periodically or after a suspected server-level compromise where the key file or configuration file may have been exposed.

Configuration Transfer

Export your current SecureWP configuration as a JSON file, or restore a previously saved configuration to rapidly replicate settings across multiple domains or environments. Secret keys, API credentials, and license tokens are automatically excluded from the export.

  • Export: Click Export Settings. A file named securewp - settings - YYYY-MM-DD.json downloads immediately, containing all non-sensitive configuration values formatted as readable JSON.
  • Import: Click Import Settings and select a .json file. The selected filename and file size are shown for confirmation. Click Commit Import to apply the configuration immediately. There is no preview or diff, so import only files you exported yourself or have reviewed: an edited file could silently weaken settings, for example by disabling the firewall or login limiting. Click Dump to discard the file and cancel the import without making any changes.

Diagnostics

The Diagnostics card generates a consolidated environment and configuration report. Use Run Diagnostics to gather the current status, Refresh to fetch a fresh report, and Copy Status to copy a support-friendly summary to the clipboard.

Settings

Global configuration under SecureWP > Settings, organized across five tabs: Scanner, Notifications, Integrations, License & Plan, and Advanced.

Scanner

Configure automated scan scheduling and path exclusions under Settings > Scanner.

Exclusions

The current Scanner settings UI exposes one Excluded Paths field. Enter one path or pattern per line:

  • Bare names: values like cache, backups, or vendor exclude matching directories anywhere in the scanned path.
  • Absolute paths: values starting with / exclude that exact path tree.
  • Wildcard patterns: * and ? are supported for pattern matching.
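
A matcher for the three pattern forms above, as an added example that is not SecureWP’s code, so an exclusion list can be tested against your own file list before it is saved. The matching rules are one reading of the description and may differ from the plugin’s implementation; the file paths are constructed. It also surfaces the pitfall worth checking: a bare name such as `cache` excludes every directory of that name anywhere, including one a malicious plugin creates under wp-content/plugins/.

```python
"""Testing scanner path exclusions before you rely on them.

Added example, not SecureWP's code: one reading of the three pattern forms
listed above (bare names, absolute paths, wildcards) as a matcher you can run
over your own file list. The plugin's exact matching rules are not published
here, so treat this as an approximation. It also shows the pitfall to check
for: a bare name such as `cache` excludes every directory of that name,
including one created by a malicious plugin under wp-content/plugins/.
"""
import fnmatch
import posixpath


def _normalize(path):
    return posixpath.normpath(path.replace("\\", "/"))


def _suffixes(parts):
    """'/a/b/c' -> ['/a/b/c', 'a/b/c', 'b/c', 'c'] so relative wildcards can anchor anywhere."""
    return ["/".join(parts[i:]) for i in range(len(parts))]


def is_excluded(path, patterns):
    """True if the absolute POSIX-style `path` matches any pattern in `patterns`."""
    path = _normalize(path)
    parts = path.split("/")
    for raw in patterns:
        pat = raw.strip()
        if not pat:
            continue
        if "*" in pat or "?" in pat:
            # Wildcard: match the whole path or any suffix starting at a component boundary.
            if any(fnmatch.fnmatchcase(s, pat) for s in _suffixes(parts)):
                return True
        elif pat.startswith("/"):
            # Absolute path: the path itself and everything beneath it.
            root = _normalize(pat)
            if path == root or path.startswith(root + "/"):
                return True
        elif pat in parts:
            # Bare name: any component with exactly that name, at any depth.
            return True
    return False


def excluded_files(files, patterns):
    """Which of `files` the scanner would skip; review this list before saving an exclusion."""
    return [f for f in files if is_excluded(f, patterns)]
```

Run `excluded_files` over a listing of wp-content before committing an exclusion: if the result contains anything under plugins/ or uploads/ that you did not expect, narrow the pattern to an absolute path.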

Automated Scans

Scan Intensity controls which scan type scheduled scans run: Standard keeps recurring scans faster with lower impact, while Deep performs broader verification and content-level checks.

Scan Frequency options in the current UI are Manual Only, Daily, Weekly, and Monthly. Automated schedules are available on Pro plans.

Notifications

Configure which security events trigger alerts under Settings > Notifications. A master Enable Email Notifications toggle controls all email delivery. Leave Recipient Email blank to use the WordPress admin email, or enter one address to route to a dedicated security inbox. Events are organized into three groups.

Scanner & Threat Detection

Event | Description
Scan Results | Single summary email when a security scan completes with findings. Clean scans do not generate a notification. Configurable Minimum Severity filter: All Severities, Low and above, Medium and above, High and above, or Critical only.
Vulnerability Detection | Triggered when a known CVE is identified in an installed plugin or theme. Same Minimum Severity filter as Scan Results.
Scan Error | Triggered when a scan fails to complete due to an API timeout, database issue, or resource limit.

Firewall & Access Control

Event | Description
Firewall Block Digest | A scheduled summary of all WAF block events (SQL injection, XSS, remote file inclusion, IP blocklist matches). Digest schedule: Daily, Weekly, or Monthly, selected per event when the alert is enabled.
Brute-Force Lockout | Sent once when an IP address or username is locked out after exceeding the maximum failed login attempts. One alert per distinct lockout event.

Account & Administration

These events are disabled by default and intended for compliance auditing and administrative oversight.

Event | Description
Two-Factor Authentication Change | Triggered when a user enables or disables 2FA on their account.
Administrative Tool Usage | Triggered when a sensitive security tool is executed (salt regeneration, database prefix change, encryption key rotation).
Administrator Login | Sends an alert when an admin user logs in. Includes their IP address, browser, and login time.
SecureWP Deactivated | Critical-severity alert sent when SecureWP itself is deactivated. Helps detect unauthorized changes to your security setup.

Webhook Delivery

Forward security events to Slack, Discord, or a custom HTTP endpoint alongside email. Enable the Webhook Notifications toggle, then select a provider and paste your webhook URL.

  • Slack – payloads formatted as Slack Block Kit messages with a header, site name, event details, and timestamp. Create an Incoming Webhook in your Slack workspace under Apps.
  • Discord – payloads formatted as Discord rich embeds with color-coded severity (red for malware, blue for general events). Create a webhook under Channel Settings > Integrations > Webhooks.
  • Generic (JSON) – raw JSON POST to any HTTP endpoint. Includes an X-SecureWP-Signature HMAC-SHA256 header so your server can verify the payload origin. Use the Send Test Webhook button to confirm your endpoint is receiving events.
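
Both sides of the Generic (JSON) signature check, as an added example that is not SecureWP’s code. The page states only that deliveries carry an X-SecureWP-Signature HMAC-SHA256 header, so the encoding (lowercase hex over the raw body) is an assumption to confirm against a test delivery. The X-SecureWP-Timestamp header, its binding into the MAC, the secret, and the event payload are all constructed for illustration; if real deliveries carry no timestamp header, drop that check and keep the rest.

```python
"""Verifying a Generic (JSON) webhook delivery signed with HMAC-SHA256.

Added example, not SecureWP's code. The page says deliveries carry an
X-SecureWP-Signature HMAC-SHA256 header but does not document its encoding,
so this assumes a lowercase hex digest over the raw request body. The
X-SecureWP-Timestamp header and its binding into the signature are my
addition to show replay limiting; if real deliveries have no such header,
drop that part. The secret and event payload below are constructed.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300


def sign(secret, body, timestamp):
    """Sender side: MAC over "<timestamp>.<raw body>" so neither can be altered independently."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, body, headers, now=None):
    """Receiver side. Verify the raw bytes *before* parsing the JSON, and use a
    constant-time comparison so an attacker cannot learn the MAC byte by byte."""
    now = int(time.time()) if now is None else now
    lower = {k.lower(): v for k, v in headers.items()}
    try:
        timestamp = int(lower.get("x-securewp-timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, body, timestamp)
    return hmac.compare_digest(expected, lower.get("x-securewp-signature", ""))


SECRET = b"whsec_constructed_shared_secret"            # constructed; share out of band
SAMPLE_EVENT = {"event": "Brute-Force Lockout", "site": "https://example.com",
                "ip": "203.0.113.7", "username": "admin"}  # constructed, not a captured payload


def sample_delivery(timestamp=1_700_000_000):
    """Build one signed request exactly as a sender would: raw body plus headers."""
    body = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode()
    headers = {"Content-Type": "application/json",
               "X-SecureWP-Timestamp": str(timestamp),
               "X-SecureWP-Signature": sign(SECRET, body, timestamp)}
    return body, headers


def handle(body, headers, now=None):
    """What a receiving endpoint should do: reject first, parse second."""
    if not verify(SECRET, body, headers, now):
        return None
    return json.loads(body)
```

The order in `handle` matters: the MAC is checked over the exact bytes received, before any JSON decoding, because re-serializing the parsed object can change whitespace or key order and break the signature. Use the Send Test Webhook button to capture one real delivery and adjust `sign` to whatever header format it actually carries.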

Integrations

Configure third-party credentials under Settings > Integrations. The current page includes Cloudflare, MaxMind GeoIP, and CAPTCHA provider settings.

Cloudflare Connection

Enter your Cloudflare Zone ID (found in the Cloudflare Dashboard under Website > Overview) and authenticate with either API Token (recommended) or Global API Key (requires your Cloudflare email). Click Save & Verify to validate credentials against Cloudflare’s API, confirm zone access, and audit the permissions SecureWP needs for list sync and edge WAF management. A status panel shows Connection state, discovered Account ID, permission-check result, and detected Cloudflare plan. Use Re-verify Credentials to re-test saved credentials without changing settings.

The recommended path is to create a custom API Token in Cloudflare, scope it to the correct account and zone, paste the token value and Zone ID into SecureWP, then click Save & Verify. If required permissions are missing, SecureWP lists the exact scopes that must be added.

API Token (Recommended) provides the best security model: least-privilege, revocable, and scoped to specific zones. Global API Key grants broad account-level access and should be used only as a fallback when token-based authentication is not available.

Screenshot: the Integrations screen shows the Cloudflare connection state, resolved account context, and permission audit after Save & Verify.

API Token Permissions

Create a Custom Token in the Cloudflare Dashboard and grant these required permissions:

Permission | Purpose
Zone – Zone – Read | Zone and profile validation, plan detection
Zone – WAF – Edit | Managed zone-level custom firewall rule updates
Account – Filter Lists – Edit | Managed account-level IP block and allow lists

Required additional permission:

Permission | When it is used
Account – Firewall Access Rules – Edit | Required for reliable Cloudflare synchronization and recovery flows. This permission is checked against the owning account, not the zone endpoint.

Under Zone Resources, include the zone(s) you are protecting. Under Account Resources, include the account that owns those zones. SecureWP checks these permissions during Save & Verify and reports exactly which required scopes are missing.

How to read the status

Status | Meaning
Connected | Authentication, zone access, account access, and all required token permissions are valid.
Configured | Credentials were saved, but SecureWP still needs you to correct zone access, account scope, or token permissions before edge sync is fully ready.
Not Configured | Zone ID or credentials are missing.

Credential Input Rules

  • API Token mode expects the raw token value only. Do not paste Authorization:, Bearer, extra spaces, or the Token ID (the short hex identifier shown next to the token name).
  • Global API Key mode expects the raw key value plus the matching Cloudflare account email address.

Connection Troubleshooting

  • “invalid request header” usually means the wrong credential type was entered for the selected authentication mode (e.g., a Global API Key in the API Token field, or extra whitespace).
  • Token looks like a short hex string (16-20 characters) rather than a long alphanumeric string: you have likely copied the Token ID, not the API Token value.
  • Save & Verify returns a missing-permission error: update the token to include all four permissions: Zone – Zone – Read, Zone – WAF – Edit, Account – Filter Lists – Edit, and Account – Firewall Access Rules – Edit.
  • Connected but rules are not syncing: verify that the token’s Zone Resources include the correct zone and Account Resources include the owning account. If scopes were changed after initial setup, use Re-verify Credentials so SecureWP refreshes the permission audit.

Firewall policy rules are configured under Firewall > Rules. Edge synchronization is managed under Firewall > Cloudflare Sync.

MaxMind GeoIP

Use this section to configure local country lookups for country blocking. SecureWP expects a MaxMind Account ID and License Key. After saving them, click Update Country Database to download or refresh the local GeoLite2 country database.

Country rules themselves still live under Firewall > Rules. The Integrations page handles provider credentials and database maintenance only.

For MaxMind setup, use the vendor pages directly: create a free GeoLite2 account, then generate a license key in MaxMind License Key Management.

CAPTCHA / Bot Detection

Configure CAPTCHA API keys here, then enable protection in Hardening > Login Security. Three providers are supported:

  • Google reCAPTCHA v2 – supports Checkbox and Invisible variants. Requires Site Key and Secret Key from the Google reCAPTCHA admin console.
  • Google reCAPTCHA v3 – risk-score based, no user interaction required. Includes a Score Threshold slider (0.1 to 1.0, default 0.5; lower is more permissive, higher is stricter).
  • Cloudflare Turnstile – privacy-respecting bot detection. Requires a Site Key (rendered in the login form) and a Secret Key (used for the server-side siteverify call); both are shown in the Cloudflare Dashboard under Turnstile.

For provider setup, use the vendor pages directly: Google reCAPTCHA Admin Console and Cloudflare Turnstile Docs.

Advanced: Server Configuration

Configure under Settings > Advanced > Server Configuration.

  • Server Type: Auto-Detect (default), Apache, LiteSpeed, or Nginx. Auto-detect works for most setups. Override if your server is behind a reverse proxy or uses a non-standard configuration.
  • Nginx Config File: Shown when Nginx or Auto-Detect is selected. Provide the path to an nginx include file that PHP can write to. Leave blank to use the default (nginx.conf in the site root). Nginx ignores this file until it is referenced with an include directive from the site’s server block and nginx is reloaded, so verify a rule is live (for example by requesting a .php file under wp-content/uploads/) rather than assuming the write succeeded. Because the file is writable by the PHP process, anyone who gains PHP execution on the site can also rewrite it; on hosts where you manage nginx yourself, consider turning Write to Files off and applying the rules manually.
  • Write to Files: Enabled by default. When toggled off, SecureWP stops automatically writing rules to .htaccess or nginx.conf. Disable this if you manage server configuration manually.

Advanced: IP Detection

Configure under Settings > Advanced > IP Detection. SecureWP runs an automatic IP diagnostic on page load and displays the currently detected visitor IP and the header it was sourced from.

  • Automatic (Recommended): SecureWP selects the best proxy header for your server environment automatically.
  • Manual: Exposes a Proxy Header dropdown. Select the specific header your proxy uses: CF-Connecting-IP (Cloudflare), X-Forwarded-For, Forwarded (RFC 7239), X-Real-IP, X-Client-IP, Client-IP, or X-Cluster-Client-IP. Choose only a header that your proxy overwrites on every request: a header the proxy merely passes through can be set by the client, which lets an attacker sidestep IP-based lockouts and blocklists and write an address of their choosing into the Audit Log.
  • Disabled (Direct Connection): Uses REMOTE_ADDR only. Use this whenever no reverse proxy sits in front of PHP; without a proxy, every forwarding header is client-supplied and must be ignored.

An Advanced Options link leads to the full IP detection configuration in Firewall > Advanced.
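
The trust rule behind the three modes above, as an added example that is not SecureWP’s code: a forwarding header is believed only when the TCP peer (REMOTE_ADDR) is a proxy you operate or use, and the client is the right-most hop in the chain that is not one of your proxies. The trusted ranges, the header priority order for Automatic mode, and the function names are assumptions; substitute your load balancer’s addresses or Cloudflare’s published ranges.

```python
"""Resolving the visitor IP behind a reverse proxy without trusting spoofable headers.

Added example, not SecureWP's code. The rule it implements: a forwarding header
is believed only when the TCP peer (REMOTE_ADDR) is a proxy you operate or use,
because any client can send X-Forwarded-For itself. The trusted ranges below
are constructed placeholders; substitute your load balancer's addresses or
Cloudflare's published ranges. The three modes mirror the settings above.
"""
import ipaddress
import re

TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]  # constructed
HEADER_PRIORITY = ["CF-Connecting-IP", "X-Real-IP", "Forwarded", "X-Forwarded-For"]  # assumed "auto" order


def _valid(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def _is_trusted(addr):
    return _valid(addr) and any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def _strip_port(node):
    if node.startswith("["):                       # "[2001:db8::1]:443" or "[2001:db8::1]"
        return node[1:node.index("]")] if "]" in node else node
    if node.count(":") == 1:                       # "198.51.100.23:1234"
        return node.split(":")[0]
    return node


def _parse_forwarded(value):
    """RFC 7239 Forwarded: 'for=198.51.100.23;proto=https, for="[2001:db8::1]:443"' -> hops in order."""
    hops = []
    for element in value.split(","):
        m = re.search(r'for=(?:"([^"]*)"|([^;,\s]+))', element, re.IGNORECASE)
        if m:
            hops.append(_strip_port(m.group(1) if m.group(1) is not None else m.group(2)))
    return hops


def client_ip(remote_addr, headers, mode="auto", header=""):
    """Address to use for lockouts, blocklists and the Audit Log.

    mode="disabled": REMOTE_ADDR only. mode="manual": only `header`. mode="auto":
    the first header present in HEADER_PRIORITY. Headers count only when
    REMOTE_ADDR is a trusted proxy; the client is the right-most hop that is not
    one of our proxies, and anything left of it was supplied by the client.
    """
    if mode == "disabled" or not _is_trusted(remote_addr):
        return remote_addr
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ([header] if mode == "manual" else HEADER_PRIORITY):
        value = lower.get(name.lower())
        if not value:
            continue
        hops = _parse_forwarded(value) if name.lower() == "forwarded" else [h.strip() for h in value.split(",")]
        for hop in reversed(hops):
            if _is_trusted(hop):
                continue
            return hop if _valid(hop) else remote_addr    # garbage never reaches the log
        return remote_addr                                 # every hop was one of our proxies
    return remote_addr
```

Two behaviours to notice: a request that arrives directly (not from a trusted proxy) has its X-Forwarded-For ignored entirely, which is what stops a bot from rotating a fake address to defeat lockouts; and a value that does not parse as an IP address falls back to REMOTE_ADDR, so header garbage cannot end up in the Audit Log or in a firewall rule.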

Advanced: Data Configuration

Configure under Settings > Advanced > Data Configuration.

  • Audit Logging: master toggle that enables or disables audit event capture globally.
  • Log Storage: Database Only (default), File Only, or Database + File simultaneously. Note: the Audit Log viewer in the plugin admin always reads from the database; select Database + File if you need both the on-disk archive and in-admin log display.
  • Log Level: All Events, Standard (Recommended), or Warnings Only. Standard keeps the log useful without preserving routine low-value noise.
  • Database Log Retention: Shown when storage is Database Only or Database + File. Auto-purge entries older than this threshold (default 90 days, max 3,650 days).
  • File Log Retention: Shown when storage is File Only or Database + File. Auto-purge rotated log files older than this threshold (default 90 days, max 3,650 days).

A daily background cron job runs the retention cleanup. If File Only mode is selected and a file write fails, the entry is silently written to the database as a fallback.

Need more help?

Our security team is available 24/7. We typically respond within 30 minutes.