SiteFort FAQ
What should I enable first after installing SiteFort?
After installation, start with the SiteFort activation wizard. The wizard guides you through the recommended setup order: activate your license, enable key hardening controls, configure firewall protection, and then run your first security scan. Most baseline security settings can be enabled directly from the wizard, so you do not need to configure every module manually before getting protected.
For a safe production rollout, enable Hardening first to reduce the WordPress attack surface, then configure Firewall protection after confirming that IP Detection is reading visitor IPs correctly. Once those controls are active, run the final Security Scan step to check for malware, unauthorized file changes, and known vulnerabilities. After the baseline is stable, you can add stricter controls such as Cloudflare Sync, country rules, CAPTCHA, Content Security Policy, and advanced notification routing.
Should I use Standard Scan or Deep Scan?
Use Standard Scan for normal daily protection. Use Deep Scan when you suspect compromise, after cleanup, before launch, or when Standard Scan findings require broader verification.
Can I use Cloudflare Sync without Cloudflare DNS proxying?
SiteFort can verify credentials and push supported rules only for the configured zone, but edge blocking affects traffic that actually passes through Cloudflare. DNS records should be proxied when you expect Cloudflare to stop traffic before it reaches the origin server.
Why is IP Detection so important?
Firewall decisions depend on the visitor IP. If a proxy header is wrong or spoofable, bans, allowlists, country rules, rate limits, and lockouts can affect the wrong user.
Will Trusted IPs bypass all firewall checks?
Yes. Trusted IPs bypass firewall rules. Use them only for stable administrator, office, VPN, monitoring, or partner IPs that you control.
Most headers are low risk, but Content-Security-Policy and HSTS require careful rollout. Test CSP in Report Only mode and enable HSTS preload only when every subdomain is HTTPS-ready.
Back up the site, understand the impact, and run during a maintenance window when needed. Salt regeneration logs users out, encryption key rotation affects stored secrets, database prefix changes modify tables, and User ID 1 migration forces logout.
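The IP Detection answer above explains why a wrong or spoofable proxy header misdirects firewall decisions. The following is an added example, not SiteFort's own code: a resolver that honours the X-Forwarded-For header only when the socket peer is a trusted proxy. The proxy ranges, function names, and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed example ranges: reverse proxies the site operator actually controls.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]


def _is_trusted(ip):
    """True when the address belongs to one of the trusted proxy ranges."""
    return any(ip in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Parse one address; return None instead of raising on garbage."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def resolve_client_ip(remote_addr, x_forwarded_for=None):
    """Return the IP that bans, allowlists and rate limits should be keyed on."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("invalid socket peer address")
    # A visitor connecting directly can put anything in the header, so it is
    # ignored unless the connection itself comes from a trusted proxy.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Each proxy appends the address it saw, so walk the chain right to left.
    # The first hop that is not a trusted proxy is the real client; anything
    # further left was supplied by that client and is not believed.
    for hop in reversed(x_forwarded_for.split(",")):
        ip = _parse(hop)
        if ip is None:
            return str(peer)  # malformed header: fall back to the socket peer
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)  # every listed hop was a trusted proxy
```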