WP AutoShield®: One-Click WordPress Security from cPFence

slimx

I love this.
So is this just automatically added into our existing CPFENCE Security? Or is this an additional product?

cPFence
That's great news!

cPFence

Yes, it’s included in your cPFence license. Just flip the switch, and WP AutoShield will take care of everything, protecting all your sites while you sleep.

leonardo

cPFence This is brilliant, I need to try this out and see how to make it work with Defender Pro we use now on client websites - possibly this could replace the plugin altogether?

cPFence

leonardo

Yes, with WP AutoShield running server-wide, there’s no need for any additional security plugins. Feel free to disable other per-website plugins.

wenani

@cPFence we appreciate for this.

I was waiting for the Captcha feature. Is it possible to disable it on specific users. I have users who have integrated their eCommerce sites with external payment systems, and I noticed they are not able to verify payments when Captcha is enabled on /wp-admin. I don't know if it is possible to whitelist specific urls or users?

Also, is it possible to manually enable Captcha for a specific link/ directory. For instance if I wanted to protect my whmcs url, e.g client.domain.ext/login url and other custom urls.

cPFence

wenani

Excluding users from WP AutoShield is already in beta and will be available very soon. For now, you can activate it without concerns for payment verification, as it doesn’t interfere with data transfers. The math CAPTCHA only appears on login, registration, and lost password forms.

It’s even compatible with reCAPTCHA plugins in WordPress, so they work together seamlessly without any issues.

PDudeP

cPFence

What about Wordfence, Sucuri, etc?
No need for them also?

cPFence

PDudeP

No need to keep them on unless you specifically need a per-website blocking feature that’s not available in cPFence.

cPFence will even install Wordfence CLI for you (if it’s not already installed) and use it for additional scanning power server-wide, eliminating the need for resource-heavy per-website solutions.

pratik_asabe

cPFence cPFence will even install Wordfence CLI for you

That's really a customer winning move cpfence! now im even more sure to try cpfence and move to it replacing cpguard, im almost ready to compromise ui thing (as a sys admin i love terminal),

But two things can you please clarify,

If default wp-cron is disabled then enhance's cron will work, right? just like i raise this issue while back on other thread that one of the many reasons we use cpguard is ability to disable default wp-cron which is basically useless and unreliable and enhance took care of it already by automatically adding cron for wp!
Some of our news blogging clients are non-technical and uses WordPress's dumb android app which is not secured bcz its heavily rely on xml-rpc, and these clients are not ready to throw that app comfort and doesn't understand sh*t of security lessons i try to make'em aware of so, how can we white-list xml-rpn per-site basis bcz i want that xml-rpc blocked serverwide! currently we're missing this and fortunately you took care of it in new version of cpfence...

PDudeP

That's great. Thanks!

Sulli86

Just a heads up, if you have something encrypting data in the DB based on the salt, you will need to add the data again. I use fluent SMTP, which stores the secret in the DB. After the Salt reset, all websites need the data added again.

Sorry if any terminology is wrong.

cPFence

Sulli86

Thank you for your feedback. You have two solutions here:

Disable the autoshield_set_wp_secure_keys option in the config file /opt/cpfence/config.conf (not recommended).
Use another great plugin we always recommend, WP Mail SMTP, which has over 3 million active installations and doesn’t have this limitation. It works well on most setups.

ivansalloum

Sulli86 You can save them to the wp-config.php file.

Sulli86

ivansalloum I wanted to avoid this as users have access to their hosting. but great idea.
cPFence Thanks, i uses AWS SES which is a pro feature for WP MAIL SMTP. I think i will disable short term, fix issue and reassess when I have time.

cPFence

pratik_asabe

Thank you for your feedback.

Yes, it will work just fine as usual. Enhance handles this by default, but we added this feature after your request because we found it useful. Sometimes, Enhance misses disabling the default cron on some WordPress installations, and that’s where WP-AutoShield’s cron feature comes in handy.
As mentioned earlier in this thread, the ability to exclude specific WordPress installations from WP-AutoShield entirely is already in beta and will be available very soon. You’ll still be able to use WP-AutoShield’s manual tools on those installations if needed.

pratik_asabe

cPFence we added this feature after your request because we found it useful.

Thank you, really appreciate your quick response to feedback of users!

I'll be switching to cpfence now this month, as our cpguard license is expiring soon! Hope to see more exciting features in coming releases!!

cPFence

pratik_asabe

You are welcome. Stay tuned, we will not stop there!

Tip :
Meanwhile, you can disable the XML-RPC feature in the config file and follow these steps:

Use cpfence --generate-wp-sites-list and edit the list /var/log/cpfenceav/wp-sites-list.txt, removing the WordPress sites you want to exclude.
Then, use cpfence --bulk-disable-wp-xmlrpc manually to apply the feature only to the selected sites.

pratik_asabe

cPFence Is this list only for exclusions? that means sites added in /var/log/cpfenceav/wp-sites-list.txt will considered excluded?

cPFence

pratik_asabe

No, this list is for the WordPress sites that WP-AutoShield will use to apply security measures, whether using manual tools or automatic features. To exclude sites from the job, simply remove them from this list before using the manual tools.

In the next version, there will be a separate exclude list, allowing you to activate the automatic features server-wide while excluding specific WordPress installations as needed.

pratik_asabe

cPFence In the next version, there will be a separate exclude list, allowing you to activate the automatic features server-wide while excluding specific WordPress installations as needed.

Just to add, try if possible that separate feature exclusion for example, in our case only xml-rpc, bcz we might still want to get benifit of every other security measures of WP-AutoShield... 🙂

cPFence

pratik_asabe

The new feature will allow you to exclude sites globally, not on a per-feature basis within WP AutoShield. However, you can still manage it manually using the method I explained above to apply specific measures to these sites. Keep in mind this is a one-time action and won’t be applied automatically every day. We might look into improving this in the future.

btraill

I'm not sure if Bricks Builder’s code signing depends on these keys. Please set:

autoshield_set_wp_secure_keys="off"

Try again and let us know if it resolves the issue.