WP AutoShield®: One-Click WordPress Security from cPFence: Page 2 - Enhance Control Panel

WP AutoShield®: One-Click WordPress Security from cPFence

cPFence

Thank you for your feedback.

Yes, it will work just fine as usual. Enhance handles this by default, but we added this feature after your request because we found it useful. Sometimes, Enhance misses disabling the default cron on some WordPress installations, and that’s where WP-AutoShield’s cron feature comes in handy.
As mentioned earlier in this thread, the ability to exclude specific WordPress installations from WP-AutoShield entirely is already in beta and will be available very soon. You’ll still be able to use WP-AutoShield’s manual tools on those installations if needed.

pratik_asabe

cPFence we added this feature after your request because we found it useful.

Thank you, really appreciate your quick response to feedback of users!

I'll be switching to cpfence now this month, as our cpguard license is expiring soon! Hope to see more exciting features in coming releases!!

cPFence

pratik_asabe

You are welcome. Stay tuned, we will not stop there!

Tip :
Meanwhile, you can disable the XML-RPC feature in the config file and follow these steps:

Use cpfence --generate-wp-sites-list and edit the list /var/log/cpfenceav/wp-sites-list.txt, removing the WordPress sites you want to exclude.
Then, use cpfence --bulk-disable-wp-xmlrpc manually to apply the feature only to the selected sites.

pratik_asabe

cPFence Is this list only for exclusions? that means sites added in /var/log/cpfenceav/wp-sites-list.txt will considered excluded?

cPFence

pratik_asabe

No, this list is for the WordPress sites that WP-AutoShield will use to apply security measures, whether using manual tools or automatic features. To exclude sites from the job, simply remove them from this list before using the manual tools.

In the next version, there will be a separate exclude list, allowing you to activate the automatic features server-wide while excluding specific WordPress installations as needed.

pratik_asabe

cPFence In the next version, there will be a separate exclude list, allowing you to activate the automatic features server-wide while excluding specific WordPress installations as needed.

Just to add, try if possible that separate feature exclusion for example, in our case only xml-rpc, bcz we might still want to get benifit of every other security measures of WP-AutoShield... 🙂

cPFence

pratik_asabe

The new feature will allow you to exclude sites globally, not on a per-feature basis within WP AutoShield. However, you can still manage it manually using the method I explained above to apply specific measures to these sites. Keep in mind this is a one-time action and won’t be applied automatically every day. We might look into improving this in the future.

btraill

I'm not sure if Bricks Builder’s code signing depends on these keys. Please set:

autoshield_set_wp_secure_keys="off"

Try again and let us know if it resolves the issue.

btraill

One thing I did notice this morning is that all of my code signatures were invalid. (Bricks Builder)

In Bricks you have to sign code -- is the "Automatically generate secure keys for all sites daily" functionality possibly de-validating these?

btraill

cPFence I found this in the Bricks documentation:

After changing your WordPress salt (secret keys): Whenever the salts in wp-config.php are changed, you have to regenerate code signatures.

Unfortunate 🙁

cPFence

btraill

Thanks for the heads-up. Sorry for any inconvenience this might have caused. In the next version, this feature will be off by default to avoid issues for sites using plugins that depend on the secret keys. Alternatively, we might make it skip the update if the keys are already set and only apply it if missing. I’ll discuss this with my team.

bluelinq-computers

cPFence Lol, I should've read this entire thread before enabling the secure keys feature. This borked some stuff with Bricks & Rank Math. All the other features are fantastic, though!

cPFence

bluelinq-computers

Sorry about that, fellow. The new version with the skip improvement is coming soon. We tested it on all our servers for several days, but unfortunately, no one raised a ticket about this issue, so we didn’t know until today.

leonardo

bluelinq-computers what happened with your RankMath? have not yet seen the issue myself

btraill

bluelinq-computers Crap, I noticed issues with Bricks but not RankMath. What did you notice with RankMath as I'm also using it?

bluelinq-computers

cPFence Not to worry! It's not that big of a deal. A minor inconvenience is all.

Definitely love the work the cPFence is doing

GoSuccess

leonardo btraill

I think this is about Rank Math PRO. I noticed the same thing a few days ago with a customer after I changed the secret keys myself. As a result, you lose the connection to Rank Math PRO and have to reconnect.

But you can work around this problem if you want, see:
https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#unable-to-encrypt
https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#disable-sensitive-data-encryption

bluelinq-computers

leonardo @btraill Apologies for the delayed reply, but the issue with RankMath has to do with encryption. https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#unable-to-encrypt

cPFence

Version 3.3.13

Added the ability to exclude specific sites from the daily WP AutoShield security measures.
To configure exclusions, edit the file:
nano /var/log/cpfenceav/wp-exclude-list.txt
Add /var/www/site_id/ to exclude all WordPress installations under a specific account.
Add /var/www/site_id/public_html/blog to exclude a single WordPress installation.

Improved the “Set Secure Keys” function to only update keys when they are missing, skipping sites where keys are already set.

GoSuccess

@cPFence Is there a command to automatically delete the cPFence plugin from all websites?

Regardless of this, here are a few thoughts on the plugin:

I think that the use of the plugin is not GDPR-compliant at the moment, as the recorded IP addresses are not anonymized.

The stored transients are only valid for 5 minutes, but they still remain in the database.

What I don't quite like is that jQuery is forced to be loaded in the frontend. I think this has less to do in a security plugin and should be my own decision whether I want jQuery in the frontend or not.

I see that cPFence relies on jQuery, but I think you can do the same with vanilla JavaScript. Or jQuery should only be loaded in the frontend when a user is logged in, as is done with the cPFence inline script.

But it would be best to do without jQuery completely.

I don't know about most of the others here, but I'm a bit conflicted about the cPFence plugin. On the one hand, I welcome the commitment to the community, but on the other hand, there are already very good plugins that can do exactly that and much more than the cPFence plugin currently does. NinjaFirewall, for example, is one such plugin.

In addition, we do not want to have a “vendor lock-in effect” for our customers. Although the cPFence plugin works on its own, without cPFence being installed on the server, it still gives the impression of a vendor lock-in effect because it is not a plugin that is freely available.

It would perhaps be much better if the plugin were made public in the WordPress plugin directory. This would give cPFence a greater reach, which is certainly the goal, and users would be assured that this is an official plugin that has been reviewed by WordPress.

But again, I'm not sure if it makes sense to put your resources into a WP plugin.

I will continue to use cPFence because it is really good and makes my day-to-day work much easier and will certainly get even better in the future. But I will probably not use the plugin (for the time being) and rely on NinjaFirewall instead.

cPFence

GoSuccess

Thank you for sharing your thoughts and feedback. Let me address your points:

To remove the MU cPFence plugin from all sites, simply run this command:
find /var/www/ -type f -name "cpfence.php" -delete

In the next cPFence version, this will be handled automatically when you turn off the WP-AutoShield module.
Our software is fully GDPR-compliant. IPs are stored only in the client’s database and are not sent to any third party. Many of our enterprise clients have strict GDPR requirements, so ensuring compliance is non-negotiable for us. However, if your lawyer or legal team has any valid and verified comments, please let us know, and we will adapt immediately in less than 48 hours.
In the next cPFence version, jQuery will automatically turn off if the idle logout feature is disabled. Thanks for pointing this out.
WP-AutoShield is designed to be as vanilla and lightweight as possible. According to our tests, the CPU and RAM footprint is close to zero. That said, we’ll revisit the current approach to see if further optimizations can be made. Your feedback is noted and appreciated.
Regarding MU plugins, I understand your concerns. However, using MU plugins to enforce some features is a very common practice among shared hosting companies, including well-known providers. That said, WP-AutoShield is fully optional and turned off by default, so you’re in full control—if you don’t like it, you don’t have to enable it.
Note that WP-AutoShield isn’t just about the MU plugin—it uses various other measures. The plugin itself covers only 4 out of the 10+ features included in the module.
WP-AutoShield was created to address two key challenges faced by sysadmins and shared hosting companies:
- First: Applying security measures to hundreds of sites on a server can be a time-consuming and tedious process.
- Second: Many clients eventually alter or remove the security measures you’ve applied, undoing your hard work.
  
  WP-AutoShield brilliantly solves both problems by allowing you to apply security measures to thousands of sites quickly and automatically enforce those rules daily. It’s a game-changer for hosting companies, including ourselves, and we’ve received great feedback from others in the industry. Some have even asked us to make it a standalone product for panels like cPanel and DirectAdmin.

Regarding other security plugins like NinjaFirewall, keep in mind that WP-AutoShield isn’t just a plugin—it’s a comprehensive module built specifically for shared hosting environments. While some plugins offer features not yet in WP-AutoShield, we intentionally left out certain measures that are unsuitable for shared hosting. Bulk-applying such measures to hundreds of sites would cause more harm than good, leading to broken features and an influx of support tickets.

As system admins ourselves, we’ve carefully curated a list of security measures that balance improved security with minimal disruption. WP-AutoShield focuses on that sweet spot—strong security without creating unnecessary headaches for users.

That said, we are always open to suggestions and improvements. If you have a security measure that can be safely applied to a shared hosting server in bulk, please share it, and we will add it to WP-AutoShield.

Again, thank you for taking the time to write your feedback; it helps us a lot.

GoSuccess

cPFence Thank you for your detailed answer. 🙂

Our software is fully GDPR-compliant. IPs are stored only in the client’s database and are not sent to any third party.

That's not quite right about the IP addresses. Just because the IPs are not shared with third parties, they are still processed and this processing is GDPR relevant.

Since it is not necessary to store the IPs, the IPs may not be stored without the visitor's consent. Of course, one could argue that the storage of IPs is security-relevant and can therefore take place without the visitor's consent. However, even then, storage is not permitted for an unlimited period of time, but may only be as short as possible. In this case, for example, 5 minutes. After that, the IPs would have to be deleted from the database in any case.

Regardless of this, the use must always be mentioned in the privacy policy, even if the IPs are stored anonymously. And this again makes it difficult to activate the plugin by default for all customers.

I just wanted to point this out. Perhaps it would be important to simply document somewhere exactly how the plugin works and when which data is processed, so that everyone can make an informed decision for themselves.

cPFence

GoSuccess

You are absolutely correct that processing IPs is GDPR-relevant, as they are considered personal data under the regulation. However, GDPR does allow the storage and processing of IPs for security purposes under the legitimate interest basis (Article 6(1)(f)), as long as this processing is necessary and proportional. You can find more details here: https://gdpr.eu/article-6-how-to-process-personal-data-legally/.

Storing IPs is critical for identifying and mitigating security threats, and this applies to nearly all security software, including plugins like Ninja Firewall and cPFence. Of course, it's essential for both the company's and the client website's privacy policy to mention the processing of IPs. This requirement is not specific to cPFence but applies to any security tool or plugin handling personal data.

I understand your concerns, and I've reached out to the legal team of one of my clients, who frequently deals with GDPR compliance, to review this matter further. I'll share any updates or insights they provide. Acting early to address GDPR considerations is always a good practice to avoid surprises later. Thank you once again.

« Previous Page Next Page »