WP AutoShield®: One-Click WordPress Security from cPFence: Page 3 - Enhance Control Panel

WP AutoShield®: One-Click WordPress Security from cPFence

leonardo

bluelinq-computers what happened with your RankMath? have not yet seen the issue myself

GoSuccess

I think this is about Rank Math PRO. I noticed the same thing a few days ago with a customer after I changed the secret keys myself. As a result, you lose the connection to Rank Math PRO and have to reconnect.

But you can work around this problem if you want, see:
https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#unable-to-encrypt
https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#disable-sensitive-data-encryption

bluelinq-computers

leonardo @btraill Apologies for the delayed reply, but the issue with RankMath has to do with encryption. https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#unable-to-encrypt

btraill

bluelinq-computers Crap, I noticed issues with Bricks but not RankMath. What did you notice with RankMath as I'm also using it?

cPFence

Version 3.3.13

Added the ability to exclude specific sites from the daily WP AutoShield security measures.
To configure exclusions, edit the file:
nano /var/log/cpfenceav/wp-exclude-list.txt
Add /var/www/site_id/ to exclude all WordPress installations under a specific account.
Add /var/www/site_id/public_html/blog to exclude a single WordPress installation.

Improved the “Set Secure Keys” function to only update keys when they are missing, skipping sites where keys are already set.

GoSuccess

@cPFence Is there a command to automatically delete the cPFence plugin from all websites?

Regardless of this, here are a few thoughts on the plugin:

I think that the use of the plugin is not GDPR-compliant at the moment, as the recorded IP addresses are not anonymized.

The stored transients are only valid for 5 minutes, but they still remain in the database.

What I don't quite like is that jQuery is forced to be loaded in the frontend. I think this has less to do in a security plugin and should be my own decision whether I want jQuery in the frontend or not.

I see that cPFence relies on jQuery, but I think you can do the same with vanilla JavaScript. Or jQuery should only be loaded in the frontend when a user is logged in, as is done with the cPFence inline script.

But it would be best to do without jQuery completely.

I don't know about most of the others here, but I'm a bit conflicted about the cPFence plugin. On the one hand, I welcome the commitment to the community, but on the other hand, there are already very good plugins that can do exactly that and much more than the cPFence plugin currently does. NinjaFirewall, for example, is one such plugin.

In addition, we do not want to have a “vendor lock-in effect” for our customers. Although the cPFence plugin works on its own, without cPFence being installed on the server, it still gives the impression of a vendor lock-in effect because it is not a plugin that is freely available.

It would perhaps be much better if the plugin were made public in the WordPress plugin directory. This would give cPFence a greater reach, which is certainly the goal, and users would be assured that this is an official plugin that has been reviewed by WordPress.

But again, I'm not sure if it makes sense to put your resources into a WP plugin.

I will continue to use cPFence because it is really good and makes my day-to-day work much easier and will certainly get even better in the future. But I will probably not use the plugin (for the time being) and rely on NinjaFirewall instead.

cPFence

GoSuccess

Thank you for sharing your thoughts and feedback. Let me address your points:

To remove the MU cPFence plugin from all sites, simply run this command:
find /var/www/ -type f -name "cpfence.php" -delete

In the next cPFence version, this will be handled automatically when you turn off the WP-AutoShield module.
Our software is fully GDPR-compliant. IPs are stored only in the client’s database and are not sent to any third party. Many of our enterprise clients have strict GDPR requirements, so ensuring compliance is non-negotiable for us. However, if your lawyer or legal team has any valid and verified comments, please let us know, and we will adapt immediately in less than 48 hours.
In the next cPFence version, jQuery will automatically turn off if the idle logout feature is disabled. Thanks for pointing this out.
WP-AutoShield is designed to be as vanilla and lightweight as possible. According to our tests, the CPU and RAM footprint is close to zero. That said, we’ll revisit the current approach to see if further optimizations can be made. Your feedback is noted and appreciated.
Regarding MU plugins, I understand your concerns. However, using MU plugins to enforce some features is a very common practice among shared hosting companies, including well-known providers. That said, WP-AutoShield is fully optional and turned off by default, so you’re in full control—if you don’t like it, you don’t have to enable it.
Note that WP-AutoShield isn’t just about the MU plugin—it uses various other measures. The plugin itself covers only 4 out of the 10+ features included in the module.
WP-AutoShield was created to address two key challenges faced by sysadmins and shared hosting companies:
- First: Applying security measures to hundreds of sites on a server can be a time-consuming and tedious process.
- Second: Many clients eventually alter or remove the security measures you’ve applied, undoing your hard work.
  
  WP-AutoShield brilliantly solves both problems by allowing you to apply security measures to thousands of sites quickly and automatically enforce those rules daily. It’s a game-changer for hosting companies, including ourselves, and we’ve received great feedback from others in the industry. Some have even asked us to make it a standalone product for panels like cPanel and DirectAdmin.

Regarding other security plugins like NinjaFirewall, keep in mind that WP-AutoShield isn’t just a plugin—it’s a comprehensive module built specifically for shared hosting environments. While some plugins offer features not yet in WP-AutoShield, we intentionally left out certain measures that are unsuitable for shared hosting. Bulk-applying such measures to hundreds of sites would cause more harm than good, leading to broken features and an influx of support tickets.

As system admins ourselves, we’ve carefully curated a list of security measures that balance improved security with minimal disruption. WP-AutoShield focuses on that sweet spot—strong security without creating unnecessary headaches for users.

That said, we are always open to suggestions and improvements. If you have a security measure that can be safely applied to a shared hosting server in bulk, please share it, and we will add it to WP-AutoShield.

Again, thank you for taking the time to write your feedback; it helps us a lot.

GoSuccess

cPFence Thank you for your detailed answer. 🙂

Our software is fully GDPR-compliant. IPs are stored only in the client’s database and are not sent to any third party.

That's not quite right about the IP addresses. Just because the IPs are not shared with third parties, they are still processed and this processing is GDPR relevant.

Since it is not necessary to store the IPs, the IPs may not be stored without the visitor's consent. Of course, one could argue that the storage of IPs is security-relevant and can therefore take place without the visitor's consent. However, even then, storage is not permitted for an unlimited period of time, but may only be as short as possible. In this case, for example, 5 minutes. After that, the IPs would have to be deleted from the database in any case.

Regardless of this, the use must always be mentioned in the privacy policy, even if the IPs are stored anonymously. And this again makes it difficult to activate the plugin by default for all customers.

I just wanted to point this out. Perhaps it would be important to simply document somewhere exactly how the plugin works and when which data is processed, so that everyone can make an informed decision for themselves.

cPFence

GoSuccess

You are absolutely correct that processing IPs is GDPR-relevant, as they are considered personal data under the regulation. However, GDPR does allow the storage and processing of IPs for security purposes under the legitimate interest basis (Article 6(1)(f)), as long as this processing is necessary and proportional. You can find more details here: https://gdpr.eu/article-6-how-to-process-personal-data-legally/.

Storing IPs is critical for identifying and mitigating security threats, and this applies to nearly all security software, including plugins like Ninja Firewall and cPFence. Of course, it's essential for both the company's and the client website's privacy policy to mention the processing of IPs. This requirement is not specific to cPFence but applies to any security tool or plugin handling personal data.

I understand your concerns, and I've reached out to the legal team of one of my clients, who frequently deals with GDPR compliance, to review this matter further. I'll share any updates or insights they provide. Acting early to address GDPR considerations is always a good practice to avoid surprises later. Thank you once again.

cPFence

Update:

We’ve received feedback from our client’s legal team regarding GDPR compliance. Based on their advice, we’ve implemented a few minor changes to enhance compliance and follow best practices.

Here’s the latest cPFence update:

Version 3.3.14

Added:

Introduced the ability to bulk remove the cPFence MU plugin from all WordPress sites server-wide. Use the command:
cpfence --bulk-remove-mu-plugin.

Improved:

Idle Logout Feature: jQuery is now enqueued only when the idle logout functionality is enabled, optimizing resource usage.
Login Limit Feature: IP addresses are now hashed before being stored in the database, ensuring full anonymization and enhanced GDPR compliance.
Automatic Cleanup: WP AutoShield now clears all expired transients storing hashed IPs daily, further ensuring GDPR compliance.

To ensure full transparency and compliance with GDPR, as advised by the legal team, we recommend including the guidance outlined in the following link within the privacy policy of your hosting company website or any client’s website concerned about GDPR compliance:

Is cPFence GDPR-Compliant?

Thanks, @GoSuccess, for your valuable feedback!

Zoinkies

cPFence any chance you guys can make a module for auot including a mu plugin estate wide?

cPFence

Introducing Owl AutoMySQL®: One-Click MySQL Resource Limits from cPFence

Owl AutoMySQL automates the monitoring and management of abusive MySQL users, solving a major pain point for shared hosting servers with high user volumes. It ensures optimal server performance by preventing resource abuse, all without manual intervention.

One-Click Activation:
Activate with a single command: cpfence --owl-automysql-on
Owl AutoMySQL will begin 24/7 smart monitoring and management instantly.

Customizable Exclusions:
Exclude specific websites or priority clients by adding them to your configuration file: /opt/cpfence/config.conf.

slimx

cPFence Introducing Owl AutoMySQL®: One-Click MySQL Resource Limits from cPFence

Owl AutoMySQL automates the monitoring and management of abusive MySQL users, solving a major pain point for shared hosting servers with high user volumes. It ensures optimal server performance by preventing resource abuse, all without manual intervention.

One-Click Activation:
Activate with a single command: cpfence --owl-automysql-on
Owl AutoMySQL will begin 24/7 smart monitoring and management instantly.

Customizable Exclusions:
Exclude specific websites or priority clients by adding them to your configuration file: /opt/cpfence/config.conf.

How does this actually "prevent the resource abuse" exactly?
I have one client for example their site uses MySQL heavily They have 200,000 products (with variations), so the CPU usage is always quite high. Is OWL AUTOMYSQL going to effect this site? I don't want the site to crash out...

cPFence WordPress Bulk Management:
Gone are the days of relying on tools like MainWP or InfiniteWP to bulk manage your WordPress sites. With cPFence, you can now handle it all seamlessly with server-wide commands:
cpfence --bulk-install-wp-plugin: Search and install any WordPress plugin using a name, ZIP file path, or URL to ZIP server-wide.
cpfence --bulk-uninstall-wp-plugin: Deactivate and uninstall any WordPress plugin server-wide using the plugin slug.

This is EXCELLENT! Thank you!

cPFence New server migration with hundreds of sites? Ensure they’re clean and reset to a secure state with ease:
cpfence --bulk-force-wp-core-files: Force restore WordPress core files to default server-wide (for experienced system administrators only).

With this feature, does this just "re-install wordpress minus the config file and wp-content"?

xyzulu

I was the same till i saw MobaXterm, it's just "WOW".

cPFence

Zoinkies

Bulk plugin installation, uninstallation, and blacklisting are coming soon. We might consider adding MU plugin support in the future.

Zoinkies

cPFence kickass thank you, hopefully you’ll soon be able to put a Ui in Enhance for all of this.

cPFence

Zoinkies

We’re just waiting for the Enhance framework to make this happen. In the meantime, we’re focused on adding more one-click, set-it-and-forget-it features.

franco

cPFence I think waiting for Enhance is not a good idea.

They are swamped with things to launch and I believe this is at the end of the queue.

Besides, they are very late.

Sulli86

Has anyone had issues with users now being unable to log into their website after doing the math equation? I have had multiple clients report issues of signing in/

cPFence

Sulli86

Yes, we’ve had a few clients report this, and it turns out they’re either entering the password or math equation incorrectly. One case involved a custom math captcha modification conflicting with the cPFence one.

I’d recommend trying to log in yourself to confirm the issue. If you still encounter problems, feel free to drop us a ticket, and we’ll get it sorted.

For less tech-savvy clients, it might be easier to add them to the exclusion list to avoid the headache altogether.

Sulli86

cPFence It actually appears to be if third-party MFA is enabled for instance wordfence or two-factor

cPFence

Sulli86

It’s been tested to work well with Wordfence MFA. If you’ve found another plugin that conflicts with it, please drop us a ticket and let us know so we can look into it.

Sulli86

cPFence Ill do further testing and raise a ticket

cPFence

Sulli86

After testing multiple MFA plugins, I was able to replicate the issue with one plugin (miniOrange 2-factor). Please submit a ticket with the name of the problematic plugin, and we will assist you in resolving the issue. The next version will offer enhanced compatibility with these MFA plugins.

« Previous Page Next Page »