bluelinq-computers Crap, I noticed issues with Bricks but not RankMath. What did you notice with RankMath as I'm also using it?

    Version 3.3.13

    Added the ability to exclude specific sites from the daily WP AutoShield security measures.
    To configure exclusions, edit the file:
    nano /var/log/cpfenceav/wp-exclude-list.txt
    Add /var/www/site_id/ to exclude all WordPress installations under a specific account.
    Add /var/www/site_id/public_html/blog to exclude a single WordPress installation.

    Improved the “Set Secure Keys” function to only update keys when they are missing, skipping sites where keys are already set.

    leonardo btraill

    I think this is about Rank Math PRO. I noticed the same thing a few days ago with a customer after I changed the secret keys myself. As a result, you lose the connection to Rank Math PRO and have to reconnect.

    But you can work around this problem if you want, see:
    https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#unable-to-encrypt
    https://rankmath.com/kb/fix-automatic-update-unavailable-for-this-plugin/#disable-sensitive-data-encryption

    @cPFence Is there a command to automatically delete the cPFence plugin from all websites?

    Regardless of this, here are a few thoughts on the plugin:

    I think that the use of the plugin is not GDPR-compliant at the moment, as the recorded IP addresses are not anonymized.

    The stored transients are only valid for 5 minutes, but they still remain in the database.

    What I don't quite like is that jQuery is forced to be loaded in the frontend. I think this has less to do in a security plugin and should be my own decision whether I want jQuery in the frontend or not.

    I see that cPFence relies on jQuery, but I think you can do the same with vanilla JavaScript. Or jQuery should only be loaded in the frontend when a user is logged in, as is done with the cPFence inline script.

    But it would be best to do without jQuery completely.

    I don't know about most of the others here, but I'm a bit conflicted about the cPFence plugin. On the one hand, I welcome the commitment to the community, but on the other hand, there are already very good plugins that can do exactly that and much more than the cPFence plugin currently does. NinjaFirewall, for example, is one such plugin.

    In addition, we do not want to have a “vendor lock-in effect” for our customers. Although the cPFence plugin works on its own, without cPFence being installed on the server, it still gives the impression of a vendor lock-in effect because it is not a plugin that is freely available.

    It would perhaps be much better if the plugin were made public in the WordPress plugin directory. This would give cPFence a greater reach, which is certainly the goal, and users would be assured that this is an official plugin that has been reviewed by WordPress.

    But again, I'm not sure if it makes sense to put your resources into a WP plugin.

    I will continue to use cPFence because it is really good and makes my day-to-day work much easier and will certainly get even better in the future. But I will probably not use the plugin (for the time being) and rely on NinjaFirewall instead.

      GoSuccess

      Thank you for sharing your thoughts and feedback. Let me address your points:

      1. To remove the MU cPFence plugin from all sites, simply run this command:
        find /var/www/ -type f -name "cpfence.php" -delete

        In the next cPFence version, this will be handled automatically when you turn off the WP-AutoShield module.

      2. Our software is fully GDPR-compliant. IPs are stored only in the client’s database and are not sent to any third party. Many of our enterprise clients have strict GDPR requirements, so ensuring compliance is non-negotiable for us. However, if your lawyer or legal team has any valid and verified comments, please let us know, and we will adapt immediately in less than 48 hours.

      3. In the next cPFence version, jQuery will automatically turn off if the idle logout feature is disabled. Thanks for pointing this out.

      4. WP-AutoShield is designed to be as vanilla and lightweight as possible. According to our tests, the CPU and RAM footprint is close to zero. That said, we’ll revisit the current approach to see if further optimizations can be made. Your feedback is noted and appreciated.

      5. Regarding MU plugins, I understand your concerns. However, using MU plugins to enforce some features is a very common practice among shared hosting companies, including well-known providers. That said, WP-AutoShield is fully optional and turned off by default, so you’re in full control—if you don’t like it, you don’t have to enable it.

      6. Note that WP-AutoShield isn’t just about the MU plugin—it uses various other measures. The plugin itself covers only 4 out of the 10+ features included in the module.

      7. WP-AutoShield was created to address two key challenges faced by sysadmins and shared hosting companies:

        • First: Applying security measures to hundreds of sites on a server can be a time-consuming and tedious process.

        • Second: Many clients eventually alter or remove the security measures you’ve applied, undoing your hard work.

          WP-AutoShield brilliantly solves both problems by allowing you to apply security measures to thousands of sites quickly and automatically enforce those rules daily. It’s a game-changer for hosting companies, including ourselves, and we’ve received great feedback from others in the industry. Some have even asked us to make it a standalone product for panels like cPanel and DirectAdmin.

      Regarding other security plugins like NinjaFirewall, keep in mind that WP-AutoShield isn’t just a plugin—it’s a comprehensive module built specifically for shared hosting environments. While some plugins offer features not yet in WP-AutoShield, we intentionally left out certain measures that are unsuitable for shared hosting. Bulk-applying such measures to hundreds of sites would cause more harm than good, leading to broken features and an influx of support tickets.

      As system admins ourselves, we’ve carefully curated a list of security measures that balance improved security with minimal disruption. WP-AutoShield focuses on that sweet spot—strong security without creating unnecessary headaches for users.

      That said, we are always open to suggestions and improvements. If you have a security measure that can be safely applied to a shared hosting server in bulk, please share it, and we will add it to WP-AutoShield.

      Again, thank you for taking the time to write your feedback; it helps us a lot.

        cPFence Thank you for your detailed answer. 🙂

        Our software is fully GDPR-compliant. IPs are stored only in the client’s database and are not sent to any third party.

        That's not quite right about the IP addresses. Just because the IPs are not shared with third parties, they are still processed and this processing is GDPR relevant.

        Since it is not necessary to store the IPs, the IPs may not be stored without the visitor's consent. Of course, one could argue that the storage of IPs is security-relevant and can therefore take place without the visitor's consent. However, even then, storage is not permitted for an unlimited period of time, but may only be as short as possible. In this case, for example, 5 minutes. After that, the IPs would have to be deleted from the database in any case.

        Regardless of this, the use must always be mentioned in the privacy policy, even if the IPs are stored anonymously. And this again makes it difficult to activate the plugin by default for all customers.

        I just wanted to point this out. Perhaps it would be important to simply document somewhere exactly how the plugin works and when which data is processed, so that everyone can make an informed decision for themselves.

          GoSuccess

          You are absolutely correct that processing IPs is GDPR-relevant, as they are considered personal data under the regulation. However, GDPR does allow the storage and processing of IPs for security purposes under the legitimate interest basis (Article 6(1)(f)), as long as this processing is necessary and proportional. You can find more details here: https://gdpr.eu/article-6-how-to-process-personal-data-legally/.

          Storing IPs is critical for identifying and mitigating security threats, and this applies to nearly all security software, including plugins like Ninja Firewall and cPFence. Of course, it's essential for both the company's and the client website's privacy policy to mention the processing of IPs. This requirement is not specific to cPFence but applies to any security tool or plugin handling personal data.

          I understand your concerns, and I've reached out to the legal team of one of my clients, who frequently deals with GDPR compliance, to review this matter further. I'll share any updates or insights they provide. Acting early to address GDPR considerations is always a good practice to avoid surprises later. Thank you once again.

          Update:

          We’ve received feedback from our client’s legal team regarding GDPR compliance. Based on their advice, we’ve implemented a few minor changes to enhance compliance and follow best practices.

          Here’s the latest cPFence update:

          Version 3.3.14

          Added:

          • Introduced the ability to bulk remove the cPFence MU plugin from all WordPress sites server-wide. Use the command:
            cpfence --bulk-remove-mu-plugin

          Improved:

          • Idle Logout Feature: jQuery is now enqueued only when the idle logout functionality is enabled, optimizing resource usage.
          • Login Limit Feature: IP addresses are now hashed before being stored in the database, ensuring full anonymization and enhanced GDPR compliance.
          • Automatic Cleanup: WP AutoShield now clears all expired transients storing hashed IPs daily, further ensuring GDPR compliance.

          To ensure full transparency and compliance with GDPR, as advised by the legal team, we recommend including the guidance outlined in the following link within the privacy policy of your hosting company website or any client’s website concerned about GDPR compliance:

          Is cPFence GDPR-Compliant?

          Thanks, @GoSuccess, for your valuable feedback!
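As an added example that is not cPFence's own code, here is a standalone model of the login-limit storage described in the update above: the client IP is kept only as a keyed hash, each entry lives for the 5 minutes mentioned earlier in the thread, and a cleanup pass drops expired entries. The secret key, the five-attempt threshold and the in-memory dict standing in for WordPress transients are assumptions of this example.

```python
# Model of hashed-IP login limiting with a 5-minute window and expired-entry cleanup.
# Not the plugin's code; the key, threshold and in-memory store are assumptions.
import hmac
import hashlib
import time

SECRET_KEY = b"per-site-secret-from-wp-config"  # assumed: a per-site secret, not on the page
TTL_SECONDS = 5 * 60                            # 5-minute lifetime, as mentioned in the thread
MAX_ATTEMPTS = 5                                # assumed threshold


def ip_token(ip: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash of the client IP. An unkeyed SHA-256 of an IPv4 address can be
    reversed by enumerating all 2^32 values, so the key must stay secret."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


class LoginLimiter:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so the window can be tested
        self.store = {}          # token -> (failed_attempts, expires_at)

    def record_failure(self, ip: str) -> int:
        """Count a failed login for this IP; returns the attempts in the current window."""
        token = ip_token(ip)
        count, expires = self.store.get(token, (0, 0))
        if expires <= self.now():        # previous window has passed: start over
            count = 0
        self.store[token] = (count + 1, self.now() + TTL_SECONDS)
        return count + 1

    def is_blocked(self, ip: str) -> bool:
        """Blocked only while the window is live and the threshold was reached."""
        count, expires = self.store.get(ip_token(ip), (0, 0))
        return expires > self.now() and count >= MAX_ATTEMPTS

    def cleanup_expired(self) -> int:
        """Daily job: delete entries whose window has passed. Returns the number removed."""
        now = self.now()
        expired = [t for t, (_, exp) in self.store.items() if exp <= now]
        for t in expired:
            del self.store[t]
        return len(expired)
```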

            Introducing Owl AutoMySQL®: One-Click MySQL Resource Limits from cPFence

            Owl AutoMySQL automates the monitoring and management of abusive MySQL users, solving a major pain point for shared hosting servers with high user volumes. It ensures optimal server performance by preventing resource abuse, all without manual intervention.

            One-Click Activation:
            Activate with a single command: cpfence --owl-automysql-on
            Owl AutoMySQL will begin 24/7 smart monitoring and management instantly.

            Customizable Exclusions:
            Exclude specific websites or priority clients by adding them to your configuration file: /opt/cpfence/config.conf.

              cPFence any chance you guys can make a module for auto-including an MU plugin estate-wide?

                Zoinkies

                Bulk plugin installation, uninstallation, and blacklisting are coming soon. We might consider adding MU plugin support in the future.

                  cPFence kickass, thank you; hopefully you’ll soon be able to put a UI in Enhance for all of this.

                    Zoinkies

                    We’re just waiting for the Enhance framework to make this happen. In the meantime, we’re focused on adding more one-click, set-it-and-forget-it features.

                      Has anyone had issues with users now being unable to log into their website after doing the math equation? I have had multiple clients report issues of signing in.

                        Sulli86

                        Yes, we’ve had a few clients report this, and it turns out they’re either entering the password or math equation incorrectly. One case involved a custom math captcha modification conflicting with the cPFence one.

                        I’d recommend trying to log in yourself to confirm the issue. If you still encounter problems, feel free to drop us a ticket, and we’ll get it sorted.

                        For less tech-savvy clients, it might be easier to add them to the exclusion list to avoid the headache altogether.

                          cPFence It actually appears to be if third-party MFA is enabled, for instance Wordfence or two-factor.

                            Sulli86

                            It’s been tested to work well with Wordfence MFA. If you’ve found another plugin that conflicts with it, please drop us a ticket and let us know so we can look into it.
