Control XSS Filtering in Posts (WebUI Method)
- Log into cPFence WebUI and pick the server you are modifying.
- Navigate to Tools & Utilities ➜ WP-AutoShield Bulk Tools.
- Select Disable XSS in Posts to strip risky embeds/iframes, or Enable XSS in Posts to restore full editor freedom.
- Confirm the action; the MU plugin settings are updated across every detected site (or only those selected with the site selector).
- If you rely on WP-AutoShield automation, disable the matching setting in System Settings so it does not revert unexpectedly.
Disabling XSS features quietly blocks common exploit payloads inside the WordPress editor while keeping front-end output stable.
Tip: If you enable XSS in posts, ensure autoshield_disable_xss_in_posts is set to ‘Off’ in the Settings page (if it’s currently on), or WP-AutoShield will automatically disable XSS in posts again during the next 6:10 AM run.
Command Line (CLI) Method
- SSH into the server.
- Disable risky embeds:
cpfence --bulk-disable-xss-in-wp-posts
- Enable them again if needed:
cpfence --bulk-enable-xss-in-wp-posts
Communicate with developer-heavy tenants before disabling rich embeds so they understand why certain shortcodes stop working.
