The cPFence command-line interface (CLI) is designed to simplify server security management with powerful and intuitive commands. This cheat sheet organizes key commands into categories, making it easy to find what you need. Whether you're configuring settings, monitoring activity, or maintaining server security, this guide will help you work more efficiently and effectively.
General Options
cpfence --status Display information about current running modules and license status.
cpfence --show-stats View protection statistics and information about your server.
cpfence --set-email EMAIL Set or update the email address in the configuration settings.
cpfence --enable-cpfence-smtp Enable SMTP for cPFence notification emails only.
cpfence --disable-cpfence-smtp Disable SMTP for cPFence notification emails only.
cpfence --restart Restart all services and modules to apply new settings.
cpfence --ip-reputation-on Enable regular monitoring of your server's IP reputation.
cpfence --ip-reputation-off Disable regular monitoring of your server's IP reputation.
Protection Control
cpfence --enable-all Enable all default protections.
cpfence --disable-all Disable all protections.
IPDB / DDos Protection Module
cpfence --enable-ipdb Enable cPFence IPDB.
cpfence --disable-ipdb Disable cPFence IPDB.
cpfence --restart-ipdb Restart cPFence IPDB.
cpfence --enable-DDos Enable cPFence DDos Protection.
cpfence --disable-DDos Disable cPFence DDos Protection.
Tip: To monitor the blocked attacks by cPFence IPDB, use the following command:
sudo tail -f /var/log/syslog | grep -E 'cPFence Blocked:|cPFence DDos Protection:'
WordPress Security and Maintenance Tools
cpfence --wp-autoshield-on Enable WP AutoShield - One-Click WordPress Security.
Tip: WP-AutoShield runs daily at 6:10 AM. To trigger it manually, use the command:
/opt/cpfence/app/wpautoshield/cpfautoshield
Tip 2: To exclude sites from WP-AutoShield, edit the exclusion list:
nano /var/log/cpfenceav/wp-exclude-list.txt
To exclude all WordPress installations under a specific account, add:
/var/www/site_id/
To exclude a single WordPress installation, add:
/var/www/site_id/public_html/blog
cpfence --wp-autoshield-off Disable WP AutoShield - One-Click WordPress Security.
cpfence --enable-integrity-check Enable WordPress Integrity Check to safeguard your sites.
cpfence --disable-integrity-check Disable WordPress Integrity Check.
Integrity Check exclude files:
- Add the paths of websites to be excluded in the file:
/opt/cpfence/user-config/cpfowl/exclude_integrity_check_sites.txt
- Add filenames to be excluded from Integrity Check detection in the file:
/opt/cpfence/user-config/cpfowl/exclude_integrity_check_files.txt
Tip: Use the filename only (without path) to exclude files server-wide with the same name.
cpfence --enable-auto-file-action Automatically quarantine unexpected files during the integrity check.
cpfence --disable-auto-file-action Turn off automatic file quarantine for the integrity check.
cpfence --set-check-frequency Set the frequency of the integrity check. Options: 'daily' or 'hourly'.
cpfence --generate-wp-sites-list Generate a list of WordPress sites and their owners on the server.
Tip: The WordPress sites list will be generated to:
/var/log/cpfenceav/wp-sites-list.txt
cpfence --bulk-update-wordpress Perform a bulk update of WordPress core, plugins, themes, and translations.
cpfence --enable-wp-auto-updates Enable automatic updates for WordPress core, plugins, and themes.
cpfence --disable-wp-auto-updates Disable automatic updates for WordPress core, plugins, and themes.
cpfence --vuln-scan Perform a comprehensive vulnerability scan on your WordPress sites.
cpfence --vuln-export Export a detailed vulnerability scan report in CSV format.
Tip: To apply the manual tools below to specific sites only and leave all others intact,
edit the list before running the command:
/var/log/cpfenceav/wp-sites-list.txt
WP-AutoShield will automatically update the list again at 6:10 AM to apply its changes,
so you’ll need to edit it each time you want to run manual tools.
cpfence --bulk-disable-wp-cron Disable Default WordPress Cron to improve performance.
cpfence --bulk-enable-wp-cron Enable Default WordPress Cron for all listed sites.
cpfence --bulk-disable-wp-file-edit Disable file editing in WordPress Admin panel for all listed sites.
cpfence --bulk-enable-wp-file-edit Enable file editing in WordPress Admin panel for all listed sites.
cpfence --bulk-disable-wp-pingback Disable default pingbacks in WordPress for all listed sites.
cpfence --bulk-enable-wp-pingback Enable default pingbacks in WordPress for all listed sites.
cpfence --bulk-set-wp-secure-keys Set secure keys for all listed sites.
cpfence --bulk-set-wp-permissions Fix and Apply secure permissions to critical files and directories.
cpfence --bulk-enable-wp-hardening Enable WordPress hardening to secure wp-includes, uploads, config, etc.
cpfence --bulk-disable-wp-hardening Disable WordPress hardening for all listed sites.
cpfence --bulk-disable-wp-xmlrpc Fully Disable XML-RPC for all WordPress sites with a 403 denied error.
cpfence --bulk-enable-wp-xmlrpc Enable XML-RPC for all listed WordPress sites.
cpfence --bulk-enable-wp-limit-login Enable wp-login protection by implementing Limit Login Attempts.
cpfence --bulk-disable-wp-limit-login Disable wp-login protection by removing Limit Login Attempts.
cpfence --bulk-enable-wp-idle-logout Enable automatic logout protection after 60 minutes for idle users.
cpfence --bulk-disable-wp-idle-logout Disable automatic logout protection after 60 minutes for idle users.
cpfence --bulk-rename-wp-admin Rename the default 'admin' username to a unique, secure name.
cpfence --bulk-disable-xss-in-wp-posts Disable XSS & risky code such as iframes, embeds, or scripts.
Tip: Avoid enabling this for developer clients or those requiring full access to editor features like WPBakery
or Elementor. While it won’t cause issues in the frontend, it will disable some risky plugin features
in the admin panel silently.
cpfence --bulk-enable-xss-in-wp-posts Enable XSS & risky code such as iframes, embeds, or scripts.
cpfence --bulk-enable-wp-captcha Enable CAPTCHA on login, registration, and lost password forms.
cpfence --bulk-disable-wp-captcha Disable CAPTCHA on login, registration, and lost password forms.
cpfence --bulk-remove-mu-plugin Remove the cPFence MU plugin from all WordPress sites server-wide.
cpfence --bulk-install-ls-plugin Install the LiteSpeed plugin on all WordPress sites server-wide.
cpfence --bulk-configure-ls-plugin Configure LiteSpeed with advanced presets and Redis enabled.
cpfence --bulk-enable-ls-redis Enable Redis caching within the LiteSpeed plugin server-wide.
cpfence --bulk-enable-ls-heartbeat Bulk enable and configure heartbeat options in LiteSpeed.
cpfence --bulk-reset-ls-plugin Reset all options in the LiteSpeed Cache plugin to defaults.
cpfence --bulk-clear-litespeed-cache Clear the LiteSpeed cache on all WordPress sites server-wide.
cpfence --bulk-install-wp-plugin Search and install any WordPress plugin server-wide.
cpfence --bulk-uninstall-wp-plugin Deactivate and Uninstall any WordPress plugin server-wide.
cpfence --bulk-run-due-wp-cron Run all WordPress cron events due right now server-wide.
cpfence --bulk-force-wp-core-files Force restore WordPress core files to default server-wide.
cpfence --bulk-create-wp-user Create a WordPress user server-wide.
cpfence --bulk-backup-wp-sites Bulk create WordPress backups and store them in /cpf_wp_backups/.
cpfence --bulk-install-plugin-bundle Bulk install the plugin bundle.
Tip: Add slugs for your bundle here /var/log/cpfenceav/wp-plugin-bundle.txt
Tip2: For Cronjob use this command :
/opt/cpfence/app/setup/cpfmain --bulk-install-plugin-bundle -y
cpfence --bulk-uninstall-bl-plugins Bulk uninstall blacklisted plugins
Tip: Add slugs for your blacklisted plugins here /var/log/cpfenceav/blacklisted-wp-plugins.txt
Tip2: For Cronjob use this command :
/opt/cpfence/app/setup/cpfmain --bulk-uninstall-bl-plugins -y
cpfence --bulk-install-custom-mu-plugin Bulk install your custom MU plugin.
Tip: Add your one file MU plugin to /var/log/cpfenceav/mu-plugin before running.
Tip2: To force Mu plugin use cronjob :
/opt/cpfence/app/setup/cpfmain --bulk-install-custom-mu-plugin -y
cpfence --bulk-uninstall-custom-mu-plugin Bulk uninstall your custom MU plugin
Tip: For this to work you must add your one file MU plugin to /var/log/cpfenceav/mu-plugin before running.
cpfence --bulk-uninstall-cache-plugins Bulk uninstall all major and widely used cache and Redis plugins
Tip: To force it, use cronjob :
/opt/cpfence/app/setup/cpfmain --bulk-uninstall-cache-plugins -y
cpfence --bulk-disable-search-engine-index Disable search engine indexing
cpfence --bulk-enable-search-engine-index Enable search engine indexing
cpfence --bulk-enable-maintenance-mode Enable maintenance mode
cpfence --bulk-disable-maintenance-mode Disable maintenance mode
cpfence --bulk-scan-wp-databases Scan all WP databases for malware
Tip: To exclude Databases from DB Scanning, edit the exclusion list:
nano /opt/cpfence/user-config/cpfmrtp/whitelisted_databases.txt
Use the full path of the WP installation.
cpfence --bulk-optimize-wp-databases Optimize all WordPress databasesWAF Management
cpfence --enable-ols-waf Enable OLS/LS latest cPFence WAF.
cpfence --disable-ols-waf Disable OLS/LS cPFence WAF.
cpfence --disable-waf-rule RULE-ID Disable a specific OLS/LS WAF rule by ID (server-wide).
cpfence --enable-waf-rule RULE-ID Re-enable a currently disabled OLS/LS WAF rule by ID (server-wide).
cpfence --disable-waf-domain DOMAIN Disable OLS/LS WAF entirely for a specific domain.
cpfence --enable-waf-domain DOMAIN Re-enable OLS/LS WAF for a previously disabled domain.
cpfence --disable-waf-domain-byid Disable one or more WAF rules for a specific domain.
cpfence --enable-waf-domain-byid Re-enable one or more WAF rules for a specific domain.
Tip: For Manual Whitelisting, all your WAF whitelist rules should be added to the following file:
/opt/cpfence/user-config/cpfwaf/whitelist_ols.conf
Common Examples:
# Disable a rule manually for all sites:
SecRuleRemoveById Numeric_rule_id
# Whitelist a specific URL for some rules only:
SecRule REQUEST_URI "@contains /wp-admin/page.php" "id:6003,phase:1,pass,nolog,ctl:RuleRemoveById=200007,ctl:RuleRemoveById=225170,ctl:RuleRemoveById=200002,ctl:RuleRemoveById=210230"
or
SecRule REQUEST_URI "@contains /wp-admin/page.php" "id:6003,phase:1,pass,nolog,ctl:ruleEngine=Off"
# Restart OLS / LS after adding new rules by running:
docker exec openlitespeed /usr/local/lsws/bin/lswsctrl restart
or
docker exec litespeed /usr/local/lsws/bin/lswsctrl restart
# Useful Guides:
How to Identify Problematic WAF Rule IDs in cPFence?
https://my.cpfence.app/knowledgebase/20/How-to-Identify-Problematic-WAF-Rule-IDs-in-cPFence.html
Whitelisting and Managing WAF Rules in cPFence:
https://my.cpfence.app/knowledgebase/19/Whitelisting-and-Managing-WAF-Rules-in-cPFence.html
Malware Protection Settings
cpfence --enable-MRTP Enable Malware Real-Time Protection.
cpfence --disable-MRTP Disable Malware Real-Time Protection.
cpfence --enable-proactive Enable Proactive Scan. (Fast detection...recommended)
cpfence --disable-proactive Disable Proactive Scan. (Slower detection, less RAM usage)
cpfence --enable-quarantine Enable Auto Quarantine infected files to /opt/cpfence/quarantined/.
cpfence --disable-quarantine Disable Auto Quarantine. (You will need to review scan results manually.)
cpfence --enable-email-quarantine Enable Email Quarantine to /opt/cpfence/quarantined/.
cpfence --disable-email-quarantine Disable Email Quarantine. (You will need to review email results manually.)
cpfence --enable-spam-protection Enable Spam Protection, applying advanced filters to detect spam in emails.
cpfence --disable-spam-protection Disable Spam Protection. (Spam filtering will no longer be applied.)
Scanning Options
cpfence --full-scan Run a full scan on all files. (takes 30 mins up to several hours)
cpfence --smart-scan Run a smart scan on critical areas & commonly infected files.
cpfence --custom-scan PATH Run a custom scan on any specified path or files you want.
cpfence --stop-scan Stop all running Smart, Full, and Custom scanning jobs.
Tip: Check '/var/log/cpfenceav/infections.history' for more info about detected viruses.
cpfence --exclude-path PATH Whitelist a path or file from all virus scanning jobs.
Tip: You can whitelist all files with the same name server-wide. Example:
cpfence --exclude-path /unique-name.php
Tip 2: To restore the Quarantined File, use this command:
mv /opt/cpfence/quarantined/example-file.php /var/www/XXXXXXX/public_html/example-file.php
cpfence --del-exclude-path PATH Remove a path or file from virus scanning exclusions.
cpfence --exclude-hash FILE_PATH Whitelist the hash of a file (use full path only).
cpfence --del-exclude-hash HASH Remove a hash from virus scanning exclusions.
cpfence --exclude-sig SIGNATURE_NAME Whitelist a signature from most virus scanning jobs.
cpfence --del-exclude-sig SIG_NAME Remove a signature from virus scanning exclusions.
Tip: You can manually add a file to the exclusion list here:
/opt/cpfence/user-config/cpfmrtp/whitelisted_files.txt
You can add a unique filename or directory name, for example:
/unique-plugin-name/ or /my_unique_whitelisted_file.html
and it will be whitelisted globally for all sites on the server.
Useful guide:
How to Whitelist Files or Folders from cPFence Virus Scan?
https://my.cpfence.app/knowledgebase/48/How-to-Whitelist-Files-or-Folders-from-cPFence-Virus-Scan.html
cPFence Owl™ Monitoring Module
cpfence --enable-owl Enable cPFence Owl Monitoring system. (recommended)
cpfence --disable-owl Disable cPFence Owl Monitoring system.
cpfence --restart-owl Restart the cPFence Owl Monitoring system.
Tip: To monitor the cPFence Owl™ Module Output, use the following command:
sudo tail -f /opt/cpfence/app/owl/tmp/logs/main_log
cpfence --owl-automysql-on Enable Owl AutoMySQL - One-Click MySQL Resource Governor.
cpfence --owl-automysql-off Disable Owl AutoMySQL - One-Click MySQL Resource Governor.
Tip: Check '/var/log/cpfenceav/killed_queries.history' for more info about killed queries.
Rootkit Scanner
cpfence --rootkit-on Turn on Rootkit daily scanner. (recommended)
cpfence --rootkit-off Turn off Rootkit daily scanner.
IP Management Commands
cpfence --check-ip IP Check the current state of an IP.
cpfence --add-whitelist-ip IP Add IP to whitelist.
cpfence --del-whitelist-ip IP Remove IP from whitelist.
cpfence --add-blacklist-ip IP Add IP to blacklist.
cpfence --del-blacklist-ip IP Remove IP from blacklist.
Tip: You can manually review or manage your custom whitelist and blacklist files here:
- Blacklist: /opt/cpfence/user-config/cpfipdb/blacklistips.txt
- Whitelist: /opt/cpfence/user-config/cpfipdb/whitelistips.txt
- Whitelist IPv6: /opt/cpfence/user-config/cpfipdb/whitelistips_v6.txt
- Blacklist IPv6: /opt/cpfence/user-config/cpfipdb/blacklistips_v6.txt
cpfence --bulk-whitelist-ip URL Bulk Add IPs in URL/FILE to whitelist.
cpfence --bulk-blacklist-ip URL Bulk Add IPs in URL/FILE to blacklist.
cpfence --bulk-del-wl-ip URL Bulk Delete IPs in URL/FILE from whitelist.
cpfence --bulk-del-bl-ip URL Bulk Delete IPs in URL/FILE from blacklist.
Tip: To avoid issues, always convert the file to Unix format using:
dos2unix /var/www/#################/path/tor_ips.txt
Country Blacklisting / Whitelisting Module
cpfence --whitelist-country CODE Add country to whitelist.
cpfence --blacklist-country CODE Add country to blacklist.
cpfence --del-whitelist-country CODE Remove country from whitelist.
cpfence --del-blacklist-country CODE Remove country from blacklist.
Tip: You can manually review or manage your custom whitelist and blacklist files here:
- Blacklist: /opt/cpfence/user-config/cpfipdb/blacklistips.txt
- Whitelist: /opt/cpfence/user-config/cpfipdb/whitelistips.txt
cPFence MonitorPro - Website Monitoring
cpfence --monitorpro-on Enable the cPFence MonitorPro Module.
Tip: The monitored site list is located in:
/var/log/cpfenceav/monitor-sites-list.csv
Examples:
# To add external domains for monitoring, append them to the CSV file like this:
domain1.com,,,Yes,
# To stop monitoring for a domain, append Yes like this:
domain1.com,,,,Yes
# To Set required content for a domain, use this format:
domain1.com,Required Keyword,,,
# To Set not wanted content for a domain, use this format:
domain1.com,,Not Wanted Keyword,,,
cpfence --monitorpro-off Disable the cPFence MonitorPro Module.
cpfence --export-cluster-domains Export all cluster domains in CSV format for use with cPFence MonitorPro.
Ideal for setting up monitoring on other servers.
cpfence --monitorpro-scan-status Quickly check the uptime status of all websites in your cluster on demand.
Maintenance Options
cpfence --backup-cpf-settings Backup your cPFence settings to be moved to other servers.
cpfence --restore-cpf-settings Restore your cPFence settings from a previously created backup file.
cpfence --sync-ips Sync all of your server IPs to your per-website cPFence license.
Tip: You can also use:
/opt/cpfence/app/setup/validate -sync-ips
cpfence --update Update cPFence software and virus signatures to the latest version.
Tip: you can use "cpfence --update -yes" for auto updates all servers using MultiRun Tool.
cpfence --uninstall Uninstall cPFence software.
Tip: If your license is expired or not working, you can use this alternative command:
/opt/cpfence/app/setup/uninstall
cpfence --version Display cPFence installed version.
cpfence --help Display this help message.
Server Administration Helper Utilities
cpfence --multirun A powerful tool to bulk run commands on all your servers in one shot.
cpfence --fix-permissions-dry Lists all files and directories not owned by the expected owner (dry run).
cpfence --fix-permissions Fix ownership of files and dirs not owned by the expected owner.
cpfence --enable-global-smtp Enable server-wide global SMTP relay.
cpfence --disable-global-smtp Disable server-wide global SMTP relay.
Need Further Assistance?
Visit our Knowledgebase or contact our support team for help.
