The cPFence MU-Plugin provides 5 key security features designed to enhance the protection of your WordPress sites. These features include:
- Disabling XML-RPC: Prevents unauthorized access and mitigates XML-RPC-based attacks.
- Limiting Login Attempts: Protects against brute-force attacks by restricting the number of failed login attempts.
- Math Captcha for Login Pages: Adds an extra layer of security by requiring users to solve a simple math problem before logging in.
- Idle User Logout: Automatically logs out idle users to prevent unauthorized access to active sessions.
- Content Security Policy (Security Headers): Prevents XSS and code injection by controlling allowed content sources.
Tip: you can run cpfence --bulk-remove-mu-plugin to remove the cPFence MU plugin from all WordPress sites server-wide.
To prevent the WP AutoShield module from adding the MU plugin again, ensure the following options remain set to 'off' in your configuration:
1. autoshield_disable_wp_xmlrpc="off"
2. autoshield_wp_limit_login="off"
3. autoshield_wp_captcha="off"
4. autoshield_wp_idle_logout="off"
5. autoshield_security_headers="off"
What If You Don’t Want to Use These Features?
If you prefer not to use the MU-Plugin’s features, you can safely remove the plugin. However, ensure that you first disable these features in the WP-AutoShield configuration. This prevents the MU-Plugin from being re-added automatically.
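The following pre-removal check is an added example, not part of cPFence: it reports which of the five options are not confirmed "off" in a configuration file. The page does not give the configuration file's path, so it is passed as an argument; the function names and the rule that the last uncommented assignment wins are assumptions.

```shell
#!/bin/sh
# Added example: confirm the five WP AutoShield options are "off" before
# removing the MU plugin. The config path is not given on the page; pass it in.

AUTOSHIELD_KEYS="autoshield_disable_wp_xmlrpc autoshield_wp_limit_login autoshield_wp_captcha autoshield_wp_idle_logout autoshield_security_headers"

# Print the effective value of one key. Commented lines are ignored and the
# last assignment wins (an assumption). Prints nothing if the key is absent.
autoshield_value() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print every key not confirmed "off"; return 0 only if all five are off.
# A missing key counts as not confirmed, since its default is unknown here.
autoshield_not_off() {
    conf=$1
    rc=0
    for key in $AUTOSHIELD_KEYS; do
        val=$(autoshield_value "$conf" "$key")
        if [ "$val" != "off" ]; then
            echo "$key=${val:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh /path/to/config
if [ -n "${1:-}" ]; then
    if autoshield_not_off "$1"; then
        echo "All five options are off; you can run: cpfence --bulk-remove-mu-plugin"
    else
        echo "Set the options listed above to \"off\" before removing the MU plugin." >&2
        exit 1
    fi
fi
```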
Alternatively, if you want to exclude specific sites from these security measures, you can add them to the exclusion list. This way, the specified sites will remain unaffected by the plugin’s features.
Use the exclusion file /var/log/cpfenceav/wp-exclude-list.txt to exclude specific sites from the daily cron job.
Important Points to Remember
- The exclusion list (wp-exclude-list.txt) affects only the automatic daily cron jobs.
- The daily cron job applies only the measures enabled in your configuration file.
- Manual commands bypass the exclusion list and provide flexibility to apply selected measures to specific sites in the wp-sites-list.txt file.
- You can remove the MU Plugin server-wide by running the command: cpfence --bulk-remove-mu-plugin
Need Assistance?
If you have additional questions or need help managing the MU-Plugin, please reach out to our support team via your client portal.
