WP AutoShield is a cPFence module that secures, fixes, and manages all WordPress sites from one place. You can run every tool from the browser-based WebUI or from the CLI. Each action can target a single site, one server, or your full cluster.
Where in WebUI: Tools & Utilities → WP-AutoShield Bulk Tools. Use the left sidebar “Switch Server” to scope to a server, or leave it unset for the whole cluster. Use “Run on specific WordPress sites only” to target one or more sites.
Auto-pilot: Most protections run daily at 06:10 based on your configured settings.
How to Get Started?
If you’re running the latest cPFence, WP-AutoShield is enabled by default. If not, turn it on with:
cpfence --wp-autoshield-onThen configure the module to your needs in /opt/cpfence/config.conf or from the WebUI settings page. The most common options are:
cPFence_autoupdate_wp_sites_list– Keeps the WordPress site list updated before each cron run.autoshield_updates– Automatically applies WP core, theme, and plugin updates.autoshield_vuln_report– Sends a weekly email report of WordPress vulnerabilities.autoshield_disable_wp_cron– Replaces WP-Cron with system cron for better performance.autoshield_set_wp_secure_keys– Sets salts/keys daily only if missing.autoshield_disable_wp_file_edit– Disables the built-in theme/plugin editors.autoshield_disable_wp_pingbacks– Blocks pingbacks to reduce spam/reflection attacks.autoshield_set_wp_permissions– Applies recommended file and directory permissions.autoshield_wp_hardening– Locks critical files (e.g.,wp-config.php) and uploads.autoshield_disable_wp_xmlrpc– Turns off XML-RPC unless truly required.autoshield_wp_limit_login– Adds rate-limiting towp-login.php.autoshield_wp_captcha– Adds a simple math CAPTCHA to login/registration forms.autoshield_wp_idle_logout– Logs out idle users after 120 minutes.autoshield_rename_wp_admin– Renames the default “admin” username and emails a report.autoshield_disable_xss_in_posts– Strips risky scripts/iframes from posts.autoshield_plugin_blacklist_removal– Deletes plugins listed in/var/log/cpfenceav/blacklisted-wp-plugins.txt.autoshield_custom_mu_plugin– Deploys the MU plugin from/var/log/cpfenceav/mu-plugin.autoshield_cache_plugin_removal– Removes most cache plugins except LiteSpeed Cache.autoshield_bulk_wp_db_scan– Scans all WP databases daily and alerts on malware.autoshield_bulk_wp_db_optimize– Optimizes all WP databases daily.autoshield_security_headers– Adds standard security headers across all sites.autoshield_force_plugin_bundle– Forces installation of plugins listed in/var/log/cpfenceav/wp-plugin-bundle.txt.autoshield_clear_litespeed_cache– Clears LiteSpeed cache for every site daily.autoshield_disable_ls_cache_login_page– Disables LiteSpeed login-page cache daily (recommended with cPFence WAF CAPTCHA).
Feature Groups in the WebUI
General & Backups
- Manually run WP-AutoShield on demand.
- Bulk back up all WordPress sites, and restore sites (beta).
- Generate WordPress sites list, restore core files.
LiteSpeed Tools
- Install and configure LiteSpeed Cache with recommended presets and Redis enabled.
- Clear cache, reset plugin, enable LiteSpeed features (ESI, heartbeat policy), and control login page caching.
Access & Limits
- Rename weak
adminusernames. - Enable or disable XML-RPC.
- Enable or disable login protection (limit login attempts), CAPTCHA, and idle logout.
Manage Updates & Cron
- Bulk update core, plugins, themes, and translations.
- Enable or disable auto-updates per component.
- Disable or enable native WP-Cron, or run due WP-Cron now.
Permissions & Hardening
- Set secure keys, file and directory permissions.
- Harden
wp-includes, uploads, andwp-config.php. - Enable or disable file editing in wp-admin and pingbacks.
- Enable or disable XSS-risky content in posts; enable or disable security headers.
Manage WP Plugins
- Install, enable, disable, uninstall any plugin by slug or ZIP/URL. One-click bundle install.
- Uninstall blacklisted or caching/Redis plugins in bulk (keeps LiteSpeed Cache).
- Install or remove a custom MU plugin server-wide.
Manage WP Themes
- Install, activate, or delete themes in bulk by slug or ZIP/URL.
Manage WP Users
- Create users, list users (CSV), reset all or one user password, and delete users with or without reassigning content.
Content & Visibility
- Toggle search engine indexing and maintenance mode.
Database Tools
- Scan all WordPress databases for malware and injections.
- Optimize databases to reduce overhead.
Language
- Bulk switch the WordPress locale.
Do the Same from the CLI
Every WebUI action also has a CLI equivalent for automation. Run these from the main control panel server.
Core WP AutoShield and Integrity
cpfence --wp-autoshield-on
cpfence --wp-autoshield-off
cpfence --enable-integrity-check
cpfence --disable-integrity-check
cpfence --enable-auto-file-action
cpfence --disable-auto-file-action
cpfence --set-check-frequency [daily|hourly]
cpfence --generate-wp-sites-list
cpfence --exclude-wp-site
cpfence --del-exclude-wp-site
cpfence --exclude-integrity-site
cpfence --del-exclude-integrity-site
cpfence --exclude-integrity-file
cpfence --del-exclude-integrity-file
Updates, Auto-updates, Vulnerabilities, and Cron
cpfence --bulk-update-wordpress
cpfence --bulk-auto-update-all-sites [all|core|plugins|themes|translations]
cpfence --enable-wp-auto-updates [all|core|plugins|themes|translations]
cpfence --disable-wp-auto-updates [all|core|plugins|themes|translations]
cpfence --vuln-scan
cpfence --vuln-export
cpfence --bulk-disable-wp-cron
cpfence --bulk-enable-wp-cron
cpfence --bulk-run-due-wp-cron
Permissions, Hardening, Headers, and Editorial Safety
cpfence --bulk-disable-wp-file-edit
cpfence --bulk-enable-wp-file-edit
cpfence --bulk-disable-wp-pingback
cpfence --bulk-enable-wp-pingback
cpfence --bulk-set-wp-secure-keys
cpfence --bulk-set-wp-permissions
cpfence --bulk-enable-wp-hardening
cpfence --bulk-disable-wp-hardening
cpfence --bulk-enable-sec-headers
cpfence --bulk-disable-sec-headers
cpfence --bulk-disable-xss-in-wp-posts
cpfence --bulk-enable-xss-in-wp-posts
cpfence --bulk-force-wp-core-files
Access Controls: XML-RPC, Login Limits, CAPTCHA, Idle Logout, Admin Rename
cpfence --bulk-disable-wp-xmlrpc
cpfence --bulk-enable-wp-xmlrpc
cpfence --bulk-enable-wp-limit-login
cpfence --bulk-disable-wp-limit-login
cpfence --bulk-enable-wp-captcha
cpfence --bulk-disable-wp-captcha
cpfence --bulk-enable-wp-idle-logout
cpfence --bulk-disable-wp-idle-logout
cpfence --bulk-rename-wp-admin
LiteSpeed Cache and Redis
cpfence --bulk-install-ls-plugin
cpfence --bulk-configure-ls-plugin
cpfence --bulk-enable-ls-redis
cpfence --bulk-enable-ls-cache-login-page
cpfence --bulk-disable-ls-cache-login-page
cpfence --bulk-enable-ls-heartbeat
cpfence --bulk-reset-ls-plugin
cpfence --bulk-clear-litespeed-cache
Plugins
cpfence --bulk-install-wp-plugin
cpfence --bulk-install-plugin-auto
cpfence --bulk-disable-wp-plugin
cpfence --bulk-disable-wp-plugin-auto
cpfence --bulk-enable-wp-plugin
cpfence --bulk-enable-wp-plugin-auto
cpfence --bulk-uninstall-wp-plugin
cpfence --bulk-uninstall-plugin-auto
cpfence --bulk-uninstall-cache-plugins
cpfence --bulk-uninstall-bl-plugins
cpfence --bulk-install-plugin-bundle
cpfence --bulk-install-custom-mu-plugin
cpfence --bulk-uninstall-custom-mu-plugin
cpfence --bulk-remove-mu-plugin
Themes
cpfence --bulk-install-wp-theme
cpfence --bulk-install-wp-theme-auto
cpfence --bulk-activate-wp-theme
cpfence --bulk-activate-wp-theme-auto
cpfence --bulk-delete-wp-theme
cpfence --bulk-delete-wp-theme-auto
Users
cpfence --bulk-create-wp-user
cpfence --bulk-create-wp-user-auto
cpfence --bulk-list-wp-users
cpfence --bulk-list-wp-users-auto
cpfence --bulk-wp-reset-all-passwords
cpfence --bulk-wp-reset-all-passwords-auto
cpfence --bulk-wp-reset-user-password
cpfence --bulk-wp-reset-user-password-auto
cpfence --bulk-delete-wp-user-reassign
cpfence --bulk-delete-wp-user-reassign-auto
cpfence --bulk-delete-wp-user
cpfence --bulk-delete-wp-user-auto
Content, Visibility, Databases, and Language
cpfence --bulk-disable-search-engine-index
cpfence --bulk-enable-search-engine-index
cpfence --bulk-enable-maintenance-mode
cpfence --bulk-disable-maintenance-mode
cpfence --bulk-scan-wp-databases
cpfence --bulk-optimize-wp-databases
cpfence --bulk-switch-wp-language
Excluding Sites from WP AutoShield®
You can keep WP AutoShield enabled server/cluster-wide while excluding specific WordPress sites from its automatic daily cron. Exclusions can be managed in the WebUI or via CLI/files.
Exclude via WebUI (Recommended)
- Go to Tools & Utilities → WP-AutoShield Bulk Tools, tick Run on specific WordPress sites only, and select just the sites you want to affect (everything else is effectively excluded for that run).
- For permanent exclusions from the daily cron, open System Settings → Edit Configuration Files and add site paths (one per line) to:
/var/log/cpfenceav/wp-exclude-list.txt.
Exclude via CLI
- Add/remove a site from the exclusion list:
cpfence --exclude-wp-site
cpfence --del-exclude-wp-siteThese commands update /var/log/cpfenceav/wp-exclude-list.txt, which the daily cron honors.
Target Specific Sites with Manual Tools
Manual runs bypass the exclusion list and act only on the sites you explicitly list. Before running a manual/bulk command, populate:
/var/log/cpfenceav/wp-sites-list.txtInclude only the sites you want to affect, one per line. Update this file each time you run manual tools.
Configuration Scope & Safety
- The exclusion list (
wp-exclude-list.txt) affects daily cron tasks only; manual commands ignore it. - Daily cron applies only the measures you enable in
/opt/cpfence/config.conf. - From the WebUI or CLI, you can apply any feature to a single site, a single server, or the full cluster.
Need Further Assistance?
If you need further help , reach out through your client portal.
