What Is WP AutoShield® and How Does It Work?

WP AutoShield is a cPFence module that secures, fixes, and manages all WordPress sites from one place. You can run every tool from the browser-based WebUI or from the CLI. Each action can target a single site, one server, or your full cluster.

Where in WebUI: Tools & Utilities → WP-AutoShield Bulk Tools. Use the left sidebar “Switch Server” to scope to a server, or leave it unset for the whole cluster. Use “Run on specific WordPress sites only” to target one or more sites.

Auto-pilot: Most protections run daily at 06:10 based on your configured settings.

How to Get Started?

If you’re running the latest cPFence, WP-AutoShield is enabled by default. If not, turn it on with:

cpfence --wp-autoshield-on

Then configure the module to your needs in /opt/cpfence/config.conf or from the WebUI settings page. The most common options are:

  • cPFence_autoupdate_wp_sites_list – Keeps the WordPress site list updated before each cron run.
  • autoshield_updates – Automatically applies WP core, theme, and plugin updates.
  • autoshield_vuln_report – Sends a weekly email report of WordPress vulnerabilities.
  • autoshield_disable_wp_cron – Replaces WP-Cron with system cron for better performance.
  • autoshield_set_wp_secure_keys – Sets salts/keys daily only if missing.
  • autoshield_disable_wp_file_edit – Disables the built-in theme/plugin editors.
  • autoshield_disable_wp_pingbacks – Blocks pingbacks to reduce spam/reflection attacks.
  • autoshield_set_wp_permissions – Applies recommended file and directory permissions.
  • autoshield_wp_hardening – Locks critical files (e.g., wp-config.php) and uploads.
  • autoshield_disable_wp_xmlrpc – Turns off XML-RPC unless truly required.
  • autoshield_wp_limit_login – Adds rate-limiting to wp-login.php.
  • autoshield_wp_captcha – Adds a simple math CAPTCHA to login/registration forms.
  • autoshield_wp_idle_logout – Logs out idle users after 120 minutes.
  • autoshield_rename_wp_admin – Renames the default “admin” username and emails a report.
  • autoshield_disable_xss_in_posts – Strips risky scripts/iframes from posts.
  • autoshield_plugin_blacklist_removal – Deletes plugins listed in /var/log/cpfenceav/blacklisted-wp-plugins.txt.
  • autoshield_custom_mu_plugin – Deploys the MU plugin from /var/log/cpfenceav/mu-plugin.
  • autoshield_cache_plugin_removal – Removes most cache plugins except LiteSpeed Cache.
  • autoshield_bulk_wp_db_scan – Scans all WP databases daily and alerts on malware.
  • autoshield_bulk_wp_db_optimize – Optimizes all WP databases daily.
  • autoshield_security_headers – Adds standard security headers across all sites.
  • autoshield_force_plugin_bundle – Forces installation of plugins listed in /var/log/cpfenceav/wp-plugin-bundle.txt.
  • autoshield_clear_litespeed_cache – Clears LiteSpeed cache for every site daily.
  • autoshield_disable_ls_cache_login_page – Disables LiteSpeed login-page cache daily (recommended with cPFence WAF CAPTCHA).

Feature Groups in the WebUI

General & Backups

  • Manually run WP-AutoShield on demand.
  • Bulk back up all WordPress sites, and restore sites (beta).
  • Generate WordPress sites list, restore core files.

LiteSpeed Tools

  • Install and configure LiteSpeed Cache with recommended presets and Redis enabled.
  • Clear cache, reset plugin, enable LiteSpeed features (ESI, heartbeat policy), and control login page caching.

Access & Limits

  • Rename weak admin usernames.
  • Enable or disable XML-RPC.
  • Enable or disable login protection (limit login attempts), CAPTCHA, and idle logout.

Manage Updates & Cron

  • Bulk update core, plugins, themes, and translations.
  • Enable or disable auto-updates per component.
  • Disable or enable native WP-Cron, or run due WP-Cron now.

Permissions & Hardening

  • Set secure keys, file and directory permissions.
  • Harden wp-includes, uploads, and wp-config.php.
  • Enable or disable file editing in wp-admin and pingbacks.
  • Enable or disable XSS-risky content in posts; enable or disable security headers.

Manage WP Plugins

  • Install, enable, disable, uninstall any plugin by slug or ZIP/URL. One-click bundle install.
  • Uninstall blacklisted or caching/Redis plugins in bulk (keeps LiteSpeed Cache).
  • Install or remove a custom MU plugin server-wide.

Manage WP Themes

  • Install, activate, or delete themes in bulk by slug or ZIP/URL.

Manage WP Users

  • Create users, list users (CSV), reset all or one user password, and delete users with or without reassigning content.

Content & Visibility

  • Toggle search engine indexing and maintenance mode.

Database Tools

  • Scan all WordPress databases for malware and injections.
  • Optimize databases to reduce overhead.

Language

  • Bulk switch the WordPress locale.

Do the Same from the CLI

Every WebUI action also has a CLI equivalent for automation. Run these from the main control panel server.

Core WP AutoShield and Integrity

cpfence --wp-autoshield-on
cpfence --wp-autoshield-off
cpfence --enable-integrity-check
cpfence --disable-integrity-check
cpfence --enable-auto-file-action
cpfence --disable-auto-file-action
cpfence --set-check-frequency [daily|hourly]
cpfence --generate-wp-sites-list
cpfence --exclude-wp-site
cpfence --del-exclude-wp-site
cpfence --exclude-integrity-site
cpfence --del-exclude-integrity-site
cpfence --exclude-integrity-file
cpfence --del-exclude-integrity-file

Updates, Auto-updates, Vulnerabilities, and Cron

cpfence --bulk-update-wordpress
cpfence --bulk-auto-update-all-sites [all|core|plugins|themes|translations]
cpfence --enable-wp-auto-updates [all|core|plugins|themes|translations]
cpfence --disable-wp-auto-updates [all|core|plugins|themes|translations]
cpfence --vuln-scan
cpfence --vuln-export
cpfence --bulk-disable-wp-cron
cpfence --bulk-enable-wp-cron
cpfence --bulk-run-due-wp-cron

Permissions, Hardening, Headers, and Editorial Safety

cpfence --bulk-disable-wp-file-edit
cpfence --bulk-enable-wp-file-edit
cpfence --bulk-disable-wp-pingback
cpfence --bulk-enable-wp-pingback
cpfence --bulk-set-wp-secure-keys
cpfence --bulk-set-wp-permissions
cpfence --bulk-enable-wp-hardening
cpfence --bulk-disable-wp-hardening
cpfence --bulk-enable-sec-headers
cpfence --bulk-disable-sec-headers
cpfence --bulk-disable-xss-in-wp-posts
cpfence --bulk-enable-xss-in-wp-posts
cpfence --bulk-force-wp-core-files

Access Controls: XML-RPC, Login Limits, CAPTCHA, Idle Logout, Admin Rename

cpfence --bulk-disable-wp-xmlrpc
cpfence --bulk-enable-wp-xmlrpc
cpfence --bulk-enable-wp-limit-login
cpfence --bulk-disable-wp-limit-login
cpfence --bulk-enable-wp-captcha
cpfence --bulk-disable-wp-captcha
cpfence --bulk-enable-wp-idle-logout
cpfence --bulk-disable-wp-idle-logout
cpfence --bulk-rename-wp-admin

LiteSpeed Cache and Redis

cpfence --bulk-install-ls-plugin
cpfence --bulk-configure-ls-plugin
cpfence --bulk-enable-ls-redis
cpfence --bulk-enable-ls-cache-login-page
cpfence --bulk-disable-ls-cache-login-page
cpfence --bulk-enable-ls-heartbeat
cpfence --bulk-reset-ls-plugin
cpfence --bulk-clear-litespeed-cache

Plugins

cpfence --bulk-install-wp-plugin
cpfence --bulk-install-plugin-auto
cpfence --bulk-disable-wp-plugin
cpfence --bulk-disable-wp-plugin-auto
cpfence --bulk-enable-wp-plugin
cpfence --bulk-enable-wp-plugin-auto
cpfence --bulk-uninstall-wp-plugin
cpfence --bulk-uninstall-plugin-auto
cpfence --bulk-uninstall-cache-plugins
cpfence --bulk-uninstall-bl-plugins
cpfence --bulk-install-plugin-bundle
cpfence --bulk-install-custom-mu-plugin
cpfence --bulk-uninstall-custom-mu-plugin
cpfence --bulk-remove-mu-plugin

Themes

cpfence --bulk-install-wp-theme
cpfence --bulk-install-wp-theme-auto
cpfence --bulk-activate-wp-theme
cpfence --bulk-activate-wp-theme-auto
cpfence --bulk-delete-wp-theme
cpfence --bulk-delete-wp-theme-auto

Users

cpfence --bulk-create-wp-user
cpfence --bulk-create-wp-user-auto
cpfence --bulk-list-wp-users
cpfence --bulk-list-wp-users-auto
cpfence --bulk-wp-reset-all-passwords
cpfence --bulk-wp-reset-all-passwords-auto
cpfence --bulk-wp-reset-user-password
cpfence --bulk-wp-reset-user-password-auto
cpfence --bulk-delete-wp-user-reassign
cpfence --bulk-delete-wp-user-reassign-auto
cpfence --bulk-delete-wp-user
cpfence --bulk-delete-wp-user-auto

Content, Visibility, Databases, and Language

cpfence --bulk-disable-search-engine-index
cpfence --bulk-enable-search-engine-index
cpfence --bulk-enable-maintenance-mode
cpfence --bulk-disable-maintenance-mode
cpfence --bulk-scan-wp-databases
cpfence --bulk-optimize-wp-databases
cpfence --bulk-switch-wp-language

 

Excluding Sites from WP AutoShield® 

You can keep WP AutoShield enabled server/cluster-wide while excluding specific WordPress sites from its automatic daily cron. Exclusions can be managed in the WebUI or via CLI/files.

Exclude via WebUI (Recommended)

  • Go to Tools & Utilities → WP-AutoShield Bulk Tools, tick Run on specific WordPress sites only, and select just the sites you want to affect (everything else is effectively excluded for that run).
  • For permanent exclusions from the daily cron, open System Settings → Edit Configuration Files and add site paths (one per line) to:
  • /var/log/cpfenceav/wp-exclude-list.txt.

Exclude via CLI

  • Add/remove a site from the exclusion list:
cpfence --exclude-wp-site
cpfence --del-exclude-wp-site

These commands update /var/log/cpfenceav/wp-exclude-list.txt, which the daily cron honors.

Target Specific Sites with Manual Tools

Manual runs bypass the exclusion list and act only on the sites you explicitly list. Before running a manual/bulk command, populate:

/var/log/cpfenceav/wp-sites-list.txt

Include only the sites you want to affect, one per line. Update this file each time you run manual tools.

Configuration Scope & Safety

  • The exclusion list (wp-exclude-list.txt) affects daily cron tasks only; manual commands ignore it.
  • Daily cron applies only the measures you enable in /opt/cpfence/config.conf.
  • From the WebUI or CLI, you can apply any feature to a single site, a single server, or the full cluster.

Need Further Assistance?

If you need further help , reach out through your client portal.

 

  • 2 Els usuaris han Trobat Això Útil
Ha estat útil la resposta?

Articles Relacionats

How to Perform and Export Wordpress Vulnerability Scans with cPFence?

cPFence provides powerful tools for identifying and analyzing Wordpress vulnerabilities. With the...

How to Generate a List of All WordPress Sites on Your Server?

cPFence provides an easy way to generate a comprehensive list of all WordPress sites on your...

How to Quickly Identify Infected WordPress Sites Using cPFence?

cPFence makes it easy to identify and clean infected WordPress sites on your server. Follow the...

How to Clean an Infected WordPress Site?

Has your WordPress site been infected, and cPFence reported malware or other issues? Don’t worry;...

How to Secure Your WordPress Sites with cPFence?

WordPress is a powerful platform, but it can become vulnerable if not properly secured. With...