v3.2.1

Security Documentation

Comprehensive guide to Wp Admin's security services — from firewall configuration and malware scanning to authentication hardening and compliance management.

📅 Last updated: Jan 15, 2025
📌 Core Service

Overview

Wp Admin's security suite provides multi-layered protection for your WordPress websites. Our approach follows the defense-in-depth strategy, implementing security controls at every level — from the network perimeter down to individual file permissions.

ℹ️ Service Availability: Security monitoring is active 24/7/365 across all pricing plans. Advanced security features are available on Professional and Enterprise tiers.

Security Model

Our security model is built on three pillars:

Prevention

Firewall rules, access controls, and hardening measures that stop threats before they reach your site.

Detection

Real-time monitoring, malware scanning, and anomaly detection that identifies potential breaches instantly.

Response

Automated incident response, emergency cleanup, and guaranteed recovery within SLA timeframes.

Firewall Configuration

Wp Admin implements a Web Application Firewall (WAF) specifically tuned for WordPress. The firewall operates at Layer 7 and filters incoming traffic using a combination of rule-based filtering and machine learning models.

Firewall Rules

The firewall automatically applies the following protection rules:

Rule Category  | Description                                                    | Status
---------------|----------------------------------------------------------------|---------
SQL Injection  | Blocks SQL injection attempts via URLs, POST data, and cookies | Active
XSS Protection | Prevents cross-site scripting attacks by sanitizing inputs     | Active
Brute Force    | Limits login attempts and blocks suspicious IPs automatically  | Active
Bot Protection | Identifies and blocks malicious bots, scrapers, and crawlers   | Active
Comment Spam   | Filters comment spam using AI-based detection                  | Optional
Geo-blocking   | Restricts access by geographic region or country               | Optional

Custom Rules

You can define custom firewall rules using our configuration API. Rules are applied using a priority-based system:

JSON
{
  "firewall_rules": {
    "enabled": true,
    "mode": "strict",
    "custom_rules": [
      {
        "id": "block-suspicious-ua",
        "action": "block",
        "priority": 100,
        "conditions": {
          "user_agent": { "contains": ["scanner", "exploit"] }
        }
      },
      {
        "id": "rate-limit-api",
        "action": "throttle",
        "priority": 200,
        "conditions": {
          "path": "/wp-json/*",
          "rate_limit": "30/min"
        }
      }
    ],
    "whitelist_ips": ["203.0.113.0/24", "198.51.100.10"]
  }
}
⚠️ Whitelist with Caution: Adding IPs to the whitelist bypasses all firewall rules. Only whitelist trusted IPs and review them regularly through the dashboard.
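To make the priority ordering and the whitelist bypass concrete, here is an added evaluator (not Wp Admin's code) that runs a request against the custom_rules document above. Its semantics are assumptions: lower priority fires first, whitelist_ips skip every rule, "path" accepts a trailing "*", and "rate_limit" is "N/min" counted per rule and client IPv4 address.

```javascript
// Added example, not Wp Admin code: evaluates a request against the
// custom_rules document above. Assumed semantics: lower "priority" fires
// first, whitelist_ips bypass every rule, "N/min" counted per rule and IP.
const firewallConfig = {
  enabled: true,
  custom_rules: [
    { id: "block-suspicious-ua", action: "block", priority: 100,
      conditions: { user_agent: { contains: ["scanner", "exploit"] } } },
    { id: "rate-limit-api", action: "throttle", priority: 200,
      conditions: { path: "/wp-json/*", rate_limit: "30/min" } },
  ],
  whitelist_ips: ["203.0.113.0/24", "198.51.100.10"],
};

function ipInCidr(ip, cidr) { // IPv4 only, enough for the sample whitelist
  const [net, bits = "32"] = cidr.split("/");
  const toInt = (a) => a.split(".").reduce((n, o) => ((n << 8) + Number(o)) >>> 0, 0);
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

function pathMatches(pattern, path) {
  return pattern.endsWith("*") ? path.startsWith(pattern.slice(0, -1)) : path === pattern;
}

const rateState = new Map(); // "ruleId:ip" -> { windowStart, count }
function overRateLimit(key, spec, now) {
  const [limit, unit] = spec.split("/");
  const windowMs = unit === "sec" ? 1000 : unit === "hour" ? 3600000 : 60000; // "min" default
  const s = rateState.get(key);
  if (s && now - s.windowStart < windowMs) return ++s.count > Number(limit);
  rateState.set(key, { windowStart: now, count: 1 }); // new fixed window
  return false;
}

function evaluateRequest(config, req, now = Date.now()) {
  if (!config.enabled) return { action: "allow", rule: null };
  // A whitelisted client skips every rule below, hence the caution above.
  if (config.whitelist_ips.some((c) => ipInCidr(req.ip, c))) return { action: "allow", rule: "whitelist" };
  const ua = (req.user_agent || "").toLowerCase();
  for (const rule of [...config.custom_rules].sort((a, b) => a.priority - b.priority)) {
    const c = rule.conditions;
    if (c.user_agent && !c.user_agent.contains.some((s) => ua.includes(s))) continue;
    if (c.path && !pathMatches(c.path, req.path)) continue;
    if (c.rate_limit && !overRateLimit(`${rule.id}:${req.ip}`, c.rate_limit, now)) continue;
    return { action: rule.action, rule: rule.id };
  }
  return { action: "allow", rule: null };
}
```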

Malware Scanning

Wp Admin performs automated malware scans on a configurable schedule. Scanning covers all WordPress core files, themes, plugins, and uploaded media files.

Scan Types

1

Full File System Scan

Complete scan of all files on the server comparing against a known-good WordPress file database. Detects modified, injected, or unknown files.

2

Code Analysis

Static analysis of PHP files looking for suspicious patterns, obfuscated code, eval() calls, and base64-encoded payloads commonly found in WordPress malware.

3

Database Scan

Examines all database tables for injected content in post content, comments, user metadata, and options tables where malware often hides.

4

Redirect Detection

Checks for malicious 301/302 redirects, JavaScript redirects, and meta-refresh redirects that could be sending visitors to phishing or malicious sites.
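The code-analysis step above names the indicators it looks for; the added scanner below (not Wp Admin's own) shows how such a pattern pass can be scored over PHP source. Patterns, weights and the verdict threshold are assumptions, and the two samples are constructed for the example.

```javascript
// Added example, not Wp Admin's scanner: flags the static-analysis
// indicators named above (eval(), base64 payloads, obfuscated calls) in
// PHP source. Patterns, weights and the verdict threshold are assumptions.
const INDICATORS = [
  { name: "eval_call", weight: 5, re: /\beval\s*\(/i },
  { name: "base64_decode", weight: 3, re: /\bbase64_decode\s*\(/i },
  { name: "shell_or_exec", weight: 4, re: /\b(?:system|shell_exec|passthru|exec|assert)\s*\(/i },
  { name: "long_base64_blob", weight: 3, re: /["'][A-Za-z0-9+\/]{120,}={0,2}["']/ },
  { name: "variable_function_call", weight: 4, re: /\$[A-Za-z_]\w*\s*\(/ },
  { name: "decoder_chain", weight: 2, re: /\b(?:str_rot13|gzinflate|gzuncompress)\s*\(/i },
];

function scanPhpSource(source, path = "<inline>") {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(line)) findings.push({ path, line: i + 1, indicator: ind.name, weight: ind.weight });
    }
  });
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 8 ? "suspicious" : score > 0 ? "review" : "clean";
  return { path, score, verdict, findings };
}

// Constructed samples: a benign plugin fragment and the generic shape of
// injected code (decoded blob handed to eval). Not real malware.
const BENIGN_PHP = `<?php
add_action('init', function () { register_post_type('book'); });
echo esc_html(get_option('blogname'));`;
const INJECTED_PHP = `<?php
$payload = base64_decode("${"QUJD".repeat(40)}");
eval($payload);`;
```

A "review" verdict is meant for human triage, matching the page's rule that nothing is auto-deleted.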

Scan Configuration

YAML
# wpadmin-security.yml
malware_scanning:
  schedule: "0 */6 * * *"  # Every 6 hours
  scan_type: "full"       # full | quick | scheduled
  auto_cleanup: false     # Never auto-delete without approval
  exclusions:
    paths: ["/wp-content/uploads/bundles/"]
    extensions: [".psd", ".ai"]
  notifications:
    on_threat_found: ["email", "webhook", "slack"]
    on_scan_complete: "email"
    report_recipients: ["admin@yourdomain.com"]
🚨 Auto-Cleanup Warning: We never automatically delete files flagged as malware. All threats require manual approval through the dashboard or API before remediation. This prevents false positives from breaking your site.

Authentication

Strong authentication is the first line of defense. Wp Admin enforces security best practices for all WordPress login mechanisms.

Enforced Policies

  • Password Strength: Enforced minimum of 12 characters with complexity requirements (uppercase, lowercase, numbers, symbols)
  • Two-Factor Authentication (2FA): Mandatory 2FA for all administrator accounts using TOTP (Time-based One-Time Password)
  • Login Attempts: Maximum 5 failed attempts before 30-minute lockout with exponential backoff
  • Session Management: Sessions expire after 24 hours of inactivity; concurrent sessions limited to 3 per user
  • XML-RPC: Disabled by default unless explicitly required by your site's functionality
  • Admin URL: Customizable login URL to prevent automated discovery attacks

2FA Setup

JavaScript
// Enable 2FA via Wp Admin API
const response = await fetch("https://api.wpadmin.com/v3/auth/2fa/enable", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${WP_ADMIN_TOKEN}`,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    site_id: "site_abc123",
    method: "totp",
    enforce_roles: ["administrator", "editor"],
    backup_codes_count: 10,
    grace_period: 15  // minutes without 2FA enforcement
  })
});

const data = await response.json();
// Returns QR code URL and secret key
console.log(data.qr_code_url);

SSL / HTTPS

All managed sites are served over HTTPS. Wp Admin handles SSL certificate provisioning, renewal, and configuration automatically.

SSL Features

Feature                    | Starter | Professional | Enterprise
---------------------------|---------|--------------|-----------
Let's Encrypt Auto-Renewal | ✓       | ✓            | ✓
HTTP → HTTPS Redirect      | ✓       | ✓            | ✓
HSTS Header                | —       | ✓            | ✓
Custom SSL Certificates    | —       | —            | ✓
Wildcard SSL               | —       | —            | ✓
SSL Stapling               | —       | ✓            | ✓
TLS 1.3 Only               | —       | ✓            | ✓

Hardening

Wp Admin applies industry-standard WordPress hardening techniques automatically upon onboarding and maintains them continuously.

Automatic Hardening Actions

✅ File System Hardening

✓ Set wp-config.php permissions to 640 (owner read/write, group read only)
✓ Remove write permissions from wp-includes and wp-admin directories
✓ Disable directory browsing via Options -Indexes
✓ Block access to .htaccess, .git, and .env files
✓ Remove readme.html, license.txt, and wp-config-sample.php

✅ WordPress Configuration Hardening

✓ Set unique AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY values
✓ Disable WP_DEBUG in production environments
✓ Disable file editor with define('DISALLOW_FILE_EDIT', true)
✓ Limit post revisions to 5 with WP_POST_REVISIONS
✓ Set EMPTY_TRASH_DAYS to 7 days
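The configuration items above can be verified offline; this added audit (not Wp Admin's tooling) parses the define() calls in a wp-config.php and checks each one. The define() parser is a simplified regex, the salt check looks for the placeholder text WordPress ships in wp-config-sample.php, and both sample configs are constructed.

```javascript
// Added example, not Wp Admin's tooling: audits a wp-config.php against
// the configuration items listed above. define() parsing is a simplified
// regex; the salt check looks for the placeholder WordPress ships in
// wp-config-sample.php. Sample configs below are constructed.
const SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY"];
const DEFINE_RE = /define\s*\(\s*['"]([A-Z_]+)['"]\s*,\s*(true|false|-?\d+|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*\)/g;

function parseDefines(source) {
  const defines = {};
  for (const m of source.matchAll(DEFINE_RE)) {
    const v = m[2];
    defines[m[1]] = v === "true" ? true : v === "false" ? false
      : /^-?\d+$/.test(v) ? Number(v) : v.slice(1, -1); // strip quotes
  }
  return defines;
}

function auditWpConfig(source) {
  const d = parseDefines(source);
  const salts = SALT_KEYS.map((k) => d[k]);
  const saltOk = salts.every((s) => typeof s === "string" && s.length >= 32 && !/put your unique phrase here/i.test(s))
    && new Set(salts).size === SALT_KEYS.length;
  const checks = [
    { name: "unique_salts", ok: saltOk, want: "four distinct non-placeholder keys, 32+ chars" },
    { name: "debug_off", ok: d.WP_DEBUG !== true, want: "WP_DEBUG false or unset" },
    { name: "file_editor_disabled", ok: d.DISALLOW_FILE_EDIT === true, want: "DISALLOW_FILE_EDIT true" },
    { name: "revisions_limited", ok: typeof d.WP_POST_REVISIONS === "number" && d.WP_POST_REVISIONS <= 5, want: "WP_POST_REVISIONS <= 5" },
    { name: "trash_days", ok: d.EMPTY_TRASH_DAYS === 7, want: "EMPTY_TRASH_DAYS 7" },
  ];
  return { passed: checks.every((c) => c.ok), failed: checks.filter((c) => !c.ok).map((c) => c.name), checks };
}

const HARDENED_CONFIG = `<?php
${SALT_KEYS.map((k) => `define('${k}', '${k.toLowerCase()}-${"x".repeat(40)}');`).join("\n")}
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('WP_POST_REVISIONS', 5);
define('EMPTY_TRASH_DAYS', 7);`;
const UNHARDENED_CONFIG = `<?php
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);`;
```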

Compliance

Wp Admin helps you maintain compliance with industry security standards and regulations applicable to your website.

Supported Standards

  • OWASP Top 10: All OWASP vulnerabilities addressed through firewall rules and hardening
  • GDPR: Cookie consent management, data export/erasure endpoints, privacy policy templates
  • PCI DSS: Network security requirements for e-commerce sites handling payment data
  • HIPAA: Audit logging, access controls, and encryption for healthcare-related WordPress sites (Enterprise only)
  • SOC 2 Type II: Wp Admin is SOC 2 Type II certified — audit reports available upon request
✅ Compliance Reports: Enterprise customers receive automated compliance reports on a monthly basis, including evidence snapshots, control assessments, and remediation recommendations.

API Endpoints

Manage security settings programmatically using our REST API. All security endpoints require the security:admin scope.

Endpoint               | Method | Description
-----------------------|--------|--------------------------------------------
/v3/security/scan      | POST   | Trigger an on-demand security scan
/v3/security/scan/:id  | GET    | Get scan results by scan ID
/v3/security/firewall  | GET    | Get current firewall configuration
/v3/security/firewall  | PATCH  | Update firewall configuration
/v3/security/threats   | GET    | List recent security threats and incidents
/v3/security/blocklist | POST   | Add IP addresses to blocklist
/v3/security/blocklist | DELETE | Remove IP from blocklist
/v3/security/audit-log | GET    | Retrieve security audit log entries

Example: Triggering a Scan

cURL
curl -X POST https://api.wpadmin.com/v3/security/scan \
  -H "Authorization: Bearer wp_live_sk_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "site_id": "site_xyz789",
    "scan_type": "full",
    "notify": true
  }'

// Response:
// {
//   "scan_id": "scan_9a8b7c",
//   "status": "queued",
//   "estimated_duration": "15-30 minutes",
//   "created_at": "2025-01-15T10:30:00Z"
// }

Security Checklist

Use this checklist to ensure your WordPress site meets our recommended security baseline. Items marked with ✓ are automatically handled by Wp Admin.

🔒 Essential Security Measures

✓ SSL certificate installed and auto-renewing
✓ WordPress core updated to latest stable version
✓ All plugins and themes updated
✓ Web Application Firewall (WAF) active
✓ Malware scanning scheduled (at least daily)
✓ Two-factor authentication enabled for all admins
✓ Automatic backups with off-site storage
✓ Brute force protection active on login page
✓ File permissions hardened (640/750)
✓ XML-RPC disabled unless needed
✓ Unique auth salts configured
✓ Security audit log enabled

💡 Need Help? Our security team is available 24/7 on the Professional and Enterprise plans. For emergency security incidents, use the priority support channel in your dashboard.