# Ultimate Security - WordPress Security Simplified

> Lightweight, privacy-first WordPress security

## Pages

- [Home](https://docs.wpultimatesecurity.com/): Documentation Site for “Ultimate Security” WordPress plugin

## Posts

## Docs

- [General Settings](https://docs.wpultimatesecurity.com/docs/bot-protection/general-settings/): The General Settings allow you to manage how your site handles automated bots by configuring global behavior for your CAPTCHA...
- [Migration](https://docs.wpultimatesecurity.com/docs/maintenance-tools/migration/): Compatibility: Currently, the migration tool is compatible with “Wordfence Login Security.” According to their announcement, the plugin is scheduled...
- [My Devices](https://docs.wpultimatesecurity.com/docs/two-factor-authentication/my-devices/): The My Devices page is your personal security dashboard. It allows you to see every computer, tablet, or phone that...
- [2FA Users & Sessions](https://docs.wpultimatesecurity.com/docs/two-factor-authentication/2fa-users-sessions/): While Two-Factor Authentication (2FA) adds a second layer of protection to user accounts, this dashboard gives you a bird’s-eye view...
- [Trusted Devices](https://docs.wpultimatesecurity.com/docs/two-factor-authentication/trusted-devices/): Trusted Devices allows users to “bookmark” their private devices. Once a device is trusted, the plugin will remember it, and...
- [Preview & Deploy](https://docs.wpultimatesecurity.com/docs/waf-rules/preview-deploy/): The Preview & Deploy screen is the final “control room” for your Web Application Firewall (WAF). This page allows you...
- [Challenge VPN & Login](https://docs.wpultimatesecurity.com/docs/setup-rules/challenge-vpn-login/): The Challenge VPN & Login feature is a powerful layer of your Web Application Firewall (WAF). It is designed to...
- [Challenge Cloud Providers & Countries](https://docs.wpultimatesecurity.com/docs/setup-rules/challenge-cloud-providers-countries/): The Challenge Cloud Providers & Countries feature allows you to apply managed challenges to visitors coming from major cloud provider...
- [Block Web Hosts & TOR](https://docs.wpultimatesecurity.com/docs/setup-rules/block-web-hosts-tor/): The Block Web Hosts & TOR feature allows you to block or challenge traffic coming from known hosting providers, data...
- [Block Crawlers & WP Paths](https://docs.wpultimatesecurity.com/docs/setup-rules/block-crawlers-wp-paths/): The Block Crawlers & WP Paths feature helps protect your WordPress site from aggressive bots, exploit scanners, suspicious crawlers, and...
- [Guidance](https://docs.wpultimatesecurity.com/docs/waf-rules/guidance/): This is the Guidance section, which acts as the “Manual” within the plugin. It explains the logic behind each rule...
- [Live Rules](https://docs.wpultimatesecurity.com/docs/waf-rules/live-rules/): The Live Rules screen allows you to inspect the active security configurations currently protecting your website on the Cloudflare network....
- [Analytics](https://docs.wpultimatesecurity.com/docs/waf-rules/analytics/): The Analytics screen is your high-level overview of how your website is performing and being protected on the Cloudflare network....
- [Allow Good Bots](https://docs.wpultimatesecurity.com/docs/setup-rules/allow-good-bots/): The Allow Good Bots page lets you create a whitelist of trusted bots, crawlers, and third-party services. When enabled, these...
- [Cloudflare Setup](https://docs.wpultimatesecurity.com/docs/waf-rules/cloudflare-setup/): To use the WAF (Web Application Firewall) features, you must first link Ultimate Security with your Cloudflare account. This allows...
- [Overview](https://docs.wpultimatesecurity.com/docs/setup-rules/waf-rules-setup-rules/): The Setup & Rules page is your central “Checklist.” It guides you through configuring seven specific security layers to...
- [Security Wizard](https://docs.wpultimatesecurity.com/docs/security-wizard/security-wizard/): To help you get the best protection for your website, we created a simple Security Setup Wizard. This tool handles...
- [File Integrity](https://docs.wpultimatesecurity.com/docs/dashboard/file-integrity/): This section helps you monitor changes to your WordPress files. It tracks which files have been modified, added, or deleted,...
- [Settings (Scan Configuration)](https://docs.wpultimatesecurity.com/docs/settings-ai-scanner/settings-scan-configuration/): Scan Configuration panel allows you to power your security scans using state-of-the-art Artificial Intelligence. By integrating with the Google Gemini...
- [Overview](https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/overview-2/): Passkeys provide a passwordless authentication solution based on the WebAuthn standard. By using device-based methods such as fingerprints, facial recognition...
- [Passkeys](https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/passkeys/): Managing passwordless authentication at scale requires clear visibility into user adoption. The Passkeys tab allows administrators to monitor, search, and...
- [Settings](https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/settings-2/): Navigation To access the Passkeys settings, navigate to WP Ultimate Security > Passkeys > Settings from your WordPress admin sidebar....
- [Display](https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/display/): Login for WooCommerce This setting integrates passkey authentication directly into your e-commerce storefront. Login for MemberPress This integration is designed...
- [Advanced](https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/advanced/): Managing your security data is essential for maintaining site performance and ensuring a clean audit trail.
The Advanced Maintenance settings...
- [SMS Authentication](https://docs.wpultimatesecurity.com/docs/login-authentication/sms-authentication/): SMS Authentication provides enterprise-grade multi-factor security by sending a 6-digit verification code directly to a user’s mobile device during the...
- [Backup Codes](https://docs.wpultimatesecurity.com/docs/login-authentication/backup-codes/): Backup codes are single-use recovery codes that allow users to bypass the 2FA requirement in emergencies. This feature is essential...
- [Audit Logs](https://docs.wpultimatesecurity.com/docs/login-authentication/audit-logs/): The 2FA Audit Logs module is designed for enterprise-grade security monitoring. It captures every interaction with your two-factor authentication system,...
- [Admin Password Authentication](https://docs.wpultimatesecurity.com/docs/login-hardening/admin-password-authentication/): The Admin Password Authentication feature adds a layer of administrative oversight to your site’s login process. This tool allows high-level...
- [Automations](https://docs.wpultimatesecurity.com/docs/session-management/automations/): The Automations tool within Session Management allows you to perform bulk maintenance on user accounts based on specific security criteria....
- [Active Sessions](https://docs.wpultimatesecurity.com/docs/session-management/active-sessions/): The Active Sessions dashboard provides real-time visibility into every user currently logged into your WordPress site. This monitoring tool is...
- [Create Access Link](https://docs.wpultimatesecurity.com/docs/temporary-access/create-access-link/): The Temporary Access feature allows you to grant secure, time-limited access to your WordPress site for developers, support staff, or...
- [Temporary Access Settings](https://docs.wpultimatesecurity.com/docs/temporary-access/temporary-access-settings/): The Temporary Access feature allows you to grant time-limited access to your WordPress site for developers, support staff, or collaborators....
- [Magic Link Login](https://docs.wpultimatesecurity.com/docs/magic-link-login/magic-link-login/): The Magic Link feature enhances your site’s security by enabling passwordless authentication. Instead of remembering complex passwords, users can log...
- [Login Notifications](https://docs.wpultimatesecurity.com/docs/brute-force-protection/login-notifications/): Stay informed about suspicious activity on your site with real-time alerts and activity summaries. Activity Overview The notification dashboard provides...
- [Locked Users](https://docs.wpultimatesecurity.com/docs/brute-force-protection/locked-users/): The Locked Users dashboard provides a real-time overview of all user accounts currently restricted from logging in due to repeated...
- [Email Blocklist](https://docs.wpultimatesecurity.com/docs/email-blocklist/email-blocklist/): The Email Blocklist feature is designed to prevent unwanted or suspicious users and spam bots from accessing your site. By...
- [AI Malware Scanner Overview](https://docs.wpultimatesecurity.com/docs/ai-scanner/ai-malware-scanner-overview/): The AI Malware Scanner provides advanced, AI-powered security analysis for your WordPress files. Unlike traditional scanners that rely solely on...
- [Compare Scan](https://docs.wpultimatesecurity.com/docs/compare-scans/compare-scan/): The Compare Scan Results feature is a powerful diagnostic tool that allows you to audit changes in your site’s security...
- [Whitelist Manager](https://docs.wpultimatesecurity.com/docs/manage-whitelist/whitelist-manager/): Whitelist Manager allows you to exclude specific files from future security scans. This is particularly useful for handling “False Positives”—legitimate...
- [Activity Logs Dashboard](https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-logs-dashboard/): The activity logs give you a quick overview of what’s been happening on your WordPress site. It shows you important
- [History](https://docs.wpultimatesecurity.com/docs/alerts-notifications/history/): This page shows a record of all security alerts that have been sent from your WordPress site. It’s like a...
- [Alerts & Notifications](https://docs.wpultimatesecurity.com/docs/alerts-notifications/alerts-notifications/): This section helps you manage how you receive security alerts from your WordPress site. Dashboard Navigation Tabs At the top,...
- [Security Incidents](https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/security-incidents/): Security Incidents shows you only the important security-related events on your WordPress site. This tab filters out normal site activity...
- [Activity All Logs](https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-all-logs/): Activity logs help you monitor and analyze security events and user activity on your WordPress site. This feature records everything...
- [Scan History](https://docs.wpultimatesecurity.com/docs/scan-history/scan-history/): The Scan History tab shows you all the security scans you’ve run on your WordPress site. It helps you track...
- [Vulnerability Scanner Dashboard](https://docs.wpultimatesecurity.com/docs/dashboard-vulnerability-scanner/vulnerability-scanner-dashboard/): The Vulnerability Scanner helps you check your WordPress site for security issues in your plugins, themes, and WordPress core. It...
- [Vulnerability Scanner Settings](https://docs.wpultimatesecurity.com/docs/configure-api-key/vulnerability-scanner-settings/): This window helps you configure the scanner.
What You Can Configure: API Configuration: Schedule: Notifications: Buttons:
- [Error Notifications](https://docs.wpultimatesecurity.com/docs/error-notifications/error-notifications/): This page helps you set up how you want to get alerts when something goes wrong with your website. Notification...
- [Site Health](https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/site-health/): The Site Health page is like a doctor’s report for your website. It shows you exactly how your site is...
- [Test Mode](https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/test-mode/): This page helps you test your security settings without actually blocking real users. Enable Test Mode: User Roles: Safety Options:...
- [Comments Management](https://docs.wpultimatesecurity.com/docs/maintenance-tools/comments-management/): Global Comments This section lets you decide where people are allowed to leave comments. Select Post Types If you chose...
- [Backup & Restore](https://docs.wpultimatesecurity.com/docs/maintenance-tools/backup-restore/): Backup Settings This section lets you save your current settings into a file that lives on your computer. Restore Settings...
- [Security Tools](https://docs.wpultimatesecurity.com/docs/maintenance-tools/security-tools/): REST API Methods The REST API uses four main types of messages to manage your website’s data: What the Status...
- [Advanced Settings](https://docs.wpultimatesecurity.com/docs/maintenance-tools/advanced-settings/): Data Management Welcome to the Advanced Settings page of the Ultimate Security plugin. This page contains important technical options that...
- [Database Cleanup](https://docs.wpultimatesecurity.com/docs/maintenance-tools/database-cleanup/): Database Stats At the top, you’ll see four important numbers: Overview Tab This is the main dashboard that shows you:...
- [Self Defense](https://docs.wpultimatesecurity.com/docs/maintenance-tools/self-defense/): This feature keeps your security plugin safe from being turned off by bad people. Enable Self Defense: File Integrity Monitoring...
- [Keyboard Shortcut](https://docs.wpultimatesecurity.com/docs/content-protection/keyboard-shortcut/): Keyboard Shortcut Protection blocks keyboard shortcuts to access developer tools or save your website content. Disable Developer Tools This blocks...
- [Overview](https://docs.wpultimatesecurity.com/docs/login-authentication/overview/): It is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery codes. Navigate...
- [Email OTP](https://docs.wpultimatesecurity.com/docs/login-authentication/email-otp/): This page lets you set up email verification. When turned on, users will get a one-time code in their email...
- [Authentication Apps](https://docs.wpultimatesecurity.com/docs/login-authentication/authentication-apps/): Use this page to set up your Authenticator app. These apps provide the strongest security because they work without internet...
- [Custom Login URL](https://docs.wpultimatesecurity.com/docs/login-authentication/custom-login-url/): This page helps you protect your website by hiding your login page. By changing the address of your login page,...
- [Password Requirements](https://docs.wpultimatesecurity.com/docs/login-authentication/password-requirements/): This setting allows you to set rules for passwords on your website. By enforcing these rules, you make sure that...
- [Settings](https://docs.wpultimatesecurity.com/docs/login-authentication/settings/): The Session Management module gives you total control over active user logins on your website. By hardening your security settings...
- [Google reCAPTCHA](https://docs.wpultimatesecurity.com/docs/bot-protection/google-recaptcha/): This section helps you block bots from spamming your website’s form.
You can choose exactly which default WordPress forms you...
- [Cloudflare Turnstile](https://docs.wpultimatesecurity.com/docs/bot-protection/cloudflare-turnstile/): Cloudflare Turnstile is a smart, privacy-focused alternative to traditional CAPTCHAs. It helps keep bots away from your website forms while...
- [Login Attempts](https://docs.wpultimatesecurity.com/docs/brute-force-protection/login-attempts/): This setting helps you stop automated robots from guessing your password. Login Limit This is the main switch that activates...
- [Lockout Notifications](https://docs.wpultimatesecurity.com/docs/brute-force-protection/lockout-notifications/): Lockout Notifications The switch controls the configuration setting Notification Email Notify On User Lockout Sends an email when someone is...
- [Text Protection](https://docs.wpultimatesecurity.com/docs/content-protection/text-protection/): This feature helps protect the text content on your website from being copied by visitors. Disable Right-Click This stops visitors...
- [Security Hardening](https://docs.wpultimatesecurity.com/docs/security-hardening/security-hardening/): This section helps make your WordPress website more secure by adjusting important security settings. Think of it like adding extra...
- [Update History](https://docs.wpultimatesecurity.com/docs/update-manager/update-history/): This dashboard shows you a record of all updates that have been made to your WordPress website. It helps you...
- [Theme Updates](https://docs.wpultimatesecurity.com/docs/site-hardening/theme-updates/): Themes are the visual designs and layouts of your website – they control how your site looks and feels to...
- [Plugin Updates](https://docs.wpultimatesecurity.com/docs/site-hardening/plugin-updates/): This page helps you control how your website updates itself. Updates are important because they: Plugin Updates Section This specific...
- [API & Data Privacy](https://docs.wpultimatesecurity.com/docs/api-data-privacy/api-data-privacy/): API (Application Programming Interface) privacy helps protect your website by hiding information that WordPress normally shows to the public. Think...
- [WordPress Security Keys](https://docs.wpultimatesecurity.com/docs/security-keys/wordpress-security-keys/): WordPress Security Keys and Salts are cryptographic tokens that secure your site’s authentication cookies and password encryption. This feature helps...
- [Display Settings](https://docs.wpultimatesecurity.com/docs/content-protection/display-settings/): You can customize the message when visitors try to do something that is blocked. Notification Type You can select from...
- [Image Protection](https://docs.wpultimatesecurity.com/docs/content-protection/image-protection/): This helps you stop people from stealing the images on your website. It makes it much harder for visitors to...
- [Content Protection Overview](https://docs.wpultimatesecurity.com/docs/content-protection/content-protection-overview/): Content Protection Overview page helps you protect your website’s content from being copied by visitors. Enable Content Protection This main...
- [Monitoring & Diagnostics](https://docs.wpultimatesecurity.com/docs/how-it-works/monitoring-diagnostics/): Site Health The Site Health page is like a doctor’s report for your website. It shows you exactly how your...
- [Maintenance & Tools](https://docs.wpultimatesecurity.com/docs/how-it-works/maintenance-tools/): Comments Management Global Comments This section lets you decide where people are allowed to leave comments. 2. Select Post Types...
- [Site Hardening](https://docs.wpultimatesecurity.com/docs/how-it-works/site-hardening/): Content Protection Content Protection Overview page helps you protect your website’s content from being copied by visitors. Enable Content Protection...
- [Login & Authentication](https://docs.wpultimatesecurity.com/docs/how-it-works/login-authentication/): Two-Factor Authentication It is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery...
- [Threat Protection](https://docs.wpultimatesecurity.com/docs/how-it-works/threat-protection/): Bot Protection reCAPTCHA Settings This section helps you block bots from spamming your website’s form. It uses a tool from...
- [Installation](https://docs.wpultimatesecurity.com/docs/getting-started/installation/): You can install the plugin in two ways. The easiest way is through the WordPress Dashboard. Method 1: Install via...
- [Dashboard](https://docs.wpultimatesecurity.com/docs/dashboard/dashboard/): Once the plugin is activated, you will see a new menu item in your WP dashboard called Ultimate Security. Click...
- [System Requirements](https://docs.wpultimatesecurity.com/docs/getting-started/system-requirements/): Before installing WP Ultimate Security, please ensure your server meets the following minimum requirements:

# Detailed Content

## Pages

- Published: 2026-01-26
- Modified: 2026-03-01
- URL: https://docs.wpultimatesecurity.com/

Documentation Site for "Ultimate Security" WordPress plugin

## Posts

## Docs

- Published: 2026-06-18
- Modified: 2026-06-18
- URL: https://docs.wpultimatesecurity.com/docs/bot-protection/general-settings/
- Docs Categories: Bot Protection, Threat Protection

The General Settings allow you to manage how your site handles automated bots by configuring global behavior for your CAPTCHA providers. These settings ensure that your chosen security measures work together smoothly without interfering with your forms.
To configure the settings, navigate to Ultimate Security > Settings > Threat Protection > Bot Protection > General Settings.

### What It Does

This section provides an overview of your active security status and offers tools to manage conflicts when using multiple bot protection services simultaneously.

- Bot Protection Status: This informative section displays the current status of both Google reCAPTCHA and Cloudflare Turnstile, so you can see at a glance which of your forms they are protecting.
- No-Conflict Mode: This feature enables priority-based loading of CAPTCHA scripts. When a form is protected by both reCAPTCHA and Turnstile, the provider set in the CAPTCHA Priority setting will load its script and protect the form, while the other provider will be disabled on that form to prevent conflicts.
- CAPTCHA Priority: This setting gives you control over which provider takes priority. When both reCAPTCHA and Turnstile are enabled for the same form, the provider you select here will be used, and the other will be skipped.

### How to Use It

By enabling No-Conflict Mode and selecting your preferred CAPTCHA Priority, WordPress Ultimate Security ensures only one provider stays active for a smooth, secure user experience.

- Enable No-Conflict Mode: Locate the No-Conflict Mode toggle and switch it to the ON position if you intend to use both protection services on your site.
- Set CAPTCHA Priority: Under the CAPTCHA Priority section, select your preferred provider. Choose Turnstile if you want Cloudflare to take the lead when both services cover the same form. Choose reCAPTCHA if you prefer Google’s service to take priority.
- Save Your Settings: Once you have adjusted your preferences, click the Save Changes button at the bottom of the page to apply them. If you change your mind, click Discard Changes to revert to your previous configuration.
- Published: 2026-06-15
- Modified: 2026-06-15
- URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/migration/
- Docs Categories: Maintenance & Tools

Compatibility: Currently, the migration tool is compatible with "Wordfence Login Security." According to their announcement, the plugin is scheduled to be discontinued on or around July 1, 2026. If you are looking for an alternative choice, try Ultimate Security. We are actively working on expanding this list, and support for more security plugins will be added in future updates.

The Migration tool allows you to safely move your compatible 2FA and login protection settings from another security plugin directly into Ultimate Security. Currently, Ultimate Security is compatible. This feature ensures a smooth transition while keeping your current security configuration intact.

Navigate to Ultimate Security > Maintenance & Tools > Migration.

### How it Works

The migration process is designed to be safe and non-destructive:

- Read-Only: The plugin only reads your existing data; it never modifies or deletes your source data.
- Snapshot: A snapshot of your settings is taken before any changes are made, allowing you to roll back if necessary.
- Safe Skipping: Users already using Ultimate Security 2FA are left untouched.

### Migration Steps

#### 1. Detect

The plugin will automatically scan your WordPress installation for compatible security data. You will see a "Detection checklist" confirming that the necessary tables and files have been found. Click the Continue to Preview button to proceed.

#### 2. Preview

In this step, the plugin provides a summary of the migration:

- Will be migrated: Displays the number of users with 2FA and any detected reCAPTCHA settings.
- Will be skipped: Lists any entries that cannot be migrated.
- Important Notes: Review the system notes regarding specific settings that may not be migrated due to differences in plugin functionality.

#### 3. Start Migration

When you are ready, click the Start Migration button.
A confirmation pop-up will appear reiterating that a snapshot will be taken first. Click Start Migration again to finalize the process.

#### 4. Migration Success

Once finished, you will see a success message. Important: Before deactivating your old security plugin, follow these manual steps:

- Test a login using a migrated administrator account.
- Ask users to regenerate their backup codes.
- Review reCAPTCHA behavior on your login and registration forms.
- Deactivate the old security plugin only after verifying that all logins work as expected.

### Rollback

If you encounter any issues after the migration, you can revert your changes to the pre-migration state. On the Migration screen, click Rollback This Migration. A confirmation modal will appear, explaining that this will restore your settings as they were captured before the migration. Click Rollback to confirm. The system will restore your settings and provide a success notification once complete. Your original source plugin data remains unchanged throughout this process.

If you encounter any difficulties during the process, our support team is available to assist you in securing your site seamlessly.

- Published: 2026-05-12
- Modified: 2026-05-12
- URL: https://docs.wpultimatesecurity.com/docs/two-factor-authentication/my-devices/
- Docs Categories: Two-Factor Authentication

The My Devices page is your personal security dashboard. It allows you to see every computer, tablet, or phone that you have authorized to skip the Two-Factor Authentication (2FA) step. This gives you control over your own account security, allowing you to spot and remove any device you don't recognize quickly.

### Overview

At the top of the page, you can see a summary of your current trust status:

- Active Devices: Shows how many of your devices are currently recognized by the system.
- Maximum Allowed: Displays the limit set by the site administrator.
- Trust Duration: Shows how long a device stays "trusted" before you need to verify with 2FA again.

### Managing Your Devices

In the Your Devices table, you can monitor the specific details of your authorized access points:

- Device Info: Identifies the type of device or browser used.
- IP Address: Shows the network location from which the device last accessed the site.
- Last Used & Expires: Tells you exactly when the device was last active and the date its "trusted" status will automatically expire.
- Actions: If you lose a device or use a public computer by mistake, you can use the Actions menu to "Revoke" access immediately.

Always check this list occasionally to ensure only your current devices are active. If you see a device or an IP address that doesn't look familiar, click the Actions button to remove it and then change your password just to be safe. At the bottom, click Save Changes to apply.

- Published: 2026-05-12
- Modified: 2026-05-12
- URL: https://docs.wpultimatesecurity.com/docs/two-factor-authentication/2fa-users-sessions/
- Docs Categories: Two-Factor Authentication

While Two-Factor Authentication (2FA) adds a second layer of protection to user accounts, this dashboard gives you a bird's-eye view of that security. It allows you to see who has enabled 2FA, which devices they are using, and most importantly, to terminate active sessions if you suspect an account has been compromised.

### Session Tracking

At the top of the page, you will find a real-time summary of user activity:

- Active Sessions: The total number of people currently logged into your website.
- Active Users: How many unique individuals are currently browsing.
- Unique Devices: The number of different computers or phones used to access the site.
- Expiring Today: Sessions that are scheduled to automatically log out soon based on your security settings.
### 2FA Users

This section provides a detailed list of every registered user on your site (Administrators, Editors, Customers, etc.).

- 2FA Type: See at a glance which method a user is using (e.g., Email OTP, Authenticator App, or Not Set).
- Activity Monitoring: Track the number of active sessions and devices per user, as well as their last activity timestamp.
- Bulk Actions: You can search for specific users or use the "Delete all 2FA" button to reset 2FA configurations for everyone in case of a site-wide security update.

### Session Maintenance

This is a tool for maintaining the site users. If you need to log everyone out immediately, use the Session Maintenance tools at the bottom:

- Clean Up Expired: Removes old session data from your database to keep your site running fast.
- Revoke All Active: Instantly logs out every single user. They will be forced to log in again and pass their 2FA check.
- Delete All Sessions: Clears all session records entirely.

- Published: 2026-05-12
- Modified: 2026-05-12
- URL: https://docs.wpultimatesecurity.com/docs/two-factor-authentication/trusted-devices/
- Docs Categories: Two-Factor Authentication

Trusted Devices allows users to "bookmark" their private devices. Once a device is trusted, the plugin will remember it, and the user won't be asked for a 2FA code on that specific device for a set period.

### Configuration Settings

As an administrator, you can control exactly how "trust" works on your site:

- Enable Trusted Devices: Use this toggle to turn the feature on or off site-wide.
- Trust Duration: Decide how long a device remains "trusted" before the user has to enter a 2FA code again (The recommended setting is 30 days).
- Maximum Devices Per User: To keep security tight, you can limit how many trusted devices one person can have (The recommended limit is 5 devices).
- New Device Notifications: When enabled, the plugin will send an email alert whenever a new device is added to a user's trusted list.
This is a vital security measure to alert users if someone else has accessed their account.
- Show Remember Checkbox: This adds a "Remember this device" checkbox directly on the 2FA verification page for your users.

### Statistics

A quick-glance dashboard shows you the health of your trusted device ecosystem:

- Total/Active: See how many devices are currently recognized.
- Users: The number of unique members currently utilizing this feature.
- Revoked/Expired: Tracks how many devices have had their trust removed or have naturally timed out.

### All Trusted Devices

This section lists every trusted device across your entire site. You can see the Device type, the User it belongs to, their IP Address, and when it was Last Used.

- Cleanup: Use this button to manually remove old or expired device data.
- Actions: Administrators have the power to manually "Revoke" any device at any time if a security risk is suspected.

Don't forget to click "Save Changes" after adjusting these settings.

- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/waf-rules/preview-deploy/
- Docs Categories: WAF Rules

The Preview & Deploy screen is the final "control room" for your Web Application Firewall (WAF). This page allows you to review the technical rules generated by your settings before they are sent to Cloudflare. It ensures that you have full visibility into how your site is being protected.

### Generated Rule Expressions

The plugin automatically converts your simple "On/Off" toggles into complex code called Wirefilter expressions. These are the instructions Cloudflare uses to filter your traffic. You cannot edit the code directly here. To change these rules, you must go back to the specific Setup & Rules sections. If you just made changes in another tab, click the Refresh Expressions button to load the most recent version of your rules.

### Rule Breakdown

You will see several boxes, each representing a specific layer of defense.
Each box shows the Action (Skip, Block, or Managed Challenge) and a summary of what is included: Allow Good Bots: Usually set to SKIP. This ensures that search engines like Google and Bing can still crawl your site without getting blocked. Block Aggressive Crawlers & WP Paths: Set to BLOCK. This stops "bad" bots and protects sensitive WordPress files from being poked by hackers. Block Web Hosts & TOR: Set to BLOCK. This prevents traffic from known data centers or anonymous TOR networks, which are frequently used for attacks. Challenge Large Providers / Country: Set to MANAGED CHALLENGE. This forces visitors from specific regions or cloud providers to pass a security check. Challenge VPN & wp-login: Set to MANAGED CHALLENGE. This specifically targets VPN users trying to reach your login page. Each rule box has a Copy button. If you ever need to contact support or manually check a rule in your Cloudflare dashboard, you can quickly copy the expression to your clipboard. Deploy to Cloudflare After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare. Deploy Rules: Pushes your saved settings to Cloudflare and activates them livePreview Rules: Shows you the exact rule expressions that will be generated. Review before deployingRemove Plugin Rules: Removes all WAF rules created by this plugin from CloudflareZone Selector: Choose which Cloudflare domain (zone) to deploy to. How Deployment Works From the Plugin: Save your WAF settings first using the Save Changes button at the bottom of the page Select the Cloudflare zone you want to protect Preview Rules shows the current draft output, including source tags for each generated rule Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules The plugin only manages its own rules. It won't delete or overwrite any rules you created manually in Cloudflare. 
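To make the Generated Rule Expressions step concrete, here is an added sketch (not the plugin's code or its actual output) of how toggles like these could map to Cloudflare Rules language expressions, with the Skip rule placed first. The ASNs are the ones listed in this documentation; the settings keys, function names, expression shapes and the login-path allowlist are assumptions.

```python
"""Illustrative toggle-to-expression builder (added example, not plugin code)."""
import re

# ASNs exactly as listed in this documentation.
CLOUD_ASNS = {"aws": [16509, 14618, 7224], "google_cloud": [15169, 396982],
              "azure": [8075]}
HOST_ASNS = {"digitalocean": [14061], "linode": [63949], "vultr": [20473],
             "hetzner": [24940, 213230]}

# Assumed policy: a conservative allowlist for the user-supplied login path.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]{1,100}$")


def asn_set(table, enabled):
    """Inline set such as {8075 16509}; sorted so output is stable for diffing."""
    asns = sorted({asn for name in enabled for asn in table[name]})
    return "{" + " ".join(map(str, asns)) + "}"


def string_set(values):
    """Inline set of quoted strings; refuses characters that end a literal."""
    for value in values:
        if '"' in value or "\\" in value:
            raise ValueError("unsafe literal: %r" % value)
    return "{" + " ".join('"%s"' % v for v in sorted(values)) + "}"


def login_path_clause(path):
    """Embed a login path only if it cannot break out of the quoted string."""
    if not SAFE_PATH.match(path) or ".." in path:
        raise ValueError("unsafe login path: %r" % path)
    return '(http.request.uri.path contains "%s")' % path


def build_rules(settings):
    """Return rules in evaluation order: Skip first, then Block, then Challenge."""
    rules = []
    if settings.get("good_bot_categories"):
        rules.append({
            "action": "skip",
            "description": "Allow Good Bots",
            "expression": "(cf.verified_bot_category in %s)"
                          % string_set(settings["good_bot_categories"]),
        })

    host_parts = []
    if settings.get("block_hosts"):
        host_parts.append("(ip.src.asnum in %s)"
                          % asn_set(HOST_ASNS, settings["block_hosts"]))
    if settings.get("block_tor"):
        host_parts.append('(ip.src.country eq "T1")')  # T1: Cloudflare's Tor code
    if host_parts:
        rules.append({"action": "block", "description": "Block Web Hosts & TOR",
                      "expression": " or ".join(host_parts)})

    challenge_parts = []
    if settings.get("challenge_clouds"):
        challenge_parts.append("(ip.src.asnum in %s)"
                               % asn_set(CLOUD_ASNS, settings["challenge_clouds"]))
    if settings.get("allowed_countries"):
        challenge_parts.append("(not ip.src.country in %s)"
                               % string_set(settings["allowed_countries"]))
    if challenge_parts:
        rules.append({"action": "managed_challenge",
                      "description": "Challenge Large Providers / Country",
                      "expression": " or ".join(challenge_parts)})

    # VPN provider ASNs are not listed on this page, so only the paths are shown.
    paths = ["/wp-login.php"] if settings.get("protect_wp_login") else []
    if settings.get("custom_login_path"):
        paths.append(settings["custom_login_path"])
    if paths:
        rules.append({"action": "managed_challenge",
                      "description": "Challenge VPN & wp-login",
                      "expression": " or ".join(login_path_clause(p) for p in paths)})
    return rules


if __name__ == "__main__":
    demo = {"good_bot_categories": ["Search Engine Crawler"],
            "block_hosts": ["hetzner"], "block_tor": True,
            "challenge_clouds": ["aws"], "allowed_countries": ["US"],
            "protect_wp_login": True}
    for rule in build_rules(demo):
        print("%-18s %s" % (rule["action"], rule["expression"]))
```

Comparing output like this against what the Preview Rules screen shows is a quick way to confirm that a toggle change produced the expression you expected before you deploy.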
- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/setup-rules/challenge-vpn-login/
- Docs Categories: Setup Rules

The Challenge VPN & Login feature is a powerful layer of your Web Application Firewall (WAF). It is designed to stop bots and malicious actors who use Virtual Private Networks (VPNs) to hide their identity while attempting to attack your WordPress login page. By enabling this, you require visitors using known VPN services to pass a "challenge" (like a CAPTCHA or a browser verification) before they can access sensitive areas of your site.

### Enable Challenge VPN Connections & wp-login

This activates the entire VPN and login protection system. If this is off, none of the settings below will take effect. Toggle the Enable switch to turn the protection on. Once active, it monitors traffic from known VPN providers and applies security checks to anyone trying to reach your login page.

### VPN Providers Section

When this is toggled ON, the plugin will automatically challenge traffic from all major providers. If you want to allow some VPNs but block others, turn off the "Challenge All" toggle and manually select the providers listed.

Available VPNs: NordVPN, ExpressVPN, PureVPN, Surfshark, IPVanish, QuadraNet, OVH France, Mullvad VPN, Private Layer

### Protected Paths

- WordPress Login (wp-login.php): This is the default WordPress login page. When enabled, anyone trying to access wp-login.php will be challenged.

### Custom Login URL Section

Protects a custom login URL if you have changed it from the default wp-login.php. Ultimate Security itself lets you rename your login page to something like /my-secret-login/ instead of /wp-login.php. This hides your login page from casual attackers. If you have done this, you need to tell the WAF to protect that custom URL too.

- Text field: Enter your custom login path in the placeholder.

### Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

- Deploy Rules: Pushes your saved settings to Cloudflare and activates them live
- Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying
- Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare
- Zone Selector: Choose which Cloudflare domain (zone) to deploy to.

### How Deployment Works

From the Plugin:

- Save your WAF settings first using the Save Changes button at the bottom of the page
- Select the Cloudflare zone you want to protect
- Preview Rules shows the current draft output, including source tags for each generated rule
- Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won't delete or overwrite any rules you created manually in Cloudflare.

- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/setup-rules/challenge-cloud-providers-countries/
- Docs Categories: Setup Rules

The Challenge Cloud Providers & Countries feature allows you to apply managed challenges to visitors coming from major cloud provider networks or from countries outside your target audience.

### Enable Challenge Large Providers / Country

Enable this option to activate challenge protection for cloud providers and country-based traffic filtering. Once enabled, Ultimate Security will apply managed challenge rules based on the selected configuration.

Use these buttons to quickly enable or disable all provider challenge rules.

### Cloud Providers

This section allows you to challenge requests coming from major cloud hosting providers and infrastructure networks. These providers are commonly used for automated traffic, scraping, and attack activity.

Available Options:

- Amazon AWS (16509, 14618, 7224): Challenges traffic from Amazon AWS, where many automated attacks originate.
- Google Cloud (15169, 396982): Challenges traffic from Google Cloud, which is frequently used for automated credential stuffing.
- Microsoft Azure (8075): Challenges traffic from Microsoft Azure, a common source of cloud-hosted bot attacks.

### Country Restriction

This section allows you to challenge visitors whose IP addresses are located outside your selected target countries. When you enable this setting, an Allowed Countries option appears where you list the country names.

Available Option:

- Challenge visitors from outside your selected countries: Issues a managed challenge to visitors outside your selected countries. Best for geographically limited audiences.

### Allowed Countries

Visitors outside the selected countries will receive a managed challenge.

### Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

- Deploy Rules: Pushes your saved settings to Cloudflare and activates them live
- Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying
- Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare
- Zone Selector: Choose which Cloudflare domain (zone) to deploy to.

### How Deployment Works

From the Plugin:

- Save your WAF settings first using the Save Changes button at the bottom of the page
- Select the Cloudflare zone you want to protect
- Preview Rules shows the current draft output, including source tags for each generated rule
- Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won't delete or overwrite any rules you created manually in Cloudflare.

- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/setup-rules/block-web-hosts-tor/
- Docs Categories: Setup Rules

The Block Web Hosts & TOR feature allows you to block or challenge traffic coming from known hosting providers, data centers, cloud networks, and TOR exit nodes.
This feature helps reduce the following:

- automated attacks
- bot traffic
- proxy-based abuse
- fake registrations
- spam requests
- suspicious login attempts

Most malicious traffic targeting WordPress websites originates from cloud hosting providers, VPS services, or anonymous proxy networks. This module helps filter that traffic before it reaches your website.

### Enable Block or Challenge Web Hosts / TOR

Enable this option to activate protection against traffic originating from hosting providers and TOR exit nodes. Once enabled, Ultimate Security will apply the selected ASN-based filtering rules.

The settings have an Enable All and Disable All button for quick bulk control, plus individual toggles for each service.

### Web Hosting Providers (ASN-based)

This section allows you to block or challenge requests coming from known hosting providers and cloud infrastructure networks. These rules work using ASN (Autonomous System Number) detection.

Available Options:

- DigitalOcean: Blocks traffic from DigitalOcean (ASN 14061), a common source of automated bot traffic.
- Linode (Akamai): Blocks traffic from Linode/Akamai Connected Cloud (ASN 63949).
- Vultr: Blocks traffic from Vultr (ASN 20473), often seen in scraping and brute-force activity.
- Hetzner: Blocks traffic from Hetzner (ASNs 24940 and 213230), a frequent attack source.
- OVH: Blocks traffic from OVH/OVHcloud, a large hosting network that often produces bot traffic.
- Contabo: Blocks traffic from Contabo, a budget provider frequently used for scraping and spam.
- Scaleway: Blocks traffic from Scaleway, a cloud provider sometimes used for automated attacks.
- DreamHost: Blocks traffic from DreamHost where compromised accounts can run attack scripts.
- M247: Blocks traffic from M247/DataCamp, a major data center network frequently seen in bot traffic.
- LeaseWeb: Blocks traffic from LeaseWeb. Useful against bots, but may affect some legitimate services.
- GoDaddy: Blocks traffic from GoDaddy hosting. Useful, but may cause false positives for some services.
- Alibaba: Blocks traffic from Alibaba Cloud, a common source of automated scanning from Asia.
- HostRoyale: Blocks traffic from HostRoyale, an offshore host frequently associated with malicious traffic.
- Cloudvider: Blocks traffic from Cloudvider, an infrastructure provider sometimes associated with bot networks.
- Block TOR Exit Nodes: Blocks traffic from TOR exit nodes. Strong protection, but it may block privacy-conscious visitors.

### Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

- Deploy Rules: Pushes your saved settings to Cloudflare and activates them live
- Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying
- Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare
- Zone Selector: Choose which Cloudflare domain (zone) to deploy to.

### How Deployment Works

From the Plugin:

- Save your WAF settings first using the Save Changes button at the bottom of the page
- Select the Cloudflare zone you want to protect
- Preview Rules shows the current draft output, including source tags for each generated rule
- Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won't delete or overwrite any rules you created manually in Cloudflare.

- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/setup-rules/block-crawlers-wp-paths/
- Docs Categories: Setup Rules

The Block Crawlers & WP Paths feature helps protect your WordPress site from aggressive bots, exploit scanners, suspicious crawlers, and requests targeting sensitive WordPress files. It runs before blocking rules so good bots are never caught by them.

### Enable Block Aggressive Crawlers & WP Paths

Turn on the main toggle to activate this protection module. Once enabled, Ultimate Security will start applying the selected crawler and path protection rules.

The settings have an Enable All and Disable All button for quick bulk control, plus individual toggles for each service.

### Aggressive Crawlers

This section blocks known crawlers and bots that may heavily scan your website, consume bandwidth, or collect data aggressively.

Available Rules:

- Yandex: Safe to block unless you target Russian-speaking audiences.
- Sogou: Safe to block unless you target Chinese-speaking audiences.
- SEMrush: If you use SEMrush, allow it in Allow Good Bots instead.
- Ahrefs: If you use Ahrefs, allow it in Allow Good Bots instead.
- Baidu: Safe to block unless you need Chinese search visibility.
- Neevabot: Safe to block because the service is no longer operational.

### Generic Bot Patterns

This section blocks suspicious requests that match common bot-related patterns.

Available Rules:

- Python Requests: Blocks requests using the python-requests user agent. Most legitimate services use custom agents.
- Generic "crawl" in User-Agent: Blocks user agents containing "crawl" except verified Cloudflare bots.
- Generic "bot" in User-Agent: Blocks user agents containing "bot" except verified Cloudflare bots. Monitor for false positives.
- Generic "spider" in User-Agent: Blocks user agents containing "spider" except verified Cloudflare bots.

### Exploit Scanners

This section blocks well-known vulnerability scanners and penetration testing tools commonly used by attackers.

Available Rules:

- Nikto: Blocks the Nikto vulnerability scanner.
- SQLMap: Blocks SQL injection testing tools.
- Masscan: Blocks Masscan network scanning requests.
- Nmap: Blocks requests related to the Nmap scanner.

### WordPress Path Protection

This section protects sensitive WordPress files and endpoints that attackers frequently target.

Available Rules:

- Block XML-RPC: Blocks access to the XML-RPC endpoint. Helps prevent brute-force attacks and pingback abuse.
- Block wp-config: Blocks attempts to access the wp-config.php file.
- Block WP-JSON (REST API): Restricts access to the WordPress REST API endpoint.
- Block install.php: Blocks install.php to reduce the risk of reinstallation exposure on production sites.
- Block WLW Manifest: Blocks wlwmanifest.xml, which mostly exposes WordPress metadata. Safe to block.
- Block readme.html: Blocks readme.html, which can reveal your WordPress version.
- Block license.txt: Blocks license.txt to reduce WordPress fingerprinting and information disclosure.

### Attack Patterns

This section blocks requests commonly associated with advanced attack techniques.

Available Rules:

- Time-delay / Blind SQLi Primitives: Blocks time-based blind SQL injection payloads like pg_sleep and waitfor delay.
- Encoded Path Traversal / LFI: Blocks URL-encoded path traversal attempts like ../etc/passwd and similar LFI probes.

Enable both protections for improved WAF coverage.

### Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

- Deploy Rules: Pushes your saved settings to Cloudflare and activates them live
- Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying
- Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare
- Zone Selector: Choose which Cloudflare domain (zone) to deploy to.

### How Deployment Works

From the Plugin:

- Save your WAF settings first using the Save Changes button at the bottom of the page
- Select the Cloudflare zone you want to protect
- Preview Rules shows the current draft output, including source tags for each generated rule
- Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won't delete or overwrite any rules you created manually in Cloudflare.
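To estimate false positives before enabling the generic User-Agent and path rules described on this page, the following added example (not plugin code) dry-runs an approximation of those rules over access-log samples. The substring matching is an assumption based on the rule descriptions above, the rule names are hypothetical, and the sample requests are constructed.

```python
"""Dry run of the crawler/path rules over access-log samples (added example)."""
from urllib.parse import unquote

# Rule name -> lowercase substring, following the rule descriptions on this page.
UA_RULES = {
    "python-requests": "python-requests",
    "generic-crawl": "crawl",
    "generic-bot": "bot",
    "generic-spider": "spider",
    "nikto": "nikto",
    "sqlmap": "sqlmap",
    "masscan": "masscan",
    "nmap": "nmap",
}
GENERIC = {"generic-crawl", "generic-bot", "generic-spider"}  # exempt verified bots
PATH_RULES = {
    "xmlrpc": "/xmlrpc.php",
    "wp-config": "wp-config.php",
    "wp-json": "/wp-json",
    "install": "install.php",
    "wlwmanifest": "wlwmanifest.xml",
    "readme": "/readme.html",
    "license": "/license.txt",
}
SQLI_TIME = ("pg_sleep", "waitfor delay")

# Constructed sample requests; "verified_bot" stands in for Cloudflare's verdict.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = [
    {"ua": "Mozilla/5.0 (compatible; Googlebot/2.1)", "uri": "/", "verified_bot": True},
    {"ua": "AcmeUptimeBot/1.0", "uri": "/health", "verified_bot": False},
    {"ua": "python-requests/2.31.0", "uri": "/wp-json/wp/v2/posts", "verified_bot": False},
    {"ua": BROWSER, "uri": "/xmlrpc.php", "verified_bot": False},
    {"ua": BROWSER, "uri": "/?file=%252e%252e%252fetc%252fpasswd", "verified_bot": False},
    {"ua": BROWSER, "uri": "/?q=1%20WAITFOR%20DELAY", "verified_bot": False},
]


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded to stay finite."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def matched_rules(req, enabled):
    """Return the names of enabled rules that this request would trigger."""
    ua = req["ua"].lower()
    uri = decode_fully(req["uri"]).lower()
    hits = []
    for name, needle in UA_RULES.items():
        if name not in enabled or needle not in ua:
            continue
        if name in GENERIC and req.get("verified_bot"):
            continue  # generic patterns do not apply to verified bots
        hits.append(name)
    for name, needle in PATH_RULES.items():
        if name in enabled and needle in uri:
            hits.append(name)
    if "sqli-time" in enabled and any(p in uri for p in SQLI_TIME):
        hits.append("sqli-time")
    if "traversal" in enabled and "../" in uri:
        hits.append("traversal")
    return hits


def dry_run(requests, enabled):
    """Group would-be-blocked requests by rule so each hit can be reviewed."""
    report = {}
    for req in requests:
        for rule in matched_rules(req, enabled):
            report.setdefault(rule, []).append(req["ua"] + " " + req["uri"])
    return report


if __name__ == "__main__":
    toggles = {"generic-bot", "python-requests", "xmlrpc", "wp-json",
               "traversal", "sqli-time"}
    for rule, entries in sorted(dry_run(SAMPLE, toggles).items()):
        print(rule, "->", entries)
```

In the constructed sample, the unverified in-house monitor `AcmeUptimeBot` is caught by the generic "bot" rule while the verified crawler is not, which is the kind of hit the "Monitor for false positives" note refers to.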
- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/waf-rules/guidance/
- Docs Categories: WAF Rules

This is the Guidance section, which acts as the "Manual" within the plugin. It explains the logic behind each rule group so you can understand the operational impact of your security settings.

### Allow Good Bots

The Allow Good Bots rule is arguably the most important part of your firewall setup.

#### Purpose

This rule ensures that legitimate bots such as search engine crawlers and monitoring services can access your site without restrictions or challenges by using Cloudflare’s Skip action. It must be Rule #1 so verified bots are whitelisted before any blocking or challenge rules run.

#### Key Benefits

- Ensures your site is properly indexed by search engines (Google, Bing, etc.)
- Allows monitoring tools to verify your site's uptime and performance
- Prevents disruptions to services that rely on API access
- Improves SEO by ensuring search engines can crawl your content efficiently
- Enables social media platforms to generate preview cards when your site is shared

#### Important Considerations

- The Skip action is automatically configured via API when you deploy; no manual Cloudflare dashboard setup is needed.
- Be selective about which bot categories you allow if you have bandwidth or performance concerns.
- If a bot you need is being blocked by other rules, enable it here to ensure it has unrestricted access.

#### Recommendation

Select only the Cloudflare verified bot categories you know you need. Always enable logging for proper testing and auditing.

### Block Aggressive Crawlers & WP Paths

While "Good Bots" are welcomed, the internet is full of "Bad Bots" that can slow down your site or look for security holes. This rule acts as your site’s security guard, specifically watching for aggressive behavior and protecting your most sensitive "private rooms."

#### Purpose

This rule targets bots that consume excessive resources or crawl your site too aggressively and protects sensitive WordPress paths from unauthorized access. It uses User-Agent matching and URI pattern detection to identify bad actors.

#### Key Benefits

- Reduces server load from aggressive crawlers that do not respect crawl limits
- Prevents bandwidth consumption from unauthorized SEO tools
- Blocks common penetration testing tools (Nikto, SQLMap, Masscan, Nmap)
- Protects sensitive WordPress paths (xmlrpc, wp-config, wp-json, install.php)
- Hides WordPress version info by blocking readme.html and license.txt
- Prevents XML-RPC amplification attacks and brute force attempts

#### Important Considerations

- If you use SEO tools like Ahrefs or SEMrush, allow them in Rule #1 before blocking here.
- If you use the WordPress REST API (wp-json), do not enable that path protection.
- Some WordPress plugins or mobile apps may require XML-RPC access.
- Monitor your event logs after implementing this rule because some legitimate bots may be caught.

#### Recommendation

Start with blocking generic unverified crawlers and bots first. For WordPress paths, enable xmlrpc and wlwmanifest blocking by default, and only enable wp-json blocking if you don’t use the REST API.

### Block or Challenge Web Hosts / TOR

Most regular visitors access your website through a standard Internet Service Provider (ISP) like Comcast or local mobile networks. However, malicious scripts and automated "attack bots" usually run from Web Hosting Providers (data centers) or the anonymous TOR network. This rule allows you to filter this high-risk traffic.

#### Purpose

This rule manages traffic from common web hosting providers and TOR exit nodes, which are frequently sources of automated attacks and malicious scripts. You can choose to block them entirely or use Managed Challenge to allow legitimate visitors through.

#### Key Benefits

- Blocks or challenges automated attacks from web hosting providers where malicious scripts often run
- Prevents TOR-based attacks while optionally allowing legitimate TOR users
- Reduces fraudulent transactions and spam registrations
- Helps prevent credential stuffing attacks
- Flexible: use Block for maximum security or Managed Challenge when legitimate proxy users matter

#### Important Considerations

- Some legitimate visitors may use TOR for privacy reasons
- Corporate traffic sometimes routes through cloud providers or proxies
- External services you use may be hosted on blocked ASNs; allowlist them in Rule #1 if needed.
- Monitor WAF events after deployment to check for false positives.

#### Recommendation

Start with Block action for maximum security. If you see false positives or need to allow legitimate proxy connections, switch to Managed Challenge. It still blocks automated attacks while letting real humans through after a quick challenge.

### Challenge Large Providers / Country

Even if a bot isn't "aggressive," it might still be running on a professional server. This rule allows you to put a "security checkpoint" in front of traffic coming from the world's biggest cloud companies and from countries outside your target market.

#### Purpose

This rule adds security by challenging traffic from cloud provider IP ranges (AWS, Google Cloud, Azure) where many automated attacks originate, and optionally challenges visitors from outside your target country audience.

#### Key Benefits

- Reduces automated attacks that often originate from cloud providers
- Helps prevent credential stuffing and brute force attempts
- Can limit spam and bot registrations from contact forms
- Adds geographic protection if your site only serves specific countries
- Uses Managed Challenge so legitimate visitors can usually pass through transparently

#### Important Considerations

- If you target a multi-national audience, leave the country option unchecked.
- Corporate traffic and remote workers sometimes route through cloud providers.
- API integrations with third-party services might be affected if they use these ASNs.
- The country picker becomes available below the rule card when the country option is enabled.

#### Recommendation

Managed Challenge is barely invasive to humans but very effective against bots. Check all cloud provider options to start. Only enable the country restriction if your site serves a specific geographic audience.

### Challenge VPN Connections & wp-login

The WordPress login page (wp-login.php) is the most targeted "door" on your website. This rule adds a sophisticated security checkpoint to that door, specifically focusing on traffic coming from VPN providers, which attackers often use to hide their true location.

#### Purpose

This rule protects WordPress login paths from unauthorized access and adds security against connections coming through VPN providers, which are frequently used for manual and automated attacks against WordPress sites.

#### Key Benefits

- Prevents most brute force attacks and credential stuffing on wp-login.php
- Blocks automated attacks targeting WordPress vulnerabilities
- Adds security against attacks originating from VPN services
- The Managed Challenge is transparent to real humans but stops automated scripts

#### Important Considerations

- Legitimate visitors may use VPNs, so monitor the Challenge Solve Rate after deployment.
- For higher security, consider using a Cloudflare Configuration Rule to set "I'm Under Attack" mode on wp-login.php.
- For the highest security, use Cloudflare Access to protect wp-login.php and wp-admin instead.

#### Recommendation

Enable wp-login.php protection and select all VPN providers. This is one of the most impactful rules for WordPress security and won't noticeably disrupt legitimate users.
- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/waf-rules/live-rules/
- Docs Categories: WAF Rules

The Live Rules screen allows you to inspect the active security configurations currently protecting your website on the Cloudflare network. While other screens show you what will be deployed, this screen confirms exactly what is currently standing guard at your site's "front door."

### Live Zone WAF Rules

This section acts as a real-time monitor for your Web Application Firewall (WAF).

- Cloudflare Connection Status: A green bar confirms that your WordPress site is successfully communicating with Cloudflare. You must have a solid connection here to load or manage rules.
- Live Zone WAF Rules: This is the main inspection area where you can view the actual code running on Cloudflare's servers.

Use the dropdown menu labeled "Select a zone to inspect" to choose your domain. Click the purple Load Rules button. The plugin will fetch the live data from Cloudflare and display the active rules in the window below.

Because a single Cloudflare account can manage multiple websites (zones), you need to specify which one you want to look at.

Click Save Changes or Discard to apply settings.

- Published: 2026-05-11
- Modified: 2026-05-11
- URL: https://docs.wpultimatesecurity.com/docs/waf-rules/analytics/
- Docs Categories: WAF Rules

The Analytics screen is your high-level overview of how your website is performing and being protected on the Cloudflare network. It provides data-driven insights into your traffic volume, security threats, and server efficiency.

### Zone Analytics

Before you can view your data, the plugin needs to pull the latest metrics from Cloudflare.

- Ensure the green status bar is visible. This confirms that your API credentials are active and ready to fetch data.
- Use the "Select a zone..." dropdown to choose the specific website domain you want to analyze.
- Select the period you want to review (e.g., Last 24 Hours, Last 7 Days, or Last 30 Days) to see trends over time.

- Published: 2026-05-10
- Modified: 2026-05-10
- URL: https://docs.wpultimatesecurity.com/docs/setup-rules/allow-good-bots/
- Docs Categories: Setup Rules

The Allow Good Bots page lets you create a whitelist of trusted bots, crawlers, and third-party services. When enabled, these verified bots get unrestricted access to your site and skip all WAF rules, meaning they won't be blocked, challenged, or slowed down by your firewall.

Without this, legitimate services like Google Search, backup plugins, uptime monitors, or SEO tools might be blocked by stricter WAF rules (like "Block Crawlers" or "Challenge Cloud Providers"). This ensures your site stays functional and findable.

### Allow Good Bots

Enable Allow Good Bots: toggle this ON. This activates the entire whitelist system. If this is off, none of the categories below will take effect, even if individually enabled.

The settings have an Enable All and Disable All button for quick bulk control, plus individual toggles for each service.

### Cloudflare Verified Bot Categories

Allows bots that Cloudflare itself has verified and classified as legitimate through their automated system.

Services included:

- Accessibility: Allows assistive technology crawlers (e.g., screen reader validators) to access your site without restriction
- Academic Research: Allows academic and research crawlers like Common Crawl. Disable if you want to restrict data harvesting
- Advertising & Marketing: Allows academic and research crawlers like Common Crawl. Disable if you want to restrict data harvesting
- Aggregator: Allows content aggregation bots (e.g., Feedly, Flipboard). Enable if your content is syndicated via RSS
- AI Assistant: Allows AI assistant bots (e.g., ChatGPT plugins). Disable to prevent AI tools from reading your content
- AI Crawler: Allows AI training crawlers (GPTBot, CCBot, Google-Extended). Disable to block AI model training on your content
- AI Search: Allows AI-powered search engines (Perplexity, You.com). Disable if you do not want AI search indexing
- Archiver: Allows web archive bots (e.g., Internet Archive/Wayback Machine). Enable to preserve your content history
- Feed Fetcher: Allows RSS/Atom feed readers to fetch your content. Disable only if you do not publish feeds
- Monitoring & Analytics: Allows analytics and monitoring bots to validate your site. Recommended to keep enabled
- Page Preview: Allows link preview generators used by messaging apps to create rich previews
- Search Engine Crawler: Allows major search engine crawlers like Googlebot and Bingbot. Disabling this will hurt SEO
- Search Engine Optimization: Allows SEO audit tools to crawl your site for optimization insights
- Security: Allows security scanning bots such as safe browsing and reputation checks
- Social Media Marketing: Allows security scanning bots such as safe browsing and reputation checks. Recommended to keep enabled
- Webhooks: Allows webhook delivery bots like Stripe, GitHub, and Zapier. Disable only if you do not use webhooks

### WordPress Backup Services

Allows popular WordPress backup plugins to access your site without being interrupted by the WAF.

Services included: BackupBuddy, BlogVault, UpdraftPlus

If you use any of these backup plugins, enable them here. Backups often run via cron jobs or remote servers that WAF rules might flag as suspicious.

### Website Monitoring Services

Allows uptime and performance monitoring tools to check your site regularly without triggering challenges or blocks.

Services included: BetterStack, GTmetrix, Pingdom, StatusCake, UptimeRobot

Enable any service you actively use. If a monitoring tool is blocked, you'll get false "site down" alerts.

### Performance & Image Optimization

Allows image optimization and CDN services to fetch and process your content.

Services included: Cloudflare Image Resizing, Easy IO / ExactDN, EWWW Image Optimizer, FlyingPress, Imagify, ShortPixel, TinyPNG

Enable any image optimization plugin/CDN you use. These services need to pull your images, optimize them, and serve them back. WAF blocking would break this.

### SEO Crawlers

Allows SEO tools to crawl and analyze your site for rankings, audits, and backlink data.

Services included: Ahrefs Ahrefs Site Audit Majestic (MJ12bot) Moz Rogerbot Screaming Frog SEMrush SiteAuditBot SEMrush OCOB

### Security & Malware Scanners

Allows security scanning services to audit your site for vulnerabilities without being blocked. Use these services for external security audits.

Services included: SiteLock, Sucuri, VirusTotal, Wordfence

### Social Media Previews

Allows social platforms to generate link previews (image + description) when your URL is shared.

Services included: Facebook, LinkedIn, Twitter / X

Remember, without this, shared links will appear as plain text without images or descriptions.

### WordPress Management

Allows WordPress management tools and services to connect to your site.

Services included: Jetpack, MainWP, ManageWP, GoDaddy Uptime Monitor, WP Umbrella, Allow Let's Encrypt Verification (ACME)

Enable any tool you use to manage multiple WordPress sites from one dashboard. Allow ACME challenge verification for SSL certificate renewal when using Let’s Encrypt.

### Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

- Deploy Rules: Pushes your saved settings to Cloudflare and activates them live
- Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying
- Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare
- Zone Selector: Choose which Cloudflare domain (zone) to deploy to.
How Deployment Works From the Plugin: Save your WAF settings first using the Save Changes button at the bottom of the page Select the Cloudflare zone you want to protect Preview Rules shows the current draft output, including source tags for each generated rule Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules The plugin only manages its own rules. It won't delete or overwrite any rules you created manually in Cloudflare. - Published: 2026-05-10 - Modified: 2026-06-09 - URL: https://docs.wpultimatesecurity.com/docs/waf-rules/cloudflare-setup/ - Docs Categories: WAF Rules To use the WAF (Web Application Firewall) features, you must first link Ultimate Security with your Cloudflare account. This allows the plugin to manage your security zones and deploy protective rules automatically. Enable WAF Rules Before configuring your connection, you must activate the WAF rule management engine within the plugin. Enabling this allows the plugin to handle rule deployment, configuration, and traffic analytics. How to Enable It Navigate to Ultimate Security → WAF Rules → Cloudflare Setup from your WordPress admin sidebar. Locate the Enable WAF Rules toggle switch. Click the toggle to turn it on. Connecting Your Cloudflare Account To manage your rules, you need to link your Cloudflare account under the Connect Cloudflare Account section. First, provide a general label for your reference: Account Name / Label: Enter a friendly name to identify this specific Cloudflare account (e. g. , "Main Account" or "Client Admin"). Next, choose one of the three authentication methods below to complete the connection. Method 1: API Token What It Is The API Token method is the most secure way to connect your site to Cloudflare. Instead of exposing your master password, it uses a scoped token that grants our plugin only the specific permissions required to deploy WAF rules. How to Configure It Under Authentication Method, select API Token. 
- API Token: Paste your unique Cloudflare API token into the field.
- Required Permissions: Your token must be created in your Cloudflare dashboard with these exact scopes: Zone → WAF → Edit and Zone → Zone → Read.
- Token Duration: Choose how long you want to keep these credentials securely stored from the dropdown menu.
- Click Verify & Save to validate the token permissions.

Method 2: Email + Global API Key

What It Is

The Email + Global API Key method connects your site using your master Cloudflare credentials.

Security Note: While fully operational, using a Global API Key grants full administrative access to your entire Cloudflare profile. For optimal security.

How to Configure It

- Under Authentication Method, select Email + Global API Key.
- Cloudflare Account Email: Enter the exact email address linked to your Cloudflare profile.
- Global API Key: Paste your master Cloudflare Global API Key into the field.
- Token Duration: Choose your preferred credential storage timeframe from the dropdown menu (e.g., Forever).
- Click Verify & Save to authenticate the connection.

Method 3: OAuth

What It Is

The OAuth method authenticates with the Cloudflare API via a self-managed OAuth application. This establishes a securely scoped integration without sharing any raw account passwords or master keys.

How to Configure It

- Under Authentication Method, select OAuth.
- Client ID: Paste the Client ID from your self-managed application. Where to find it: In Cloudflare, go to Manage Account → OAuth Clients.
- Client Secret: Enter the unique secret key issued for your OAuth client. Treat this entry with the same security as a password.
- Access Token: Paste the bearer token generated after user authorization.
- Refresh Token (Optional): Enter the refresh token. Providing this is recommended so the plugin can seamlessly fetch a new access token when the current one expires.
- Token Duration: Set your credential storage duration using the dropdown menu (e.g., Forever).
Click Verify & Save to authorize the application connection. Finalizing Changes After completing your chosen verification method, notice the Unsaved Changes warning bar at the top or bottom of your screen. Click Save Changes to write your configurations permanently. You can add multiple separate Cloudflare accounts to this interface and switch between them at any time. Quick Guide: How to get your API Token If you aren't sure where to find your credentials, follow these three steps: Log in to your Cloudflare Dashboard. Navigate to My Profile > API Tokens. Create a token using the "Edit Zone DNS" template or a custom token with the permissions mentioned above (WAF Edit, Zone Read). Copy the token and paste it back here in the Ultimate Security settings. Managing Multiple Accounts Ultimate Security supports multi-account management. You can add multiple Cloudflare accounts and switch between them at any time to manage different security zones without leaving your WordPress site. - Published: 2026-05-10 - Modified: 2026-05-11 - URL: https://docs.wpultimatesecurity.com/docs/setup-rules/waf-rules-setup-rules/ - Docs Categories: Setup Rules The Setup & Rules page is your central "Checklist. " It guides you through configuring seven specific security layers to ensure your site is locked down while remaining accessible to real visitors. It sits between your site and the internet, filtering out malicious traffic before it ever touches your server. Getting Started Before you begin, ensure your Cloudflare account is connected. Status Check: If you see a "Cloudflare not connected" warning at the top, your rules will not protect your site live. You can customize settings in any order, but you must Preview & Deploy (Step 7) to push those changes live. Cloudflare Checklist Each item below represents a "Rule Group. " Click the Open button next to any item to configure it. 1. Cloudflare Setup This is the "engine" that powers the firewall. 
Without this, the other rules cannot be deployed.

2. Allow Good Bots
It ensures your search engine rankings are safe. You want security to block hackers, not search engines.

3. Block Crawlers & WP Paths
Hackers often target files like xmlrpc.php to guess passwords. This rule shuts that door.

4. Block Web Hosts & TOR
Most genuine visitors use a home or mobile internet provider. Traffic from data centers is often automated or malicious.

5. Challenge Cloud Providers & Countries
It stops automated scripts while still allowing a real human to click a button and enter your site.

6. Challenge VPN & Login
The login page is the most attacked part of a site. This ensures that even if someone hides behind a VPN, they must prove they are human.

7. Preview & Deploy
Nothing is live until you do this. Think of this as the "Save and Publish" button for your entire firewall.

Quick Status Guide

Keep an eye on the colored badges next to each rule:

- Not Configured (Grey): Needs your initial setup.
- Needs Review (Orange): The rule is active but requires you to check the settings for your specific site.
- Deployed (Green): The rule is live and protecting your site.

Note: Rule groups ship enabled by default, but they are NOT automatically active until you review, save, and deploy them. Don't assume you're protected just because you see the checklist.

- Published: 2026-03-12
- Modified: 2026-03-12
- URL: https://docs.wpultimatesecurity.com/docs/security-wizard/security-wizard/
- Docs Categories: Security Wizard

To help you get the best protection for your website, we created a simple Security Setup Wizard. This tool handles the technical side for you, making sure your site is safe without any complicated steps.

Setup Process

The wizard is divided into four simple stages, which you can track at the top of your screen:

Security Scan: The plugin analyzes your current WordPress environment for vulnerabilities.
Choose Profile: You select a security level (Basic, Moderate, or Strict) that fits your needs. Review Changes: A summary of the upcoming adjustments for your final approval. Complete: Your settings are applied, and your site is secured. Note: Every setting configured during this wizard can be adjusted later from the main plugin settings page. Security Scan After initiating the setup, the plugin performs a comprehensive scan of your WordPress site. This screen displays your Security Grade and a detailed breakdown of your current security posture. At the top of the page, you will see a summary of your results: Security Grade: A letter grade (e. g. , A, B, C) representing your overall protection level. Passed: The number of security checks your site successfully cleared. Warnings: Areas that are functional but could be improved for better security. Critical: High-priority issues that represent a significant risk to your site. Security scan results The table below the dashboard provides a granular look at specific technical areas. Each row will give you a specific security check like SSL, password policies, and login settings, with a status of Passed, Warning, or Critical, plus a brief explanation of why. Choose Profile Now that the scan is complete, it’s time to choose a security profile. These profiles are pre-configured sets of rules designed to provide the right balance between high-level security and ease of use. You can choose from three distinct protection tiers. Each tier builds upon the previous one to strengthen your site's defenses. 1. Basic Protection (Recommended for Beginners) This profile provides essential security measures with almost zero impact on your site's performance or daily workflow. It is ideal for small websites and personal blogs. Custom login URL: Changes your login page address to hide it from bots. Basic password policy: Ensures all users use at least 10 characters. Login attempt limits: Blocks IP addresses that repeatedly fail to log in. 
- Hide WordPress version: Removes public information that hackers use to target specific vulnerabilities.

2. Balanced Security (Recommended for Most Sites)

This profile offers comprehensive protection while maintaining a smooth experience for your visitors. It is the best choice for business websites and growing blogs.

- Includes all Basic features.
- Two-factor authentication (Email): Adds a second layer of security by requiring a code sent to your email.
- Enhanced brute force protection: Stricter rules for blocking malicious login attempts.
- Security headers enabled: Protects your site from common browser-based attacks.

3. Maximum Security

This is an enterprise-grade tier with strict policies. It provides the highest level of defense but may require some user training to navigate the stricter login requirements.

- Includes all Balanced features.
- Mandatory 2FA for administrators: Requires all admins to use two-factor authentication.
- Advanced rate limiting: Prevents scrapers and bots from overloading your site.
- Full security headers suite: The most robust set of browser protections available.

How to Apply a Profile

- Review the features listed under each card.
- Click on the card that best fits your needs to select it.
- Click the Next button to move to the Review Changes step.

Review Changes

Before the plugin applies your new security configuration, you are provided with a complete overview of the adjustments. This step ensures you have full visibility into how your site’s settings will change based on the profile you selected.

- Selected Profile: Displays the name of the profile you chose in the previous step (e.g., Basic Protection).
- Settings to Change: The total number of individual settings that will be modified.
- Total Settings: The overall number of security parameters managed by the plugin.

Comparison Table

The "Settings that will change" table allows you to compare your site’s current state with the new, optimized configuration.
| Column | Description |
| --- | --- |
| Setting | The specific feature being updated. |
| Current Value | Your site's current configuration before the update. |
| New Value | The optimized settings that will be applied to your site. |

Finalizing the Setup

Take a moment to scroll through the list and ensure you are comfortable with the updates.

- If everything looks correct, click the Next button to apply the changes and move to the final step.
- If you wish to choose a different security level, click the Back button to return to the Choose Profile screen.

Configuration Complete

This final screen confirms the changes made and suggests additional steps to further harden your site's defenses. At the top of the page, you will see a confirmation of the profile you applied.

- Undo Changes: If you realize you’ve made a mistake or want to revert to your previous settings immediately, click the "Undo Changes" button in the top right.
- What Was Enabled: This section provides a checklist of the core features that are now active on your site, such as your Custom login URL or Login attempt limits.

Recommended Next Steps

While the wizard has secured the essentials, there are always additional layers you can add. The plugin suggests impactful actions you can take right away. To set up any of these features, click the Configure button next to the respective item.

Once you are satisfied with the setup, click Go to Dashboard at the bottom right to exit the wizard and access the main plugin management area.

- Published: 2026-03-02
- Modified: 2026-03-02
- URL: https://docs.wpultimatesecurity.com/docs/dashboard/file-integrity/
- Docs Categories: Dashboard

This section helps you monitor changes to your WordPress files. It tracks which files have been modified, added, or deleted, which is crucial for detecting unauthorized changes or potential security threats.
Key Information Statistics (last 7 days): Total Changes: Shows all modified files Modified Files: Show file changes New Files: Shows new files Deleted Files: Shows removed files Action Buttons Refresh: Update the current view with the latest file status Run Scan Now: Manually start a new file integrity scan Settings: Configure how file monitoring works File List The table shows detailed information about modified files: File Path: Where the file is located on your server Status: Shows as "MODIFIED" for changed files Change Type: What kind of change occurred File Size: The size of the file Modified: When the file was last changed Last Checked: When the plugin last scanned this file Actions: Use the "Reset" button to mark a file as legitimate if you made the changes yourself Search Function Use the search bar to find specific files in the list quickly. This feature helps you spot suspicious file changes that could indicate a security breach or hacking attempt. File Integrity Settings This page lets you configure how the File Integrity feature works. You can control when scans run, how long data is saved, and how you're notified about changes. Enable File Integrity Toggle this on to activate file monitoring The system will track changes to your WordPress files Scan Frequency Choose how often to check for file changes Data Retention Period Set how long to keep file change records Alert Settings Toggle this on to receive notifications when files are modified Get instant alerts about suspicious activity Enter an email address for alerts Leave empty to use your default WordPress admin email Ensure you receive important security notifications Cancel: Discard any changes you've made Save Settings: Apply your configuration changes These settings help you balance security monitoring with your needs. More frequent scans provide better protection but use more resources. 
- Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/settings-ai-scanner/settings-scan-configuration/ - Docs Categories: Settings Scan Configuration panel allows you to power your security scans using state-of-the-art Artificial Intelligence. By integrating with the Google Gemini API, Ultimate Security moves beyond simple file matching to perform deep, contextual code analysis, identifying complex malware that traditional scanners often miss. Setting Up the AI Engine To access these settings, click the Settings (gear icon) on the top right of the AI Scanner dashboard. 1. Engine Selection Engine: Select your preferred AI provider. Currently, the scanner is optimized for Google Gemini integration to ensure high-speed, accurate analysis. 2. API Integration Google Gemini API Key: Paste your unique API key into this field. This key is required to connect your site to the AI model. Get API Key: If you don't have a key, click this link to generate one from the Google AI Studio. Test Button: After entering your key, click Test to verify that the connection is active and working correctly. 3. Model Selection Select Model: Choose the specific AI model to perform the scan. 4. Performance Settings API Timeout (seconds): Define how long the plugin should wait for a response from the AI for each file analyzed. Range: 30–600 seconds. Default: 300 seconds is recommended for most server environments to prevent timeouts on larger files. Notifications & Automation Keep your team informed without having to manually check the dashboard. Email Notifications: Toggle this switch to ON to receive a comprehensive summary of every scan directly in your inbox. This includes details on any detected threats or suspicious patterns found by the AI. Advanced Analysis Controls Output Mode The Output Mode dropdown defines the primary objective of the AI analysis. Perform Security Scan: (Default) The AI scans for malware, backdoors, and known vulnerabilities. 
Code Audit/Optimization: Use this mode if you want the AI to analyze your themes or plugins for performance bottlenecks or coding best practices. Ignored Directories To speed up scans and prevent the AI from wasting resources on non-critical files, you can exclude specific folders. Configuration: Enter comma-separated directory paths relative to the wp-content folder. Recommended Exclusions: Heavy directories like node_modules, vendor, or large media cache folders should be added here if they do not contain executable PHP code. Custom AI Prompt For advanced users and security researchers, you can override the default AI logic. Custom Prompt: Enter specific instructions for the AI model to follow during its analysis. For example: "Focus only on identifying SQL injection patterns in the following files. " Note: Leave this field empty to use the Ultimate Security default prompt, which is professionally engineered for comprehensive malware detection. - Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/overview-2/ - Docs Categories: Biometric Login (Passkey), Login & Authentication - Docs Tags: Beginner Passkeys provide a passwordless authentication solution based on the WebAuthn standard. By using device-based methods such as fingerprints, facial recognition (FaceID), or a hardware security key, you can provide a modern, highly secure, and friction-free login experience for your users. Navigation To access the Passkeys management dashboard, navigate to: Ultimate Security > Biometric Login (Passkeys) > Overview Passkeys Statistics The statistics panel provides a high-level overview of how passwordless authentication is being adopted on your WordPress site: Users: The total number of unique users who have at least one passkey registered. Passkeys: The total count of active passkeys currently enrolled across the entire site. Activities: A tally of all authentication events processed via WebAuthn. 
Challenges: The number of cryptographic challenges issued by the server to verify user identity. Quick Actions From the Overview screen, you can quickly jump to specific management tasks using the following buttons: Settings: Configure global passkey behavior, such as user enrollment rules and authentication requirements. Activity Log: View a detailed audit trail of all biometric login attempts and registrations. Manage Passkeys: Direct access to add, remove, or rename passkeys for your account. Authenticator Types This section displays a distribution chart of the devices and methods your users are choosing for authentication. Common types include: Platform Authenticators: Built-in methods like Windows Hello, Touch ID (macOS/iOS), or Android Biometrics. Cross-Platform Authenticators: External hardware keys (USB/NFC/Bluetooth) used for logging in across multiple devices. Recent Activity The Recent Activity log provides a real-time feed of login events. This allows administrators to monitor: Which user logged in. The timestamp of the authentication. The status (Success/Failure) of the biometric verification. - Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/passkeys/ - Docs Categories: Biometric Login (Passkey), Login & Authentication Managing passwordless authentication at scale requires clear visibility into user adoption. The Passkeys tab allows administrators to monitor, search, and manage all security keys registered across the site. This centralized management interface ensures that you can support users who may have lost devices or need to verify their biometric enrollment status. Navigation To manage registered passkeys, navigate to: Ultimate Security > Biometric Login (Passkeys) > Passkeys Filter & Search Passkeys As your user base grows, finding specific credentials becomes essential. 
This section provides robust filtering options to audit your security landscape: Search Bar: Search for specific passkeys using the user’s name, email, or the custom label assigned to the passkey. Status Filter: Filter passkeys by their current state (e. g. , Active, Revoked, or Pending). Type Filter: Narrow down the list by authenticator type, such as mobile biometrics or hardware keys. Date Range: Select a specific timeframe using the calendar pickers to view passkeys registered within a certain period. Reset Filters: Instantly clear all search parameters to return to the full list of registered credentials. Registered Passkeys List This section serves as your primary ledger for all biometric credentials currently active on your WordPress site. Credential Overview: Displays the user associated with the passkey, the device type used for registration, and the last used date. Management Actions: From this list, administrators can perform critical maintenance tasks such as renaming a passkey for better identification or revoking a passkey if a user reports a lost or stolen device. Empty State: If no users have enrolled yet, the dashboard will display a "No passkeys registered" message. Passkeys will automatically appear here as users complete the enrollment process from their individual profiles. - Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/settings-2/ - Docs Categories: Biometric Login (Passkey), Login & Authentication Navigation To access the Passkeys settings, navigate to WP Ultimate Security > Passkeys > Settings from your WordPress admin sidebar. Enable Passkeys This is the master toggle for the WebAuthn authentication system. Function: When switched to Enable, the plugin activates the passkey infrastructure across your site. User Impact: If enabled, users with authorized roles can register their devices and use them for subsequent logins. 
Enable Maximum Passkeys This setting allows administrators to control the "device footprint" of their users. Function: Toggle this to ON to restrict the number of passkeys a single user can register. Default Behavior: If this is disabled, users are permitted to register an unlimited number of passkeys/devices. Max Passkeys Number Once a limit is enabled, this field defines the specific numerical threshold for security credentials. Usage: Enter a whole number (e. g. , 3) to set the maximum capacity. Note: This setting only functions if the Enable Maximum Passkeys toggle is active. Enabled User Roles This granular control determines which segments of your user base can access passwordless technology. Selection: Use the dropdown menu to select specific roles, such as Administrator or Editor. Management: Use the Select All button to enable the feature sitewide or Remove All to reset your selections. Important: Users with roles that are not selected will not be able to log in via passkeys, and the registration form will be hidden from their profiles and registration shortcodes. Exclude Existing Credentials This feature prevents the accumulation of redundant security keys and ensures a streamlined authentication database. Function: Toggle to Enable to prevent users from registering a passkey that is already associated with their account. Recommendation: It is highly recommended to keep this setting enabled to avoid configuration conflicts and redundant registrations. Registration Timeout This setting establishes a security window for the initial setup of a new passkey. Usage: Enter a numerical value in the field to set the expiration time in minutes. Default: The standard setting is 5 minutes. Impact: If a user does not complete the device-level verification (e. g. , fingerprint scan or PIN entry) within this timeframe, the registration session will automatically expire. Login Timeout Similar to registration, this setting manages the lifespan of a login attempt. 
Usage: Specify the duration (in minutes) that a login request remains valid. Default: The standard setting is 5 minutes. Security Benefit: This prevents persistent login sessions from remaining active indefinitely if a user initiates a login but fails to complete the biometric verification. Enable User Verifications This toggle controls the requirement for the authenticator to verify the user during the passkey process. Function: Switch to Enable to ensure that the device (phone, laptop, or hardware key) actively verifies the user's identity via biometrics or a PIN before proceeding. Effect: When disabled, restrictions on the number of registered passkeys may not be strictly enforced. - Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/display/ - Docs Categories: Biometric Login (Passkey), Login & Authentication Login for WooCommerce This setting integrates passkey authentication directly into your e-commerce storefront. Function: Toggle to Enable to add the passkey login option to the WooCommerce "My Account" and checkout login forms. Requirement: The WooCommerce plugin must be installed and activated on your site for this option to work correctly. Login for MemberPress This integration is designed for membership sites requiring high-level account security. Function: Toggle to Enable to allow members to log in to their accounts using passkeys on MemberPress-generated login forms. Requirement: The MemberPress plugin must be installed and activated for this toggle to have an effect. Login for Easy Digital Downloads Ensure your digital marketplace is protected with modern authentication. Function: Toggle to Enable to provide a passkey login alternative for your Easy Digital Downloads (EDD) customers. Requirement: The Easy Digital Downloads plugin must be installed and activated to utilize this feature. 
Login Short Code This shortcode allows you to place a "Login via Passkey" button anywhere on your site, such as custom landing pages or sidebars. Shortcode: Function: Embeds the login button to allow users to authenticate using their registered passkey credentials. Note: If a user is already logged in, the form will remain hidden to maintain a clean user interface. Register Short Code Use this shortcode to create custom registration areas for users to link their devices. Shortcode: Function: Embeds the "Register via Passkey" button, allowing logged-in users to set up new passkey credentials. Note: Similar to the login shortcode, this form will not be displayed if the user session does not require it. Display Passkeys in Users List This option enhances the standard WordPress User management screen with security insights. Function: Toggle to Enable to add a dedicated "Passkeys" column to the administrative Users list. Benefit: Allows administrators to see at a glance which users have secured their accounts with biometric or device-based authentication. Display Passkeys in Edit User/Profile This setting integrates passkey management directly into individual user profiles. Function: Toggle to Enable to show registered passkeys on the Edit User and Profile pages within the admin area. Benefit: Provides a centralized location for admins or users to view and manage their existing security keys. Always remember to click Save Changes after updating your shortcode or admin area preferences to ensure the new display settings take effect. - Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/biometric-login-passkey/advanced/ - Docs Categories: Biometric Login (Passkey), Login & Authentication Managing your security data is essential for maintaining site performance and ensuring a clean audit trail. 
The Advanced Maintenance settings allow you to automate the deletion of old log records and configure the underlying system tasks required for these operations. Delete log records older than Over time, activity logs can accumulate and increase the size of your database. Use this setting to keep your logs relevant and your database optimized. Function: Select a timeframe from the dropdown menu (e. g. , Older than 30 days) to automatically purge outdated log entries. - Published: 2026-02-25 - Modified: 2026-04-29 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/sms-authentication/ - Docs Categories: Two-Factor Authentication, Login & Authentication SMS Authentication provides enterprise-grade multi-factor security by sending a 6-digit verification code directly to a user's mobile device during the login process. This ensures that even if a password is compromised, an attacker cannot gain access without physical possession of the user's phone. To configure these settings, navigate to Login & Authentication > Two-Factor Authentication > SMS Authentication. Enable SMS Authentication This toggle activates the SMS-based verification system for your WordPress site. Function: Switch to Enable to allow users to receive 6-digit verification codes via SMS during login. Requirement: SMS 2FA requires a Twilio account. You must sign up at twilio. com to obtain your API credentials before this feature can send messages. Enable for Roles This setting allows you to enforce SMS-based security for specific segments of your user base. Selection: Use the Select roles dropdown to choose which user levels (e. g. , Administrator, Editor, Subscriber) are required to use SMS authentication. Management: Use the Select All button to mandate SMS 2FA for every user on the site, or Remove All to clear your current selections. Twilio Configuration To enable SMS delivery, you must connect the plugin to your Twilio account using your unique API credentials. 
Twilio Account SID

The Account SID acts as the primary identifier for your Twilio account.

- Action: Enter your Twilio Account SID into the field.
- Location: You can find this string in your Twilio Console dashboard.

Your Auth Token

The Auth Token serves as the password for your API requests.

- Action: Enter your Auth Token into the masked field.
- Safety: Keep this token secret. Do not share it or display it in public screenshots.

Twilio Sender

The sender identity tells the recipient who the message is from.

- Supported Formats: You can enter a phone number (e.g. ), an alphanumeric ID (e.g. ), or a messaging service SID (starting with MG...).
- Formatting: Phone numbers must be entered in E.164 format (+).
- Alphanumeric Constraints: These must be 2–11 characters long and consist of letters and numbers only.

International SMS Requirements

Many countries require a registered alphanumeric sender ID to successfully receive SMS messages. Using a standard US or international phone number in these regions will result in Error 21612.

Countries requiring registration include:

- Bangladesh, India, Pakistan, Philippines, Vietnam
- Saudi Arabia, UAE, Egypt, Nigeria, Kenya
- Indonesia, Thailand, Malaysia, and many others

IMPORTANT: For these countries, you must register an alphanumeric sender ID in your Twilio console under Messaging > Senders.

- SMS Expiry: Codes sent via Twilio expire after 5 minutes.
- Costs: Standard Twilio charges apply for every SMS sent.
- User Setup: Once configured, users must add their phone numbers in their individual Profile settings to use this feature.

Click Save Changes in the top-right corner. If you made a mistake and haven't saved yet, you can click Discard to revert to the previous state.
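A pre-flight check for the Twilio Sender rules above, as an added example (not the plugin's or Twilio's code): it classifies the configured sender and flags recipient numbers in the listed countries when the sender is a plain phone number. The function names, the calling-code table, the 32-hex-character SID shape and the assumption that user phone numbers are stored in E.164 form are added here; all numbers are constructed.

```python
import re

# Calling codes for the countries the page lists as needing a registered
# alphanumeric sender ID. The country names come from the page; the ITU
# calling codes are added here and are not part of the plugin.
ALPHA_SENDER_COUNTRIES = {
    "+880": "Bangladesh", "+91": "India", "+92": "Pakistan",
    "+63": "Philippines", "+84": "Vietnam", "+966": "Saudi Arabia",
    "+971": "UAE", "+20": "Egypt", "+234": "Nigeria", "+254": "Kenya",
    "+62": "Indonesia", "+66": "Thailand", "+60": "Malaysia",
}

E164 = re.compile(r"\+[1-9]\d{1,14}")             # "+" then at most 15 digits
MESSAGING_SID = re.compile(r"MG[0-9a-fA-F]{32}")  # "MG" prefix + 32 hex chars
ALPHANUMERIC = re.compile(r"[A-Za-z0-9]{2,11}")   # the page's 2-11 character rule


def classify_sender(sender):
    """Return (kind, problem). kind is None when the value is unusable."""
    s = sender.strip()
    if not s:
        return None, "sender is empty"
    if MESSAGING_SID.fullmatch(s):
        return "messaging_service", None
    if E164.fullmatch(s):
        return "phone", None
    if s.isdigit():
        # Assumption: an all-digit value is a phone number typed without "+",
        # not an alphanumeric ID.
        return None, "digits only: phone numbers need E.164 form with a leading +"
    if ALPHANUMERIC.fullmatch(s):
        return "alphanumeric", None
    if s.startswith("+"):
        return None, "not valid E.164: + followed by digits only, no spaces"
    if not re.fullmatch(r"[A-Za-z0-9]+", s):
        return None, "alphanumeric IDs may contain letters and numbers only"
    return None, "alphanumeric IDs must be 2-11 characters long"


def country_requiring_alpha(recipient):
    """Name of the listed country a recipient number belongs to, or None."""
    for prefix, country in ALPHA_SENDER_COUNTRIES.items():
        if recipient.startswith(prefix):
            return country
    return None


def preflight(sender, recipients):
    """Report recipients likely to fail (Error 21612) with this sender."""
    kind, problem = classify_sender(sender)
    if kind is None:
        return {"sender_ok": False, "problem": problem,
                "at_risk": [], "bad_numbers": []}
    at_risk, bad_numbers = [], []
    for number in recipients:
        if not E164.fullmatch(number):
            bad_numbers.append(number)      # 2FA codes cannot be delivered here
            continue
        country = country_requiring_alpha(number)
        # A messaging service may still route through a phone number; that
        # cannot be judged from the SID alone, so only "phone" is flagged.
        if kind == "phone" and country:
            at_risk.append((number, country))
    return {"sender_ok": True, "kind": kind,
            "at_risk": at_risk, "bad_numbers": bad_numbers}


if __name__ == "__main__":
    # Constructed sender and user phone numbers.
    print(preflight("+15005550006", ["+919800000000", "+442079460000"]))
```

Users whose numbers land in `at_risk` or `bad_numbers` would not receive their 6-digit code, so check them before making SMS 2FA mandatory for a role.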
- Published: 2026-02-25 - Modified: 2026-02-25 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/backup-codes/ - Docs Categories: Login & Authentication, Two-Factor Authentication Backup codes are single-use recovery codes that allow users to bypass the 2FA requirement in emergencies. This feature is essential for preventing permanent account lockouts while maintaining a high security standard. Enable Backup Codes and Roles This is the master switch for the recovery code system. Function: Toggle to Enable to allow the generation and use of backup recovery codes across your site. User Experience: Once enabled, permitted users can generate a set of codes from their individual profile page under the Two-Factor Authentication section. Selection: Use the Select roles dropdown to choose which user tiers (e. g. , Administrator, Editor) can generate backup codes. Management: Use the Select All or Remove All buttons for rapid configuration across all site roles. Backup Code Statistics This dashboard provides a real-time overview of how recovery codes are being utilized on your site. Users with Codes: The total number of users who have generated at least one set of backup codes. Low on Codes: Identifies users who have nearly exhausted their supply of single-use codes and may need to generate new ones. Used Today / This Month: Tracks the frequency of recovery code usage to help you identify periods of high recovery activity. Users with Backup Codes This section provides a list of specific users who currently have active recovery codes. Management: If no users have generated codes yet, this area will remain empty. Refresh: Click the Refresh button to update the list with the most recent user data. Every time a backup code is used, the event is logged in the 2FA Audit Logs with a precise timestamp, IP address, and user information for security auditing. 
After adjusting your settings, ensure you click Save Changes in the top-right corner to apply the new configuration.

- Published: 2026-02-25
- Modified: 2026-04-29
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/audit-logs/
- Docs Categories: Login & Authentication, Two-Factor Authentication

The 2FA Audit Logs module is designed for enterprise-grade security monitoring. It captures every interaction with your two-factor authentication system, providing administrators with the visibility needed to identify patterns of unauthorized access or troubleshoot user login issues.

Enable Audit Logging

This toggle controls the sitewide tracking of 2FA events.

- Function: Toggle to Enable to begin recording all 2FA activities directly to your database.
- Data Captured: Every log entry includes essential metadata such as timestamps, IP addresses, user IDs, and the full context of the event.

Statistics (2FA Activity Metrics)

The Statistics dashboard provides a high-level overview of your 2FA system's health and usage.

- Event Volume: View Total Events alongside specific time-based breakdowns for Today, This Week, and This Month.
- Success vs. Failure: Monitor the number of Successful vs. Failed 2FA attempts to quickly spot potential brute-force attacks or user frustration.
- User & Network Reach: Track Unique Users and Unique IPs to understand the scope of 2FA adoption and identify if multiple users are attempting to log in from the same suspicious network.

Top Users by Activity

This section provides a visual ranking of account interaction.

- Function: Automatically identifies and displays users with the highest volume of 2FA events.
- Security Use: Helps administrators quickly spot users who may be experiencing technical difficulties or accounts that are being targeted by frequent login attempts.

Filter & Search Logs

Refine your audit trail using granular criteria to find exactly what you need.
- Event Type: Use the All Events dropdown to filter by specific actions, such as successful logins, failed attempts, or backup code usage.
- Date Range: Select a Start date and End date to isolate events within a specific timeframe.
- IP Filtering: Enter a specific address in the Filter by IP field to track all 2FA activity originating from a single network.
- Action Buttons:
  - Apply Filters: Updates the list based on your current criteria.
  - Clear Filters: Resets all fields to show the full audit trail.

Data Exporting

For external auditing and long-term storage, you can export your filtered results in two standard formats.

- Export CSV: Downloads your logs as a spreadsheet-compatible file, ideal for manual review or local backups.
- Export JSON: Downloads the data in a machine-readable format, perfect for importing into Security Information and Event Management (SIEM) tools or custom dashboards.

Log Maintenance

Manually clean up your audit trail to prevent excessive database growth.

- Cleanup Options: You can choose to Delete Logs Older Than 90 Days, Delete Logs Older Than 30 Days, or Delete All Logs entirely.
- Permanent Action: Deleting audit logs is permanent and cannot be undone. Always ensure you have exported any logs you need to keep for compliance or historical review before using the deletion tools.

Logged Event Types

The audit system automatically tracks a wide array of security-critical interactions. Events tracked by the system include:

- Authentication Status: 2FA Enabled/Disabled, Verification Success/Failed, and Account Lockouts.
- Method Management: Backup Codes Generated/Used, Passkeys Registered/Used, and Method Changed.
- User Details: Phone Number Updated and Trusted Device Added.
- Session Data: SMS Sent/Verified and Session Created.

Database Information

For advanced users and developers, this section provides technical details regarding log storage.

- Table Name: All 2FA audit data is stored in the wp_ultimate_security_2fa_logs table.
- Indexed Fields: Key fields such as user_id, event_type, created_at, and ip_address are indexed to ensure high-speed data retrieval.
- Storage Format: Metadata is stored as JSON for maximum flexibility in recording diverse event details.
- Performance: The database structure utilizes optimized indexes specifically designed for fast queries, even with large datasets.

Use the Save Changes button at the bottom of the screen to commit any configuration updates.

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/login-hardening/admin-password-authentication/
- Docs Categories: Login Hardening

The Admin Password Authentication feature adds a layer of administrative oversight to your site's login process. This tool allows high-level users to access lower-level user accounts using their own administrative credentials, ensuring you can manage site content or troubleshoot user issues without needing to reset or know individual user passwords.

How to Enable Admin Password Use

To activate this policy for your WordPress site:

1. Navigate to the Login Hardening section in the sidebar.
2. Click on the Admin Password Authentication tab.
3. Locate the Enable Administrator Password Use toggle.
4. Switch the toggle to ON.
5. Click Save Changes at the bottom of the screen.

User Roles Configuration

Once enabled, you can define which specific roles are subject to this authentication policy. This allows trusted high-level roles to log into the accounts of lower-level users.

- Administrator: This role always has this capability enabled by default and cannot be disabled.
- Target Roles: You can toggle access for the following roles:
  - Editor
  - Author
  - Contributor
  - Subscriber

Note: Always ensure that only trusted high-level roles are granted the ability to bypass standard user logins to maintain the integrity of your site's security hierarchy.
- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/session-management/automations/
- Docs Categories: Session Management

The Automations tool within Session Management allows you to perform bulk maintenance on user accounts based on specific security criteria. This feature is particularly useful for cleaning up old or inactive accounts and ensuring that your user database remains secure and streamlined.

How to Execute User Deletion

This tool allows you to filter and remove users based on their role and registration date. Follow these steps to use the automation:

1. User Role: Select the specific WordPress user role you wish to target from the dropdown menu (e.g., Administrator, Editor, Subscriber).
2. Session Type: Choose the type of session status you want to target (Has Active Session, No Active Session).
3. Registered Before: Use the date picker to select a cutoff date. The tool will only identify users who registered before this specific date.
4. Execute Deletion: Once your filters are set, click the Start Deletion button to begin the process.

Warning: User deletion is a permanent action. We strongly recommend creating a full database backup before running this automation to prevent accidental loss of important user data.

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/session-management/active-sessions/
- Docs Categories: Session Management

The Active Sessions dashboard provides real-time visibility into every user currently logged into your WordPress site. This monitoring tool is essential for identifying unauthorized access, tracking user behavior, and maintaining tight control over account security.

Monitoring Login Activity

The dashboard displays a comprehensive table of all live connections with the following data points:

- User Information: Displays the username and associated email address.
- Remote IP: Shows the IP address from which the user is accessing your site.
- Device & OS: Identifies if the user is on a Desktop or Mobile device and the specific Operating System (e.g., Windows, macOS).
- Client: Specifies the browser being used, such as Chrome or Firefox.
- Login Timestamp: The exact date and time the session was initiated.
- Login Activity: Tracks the duration of the current session.

Managing Sessions

You can take immediate action if you notice suspicious activity or need to clear sessions for maintenance:

- Search & Filter: Use the search bar to find specific users or filter by roles (e.g., "Administrator") to narrow down the list.
- Individual Termination: Click the Logout (Back Arrow) icon on the far right of any row to instantly terminate that specific user's session.
- Bulk Actions: To log out multiple users at once, select the checkboxes next to their names, choose Bulk actions from the dropdown menu, and click Apply.

- Published: 2026-02-25
- Modified: 2026-04-22
- URL: https://docs.wpultimatesecurity.com/docs/temporary-access/create-access-link/
- Docs Categories: Temporary Access

The Temporary Access feature allows you to grant secure, time-limited access to your WordPress site for developers, support staff, or collaborators. Instead of sharing your primary admin credentials, you can create unique temporary accounts that automatically expire, maintaining your site's long-term security.

How to Create a Temporary Access Link

To generate a new temporary login, navigate to Temporary Access > Create Access Link and fill in the following details:

| Field | Description |
| --- | --- |
| Email | The email address where the access link or notifications will be sent. |
| First Name / Last Name | The identifiable name for the temporary user. |
| Username | A unique username for this temporary session. |
| Role | The WordPress user role (e.g., Administrator, Editor) assigned to the guest. |
| Redirect after login | Choose where the user lands (e.g., Dashboard) immediately after using the link. |
| Expiry | Set the lifespan of the account (e.g., One Day, One Week). |
| Language | Set the preferred dashboard language for the user. |

After filling in the box, press the Create temporary Login button. A new user will be created once done. The user can now log in using a temporary link. To get the URL, the admin has to copy the link from the Action section. There's a copy icon for the temporary link and a delete button to remove the user.

- Published: 2026-02-25
- Modified: 2026-04-22
- URL: https://docs.wpultimatesecurity.com/docs/temporary-access/temporary-access-settings/
- Docs Categories: Temporary Access

The Temporary Access feature allows you to grant time-limited access to your WordPress site for developers, support staff, or collaborators. Instead of creating permanent user accounts, you can generate secure temporary logins that expire automatically, ensuring your site remains secure after the work is completed.

Configuration Settings

To manage how temporary login links are generated, navigate to the Temporary Access settings tab.

- Visible Roles: Choose which WordPress user roles can be assigned when creating a temporary link. Only the roles selected here will appear in the selector during the login creation process. You can use the Select All or Remove All buttons for quick management.
- Default Role: Set the primary role that is automatically assigned to new temporary logins (e.g., Administrator, Editor, or Subscriber).
- Default Redirect: Define where a user is sent immediately after using a temporary login link. By default, this is set to the Dashboard, but it can be customized based on your needs.
- Default Expiry Time: Select how long the temporary access remains valid by default. Options include presets like One Week, after which the link will automatically expire and the user will lose access.

Save Your Settings

Adjust the roles and default behaviors to match your security requirements. Click Save Changes to apply the settings. If you want to revert your edits before saving, click Discard Changes.
- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/magic-link-login/magic-link-login/
- Docs Categories: Magic Link Login

The Magic Link feature enhances your site's security by enabling passwordless authentication. Instead of remembering complex passwords, users can log in via a secure, single-use link sent directly to their email address. This eliminates the risk of password-related vulnerabilities like brute-force attacks or credential stuffing.

How Magic Link Login Works

1. The user enters their email on the WordPress login page.
2. The system generates and sends a secure, single-use link to that email.
3. Clicking the link automatically authenticates and logs the user into the site.

For added security, these links expire after a pre-configured amount of time.

Configuration Settings

- Enable Magic Link Login: Toggle this switch to allow users to log in using secure email links.
- Link Expiration Time: Use the dropdown to define how long the magic link remains valid after being sent (e.g., 10 minutes).
- Enabled for Roles: Select specific user roles authorized to use passwordless login. You can use the Select All or Remove All buttons for quick selection. If left empty, the feature will be available for all user roles.

Security & Rate Limiting

To prevent abuse of the passwordless login system, you can configure strict security protocols for how links are requested and used.

- Rate Limiting: Set the maximum number of magic link requests allowed per email address every hour. This prevents malicious actors from spamming a user's inbox with login requests.
- IP Address Verification: When enabled, the magic link must be used from the same IP address that originally requested it. This adds a layer of protection against session hijacking.

Display Settings

Control where the magic link option appears on your site to ensure a seamless user experience.
- Show on WordPress Login: Toggle this to display the magic link option directly on the default WordPress login page (wp-login.php).
- Show on WooCommerce Login: If you are running an e-commerce store, enable this to add the magic link option to the WooCommerce "My Account" login form.
- Require CAPTCHA: To prevent bot-driven link requests, enable this to require CAPTCHA verification (using your configured reCAPTCHA or Turnstile settings) before a link is sent.

Email Customization

You can fully personalize the email users receive when they request a login link:

- Email Subject: Enter a custom subject line. Use to include your site title automatically.
- Email Template: Customize the body of the email. You must include the following placeholders for the system to function correctly:
  - {user_name}: The name of the user.
  - {site_name}: Your website name.
  - {magic_link}: The unique URL the user clicks to log in.
  - {expiry_minutes}: The time remaining before the link expires.

Shortcode Available

You can place a magic link login form anywhere on your site using this shortcode:

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/brute-force-protection/login-notifications/
- Docs Categories: Brute Force Protection

Stay informed about suspicious activity on your site with real-time alerts and activity summaries.

Activity Overview

The notification dashboard provides a quick snapshot of the last 24 hours and the past 7 days, including:

- Failed Logins: The number of incorrect password attempts.
- Lockouts: How many times users or bots were actively blocked from logging in.
- Total Events: A summary of all security-related login activity over the last week.

Configuration

- Enable Login Notifications: Toggle this switch to start receiving alerts about failed attempts and lockouts.
- Notification Email: Enter the email address where alerts should be sent. If left empty, the plugin will default to your WordPress site admin email.
- Send Test: Use the Send Test button to ensure your server's email system is correctly delivering notifications.

Real-time Alerts

Configure specific triggers to receive immediate notifications:

- Failed Login Alerts: Enable notifications for repeated failed attempts. You can set a Threshold (e.g., 3 failed attempts) to filter out common typos.
- Account Lockout Alerts: Get notified instantly whenever the Brute Force protection system locks out a user account.
- Successful Login After Failures: Receive an alert when a successful login occurs following multiple failed attempts, which may indicate a successful "password guess".
- New Location/Device Alerts: Get notified when a user logs in from an unrecognized IP address or a new browser/device.

Digest Emails

If you prefer periodic updates over instant alerts, you can schedule automated security reports:

- Daily Digest: Enable this to receive a daily summary of security activity. You can customize the specific Send at time (e.g., 09:00 AM).
- Weekly Summary: Enable this to receive a broader overview of the week's events. You can choose the specific day of the week (e.g., Monday) for delivery.

Additional Security Options

Enhance the detail and utility of your notification emails:

- Include Geolocation: Automatically shows the country, city, and region for every IP address mentioned in your notifications.
- One-Click Block: Adds a button to alert emails that allows you to instantly block an attacking IP address directly from your inbox.

Recent Activity Log

The Recent Activity section at the bottom of the page displays a live feed of login events, showing the Type (Success/Failure), User Details, IP Address, and the exact Time of the event. You can use the Refresh button to update the list or Clear History to reset the log.
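The four Real-time Alerts triggers on the Login Notifications page can be expressed as detection logic over a stream of login events. The following is an added example, not the plugin's own code: the event fields, the alert names and the 15-minute counting window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    time: datetime
    user: str
    ip: str
    device: str   # browser/OS label (hypothetical field)
    outcome: str  # "failure", "success" or "lockout"


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    ip: str


class LoginAlertEngine:
    def __init__(self, threshold=3, window=timedelta(minutes=15)):
        self.threshold = threshold            # the page's Threshold setting
        self.window = window                  # assumption: the page names no window
        self._failures = defaultdict(deque)   # user -> recent failure times
        self._alerted = set()                 # users already alerted for this burst
        self._ips = defaultdict(set)          # user -> IPs seen on successful logins
        self._devices = defaultdict(set)      # user -> devices seen on successful logins

    def _recent_failures(self, user, now):
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()                       # forget failures outside the window
        return len(q)

    def process(self, ev):
        alerts = []
        if ev.outcome == "failure":
            self._failures[ev.user].append(ev.time)
            n = self._recent_failures(ev.user, ev.time)
            if n < self.threshold:
                self._alerted.discard(ev.user)         # below threshold: likely a typo
            elif ev.user not in self._alerted:
                self._alerted.add(ev.user)             # alert once per burst
                alerts.append(Alert("failed_login_threshold", ev.user, ev.ip))
        elif ev.outcome == "lockout":
            alerts.append(Alert("account_lockout", ev.user, ev.ip))
        elif ev.outcome == "success":
            if self._recent_failures(ev.user, ev.time) >= self.threshold:
                alerts.append(Alert("success_after_failures", ev.user, ev.ip))
            has_baseline = bool(self._ips[ev.user])    # first login only sets the baseline
            if has_baseline and (ev.ip not in self._ips[ev.user]
                                 or ev.device not in self._devices[ev.user]):
                alerts.append(Alert("new_location_or_device", ev.user, ev.ip))
            self._ips[ev.user].add(ev.ip)
            self._devices[ev.user].add(ev.device)
            self._failures[ev.user].clear()
            self._alerted.discard(ev.user)
        else:
            raise ValueError(f"unknown outcome: {ev.outcome!r}")
        return alerts


def _t(hms):
    return datetime.strptime("2026-01-01 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (documentation IP ranges, invented users).
SAMPLE_EVENTS = [
    LoginEvent(_t("09:00:00"), "alice", "192.0.2.10", "Firefox/Linux", "success"),
    LoginEvent(_t("09:30:00"), "alice", "203.0.113.7", "unknown", "failure"),
    LoginEvent(_t("09:30:20"), "alice", "203.0.113.7", "unknown", "failure"),
    LoginEvent(_t("09:30:40"), "alice", "203.0.113.7", "unknown", "failure"),
    LoginEvent(_t("09:31:00"), "alice", "203.0.113.7", "unknown", "failure"),
    LoginEvent(_t("09:31:30"), "alice", "203.0.113.7", "Chrome/Android", "success"),
    LoginEvent(_t("10:00:00"), "bob", "198.51.100.5", "unknown", "failure"),
    LoginEvent(_t("10:00:30"), "bob", "198.51.100.5", "Chrome/Windows", "success"),
    LoginEvent(_t("10:05:00"), "carol", "198.51.100.9", "unknown", "lockout"),
]


def run(events, threshold=3):
    engine = LoginAlertEngine(threshold=threshold)
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        alerts.extend(engine.process(ev))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped password followed by a correct login (the constructed user bob) stays below the threshold and raises nothing, which is the filtering effect the Threshold setting is meant to provide.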
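The Magic Link Login page earlier describes links that are single-use, expire after a configured time, can be bound to the requesting IP address, and are rate-limited per email address per hour. The sketch below shows how those four properties fit together; it is an added example and not the plugin's implementation, and the class name, method names, in-memory storage and default limits are assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque


class MagicLinkStore:
    """In-memory model of magic link issuance and redemption (hypothetical)."""

    def __init__(self, expiry_seconds=600, max_requests_per_hour=3,
                 bind_ip=True, clock=time.time):
        self.expiry_seconds = expiry_seconds                # Link Expiration Time
        self.max_requests_per_hour = max_requests_per_hour  # Rate Limiting
        self.bind_ip = bind_ip                              # IP Address Verification
        self._clock = clock
        self._pending = {}                    # sha256(token) -> record
        self._requests = defaultdict(deque)   # email -> request timestamps

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not reveal usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_link(self, email, ip):
        """Return a fresh token, or None when the email is over its hourly limit."""
        email = email.strip().lower()
        now = self._clock()
        recent = self._requests[email]
        while recent and now - recent[0] >= 3600:
            recent.popleft()
        if len(recent) >= self.max_requests_per_hour:
            return None
        recent.append(now)
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = {
            "email": email,
            "ip": ip,
            "expires": now + self.expiry_seconds,
        }
        return token

    def redeem(self, token, ip):
        """Return (email, "ok") or (None, reason). Any attempt consumes the token."""
        record = self._pending.pop(self._digest(token), None)   # pop => single use
        if record is None:
            return (None, "unknown_or_used")
        if self._clock() > record["expires"]:
            return (None, "expired")
        if self.bind_ip and record["ip"] != ip:
            return (None, "ip_mismatch")
        return (record["email"], "ok")


def demo():
    """Walk through each outcome with a controllable clock and constructed values."""
    now = [1_000_000.0]
    store = MagicLinkStore(expiry_seconds=600, max_requests_per_hour=2,
                           clock=lambda: now[0])
    email, home_ip, other_ip = "user@example.test", "192.0.2.10", "203.0.113.9"
    results = []

    first = store.request_link(email, home_ip)
    results.append(store.redeem(first, home_ip)[1])     # valid link
    results.append(store.redeem(first, home_ip)[1])     # replay of the same link

    second = store.request_link(email, home_ip)
    now[0] += 601                                       # just past the 10-minute expiry
    results.append(store.redeem(second, home_ip)[1])

    third = store.request_link(email, home_ip)          # third request within the hour
    results.append("rate_limited" if third is None else "issued")

    now[0] = 1_000_000.0 + 3600                         # hourly window has rolled over
    fourth = store.request_link(email, home_ip)
    results.append(store.redeem(fourth, other_ip)[1])   # used from a different IP
    return results


if __name__ == "__main__":
    print(demo())
```

Consuming the token on a failed attempt is a design choice made here: a link presented from the wrong address is treated as exposed, and the user requests a new one.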
- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/brute-force-protection/locked-users/
- Docs Categories: Brute Force Protection

The Locked Users dashboard provides a real-time overview of all user accounts currently restricted from logging in due to repeated failed attempts. This feature is a core part of the Brute Force Protection suite, allowing administrators to monitor security threats and manually intervene when a legitimate user gets locked out.

Navigating the Locked Users Table

To access this dashboard, navigate to Ultimate Security > Brute Force Protection > Locked Users. The table displays the following critical information for every locked account:

- User: The username or email address associated with the login attempt.
- Lock Phase: Indicates the severity of the lockout (e.g., Phase 1 for temporary blocks, Phase 2 for extended bans).
- Failed Attempts: The total number of incorrect password entries recorded before the lockout occurred.
- Locked Since: The exact timestamp when the restriction was applied.
- Expires In: A countdown timer showing when the user will automatically regain access.
- Actions: Manual controls to unlock a user immediately or extend a ban.

Managing Lockouts

1. Filtering and Searching

If your site is under a heavy brute-force attack, the list can grow quickly. Use the top navigation bar to filter the view:

- All / Phase 1 / Phase 2: Filter users based on their current lockout stage.
- Search Users: Quickly find a specific user by typing their username in the search bar.

2. Bulk Actions

To manage multiple users at once:

- Select the checkboxes next to the usernames.
- Choose an option from the Select Option dropdown (e.g., "Unlock" or "Delete").
- Click Apply.

3. Manual Refresh

The dashboard does not auto-refresh to save server resources. Click the Refresh button at the top right to pull the most recent lockout data.
Pro-Tips

- Verify before unlocking: If you see a user locked out with a high number of Failed Attempts from an unrecognized username, it is likely a bot. Avoid unlocking these accounts manually.
- Phase 2 Lockouts: Users in Phase 2 have typically triggered multiple Phase 1 lockouts. If a legitimate team member reaches Phase 2, consider reviewing their password habits or checking if they have a misconfigured device trying to sync with old credentials.

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/email-blocklist/email-blocklist/
- Docs Categories: Email Blocklist

The Email Blocklist feature is designed to prevent unwanted or suspicious users and spam bots from accessing your site. By blocking specific email addresses or entire domains, you can effectively stop spam registrations, fraudulent WooCommerce orders, and unauthorized activities before they happen.

Key Capabilities

The Email Blocklist provides several layers of protection:

- Targeted Blocking: Block specific email addresses or use wildcards to block entire domains (e.g., *@spam-domain.com).
- Disposable Email Prevention: Stop spam registrations from temporary or disposable email services.
- Account Protection: Block problematic users without needing to delete their existing accounts.
- E-commerce Security: Protect WooCommerce orders from being placed using fraudulent email addresses.

How to Configure Email Blocklist

1. Navigate to Ultimate Security > Email Blocklist in your WordPress dashboard.
2. Toggle the Enable email blocklist switch to ON to activate the protection.
3. Use the + Add Emails button to manually add addresses or domains to your list.

Monitoring Blocklist Activity

The dashboard features a real-time statistics bar to help you track the effectiveness of your blocklist:

- Total Blocked: The cumulative number of emails currently restricted.
- Added Today: Shows how many new entries were added within the last 24 hours.
- Added This Week: Monitors growth in your blocklist over the current week.

Managing the Blocklist Table

Once you start adding emails, they will appear in the management table where you can view the Email address and the Date Added.

- Search & Filter: Quickly find specific entries using the Search emails... bar or filter by timeframes such as Today, Last 7 days, or This Month.
- Bulk Actions: Select multiple entries to delete or modify them simultaneously using the Bulk action dropdown.
- Import/Export: Use the Import button to upload a CSV of known spam addresses, or Export your current list for use on other websites.

Pro-Tip

- Use Wildcards Wisely: If you notice a high volume of spam coming from a specific provider, blocking the entire domain (e.g., *@example-spam.com) is much more efficient than blocking individual users one by one.

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/ai-scanner/ai-malware-scanner-overview/
- Docs Categories: AI Scanner

The AI Malware Scanner provides advanced, AI-powered security analysis for your WordPress files. Unlike traditional scanners that rely solely on static signatures, this tool uses intelligent models to identify suspicious patterns and potential zero-day threats within your themes and plugins.

Configuring Your Scan Scope

Before starting a scan, you can define exactly what the AI should analyze to save time and server resources.

- Scan Scope: Use this dropdown to choose between scanning your entire site or specific sections.
- Selected Themes: If you choose a custom scope, you can select individual themes from your library. Use Select All or Remove All for quick management.
- Selected Plugins: Similar to themes, you can isolate specific plugins for analysis. This is highly recommended after installing a new plugin from an untrusted source.

Running a Scan

Once your scope is set, click the Start Security Scan button.
[Image: scan result]

Important Note: Scanning may take several minutes depending on the total number of files on your site. The AI model meticulously analyzes each file for malware signatures and complex suspicious patterns.

Managing Scan Results & History

The right-hand sidebar allows you to track your security posture over time:

- Previous Reports: A chronological list of your most recent scans. Clicking a report ID allows you to view the detailed findings from that specific date.
- All Reports: Access a full archive of every scan ever performed on the site.
- Compare Scans: Select two different reports to see what has changed in your file system between scans.
- Manage Whitelist: If the AI flags a file you know to be safe (a false positive), you can add it to the Whitelist here so it is ignored in future scans.
- Manage Quarantine: View and restore files that were moved to the secure quarantine folder during a scan.

Advanced Settings

Click the Settings (gear icon) at the top right of the scanner interface to configure:

- Automated Scanning: Schedule the AI to run daily or weekly.
- Sensitivity Levels: Adjust how strictly the AI flags "suspicious" code patterns.
- Email Alerts: Receive a notification the moment the scanner detects a high-priority threat.

Pro-Tip

- Post-Update Scans: Always run an AI Malware Scan immediately after updating your WordPress core, themes, or plugins. This ensures that the updated files haven't been tampered with and that no new vulnerabilities have been introduced.

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/compare-scans/compare-scan/
- Docs Categories: Compare Scans

The Compare Scan Results feature is a powerful diagnostic tool that allows you to audit changes in your site’s security posture over time. By comparing a current scan against a previous baseline, you can instantly identify new vulnerabilities, verify if recent fixes were successful, and track unchanged issues.
How to Compare Scans

To access this interface, navigate to the AI Scanner dashboard and click the Compare Scans button in the right-hand sidebar.

Analyzing the Results Table

The detailed results table breaks down findings file-by-file, providing contextual AI analysis for each entry:

- File Path: The exact location of the file within your WordPress directory (e.g., wp-content/themes/...).
- Issue: A detailed, AI-generated explanation of the detected pattern. This includes analysis of security functions (like esc_html or printf) and structural code patterns that may affect site flow or security.
- Severity: A color-coded tag indicating the risk level (e.g., Info, Warning, or Critical).

Managing Navigation

If a scan results in a high number of entries, use the pagination controls at the bottom of the window to move through the reports. You can see exactly how many issues are being displayed out of the total found (e.g., "Showing 1 to 5 of 291").

Pro-Tip

- Post-Update Audits: After updating a plugin or theme, use the Compare tool to see exactly how the new code changed your security landscape. If "New Issues" appear in a trusted theme, they may simply be "Info" level code style changes, but they should always be reviewed to ensure no backdoors were introduced.

- Published: 2026-02-25
- Modified: 2026-02-25
- URL: https://docs.wpultimatesecurity.com/docs/manage-whitelist/whitelist-manager/
- Docs Categories: Manage Whitelist

Whitelist Manager allows you to exclude specific files from future security scans. This is particularly useful for handling "False Positives"—legitimate files that the AI might flag as suspicious due to complex or unconventional code patterns. Once a file is whitelisted, the AI Malware Scanner will skip it in subsequent runs, ensuring your reports stay clean and focused only on actual threats.

Managing Whitelisted Files

You can access this manager by clicking the Manage Whitelist button on the main AI Scanner dashboard.
- File List: Any files you have marked as safe from previous scan results will appear here. The table displays the File Path, a brief Issue Description (why it was originally flagged), and the date it was Whitelisted On.
- Automatic Skipping: Whitelisted files are automatically ignored by the engine during both manual and scheduled scans.
- Removing from Whitelist: If you update a file or want the AI to re-analyze it, you can remove it from this list using the Actions column. This will include the file in the next scan cycle.

How to Whitelist a File

You do not add files manually here. Instead:

1. Run an AI Malware Scan.
2. Review the detected issues in your Scan Report.
3. For any file you verify as safe, click the Whitelist option next to that specific result.

The file will then automatically appear in the Whitelist Manager.

Dashboard Controls

- Whitelisted Files Counter: Quickly see exactly how many files are currently being bypassed by the scanner.
- Refresh: Use the Refresh button to update the list if you have recently whitelisted files from a separate scan window.

Pro-Tip

- Audit Your Whitelist Regularly: It is a security best practice to review your whitelisted files after major plugin or theme updates. If a whitelisted file is modified by an attacker, it will remain invisible to the scanner. Periodically clearing your whitelist and performing a "fresh" scan ensures no malicious code is hiding in plain sight.

- Published: 2026-02-17
- Modified: 2026-03-10
- URL: https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-logs-dashboard/
- Docs Categories: Activity Logs & Monitoring, Dashboard

The activity logs give you a quick overview of what's been happening on your WordPress site. It shows you important statistics and recent events to help you monitor your site's activity.
Navigation Tabs

- Dashboard: Current view showing statistics and summaries
- All Logs: View all recorded activities
- Security Incidents: See only important security-related events

Time Period Filter

Choose how far back you want to see activity: You can change this to see different time ranges.

Statistics Overview

These boxes give you quick insights:

- Total Events: How many activities have occurred (63 in this example)
- High Severity: Number of important security events
- Unique Users: How many different people have been active
- Failed Logins: Any unsuccessful login attempts

Severity Distribution

This shows how serious the events were:

- High: Most critical events
- Medium: Moderately important events
- Low: Less critical events

Top Event Types

See what activities happen most often:

- post_created: New posts or pages added
- post_delete: Posts or pages removed
- user_login: Users logging in
- taxonomy_add: Categories or tags created
- login_success: Successful logins

Recent Critical Events

This section shows the most important recent activities:

- Plugin deactivations
- Critical setting changes
- When they happened

Activity Trend

This is a visual graph of security events over time, which gives you an idea of patterns and unusual activity spikes.

- Published: 2026-02-17
- Modified: 2026-02-17
- URL: https://docs.wpultimatesecurity.com/docs/alerts-notifications/history/
- Docs Categories: Alerts & Notifications, History

This page shows a record of all security alerts that have been sent from your WordPress site. It's like a logbook of what's been happening with your site's security.
Filtering Your Alerts

You can narrow down what you see using these filters:

- Status: Choose to see all alerts or only specific ones (like pending, sent, or failed)
- Priority: Filter by importance level (low, medium, high)
- Event Type: Focus on specific types of security events
- Date Range: Look at alerts from a specific time period

Search and Export

- Search alerts: Type keywords to find specific alerts quickly
- Reset Filters: Clear all your filter selections
- Refresh: Update the page to see the latest information
- Export: Save your alert data as CSV or JSON files for records or analysis

Alert List

The table shows detailed information about each alert:

- Created: When the security event happened
- Type: What kind of security event occurred
- Priority: How important the alert is (HIGH priority events are marked in red)
- Title: A brief description of the event (click to see more details)
- Status: Whether the alert was successfully sent
- Attempts: How many times the system tried to send the alert
- Sent At: When the alert was actually delivered
- Actions: Additional options for each alert

This history helps you track your site's security over time and understand what types of events are occurring most frequently.

- Published: 2026-02-17
- Modified: 2026-02-17
- URL: https://docs.wpultimatesecurity.com/docs/alerts-notifications/alerts-notifications/
- Docs Categories: Alerts & Notifications, Settings

This section helps you manage how you receive security alerts from your WordPress site.

Dashboard Navigation Tabs

At the top, you'll see two tabs:

- Settings: Where you configure your alert preferences
- History: View past alert activity and logs

Alert Queue Statistics

This section shows you the current status of your security alerts:

1. Pending: Alerts waiting to be sent
2. Sent: Alerts that have been successfully delivered
3. Failed: Alerts that couldn't be sent
4. Total: All alerts processed in the system

Email Notifications

This feature sends security alerts directly to your email when issues are detected:

- Toggle the switch to enable/disable email alerts
- Enter your email address
- Use the Send Test button to check if your email notifications are working

Webhook Integrations

Connect your security alerts to other services:

- Send alerts to platforms like Slack, Discord, Microsoft Teams, or custom endpoints
- Currently shows "0 configured" - meaning no webhooks are set up yet
- Click Add Webhook to connect external services

Notification Filters Settings

This page helps you choose which types of security incidents should send you alerts. You can customize exactly what notifications you want to receive.

Quick Actions

- Enable All: Turn on notifications for every security event
- Disable All: Turn off all notifications at once

Notification Types You Can Configure

Each toggle switch controls whether you receive alerts for specific events:

- Login Attacks: Get notified about repeated failed login attempts
- Blocked IPs: Alerts when IP addresses are blocked by security rules
- Brute Force Attacks: Notifications for detected brute force attack patterns
- File Changes: Alerts when core files are modified
- Plugin/Theme Updates: Get notified about available security updates
- Plugin Deactivation: Know when your security plugin is turned off
- Privilege Changes: Alerts for modified user roles or permissions
- New Admin User: Notifications when new administrator accounts are created

After making your selections, click the Save Settings button to apply your preferences. This ensures your notification configuration takes effect immediately.

This dashboard helps you stay informed about your site's security by delivering important alerts through your preferred methods.
- Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/security-incidents/ - Docs Categories: Activity Logs & Monitoring, Security Incidents Security Incidents shows you only the important security-related events on your WordPress site. This tab filters out normal site activity and shows you potential security issues that need your attention. Security Incidents Tab Click on this tab to view only security-related events, instead of all site activities. Refresh Button Click this purple button to get the latest security incident information. Incident Statistics These boxes show you at a glance: Total Active Incidents: How many security issues are currently active Critical: Most serious security problems High: Important security issues Medium: Less serious but still important issues Filters Section Use these to narrow down what incidents you see: Status: Choose to see all incidents or specific ones Severity: Filter by how serious the incidents are Bulk action: Select multiple incidents to take action on them at once Apply: Click to apply your filter settings Search Bar Use this to find specific security incidents by searching for details. What You'll See When your site has no security issues, you'll see a message saying, "No incidents detected. Your site is secure! " This is good news! Why Use Security Incidents? Focus only on important security matters Quickly see if your site has any vulnerabilities Monitor for suspicious activity Take action on multiple incidents at once The Security Incidents tab helps you stay on top of your site's security without being overwhelmed by normal site activity. - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-all-logs/ - Docs Categories: Activity Logs & Monitoring, All Logs Activity logs help you monitor and analyze security events and user activity on your WordPress site. 
This feature records everything that happens on your site, so you can see who did what and when. All Logs Tab This is the main view showing all recorded activities on your site. Refresh Button Click this purple button to get the latest activity log information. Time Filters These help you narrow down what logs you see: All: Shows all logs Today: Shows only today's activities Last 7 days: Shows activities from the past week This Month: Shows activities from the current month Severity Filter Choose to see logs with specific importance levels. Sources Filter Filter logs by where they came from. Export CSV Button Click this purple button to download your activity logs as a CSV file for record-keeping or analysis. Search Bar Use this to find specific events by searching for: Event names Messages IP addresses User information Log Table The table shows detailed information about each activity: ID: Unique identifier for the log entry Source: Where the activity came from Severity: How important the event is Date: When it happened User: Who performed the action IP: The user's IP address Browser/Platform/Device: Technical details about the user's setup Object: What was affected Event: What happened Why Use Activity Logs? Keep track of who's accessing your site Monitor for suspicious activity See when changes are made to your site Maintain a record of site events for security purposes The activity logs help you stay aware of everything happening on your WordPress site and catch potential security issues early. - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/scan-history/scan-history/ - Docs Categories: Scan History, Vulnerability Scanner The Scan History tab shows you all the security scans you've run on your WordPress site. It helps you track when you scanned your site and what the results were. Scan History Tab Click on this tab to view your past security scans instead of the dashboard overview. 
### Scan Now and Settings
The Scan Now button immediately starts scanning all files, and the Settings button lets you configure the API.

### Refresh Button
Click this purple button to get the latest scan history information.

### Previous Scans Section
This area shows your scan history with important details:
- Scan Date: When the scan was performed
- Vulnerabilities: How many security issues were found
- Items Scanned: What parts of your site were checked (plugins, themes, etc.)
- API: The scanning technology used

### Scan Entry
You'll see entries like:
- Date and time of the scan
- Number of vulnerabilities found (0 means no issues)
- What was scanned (plugins, themes, etc.)
- The scanning method used

### Why Use Scan History
- Keep track of when you last checked your site's security
- See if vulnerabilities were found in previous scans
- Monitor your site's security over time
- Compare scan results to ensure your site stays secure

The scan history helps you maintain a record of your site's security checks and ensures you're regularly protecting your WordPress installation.

- Published: 2026-02-17
- Modified: 2026-03-10
- URL: https://docs.wpultimatesecurity.com/docs/dashboard-vulnerability-scanner/vulnerability-scanner-dashboard/
- Docs Categories: Vulnerability Scanner, Dashboard

The Vulnerability Scanner helps you check your WordPress site for security issues in your plugins, themes, and WordPress core. It scans for known vulnerabilities that could make your site unsafe.

### Top Action Buttons
- Scan Now: Click this purple button to start a security scan of your entire WordPress site
- Settings: Access advanced scanner settings and preferences

### Dynamic Data
This is your main view showing an overview of your site's security status. It displays:
- Vulnerabilities Found
- Critical/High issues
- Available updates
- Abandoned items

### Search Bar
Use this to search for specific plugins or themes in your list. Just type the name you're looking for.
Filter Dropdown This helps you narrow down what you see: "All Items" shows everything You can filter to see Vulnerable, Outdated, or Abandoned items Content Tabs Plugins: View and manage all your installed plugins Themes: See your installed themes and their status WordPress Core: Check your WordPress installation status How to Use Click "Scan Now" to check your site's security Use the search bar to find specific items quickly Switch between tabs to manage different parts of your site Check the dashboard for a quick security overview The scanner helps keep your WordPress site secure by identifying potential security issues before they can be exploited. - Published: 2026-02-17 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/configure-api-key/vulnerability-scanner-settings/ - Docs Categories: Configure API Key, Configure API Key, Settings This window helps you configure the scanner. What You Can Configure: API Configuration: WPScan API Key: Get WPScan API key, and paste it into the field Patchstack API Key: Get Patchstack API key, and paste it into the field Schedule: Scan Frequency: Choose how often to scan (currently set to "Daily") Abandoned Threshold: Set how many days to check for abandoned plugins/themes Notifications: Email Notifications: Toggle ON/OFF (currently ON) Notification Email: Enter the email address to receive alerts Severity Levels: Choose which types of issues to notify about (Critical, High, Medium, Low) Buttons: Cancel: Close without saving Continue: Save your settings - Published: 2026-02-16 - Modified: 2026-03-05 - URL: https://docs.wpultimatesecurity.com/docs/error-notifications/error-notifications/ - Docs Categories: Monitor & Diagnostics, Error Notifications This page helps you set up how you want to get alerts when something goes wrong with your website. 
- Notification Email: You can choose which email address gets error messages.
- Send Test Email: Click the "Send Test" button to check if your email notifications work. Remember to check your spam folder if you don't see the test email.
- Slack Channel: You can send error alerts to a Slack channel. The channel must already exist in your Slack workspace.
- Slack Webhook URL: This is a special link that connects your website to Slack.
- Send Test Message: Click "Send Slack" to test if your Slack notifications work.
- Error Levels To Notify: These are different types of errors your site might have. You can turn each type ON or OFF using the toggle switches.

- Published: 2026-02-16
- Modified: 2026-02-16
- URL: https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/site-health/
- Docs Categories: Monitor & Diagnostics

The Site Health page is like a doctor’s report for your website. It shows you exactly how your site is built and if it is running smoothly. If you ever need to ask a professional for help, all the information they need is right here.

### The Action Buttons
At the top of the page, you have three main tools:
- Copy site info: This copies all your technical details so you can easily paste them into an email for support.
- Refresh: This updates the page to show the most recent information.
- Export: This saves a copy of all this information to your computer.

### The Information Tabs
There are six different "folders" of information you can look through:

1. WordPress
   This shows your site’s "ID card." It tells you which version of WordPress you are using (like 6.9) and if your site is using a "secure lock" (HTTPS). If you see "HTTPS is not enabled," you should fix this to keep your site safe.
2. Environment
   This shows details about the computer (server) where your website lives.
   - PHP Version: This is the main "engine" version your site runs on.
   - Memory Limit: This shows how much "brain power" your site is allowed to use.
   - WP_DEBUG: If this says "Enabled" with a red warning, it might show technical errors to your visitors. It is usually safer to have this "Disabled".
3. Database
   This is the "filing cabinet" where all your posts, pages, and settings are stored. It lists the technical names and versions of your database so experts can see how it is organized.
4. Filesystem
   This section checks the "drawers" on your server to make sure WordPress is allowed to save and move files. It shows where your plugins, themes, and images are kept on the computer.
5. Themes
   This lists the different designs (Themes) you have installed.
   - Active: The design you are currently using for your site.
   - Inactive: Other designs you have downloaded but are not using right now.
6. Plugins
   This shows the extra "tools" (Plugins) you have added to your site, like Ultimate Security. It tells you if they are Active and which version you are using.

- Published: 2026-02-16
- Modified: 2026-02-16
- URL: https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/test-mode/
- Docs Categories: Monitor & Diagnostics, Test Mode

This page helps you test your security settings without actually blocking real users.

- Enable Test Mode: When ON, it simulates security features without really blocking anyone.
- User Roles: You can choose which user types to test with. Each has its own toggle switch:
  - Administrator (always active)
  - Editor
  - Author
  - Contributor
  - Subscriber
- Safety Options:
  - Always exclude administrators (recommended) - keeps you safe from being blocked
  - Log simulated blocks to activity logs - keeps records of test runs
  - Show test mode notice in admin dashboard - reminds you it's in test mode
- Simulation Statistics: Shows how many test blocks happened. You can "Refresh Stats" or "Clear All Logs".
  - Today: 0
  - This Week: 0
  - This Month: 0
  - Total: 0
- Recent Simulations: Shows your test results. Right now it says: "No simulation logs yet. Enable test mode and wait for security events to be simulated."

- Published: 2026-02-16
- Modified: 2026-02-16
- URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/comments-management/
- Docs Categories: Maintenance & Tools

### Global Comments
This section lets you decide where people are allowed to leave comments.
- What it does: You can turn off comments for your whole website or just for specific types of pages.
- How to use it: Use the dropdown menu to choose if you want to disable comments everywhere or only on certain parts of your site.

### Select Post Types
If you chose to turn off comments on "certain post types," this is where you pick them.
- What it does: You can flip the switch for Posts, Pages, Media (like images), or Products.
- Why use it: Sometimes you want people to comment on your blog posts, but not on your "Contact Us" page or product images.

### Comment Settings (The Spam Blockers)
Spammers love to leave links to other websites. These settings stop them.
- Remove "url" in the comment form: This hides the box where people normally type their website address. If they can't put their link, they usually won't leave a spam comment.
- Remove external links in the comments: If a spammer does leave a link, this tool will strip it out.
- Replace external links from author bio: This stops people from using their profile name to advertise other websites.

### Cleaning Up Old Comments
The bottom sections are for deleting comments that are already there.
- Remove All Comments: Use this to wipe the slate clean and delete every single comment on your site.
- Remove Spam Comments: This deletes comments that WordPress has already flagged as "Spam."
- Remove Unapproved Comments: This clears out comments waiting for you to say "Yes" or "No" to them.
- Remove Trashed Comments: This empties the "Trash" bin for your comments, like taking the garbage out to the curb.

Always click the purple Save Changes button at the very bottom left after you make a choice. If you don't, the plugin won't remember what you picked!
- Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/backup-restore/ - Docs Categories: Maintenance & Tools Backup Settings This section lets you save your current settings into a file that lives on your computer. What it does: It turns all your switches and buttons into a special file (called a JSON file). Select sections to export: You can choose exactly what to save. You can check boxes for things like Login Settings, Security Settings, or Access Restrictions. Download Backup: When you click this purple button, the file downloads to your computer. Copy: This button lets you copy the settings as text if you just want to paste them somewhere else. Restore Settings If you move to a new website or accidentally mess up your settings, use this area to fix it. What it does: It takes a file you saved earlier and puts all those settings back onto your site. How to use it: You can Drag & drop your saved file into the gray box, or click Select JSON File to find it on your computer. Import Settings: Once the file is uploaded, click this to turn the settings on. - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/security-tools/ - Docs Categories: Maintenance & Tools REST API Methods The REST API uses four main types of messages to manage your website's data: GET (The "Reader"): This is used when your site wants to read or look at information. It’s like opening a book to see what is written inside. POST (The "Creator"): This is used to add or create something new. It’s like writing a brand-new page and adding it to your book. PUT (The "Editor"): This is used to update or fix something that is already there. It’s like taking an eraser to a mistake and writing the correct information over it. DELETE (The "Eraser"): This is used to remove information. It’s like ripping a page out of the book and throwing it away. 
What the Status Colors Mean Active (Green): The "door" is open, and your website can use this method to talk to other apps. Inactive (Red): The "door" is locked. This might be for safety, but sometimes it can stop certain features from working. Server Resources This part shows you how hard your website's "brain" is working. Memory Limit: This is the total amount of "thinking space" your website has (for example, 256M). Current Usage: This shows how much of that space you are using right now. If the green bar gets too full, your site might slow down. Max Execution Time: This is the amount of time (in seconds) your site is allowed to work on a single task before it gives up. Copy & Print: You can use these buttons to save this information if you ever need to show it to a tech expert for help. Scheduled Tasks This is the "To-Do List" for your security plugin. Event Name: This is the name of the specific job the plugin needs to do, like checking your files for changes or sending alerts. Schedule: This tells you how often the job happens (for example, "every minute" or "hourly"). Next Run: This shows a countdown of when the job will start again. Actions (Run Button): If you don't want to wait for the timer, you can click the Run button to make the plugin do that task immediately. You don't usually need to change anything here. This page is mostly for checking that everything is working exactly as it should! - Published: 2026-02-16 - Modified: 2026-03-31 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/advanced-settings/ - Docs Categories: Maintenance & Tools Data Management Welcome to the Advanced Settings page of the Ultimate Security plugin. This page contains important technical options that help you customize how the security plugin works on your WordPress site. This section controls what happens to your plugin data when you uninstall the plugin. 
### Delete Plugin Data on Uninstall
When enabled, this option removes all plugin settings, logs, and database tables when you uninstall the plugin. Toggle the switch to enable or disable this feature.

This action cannot be undone. Once you uninstall the plugin with this option enabled, all data will be permanently deleted.

### Emergency Access
This is a crucial safety feature that helps you regain access to your site if you get locked out. Press "Regenerate URL" and save this URL in a safe place. You'll need it if you ever get locked out. This special URL allows you to deactivate the plugin if you're locked out (for example, if you forgot your custom login URL or IP restrictions blocked you).

### Reset & Cache
If the plugin isn’t behaving as expected or you’ve made too many changes and want to start over, use these tools.
- Reset to Defaults: This button instantly reverts every setting in the plugin back to its original "out-of-the-box" state. Use this if you’ve misconfigured a setting and aren't sure how to fix it.
- Clear Cache: Sometimes, old "cached" data can cause the dashboard to show outdated information. Clicking this refreshes the plugin's internal temporary data without changing your actual security settings.

Quick Tip: Before using the Reset to Defaults or Delete plugin data options, it is always a good idea to have a recent backup of your website just in case.

- Published: 2026-02-16
- Modified: 2026-02-16
- URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/database-cleanup/
- Docs Categories: Maintenance & Tools

### Database Stats
At the top, you'll see four important numbers:
- Total Database Size: How big your database is (right now it shows 0 B)
- Total Records: How many things are stored in your database (right now it shows 0)
- 30-Day Growth Estimate: How much your database might grow in 30 days
- Avg. Daily Records: How many new things are added each day

### Overview Tab
This is the main dashboard that shows you:
- Your total database size
- How many records (items) are in your database
- How your database is growing
- Average daily records being added

### Turn On Automatic Cleanup
You'll see two toggle switches:
- Enable Automatic Cleanup - This automatically removes old, unnecessary data from your database
- Enable Archiving Before Deletion - This saves a copy of data before removing it (good for safety)

Both are turned ON by default, which is usually best for most websites.

### Clean Up Your Database
In the "Database Cleanup" section, you can:
- Select which tables (parts of your database) to clean
- Delete old records that you don't need anymore

Right now, it shows "No log tables found" which means your database is already clean!

### Retention Policies Tab
This tab helps you control how long data stays in your database.

What It Does:
- Configure Retention Periods: You can set how many days to keep records in each part of your database
- Save Retention Policies: Click this blue button to save your settings

Why This Matters:
- Keeping your database clean means your website runs faster
- You can choose how long to keep different types of data
- This helps prevent your database from getting too big and slow

### Archives Tab
This tab shows you archived records - data that has been saved before being deleted.

What You'll See:
- Archived Records: Any data that was archived (saved) before cleanup
- Right now it shows "No archives found" which means your database is clean!

Why Archives Are Good:
- They act like a backup before data gets deleted
- You can review what was removed if needed
- Makes cleanup safer because you can always restore archived data

### History Tab
This tab keeps track of all the cleanup activities.
What It Shows: Cleanup History: A log of everything the plugin has cleaned up Right now it shows "No cleanup history found" which means the plugin hasn't done any cleanups yet, or it's a new installation Why History Is Helpful: You can see what was cleaned and when Helps you track how your database is being maintained Good for troubleshooting if something goes wrong Important Tips: Always save your changes by clicking "Save Changes" at the bottom If you make a mistake, you can "Discard Changes" to go back Start with the default settings if you're not sure what to do These features help keep your website fast and secure! Important Notes Automatic cleanup helps keep your site running fast Archiving before deletion is like making a backup before cleaning - it's safer You can always turn these features off if you prefer to clean your database manually Click "Save Changes" to keep your settings, or "Discard Changes" to go back to how things were - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/self-defense/ - Docs Categories: Maintenance & Tools This feature keeps your security plugin safe from being turned off by bad people. Enable Self Defense: When this is ON (green), it means: No one can turn off your security plugin If someone tries to turn it off, they'll need to prove who they are first Your website stays protected File Integrity Monitoring This feature watches your security plugin files to make sure no one changes them. Enable file integrity checks: When this is ON (green), it means: The plugin checks if any files have been changed If someone tries to mess with your plugin code, you'll get an alert Your security stays strong and trustworthy Deactivation Alerts This feature tells you when someone tries to turn off your security plugin. 
Send alerts on deactivation: When this is ON (green), it means:
- You'll get a message if someone tries to turn off your security
- Alerts can come to your email or other places you set up
- You'll know right away if something suspicious happens

### Important Warning
If you ever need to turn off this security plugin (maybe to fix something), remember:
- You can use the "Emergency Access URL" from the Advanced Settings page
- Or you'll need to prove it's really you trying to turn it off

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/content-protection/keyboard-shortcut/
- Docs Categories: Content Protection, Site Hardening

Keyboard Shortcut Protection blocks the keyboard shortcuts used to access developer tools or save your website content.

### Disable Developer Tools
This blocks keyboard shortcuts like F12, Ctrl+Shift+I, and Ctrl+Shift+J that people use to open browser developer tools. This prevents visitors from inspecting your website's code.

### Disable View Source
This blocks the Ctrl+U shortcut that allows visitors to view the HTML source code of your pages.

### Disable Save Page
This blocks the Ctrl+S shortcut that lets visitors save your entire webpage.

### Disable Print
This blocks the Ctrl+P shortcut and hides the print option for your website content.

Use the Save or Discard button to apply changes.

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/overview/
- Docs Categories: Login & Authentication, Two-Factor Authentication

Two-factor authentication (2FA) is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery codes.

Navigate to Ultimate Security > Login Authentication

### 2FA Security Status
At the top of the page, you will find three key metrics:
- Security Status: Indicates the 2FA system is active and working correctly.
- Active Methods: See your 2FA options here.
  Click 'Compare method' to see a table at the bottom that explains the differences between each method.
- User Adoption: Tracks how many users on your site have actually set up 2FA for their account.

### Quick Actions
This section provides shortcuts to manage your two-factor authentication settings:
- Test 2FA: Verify your current setup by clicking here. You will be taken to a dashboard where you can choose to test either email or an authenticator app.
- Setup Wizard: Follow a guided flow to configure 2FA. You can select email OTP or an authenticator app. The wizard walks you through Level -> Method -> Roles -> Review steps before leading you to the final configuration page.
- View User Status: See which users on your site currently have 2FA enabled.
- Audit Logs: Review a history of authentication events and activities.

### Authentication Methods
This section helps you compare the two available security methods to decide which one to use.
- Email Verification: This method is easy to set up and does not require any extra applications.
- Authenticator App (Recommended): This option is very secure and easy to use. It requires a smartphone.

You can view the security rating, pros, and cons for each method. To start setting up a method, click the Configure button.

- Published: 2026-02-15
- Modified: 2026-05-20
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/email-otp/
- Docs Categories: Login & Authentication, Two-Factor Authentication

This page lets you set up email verification. When turned on, users will get a one-time code in their email every time they log in.

Enable the Verification toggle switch to activate the feature.

### Enable for Roles
This setting allows you to choose which user groups are required to use email 2FA. You may choose to disable this for regular subscribers to avoid friction during simple logins, unless your site deals with sensitive user data.
NB: Click "Save Changes" to apply the settings, or "Discard Changes" to drop them.

### Next Steps for Users
Once you have enabled this feature on this page:
1. Go to WordPress Dashboard → Users → Profile.
2. Scroll down and find the Ultimate Security section.
3. Select Email as the 2FA method.
4. Click the Send OTP button to receive a verification code in your email.
5. Enter the code in the box. Once you submit the OTP, you will get a "Verified" mark.
6. Click "Save Settings" to apply.
7. Finally, click the "Update Profile" button at the very end to start 2FA.

If you want to start from the beginning, there is a Reset 2FA Settings option to wipe out the current settings.

Please keep the following in mind:
- To be able to receive emails, the site owner must set up an email SMTP service on the given WordPress site.
- Email delivery is not always instant. Network issues or server load can cause delays, making the verification code expire before the user finds it.
- If a hacker has already compromised a user's email password, they can access the 2FA code, rendering this layer of security ineffective.
- Occasionally, verification codes can be flagged as spam and end up in the user's junk folder.

### Test Your Setup
After completing the configuration, verify that email OTP is working before your users start logging in.
1. Log out of your WordPress site.
2. Go to the login page and enter your username and password.
3. Check if the OTP verification screen appears after submitting.
4. Open your email inbox and enter the code in the verification field.
5. If you reach the dashboard, the setup is working correctly.

- Published: 2026-02-15
- Modified: 2026-04-22
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/authentication-apps/
- Docs Categories: Login & Authentication, Two-Factor Authentication

Use this page to set up your Authenticator app. These apps provide the strongest security because they work without internet or phone signal.
For extra protection, your login code changes every 30 seconds.

### Authenticator Applications
This switch enables or disables two-factor authentication.

### Enable for Roles
This setting allows you to select which user roles are allowed to use the Authenticator App.

### Advanced Settings
This section allows you to select the algorithm used to generate your OTP. You can choose between two options:
- TOTP (Time-Based): This is the most common algorithm and is used by virtually all authenticators. It generates a new verification code every 30 seconds based on the current time.
- HOTP (Event-Based): This option generates codes based on a counter. The code only changes when an event occurs (like a login attempt), rather than based on the time.

### XML-RPC
XML-RPC is a feature in WordPress that allows external services to communicate with your site remotely. You will see a dropdown menu with two specific options. This setting decides if 2FA is required when these external services try to connect.
- Option 1: Do not require 2FA over XMLRPC (default). External tools and mobile apps can connect to your site using just a username and password. They will not be asked for a 2FA code.
- Option 2: Do require 2FA over XMLRPC. Any connection attempt via XML-RPC (including mobile apps) must provide a valid two-factor authentication code in addition to the password.

Note: Only enable this requirement if you are sure your external apps support Two-Factor Authentication, or if you do not use external apps to manage your site.

### Encrypt Keys in Database
This feature locks your security codes inside the database to keep them hidden. It adds an extra layer of protection so that even if a hacker gets into your database, they cannot see or steal your login secrets.

Note: Once you enable this feature, it cannot be disabled. However, it is completely safe to keep it enabled.
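The TOTP and HOTP options described under Advanced Settings, worked through as an added example (this is not the plugin's code): HOTP per RFC 4226 and TOTP per RFC 6238, with server-side verification that tolerates clock drift and rejects a replayed code. The Base32 key encoding, the one-step drift window, the look-ahead of 3, and all function and class names are assumptions for illustration; the secret is the published RFC test key.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification."""
import base64
import hashlib
import hmac
import struct

# Constructed sample input: the published RFC 4226 / RFC 6238 test secret.
RFC_TEST_SECRET = b"12345678901234567890"


def decode_private_key(key: str) -> bytes:
    """Decode a manually entered key. Base32 is assumed here because that is
    what authenticator apps accept; spaces and lower case are tolerated."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that was stripped
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code: HMAC-SHA1 over an 8-byte counter, then truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP whose counter is the number of elapsed steps."""
    return hotp(secret, int(unix_time) // step, digits)


def _well_formed(code: str, digits: int) -> bool:
    return len(code) == digits and code.isascii() and code.isdigit()


class TotpVerifier:
    """Accepts codes from the current step +/- drift_steps, each step once."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1,
                 digits: int = 6):
        self.secret, self.step = secret, step
        self.drift_steps, self.digits = drift_steps, digits
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, unix_time: float) -> bool:
        if not _well_formed(code, self.digits):
            return False
        current = int(unix_time) // self.step
        first = max(0, current - self.drift_steps)
        for candidate in range(first, current + self.drift_steps + 1):
            if candidate <= self.last_step:
                continue  # already used: a captured code cannot be replayed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_step = candidate
                return True
        return False


class HotpVerifier:
    """Accepts the next counter value or a few ahead, then moves past it."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 3,
                 digits: int = 6):
        self.secret, self.counter = secret, counter
        self.look_ahead, self.digits = look_ahead, digits

    def verify(self, code: str) -> bool:
        if not _well_formed(code, self.digits):
            return False
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1  # earlier codes are now dead
                return True
        return False


if __name__ == "__main__":
    key = decode_private_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("HOTP counter 0:", hotp(key, 0))
    print("TOTP at t=59  :", totp(key, 59))
    verifier = TotpVerifier(key)
    print("first use :", verifier.verify(totp(key, 59), 59))
    print("replay    :", verifier.verify(totp(key, 59), 59))
```

With HOTP the server has to persist the counter between logins, while TOTP only needs the last accepted time step and a reasonably accurate server clock.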
Important Notice: For the highest level of security, we strongly recommend using the Authentication App method (if available) instead of Email OTP. Authentication apps generate codes offline on your device, are immune to email delays, and are virtually impossible to intercept remotely.

### Prerequisites

Before you begin the setup, please download one of the following recommended authenticator apps on your mobile device:

- Google Authenticator: iOS App Store | Google Play Store
- Microsoft Authenticator: iOS App Store | Google Play Store
- 2FAS Authenticator (Open Source): Official Website

### How to activate 2FA from WordPress Profile

Once you have downloaded the authenticator app, follow the process below:

1. Go to your WordPress Dashboard > Users > Profile page.
2. Scroll down and find the Ultimate Security section.
3. Select the Authenticator Application method.
4. Click Setup.
5. Scan the provided QR code with your preferred mobile app to finish the connection.

Use Reset 2FA Method settings to restore all settings.

### How to Use the Private Key

While scanning the QR code is the recommended and quickest method to set up your authenticator app, the private key provides an alternative manual entry option. If you're unable to scan the QR code (for example, if you're setting up authentication on a different device or experiencing camera issues), you can:

1. Click the copy icon next to the private key field to copy the entire key to your clipboard.
2. Open your authenticator application on your device.
3. Select the option to manually enter a key or add an account manually.
4. Paste or type the private key into the provided field.
5. Complete the setup process in your authenticator app.

### Resetting Your Private Key

If you need to reset your private key (for example, if you've accidentally shared it, suspect it's been compromised, or are having trouble setting up your authenticator app), click the Reset Private Key button located below the private key field.
Important: Resetting your private key will:

- Generate a completely new private key
- Invalidate the previous key immediately
- Require you to reconfigure your authenticator app with the new key
- Update the QR code to reflect the new key

After resetting, you'll need to either scan the new QR code or manually enter the new private key into your authenticator application to continue using two-factor authentication.

### What Happens After 2FA Is Enabled

Once you finish the setup, the next time you (or any user with 2FA enabled) log in to WordPress, the login process will have an extra step. What you will see:

1. Enter your username and password as usual on the WordPress login page.
2. After submitting, a second screen will appear asking for your 6-digit verification code.
3. Open your authenticator app (Google Authenticator, Microsoft Authenticator, or 2FAS) on your phone.
4. Find the code for your site and enter it on the login screen.
5. Click Verify, and you are in.

The code refreshes every 30 seconds, so make sure you enter it before it expires.

- Published: 2026-02-15
- Modified: 2026-06-23
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/custom-login-url/
- Docs Categories: Login & Authentication, Login Hardening

This page helps you protect your website by hiding your login page. By changing the address of your login page, you can stop automated robots and hackers from finding it.

### Login Page URL

Below, you will see the login page URL field. This displays the default address for your login page. In the text box, you can change the default login URL and create a new private entrance.

### Old Login Page Redirect

This option lets you redirect anyone who tries to access the default WordPress login page URL. The default setting is 404. If a bot or hacker tries the old default link, they will receive a "Page Not Found" error.
You can also add a custom URL in the box to redirect them to another link.

### Show a Consent Message

This option lets you show a custom message in the login form. This feature has a toggle switch. Next to it, there is a text box containing a default message. This is the text that users will see when they reach your login page. You can type a custom message or welcome message here.

### Login Gate (HTTP Auth)

Login Gate acts as a "security checkpoint" before you even reach your WordPress login screen. It requires a browser-level username and password. This is highly effective because most automated hacking bots aren't programmed to handle this extra layer, so they get blocked before they can even try to guess your WordPress password.

#### Credentials

Before you turn the gate on, you must set your access keys and enable the toggle.

- Set Credentials: Click the Set credentials button to choose the username and password you will use for this first "checkpoint."
- HTTPS Requirement: For security, this should only be used if your site has an SSL certificate (HTTPS), as your credentials are sent with each request.
- Realm Name: You can change the "Realm shown in the browser auth dialog" (e.g., "Restricted Area"). This is the message users will see in the browser popup.

#### Protecting Your Paths

Enable the toggle switch. The Ultimate Security plugin automatically identifies the most vulnerable areas to protect:

- WordPress Admin: Protects the /wp-admin/ folder.
- Default Login URL: You can toggle a switch to also protect the /wp-login.php file.
- Status: A green badge will indicate when these areas are successfully covered by HTTP Auth.

To prevent someone from trying to guess your "Gate" password, you can configure these limits:

- Failed attempts before lockout: Set how many times someone can get the password wrong before being temporarily blocked (e.g., 10 attempts).
- Lockout duration: Decide how long they are blocked (e.g., 15 minutes).
- Trusted IP addresses: If you have a static IP address for your office or home, add it here. The Login Gate will "recognize" you and let you through without asking for the extra password.

Note for Beginners: Passwords for the Login Gate are stored as bcrypt hashes, which means they are highly secure and cannot be recovered if lost. Keep them in a safe place.

### Emergency Access

Use this Emergency Access link if you ever get locked out of your account. Keep it private and store it somewhere safe.

1. Click the Generate Key button. The plugin will create a secret link just for you.
2. Click the Copy button to save the deactivation link to your clipboard, or the eye button to view the existing link.

Important Reminder:

- Bookmark your new custom login URL or write it down.
- Save the plugin's Emergency Access URL for temporary deactivation.
- At the bottom of the section, save changes to apply.

- Published: 2026-02-15
- Modified: 2026-05-23
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/password-requirements/
- Docs Categories: Login & Authentication, Login Hardening

This setting allows you to set rules for passwords on your website. By enforcing these rules, you make sure that all users create strong, hard-to-guess passwords.

### Enable Password Policies

You will see the main option labeled "Enable password policies." This is the switch for this entire page. If you turn this off, none of the password rules below will apply to your users.

### Quick Presets

Below the main switch, you will see a row of tabs labeled "Quick presets." These are shortcuts to quickly set how strict you want the password rules to be. The available tabs are:

- Basic: Sets simple, easy-to-follow rules.
- Strong: Sets stricter rules for better security.
- Enterprise: Sets the highest level of security for professional environments.

NB: Clicking one of these tabs automatically fills in the settings below (like length and character types) to match that level of security.
### Minimum Length

Under the presets, you will find the setting for "Minimum length." This controls how many characters a password must have. You can adjust the number (e.g., 8, 12, 16) to make passwords shorter or longer.

### Require Uppercase & Lowercase

Next, there is a checkbox labeled "Require uppercase & lowercase." It means users cannot use all lowercase letters. They must mix in capital letters.

### Require Numbers

Below that, there is a checkbox labeled "Require numbers." It means users must include at least one number in their password.

### Require Special Characters

Finally, there is a checkbox labeled "Require special characters." What this means: Users must include at least one special symbol (like !, @, #, $, or %) in their password.

### Exclude Characters

Located right below the "Require special characters" option, you will see an input box. While you force users to use special characters, you might want to ban specific ones that cause technical problems or are hard to type. If you type characters into this box (like " '), users will not be allowed to use those specific symbols in their passwords.

### Password History

Next, you will see the setting for "Password history." This is set to 1 by default. This stops users from reusing their old passwords. A setting of "1" means a user cannot reuse their most recent password. They must pick a new one. If you set it to "5," they couldn't reuse their last 5 passwords.

### Expiration Period

Below that, there is an option labeled "Expiration period." This makes users pick a new password after a certain amount of time. Setting it to "0" (zero) means passwords never expire. Users can keep their password forever. If you want them to change it every 3 months, or even every year, enter the number here (for example, "3") and select month or year next to the box.

### Warning Days

Next to the expiration setting, you will see "Warning days." If you have an expiration period set, this setting warns the user before their password runs out.
Setting any number means the user will receive a notice before their password expires, reminding them to update it.

### Grace Period

Below the warning days, there is the "Grace period" setting. This gives users a few extra chances to log in after their password has technically expired. Setting any number means the user can still log in for that number of days after the expiration date. During this time, the site will usually force them to pick a new password immediately. After the days are over, they are locked out completely.

### Email Notification

You will see a toggle switch labeled "Email notification." The system will automatically send emails to users regarding their password. This ensures users get notified about upcoming expirations or required changes without you having to tell them manually.

### First Login Reset

At the bottom of this section, there is a toggle labeled "First login reset." This is useful for new accounts. When you create a new user and they log in for the very first time, the system will force them to change their password immediately. This ensures that only the actual user knows their password, not the admin who created the account.

### Disable Self-Service Reset

You will see a toggle switch labeled "Disable self-service reset." Normally, users can click a "Lost your password?" link to reset their own password via email. By turning this on, you are disabling that feature. This is useful for high-security sites where you want to personally verify who is asking for a password reset. It prevents hackers from trying to take over accounts by using the reset tool.

### Custom Reset Message

Below the toggle, there is a text box labeled "Custom reset message." The box currently contains the text "Contact site administrator to reset your password." What this means: Since the standard reset link is now hidden, this is the message users will see instead. You can type any instructions you want here.
For example, you could provide an email address telling users exactly how to reach you to get their password fixed.

### Custom Reset URL

Next, there is an input field labeled "Custom reset URL." What this means: If you have created a specific custom page or form on your website for users to request help, you can paste that link here. If you do not have a custom page, you can leave this as is. If you enter a URL, the system might redirect users to that specific page when they try to reset their password.

### Refuse Compromised Passwords

This feature checks user passwords against a massive database of known leaked credentials in real time. If a user tries to use a compromised password during registration, profile updates, or a password reset, the system instantly blocks it and forces them to choose a safer alternative. It uses the trusted Have I Been Pwned database to automatically reject passwords that hackers already know from past data breaches.

#### What the User Sees

When a user attempts to set a password that exists in the data breach database, the plugin injects a real-time warning box. The system explicitly states exactly how many times the chosen password has appeared in public data leaks. This visually proves to the user why their password is safe to reject.

### Save or Discard Changes

At the very bottom of the page, you will see buttons to control your settings.

- Published: 2026-02-15
- Modified: 2026-06-23
- URL: https://docs.wpultimatesecurity.com/docs/login-authentication/settings/
- Docs Categories: Login & Authentication, Session Management

The Session Management module gives you total control over active user logins on your website. By hardening your security settings here, you prevent account sharing, stop unauthorized session hijacking, and ensure that inactive users are safely logged out. Below is a detailed explanation of every feature available in this section.
### Enable Session Security

Turning this switch on activates all the underlying protections you configure below. If this is turned off, the entire module is disabled, and none of the session security features, cookie rules, or limits will apply to your site.

### Cookie Hardening

When a user logs into WordPress, the site places small data files called "cookies" in their browser to remember them. If a hacker steals these cookies, they can log in as that user without needing a password. Cookie hardening blocks the most common ways hackers try to steal these files.

#### HttpOnly Cookies

It prevents web browser scripts (like JavaScript) from reading or accessing your authentication cookies. It stops a malicious script from grabbing a user's session data during a Cross-Site Scripting (XSS) attack.

#### Secure Cookies

This forces the browser to only send login cookies over secure, encrypted connections. It stops hackers from sniffing out and stealing session data when users are on unsecured networks, like public coffee shop Wi-Fi.

Note: This feature only works if your website has an active SSL certificate (HTTPS).

#### SameSite Attribute

It controls whether cookies are sent along with requests originating from third-party websites. You can choose between Strict, Lax, or None from the dropdown menu. It protects your site from Cross-Site Request Forgery (CSRF) attacks, where an external malicious site tries to trick an authenticated user's browser into performing actions on your site. Lax is the recommended default for most WordPress sites, offering excellent protection without breaking normal user navigation.

### Session Binding

Session Binding links a user's active login session to the unique identity of their specific device or browser fingerprint. If a hacker steals a session token but tries to use it from a different device, the system detects the mismatch and blocks them instantly.
#### Enable Session Binding

The main switch that locks each active login to the unique browser fingerprint that originally created it. If the fingerprint changes mid-session, the session is invalidated immediately.

#### Bind to IP Address

It ties the user's active session to their specific internet connection (IP address). If the IP address changes, the user is logged out. You should disable this if your users complain about being logged out too frequently. This often happens to users browsing on mobile data networks or using VPNs, where IP addresses shift constantly.

#### Bind to User-Agent

It ties the active session to the specific web browser and operating system (the User-Agent string) the user used to log in. If a user logs in via Google Chrome on a Mac, and the session suddenly switches to Firefox on Windows, the system recognizes a potential hack and terminates the session. It has a very low false-alarm rate and is safe for almost all sites to use.

### Concurrent Session Limits

These features limit how many times a single user account can be logged in simultaneously across different devices, which heavily reduces your attack surface and stops unauthorized account sharing.

#### Maximum Active Sessions

It specifies the maximum number of concurrent active logins a single user account can have open at one time. If set to 12, a user can be logged in on 12 different devices at once. Setting it to 0 allows unlimited active sessions. For optimal security, change this to 2 or 3 (e.g., one laptop, one phone, one office desktop).

#### Over-Limit Action

This determines exactly what happens when a user attempts a new login but has already reached their maximum active sessions limit.

- Block new login: A strict security approach that completely stops the user from logging in on the new device until they manually log out from an older one.
- Destroy oldest: A user-friendly approach that automatically logs out the oldest active device session to make room for the new login.
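
How the binding and limit settings described above interact is easier to see in code, so here is an added example that models them; it is not the plugin's implementation. The class, the option strings `block_new_login` and `destroy_oldest`, the HMAC-based fingerprint and all sample addresses and User-Agent strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    fingerprint: bytes
    created_at: int


class SessionStore:
    """Toy model of session binding and concurrent session limits."""

    def __init__(self, key: bytes, max_sessions: int = 2,
                 over_limit: str = "block_new_login",
                 bind_ip: bool = False, bind_user_agent: bool = True):
        self.key = key                    # server-side secret for the HMAC
        self.max_sessions = max_sessions  # 0 means unlimited, as on the page
        self.over_limit = over_limit      # hypothetical option strings
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent
        self.sessions: Dict[str, Session] = {}

    def _fingerprint(self, ip: str, user_agent: str) -> bytes:
        # Only the attributes that are switched on take part in the binding.
        parts = []
        if self.bind_user_agent:
            parts.append("ua=" + user_agent)
        if self.bind_ip:
            parts.append("ip=" + ip)
        return hmac.new(self.key, "\n".join(parts).encode(),
                        hashlib.sha256).digest()

    def login(self, user: str, ip: str, user_agent: str,
              now: int) -> Tuple[Optional[str], Optional[str]]:
        """Return (new_token, evicted_token); new_token is None if blocked."""
        active = sorted((t for t, s in self.sessions.items() if s.user == user),
                        key=lambda t: self.sessions[t].created_at)
        evicted = None
        if self.max_sessions and len(active) >= self.max_sessions:
            if self.over_limit == "block_new_login":
                return None, None
            evicted = active[0]           # destroy_oldest
            del self.sessions[evicted]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self._fingerprint(ip, user_agent),
                                       now)
        return token, evicted

    def validate(self, token: str, ip: str, user_agent: str) -> bool:
        """Check a request against its binding; a mismatch kills the session."""
        session = self.sessions.get(token)
        if session is None:
            return False
        if not hmac.compare_digest(session.fingerprint,
                                   self._fingerprint(ip, user_agent)):
            del self.sessions[token]
            return False
        return True


# Constructed sample values (documentation IP ranges, shortened User-Agents).
UA_MAC = "Mozilla/5.0 (Macintosh) Chrome/126"
UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Firefox/127"

if __name__ == "__main__":
    store = SessionStore(b"constructed-demo-key", over_limit="destroy_oldest")
    token, _ = store.login("alice", "203.0.113.10", UA_MAC, now=100)
    print("new IP, same browser:", store.validate(token, "198.51.100.7", UA_MAC))
    print("stolen token, other browser:",
          store.validate(token, "203.0.113.10", UA_WIN))
```

With IP binding off, a roaming user keeps the session while a replayed token from a different browser is destroyed on first use, which is the trade-off the Bind to IP Address setting describes.
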
### Session Limit Message

Specify a custom message to be shown on the default login page whenever a login is blocked due to a user exceeding their active session limit. You can customize this text using the following dynamic placeholder variables to display live numbers to the user:

- {max_sessions}: Displays the maximum number of allowed active sessions configured on your site.
- {current_sessions}: Displays the number of active sessions the user currently has open.

Note: This configuration only applies when the Over-Limit Action is set to "Block new login."

### Exempt Administrators

It allows site administrators to completely bypass session limits, session binding rules, and idle timeouts. This serves as an essential safety net. It ensures that you, the site owner, won't accidentally lock yourself out of your own dashboard if you are working across multiple devices or switching internet networks.

### Idle Timeout (seconds)

This setting automatically destroys a login session and logs the user out if they have been inactive on your site for the specified number of seconds. Setting it to 0 disables the timeout entirely. Set this to 1800 seconds (which equals 30 minutes). This keeps your site highly secure if a user leaves their computer unattended, without annoying them with constant logouts.

Click the Save Changes button to save and immediately apply all the configuration changes, or the Discard Changes button to reset all the settings.

- Published: 2026-02-15
- Modified: 2026-06-21
- URL: https://docs.wpultimatesecurity.com/docs/bot-protection/google-recaptcha/
- Docs Categories: Threat Protection, Bot Protection

This section helps you block bots from spamming your website's forms. You can choose exactly which default WordPress forms you want to protect from brute force attacks, automated spam, and bot registrations. To manage these settings, navigate to Threat Protection > Bot Protection > Google reCAPTCHA in your Ultimate Security Settings.
### Default WordPress Forms

You can customize your security coverage by toggling protection for individual forms based on your site's specific vulnerabilities. Simply flip the switches next to the forms you wish to shield from automated traffic.

- Enable (Master Toggle): Use this global toggle to quickly turn reCAPTCHA protection ON or OFF across all selected default WordPress forms simultaneously.
- WordPress Login: Toggle this on to add reCAPTCHA protection to your standard WordPress login page (wp-login.php). This stops automated brute-force credential stuffing.
- WordPress Register: Enable this to secure your user registration page. This is crucial for preventing malicious bots from creating thousands of fake user accounts on your site.
- WordPress Reset Password: Toggle this on to protect the "Lost your password?" form, preventing bots from spamming your users with automated password reset emails.
- WordPress Comment: Enable this to deploy reCAPTCHA on your standard WordPress comment sections, effectively blocking automated comment spam and trackbacks.

### WooCommerce Forms

This setting enables reCAPTCHA across your WooCommerce store pages. You can turn on protection for all forms at once and then choose to enable it for specific, individual pages depending on your store's security needs. To set up this protection, follow these steps:

1. Navigate to the Settings: Locate the "WooCommerce Forms" section.
2. Enable Master Control: Toggle the main "Enable" switch to activate reCAPTCHA for all WooCommerce forms simultaneously.
3. Choose Specific Forms: If you prefer to enable protection for individual pages only, you can toggle the switches for the following forms:
   - WooCommerce Login: Protects your customer login page.
   - WooCommerce Register: Secures the account registration process.
   - WooCommerce Lost Password: Adds security to the password recovery page.
   - WooCommerce Checkout: Helps prevent fraudulent activity during the checkout process.
### reCAPTCHA Version

You can choose between two versions of this method:

- v2: Usually shows the familiar "I'm not a robot" checkbox.
- v3: Works silently in the background without bothering your users unless it detects suspicious behavior.

### Enter Your Keys (Site Key & Secret Key)

To make these features work, you need two special codes from Google.

- Site Key: This is a public code that goes into your website's form.
- Secret Key: This is a private code that stays on your server (in the plugin settings).

Click the Verify & Save Keys button to validate your entered keys with Google to ensure the connection is active. If you need to change your credentials, you can click the Reset Keys button to clear the current entries and start over. Once the keys are verified, you will notice a Green Badge indicating "Verified."

How to fill this out: You will need to get these keys for free from the Google reCAPTCHA website. Once you have them, copy and paste the "Site Key" into the first box. Copy and paste the "Secret Key" into the second box.

### General Settings

The General Settings section allows you to customize how the reCAPTCHA widget looks and behaves on your website. You can customize these options as follows:

- Error Messages: You can set custom text for when verification fails or when there is an issue connecting to the server. Default messages are pre-filled for your convenience.
- reCAPTCHA Field Title: Enter the label text you want displayed above the reCAPTCHA widget on your forms (e.g., "Verify you are human").
- Visual Appearance:
  - reCAPTCHA Theme: Select either "Light" or "Dark" to match your website's design.
  - reCAPTCHA Size: Choose the display size of the widget, either "Normal" or "Compact".
- Disable Submit Button: Use this toggle to enable or disable the submit button until the reCAPTCHA verification is complete.
- reCAPTCHA V3 Score Threshold: Set the minimum score required to pass verification. The range is from 0.1 (most permissive) to 1.0 (most strict), with a default of 0.5.
Google recommends starting with the default value of 0.5.

### Whitelist Settings

Whitelist settings allow you to bypass reCAPTCHA verification for trusted entities, ensuring a seamless user experience for your team, loyal customers, or specific automated integrations without compromising your site's overall security. You can exclude specific users, network configurations, or browsers from seeing the reCAPTCHA challenges.

#### Whitelist Configuration Options

- Logged In Users: Toggle this switch to instantly bypass reCAPTCHA challenges for any user who is already authenticated and logged into your WordPress site. This prevents internal team members or registered subscribers from being repeatedly interrupted by security checks.
- IP Addresses: Enter trusted IP addresses into the text field (press Enter after each one to separate them). Input one IP address per line. Note that wildcards are not supported. Any visitor accessing your site from these specific IP addresses will bypass the reCAPTCHA challenge entirely, which is ideal for pinning office networks or dedicated developer IPs.
- User Agents: Enter specific browser or bot User Agent strings into this field, entering one per line. Visitors or web scrapers utilizing matching User Agents will not be prompted with the reCAPTCHA challenge. This is highly useful for allowing trusted internal tools, specific APIs, or search crawlers to access forms smoothly.

### reCAPTCHA Logs

The reCAPTCHA logging feature allows you to monitor and audit Google reCAPTCHA verification attempts across your website forms. It acts as an essential debugging tool if users report submission errors or if you suspect API authentication failures.

#### Debug Log Settings

- Enable reCAPTCHA Logs: Toggle this switch to activate or deactivate the logging system. When enabled, WP Ultimate Security will begin recording validation request payloads, server responses, and failure statuses.
- Recent Activity: This real-time console displays a chronological feed of recent reCAPTCHA verification attempts. If no form submissions have occurred since activating the logs, it will display a "No logs found." message.
- Refresh Button: Click the purple Refresh button on the right side of the screen to manually pull the latest validation events and update the data log view instantly without having to reload the entire WordPress admin dashboard.

Note: Once you are happy with your settings, scroll to the bottom and click the blue button that says Save Changes. If you made a mistake and want to go back to how things were before you started editing, click Discard Changes.

### How to Check if it's Working

After you click Save Changes, it's a good idea to make sure the protection is active on your site. Follow these two simple steps:

#### Step 1: Open your site in a "Private" window

Since you are already logged in as an Admin, the security check might not show up for you. To see what your visitors see:

1. Open a new Incognito or Private window in your browser (usually by pressing Ctrl + Shift + N).
2. Go to your website's admin login page.
3. Look for the Google reCAPTCHA box (or the small blue badge in the bottom corner of your screen).

#### Step 2: Try to log in without the check

To make sure the shield is actually blocking bots:

1. Type in a random username and password.
2. Do not click the "I'm not a robot" box.
3. Click the Login button.

Your website should stop you and show a message like "Please complete the CAPTCHA" or "Security check failed." If you see that message, congratulations! Your site is now protected from automated bots.

- Published: 2026-02-15
- Modified: 2026-06-21
- URL: https://docs.wpultimatesecurity.com/docs/bot-protection/cloudflare-turnstile/
- Docs Categories: Bot Protection, Threat Protection

Cloudflare Turnstile is a smart, privacy-focused alternative to traditional CAPTCHAs.
It helps keep bots away from your website forms while ensuring your real visitors have a smooth, frustration-free experience.

### Default WordPress Forms

You can choose exactly where you want to add this layer of protection. Under the Default WordPress Forms section, you will see a list of key areas on your site that are prime targets for automated spam bots. You can toggle the switch next to each form to enable protection:

- Master Toggle: Use the primary "Enable" switch to turn Cloudflare Turnstile protection on or off for all default WordPress forms simultaneously.
- Individual Form Protection: You can also toggle protection for specific forms individually, depending on your security needs:
  - WordPress Login: Enable this to protect your login page.
  - WordPress Register: Toggle this to secure your user registration process.
  - WordPress Reset Password: Enable this to add protection to the password reset flow.
  - WordPress Comment: Toggle this to stop spam in your website's comment section.

### WooCommerce Forms

If you are running an e-commerce store, protecting your checkout and account pages is essential. The Cloudflare Turnstile integration allows you to add an extra layer of security to your WooCommerce-specific forms, ensuring that only genuine customers can interact with your store. You have full flexibility in how you apply this security. You can manage these settings using the WooCommerce Forms section:

- Master Switch: Use the top "Enable" toggle to quickly turn protection on or off for all WooCommerce forms at once.
- Individual Control: If you prefer to protect only specific areas, you can use the individual toggles to enable or disable Turnstile for:
  - WooCommerce Login: Protects customer account access.
  - WooCommerce Register: Prevents fake customer account creation.
  - WooCommerce Lost Password: Secures the account recovery process.
  - WooCommerce Checkout: Adds a vital security step to your purchase process to stop bot activity.
### Enter Your Keys (Site Key & Secret Key)

To activate Cloudflare Turnstile on your WordPress site, you must connect the plugin to your Cloudflare account using two specific keys. These keys act as a secure bridge that allows our plugin to communicate with Cloudflare's verification service. Get your keys from the Cloudflare Dashboard. You have to log in to get these keys.

#### How to Add and Verify Your Keys

1. Obtain Your Keys: If you do not already have them, click the Cloudflare Dashboard link provided under the input fields to generate your unique Site Key and Secret Key.
2. Enter Keys: Copy and paste your Site Key and Secret Key into their respective fields.
3. Verify & Save: Once both keys are entered, click the Verify & Save Keys button. The system will confirm the connection, and the status label will update from "Not verified" to indicate your keys are active.
4. Reset: If you ever need to change your keys, you can click the Reset Keys button to clear the current entries and start the process again.

Once the keys are verified, you will notice a Green Badge indicating "Verified."

### General Settings

These settings control how the Turnstile check looks and works on your site.

- Theme: You can choose between "Light" and "Dark" themes. Pick the one that matches your website's look.
- Language: You can let the plugin automatically detect the language, or you can choose a specific language for the Turnstile check.
- Disable Submit Button: This option can stop people from submitting a form until they pass the security check. It's usually a good idea to leave this set to "Enable."

### Advanced Settings

These are for more experienced users, but you can still use them.

- Widget Size: Choose the size of the security check.
- Appearance Mode: Choose when the security check appears. "Always" means it will always be there.
- Defer Scripts: This can make your website load faster. It's usually best to leave this set to "Enable."
- Custom Error Message: If someone fails the security check, you can show them a special message. The default is "Please verify that you are human."
- Extra Failure Message: Add another message if the check fails. It's usually best to leave this set to "Disable."

### Whitelist Settings

This lets certain people skip the security check.

- Logged In Users: If you "Enable" this, people who are logged into your website won't see the security check.
- IP Addresses: You can add IP addresses here. If you add an IP address, anyone using that address won't see the security check.
- User Agents: You can add "User Agents" here. This is like a browser's name. If you add a User Agent, anyone using that browser won't see the check.

### Turnstile Logs

If you "Enable" this, the plugin will keep a record of when the security check is used.

Don't forget to click the "Save Changes" button at the bottom of the page.

### How to Check if it's Working

After you click Save Changes, it's a good idea to make sure the protection is active on your site. Follow these two simple steps:

#### Open your site in a "Private" window

Since you are already logged in as an "admin", the security check might not show up for you. To see what your visitors see:

1. Open a new Incognito or Private window in your browser (usually by pressing Ctrl + Shift + N).
2. Go to your website's admin login page.
3. Look for the Cloudflare Turnstile box in the login form.

If you see that check, your site is now protected with Turnstile.

- Published: 2026-02-15
- Modified: 2026-05-05
- URL: https://docs.wpultimatesecurity.com/docs/brute-force-protection/login-attempts/
- Docs Categories: Brute Force Protection, Threat Protection

This setting helps you stop automated robots from guessing your password.

### Login Limit

This is the main switch that activates the protection.

### Login Attempts

This tells the plugin how many times someone is allowed to type the wrong password. If someone guesses wrong 4 (the default) times, we immediately block them.

### Lockout Duration

This is how long the person is "put in timeout" after guessing wrong too many times. They will have to wait a certain time before they can try again.

### Increase Login attempts

If the same person gets locked out in hours, the plugin decides they are a serious threat and gets tougher.

- Increase Lockout Duration: Once they are marked as a serious threat, we increase the lockout time in hours after the first lockout.

### Retries Reset Duration

Sometimes a real user just forgets their password. This setting tells the plugin: if they haven't tried to log in for a particular hour, forget about their past mistakes and let them start fresh.

### Block Users

Stop a specific person from logging into your website. In the input box, type the exact username of the person you want to block.

- Select All: Click this if you want to highlight every user currently on your blocked list at the same time.
- Remove All: Click this to clear the entire list and unblock everyone.

### Recovery URL

Use this link if you ever get locked out of your account. Please keep it private and store it somewhere safe offline.

Follow these steps:

1. Generate Key: Click the Generate Key button. The plugin will create a secret link just for you.
2. Copy: Click the Copy button to save that link to your clipboard.
3. Save It Somewhere Safe: If you get locked out, this is the only way you can get back in to manage your site. Keep it private and do not share it with anyone.

Once you have these settings how you like them, click Save Changes.

- Published: 2026-02-15
- Modified: 2026-02-17
- URL: https://docs.wpultimatesecurity.com/docs/brute-force-protection/lockout-notifications/
- Docs Categories: Brute Force Protection, Threat Protection

### Lockout Notifications

The switch controls the configuration setting.

### Notification Email

Enter the email address where you want to receive these alerts. After you type your email, click the "send text" button. It will send a test email to make sure everything is working correctly.
Check the Spam folder if it's not found in the inbox.

### Notify On

- User Lockout: Sends an email when someone is blocked for trying the wrong password too many times.
- Extended Lockout: Sends an email when a persistent hacker is blocked for a long time (usually because they kept trying to break in).
- Recovery URL Used: Sends an email if someone uses the secret "Emergency Unlock Key."

### Email Rate Limit

If your site is under attack, you might get hundreds of alerts in a few minutes. This setting stops that. It limits the emails to 10 (default) per hour. This way, you stay informed, but your inbox doesn't get completely clogged up.

Once you have your email address set and your choices made, click Save Changes at the bottom of the page.

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/content-protection/text-protection/
- Docs Categories: Content Protection, Site Hardening

This feature helps protect the text content on your website from being copied by visitors.

- Disable Right-Click: This stops visitors from right-clicking on your site. This prevents them from copying your text or saving your images.
- Disable Text Selection: This stops visitors from selecting text on your pages by highlighting it, making it impossible to copy text.
- Disable Copy (Ctrl+C): This blocks the standard keyboard shortcut (Ctrl+C on Windows or Command+C on Mac) that people use to copy selected text.
- Disable Cut (Ctrl+X): This blocks the standard keyboard shortcut (Ctrl+X on Windows or Command+X on Mac) that people use to cut selected text.

Use the Save or Discard button to apply changes.

- Published: 2026-02-15
- Modified: 2026-04-22
- URL: https://docs.wpultimatesecurity.com/docs/security-hardening/security-hardening/
- Docs Categories: Security Hardening, Site Hardening

This section helps make your WordPress website more secure by adjusting important security settings.
Think of it like adding extra locks and security features to protect your website from potential threats.

### Progress Tracking

The number at the top shows how many security features you've turned on out of the total available.

### Navigation Tabs

You can switch between different security categories using the tabs:

- Access & Identity: User login and account security
- Files & Directories: Protecting your website files
- Headers & Fingerprinting: Hiding technical information
- APIs & Remote Access: Controlling external connections
- Frontend & Features: Website appearance and functionality

### Access & Identity

This section helps protect user accounts and login processes:

- Disable "Anyone can register": Prevents random people from creating accounts on your site
- Prevent login feedback: Stops giving hints about whether a username or email exists
- Disable user enumeration: Makes it harder for attackers to discover user accounts
- Block common usernames: Prevents using easy-to-guess usernames like "admin" or "root"
- Force unique display names: Ensures all users have different names
- Hide Admin Bar from Frontend: Removes the admin toolbar from the public part of your site
- Hide Admin Bar from Backend: Removes the admin toolbar from the dashboard

### Files & Directories

This section helps protect your website's files and folders:

- Disable the built-in file editors: Turns off WordPress's built-in code editor, which prevents people from editing your files directly through the dashboard
- Prevent code execution in Uploads folder: Stops malicious code from running in your uploads folder
- Disable directory browsing: Prevents visitors from seeing a list of files in your folders
- Block Sensitive Files: Protects important configuration files from being accessed

### Headers & Fingerprinting

This section helps hide technical information about your website:

- Hide your WordPress version: Prevents showing which version of WordPress you're using
- Unset X Powered by header: Removes information about what software powers your site
- Hide CSS File Version: Hides version numbers in your CSS files
- Hide JS File Version: Hides version numbers in your JavaScript files
- Strict Content Security Policy on the frontend and login screen: This is an advanced security setting that might affect how your site works

### API & Remote Access

This section helps protect your website from unauthorized external connections:

- Disable XML-RPC: Controls a feature that allows external systems to connect to your site
- Disable REST API for guests: Restricts access to the API for people who aren't logged in
- Disable Trackbacks & Pingbacks: Turns off notifications between websites
- Remove RSD Link: Hides a technical link used by some blogging tools
- Remove WLW Manifest Link: Hides a link used by Windows Live Writer
- Remove Shortlink: Hides a special short URL for your posts

### Frontend & Features Options

This section helps optimize and secure how your website appears to visitors:

- Turns off special icons used in WordPress
- Disable WordPress Emojis: Stops emoji support on your site
- Remove RSS Feed Links: Hides links to your RSS feeds
- Add Featured Image to RSS Feed: Includes your post images in RSS feeds
- Disable Embeds in Widgets: Prevents embedding content in widgets
- Enable Shortcodes in Widgets: Allows using shortcodes in widgets
- Disable RSS Feed: Turns off your website's RSS feed completely

- Published: 2026-02-15
- Modified: 2026-02-16
- URL: https://docs.wpultimatesecurity.com/docs/update-manager/update-history/
- Docs Categories: Update Manager

This dashboard shows you a record of all updates that have been made to your WordPress website. It helps you keep track of what's been updated, when, and whether those updates were successful.

### Update Statistics (Last 30 Days)

At the top of the page, you'll see five important numbers:

- Total Updates: Shows how many updates were attempted in the last 30 days
- Successful: Shows how many updates completed without problems
- Failed: Shows how many updates didn't work properly
- Auto Updates: Shows how many updates happened automatically
- Manual Updates: Shows how many updates you or someone else did manually

### Filter Options

You can use the dropdown menus to filter what you see:

- All Types: Filter by plugins, themes, or WordPress core
- All Statuses: Show only successful, failed, or all updates
- All Update Types: Show auto or manual updates

### Action Buttons

- Refresh: Click this to get the latest update information
- Export CSV: Download this data as a spreadsheet file
- Clear Old: Remove old update records (use carefully!)

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/site-hardening/theme-updates/
- Docs Categories: Site Hardening, Update Manager

Themes are the visual designs and layouts of your website - they control how your site looks and feels to visitors. Just like plugins, themes need regular updates to stay secure and work properly.

### Theme Updates Section

This page helps you manage updates for your website's themes (the visual designs).

### Filter Tabs

You can filter themes by their status:

- All: Shows every theme
- Active: Shows only themes currently being used
- Inactive: Shows themes that aren't active
- Update Available: Shows themes that need updates

### Search and Refresh

- Search themes: Find specific themes quickly
- Refresh: Get the latest update information

### Theme Control Options

For each theme, you can control:

- Disable Updates:
  - Turn OFF to stop this theme from updating automatically
  - Turn ON to allow automatic updates
- Auto-Updates:
  - Green means updates happen automatically
  - Gray means you need to update manually
- Translation Updates:
  - Green means translation files update automatically
  - Gray means you need to update translations manually
- Hide Theme: Hide the theme from your dashboard (advanced option)

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/site-hardening/plugin-updates/
- Docs Categories: Site Hardening, Update Manager

This page helps you control how your website updates itself. Updates are important because they:

- Fix security issues
- Add new features
- Keep your site running smoothly

### Plugin Updates Section

This specific section shows updates for the plugins (extra features) installed on your website.

### Filter Tabs

You can filter plugins by their status:

- All: Shows every plugin
- Active: Shows only plugins that are currently working
- Inactive: Shows plugins that are turned off
- Update Available: Shows plugins that need updates
- Abandoned: Shows plugins that aren't maintained anymore

### Search and Refresh

- Search plugins: Find specific plugins quickly
- Refresh: Get the latest update information

### Plugin List

Your page shows two security plugins:

- Ultimate Security (version 1.0.17)
- Ultimate Security Pro (version 1.0.4)

### Plugin Control Options

For each plugin, you can control:

- Disable Updates:
  - Turn OFF to stop this plugin from updating automatically
  - Turn ON to allow automatic updates
- Auto-Updates:
  - Green means updates happen automatically
  - Gray means you need to update manually
- Translation Updates:
  - Green means translation files update automatically
  - Gray means you need to update translations manually
- Hide Plugin: Hide the plugin from your dashboard (advanced option)

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/api-data-privacy/api-data-privacy/
- Docs Categories: API & Data Privacy, Site Hardening

API (Application Programming Interface) privacy helps protect your website by hiding information that WordPress normally shows to the public. Think of it like putting curtains on your windows - it keeps prying eyes from seeing what's inside.

### Enable API Privacy

This toggle turns API privacy ON or OFF.

- When ON: Your website hides sensitive information from outsiders
- When OFF: Your website shows more information (less secure)

### User-Agent & URL Behavior

This setting controls how your website handles web addresses (URLs) in API requests.

### Options

These are extra privacy protections you can enable:

- Strip WordPress version information from User-Agent
  - What it does: Hides which version of WordPress you're using
  - Why helpful: Hackers can't target known vulnerabilities in your specific WordPress version
- Strip external plugins from API calls
  - What it does: Hides information about plugins you've installed
  - Why helpful: Prevents hackers from knowing which plugins might have security issues
- Strip external themes from API calls
  - What it does: Hides information about your website's theme
  - Why helpful: Stops hackers from targeting theme-specific vulnerabilities
- Modify data sent to core update API
  - What it does: Changes how update information is sent
  - Why helpful: Adds an extra layer of security during updates
- Strip wp_blog and wp_install headers
  - What it does: Removes identifying headers from your site
  - Why helpful: Makes it harder for attackers to gather information about your site
- Strip user login info from JSON API
  - What it does: Hides user login details in API responses
  - Why helpful: Protects your users' login information

### Debug Settings

- Disable HTTPS for packet sniffing
  - What it does: Temporarily turns off secure connections (only for testing)
  - Important: Should only be used by advanced users during testing
  - Warning: Not for regular use - it makes your site less secure

- Save Changes: Applies all your privacy settings
- Discard Changes: Ignores any changes you've made

- Published: 2026-02-15
- Modified: 2026-06-04
- URL: https://docs.wpultimatesecurity.com/docs/security-keys/wordpress-security-keys/
- Docs Categories: Security Keys

WordPress Security Keys and Salts are cryptographic tokens that secure your site’s authentication cookies and password encryption. This feature helps you manage, monitor, and automate the rotation of these keys to protect your site against session hijacking and brute-force attacks.

### Current Salt Keys

The Current Salt Keys panel provides a visual breakdown of the eight unique cryptographic strings currently active on your website. These keys are automatically read directly from your site's wp-config.php file.

Each of the eight standard WordPress keys features an automated security assessment badge:

- The 8 Keys Managed: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.
- Cryptographic Strength Badge: Next to each key name, a percentage badge indicates its structural complexity (e.g., 70%, 80%, or 90%). These badges are color-coded (Green for high strength, Purple for moderate/acceptable strength) to give you an instant health check on your site's encryption.

#### Action Buttons

Four action buttons at the top right allow you to safely manage your active keys:

- Hide/Show Keys: Toggles the visibility of the raw key values on your screen.
- Mask Values: Partially replaces the middle of each key with bullet points (••••••••). This lets you safely verify the start and end patterns without exposing the full string to onlookers or screen recorders.
- Copy All: Copies all eight active keys to your clipboard with a single click.
- Download Backup: Downloads a secure backup file of your current keys. Always use this before regenerating new salts for a quick recovery point.

### Automatic Salt Key Rotation

WordPress uses a set of security keys and salts to encrypt data stored in user cookies (like keeping you logged in). Periodically changing, or "rotating," these keys enhances your site's security by instantly invalidating all active sessions. This feature allows you to automate the entire process, ensuring your site stays hardened without manual intervention.

If you haven't enabled a schedule, the status card will show rotation is off.

#### Scheduled Change

Follow these simple steps to automate your salt key rotation:

1. Toggle the switch next to Scheduled Change to enable it. (If you ever need to pause automatic rotation, simply click this switch again to turn it off).
2. Choose the Frequency: Select how often you want the keys to change (e.g., Daily, Weekly, Monthly, Biannually) from the dropdown menu.
3. Pick a Time: Set the exact time you want the change to happen. It is smart to pick a time when your website gets the least amount of traffic.

#### Do Not Rotate During

If you want to absolutely guarantee that the system never changes keys during your busiest work hours, you can set up a blackout window.

1. Flip the Do Not Rotate During toggle switch to On.
2. Set the Hours: Choose the start and end times when you want to block updates (for example, between 09:00 and 18:00).
3. Select the Days: Check the boxes for the days of the week you want this rule to apply (like Monday through Friday).

If an update is supposed to happen during these hours, the system will safely skip it so your users stay logged in and uninterrupted.

### Reminders and Notifications

This section allows you to control how you want to be notified about salt key changes and gives you tools to pause schedules or change your keys instantly. Staying informed ensures you are never caught off guard when a session logout occurs.

- Manual Salt Key Reminder: Turn this on to get a reminder on your WordPress dashboard if your keys haven't been changed in a while. Note: You can choose how long to wait before seeing this reminder by adjusting the Manual Reminder Interval dropdown (e.g., 7 days).
- Notification After Change: Turn this on to receive an email notification the moment an automatic salt key rotation successfully takes place.
- Pre-Change Notification: Turn this on if you want an advance warning before a scheduled change happens. You can select exactly how early you want the alert (e.g., 24 hours before) from the dropdown menu. This gives you time to prepare or skip the rotation if needed.
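
What a scheduled rotation over the eight keys involves, as an added example (not the plugin's code): it audits a wp-config.php for missing, placeholder, short or reused values, skips the run inside a "Do Not Rotate During" window, and rewrites the file through a temporary file and rename. The function names, the 64-character alphabet and the window semantics (exclusive end, overnight windows owned by their starting day) are assumptions.

```python
import os
import re
import secrets
import string
import tempfile
from datetime import datetime, time

# The eight constants named on this page.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
KEY_LENGTH = 64  # assumption for this example
# Assumption: no quotes or backslashes, so a value needs no PHP escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"

# Matches define( 'NAME', 'value' ); with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")

# Constructed sample: a fresh install that still holds the placeholder values.
SAMPLE_CONFIG = (
    "<?php\ndefine( 'DB_NAME', 'example_db' );\n"
    + "".join("define( '%s', '%s' );\n" % (n, PLACEHOLDER) for n in SALT_NAMES)
    + "require_once ABSPATH . 'wp-settings.php';\n")


def audit_salts(config_text):
    """Return {name: problem} for keys that are missing, placeholder, short or reused."""
    found = {m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text)}
    problems, seen = {}, {}
    for name in SALT_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < KEY_LENGTH:
            problems[name] = "short"
        elif value in seen:
            problems[name] = "same value as " + seen[value]
        else:
            seen[value] = name
    return problems


def in_blackout(now, start, end, weekdays):
    """True if `now` is inside the window; weekdays are weekday() numbers (Monday is 0)."""
    t = now.time()
    if start <= end:
        return now.weekday() in weekdays and start <= t < end
    if t >= start:  # evening part of a window that wraps past midnight
        return now.weekday() in weekdays
    return t < end and (now.weekday() - 1) % 7 in weekdays


def rotate_salts(path, now, blackout=None):
    """Rotate all eight values in place; return "skipped" or "rotated"."""
    if blackout and in_blackout(now, *blackout):
        return "skipped"  # nothing is written, so nobody is logged out
    with open(path, encoding="utf-8", newline="") as fh:
        text = fh.read()
    fresh = {n: "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
             for n in SALT_NAMES}
    replaced = set()

    def swap(match):
        name = match["name"]
        if name not in fresh:
            return match.group(0)  # DB_NAME and other defines stay untouched
        replaced.add(name)
        return "define( '%s', '%s' );" % (name, fresh[name])

    new_text = DEFINE_RE.sub(swap, text)
    missing = sorted(set(SALT_NAMES) - replaced)
    if missing:  # refuse to write a partly rotated file
        raise ValueError("not defined in %s: %s" % (path, ", ".join(missing)))

    # Write a sibling temp file, flush it to disk, then rename it over the
    # original so a crash never leaves a truncated wp-config.php behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
            fh.write(new_text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, os.stat(path).st_mode & 0o777)  # mkstemp creates 0600
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return "rotated"


if __name__ == "__main__":
    print(audit_salts(SAMPLE_CONFIG))  # every key is reported as "placeholder"
```

Because the rename swaps the whole file at once, a reader of wp-config.php sees either the old eight values or the new eight, never a mix.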

### Manual Controls and History Logs

This section provides advanced tools to manually manage your salt key schedule, view historical data, or trigger an immediate security refresh.

#### Manual Reminder Interval

The Manual Reminder Interval acts as a security safety net for your website. It controls how many days the system waits after your last salt key change before showing a reminder notification on your WordPress dashboard. Click the dropdown menu to choose exactly how long you want to wait between a key change and the next reminder notification.

#### Pause Schedule

There are times when you need to stop scheduled rotations, such as during critical website maintenance, database migrations, or live product launches, to prevent users from being logged out unexpectedly.

- What it does: Temporarily stops automatic key changes
- When to use: During website maintenance or when you're moving your site to a new server
- How it works: Click this button to pause automatic updates until you're ready to resume
- Pause Until: Temporarily halts your automated salt rotation schedule to prevent background updates from interrupting your active maintenance work.
- Skip Next: Skips only the single, upcoming scheduled rotation date. Your regular automation timeline will automatically resume normally right after that skipped date passes.

#### Salt Change History

Keeping track of when your security configurations change is essential for maintaining a clear security audit trail. Click the View History button to open a detailed log of all past salt key changes. This allows you to verify that automated rotations are running successfully on schedule and track any manual changes.

- What it shows: A detailed log of all your security key changes
- Why it's useful: Lets you see when keys were changed and track your security updates
- How to access: Click the "View History" button to see all past changes

#### Immediate Change

If your website experiences a security scare, or if you suspect unauthorized access, you do not have to wait for the next scheduled update. Click the Regenerate Salt Keys button to instantly generate entirely new security keys and salts.

- What it does: Changes your security keys right away, without waiting for the schedule
- When to use: If you're concerned about security and want immediate protection
- How to use: Click the "Regenerate Salt Keys" button
- Important note: After clicking, all logged-in users will need to log in again

### Frequently Asked Questions

#### Who gets logged out when salt keys change?

All users will be logged out immediately, including administrators. This is a security feature - it ensures that any potentially compromised sessions are invalidated.

#### Will changing salt keys break anything?

No, changing salt keys will not break your website. Users will simply need to log in again. All functionality remains unchanged.

#### How often should I change salt keys?

Security experts recommend changing salt keys every 3–6 months for optimal security. You should also change them immediately after a suspected security breach, when removing a user's access, or after any staff changes.

#### What happens during the regeneration process?

The plugin fetches new random keys from the WordPress API (or generates them locally if unavailable), updates your wp-config.php file atomically, and then forces a page reload to apply the changes.

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/content-protection/display-settings/
- Docs Categories: Content Protection, Site Hardening

You can customize the message when visitors try to do something that is blocked.

### Notification Type

You can select from the drop-down menu how visitors will be notified when they try to do something blocked.

- "Alert Popup" shows a browser popup message
- "Toast" shows a subtle notification at the bottom of the screen
- "Silent" blocks the action without any message

### Custom Messages

You can set specific messages for:

- Right-Click Message
- Copy Blocked Message
- Keyboard shortcut Message

### Mobile Protection

You can enable two mobile-specific protections:

- Disable Mobile Long-Press - Prevents the long-press menu that appears on mobile devices
- Disable Touch Callout (iOS) - Disables the iOS touch callout menu that appears on images and links

This section helps you control both what visitors see when protection is triggered and how your protection works on mobile devices.

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/content-protection/image-protection/
- Docs Categories: Content Protection, Site Hardening

This helps you stop people from stealing the images on your website. It makes it much harder for visitors to save your original work to their devices.

- Disable Image Right-Click: This prevents visitors from right-clicking on your images, which stops them from accessing the "Save Image As" option.
- Disable Image Dragging: Stop visitors from dragging your images to their device. This makes it impossible for them to save your pictures just by pulling them off the page.
- Image Overlay Protection: This adds an "invisible shield" over your photos. If a user tries to find another way to download the image, they will end up with a blank photo.
- Hotlink Protection: "Hotlinking" is when another website displays your images by linking directly to your server. This feature blocks other sites from using your images.

Use the Save or Discard button to apply changes.

- Published: 2026-02-15
- Modified: 2026-02-15
- URL: https://docs.wpultimatesecurity.com/docs/content-protection/content-protection-overview/
- Docs Categories: Content Protection, Site Hardening

The Content Protection Overview page helps you protect your website's content from being copied by visitors.

- Enable Content Protection: This main toggle turns the entire content protection feature on or off. It prevents visitors from copying your text, images, and other content.
- Protection Scope: You can choose to protect either your entire website ("Whole Site") or only specific pages ("Specific Pages").
- Protect WooCommerce Product: This toggle specifically protects your store's product pages. Add categories to protect specific product categories.
- Custom URLs Patterns: You can add custom URL patterns to protect specific sections of your site that aren't covered by the other options.
- Exclude User Roles: You can choose which user roles should be able to bypass the content protection (administrators are always excluded by default).

Use the Save or Discard button to apply changes.

- Published: 2026-01-28
- Modified: 2026-02-18
- URL: https://docs.wpultimatesecurity.com/docs/how-it-works/monitoring-diagnostics/
- Docs Categories: How It Works?

### Site Health

The Site Health page is like a doctor’s report for your website. It shows you exactly how your site is built and if it is running smoothly. If you ever need to ask a professional for help, all the information they need is right here.

#### The Action Buttons

At the top of the page, you have three main tools:

- Copy site info: This copies all your technical details so you can easily paste them into an email for support.
- Refresh: This updates the page to show the most recent information.
- Export: This saves a copy of all this information to your computer.

#### The Information Tabs

There are six different "folders" of information you can look through:

1. WordPress: This shows your site’s "ID card." It tells you which version of WordPress you are using (like 6.9) and if your site is using a "secure lock" (HTTPS). If you see "HTTPS is not enabled," you should fix this to keep your site safe.
2. Environment: This shows details about the computer (server) where your website lives.
   - PHP Version: This is the main "engine" version your site runs on.
   - Memory Limit: This shows how much "brain power" your site is allowed to use.
   - WP_DEBUG: If this says "Enabled" with a red warning, it might show technical errors to your visitors. It is usually safer to have this "Disabled".
3. Database: This is the "filing cabinet" where all your posts, pages, and settings are stored. It lists the technical names and versions of your database so experts can see how it is organized.
4. Filesystem: This section checks the "drawers" on your server to make sure WordPress is allowed to save and move files. It shows where your plugins, themes, and images are kept on the computer.
5. Themes: This lists the different designs (Themes) you have installed.
   - Active: The design you are currently using for your site.
   - Inactive: Other designs you have downloaded but are not using right now.
6. Plugins: This shows the extra "tools" (Plugins) you have added to your site, like Ultimate Security. It tells you if they are Active and which version you are using.

### Error Notifications Page

This page helps you set up how you want to get alerts when something goes wrong with your website.

What You Can Do Here:

- Notification Email: You can choose which email address gets error messages
  - Right now it's set to: youremail@gmail.com
- Send Test Email: Click the "Send Test" button to check if your email notifications work
  - Remember to check your spam folder if you don't see the test email
- Slack Channel: You can send error alerts to a Slack channel
  - The channel name is: #security-alerts
  - The channel must already exist in your Slack workspace
- Slack Webhook URL: This is a special link that connects your website to Slack
  - It should look like: https://hooks.slack.com/services/xxxxxx
- Send Test Message: Click "Send Slack" to test if your Slack notifications work
- Error Levels To Notify: These are different types of errors your site might have
  - You can turn each type ON or OFF using the toggle switches
  - Right now, "E_ERROR" is turned ON (green switch)
  - Other types like warnings, notices, and user errors can be turned on or off

### Test Mode Page

This page helps you test your security settings without actually blocking real users.

- Enable Test Mode: When ON, it simulates security features without really blocking anyone
- User Roles: You can choose which user types to test with. Each has its own toggle switch:
  - Administrator (always active)
  - Editor
  - Author
  - Contributor
  - Subscriber
- Safety Options:
  - Always exclude administrators (recommended) - keeps you safe from being blocked
  - Log simulated blocks to activity logs - keeps records of test runs
  - Show test mode notice in admin dashboard - reminds you it's in test mode
- Simulation Statistics: Shows how many test blocks happened. You can "Refresh Stats" or "Clear All Logs".
  - Today: 0
  - This Week: 0
  - This Month: 0
  - Total: 0
- Recent Simulations: Shows your test results. Right now it says: "No simulation logs yet. Enable test mode and wait for security events to be simulated."

### Vulnerability Scanner

This is the Vulnerability Scanner page. It helps you check if your plugins and themes have any security problems.

- Top Section:
  - Scans your plugins and themes against security databases
  - Two buttons: "Scan Now" and "Settings"
- Search and Filter:
  - Search bar to look for specific plugins or themes
  - Filter tabs: Plugins, Themes, WordPress Core

#### Settings (Popup)

This is a popup window that opens when you click the "Settings" button. It helps you configure the scanner.

What You Can Configure:

- API Configuration:
  - WPScan API Key: Enter your WPScan API key
  - Patchstack API Key: Enter your Patchstack API key
- Schedule:
  - Scan Frequency: Choose how often to scan (currently set to "Daily")
  - Abandoned Threshold: Set how many days to check for abandoned plugins/themes
- Notifications:
  - Email Notifications: Toggle ON/OFF (currently ON)
  - Notification Email: Enter the email address to receive alerts
  - Severity Levels: Choose which types of issues to notify about (Critical, High, Medium, Low)
- Buttons:
  - Cancel: Close without saving
  - Continue: Save your settings

- Published: 2026-01-28
- Modified: 2026-02-02
- URL: https://docs.wpultimatesecurity.com/docs/how-it-works/maintenance-tools/
- Docs Categories: How It Works?

### Comments Management

#### Global Comments

This section lets you decide where people are allowed to leave comments.

- What it does: You can turn off comments for your whole website or just for specific types of pages.
- How to use it: Use the dropdown menu to choose if you want to disable comments everywhere or only on certain parts of your site.

#### 2. Select Post Types

If you chose to turn off comments on "certain post types," this is where you pick them.

- What it does: You can flip the switch for Posts, Pages, Media (like images), or Products.
- Why use it: Sometimes you want people to comment on your blog posts, but not on your "Contact Us" page or product images.

#### 3. Comment Settings (The Spam Blockers)

Spammers love to leave links to other websites. These settings stop them.

- Remove "url" in the comment form: This hides the box where people normally type their website address.
  If they can't put their link, they usually won't leave a spam comment.
- Remove external links in the comments: If a spammer does leave a link, this tool will strip it out.
- Replace external links from author bio: This stops people from using their profile name to advertise other websites.

#### 4. Cleaning Up Old Comments

The bottom sections are for deleting comments that are already there.

- Remove All Comments: Use this to wipe the slate clean and delete every single comment on your site.
- Remove Spam Comments: This deletes comments that WordPress has already flagged as "Spam."
- Remove Unapproved Comments: This clears out comments waiting for you to say "Yes" or "No" to them.
- Remove Trashed Comments: This empties the "Trash" bin for your comments, like taking the garbage out to the curb.

Always click the purple Save Changes button at the very bottom left after you make a choice. If you don't, the plugin won't remember what you picked!

### Backup & Restore

#### Backup Settings

This section lets you save your current settings into a file that lives on your computer.

- What it does: It turns all your switches and buttons into a special file (called a JSON file).
- Select sections to export: You can choose exactly what to save. You can check boxes for things like Login Settings, Security Settings, or Access Restrictions.
- Download Backup: When you click this purple button, the file downloads to your computer.
- Copy: This button lets you copy the settings as text if you just want to paste them somewhere else.

#### Restore Settings

If you move to a new website or accidentally mess up your settings, use this area to fix it.

- What it does: It takes a file you saved earlier and puts all those settings back onto your site.
- How to use it: You can Drag & drop your saved file into the gray box, or click Select JSON File to find it on your computer.
- Import Settings: Once the file is uploaded, click this to turn the settings on.
Security Tools REST API Methods The REST API uses four main types of messages to manage your website's data: GET (The "Reader"): This is used when your site wants to read or look at information. It’s like opening a book to see what is written inside. POST (The "Creator"): This is used to add or create something new. It’s like writing a brand-new page and adding it to your book. PUT (The "Editor"): This is used to update or fix something that is already there. It’s like taking an eraser to a mistake and writing the correct information over it. DELETE (The "Eraser"): This is used to remove information. It’s like ripping a page out of the book and throwing it away. What the Status Colors Mean Active (Green): The "door" is open, and your website can use this method to talk to other apps. Inactive (Red): The "door" is locked. This might be for safety, but sometimes it can stop certain features from working. Server Resources This part shows you how hard your website's "brain" is working. Memory Limit: This is the total amount of "thinking space" your website has (for example, 256M). Current Usage: This shows how much of that space you are using right now. If the green bar gets too full, your site might slow down. Max Execution Time: This is the amount of time (in seconds) your site is allowed to work on a single task before it gives up. Copy & Print: You can use these buttons to save this information if you ever need to show it to a tech expert for help. 3. Scheduled Tasks This is the "To-Do List" for your security plugin. Event Name: This is the name of the specific job the plugin needs to do, like checking your files for changes or sending alerts. Schedule: This tells you how often the job happens (for example, "every minute" or "hourly"). Next Run: This shows a countdown of when the job will start again. Actions (Run Button): If you don't want to wait for the timer, you can click the Run button to make the plugin do that task immediately. 
You don't usually need to change anything here. This page is mostly for checking that everything is working exactly as it should!

Advanced Settings

Data Management

This section decides what happens if you ever decide to stop using the plugin and delete it.

Delete plugin data on uninstall:
- What it does: If you turn this switch ON, the plugin will erase everything it ever recorded (like settings and security logs) when you delete it from WordPress.
- Why use it: Use this if you want to make sure no leftover "digital trash" is left behind on your website.
- Warning: Once this data is deleted, you can never get it back!

Emergency Access (The "Spare Key")

This is one of the most important parts of the plugin. Sometimes, security settings might accidentally lock you out of your own website.

Emergency URL: This is a secret web link made just for you.
- What it does: If you are locked out, you can paste this secret link into your browser. It will automatically turn off the security plugin so you can get back into your site.
- How to use it:
  1. Save it: Copy this link and save it somewhere safe, like a notebook or a private file on your phone.
  2. Test URL: Click this to make sure the link works.
  3. Regenerate URL: If you think someone else saw your secret link, click this to create a brand-new one.

Reset & Cache (The "Fresh Start")

If the plugin is acting strangely or you just want to go back to the beginning, use these buttons.

Reset to Defaults:
- What it does: This pushes the "Reset" button on every setting in the plugin. It will go back to exactly how it looked when you first installed it.

Clear Cache:
- What it does: This clears out "temporary memory" that the plugin uses.
- Why use it: If you changed a setting but don't see the change happening on your site, clicking this can usually fix the problem.

Always remember to click the Save Changes button at the bottom left after turning on the "Delete plugin data" switch!
Database Cleanup Database Stats At the top, you'll see four important numbers: Total Database Size: How big your database is (right now it shows 0 B) Total Records: How many things are stored in your database (right now it shows 0) 30-Day Growth Estimate: How much your database might grow in 30 days Avg. Daily Records: How many new things are added each day Step 2: Turn On Automatic Cleanup You'll see two toggle switches: Enable Automatic Cleanup - This automatically removes old, unnecessary data from your database Enable Archiving Before Deletion - This saves a copy of data before removing it (good for safety) Both are turned ON by default, which is usually best for most websites. Step 3: Clean Up Your Database In the "Database Cleanup" section, you can: Select which tables (parts of your database) to clean Delete old records that you don't need anymore Right now, it shows "No log tables found" which means your database is already clean! Overview Tab This is the main dashboard that shows you: Your total database size How many records (items) are in your database How your database is growing Average daily records being added It gives you a quick look at how healthy your database is right now. Retention Policies Tab This tab helps you control how long data stays in your database. What It Does: Configure Retention Periods: You can set how many days to keep records in each part of your database Save Retention Policies: Click this blue button to save your settings Why This Matters: Keeping your database clean means your website runs faster You can choose how long to keep different types of data This helps prevent your database from getting too big and slow Archives Tab This tab shows you archived records - data that has been saved before being deleted. What You'll See: Archived Records: Any data that was archived (saved) before cleanup Right now it shows "No archives found" which means your database is clean! 
Why Archives Are Good: They act like a backup before data gets deleted You can review what was removed if needed Makes cleanup safer because you can always restore archived data History Tab This tab keeps track of all the cleanup activities. What It Shows: Cleanup History: A log of everything the plugin has cleaned up Right now it shows "No cleanup history found" which means the plugin hasn't done any cleanups yet, or it's a new installation Why History Is Helpful: You can see what was cleaned and when Helps you track how your database is being maintained Good for troubleshooting if something goes wrong Important Tips: Always save your changes by clicking "Save Changes" at the bottom If you make a mistake, you can "Discard Changes" to go back Start with the default settings if you're not sure what to do These features help keep your website fast and secure! Important Notes Automatic cleanup helps keep your site running fast Archiving before deletion is like making a backup before cleaning - it's safer You can always turn these features off if you prefer to clean your database manually Click "Save Changes" to keep your settings, or "Discard Changes" to go back to how things were Self Defense Protection This feature keeps your security plugin safe from being turned off by bad people. Enable Self Defense: When this is ON (green), it means: No one can easily turn off your security plugin If someone tries to turn it off, they'll need to prove who they are first Your website stays protected File Integrity Monitoring This feature watches your security plugin files to make sure no one changes them. Enable file integrity checks: When this is ON (green), it means: The plugin checks if any files have been changed If someone tries to mess with your plugin code, you'll get an alert Your security stays strong and trustworthy Deactivation Alerts This feature tells you when someone tries to turn off your security plugin. 
Send alerts on deactivation: When this is ON (green), it means:
- You'll get a message if someone tries to turn off your security
- Alerts can come to your email or other places you set up
- You'll know right away if something suspicious happens

Important Warning

If you ever need to turn off this security plugin (maybe to fix something), remember:
- You can use the "Emergency Access URL" from the Advanced Settings page
- Or you'll need to prove it's really you trying to turn it off

- Published: 2026-01-26
- Modified: 2026-02-01
- URL: https://docs.wpultimatesecurity.com/docs/how-it-works/site-hardening/
- Docs Categories: How It Works?

Content Protection

The Content Protection Overview page helps you protect your website's content from being copied by visitors.

Enable Content Protection
This main toggle turns the entire content protection feature on or off. It prevents visitors from copying your text, images, and other content.

Select Protection Scope
You can choose to protect either your entire website ("Whole Site") or only specific pages ("Specific Pages").

Protect WooCommerce Product
This toggle specifically protects your store's product pages. Add categories to protect specific product categories.

Protect Custom URLs
You can add custom URL patterns to protect specific sections of your site that aren't covered by the other options.

Exclude User Roles
You can choose which user roles should be able to bypass the content protection (administrators are always excluded by default).

Use the Save button to apply your changes, or Discard to drop them.

Text Protection

This feature helps protect the text content on your website from being copied by visitors.

Disable Right-Click
This stops visitors from right-clicking on your site. This prevents them from copying your text or saving your images.

Disable Text Selection
This stops visitors from selecting text on your pages by highlighting it, making it impossible to copy text.
Disable Copy (Ctrl+C)
This blocks the standard keyboard shortcut (Ctrl+C on Windows or Command+C on Mac) that people use to copy selected text.

Disable Cut (Ctrl+X)
This blocks the standard keyboard shortcut (Ctrl+X on Windows or Command+X on Mac) that people use to cut selected text.

Use the Save button to apply your changes, or Discard to drop them.

Image Protection

This helps you stop people from stealing the images on your website. It makes it much harder for visitors to save your original work to their devices.

Disable Image Right-Click
This prevents visitors from right-clicking on your images, which stops them from accessing the "Save Image As" option.

Disable Image Dragging
This stops visitors from dragging your images to their device. This makes it impossible for them to save your pictures just by pulling them off the page.

Image Overlay Protection
This adds an "invisible shield" over your photos. If a user tries to find another way to download the image, they will end up with a blank photo.

Hotlink Protection
"Hotlinking" is when another website displays your images by linking directly to your server. This feature blocks other sites from using your images.

Use the Save button to apply your changes, or Discard to drop them.

Keyboard Shortcut

Keyboard Shortcut Protection blocks the keyboard shortcuts used to open developer tools or save your website content.

Disable Developer Tools
This blocks keyboard shortcuts like F12, Ctrl+Shift+I, and Ctrl+Shift+J that people use to open browser developer tools. This prevents visitors from inspecting your website's code.

Disable View Source
This blocks the Ctrl+U shortcut that allows visitors to view the HTML source code of your pages.

Disable Save Page
This blocks the Ctrl+S shortcut that lets visitors save your entire webpage.

Disable Print
This blocks the Ctrl+P shortcut and the print option, to stop visitors from printing your website content.

Use the Save button to apply your changes, or Discard to drop them.

Display Settings

You can customize the message when visitors try to do something that is blocked.
Notification Type
You can select from the drop-down menu how visitors will be notified when they try to do something blocked.
- "Alert Popup" shows a browser popup message
- "Toast" shows a subtle notification at the bottom of the screen
- "Silent" blocks the action without any message

Custom Messages
You can set specific messages for:
- Right-click attempts
- Copy attempts
- Keyboard shortcut attempts

Mobile Protection
You can enable two mobile-specific protections:
- Disable Mobile Long-Press - Prevents the long-press menu that appears on mobile devices
- Disable Touch Callout (iOS) - Disables the iOS touch callout menu that appears on images and links

This section helps you control both what visitors see when protection is triggered and how your protection works on mobile devices.

Security Keys Settings

WordPress security keys (also called "salts") are special codes that help protect your website from hackers.

Current Salt Keys
The page shows several important security keys:
- AUTH_KEY
- SECURE_AUTH_KEY
- LOGGED_IN_KEY
- NONCE_KEY
- AUTH_SALT
- SECURE_AUTH_SALT
- LOGGED_IN_SALT
- NONCE_SALT

Each one has a 100% strength rating.

Action Buttons
- Hide Keys - Hides the key values (for extra security)
- Reveal Values - Shows the actual key codes
- Copy All - Copies all keys to your clipboard
- Download Backup - Saves a copy of all keys to your computer

Changing WordPress salt keys will force all logged-in users to log in again.

Scheduled Change
- What it does: This feature automatically changes your WordPress security keys on a regular schedule.
- How to use it:
  - The toggle switch turns automatic key changes ON or OFF
  - The dropdown menu lets you choose how often: "Daily" is currently selected
  - When turned on, your keys will be updated automatically without you needing to do anything
- Why this is helpful: Regularly changing keys invalidates existing login sessions, which cuts off anyone relying on a stolen session.

Set Manual Time
- What it does: Lets you choose a specific time for automatic key changes.
- How to use it:
  - Use the day dropdown (currently set to "Saturday")
  - Set the time using the hour and minute selectors (currently 08:00 or 8:00 AM)
  - This means your keys will update automatically at 8:00 AM on Saturdays

Reminder for Changing Salt Keys
- What it does: This toggle turns on/off reminders about manually updating your keys.
- Why you might want this: Even with automatic updates, it's good to stay aware of your site's security practices.

Notification After Change
- What it does: When turned on, you'll get a notification after your keys have been automatically updated.
- Why this is useful: You'll know when your site's security has been refreshed.

Pre-Change Notification
- What it does: This gives you a heads-up before scheduled key changes happen.
- How it works:
  - The toggle turns this feature ON or OFF
  - The dropdown lets you choose when to be notified (currently "24 hours before")
  - This gives you time to prepare or skip the change if needed

Reminder Interval
- What it does: Sets how often you receive reminders about key changes.
- Current setting: "7 days" - meaning you'll get reminders every week

Pause Until... Button
- What it does: Temporarily stops automatic key changes
- When to use: During website maintenance or when you're moving your site to a new server
- How it works: Click this button to pause automatic updates until you're ready to resume

Skip Next Button
- What it does: Skips the next scheduled key change
- When to use: If you know you'll be doing maintenance soon, or if you don't want the next update to happen
- Temporary control: Gives you quick control over the next update

Salt Change History
- What it shows: A detailed log of all your security key changes
- Why it's useful: Lets you see when keys were changed and track your security updates
- How to access: Click the "View History" button to see all past changes

Immediate Change
- What it does: Changes your security keys right away, without waiting for the schedule
- When to use: If you're concerned about security and want immediate protection
- How to use: Click the "Regenerate Salt Keys" button
- Important note: After clicking, all logged-in users will need to log in again

Action Buttons
- Save Changes: Saves any settings you've adjusted
- Discard Changes: Ignores any changes you've made (goes back to previous settings)
- Unsaved changes: This warning appears if you've made changes but haven't saved them yet

API & Data Privacy

API Privacy?
API (Application Programming Interface) privacy helps protect your website by hiding information that WordPress normally shows to the public. Think of it like putting curtains on your windows - it keeps prying eyes from seeing what's inside.

Enable API Privacy
This toggle turns API privacy ON or OFF.
- When ON: Your website hides sensitive information from outsiders
- When OFF: Your website shows more information (less secure)
- Recommendation: Keep this ENABLED for better security.

User-Agent & URL Behavior
This setting controls how your website handles web addresses (URLs) in API requests.
- Current setting: "No changes" - meaning your website shows normal URL behavior
- Why it matters: How URLs are handled can affect your site's privacy

Privacy Options (Advanced Settings)
These are extra privacy protections you can enable:

Strip WordPress version information from User-Agent
- What it does: Hides which version of WordPress you're using
- Why helpful: Hackers can't target known vulnerabilities in your specific WordPress version

Strip external plugins from API calls
- What it does: Hides information about plugins you've installed
- Why helpful: Prevents hackers from knowing which plugins might have security issues

Strip external themes from API calls
- What it does: Hides information about your website's theme
- Why helpful: Stops hackers from targeting theme-specific vulnerabilities

Modify data sent to core update API
- What it does: Changes how update information is sent
- Why helpful: Adds an extra layer of security during updates

Strip wp_blog and wp_install headers
- What it does: Removes identifying headers from your site
- Why helpful: Makes it harder for attackers to gather information about your site

Strip user login info from JSON API
- What it does: Hides user login details in API responses
- Why helpful: Protects your users' login information

Debug Settings

Disable HTTPS for packet sniffing
- What it does: Temporarily turns off secure connections (only for testing)
- Important: Should only be used by advanced users during testing
- Warning: Not for regular use - it leaves your site less secure

Save Your Changes
- Save Changes: Applies all your privacy settings
- Discard Changes: Ignores any changes you've made

Plugin Updates

Update Management
This page helps you control how your website updates itself. Updates are important because they:
- Fix security issues
- Add new features
- Keep your site running smoothly

Plugin Updates Section
This specific section shows updates for the plugins (extra features) installed on your website.
Filter Tabs
You can filter plugins by their status:
- All: Shows every plugin
- Active: Shows only plugins that are currently working
- Inactive: Shows plugins that are turned off
- Update Available: Shows plugins that need updates
- Abandoned: Shows plugins that aren't maintained anymore

Search and Refresh
- Search plugins: Find specific plugins quickly
- Refresh: Get the latest update information

Plugin List
Your page shows two security plugins:
- Ultimate Security (version 1.0.17)
- Ultimate Security Pro (version 1.0.4)

Plugin Control Options
For each plugin, you can control:
- Disable Updates:
  - Turn OFF to stop this plugin from updating automatically
  - Turn ON to allow automatic updates
- Auto-Updates:
  - Green means updates happen automatically
  - Gray means you need to update manually
- Translation Updates:
  - Green means translation files update automatically
  - Gray means you need to update translations manually
- Hide Plugin: Hide the plugin from your dashboard (advanced option)

Theme Updates

What is Theme Management?
Themes are the visual designs and layouts of your website - they control how your site looks and feels to visitors. Just like plugins, themes need regular updates to stay secure and work properly.

Theme Updates Section
This page helps you manage updates for your website's themes (the visual designs).

Filter Tabs
You can filter themes by their status:
- All: Shows every theme
- Active: Shows only themes currently being used
- Inactive: Shows themes that aren't active
- Update Available: Shows themes that need updates

Search and Refresh
- Search themes: Find specific themes quickly
- Refresh: Get the latest update information

Theme List
Your page shows three WordPress themes:
- Twenty Twenty-Five (version 1.4)
- Twenty Twenty-Four (version 1.4)
- Twenty Twenty-Three (version 1.6)

Theme Control Options
For each theme, you can control:
- Disable Updates:
  - Turn OFF to stop this theme from updating automatically
  - Turn ON to allow automatic updates
- Auto-Updates:
  - Green means updates happen automatically
  - Gray means you need to update manually
- Translation Updates:
  - Green means translation files update automatically
  - Gray means you need to update translations manually
- Hide Theme: Hide the theme from your dashboard (advanced option)

Update Manager

What Are These Settings For?
This page helps you control how your website updates itself. Updates are like getting new, improved versions of things on your website - they fix problems, add new features, and keep everything secure.

General Update Settings

WordPress Core Updates
This controls how your main WordPress software gets updated.
- Current setting: "Manual updates" - meaning you need to click a button to update WordPress
- Other options you might see:
  - Automatic updates: WordPress updates itself without you doing anything
  - Daily updates: Checks for updates every day
  - Weekly updates: Checks for updates once a week

Plugin Updates
This controls how your plugins (extra features) get updated.
- Current setting: "Manual updates" - you need to update plugins yourself
- Why this matters: Plugins can have security issues that need fixing, just like apps on your phone.

Theme Updates
This controls how your website's design (themes) gets updated.
- Current setting: "Manual updates" - you need to update themes yourself
- Why this matters: Theme updates often fix design problems and security issues.
Toggle Switch Options Disable Automatic Translation Updates What it does: Stops translations from updating automatically When to use: If you don't need translated content or want to control translations yourself Enable updates for VCS Installations What it does: Allows updates for version-controlled installations When to use: If you're using advanced version control (most users don't need this) Updates nags only for Admin What it does: Only shows update notifications to website administrators Why helpful: Keeps regular users from seeing technical messages Enable Update Schedule Window What it does: Lets you choose specific hours for updates Why helpful: You can avoid updating during your website's busiest times (when most visitors are online) Example: If your site gets lots of traffic in the afternoon, you can schedule updates for early morning Auto-Update Delay Current setting: "No delay" - updates happen right away Other options: You can add a delay (like 1 hour, 6 hours, or 24 hours) Why helpful: Gives time for any problems with new updates to be discovered before your site gets updated Enable Maintenance Mode During Updates What it does: Puts your site in "maintenance mode" during updates Why helpful: Visitors see a friendly message instead of error pages while updates are happening Day-of-Week Scheduling What it does: Lets you choose which days updates can happen Why helpful: You can avoid updating on your website's busiest days Example: If weekends are your busiest, you can schedule updates for weekdays only Freeze Periods What it does: Creates "freeze" periods when updates are completely blocked How to use: Click "Add" to create a new freeze period Choose start and end dates Updates won't happen during these times Why helpful: Perfect for important events, sales, or when you can't have any disruptions Email Notifications What it does: Sends you email updates about your website's updates Why helpful: You'll know exactly when updates happen and if there are 
any issues How often: Once a day, with a summary of what happened WordPress Core Email Notification Core Notifications This toggle controls whether you get email updates about your WordPress core (the main software). Important Note: These core notifications are handled by WordPress itself, not by this security plugin. Changing settings here only affects this plugin's notifications. What Core Notifications Include Core notifications typically tell you about: WordPress version updates Security patches Important maintenance information Advanced Options This section has powerful tools for managing your website updates. Proceed with caution - these options can affect how your site works. Force Automatic Updates This is a powerful feature that lets you manually trigger updates for everything on your website at once. What it does: Updates your plugins (extra features) Updates your themes (website designs) Updates WordPress core (main software) Save Changes: Applies any changes you've made Discard Changes: Ignores any changes (goes back to previous settings) Update History What is this page for? This dashboard shows you a record of all updates that have been made to your WordPress website. It helps you keep track of what's been updated, when, and whether those updates were successful. 
Understanding the Dashboard

Top Statistics (Last 30 Days)
At the top of the page, you'll see five important numbers:
- Total Updates: Shows how many updates were attempted in the last 30 days
- Successful: Shows how many updates completed without problems
- Failed: Shows how many updates didn't work properly
- Auto Updates: Shows how many updates happened automatically
- Manual Updates: Shows how many updates you or someone else did manually

Filter Options
You can use the dropdown menus to filter what you see:
- All Types: Filter by plugins, themes, or WordPress core
- All Statuses: Show only successful, failed, or all updates
- All Update Types: Show auto or manual updates

Action Buttons
- Refresh: Click this to get the latest update information
- Export CSV: Download this data as a spreadsheet file
- Clear Old: Remove old update records (use carefully!)

Security Hardening

What is Security Hardening?
This section helps make your WordPress website more secure by adjusting important security settings. Think of it like adding extra locks and security features to protect your website from potential threats.

Understanding the Dashboard

Color-Coded Recommendations
- Green tags: These are recommended settings that should be enabled for most websites
- Orange tags: These settings might affect how your website works - review them carefully before enabling

Progress Tracking
The number at the top (currently "0 / 35 features enabled") shows how many security features you've turned on out of the total available.
Navigation Tabs
You can switch between different security categories using the tabs:
- Access & Identity: User login and account security
- Files & Directories: Protecting your website files
- Headers & Fingerprinting: Hiding technical information
- APIs & Remote Access: Controlling external connections
- Frontend & Features: Website appearance and functionality

Access & Identity Security Options
This section helps protect user accounts and login processes:

Recommended Settings (Green Tags)
- Disable "Anyone can register": Prevents random people from creating accounts on your site
- Prevent login feedback: Stops giving hints about whether a username or email exists
- Disable user enumeration: Makes it harder for attackers to discover user accounts
- Block common usernames: Prevents using easy-to-guess usernames like "admin" or "root"
- Force unique display names: Ensures all users have different names
- Hide Admin Bar from Frontend: Removes the admin toolbar from the public part of your site
- Hide Admin Bar from Backend: Removes the admin toolbar from the dashboard

File & Directory Security Options
This section helps protect your website's files and folders:

Recommended Settings (Green Tags)
- Disable the built-in file editors: Turns off WordPress's built-in code editor, which prevents people from editing your files directly through the dashboard
- Prevent code execution in Uploads folder: Stops malicious code from running in your uploads folder
- Disable directory browsing: Prevents visitors from seeing a list of files in your folders
- Block Sensitive Files: Protects important configuration files from being accessed

Header Security Options
This section helps hide technical information about your website:

Recommended Settings (Green Tags)
- Hide your WordPress version: Prevents showing which version of WordPress you're using
- Unset X Powered by header: Removes information about what software powers your site
- Hide CSS File Version: Hides version numbers in your CSS files
- Hide JS File Version: Hides version numbers in your JavaScript files

Caution Setting (Orange Tag)
- Strict Content Security Policy on the frontend and login screen: This is an advanced security setting that might affect how your site works

API & Remote Access Options
This section helps protect your website from unauthorized external connections:
- Disable XML-RPC: Controls a feature that allows external systems to connect to your site
- Disable REST API for guests: Restricts access to the API for people who aren't logged in
- Disable Trackbacks & Pingbacks: Turns off notifications between websites
- Remove RSD Link: Hides a technical link used by some blogging tools
- Remove WLW Manifest Link: Hides a link used by Windows Live Writer
- Remove Shortlink: Hides a special short URL for your posts

Frontend & Features Options
This section helps optimize and secure how your website appears to visitors:
- Frontend & Features: Turns off special icons used in WordPress
- Disable WordPress Emojis: Stops emoji support on your site
- Remove RSS Feed Links: Hides links to your RSS feeds
- Add Featured Image to RSS Feed: Includes your post images in RSS feeds
- Disable Embeds in Widgets: Prevents embedding content in widgets
- Enable Shortcodes in Widgets: Allows using shortcodes in widgets
- Disable RSS Feed: Turns off your website's RSS feed completely

- Published: 2026-01-25
- Modified: 2026-01-29
- URL: https://docs.wpultimatesecurity.com/docs/how-it-works/login-authentication/
- Docs Categories: How It Works?
- Docs Tags: Beginner

Two-Factor Authentication

Two-Factor Authentication adds an extra layer of authentication using email OTP, authenticator apps, SMS authentication, and backup recovery codes.

Overview
Navigate to Ultimate Security > Login Authentication > 2FA >

At the top of the page, you will find three key metrics:
- Security Status: Indicates the 2FA system is active and working correctly.
- Active Methods: See your 2FA options here. Click 'Compare method' to see a table at the bottom that explains the differences between each method.
- User Adoption: Tracks how many users on your site have actually set up 2FA for their account.

Quick Actions
This section provides shortcuts to manage your two-factor authentication settings:
- Test 2FA: Verify your current setup by clicking here. You will be taken to a dashboard where you can choose to test either email or an authenticator app.
- Setup Wizard: Follow a guided flow to configure 2FA. You can select email OTP or an authenticator app. The wizard walks you through Level -> Method -> Roles -> Review steps before leading you to the final configuration page.
- View User Status: See which users on your site currently have 2FA enabled.
- Audit Logs: Review a history of authentication events and activities.

Authentication Methods Comparison
This section helps you compare the two available security methods to decide which one to use.
- Email Verification: This method is easy to set up and does not require any extra applications.
- Authenticator App (Recommended): This option is very secure and easy to use. It requires a smartphone.

You can view the security rating, pros, and cons for each method. To start setting up a method, click the Configure button.

Email OTP

This page lets you set up email verification. When turned on, users will get a one-time code in their email every time they log in.

Enable Email Verification
There is a toggle switch.

Enable for Roles
This setting allows you to choose which user groups are required to use email 2FA. You may choose to disable this for regular subscribers to avoid friction during simple logins, unless your site deals with sensitive user data.

Note: The "Save Changes" or "Discard Changes" button will apply the settings.

Next Steps for Users
Once you have enabled this feature on this page, your users must:
- Go to their WordPress Dashboard > Users > Profile page
- Scroll down and find the Ultimate Security section
- Select the email method.
- Get OTP from the email address for verification
- Save Settings to apply

##### Security Considerations

Please keep the following in mind:

- Email delivery is not always instant. Network issues or server load can cause delays, making the verification code expire before the user finds it.
- If a hacker has already compromised a user's email password, they can access the 2FA code, rendering this layer of security ineffective.
- Occasionally, verification codes can be flagged as spam and end up in the user's junk folder.

#### Authentication Apps

Use this page to set up your Authenticator app. These apps provide the strongest security because they work without internet or phone signal. For extra protection, your login code changes every 30 seconds.

##### Authenticator Applications Toggle

This switch enables or disables two-factor authentication.

##### Enable for Roles

This setting allows you to select which user roles are allowed to use the Authenticator App.

##### Advanced Settings

This section allows you to select the algorithm used to generate your OTP. You can choose between two options:

- TOTP (Time-Based): This is the most common algorithm and is used by virtually all authenticators. It generates a new verification code every 30 seconds based on the current time.
- HOTP (Event-Based): This option generates codes based on a counter. The code only changes when an event occurs (like a login attempt), rather than based on the time.

##### XML-RPC

XML-RPC is a feature in WordPress that allows external services to communicate with your site remotely. You will see a dropdown menu with two specific options. This setting decides if 2FA is required when these external services try to connect.

- Option 1: Do not require 2FA over XMLRPC (default). External tools and mobile apps can connect to your site using just a username and password. They will not be asked for a 2FA code.
- Option 2: Do require 2FA over XMLRPC. Any connection attempt via XML-RPC (including mobile apps) must provide a valid two-factor authentication code in addition to the password.

Note: Only enable this requirement if you are sure your external apps support Two-Factor Authentication, or if you do not use external apps to manage your site.

##### Encrypt Keys in Database

This feature locks your security codes inside the database to keep them hidden. It adds an extra layer of protection so that even if a hacker gets into your database, they cannot see or steal your login secrets.

Note: Once you enable this feature, it cannot be disabled. However, it is completely safe to keep it enabled.

Important Notice: For the highest level of security, we strongly recommend using the Authentication App method (if available) instead of Email OTP. Authentication apps generate codes offline on your device, are immune to email delays, and are virtually impossible to intercept remotely. Use email OTP primarily as a backup method or for users who are unable to use an authentication app.

##### Next Steps for Users

Once you have enabled this feature on this page, your users must:

- Go to their WordPress Dashboard > Users > Profile page
- Scroll down and find the Ultimate Security section
- Select the Authentication App method.
- Click Setup
- Scan the provided QR code with their preferred mobile app to finish the connection.

Reset 2FA Method settings to restore all settings.

### Login Hardening

This page helps you protect your website by hiding your login page. By changing the address of your login page, you can stop automated robots and hackers from finding it.

#### Custom Login URL Security

It states that modifying the default login URL helps defend against brute force attacks and scanner attacks.

#### Login Page URL

Below, you will see the login page URL field. This displays the default address for your login page. In the text box, you can change the default login URL and create a new private entrance.
#### Old Login Page Redirect

This option lets you redirect anyone who tries to access the default WordPress login page URL. The default setting is 404. If a bot or hacker tries the old default link, they will receive a "Page Not Found" error. You can also add a custom URL in the box to redirect them to another link.

#### Show a Consent Message

This option lets you show a custom message in the login form. This feature has a toggle switch. Next to it, there is a text box containing a default message. This is the text that users will see when they reach your login page. You can type a custom message or welcome message here.

#### Save Your Changes

At the bottom of the section, you must click the button to apply any changes you made to the URL or settings.

Important Reminder: Before changing your login URL:

- Bookmark your new login URL or write it down
- Save the Plugin Deactivation URL from Settings > More > Extra
- Test the new URL in an incognito window before logging out
- If locked out, you can deactivate the plugin via FTP or use the deactivation URL

### Password Requirements

This setting allows you to set rules for passwords on your website. By enforcing these rules, you make sure that all users create strong, hard-to-guess passwords.

#### Enable Password Policies

You will see the main option labeled "Enable password policies." This is the switch for this entire page. If you turn this off, none of the password rules below will apply to your users.

#### Quick Presets

Below the main switch, you will see a row of tabs labeled "Quick presets." These are shortcuts to quickly set how strict you want the password rules to be. The available tabs are:

- Basic: Sets simple, easy-to-follow rules.
- Strong: Sets stricter rules for better security.
- Enterprise: Sets the highest level of security for professional environments.

NB: Clicking one of these tabs automatically fills in the settings below (like length and character types) to match that level of security.
#### Minimum Length

Under the presets, you will find the setting for "Minimum length." This controls how many characters a password must have. You can adjust the number (e.g., 8, 12, 16) to make passwords shorter or longer.

#### Require Uppercase & Lowercase

Next, there is a checkbox labeled "Require uppercase & lowercase." It means users cannot use all lowercase letters. They must mix in capital letters.

#### Require Numbers

Below that, there is a checkbox labeled "Require numbers." It means users must include at least one number in their password.

#### Require Special Characters

Finally, there is a checkbox labeled "Require special characters." What this means: Users must include at least one special symbol (like !, @, #, $, or %) in their password.

#### Exclude Characters

Located right below the "Require special characters" option, you will see an input box. While you force users to use special characters, you might want to ban specific ones that cause technical problems or are hard to type. If you type characters into this box (like " '), users will not be allowed to use those specific symbols in their passwords.

#### Password History

Next, you will see the setting for "Password history." This is set to 1 by default. This stops users from reusing their old passwords. A setting of "1" means a user cannot reuse their most recent password. They must pick a new one. If you set it to "5," they couldn't reuse their last 5 passwords.

#### Expiration Period

Below that, there is an option labeled "Expiration period." This makes users pick a new password after a certain amount of time. Setting it to "0" (zero) means passwords never expire. Users can keep their password forever. If you want them to change it every 3 months or even in a year, you would enter "3" here and select the month/year near the box.

#### Warning Days

Next to the expiration setting, you will see "Warning days." If you have an expiration period set, this setting warns the user before their password runs out.
Setting any number means the user will receive a notice before their password expires, reminding them to update it.

#### Grace Period

Below the warning days, there is the "Grace period" setting. This gives users a few extra chances to log in after their password has technically expired. Setting any number means the user can still log in for that number of days after the expiration date. During this time, the site will usually force them to pick a new password immediately. After the days are over, they are locked out completely.

#### Email Notification

You will see a toggle switch labeled "Email notification." The system will automatically send emails to users regarding their password. This ensures users get notified about upcoming expirations or required changes without you having to tell them manually.

#### First Login Reset

At the bottom of this section, there is a toggle labeled "First login reset." This is useful for new accounts. When you create a new user and they log in for the very first time, the system will force them to change their password immediately. This ensures that only the actual user knows their password, not the admin who created the account.

#### Disable Self-Service Reset

You will see a toggle switch labeled "Disable self-service reset." Normally, users can click a "Lost your password?" link to reset their own password via email. By turning this on, you are disabling that feature. This is useful for high-security sites where you want to personally verify who is asking for a password reset. It prevents hackers from trying to take over accounts by using the reset tool.

#### Custom Reset Message

Below the toggle, there is a text box labeled "Custom reset message." The box currently contains the text "Contact site administrator to reset your password." What this means: Since the standard reset link is now hidden, this is the message users will see instead. You can type any instructions you want here.
For example, you could provide an email address telling users exactly how to reach you to get their password fixed.

#### Custom Reset URL

Next, there is an input field labeled "Custom reset URL." What this means: If you have created a specific custom page or form on your website for users to request help, you can paste that link here. If you do not have a custom page, you can leave this as is. If you enter a URL, the system might redirect users to that specific page when they try to reset their password.

#### Save or Discard Changes

At the very bottom of the page, you will see buttons to control your settings.

### Session Management

This page helps secure accounts by limiting current logins, terminating idle sessions, and tracking all login attempts.

#### About Active Logins

When you look at the About Active Logins box, you will see a simple explanation of why this feature is good for your site.

#### Enable Active Logins Logic

There is a toggle switch to enable this feature.

#### Maximum Active Sessions

This setting allows you to control how many devices can stay logged in at a time. Set your preferred session numbers in the box to limit login devices.

#### Recommendations

At the bottom of the page, you will see a Recommendations section. This gives you helpful advice on how many sessions to allow for different types of users.

Note: If you aren't sure what number to pick, following the recommendations is the safest choice.

Use the buttons at the bottom of the page to save and discard changes.

- Published: 2026-01-25
- Modified: 2026-02-01
- URL: https://docs.wpultimatesecurity.com/docs/how-it-works/threat-protection/
- Docs Categories: How It Works?
- Docs Tags: Beginner

### Bot Protection

#### reCAPTCHA Settings

This section helps you block bots from spamming your website's form. It uses a tool from Google to check if a real person is trying to submit the form.

##### Enable reCAPTCHA on Signup

There is a switch labeled "Enable reCAPTCHA" to control this feature.
##### reCAPTCHA Version

You can choose between two versions of this method:

- v2: Usually shows the familiar "I'm not a robot" checkbox.
- v3: Works silently in the background without bothering your users unless it detects suspicious behavior.

##### Enter Your Keys (Site Key & Secret Key)

To make these features work, you need two special codes from Google.

- Site Key: This is a public code that goes into your website's form.
- Secret Key: This is a private code that stays on your server (in the plugin settings) to verify the check.

How to fill this out: You will need to get these keys for free from the Google reCAPTCHA website. Once you have them, copy and paste the "Site Key" into the first box. Copy and paste the "Secret Key" into the second box.

##### reCAPTCHA verification failed

Use this box to change the message people see when they fail the security check. This message appears if someone gets the puzzle wrong or if the system thinks they are a robot. A default message is pre-filled in the text box, but you can overwrite it with your own custom text.

##### Can not connect to server

Use this box to write a message for when the security check doesn't work. This error might show up if your internet is down or if a security setting is stopping the connection. There is already a default message here, but you can change it.

##### reCAPTCHA Field Title

This setting allows you to change the text label that appears above the checkbox on your form. The default text is already set. You can change it too.

##### reCAPTCHA Theme

You can select Light or Dark theme based on your preferences.

##### reCAPTCHA Size

You can select Normal or Compact size based on your preference.

##### No-Conflict Mode

Enable No-Conflict Mode to prevent conflicts with other themes or plugins and ensure your system runs smoothly.

##### WooCommerce Registration

If you are running an online store, enable this feature to secure your customer signup process.

Enable reCAPTCHA on Signup: Toggle this to ON.
This adds a security verification to the registration page during checkout, preventing automated bots from creating fraudulent customer accounts.

Note: Once you are happy with your settings, scroll to the bottom and click the blue button that says Save Changes. If you made a mistake and want to go back to how things were before you started editing, click Discard Changes.

#### Cloudflare Turnstile

This guide will help you set up and use the Cloudflare Turnstile plugin. This keeps your website safe without making it hard for your visitors.

##### Default WordPress Forms

These settings determine where you want to use Cloudflare. The Enable toggle activates the following settings:

- WordPress Login
- WordPress Register
- WordPress Reset Password
- WordPress Comment

##### Your Keys

Put those keys into the field.

- "Site Key" field: Paste your Site Key here.
- "Secret Key" field: Paste your Secret Key here.

##### General Settings

These settings control how the Turnstile check looks and works on your site.

- Theme: You can choose between "Light" and "Dark" themes. Pick the one that matches your website's look.
- Language: You can let the plugin automatically detect the language, or you can choose a specific language for the Turnstile check.
- Disable Submit Button: This option can stop people from submitting a form until they pass the security check. It's usually a good idea to leave this "Enable."

##### Advanced Settings

These are for more experienced users, but you can still use them.

- Widget Size: Choose the size of the security check.
- Appearance Mode: Choose when the security check appears. "Always" means it will always be there.
- Defer Scripts: This can make your website load faster. It's usually best to leave this "Enable."
- Custom Error Message: If someone fails the security check, you can show them a special message. The default is "Please verify that you are human."
- Extra Failure Message: Add another message if the check fails. It's usually best to leave this "Disable."

##### Whitelist Settings

This lets certain people skip the security check.

- Logged In Users: If you "Enable" this, people who are logged into your website won't see the security check.
- IP Addresses: You can add IP addresses here. If you add an IP address, anyone using that address won't see the security check.
- User Agents: You can add "User Agents" here. This is like a browser's name. If you add a User Agent, anyone using that browser won't see the check.
- Turnstile Logs: If you "Enable" this, the plugin will keep a record of when the security check is used.

Don't forget to click the "Save Changes" button at the bottom of the page.

### Brute Force Protection

#### Login Attempts

This setting helps you stop automated robots from guessing your password.

- Login Limit: This is the main switch that activates the protection.
- Login Attempts: This tells the plugin how many times someone is allowed to type the wrong password. If someone guesses wrong 4 (the default) times, we immediately block them.
- Lockout Duration: This is how long the person is "put in timeout" after guessing wrong too many times. They will have to wait a certain time before they can try again.
- Increase Login attempts: If the same person gets locked out in hours, the plugin decides they are a serious threat and gets tougher.
- Increase Lockout Duration: Once they are marked as a serious threat, we increase the lockout time in hours after the first lockout.
- Retries Reset Duration: Sometimes a real user just forgets their password. This setting tells the plugin: If they haven't tried to log in for a particular number of hours, forget about their past mistakes and let them start fresh.

#### Block Users

Stop a specific person from logging into your website. In the input box, type the exact username of the person you want to block.

- Select All: Click this if you want to highlight every user currently on your blocked list at the same time.
- Remove All: Click this to clear the entire list and unblock everyone.
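The Login Attempts settings above combine into a two-stage lockout, sketched here as an added example that is not the plugin's own code. It keys state by username and assumes every value except the default of 4 attempts: both lockout lengths, the repeat-lockout count and window, and the reset period are made up for the demonstration.

```python
from dataclasses import dataclass, field

MINUTE, HOUR = 60, 3600


@dataclass
class Policy:
    max_attempts: int = 4                # "Login Attempts" (default stated on the page)
    lockout_seconds: int = 10 * MINUTE   # "Lockout Duration" (assumed value)
    repeat_lockouts: int = 2             # lockouts that trigger the longer stage (assumed)
    repeat_window: int = 24 * HOUR       # window for "Increase Login attempts" (assumed)
    extended_seconds: int = 24 * HOUR    # "Increase Lockout Duration" (assumed value)
    retries_reset: int = 12 * HOUR       # "Retries Reset Duration" (assumed value)


@dataclass
class Record:
    failures: list = field(default_factory=list)   # timestamps of counted failures
    lockouts: list = field(default_factory=list)   # timestamps at which lockouts began
    locked_until: int = 0
    phase: int = 0                                  # 0 = not locked, 1 = short, 2 = extended


class LoginLimiter:
    """Tracks failed logins per username; all timestamps are plain seconds."""

    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.records = {}

    def is_locked(self, key, now):
        rec = self.records.get(key)
        return rec is not None and now < rec.locked_until

    def record_failure(self, key, now):
        p = self.policy
        rec = self.records.setdefault(key, Record())
        if now < rec.locked_until:
            return "locked"                 # rejected outright, not counted again
        # Retries reset: a long quiet period forgets earlier mistakes.
        if rec.failures and now - rec.failures[-1] >= p.retries_reset:
            rec.failures.clear()
        rec.failures.append(now)
        if len(rec.failures) < p.max_attempts:
            return "counted"
        # Attempt limit reached: start a lockout and decide which stage applies.
        rec.failures.clear()
        rec.lockouts = [t for t in rec.lockouts if now - t < p.repeat_window]
        rec.lockouts.append(now)
        if len(rec.lockouts) >= p.repeat_lockouts:
            rec.phase, rec.locked_until = 2, now + p.extended_seconds
            return "phase2"
        rec.phase, rec.locked_until = 1, now + p.lockout_seconds
        return "phase1"

    def record_success(self, key, now):
        # Assumption: a successful login clears the failure counter but keeps the
        # lockout history, so repeat offenders still escalate.
        if self.is_locked(key, now):
            return False
        if key in self.records:
            self.records[key].failures.clear()
        return True


def replay(events, policy=None):
    """Feed (timestamp, username) failures through a fresh limiter."""
    limiter = LoginLimiter(policy)
    return [limiter.record_failure(user, t) for t, user in events]


# Constructed sample: "alice" is guessed at repeatedly, "bob" mistypes his
# password three times, walks away for 12 hours, then mistypes again.
ALICE = [(0, "alice"), (60, "alice"), (120, "alice"), (180, "alice"),
         (200, "alice"),
         (800, "alice"), (860, "alice"), (920, "alice"), (980, "alice")]
BOB = [(0, "bob"), (60, "bob"), (120, "bob"),
       (120 + 12 * HOUR, "bob"), (180 + 12 * HOUR, "bob"), (240 + 12 * HOUR, "bob")]

if __name__ == "__main__":
    print(replay(ALICE))
    print(replay(BOB))
```

Because the retries reset wipes the counter after a quiet period, guesses spaced further apart than that period never reach the attempt limit, which is worth keeping in mind when choosing a short reset value.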
#### Recovery URL

Use this link if you ever get locked out of your account. So please keep it private and store it somewhere safe offline. Please follow these steps carefully:

- Generate Key: Click the Generate Key button. The plugin will create a secret link just for you.
- Copy: Click the Copy button to save that link to your computer's clipboard.
- Save It Somewhere Safe: This is the most important step. Paste that link into a document on your computer, write it in a notebook, or save it in a password manager.

Important Warning: Do not lose this link. If you get locked out, this is the only way you can get back in to manage your site. Keep it private and do not share it with anyone.

NOTE: Once you have these settings how you like them, click Save Changes.

#### Lockout Notifications

The switch controls the configuration setting.

##### Notification Email

Enter the email address where you want to receive these alerts. After you type your email, click the "send text" button. It will send a test email to make sure everything is working correctly. Check the Spam folder if it's not found in the inbox.

##### Notify On

- User Lockout: Sends an email when someone is blocked for trying the wrong password too many times.
- Extended Lockout: Sends an email when a persistent hacker is blocked for a long time (usually because they kept trying to break in).
- Recovery URL Used: Sends an email if someone uses the secret "Emergency Unlock Key."

##### Email Rate Limit

If your site is under attack, you might get hundreds of alerts in a few minutes. This setting stops that. It limits the emails to 10 (default) per hour. This way, you stay informed, but your inbox doesn't get completely clogged up.

Once you have your email address set and your choices made, click Save Changes at the bottom of the page.

#### Locked Users

This table shows users locked out for too many login failures. You can unlock them manually here.

At the top of the list, you will see tabs labeled "All," "Phase 1," and "Phase 2." These simply separate users based on how long they are locked out for.

- All: Shows everyone combined.
- Phase 1: These are people who made a few mistakes. They are locked out for a short time (like 10 minutes).
- Phase 2: These are people who kept trying to break in. They are "Serious Offenders" and are locked out for a much longer time.

##### Manually Unlocking a User

Sometimes, a real person might forget their password and get locked out by mistake. If this happens, you can let them back in early.

- Step 1: Find the username in the list and check the box next to their name.
- Step 2: Look for the box that says "Select Option." Click it to open the menu.
- Step 3: Choose "Unlock selected users" from the list that appears.
- Step 4: Click the blue "Apply" button.

The user will be able to log in again immediately after you do this.

##### Other Tools

- Search Box: If you have a long list, type a username here to find them quickly.
- Refresh: Click this if you want to update the list to see the very latest status.

### URL - Request Guard

#### Enable URL Guard

At the top, you will see a switch labeled Enable URL Guard. What it does: When this is turned ON (showing blue/green), your site is actively protected against common attacks that try to sneak in through URLs.

#### Request Methods

This section lets you choose "how" information is sent to your website.

- The Default: Most websites only need the standard methods (like GET and POST) to work perfectly. The plugin handles this automatically.
- The Dropdown Menu: You will see a list that includes options like PUT, PATCH, DELETE, etc.

Important Warning: If you select methods other than the standard ones (like PUT or PATCH), you might accidentally lock yourself out of your own website dashboard. If this happens: You would need to delete a specific log file in your database to get back in. It is much safer to leave this setting on its default options!

#### IP Whitelist Bypass

Think of this as your "VIP List."

- What it does: If you add an IP address here, the URL Guard will never block that person, no matter what.
- Why use it: This is useful if you have a specific office computer or a developer who needs access to the site and you want to make sure they never get stopped by the security guard by mistake.

#### Log Retention

This setting decides how long the plugin remembers (keeps a record of) the attacks it stops. The plugin will save a history of blocked requests for a month.

#### Save and Clear

Always click this button if you make any changes to the settings above.

#### Request History

This page keeps a list of the requests (visits) that your plugin has checked.

##### Dashboard Stats (At the Top)

Right in the middle of the screen, you will see two big numbers. These give you a quick "health check" of your site's traffic.

- Today's Requests
- Requests in Last 7 Days

##### Test URL

##### The Request Logs Table

Below the numbers, you will see a detailed table. This is the main record of specific events. Here is what each column means:

- Path
- Query Params
- Date
- Status

##### Navigating the List

If you have a lot of logs, you won't be able to see them all on one screen. Look at the bottom of the table. You will see buttons or page numbers (e.g., Page 1 of 5). Click these to flip through the pages of history, just like turning pages in a notebook.

##### Managing Your Logs

If your list gets too long, or if you just want to clean things up, you can manage the data here.

- Delete: You can select specific items (or all items) and delete them. This is useful if you want to clear out old records to make the list easier to read.
- Refresh: If you are waiting to see new activity, click the refresh button to update the list.

Note: It is a good idea to check this page every now and then. If you see the same strange "Path" showing up many times in a row, it might mean someone is trying very hard to find a way in.

#### Query String Filtering

This page is where you can set up specific "Banned Words" or codes for your website's links.
It sounds technical, but the idea is simple: if you know a specific code that hackers use, you can tell the plugin to block it instantly. Here is a guide to using this page.

##### Query String

Before you use this page, it helps to know what we mean by "Query String." Think of a URL (a web address) like a letter sent to your website. Sometimes, that letter has a P.S. at the end, like ?id=123 or ?search=shoes. That part after the question mark is the Query String. Hackers often try to hide dangerous codes inside this "P.S." section. This page helps you catch them.

##### Adding a New Rule

In the middle of the page, you will see a large empty text box.

- How to use it: If you have a specific code or text string that you want to ban (for example, a suspicious word you found in your logs), type it into this box.
- Submit: Once you have typed the code, click the Submit button.
- What happens next: The plugin will remember this code. If anyone tries to use it in a link on your site, the plugin will block them immediately to keep you safe from things like SQL Injection (a type of attack).

##### The Query Strings List

Below the input box, there is a section that lists all the rules you have created.

- Current Status: Right now, it says "No Query Strings found."
- What this means: You haven't added any banned words yet, so the list is empty. This is perfectly normal!
- Future Use: As you add rules using the box above, they will appear here in a list. You can come back to this list later if you want to delete old rules you don't need anymore.

This page gives you extra control. While the plugin does a lot of work automatically, this feature lets you say, "Block THIS specific thing, no matter what." It is a powerful tool to stop specific attacks that target your website.

#### User Agent Filtering

This page helps you stop bad robots and annoying crawlers from visiting your website. To understand how this works, imagine that every visitor to your site is wearing a Name Tag.

##### What is a "User Agent"?
In the computer world, a "User Agent" is just that: a digital name tag. When a real person visits your site using Google Chrome, their name tag says something like "Chrome Browser." When a search engine (like Google) visits your site to read your pages, their name tag says "Google Bot." However, some bad robots wear "fake name tags" or use specific names to try and sneak in. This page lets you ban specific name tags.

##### Blocking a Bad Bot

In the middle of the page, you will see an empty box and a Submit button. This is where you tell the plugin which name tags to ban.

- How to use it: If you know a specific name or keyword that a bad bot uses (for example, a tool that scrapes content or spams your site), type it into this box.
- Why use keywords: You don't always need the exact name. You can type just a part of the name. If a bot's name tag contains that word, it will be blocked.
- Submit: After typing the word, click the Submit button to add it to your block list.

##### The User Agents List

Below the input box, you will see a section labeled User Agents.

- Current Status: It currently says "No user agents found."
- What this means: You haven't added any bots to your block list yet. This is completely normal!
- Future Use: Once you start adding rules using the box above, they will appear in this list. You can look here anytime to see exactly which name tags you have banned.

##### Time Filters (Today, Past 7 Days)

Above the list, you will see options to filter by time, such as Today or Past 7 Days.

- What they do: These buttons act like a pair of glasses that help you focus on a specific time period.
- How to use them: If you have been using the plugin for a long time and have a big list, you can click "Today" to only see things that happened in the last 24 hours. It helps you keep track of recent activity.

##### Bulk Actions

If you end up with a long list of blocked bots and want to clean it up, you can use the Bulk Action menu.

- How to use it: Select the items you want to change from the list.
- Choose an action: Pick what you want to do with them (like Delete).
- Apply: Click the Apply button to make it happen.

Think of this page as the Bouncer at a club. If someone shows up with a name tag you don't like, the Bouncer stops them at the door.

### Email & Address Blacklist

#### Email Blacklist

This page helps you control who is allowed to sign up or interact with your website based on their email address.

##### Email Enable Blacklist

By enabling this switch, you can add email addresses you want to block.

##### Blocking these email addresses

Type the email address you want to ban. After typing the email, click the Submit button.

##### Blocked List

Below the input box, you will see a list area. Blocked emails will appear in this list. You can check this list to see which email addresses are currently banned. You can delete the email address from the block list. Use the search box at the top right to find email addresses fast. You can also tap the refresh button to update your block list right away. Once deleted, that person will be able to sign up again.

#### Address Blacklist

Block certain addresses at forms and checkout to keep your store safe.

##### Enable Address Blacklist

At the very top of the page, you will see a switch labeled "Enable Address Blacklist." This activates the protection.

##### Similarity Percentage

Below the main switch, you will see a setting called Similarity Percentage, set to 60%. This setting tells the plugin: "If a new address looks more than 60% like a blacklisted address, block it."

##### Adding a Suspicious Address

In the middle of the page, you will see a form to add an address. Enter the details of the address you want to block.

- Address 1 & 2: The street address (Required).
- City: The city name (Required).
- State: The state or region (Required).
- Postcode: The zip or postal code (Required).
- Country: The country (Required).

NB: Once you have filled in the boxes, click the Add to Blacklist button. That address is now banned.
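To see what a similarity threshold does in practice, here is an added example that is not the plugin's code. The page does not say how similarity is measured, so this sketch assumes a character-level ratio (Python's `difflib.SequenceMatcher`) over a normalised one-line form of the address; the abbreviation table and all four addresses are constructed.

```python
import re
from difflib import SequenceMatcher

FIELDS = ("address_1", "address_2", "city", "state", "postcode", "country")
# Assumed normalisation table: common spellings folded to one form.
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave",
                 "lane": "ln", "apartment": "apt"}


def normalise(addr):
    """Lowercase, strip punctuation, fold abbreviations, join fields into one line."""
    text = " ".join(str(addr.get(f, "")) for f in FIELDS).lower()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(ABBREVIATIONS.get(word, word) for word in text.split())


def similarity(a, b):
    """Similarity of two addresses as a percentage (0 to 100)."""
    return 100 * SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def is_blocked(addr, blacklist, threshold=60):
    """Block when the address is MORE than `threshold` percent like any entry."""
    return any(similarity(addr, entry) > threshold for entry in blacklist)


def address(a1, a2, city, state, postcode, country):
    return dict(zip(FIELDS, (a1, a2, city, state, postcode, country)))


# Constructed sample data.
BLACKLISTED = address("12 Example Street", "Apt 4", "Springfield", "IL", "62701", "US")
VARIANT = address("12 example st.", "Apartment 4", "SPRINGFIELD", "il", "62701", "us")
NEIGHBOUR = address("48 Orchard Ln", "", "Springfield", "IL", "62701", "US")
UNRELATED = address("900 Harbor Way", "", "Portland", "OR", "97201", "US")

if __name__ == "__main__":
    for name, addr in (("variant", VARIANT), ("neighbour", NEIGHBOUR),
                       ("unrelated", UNRELATED)):
        print(name, round(similarity(addr, BLACKLISTED), 1),
              is_blocked(addr, [BLACKLISTED]))
```

Under this assumed metric the respelled variant is caught, but so is a different street in the same city and postcode, because the shared city, state, postcode and country already account for most of the string. Review what a low threshold actually blocks before relying on it.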
##### Viewing Blocked Addresses

The bottom part of the page shows the history of what has happened.

- Time Filters: You can click Today, Last 7 days, or This Month to see only the activity from that specific time.
- The Table: The table shows the details (Address, City, State, Postcode) of any addresses that have been flagged.

At the very bottom of the page, you will see action buttons to apply settings: Save Changes or Discard Changes.

- Published: 2026-01-25
- Modified: 2026-04-07
- URL: https://docs.wpultimatesecurity.com/docs/getting-started/installation/
- Docs Categories: Getting Started
- Docs Tags: Beginner

You can install the plugin in two ways. The easiest way is through the WordPress Dashboard.

#### Method 1: Install via WordPress Dashboard (Recommended)

- Log in to your WordPress Dashboard.
- Navigate to Plugins → Add New.
- In the search bar (top right), type "wpultimatesecurity"
- Find the plugin "WP Ultimate Security--Firewall, Login Security, 2FA Protection & More" by wpultimatesecurity.
- Click the Install Now button.
- Once the installation is complete, press Activate.

#### Method 2: Manual Zip file Download

- Download the plugin zip file from the WordPress repository.
- Log in to your WordPress dashboard → Plugins → Add Plugins → Upload.
- Select the downloaded zip file from your computer, then upload it, and WordPress will automatically install it.
- Once the installation is complete, click to activate the plugin

- Published: 2026-01-25
- Modified: 2026-05-14
- URL: https://docs.wpultimatesecurity.com/docs/dashboard/dashboard/
- Docs Categories: Dashboard
- Docs Tags: Beginner

Once the plugin is activated, you will see a new menu item in your WP dashboard called Ultimate Security. Click on it to enter the plugin's dashboard. This is the first screen; you will see a greeting pop-up. After heading to the next steps, the "Just an emergency" pop-up will appear. It will provide you with an emergency URL that deactivates the plugin if you encounter any issues.
Here is the first dashboard you will be exploring: It provides a real-time data of your website's security.   Top right, you will find a refresh button to update all the cards. Security Level At the top left corner, you will see "Security Level. " The Security Level displays the current protection status of your system, providing a clear visual representation of your security posture. Protection Status: Shows whether your system is currently "PROTECTED" or requires attention Security Level Progress: Displays your current level and overall progression Security Points: Shows your accumulated security points Blocking Issues: Identifies any items preventing you from reaching higher security levels Press on 'View Details' button for more security info. Current Security Level The Security Level provides a detailed analysis of your website's security posture. It breaks down your protection into different categories and priorities. Requirements for Hardened This section shows what you need to complete strengthening your website's security: CAPTCHA Protection: It prevents automated bots and spam attacks Password Policy: It ensures strong password requirements Score Breakdown These are essential security measures that significantly impact your protection: Two-Factor Authentication SSL/HTTPS Login Rate limiting These three security options add up to 45 points overall High Priority Important security features that provide substantial protection including: CAPTCHA Protection Password Policy WordPress Core Updated These three security options add up to 30 points overall Medium Priority These medium-priority security options include: All Plugins Updated Audit Logs File Integrity Monitoring Both combine for 15 points Additional Hardening These are optional security features,; Hide Login URL Disable File Editing API Privacy Content Protection Custom Login Consent Total 10 points will be added when you enable all of them Issue Counters and Critical Threats Near the "Security Level," 
there are four important indicators that help you prioritize your actions:

- Issues Found: Shows recommendations or vulnerabilities that are not currently active threats but pose a risk if left unaddressed.
- Critical Threats: Counts the immediate, high-risk dangers currently detected on your site.
- Outdated Plugins: Shows how many of your installed plugins are currently running old versions.
- Failed Logins: Counts how many times someone recently tried to log in to your website but failed to access it.

#### Site Health

This section shows your website's overall health.

- WP Health: Depends on PHP version, security scans, and system configuration.
- SSL: Checks whether your site has a security certificate.
- Response: Tracks how quickly your site starts loading.

#### File Integrity

This section acts like a security guard. It monitors WordPress's core files. The purple button will show you exactly which file is different. You can then see whether it is a safe change or whether you need to delete it to protect your site.

##### "View Results" Button

This screen appears after clicking the View Results button. It presents a detailed report on any files that have been changed, added, or removed from your WordPress installation.

##### Scan Summary

At the top of the page, you will see a quick summary of the findings based on the scan time.

- Modified: Indicates whether any modified files have been detected.
- Missing: Shows whether any files are missing.
- Unknown: Indicates whether there are any unfamiliar files.
- Total issues: The sum of all issues found.

Important Note: You will see a yellow notification box on this screen. Not all modified files are malicious. Sometimes, changes are made by legitimate plugins or themes you installed. Check 'Unknown' files to ensure they belong to a trusted plugin. If they aren't recognized, investigate or delete them.

##### File List Details

A list displays the specific files that triggered the alert. Using the search box to find a specific file can save time.
- File Name: Shows the file
- Status: Indicates the type of change.
- Risk: Indicates the threat level.
- Size: Shows the size of the file

Action Buttons: At the bottom of the screen, you have three options:

- Export Report: Download your scan report.
- Rescan: Run a rescan to update your results after fixing or deleting files.
- Close: Click this to return to the main Dashboard.

#### Server Protection

The Server Protection component highlights security measures that can be implemented at the infrastructure level, independent of the WordPress application. Adding these layers ensures that malicious traffic is mitigated before it interacts with your site's codebase.

- Cloudflare: A free service that blocks malicious traffic before it even reaches your server
- Fail2ban: A server-side tool that automatically bans IP addresses after too many failed login attempts

#### Who’s Online

The Who’s Online feature in Ultimate Security provides a real-time overview of everyone currently logged into your WordPress site. This tool is essential for monitoring site activity and ensuring that only authorized users are accessing your dashboard.

This feature requires WordPress 7.0 or higher. If you see an "Upgrade Required" message, please update your WordPress core.

##### Key Components

- Real-Time Status: The "Live" indicator shows that the data is being updated automatically. You can also manually refresh the list using the Refresh Icon next to the timestamp.
- Active User Count: Shows you exactly how many people are online at a glance.
- Search & Filter: Use this to find a specific user.
- Status Dropdown: Filter users based on their current activity status.
- User Cards: Each active user is displayed with their name, current status, and exactly where they are on your site. It also shows the last time their activity was recorded.

##### How to Use This Section

- Monitor Team Activity: If you have multiple editors or administrators, you can see who is currently making changes to prevent overlapping work.
- Security Auditing: Check the "All Admin" filter regularly. If you see an administrator account online that shouldn't be, it may be a sign of a compromised account.
- Track Locations: By observing the location data in the search/filter area, you can verify whether users are logging in from recognized regions or IP addresses.

#### Bottom Cards

##### Access Logs

The Access Logs panel on your main dashboard provides an immediate snapshot of recent login activity.

- Green Checkmark: Indicates a successful login.
- Red Warning Icon: Indicates a failed login attempt.

Each entry displays the username used and the time elapsed since the attempt. Clicking the eye icon opens the Review Access Activity window, where you can see the full log data. The activity table provides several columns of data for every event:

- Type a specific username, IP address, or device type into the search box to filter the results instantly.
- Use the category buttons to view All, Successful, Failed, or Logout events individually.
- A clear label showing whether the attempt was successful or failed.
- The specific account name that was entered.
- The IP address of the visitor.
- The precise date and timestamp of the activity.
- Details regarding the visitor's browser and platform.

##### Plugin Updates

This section shows any available updates for your plugins.

##### Critical Threats

This section displays critical security threats found on your website.

##### Quick Action

This section provides easy access to the most important security features of your WordPress site. These are common security tasks that you can set up quickly with just a few clicks.
- Enable 2FA
  - Adds an extra layer of security to your login process
  - Requires a second verification step when logging in
  - Click "Configure" to set up two-factor authentication
- Brute Force Protection
  - Blocks repeated login attempts from suspicious sources
  - Prevents automated password guessing attacks
  - Click "Configure" to enable this protection
- Limit Login Attempts
  - Restricts the number of failed login tries
  - Helps prevent brute force attacks on your login page
  - Click "Configure" to set your preferred limits
- Hide Login URL
  - Changes the default WordPress login path (wp-login.php)
  - Makes it harder for attackers to find your login page
  - Click "Configure" to set a custom login URL
- Disable File Editing
  - Prevents unauthorized changes to your theme and plugin files
  - Adds an extra security layer to your site's core files
  - Click "Configure" to enable this protection

Each action has a "Configure" button that will take you to the specific settings page where you can customize that security feature according to your needs. These quick actions help you strengthen your site's security without needing to navigate through multiple menus.

##### Security Recommendations

This section shows important security improvements for your WordPress site. The plugin analyzes your current security setup and recommends actions to make your site more secure.

##### System Information

The System Information card provides an overview of the current WordPress environment and the Ultimate Security plugin's active configuration. This component is designed for quick diagnostics and environment verification.
You will see the following:

- WordPress Version
- PHP Version
- Active Plugins
- Active Theme
- Database Version
- Memory Limit
- HTTPS Status
- Plugin Version

At the bottom of the card, you'll find two functional buttons:

- Full Site Health: Accesses the detailed WordPress health report page
- Debug Info: Displays comprehensive site health information specific to the plugin

This card serves as a quick reference for monitoring your WordPress environment and accessing deeper diagnostic tools when needed.

- Published: 2026-01-25
- Modified: 2026-01-25
- URL: https://docs.wpultimatesecurity.com/docs/getting-started/system-requirements/
- Docs Categories: Getting Started
- Docs Tags: Beginner

Before installing WP Ultimate Security, please ensure your server meets the following minimum requirements:

- WordPress Version: 5.8 or greater
- PHP Version: 8.1 or greater