Documentation

for WP Security Safe


Security Policies

What is a security policy?

In the context of the WP Security Safe plugin, a security policy is a specific rule or feature that protects your website. An example of a security policy would be “Disable XML-RPC”. Enabling this policy would help protect your site from brute force attacks via the built-in WordPress XML-RPC remote access method.

All of the plugin security policies have been organized into 5 groups: Privacy, Files, Access, Content, and Firewall. The icon menu at the top of every WP Security Safe admin page will help you easily navigate between these categories.

Security policy groups identified in the top icon menu.
The icon menu is displayed at the top of WP Security Safe admin pages.

If you are troubleshooting a potential issue with the plugin’s security policies or need to quickly and temporarily disable multiple policies at once, you have three options:

  1. Disable All Security Policies
  2. Disable A Security Policy Group
  3. Disable A Specific Policy

Disable All Security Policies

Warning: If you disable all security policies, the Firewall will be disabled, leaving your site unprotected.

Navigate to the Plugin page by clicking on the “Plugin” icon in the icon menu at the top of any WP Security Safe admin page or by clicking on the top-level “WP Security Safe” menu located in the left WordPress admin menu panel.

On the Plugin page within the Settings tab, you will notice a section called General Settings. Within that section, change the All Security Policies setting from Enabled to Disabled, then scroll to the bottom of the page and click the Save Settings button.

Plugin admin page shows the Settings tab with the option to disable All Security Policies.
It is rare that you would ever need to disable all policies. This is typically used by the plugin author to troubleshoot issues.

Once the settings have been saved, all policies within the Privacy, Files, Access, Content, and Firewall categories will be disabled. You should see a confirmation notice at the top of the page confirming that the settings have been successfully saved and another warning you that all policies are currently disabled. If you are using a caching plugin, clear your cache to make sure the changes take effect.

Plugin admin page displaying a message saying "Your settings have been saved." and a warning, "WP Security Safe: All security policies are disabled."
The warning notice will be visible on all WordPress admin pages including those outside of the scope of the plugin’s pages. This should help prevent the user from accidentally leaving the website in a vulnerable state long-term.

Disable A Security Policy Group

If you need to disable multiple security policies at once, you can disable an entire policy group: Privacy, Files, Access, Content, or Firewall. Disabling an entire group will disable all policies and functionality related to that group.

Notice: If a group policy is disabled, WP Security Safe will not load any code to control or execute the policies within that group. More info: Security Policy Groups: Policies And Functionality Disabled

To disable an entire group, navigate to the group using the icon menu at the top of one of the plugin admin pages. At the top of the Settings tab, change the specific policy group from Enabled to Disabled, then scroll to the bottom of the page and click Save Settings.

Privacy admin page displaying the option to disable all Privacy Policies.
This is an example of how to disable the specific security policy group: Privacy. Each policy group has a similar option located towards the top of the Settings tab on the group’s specific admin page.

Once you have saved the settings, the page displays a notice at the top of the page confirming that the settings were saved successfully and a warning informing you that the particular security policy group is disabled. If you are using a caching plugin, clear your cache to make sure the changes take effect.

Security Policy Groups: Policies And Functionality Disabled

Privacy Group

Disabling the Privacy security policy group will disable the following policies and functionality:

  • WordPress Version – Hide WordPress Version Publicly
  • WordPress Version – Hide WordPress Version in Admin Footer
  • Script Versions – Hide Script Versions
  • Website Information – Make Website Anonymous
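
One way to confirm from a rendered page whether the two version-hiding policies above are in effect, for example after clearing a cache. This is an added example, not code from the plugin or its documentation. It assumes WordPress's default markup (a `generator` meta tag and `?ver=` query strings on scripts and stylesheets) and that "hidden" means these no longer appear; the page does not say how the plugin implements the policies, and both sample pages are constructed.

```python
import re
from html.parser import HTMLParser


class VersionLeakAudit(HTMLParser):
    """Collects markup that the Privacy group's version policies are meant to hide."""

    def __init__(self):
        super().__init__()
        self.generator = None        # content of <meta name="generator">, if present
        self.versioned_assets = []   # script/stylesheet URLs that carry ?ver=

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url and re.search(r"[?&]ver=[^&#]+", url):
            self.versioned_assets.append(url)


def audit(html):
    """Return the version-disclosure findings for one rendered page."""
    parser = VersionLeakAudit()
    parser.feed(html)
    parser.close()
    return {
        "wordpress_version_public": parser.generator is not None,
        "generator": parser.generator,
        "script_versions_public": bool(parser.versioned_assets),
        "versioned_assets": parser.versioned_assets,
    }


# Constructed sample pages (not captured from a real site).
POLICIES_OFF = """<html><head>
<meta name="generator" content="WordPress 6.0" />
<link rel="stylesheet" href="/wp-includes/css/a.css?ver=6.0" />
<script src="/wp-includes/js/b.js?ver=1.2.3"></script>
</head><body></body></html>"""

POLICIES_ON = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/a.css" />
<script src="/wp-includes/js/b.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, page in (("policies off", POLICIES_OFF), ("policies on", POLICIES_ON)):
        print(label, audit(page))
```

If a page still reports findings after the policies are saved as enabled, a cached copy of the page is the first thing to rule out.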

Files Group

Disabling the Files security policy group will disable the following policies and functionality:

  • Dev Core Updates – Automatic Nightly Core Updates
  • Major Core Updates – Automatic Major Core Updates
  • Minor Core Updates – Automatic Minor Core Updates
  • Plugin Updates – Automatic Plugin Updates
  • Theme Updates – Automatic Theme Updates
  • Theme File Editing – Disable Theme Editing
  • WordPress Version Files – Prevent Access
  • Plugin Version Files – Prevent Access
  • Theme Version Files – Prevent Access

Notice: The tabs Core, Theme, Uploads, and Plugins which display files and their permissions will continue to work. You will still be able to manually change file permissions on these tabs with the Files policy group disabled.

Access Group

Disabling the Access security policy group will disable the following policies and functionality:

  • Login Errors – Make login errors generic
  • Password Reset – Disable Password Reset
  • Remember Me – Disable Remember Me Checkbox
  • Local Logins – Only Allow Local Logins
  • XML-RPC – Disable XML-RPC

Notice: The Logins tab will continue to function fully and all login attempts will continue to be logged with the Access policy group disabled. Of course, malicious login attempts will only be blocked by active security policies.

Content Group

Disabling the Content security policy group will disable the following policies and functionality:

  • Highlight Text – Disable Text Highlighting
  • Right-Click – Disable Right-Click
  • Hide Posts – Hide All Protected Posts

Notice: The 404 Errors tab will continue to function and log 404 errors with the Content group policy disabled. 404 error logging cannot be disabled within the plugin.

Firewall Group

Disabling the Firewall security policy group will disable the following policies and functionality:

  • Whitelisted IP Addresses
  • Blacklisted IP Addresses
  • Automatic Blacklisting IP Addresses

Notice: The Threats tab will continue to log all threats and those blocked by active security policies. The Allow / Deny IP tab will continue to allow the user to add and remove IP addresses to the list. However, none of the entries will be actively enforced while the Firewall group policy is disabled.

Disable A Specific Security Policy

Navigate to a specific policy group of your choice using the top icon menu. On the policy group admin page be sure to click on the Settings tab if it is not already selected. As you scroll down the content of the tab, you will see various policies listed. You can uncheck a specific policy to disable or turn it off and then scroll to the bottom of the page and click Save Settings. The page will then display a message at the top of the screen confirming that your settings have been saved. If you are using a caching plugin, clear your cache to make sure the changes take effect.
