Security Policies
What is a security policy?
In the context of the WP Security Safe plugin, a security policy is a specific rule or feature that protects your website. An example of a security policy would be “Disable XML-RPC”. Enabling this policy would help protect your site from brute force attacks via the built-in WordPress XML-RPC remote access method.
All of the plugin security policies have been organized into 5 groups: Privacy, Files, Access, Content, and Firewall. The icon menu at the top of every WP Security Safe admin page will help you easily navigate between these categories.
If you are troubleshooting a potential issue with the plugin’s security policies or need to quickly and temporarily disable multiple policies at once, you have three options:
Disable All Security Policies
Warning: If you disable all security policies, the Firewall will be disabled, leaving your site unprotected.
Navigate to the Plugin page by clicking on the “Plugin” icon in the icon menu at the top of any WP Security Safe admin page or by clicking on the top-level “WP Security Safe” menu located in the left WordPress admin menu panel.
On the Plugin page within the Settings tab, you will notice a section called General Settings. Within that section, change the setting All Security Policies from Enabled to Disabled, then scroll to the bottom of the page and click the Save Settings button.
Once the settings have been saved, all policies within the Privacy, Files, Access, Content, and Firewall categories will be disabled. You should see a notice at the top of the page confirming that the settings have been successfully saved and a second notice warning you that all policies are currently disabled. If you are using a caching plugin, clear your cache to make sure the changes take effect.
Disable A Security Policy Group
If you need to disable multiple security policies at once, you can disable an entire group: Privacy, Files, Access, Content, or Firewall. Disabling an entire group will disable all policies and functionality related to that group.
Notice: If a group policy is disabled, WP Security Safe will not load any code to control or execute the policies within that group. More info: Security Policy Groups: Policies And Functionality Disabled
To disable an entire group, navigate to the group using the icon menu at the top of one of the plugin admin pages. At the top of the Settings tab, change the specific policy group from Enabled to Disabled, then scroll to the bottom of the page and click Save Settings.
Once you have saved the settings, the page displays a notice at the top of the page confirming that the settings were saved successfully and a warning informing you that the particular security policy group is disabled. If you are using a caching plugin, clear your cache to make sure the changes take effect.
Security Policy Groups: Policies And Functionality Disabled
Privacy Group
Disabling the Privacy security policy group will disable the following policies and functionality:
- WordPress Version – Hide WordPress Version Publicly
- WordPress Version – Hide WordPress Version in Admin Footer
- Script Versions – Hide Script Versions
- Website Information – Make Website Anonymous
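A quick check that the Privacy group is back in effect after troubleshooting, written as an added example that is not part of the plugin or its documentation. It scans rendered page markup for version disclosure, assuming a leak shows up as a dotted version number in a generator meta tag or in a `ver=` query string on a script or stylesheet URL; both sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: a disclosed version looks like a dotted number such as 6.4.2.
DOTTED_VERSION = re.compile(r"\d+(?:\.\d+)+")

class VersionLeakParser(HTMLParser):
    """Collects version strings visible in a rendered page's markup."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        # Generator meta tag, e.g. content="WordPress 6.4.2"
        if tag == "meta" and a.get("name", "").lower() == "generator":
            if DOTTED_VERSION.search(a.get("content", "")):
                self.findings.append(("generator", a["content"]))
        # Script and stylesheet URLs that carry ?ver=<dotted version>
        url = {"script": a.get("src"), "link": a.get("href")}.get(tag)
        if url:
            for ver in parse_qs(urlparse(url).query).get("ver", []):
                if DOTTED_VERSION.fullmatch(ver):
                    self.findings.append(("asset", url))

def find_version_leaks(html):
    """Return (kind, value) pairs for each version disclosure in the markup."""
    parser = VersionLeakParser()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: page rendered with the Privacy group disabled.
PAGE_GROUP_DISABLED = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/style.min.css?ver=6.4.2" />
<script src="https://example.test/wp-content/plugins/demo/app.js?ver=1.3.0"></script>
</head></html>"""

# Constructed sample: same page with no dotted versions exposed.
PAGE_GROUP_ENABLED = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-includes/css/style.min.css?ver=20240115" />
<script src="https://example.test/wp-content/plugins/demo/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for kind, value in find_version_leaks(PAGE_GROUP_DISABLED):
        print(f"{kind}: {value}")
```

Run it against the saved source of a page fetched after clearing any cache, since a cached copy can still show the old markup.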
Files Group
Disabling the Files security policy group will disable the following policies and functionality:
- Dev Core Updates – Automatic Nightly Core Updates
- Major Core Updates – Automatic Major Core Updates
- Minor Core Updates – Automatic Minor Core Updates
- Plugin Updates – Automatic Plugin Updates
- Theme Updates – Automatic Theme Updates
- Theme File Editing – Disable Theme Editing
- WordPress Version Files – Prevent Access
- Plugin Version Files – Prevent Access
- Theme Version Files – Prevent Access
Notice: The tabs Core, Theme, Uploads, and Plugins, which display files and their permissions, will continue to work. You will still be able to manually change file permissions on these tabs with the Files policy group disabled.
Access Group
Disabling the Access security policy group will disable the following policies and functionality:
- Login Errors – Make login errors generic
- Password Reset – Disable Password Reset
- Remember Me – Disable Remember Me Checkbox
- Local Logins – Only Allow Local Logins
- XML-RPC – Disable XML-RPC
Notice: The Logins tab will continue to function fully and all login attempts will continue to be logged with the Access policy group disabled. Of course, malicious login attempts will only be blocked by active security policies.
Content Group
Disabling the Content security policy group will disable the following policies and functionality:
- Highlight Text – Disable Text Highlighting
- Right-Click – Disable Right-Click
- Hide Posts – Hide All Protected Posts
Notice: The 404 Errors tab will continue to function and log 404 errors with the Content group policy disabled. 404 error logging cannot be disabled within the plugin.
Firewall Group
Disabling the Firewall security policy group will disable the following policies and functionality:
- Whitelisted IP Addresses
- Blacklisted IP Addresses
- Automatic Blacklisting IP Addresses
Notice: The Threats tab will continue to log all threats and those blocked by active security policies. The Allow / Deny IP tab will continue to allow the user to add and remove IP addresses on the list. However, none of the entries will be actively enforced while the Firewall group policy is disabled.
Disable A Specific Security Policy
Navigate to a specific policy group of your choice using the top icon menu. On the policy group admin page, be sure to click on the Settings tab if it is not already selected. As you scroll down the content of the tab, you will see various policies listed. Uncheck a specific policy to turn it off, then scroll to the bottom of the page and click Save Settings. The page will then display a message at the top of the screen confirming that your settings have been saved. If you are using a caching plugin, clear your cache to make sure the changes take effect.