wpmgr
Security Suite

WordPress security hardening and vulnerability scanning in one dashboard

Per-site hardening, IP ban lists, file integrity monitoring, vulnerability scanning via Wordfence Intelligence, and site-user 2FA, all opt-in and default-off, built so a mistake can never lock you out of your own sites.

Security plugins that are on by default and cannot be undone are a liability, not a safeguard

Hardening rules that cannot be reversed lock operators out of their own sites. Ban lists without an operator allow-list block the person managing the site. File integrity checks without a review workflow advance the baseline past unreviewed changes silently. WPMgr's security suite is default-off, every control has an explicit undo path, and the operator can always recover via wp-config constants.

How it works

Under the hood

The steps that make it work, and what each one does.

1

Enable hardening controls per site

Push hardening rules from the dashboard: disable the file editor, restrict XML-RPC and the REST API, force SSL with HSTS, block PHP in uploads, and protect system files. All controls are opt-in and can be reversed from the dashboard.

2

Manage the IP and user-agent ban list

Block individual IPs, CIDR ranges, and user agents at early-boot and at the web-server level. The operator allow-list is always honoured so a ban rule can never lock out the operator.

3

Scan for file changes and vulnerabilities

File hashes are compared against WordPress.org checksums for core, hosted plugins, and themes, and against a learned per-site baseline for everything else. Plugins, themes, and core are checked against the Wordfence Intelligence vulnerability feed with severity, affected version, and CVE references.

4

Enforce 2FA and password policy for site users

Require TOTP, email codes, or backup codes for chosen WordPress user roles, enforced at the login screen. Set a minimum password strength, block known-compromised passwords, and optionally expire passwords. Grace logins and wp-config recovery constants mean operators are never locked out.

Security overview2 findings
Hardening controls
File editor disabledON
XML-RPC restrictedON
PHP in uploads blockedON
SSL / HSTS enforcedON
REST API public accessOFF
Vulnerability findings
my-seo-plugin
mediumFix: 2.4.1
wp-core
lowFix: 6.5.4
File integrity scan
No changes detected

What's included

Every capability ships in the open-source release.

WordPress hardening controls

Disable the file editor, restrict XML-RPC and the REST API, force SSL with HSTS, block PHP in uploads, and protect system files. All opt-in and default-off.

IP and user-agent ban list

Block IPs, CIDR ranges, and user agents at early-boot and at the web-server level. The operator allow-list is always honoured so bans can never lock out the operator.

File integrity monitoring

Hashes compared against WordPress.org checksums and a learned per-site baseline. Changed, added, and removed files are reported and stay flagged until an operator explicitly reviews them.

Vulnerability scanner

Plugins, themes, and core checked against the Wordfence Intelligence vulnerability feed. One-click remediation updates the vulnerable component through the existing update flow. Requires a free Wordfence Intelligence API key.

Client-side encrypted backups

Optional end-to-end encryption for backups: the control plane stores only ciphertext and never holds the decryption key.

Password policy for site users

Set minimum strength, block compromised passwords via a privacy-preserving prefix query, block reuse, and optionally expire passwords with a forced-change screen.

FAQ

Questions answered

Common questions about this feature.

Self-host it, read the code, and run your whole fleet.

Free and open source. No per-site fee. The full release is on GitHub.