Documentation

Everything you need to know about installing, configuring, and using WP Folder Shield - the complete WordPress security solution with 30+ protection features.

Installation

WP Folder Shield can be installed like any other WordPress plugin. Follow these steps to get started:

Method 1: Upload via WordPress Admin

  1. Download the plugin ZIP file from your Customer Portal or purchase confirmation email
  2. Log in to your WordPress admin dashboard
  3. Navigate to Plugins → Add New → Upload Plugin
  4. Click Choose File and select the downloaded ZIP file
  5. Click Install Now and wait for the installation to complete
  6. Click Activate Plugin

Method 2: Upload via FTP

  1. Extract the plugin ZIP file on your computer
  2. Connect to your server using an FTP client (FileZilla, etc.)
  3. Navigate to /wp-content/plugins/
  4. Upload the wp-folder-shield folder
  5. Go to Plugins in WordPress admin and activate WP Folder Shield

Requirements: WordPress 5.0+, PHP 7.4+, Apache or LiteSpeed with mod_rewrite enabled

License Activation

After installation, you need to activate your license to enable all security features and receive updates.

  1. Go to WP Folder Shield → License in your WordPress admin
  2. Enter your license key (found in your purchase confirmation email)
  3. Click Activate License
  4. You should see a success message confirming activation

License Types

| Plan | Sites | Features |
| --- | --- | --- |
| Personal | 1 site | All security features |
| Professional | 5 sites | All features + Priority support + Multisite |
| Agency | Up to 100 | All features + Priority support + Multisite + White-label ready |

Note: Each site activation counts toward your license limit. Deactivate unused sites to free up slots.

Setup Wizard NEW

The Setup Wizard guides new users through initial configuration with security presets that match your needs.

Wizard Steps

  1. Welcome - Overview of WP Folder Shield features
  2. License Activation - Enter and validate your license key
  3. Protection Level - Choose from three security presets
  4. Login Security - Configure 2FA, custom login URL, notifications
  5. Firewall Options - Enable WAF, headers, upload scanner, threat intel
  6. Complete - View your security score and start protecting

Security Presets

Essential
  • Uploads protection
  • Basic firewall
  • Login protection
  • Version hiding
Recommended
  • Everything in Essential
  • wp-includes protection
  • Two-factor authentication
  • Auto-blocking
  • Security headers
  • Bot blocking
Maximum
  • Everything in Recommended
  • Admin assets protection
  • File editing disabled
  • File monitoring
  • REST API restriction
  • Upload scanner
  • Threat intelligence

The wizard automatically appears after plugin activation. You can skip it and configure settings manually if preferred.

Security Score Dashboard NEW

Get a comprehensive view of your site's security health with the Security Score feature. The score is calculated based on 7 security categories and provides actionable recommendations.

Score Categories & Weights

| Category | Weight | Checks |
| --- | --- | --- |
| License & Updates | 10% | Valid license, plugin up-to-date |
| Login Security | 20% | Brute force, 2FA, custom URL, reCAPTCHA, auto-block |
| Firewall & WAF | 15% | Firewall enabled, bot blocking, country blocking |
| WordPress Hardening | 15% | XML-RPC, version hiding, file editing, headers, REST API |
| File Protection | 15% | Uploads protected, upload scanner, core monitoring |
| Monitoring & Alerts | 15% | Email alerts, login notifications, traffic monitor, threat intel |
| Advanced Features | 10% | Form protection, Cloudflare, session timeout |

Grade Scale

A+ (90-100)
A (85-89)
A- (80-84)
B+ (75-79)
B (70-74)
C (55-64)
D (35-49)
F (0-34)

Track Progress: The Security Score is tracked daily for the last 30 days so you can see your improvement over time.

Directory Protection

The core feature of WP Folder Shield prevents PHP execution in directories that should only contain uploads and static files.

Protected Directories

  • wp-content/uploads - Blocks PHP malware in uploads
  • wp-content/cache - Protects cache directories
  • wp-includes - Prevents direct access to core files
  • wp-admin/css - Protects admin CSS directory
  • wp-admin/js - Protects admin JS directory
  • wp-admin/images - Protects admin images directory

How It Works

WP Folder Shield adds .htaccess rules that block PHP execution while allowing legitimate file types (images, CSS, JS) to be served normally.

# Example .htaccess rule added by WP Folder Shield
<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>
This protection works at the server level, meaning it has zero performance impact on your site.

Web Application Firewall (WAF)

The WAF inspects incoming requests and blocks malicious traffic before it reaches your WordPress installation. It includes 30+ attack patterns and 26 known malicious bot signatures.

Attack Types Blocked

SQL Injection (9 patterns)

UNION SELECT, information_schema, exec sp_, stacked queries, and more

XSS Attacks (5 patterns)

<script> tags, javascript: URLs, event handlers like onclick=

File Inclusion (8 patterns)

Path traversal (../), /etc/passwd, PHP wrappers (php://filter, php://input)

Command Injection (6 patterns)

Shell metacharacters (;, |, backticks), cat, ls, $() expressions

WordPress Specific (3 patterns)

wp-config.php access, eval/assert functions, base64_decode calls

Bad Bots (26 types)

scanners (masscan, nikto, nmap), sqlmap, AI bots (gptbot, claudebot), SEO scrapers

Sensitive Files Protected

The firewall automatically blocks access to sensitive files:

  • Configuration: wp-config-sample.php, .htaccess, .htpasswd, .env
  • Version control: .git, .svn
  • Package files: composer.json, package.json
  • Debug files: phpinfo.php, info.php, debug.php
  • WordPress: readme.html, license.txt, wp-admin/install.php

Login Security

Comprehensive protection for your WordPress login page against brute force attacks and unauthorized access attempts.

Brute Force Protection

Automatically limit failed login attempts and block attackers:

| Setting | Default | Description |
| --- | --- | --- |
| Max Login Attempts | 5 | Number of failed attempts before lockout |
| Lockout Duration | 30 minutes | How long the IP is locked out |
| Auto-Block Threshold | 10 attempts | Total attempts before automatic IP block |
| Auto-Block Duration | 24 hours | How long auto-blocked IPs stay blocked |

How Lockout Works

  1. Failed login attempt increments counter
  2. After 5 failures → temporary lockout (30 min)
  3. After 10 total failures → automatic IP block (24 hours)
  4. Blocked IPs reported to Threat Intelligence network

Custom Login URL

Hide your login page from automated attacks by changing the default wp-login.php URL:

  1. Go to WP Folder Shield → Settings → Login Security
  2. Enter your custom login slug (e.g., "my-secret-login")
  3. Save settings - your new login URL will be yoursite.com/my-secret-login

Important: Save your custom login URL! If you forget it, you'll need FTP access to disable the plugin.

Additional Features

  • Hide Login Errors - Don't reveal whether username or password was wrong
  • Login Activity Logging - Track all login attempts with IP, username, and timestamp
  • Failed Login Notifications - Get email alerts for suspicious activity
  • Disable XML-RPC - Block XML-RPC brute force attacks
  • Restrict REST API - Require authentication for REST API access

Two-Factor Authentication

Add an extra layer of security with TOTP-based (Time-based One-Time Password) 2FA, compatible with all major authenticator apps.

Compatible Apps

  • Google Authenticator - iOS and Android
  • Microsoft Authenticator - iOS and Android
  • Authy - iOS, Android, Desktop
  • 1Password - Built-in TOTP support
  • Any TOTP-compatible authenticator app

Technical Details

  • Base32 encoding for secrets
  • SHA-1 HMAC for code generation
  • 30-second time window with ±1 window for clock drift
  • 6-digit codes (000000-999999)
  • Timing-safe verification (prevents timing attacks)
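
The parameters listed above are those of RFC 6238 TOTP. The following Python code is an added example, not WP Folder Shield's own code (the plugin itself is PHP). The function names and the `last_used_counter` replay check are assumptions that go beyond what the page lists, and the test key is the published RFC 6238 one.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30    # time step from the list above
DIGITS = 6           # code length from the list above
DRIFT_STEPS = 1      # accept one step before and one step after the current one

# Published RFC 6238 test key (ASCII "12345678901234567890"), Base32-encoded.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Decode a Base32 secret, tolerating spaces, lowercase and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32, submitted, now=None, last_used_counter=-1):
    """Return the time-step counter that matched, or None when the code is rejected.

    Callers should test the result with `is not None` and store the returned
    counter per user, then pass it back as last_used_counter so that a code
    cannot be replayed inside its validity window (assumed hardening step).
    """
    if not (isinstance(submitted, str) and submitted.isascii()
            and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    key = decode_secret(secret_b32)
    current = int(time.time() if now is None else now) // STEP_SECONDS
    matched = None
    for counter in range(max(0, current - DRIFT_STEPS), current + DRIFT_STEPS + 1):
        # compare_digest takes the same time wherever the first mismatch is,
        # and the loop never exits early, so timing does not reveal which step matched.
        same = hmac.compare_digest(hotp(key, counter), submitted)
        if same and counter > last_used_counter:
            matched = counter
    return matched
```

With the ±1 window a code stays valid for up to 90 seconds in total, which is why the replay check matters more than it would with a single 30-second step.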

Setting Up 2FA

  1. Go to Users → Profile in WordPress admin
  2. Scroll to Two-Factor Authentication section
  3. Click Enable 2FA to generate your secret key
  4. Scan the QR code with your authenticator app
  5. Enter the 6-digit code displayed in your app to verify setup
  6. Save your 10 backup codes in a secure location

Backup Codes

When you enable 2FA, you'll receive 10 backup codes. Each code can only be used once:

  • Store backup codes in a secure location (password manager, safe)
  • Use a backup code if you lose access to your authenticator app
  • Generate new backup codes anytime from your profile page

Critical: If you lose both your authenticator app AND backup codes, you'll be locked out. Always save your backup codes!

IP Manager

Manually control which IP addresses can access your site with whitelist and blacklist functionality.

IP Whitelist

Whitelisted IPs will never be blocked by the firewall, login security, or country blocking:

  • Add your own IP address to prevent accidental lockouts
  • Add office or VPN IP addresses for trusted access
  • Supports individual IPs and CIDR notation (e.g., 192.168.1.0/24)
  • Add notes to each entry for reference

IP Blacklist

Permanently block malicious IP addresses:

  • Block individual IPs that are causing issues
  • Block entire IP ranges using CIDR notation
  • Blocked IPs receive a 403 Forbidden response
  • Optionally sync blocks to Cloudflare

Auto-Blocking

WP Folder Shield automatically blocks IPs that trigger security rules:

  • IPs blocked after exceeding failed login attempts
  • IPs blocked for firewall rule violations
  • Auto-blocks expire after 24 hours by default
  • View and manage auto-blocked IPs in the Security Logs

CIDR Notation: Use 192.168.1.0/24 to block/whitelist the entire range 192.168.1.0 - 192.168.1.255

Country Blocking

Block or allow traffic based on geographic location using GeoIP technology. Ideal for businesses that only serve specific regions.

Blocking Modes

Blacklist Mode

Block specific countries while allowing all others. Use when you want to block a few high-risk countries.

Whitelist Mode

Only allow specific countries while blocking all others. Use when you only serve specific regions.

How It Works

  • GeoIP lookup determines visitor's country from their IP address
  • Results are cached for 24 hours to improve performance
  • Blocked visitors see a customizable block message
  • Whitelisted IPs bypass country blocking

Example: If your business only serves the US, Canada, and UK, use Whitelist mode and select only those three countries.

Full Site Malware Scanner PRO

Comprehensive malware scanning of your entire WordPress installation with database-driven signatures and heuristic analysis.

Scan Types

Quick Scan

Fast scan of high-risk areas: plugins directory, uploads folder, and root directory. Best for routine checks.

Full Scan

Comprehensive scan of entire WordPress installation including themes, plugins, uploads, and core files.

Detection Methods

  • Signature Matching - 200+ malware signatures synced from Threat Intelligence
  • Heuristic Analysis - Detects unknown threats using behavior patterns
  • Entropy Detection - Identifies heavily obfuscated code (5.5+ threshold)
  • Encoding Detection - Finds multiple base64/gzip encoding layers
  • Hidden PHP Detection - Catches PHP code hidden in image headers

Heuristic Checks

| Code | Detection |
| --- | --- |
| HEUR-001 | High entropy detection (obfuscated code) |
| HEUR-002 | Extremely long lines (5000+ characters) |
| HEUR-003 | Multiple encoding layers (3+ nested) |
| HEUR-004 | Unusual non-printable character ratio |
| HEUR-005 | PHP code hidden after image headers (GIF89a, PNG, JPEG) |
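
How four of these heuristics can be evaluated on a file's bytes, as an added Python example that is not the plugin's own scanner code. The 5.5, 5000 and 3 thresholds come from the page; the 40-character minimum base64 run, the 1 MiB decode cap, the function names and the samples are assumptions, and HEUR-004 is left out because the page gives no ratio for it.

```python
import base64
import binascii
import hashlib
import math
import re
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 5.5    # HEUR-001: bits per byte (page value)
LONG_LINE_CHARS = 5000     # HEUR-002: line length (page value)
MAX_ENCODING_LAYERS = 3    # HEUR-003: nested layers (page value)
IMAGE_MAGIC = (b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")  # HEUR-005
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")  # assumed minimum run length
MAX_DECODED = 1 << 20      # assumed cap so a hostile file cannot inflate without bound


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def peel_layer(blob):
    """Undo one zlib/gzip or base64 layer; return None when nothing decodes."""
    if not blob:
        return None
    try:
        # wbits=47 auto-detects a zlib or gzip header; plain text fails the header check.
        out = zlib.decompressobj(47).decompress(blob, MAX_DECODED)
        if out:
            return out
    except zlib.error:
        pass
    run = B64_RUN.search(blob)
    if run:
        try:
            return base64.b64decode(run.group(0), validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def encoding_depth(blob, limit=10):
    """Count how many encoding layers can be peeled off, up to `limit`."""
    depth = 0
    while depth < limit:
        blob = peel_layer(blob)
        if blob is None:
            break
        depth += 1
    return depth


def scan(data):
    """Return the heuristic IDs triggered by one file's bytes."""
    findings = []
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append("HEUR-001")
    if any(len(line) >= LONG_LINE_CHARS for line in data.splitlines()):
        findings.append("HEUR-002")
    if encoding_depth(data) >= MAX_ENCODING_LAYERS:
        findings.append("HEUR-003")
    if data.startswith(IMAGE_MAGIC) and b"<?php" in data.lower():
        findings.append("HEUR-005")
    return findings


# Constructed samples (not real malware; the payloads only echo a string).
BENIGN = b"<?php\nfunction add($a, $b) {\n    return $a + $b;\n}\n"
_noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED = b'<?php $d = "' + base64.b64encode(_noise) + b'"; ?>'
_plain = b"echo 'constructed payload used only to exercise the scanner';"
NESTED = (b"<?php $p = gzuncompress(base64_decode(base64_decode('"
          + base64.b64encode(base64.b64encode(zlib.compress(_plain)))
          + b"'))); ?>")
POLYGLOT = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;" + b"<?php echo 'constructed'; ?>"

if __name__ == "__main__":
    for name in ("BENIGN", "PACKED", "NESTED", "POLYGLOT"):
        print(name, scan(globals()[name]))
```

Legitimate minified JavaScript and bundled assets also produce long lines and high entropy, so findings from HEUR-001 and HEUR-002 are best treated as triage signals rather than verdicts.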

Quarantine System

Suspicious files can be quarantined rather than deleted:

  • Files moved to protected wp-content/wpfs-quarantine/ directory
  • Original path and metadata preserved
  • Files can be restored if needed
  • Auto-quarantine available for high-threat files

Whitelist System

  • Automatically excludes known security plugins
  • Hash-based safe list (mark files as safe by MD5)
  • Path-based whitelist for custom exclusions
  • Own plugin directory automatically whitelisted

Root Directory Monitor PRO

Monitors your WordPress root directory for unauthorized PHP files that may be uploaded via FTP, SFTP, or exploits.

What It Detects

  • Unauthorized PHP files not part of WordPress core
  • Malicious code injected into legitimate core files
  • Webshells (FilesMan, WSO, r57, c99, b374k, Cyborg)
  • Backdoors hidden in seemingly innocent files

Threat Scoring System

| Category | Score | Examples |
| --- | --- | --- |
| Critical | 80-100 | Known webshells (FilesMan, WSO, r57) |
| High | 50-79 | Code execution (eval, assert, create_function) |
| Medium | 30-49 | Obfuscation (base64_decode, gzinflate) |
| Low | 1-29 | Suspicious patterns, potential false positives |

Scan Frequency Options

  • Every 15 minutes (high-security sites)
  • Every 30 minutes
  • Hourly (recommended)
  • Daily

Configuration

  • Auto-Quarantine - Automatically quarantine high-threat files
  • Email Alerts - Receive notifications when threats detected
  • Custom Whitelist - Exclude legitimate custom files
  • Root .htaccess Hardening - Add PHP execution rules to root

Core File Integrity PRO

Monitors wp-admin and wp-includes directories for unauthorized files and verifies WordPress core files against official checksums.

What It Checks

  • Unauthorized Files - Files in wp-admin/wp-includes not in WordPress checksums
  • Modified Core Files - Files that don't match official checksums
  • Missing Files - Core files that have been deleted
  • Infected Files - Core files with malicious code injected

How Verification Works

  1. Downloads official checksums from WordPress.org API for your exact WordPress version
  2. Compares each file's MD5 hash against the official checksum
  3. Identifies any files not present in the official checksums (unauthorized)
  4. Scans unauthorized/modified files for malicious patterns
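
Steps 2 and 3 of this procedure, as an added Python example that is not the plugin's own code. It runs offline against a constructed mini install; the `official` map has the shape of the `checksums` object (relative path to MD5) returned by the WordPress.org core checksums API, and the function names, file contents and whitelist entry are assumptions.

```python
import hashlib
import os
import tempfile

MONITORED_DIRS = ("wp-admin", "wp-includes")  # directories the page says are monitored


def md5_file(path, chunk=65536):
    """MD5 of a file, read in chunks (MD5 because the official list uses it)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_core(root, official, whitelist=()):
    """Classify files under `root` as modified, missing or unauthorized."""
    report = {"modified": [], "missing": [], "unauthorized": []}
    # Step 2: every file in the official list must exist and hash to the listed value.
    for rel, expected in sorted(official.items()):
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif md5_file(path) != expected:
            report["modified"].append(rel)
    # Step 3: anything else inside the monitored directories is unauthorized
    # unless the administrator has whitelisted it.
    for top in MONITORED_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in official and rel not in whitelist:
                    report["unauthorized"].append(rel)
    report["unauthorized"].sort()
    return report


def demo():
    """Build a constructed install, tamper with it, and return the report."""
    files = {
        "wp-admin/index.php": b"<?php // constructed core file A\n",
        "wp-includes/version.php": b"<?php // constructed core file B\n",
        "wp-includes/load.php": b"<?php // constructed core file C\n",
    }
    official = {rel: hashlib.md5(body).hexdigest() for rel, body in files.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        # Tampering: one file modified, one deleted, one dropped, one whitelisted extra.
        with open(os.path.join(root, "wp-includes", "version.php"), "ab") as fh:
            fh.write(b"// constructed injected line\n")
        os.remove(os.path.join(root, "wp-includes", "load.php"))
        with open(os.path.join(root, "wp-admin", "cache.php"), "wb") as fh:
            fh.write(b"<?php // constructed dropped file\n")
        with open(os.path.join(root, "wp-includes", "custom-lang.mo"), "wb") as fh:
            fh.write(b"constructed language file")
        return verify_core(root, official, whitelist={"wp-includes/custom-lang.mo"})


if __name__ == "__main__":
    print(demo())
```

A dropped file with a harmless-looking name is caught here only because it is absent from the official list, which is why the set difference in step 3 matters as much as the hash comparison in step 2.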

Actions Available

  • Delete - Remove unauthorized files safely
  • Restore - Reinstall modified core files from WordPress.org
  • Whitelist - Mark custom files as safe (e.g., language files)
  • Harden Permissions - Set core files to read-only (0444)

Critical Alert: If unauthorized files are detected, you'll see a prominent alert in WordPress admin. Take action immediately!

AI Scanner PRO

The AI Scanner uses machine learning to detect sophisticated malware that traditional signature-based scanners miss. Powered by Advanced AI Models and Agents for intelligent code analysis.

Available AI Models (Free)

| Model | Best For |
| --- | --- |
| Llama 3.3 70B Instruct | Highest quality analysis (GPT-4 level) |
| Gemini 2.5 Pro | Large context window (1M tokens) |
| DeepSeek Chat V3 | Fast and accurate |
| DeepSeek R1 | Advanced reasoning |
| DeepSeek R1 Distill 70B | Balanced quality/speed |
| NVIDIA Nemotron 8B | Lightweight and fast |
| Mistral Devstral | Code-focused analysis |

Analysis Types

  • Malware Detection - Backdoors, webshells, cryptominers, code injection
  • Vulnerability Analysis - SQL injection, XSS, CSRF, LFI/RFI, insecure deserialization
  • Log Analysis - Attack pattern identification, threat actor profiling
  • Security Reports - Human-readable summaries for non-technical users

How It Works

  1. Run Full Site Scanner or Vulnerability Scanner to detect findings
  2. Go to WP Folder Shield → AI Scanner
  3. Review flagged files and click Analyze with AI
  4. AI provides detailed analysis with fix suggestions
  5. Take action: quarantine, delete, or mark as safe

Privacy: Only code snippets are sent for analysis. No personal data, database content, or user information is transmitted.

File Upload Scanner PRO

Real-time scanning of all file uploads before they are saved to your server. Prevents malicious files from ever reaching your site.

Protection Features

  • Dangerous Extension Blocking - Blocks .php, .phtml, .php5, .phar, .pgif, and other executable files
  • Double Extension Prevention - Catches tricks like image.php.jpg or shell.png.php
  • Content Scanning - Scans file contents for malicious patterns
  • PHP in Images - Detects PHP code hidden in image files
  • AI Analysis - Optional deep analysis for suspicious uploads

Webshell Signatures Detected (25+)

FilesMan
WSO
r57shell
c99shell
b374k
Cyborg
eval()
assert()
base64_decode
gzinflate
shell_exec
system()

Configuration

Go to Settings → Forms & Scanning to:

  • Enable/disable real-time scanning
  • Configure blocked file extensions
  • Enable content scanning
  • Enable AI analysis for images

Vulnerability Scanner

Scan your themes and plugins for known security vulnerabilities and suspicious code patterns.

What It Scans

  • Plugin Vulnerabilities - Checks against known CVE database
  • Theme Vulnerabilities - Scans for known theme security issues
  • Suspicious Code - Detects potentially dangerous functions (eval, base64_decode, etc.)
  • Outdated Software - Flags plugins/themes that need updates

Running a Scan

  1. Go to WP Folder Shield → Vulnerability Scanner
  2. Click Start Scan
  3. Review the results and severity levels
  4. Click Analyze with AI for fix suggestions

Live Traffic Monitor PRO

Real-time dashboard showing all website traffic with threat detection. Designed for zero performance impact.

Features

  • Real-Time Updates - See traffic as it happens via AJAX polling
  • Threat Detection - Automatic flagging of blocked requests
  • Geographic Visualization - See visitor locations via GeoIP
  • Request Details - View full request headers and parameters
  • Quick Actions - Block IPs directly from the monitor
  • CSV Export - Export traffic logs for analysis

Logging Modes

Security Mode (Default)

Only logs blocked requests and security events. Minimal storage usage.

All Traffic Mode

Logs all traffic with configurable exclusions (admin AJAX, cron, REST).

Performance Optimizations

  • Async logging via WordPress shutdown hook
  • Batch database writes (20 entries per flush)
  • GeoIP processing deferred to hourly cron
  • Automatic cleanup (100K entries max)
  • Single IP cache lookup per request

Traffic Data Captured

  • IP address and GeoIP (City/Country)
  • Request method (GET/POST) and path
  • User agent and HTTP status code
  • Response time in milliseconds
  • Threat type (if blocked)

Threat Intelligence PRO

Crowdsourced threat data from the WP Folder Shield network of 10,000+ installations. Get protected from known attackers before they reach your site.

How It Works

  1. When any WP Folder Shield site blocks an attack, that IP is reported to the network
  2. Our servers aggregate data from multiple sources (Spamhaus, FireHOL, etc.)
  3. Your site receives blocklist updates automatically every 6 hours
  4. Known malicious IPs are blocked before they can attack your site

Data Sources & Confidence

| Source | Type | Confidence |
| --- | --- | --- |
| Spamhaus DROP/EDROP | CIDR ranges | 95% |
| FireHOL Level 1 | Aggregated threats | 90% |
| Blocklist.de | Brute force attackers | 85% |
| Emerging Threats | Malware IPs | 88% |
| AbuseIPDB | Community reports | 80% |
| WP Folder Shield Network | User reports | 60-95% |

Threat Feed Includes

  • IP Blocklist - 12,000+ known malicious IPs with confidence scoring
  • CIDR Ranges - 350+ network ranges from known bad actors
  • WAF Rules - Updated attack pattern signatures
  • Malware Signatures - Latest webshell and backdoor patterns

Performance

  • O(1) IP Lookup - Uses PHP hash file for instant IP checking
  • Local Storage - Data stored in wp-content/uploads/wpfs-threat-data/
  • No API Calls - All checks done locally after sync
  • Sub-millisecond - Less than 1ms overhead per request

Zero-Day Protection: When a new attack is detected anywhere in the network, all connected sites are protected automatically within 6 hours.

Security Headers

HTTP security headers protect your site from clickjacking, XSS, and other browser-based attacks.

Headers Applied

| Header | Value | Protection |
| --- | --- | --- |
| X-Frame-Options | SAMEORIGIN | Prevents clickjacking attacks |
| X-XSS-Protection | 1; mode=block | Enables browser XSS filter |
| X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer information |
| Permissions-Policy | Customizable | Controls browser feature access |
| Content-Security-Policy | Optional/Customizable | Controls resource loading |

Content-Security-Policy: This header can break some plugins. Test thoroughly before enabling in production.

WordPress Hardening

Reduce your attack surface by disabling unnecessary WordPress features and hiding sensitive information.

Information Hiding

  • Hide WordPress Version - Remove version from scripts, styles, feeds, and HTML
  • Remove Generator Meta Tag - Hide WordPress identification in page source
  • Remove RSD Link - Hide Really Simple Discovery endpoint
  • Remove WLW Manifest - Hide Windows Live Writer endpoint
  • Remove Shortlink Header - Remove X-Shortlink HTTP header

API & Remote Access

  • Disable XML-RPC - Block remote publishing and brute force via XML-RPC
  • Restrict REST API - Require authentication for REST API access
  • Block User Enumeration - Prevent discovery of usernames via REST API or ?author=N
  • Disable Application Passwords - Block WordPress 5.6+ application passwords

Remote Features

  • Disable Pingbacks - Prevent DDoS amplification via pingbacks
  • Disable Trackbacks - Block trackback spam and attacks
  • Disable oEmbed - Remove oEmbed discovery and auto-embed functionality

File Security

  • Disable File Editing - Remove Theme/Plugin Editor from WordPress admin
  • Protect wp-config.php - Block direct access via .htaccess rules
  • Disable Author Archives - Return 404 for author archive pages

Login Notifications PRO

Get email alerts when someone logs into your WordPress site from a new device, IP address, or location.

Detection Methods

  • New Device - Uses daily-rotating browser cookie to recognize devices
  • New IP Address - Tracks known IPs per user account
  • New Location - GeoIP lookup for City/Region/Country changes

Email Alert Includes

  • Username that logged in
  • IP address and location
  • Browser and device information
  • Login timestamp
  • Link to security settings

Configuration Options

  • Notify on new device - Alert when unrecognized device logs in
  • Notify on new IP - Alert when login from new IP address
  • Notify admin on all logins - Admins receive all login alerts
  • Per-user preferences - Users can manage their own notifications

Device recognition cookie lasts 30 days. After that, logging in from the same device will trigger a "new device" alert.

Form Spam Protection PRO

Universal spam protection for all major WordPress form plugins. No configuration needed - just enable and it works.

Supported Form Plugins

Contact Form 7
WPForms
Gravity Forms
Ninja Forms
Formidable Forms
Elementor Forms
Fluent Forms
WS Form
Happyforms
WooCommerce Checkout
WordPress Comments
Generic POST Forms

Protection Methods

  • Honeypot Fields - Invisible traps that catch bots (daily-rotating field names)
  • Time-Based Validation - Blocks instant bot submissions (minimum 3 seconds)
  • Rate Limiting - Max 5 submissions per IP per 60 seconds
  • Spam Keyword Filter - 40+ spam patterns (pharmaceutical, gambling, adult, crypto scams)
  • Malicious URL Detection - Max 3 URLs, blocks suspicious TLDs (.tk, .xyz, etc.)

Blocked Spam Keywords

viagra
cialis
casino
poker
lottery
bitcoin doubler
buy backlinks
guest post
make money fast
and 30+ more...

Configuration

| Setting | Default |
| --- | --- |
| Enable honeypot | On |
| Enable time check | On |
| Minimum time (seconds) | 3 |
| Enable rate limiting | On |
| Max submissions per window | 5 |
| Rate limit window (seconds) | 60 |
| Enable spam filter | On |
| Enable URL check | On |
| Max URLs per submission | 3 |

Comment Spam Protection

Comprehensive protection for WordPress comments, pingbacks, and trackbacks.

Features

  • Pingback/Trackback Blocking - Blocks DDoS amplification vectors
  • Author URL Validation - Detects spammy website URLs
  • Comment Flood Protection - Rate limiting for comment submissions
  • Disallowed Keys Integration - Uses WordPress built-in blocklist
  • Trusted Commenter System - Skips checks for approved commenters

Tip: Combine with reCAPTCHA for maximum comment spam protection.

reCAPTCHA Integration

Add Google reCAPTCHA to your login, registration, and comment forms to block bots.

Supported Versions

reCAPTCHA v2 (Checkbox)

Shows "I'm not a robot" checkbox. User-friendly but requires interaction.

reCAPTCHA v3 (Invisible)

Runs invisibly in background. Scores visitors 0.0-1.0 based on behavior.

Setup Instructions

  1. Go to Google reCAPTCHA Admin and create a new site
  2. Choose reCAPTCHA v2 or v3 and add your domain
  3. Copy your Site Key and Secret Key
  4. In WP Folder Shield, go to Settings → Integrations
  5. Paste your keys and select which forms to protect

Protected Forms

  • WordPress Login Form
  • WordPress Registration Form
  • Lost Password Form
  • Comment Forms

Cloudflare Integration PRO

Sync your WP Folder Shield protections with Cloudflare for edge-level security.

Features

  • IP Sync - Automatically sync blocked IPs to Cloudflare firewall
  • Security Level Control - Change Cloudflare security level from WordPress (off to under_attack)
  • Under Attack Mode - One-click enable/disable from dashboard
  • IP Range Updates - Auto-update Cloudflare IP ranges for accurate visitor IP detection
  • Firewall Rules - Manage Cloudflare rules directly

Security Levels

Off
Essentially Off
Low
Medium
High
Under Attack

Setup

  1. Get your Cloudflare API Token from the Cloudflare dashboard (Zone:Firewall:Edit permission)
  2. Get your Zone ID from the Cloudflare dashboard (Overview page)
  3. Go to WP Folder Shield → Settings → Integrations
  4. Enter your API Token and Zone ID
  5. Enable IP syncing to push blocks to Cloudflare

WP-CLI Commands

Full command-line support for managing WP Folder Shield. Perfect for automation and managing multiple sites.

Available Commands

| Command | Description |
| --- | --- |
| wp folder-shield status | Show protection status and configuration |
| wp folder-shield license | Show license information |
| wp folder-shield scan [--type=TYPE] | Run security scan (quick, full, malware, core) |
| wp folder-shield block <ip> | Block an IP address |
| wp folder-shield unblock <ip> | Unblock an IP address |
| wp folder-shield whitelist <ip> | Add IP to whitelist |
| wp folder-shield list-blocked | List all blocked IPs |
| wp folder-shield enable <module> | Enable a security module |
| wp folder-shield disable <module> | Disable a security module |
| wp folder-shield clear-logs | Clear security logs |
| wp folder-shield firewall-stats | Show firewall statistics |

Module Names

Use these names with enable and disable commands:

firewall
login-security
2fa
country-blocking
form-protection
cloudflare
xml-rpc
rest-api
upload-scanner
traffic-monitor
threat-intel

Examples

# Check security status
wp folder-shield status --format=json

# Run a full malware scan
wp folder-shield scan --type=full

# Block an attacker with reason
wp folder-shield block 192.168.1.100 --reason="Brute force" --duration=48

# Enable firewall and threat intelligence
wp folder-shield enable firewall
wp folder-shield enable threat-intel

# List blocked IPs with limit
wp folder-shield list-blocked --limit=100

# Clear all firewall logs
wp folder-shield clear-logs --type=firewall

General Settings

Configure WP Folder Shield to match your security requirements. Settings are organized into 6 tabs for easy navigation.

Settings Tabs

  1. Protection - Directory protection, firewall, bot blocking
  2. Login Security - Brute force, 2FA, custom URL, lockout settings
  3. API & Hardening - XML-RPC, REST API, headers, version hiding
  4. Forms & Scanning - Form protection, upload scanner, malware scanning
  5. Integrations - Cloudflare, reCAPTCHA, threat intelligence
  6. Advanced - Traffic monitor, notifications, logging, debug

Key Settings

  • Email Notifications - Configure email addresses for security alerts
  • Logging - Set log retention period (days)
  • Auto-Updates - Enable automatic plugin updates
  • Trusted Proxies - Configure if behind Cloudflare, load balancer, etc.

Settings Protection

Protect your security settings from unauthorized changes:

  • Settings Lock - Require password to modify security settings
  • Audit Logging - Track all setting changes with timestamps and user

Multisite Support PRO

WP Folder Shield fully supports WordPress Multisite networks with network-wide management.

License Modes

Network License

Single license covers entire network. All subsites share one activation.

Per-Site License

Each subsite requires separate activation. Good for client sites.

Network Features

  • Network Dashboard - View security status across all sites
  • Propagate Settings - Push settings to all subsites at once
  • Auto-Protect New Sites - Automatically protect new subsites
  • Site Exclusions - Exclude specific sites from network settings
  • Sunrise.php Support - Early loading for maximum protection
  • MU-Plugin Support - Must-use plugin for early security

Note: Professional and Agency plans include Multisite support. Personal plans work on individual sites only.

Cache Plugin Compatibility

WP Folder Shield automatically detects and protects cache directories from 15+ popular caching plugins.

Supported Caching Plugins

WP Rocket
WP Super Cache
W3 Total Cache
LiteSpeed Cache
WP Fastest Cache
Autoptimize
Cache Enabler
Comet Cache
Hummingbird
Breeze
Swift Performance
SG Optimizer
NitroPack
FlyingPress
Perfmatters

How It Works

WP Folder Shield automatically:

  • Detects which caching plugins you're using
  • Identifies all cache directories created by those plugins
  • Adds .htaccess protection to block PHP execution in cache folders

Common Issues

Images not loading after enabling protection

This usually indicates a misconfigured .htaccess. Go to Directory Protection and click "Repair" to regenerate the rules.

Plugin conflicts

Some caching or security plugins may conflict with WP Folder Shield. Go to WP Folder Shield → Conflicts to see detected conflicts and recommendations.

Security alert persists after deleting files

If you've deleted unauthorized files but still see the security alert, click "Verify Core Files" to rescan and clear the cache. This was fixed in version 5.7.7.

2FA codes not working

  • Ensure your phone's time is correct (TOTP is time-based)
  • Try a code from ±30 seconds (clock drift tolerance)
  • Use a backup code if available
  • Check that you're scanning the correct QR code for this site

Threat Intelligence not syncing

  • Ensure your license is active and valid
  • Check that WordPress cron is running (some hosts disable it)
  • Click "Force Sync" on the Threat Intelligence page
  • Check your server can reach wpfoldershield.com

Locked Out?

If you're locked out of your WordPress site, follow these steps:

Method 1: Wait for lockout to expire

Lockouts typically expire after 30 minutes by default. Auto-blocks expire after 24 hours.

Method 2: FTP/File Manager

  1. Connect to your site via FTP or hosting file manager
  2. Navigate to /wp-content/plugins/
  3. Rename wp-folder-shield to wp-folder-shield-disabled
  4. Log in to WordPress
  5. Whitelist your IP address in WP Folder Shield settings
  6. Rename the folder back to wp-folder-shield

Method 3: Database (for custom login URL)

If you forgot your custom login URL:

  1. Access phpMyAdmin via your hosting panel
  2. Find the wp_options table
  3. Search for wpfs_custom_login_url
  4. Delete or edit that row
  5. Access wp-login.php normally

Method 4: 2FA Recovery

If you've lost access to your authenticator app:

  • Use one of your 10 backup codes
  • If no backup codes: access database and delete wpfs_2fa_secret from wp_usermeta for your user

Need help? Contact us at support@wpfoldershield.com