FP Site Security

سوالات متداول

What does this plugin actually do?

It hardens login (brute-force lockout, optional two-factor), runs a built-in firewall with country and IP blocklists, scans your files for malware signatures and integrity changes, offers optional WordPress.org checksum and update verification when you opt in, takes scheduled local backups, and sends you alerts when something looks wrong.

Is anything required to use it? Do I need an account?

No. Activate the plugin and the defaults turn on login protection, the firewall, and local file integrity monitoring. WordPress.org verification lookups are off by default and must be enabled explicitly. There’s no signup, no API key, and no paid tier.

Does the plugin send any data off my site?

By default it does not send visitor IP addresses to third-party geo-location services. Country-based checks only work when your stack already provides country data locally, such as the CF-IPCountry header from Cloudflare, an equivalent server-side header, or the optional PHP GeoIP extension. Slack, Sentry, Google reCAPTCHA, and WordPress.org verification requests are all feature-driven and only occur when the relevant feature is enabled or used.

Will it work behind Cloudflare or another reverse proxy?

Yes, but you need to opt in. By default the plugin trusts only REMOTE_ADDR, so behind a proxy every visitor will look like the proxy IP. To honor CF-Connecting-IP / X-Forwarded-For, set the trust_proxy_headers option to 1 and add your proxy IPs to trusted_proxy_ips (comma- or whitespace-separated). With WP-CLI: wp option patch update firssise_options trust_proxy_headers 1 and wp option patch update firssise_options trusted_proxy_ips "203.0.113.10, 203.0.113.11". Without an allowlist, forwarded headers are spoofable and the firewall would be trivial to bypass.

How do I enable two-factor authentication?

In the WordPress admin, go to FP Security → Security → Login Security. Scroll to the “Two-factor authentication” section, scan the QR code with any TOTP app (Google Authenticator, 1Password, Authy, Bitwarden), enter the 6-digit code in the “Verify code” field to confirm, and save. TOTP will be required on every subsequent login for that user.

I got locked out. How do I get back in?

The plugin generates an emergency unlock token on activation, stored in the firssise_options row of wp_options. Three ways to retrieve it:

1. WP-CLI: wp option get firssise_options --format=json and copy the emergency_unlock_token value.
2. phpMyAdmin / database: open the wp_options table, find option_name = 'firssise_options', and read the serialized array — the token is the value of emergency_unlock_token.
3. Last resort (always works): rename the plugin folder via SFTP (firstpage-site-security → _disabled) to deactivate the plugin and log in normally.

Once you have the token, append it to your login URL: /wp-login.php?firssise_unlock=YOUR_TOKEN. That bypasses the lockout for a single login. For repeated lockouts, raise the brute-force threshold in FP Security → Security → Login Security.

Will scans slow down my site?

The default mode is “low resource” — scans run in background cron batches, not on visitor requests. The realtime watcher only fingerprints files modified in the last ten minutes and skips known-large directories like cache/ and upgrade/. On a small or medium site you should not see any measurable impact.

What happens when the plugin finds something?

It records an event in the activity log, raises an admin notice, and (if you’ve enabled them) pushes notifications to Slack, Sentry, or your admin email. From the Findings panel you can quarantine the file or delete it after review.

Can I run this alongside Wordfence, Sucuri, or another security plugin?

You can, but you probably don’t want to — two firewalls fighting over the same hooks tends to cause double-blocking, lockouts, and slow login. The plugin detects common security plugins on activation and shows a one-time admin notice listing what it found so you can pick one. There is no functional conflict, just duplicated work.

How do I uninstall it cleanly?

Deactivate the plugin from the Plugins screen, then delete it. The plugin’s options, transients, and event log are removed by the uninstall hook. Backups stored under wp-content/uploads/firssise-backups/ are intentionally NOT removed automatically — delete them manually if you don’t want them.