coreSecurity Pro is a feature-rich plugin with over 20 features that aim to improve the security of WordPress-powered websites. These include antispam, a firewall, security headers, login and registration protection, a file scanner and more.
A very important requirement for coreSecurity Pro is coreActivity, an additional plugin that handles logging and is also developed by Dev4Press.
If coreActivity is not installed and active, coreSecurity will still work, but only some plugin features will be functional. Any feature that tracks activity and events, and depends on them to ban access for offending visitors, will not work, because those features require the logging capabilities implemented by the coreActivity plugin.
Getting Plugin Ready
If you have installed and activated coreActivity, you are ready for coreSecurity Pro.
To get started, you need to install coreSecurity Pro. Check out the installation and plugin update article. Once you have installed and activated the plugin and gone through the Installation confirmation screen, you get to the plugin setup.
coreSecurity Pro requires a license code for activation, and without the license code, the plugin can’t be used. More about the license is included in this article. If you have your license code, it is best to start with the Setup Wizard, where you can add this code as the first step and then proceed to configure several basic plugin settings and features.
Regular Plugin Updates
It is very important to keep the plugin regularly updated. Each update brings new filters, banned domains and emails, all of which improve the plugin's ability to detect spam and stop bad bots and other malicious activity. More about updating the plugin is available in this article.
The Plugin Interface
The plugin adds various panels, depending on the active features and system configuration. The main panel for getting started with coreSecurity is the Dashboard.
It is best to start with the Settings panel. It has only a few settings, but it is very important to know about them. There you can also configure the license code and see the license code validation status. All the plugin features can be enabled, disabled and controlled via the Features panel.
The Dictionary panel holds a huge list of entries used by various plugin features to match and filter for spam, registration, firewall and more. The Banned IPs panel shows all IPs currently banned from accessing the website. If your server supports the use of a .HTACCESS file, the .HTACCESS panel will be added too.
Next, there are two Logs panels: one for the list of CSP Reports (if you have Content Security Policy active and reports enabled), and the other is the main Security Logs panel. Security Logs is based on the coreActivity Logs, and it depends on coreActivity. coreSecurity Pro registers a number of new Events for logging security-related information.
Finally, there are two Tools panels: one with the Inspection tools and the other with general plugin tools for importing and exporting settings and more.
The core of the plugin is its features: a few features are always enabled, with the rest being optional.
The best place to start is the user guide with the overview of All the Security Features. From there you can get information about every plugin feature, including its configuration and how to use it.
One of the most complex features is the File Scanner, and you can get more information about it in the dedicated user guide Explaining the File Scanner.
Recommended Features to have active
Which features to use depends on your website, and it is not easy to give universal recommendations. Your server configuration, third-party plugins and interaction with users will inform which features to use. Recommending that all the features be active is also not a perfect recommendation.
First, here is the list of features that are highly recommended:
- Enable all the DNSBL third party services supported by the plugin.
- Enable the Vulnerabilities feature to monitor publicly disclosed vulnerabilities in PHP, WordPress, plugins, and themes.
- Enable all the Security Headers along with CSP and Permissions Policy. They may be harder to configure, but they are well worth it and important to prevent a lot of malicious activity.
- If your server supports the .HTACCESS file (Apache and LiteSpeed), make sure to use it for everything it supports.
- Enable the Bridge feature to get aggregated banned IPs from the Dev4Press Network.
Here are more recommendations, depending on your website and active plugins:
- If you use a supported contact form plugin and you have a contact form with free access, use the Antispam feature for that plugin.
- If you have a public comments feature, use the Antispam for Comments.
- If you still use trackbacks (and you have not disabled them), use the Antispam for Trackbacks.
- If you use bbPress forums, it is highly recommended to use the Antispam for Topics and Replies features.
- If you allow free user account registration, it is recommended to use the Registration Control feature to stop spam and bot accounts.
- If you want to track browser-reported errors related to website connectivity and other network errors, you should use the NEL security header.
- Enable all login-related features to stop brute force attacks, attempts to find exploits and more.
Finally, there is a File Scanner available, and I recommend using it from time to time to make sure that there are no issues with file integrity or malware infections.
Advanced Setup Information
The plugin should work with any WordPress plugin without issues. But there is a group of plugins that changes the way WordPress works and serves pages: cache plugins. There are a few things you should know when using coreSecurity Pro with cache plugins.
It is not recommended to use coreSecurity Pro with other security plugins. It is generally not recommended to use two or more security plugins at the same time, due to the conflicts that will happen.
There are a few features (Firewall, IP Banning and Security Headers) that can be set up in different ways, and you need to learn more about them and decide what is the best solution for your website.
Third Party plugin Solutions
coreSecurity Pro protects the whole website's information, can integrate with various plugins, and adds features for some third-party plugins. For some plugins there is more in store, and you can learn more about the support for the bbPress plugin in Security for bbPress Forums.
The plugin also has Antispam support for several popular forms plugins. That support will be expanded in the future to more plugins that allow front-end user posting of any kind, as long as those plugins support modification through the WordPress actions and filters system.
Linking websites via Bridge to improve security
If you have more than one website, and you use coreSecurity Pro on each of them, it is highly recommended to use the Bridge feature. This feature allows you to link websites so that they share a list of banned IPs. This way, if an IP is banned on one website, your other websites can retrieve it via Bridge and ban the same IP too.
Bridge also allows you to get all the latest banned IPs from the Dev4Press Network, which can include a long list of temporarily and permanently banned IPs, collected from the main Dev4Press website and 10 more websites developed and maintained by the Dev4Press Web Development company.
While you can certainly set up this plugin and leave it running, making sure it is updated at all times to get all the latest relevant scanner information and dictionary entries, the best approach to security is to be proactive: check the plugin status every day, or at least once a week, and go over the security logs to make sure that no legitimate activity has been flagged or stopped by the plugin.
It is very important to check the security logs, review the registration, spam and login attempts, and, if needed, manually ban certain IPs or add domains or emails to deny lists.
Other Important Information
- As with any other security plugin or security solution, there are limitations to what coreSecurity Pro can do. There is no guarantee that every possible vulnerability, malware or attack vector can be identified and stopped!
- The coreSecurity Pro File Scanner is a scanner only, and it can’t clean infected files! No security plugin can clean up infected files without intervention from a trained security specialist.
- The plugin can’t stop any form of attack that comes through a compromised server, where attackers can get direct access to your website files through server-based exploits, leaked passwords or compromised administrator accounts.