BD Security Firewall

Security Settings & Configuration

Updated March 9, 2026

Overview

All BD Security Firewall settings are managed from Security → Settings in your WordPress admin. The settings page is divided into clearly labeled sections. This article explains every option in detail.

After making changes, click the Save Settings button at the bottom of the page. Changes take effect immediately.

Login Security

These settings control how users access the WordPress login page and how sessions are managed.

Custom Login URL

Type: Text field (slug)
Default: Empty (disabled)

When you enter a custom slug (for example, my-secret-login), your WordPress login page moves from /wp-login.php to yoursite.com/my-secret-login/. The original /wp-login.php, /wp-login, /login, and /wp-admin paths will return a 404 error for visitors who are not logged in.

This significantly reduces automated brute-force attacks because bots target the default login URL.

  • The custom URL field is displayed as a password field for security. Click the Show button to reveal it.
  • Once set, a green “Custom URL Active” indicator appears along with a Copy button for your convenience.
  • The following login-related actions continue to work through the custom URL: logout, password reset, lost password, and registration.
  • Admin AJAX (admin-ajax.php) and admin POST (admin-post.php) endpoints remain accessible regardless of this setting.
  • Attempts to access the hidden login page are logged in the security threat log with a severity of “low.”

Warning: Bookmark your custom login URL immediately after saving. If you forget it, you will need FTP/SSH access to disable the plugin or modify the bestdid_security_settings option in the database to clear the custom_login_slug value.

Hide Login Error Messages

Type: Toggle (on/off)
Default: ON

When enabled, WordPress login error messages are replaced with a generic message: “Invalid login credentials. Please try again.” This prevents attackers from determining whether a username exists on your site by observing different error messages for invalid usernames vs. invalid passwords.

Auto Logout (minutes)

Type: Number
Default: 0 (disabled)
Range: 0–1440

Sets the maximum session duration in minutes. After this period of time, users are automatically logged out regardless of activity. Set to 0 to disable and use WordPress’s default session handling.

Common values:

  • 60 — 1 hour (high-security environments)
  • 480 — 8 hours (recommended for most sites)
  • 1440 — 24 hours (maximum allowed)

Two-Factor Authentication (2FA)

These settings control the global 2FA policy. Individual user setup is covered in the Two-Factor Authentication Setup article.

Enable Two-Factor Authentication

Type: Toggle (on/off)
Default: OFF

The master switch for 2FA. When enabled, the 2FA system is activated and users in the selected roles can (or must) set up two-factor authentication. When disabled, 2FA is completely bypassed during login even if individual users have it configured.

Enforce for Roles

Type: Checkboxes
Default: Administrator only
Options: Administrator, Editor, Author

Select which user roles can use two-factor authentication. Only users with one of the selected roles will see the 2FA setup section on their profile page and be prompted for a second factor during login.

Force Setup

Type: Toggle (on/off)
Default: OFF

When enabled, users in the selected roles who have not yet set up 2FA will be required to complete setup on their next login. They are redirected to their profile page with a warning notice and cannot access any other admin page until 2FA is configured. During the login flow itself, if a user has not set up 2FA, they are presented with the QR code setup screen before being allowed to proceed.

Attack Prevention

These settings enable the Web Application Firewall (WAF) rules that inspect incoming requests for malicious patterns.

SQL Injection Protection

Type: Toggle (on/off)
Default: ON

Inspects query strings and request parameters for common SQL injection patterns such as UNION SELECT, DROP TABLE, and other malicious SQL syntax. Suspicious requests are blocked and logged.

XSS Attack Prevention

Type: Toggle (on/off)
Default: ON

Scans incoming requests for cross-site scripting payloads, including <script> tags, JavaScript event handlers, and other XSS vectors. Malicious requests are blocked before they reach WordPress.

Block Bad Bots

Type: Toggle (on/off)
Default: ON

Maintains a list of known malicious bot user-agent strings and blocks requests from those bots. This includes vulnerability scanners, scraping tools, and known attack bots.

Block Dangerous Uploads

Type: Toggle (on/off)
Default: ON

Prevents uploading files with dangerous extensions through the WordPress media uploader. Blocked extensions include:

  • PHP: .php, .php3, .php4, .php5, .php7, .phtml, .phar
  • Executables: .exe, .com, .bat, .cmd
  • Scripts: .sh, .bash, .cgi, .pl, .py, .rb
  • Server-side: .asp, .aspx, .jsp
  • Configuration: .htaccess

The plugin also detects double-extension tricks (e.g., malware.php.jpg) and blocks those as well.
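The following is an added example of the extension filter this setting describes, written for this article and not taken from the plugin's code. The blocked-extension list is copied from the documentation above; the function names, the treatment of backslash paths and the rejection of null bytes in a filename are assumptions made for the example.

```python
"""Upload filename filter modelled on the Block Dangerous Uploads setting.
Added example, not the plugin's code: the extension list comes from the
documentation; function names and the null-byte rule are assumptions."""
import posixpath

# Blocked extensions as listed in the setting's documentation (lower-case, no dot)
BLOCKED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",  # PHP
    "exe", "com", "bat", "cmd",                               # executables
    "sh", "bash", "cgi", "pl", "py", "rb",                    # scripts
    "asp", "aspx", "jsp",                                     # server-side
    "htaccess",                                               # configuration
}


def extensions_of(filename):
    """Return every extension segment of a filename, lower-cased.

    'malware.php.jpg' -> ['php', 'jpg'], '.htaccess' -> ['htaccess'],
    'README' -> []. Only the basename is inspected, so directory parts
    (with either slash style) cannot contribute an extension.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    segments = name.split(".")[1:]  # drop the stem (empty for dot-files)
    return [s.lower() for s in segments if s]


def upload_blocked(filename):
    """Return (blocked, reason) for a proposed upload filename.

    Every extension segment is checked, not just the last one, so the
    double-extension trick (malware.php.jpg) is caught as well as a plain
    malware.php. A null byte anywhere in the name is rejected outright
    (assumption: mirrors the plugin's null-byte sanitization).
    """
    if "\x00" in filename:
        return True, "null byte in filename"
    exts = extensions_of(filename)
    for ext in exts:
        if ext in BLOCKED_EXTENSIONS:
            if ext != exts[-1]:
                return True, "double extension: .%s hidden before .%s" % (ext, exts[-1])
            return True, "blocked extension: .%s" % ext
    return False, "allowed"


if __name__ == "__main__":
    for name in ("photo.jpg", "malware.php.jpg", "shell.PHP", ".htaccess", "archive.tar.gz"):
        print(name, upload_blocked(name))
```

Checking every segment rather than only the final one is what makes the double-extension case fall out naturally; note that a real uploader should also verify the file's content type, since this check looks at the name alone.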

Brute Force Protection

These settings protect the WordPress login form from automated password-guessing attacks.

Enable Brute Force Protection

Type: Toggle (on/off)
Default: ON

When enabled, failed login attempts are tracked per IP address. After exceeding the maximum number of attempts, the IP is temporarily locked out.

Max Login Attempts

Type: Number
Default: 5
Range: 1–20

The number of failed login attempts allowed before an IP address is locked out. Lower values provide stronger protection but may inconvenience legitimate users who mistype their passwords.

Recommended: 3–5 attempts.

Lockout Duration (minutes)

Type: Number
Default: 30
Range: 5–1440

How long (in minutes) a locked-out IP address must wait before attempting to log in again. During this period, all login attempts from the blocked IP are rejected immediately.

Recommended: 30–60 minutes.

Tip: If you lock yourself out, you can wait for the lockout duration to expire, or ask another administrator to unblock your IP from the Security Dashboard. You can also add your IP to the whitelist to prevent future lockouts.
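As an added example (written for this article, not the plugin's own code), the tracker below shows the lockout logic these settings describe, including the whitelist exemption and the expiry the Tip relies on. The defaults of 5 attempts and a 30-minute lockout come from the documentation; the class and method names, the in-memory storage and the injectable clock are assumptions made for the example.

```python
"""Per-IP failed-login tracker modelled on the Brute Force Protection and
IP Whitelist settings. Added example, not the plugin's code; the defaults
(5 attempts, 30-minute lockout) come from the documentation, while the
class, method names and in-memory storage are assumptions."""
import ipaddress
import time


class LoginLockout:
    def __init__(self, max_attempts=5, lockout_minutes=30, whitelist=(), now=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        # Whitelist entries may be single addresses or CIDR ranges
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.now = now                 # injectable clock so expiry is testable
        self.failures = {}             # ip -> consecutive failed attempts
        self.locked_until = {}         # ip -> unix time at which the lockout ends

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:
            # Lockout expired: forget it so the counter starts fresh
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def allow_attempt(self, ip):
        """Whether a login attempt from this IP should reach the password check."""
        return self.is_whitelisted(ip) or not self.is_locked(ip)

    def record_failure(self, ip):
        """Count one failed login. Returns True when this failure triggers a lockout.

        max_attempts failures are allowed; recording the last of them locks the
        IP, so the following attempt is rejected without a password check.
        """
        if self.is_whitelisted(ip) or self.is_locked(ip):
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = self.now() + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure counter for that IP."""
        self.failures.pop(ip, None)

    def seconds_remaining(self, ip):
        """How long a locked IP must still wait (0 when not locked)."""
        if not self.is_locked(ip):
            return 0
        return int(self.locked_until[ip] - self.now())


if __name__ == "__main__":
    guard = LoginLockout(whitelist=["203.0.113.0/24"])  # constructed whitelist range
    for _ in range(5):
        guard.record_failure("198.51.100.7")
    print("locked:", not guard.allow_attempt("198.51.100.7"),
          "wait:", guard.seconds_remaining("198.51.100.7"), "s")
```

Because the whitelist is consulted before the lockout table, adding your own address after a lockout restores access immediately, which is the recovery path the Tip describes; a production version would keep the counters in shared storage rather than in process memory.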

Force Strong Passwords

Type: Toggle (on/off)
Default: ON

When enabled, all users must set passwords that meet the following requirements:

  • At least 12 characters long
  • Contains at least one uppercase letter (A–Z)
  • Contains at least one lowercase letter (a–z)
  • Contains at least one number (0–9)
  • Contains at least one special character (!@#$%^&* etc.)

This is enforced when creating or updating user accounts from the WordPress admin.

Rate Limiting

Rate limiting protects your site from abuse by restricting how many requests a single IP address can make per minute.

Enable Rate Limiting

Type: Toggle (on/off)
Default: ON

When enabled, the plugin tracks requests per IP and blocks IPs that exceed the configured threshold.

Requests Per Minute

Type: Number
Default: 60
Range: 10–500

The maximum number of requests a single IP address can make per minute before being rate-limited. When exceeded, the IP receives a block response and the event is logged as a “rate_limit_exceeded” threat.

  • 30–60: Suitable for most websites.
  • 100+: Appropriate for sites with AJAX-heavy frontends or single-page applications.
  • Under 30: Use with caution; legitimate users browsing quickly may be affected.

Note: Rate limiting does not apply to requests from localhost (127.0.0.1, ::1) or local network IPs (192.168.x.x), admin pages, AJAX calls, or WP-CLI commands.
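The sliding-window limiter below is an added example of the per-IP counting these settings describe; it is written for this article and is not the plugin's code. The 60-requests-per-minute default and the exemptions for localhost, 192.168.x.x and admin/AJAX requests follow the Note above; the class and method names, the use of a `/wp-admin/` path prefix to recognise admin and admin-ajax.php requests, and the shape of the log record are assumptions made for the example.

```python
"""Sliding-window per-IP rate limiter modelled on the Rate Limiting settings.
Added example, not the plugin's code. The default of 60 requests per minute
and the exemptions follow the documentation; class and method names, the
/wp-admin/ prefix rule and the log record fields are assumptions."""
import ipaddress
import time
from collections import defaultdict, deque

# Addresses the documentation exempts: localhost (IPv4 and IPv6) and 192.168.x.x
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.0.0/16")]
# Admin pages and admin-ajax.php both live under /wp-admin/ on a stock install
EXEMPT_PATH_PREFIXES = ("/wp-admin/",)


class RateLimiter:
    def __init__(self, requests_per_minute=60, now=time.time):
        self.limit = requests_per_minute
        self.window = 60.0
        self.now = now                      # injectable clock for testing
        self.hits = defaultdict(deque)      # ip -> request timestamps in window
        self.log = []                       # threat log entries (assumed format)

    @staticmethod
    def is_exempt(ip, path):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETWORKS):
            return True
        return path.startswith(EXEMPT_PATH_PREFIXES)

    def check(self, ip, path):
        """Classify one request: 'exempt', 'allowed' or 'rate_limit_exceeded'.

        A rejected request is not added to the window, so the IP recovers as
        soon as its earlier requests age out rather than being pinned at the
        limit by its own retries.
        """
        if self.is_exempt(ip, path):
            return "exempt"
        q = self.hits[ip]
        t = self.now()
        while q and t - q[0] >= self.window:
            q.popleft()                     # drop timestamps older than one minute
        if len(q) >= self.limit:
            self.log.append({"type": "rate_limit_exceeded", "ip": ip, "uri": path, "time": t})
            return "rate_limit_exceeded"
        q.append(t)
        return "allowed"


if __name__ == "__main__":
    limiter = RateLimiter(requests_per_minute=3)
    for path in ("/", "/about/", "/contact/", "/blog/"):
        print(path, limiter.check("203.0.113.9", path))   # constructed client IP
    print(limiter.check("192.168.1.20", "/"), limiter.check("203.0.113.9", "/wp-admin/admin-ajax.php"))
```

The deque per IP holds at most `limit` timestamps, so memory stays bounded by the number of active clients; the exempt paths are checked before any counting so a busy admin session never consumes a visitor's budget.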

IP Whitelist

Whitelisted IPs are exempted from brute force lockouts and rate limiting.

Whitelisted IP Addresses

Type: Textarea
Default: Empty

Enter one IP address per line. These IPs will never be blocked by brute force protection or rate limiting. You can find your current IP address at whatismyip.com.

Tip: Always add your own IP address to prevent accidentally locking yourself out of your site.

Whitelist Logged-in Admins

Type: Toggle (on/off)
Default: OFF

When enabled, any user who is currently logged in with the Administrator role will never be blocked by rate limiting or brute force protection, regardless of their IP address.

Additional Hardening

These settings apply miscellaneous security hardening measures to your WordPress installation.

Hide WordPress Version

Type: Toggle (on/off)
Default: ON

Removes the WordPress version number from:

  • The <meta name="generator"> tag in the HTML source
  • RSS feed generator tags
  • The ?ver= query string on all enqueued scripts and stylesheets

This makes it harder for attackers to identify the exact WordPress version and target known vulnerabilities.

Disable XML-RPC

Type: Toggle (on/off)
Default: ON

Completely disables the WordPress XML-RPC interface (xmlrpc.php). XML-RPC is a legacy API frequently exploited for:

  • Brute-force password attacks (the system.multicall method allows hundreds of login attempts in a single request)
  • DDoS amplification via pingback

Most modern WordPress sites do not need XML-RPC. Disable it unless you use the WordPress mobile app, Jetpack, or other tools that specifically require it.

Disable File Editor

Type: Toggle (on/off)
Default: ON

Removes the Appearance → Theme File Editor and Plugins → Plugin File Editor pages from the WordPress admin. This sets the DISALLOW_FILE_EDIT constant to true.

This is strongly recommended because if an attacker gains admin access to your site, the file editor allows them to inject malicious PHP code directly into your theme or plugin files.

Disable RSS Feeds

Type: Toggle (on/off)
Default: OFF

Disables all RSS, RDF, and Atom feeds and removes feed links from your HTML head. Visitors who try to access a feed URL will see a “403 Forbidden” page with the message “RSS feeds are disabled on this site.”

Enable this if you do not want your content syndicated via RSS and want to prevent content scraping.

Log Retention Days

Type: Number
Default: 30
Range: 7–365

Security threat logs older than this number of days are automatically deleted by a daily cron job. Higher values provide a longer audit trail but consume more database space.

Enable HSTS

Type: Toggle (on/off)
Default: OFF

Adds the Strict-Transport-Security HTTP header with a max-age of 1 year (31,536,000 seconds), including subdomains and preload.

This tells browsers to always use HTTPS when connecting to your site, preventing SSL-stripping attacks.

Warning: Only enable HSTS if your site is fully configured for HTTPS with a valid SSL certificate. Once browsers cache the HSTS header, your site will be inaccessible over plain HTTP for up to one year.

Malware Scanner

The built-in malware scanner checks your WordPress files for known malware signatures, verifies core file integrity, and detects suspicious files in the uploads directory.

Enable Scanner

Type: Toggle (on/off)
Default: OFF

Activates the malware scanner feature. When enabled, you can run on-demand scans from the Security → Scanner page and configure automated scanning.

Scan Schedule

Type: Dropdown
Default: Manual Only
Options: Manual Only, Daily, Weekly

Sets how often automated scans run in the background via WordPress cron:

  • Manual Only: Scans only run when you click “Start Scan” on the Scanner page.
  • Daily: A full scan runs automatically once per day.
  • Weekly: A full scan runs automatically once per week.

Check Core Integrity

Type: Toggle (on/off)
Default: ON

Compares your WordPress core files against the official checksums published by WordPress.org. Any modified, missing, or extra files in the core directories are flagged.

Check Malware Patterns

Type: Toggle (on/off)
Default: ON

Scans PHP files for known malware signatures and obfuscated code patterns. The scanner uses a database of 50+ malware signatures covering common backdoors, web shells, and code injection techniques.

Check PHP in Uploads

Type: Toggle (on/off)
Default: ON

Detects PHP files in the wp-content/uploads/ directory. PHP files in the uploads folder are a common indicator of a compromised site, as the uploads directory should normally contain only media files (images, documents, etc.).

Email Alerts on Critical Findings

Type: Toggle (on/off)
Default: OFF

When enabled, the site administrator receives an email notification whenever a scheduled scan finds threats rated as critical severity.

Auto-Quarantine Critical Threats

Type: Toggle (on/off)
Default: OFF

When enabled, files rated as critical threats during scheduled scans are automatically moved to quarantine. Quarantined files are stored securely and can be restored from the Scanner page if needed.

Tip: Enable both Email Alerts and Auto-Quarantine for maximum automated protection. You will be notified by email whenever a critical threat is found and quarantined.

Geo-Blocking

Geo-blocking allows you to restrict access to your site based on the visitor’s geographic location (country). Country detection is performed using the visitor’s IP address.

Enable Geo-Blocking

Type: Toggle (on/off)
Default: OFF

Activates the geo-blocking system. When enabled, incoming requests are checked against your country rules before the page loads.

Mode

Type: Dropdown
Default: Disabled
Options: Disabled, Blacklist, Whitelist

  • Disabled: No geo-blocking is applied (even if the toggle above is on).
  • Blacklist: All countries are allowed except the ones you list. Use this to block specific countries known for generating attack traffic.
  • Whitelist: All countries are blocked except the ones you list. Use this if your site only serves a specific region or country.

Country selection is configured on the Security → Geo-Blocking page, where you can select countries from a full list and test specific IP addresses.

Log Blocked Requests

Type: Toggle (on/off)
Default: ON

When enabled, every request blocked by geo-blocking is recorded in a log that you can view on the Security → Geo-Blocking page. The log includes the IP address, country, request URI, and timestamp.

Activity Logging

The activity log tracks important administrative actions on your site, providing an audit trail for security and compliance.

Enable Activity Logging

Type: Toggle (on/off)
Default: OFF

When enabled, the following events are automatically recorded:

  • Authentication: Successful logins, failed login attempts, logouts
  • User management: User registration, deletion, role changes, password resets, profile updates
  • Content: Post/page status transitions (draft → published, published → trashed, etc.), post deletions
  • Plugins & themes: Plugin and theme activations, deactivations, and updates
  • Core: WordPress core updates
  • Settings: Changes to WordPress options

All logged events are viewable from Security → Activity Log with filtering, search, and CSV export capabilities.

Retention Days

Type: Number
Default: 90
Range: 1–365

Activity log entries older than this number of days are automatically deleted by a daily cron job. Adjust based on your compliance requirements and database capacity.

File Integrity Monitor

The File Integrity Monitor (FIM) creates a hash-based baseline of your WordPress files and periodically checks for unauthorized modifications.

Enable File Integrity Monitor

Type: Toggle (on/off)
Default: OFF

Activates the file integrity monitoring system. When first enabled, you should create a baseline from the Security → File Integrity page. The baseline records the SHA-256 hash of every core, theme, and plugin file.

Check Schedule

Type: Dropdown
Default: Daily
Options: Manual Only, Daily, Weekly

How often the integrity check runs automatically via WordPress cron:

  • Manual Only: You must manually trigger checks from the File Integrity page.
  • Daily: Every file is re-hashed and compared to the baseline once per day.
  • Weekly: Checks run once per week.

Email Alerts on Changes

Type: Toggle (on/off)
Default: OFF

When enabled, the site administrator receives an email notification whenever a scheduled integrity check detects file changes (modified, added, or deleted files).
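The script below is an added example of the baseline-and-compare cycle the File Integrity Monitor performs, and it also applies the scanner's Check PHP in Uploads rule to the resulting file list; it was written for this article and is not the plugin's code. Per-file SHA-256 hashing follows the documentation; the JSON baseline format, the directory layout, the file contents in the demo and every function name are assumptions, and the demo files are constructed in a temporary directory.

```python
"""Hash baseline and change detection modelled on the File Integrity Monitor
(and the scanner's Check PHP in Uploads rule). Added example, not the
plugin's code: SHA-256 per file follows the documentation; the JSON baseline
format, the demo layout and all function names are assumptions."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root, '/'-separated) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_baseline(baseline, current):
    """Return the three change classes the integrity check reports."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def php_in_uploads(paths):
    """PHP files under wp-content/uploads/, which should hold media only."""
    return sorted(p for p in paths
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(".php"))


def demo():
    """Constructed scenario: take a baseline, then modify, add and delete files."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        files = {  # constructed stand-ins for real WordPress files
            "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
            "wp-content/plugins/example/example.php": "<?php // plugin stub\n",
            "wp-content/uploads/2026/03/photo.jpg": "not really a jpeg\n",
        }
        for rel, body in files.items():
            full = os.path.join(site, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        # The baseline lives outside the web root so a compromised site cannot rewrite it
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(site), baseline_path)

        # What a later scheduled check might find: one edit, one new file, one removal
        with open(os.path.join(site, "wp-content", "plugins", "example", "example.php"), "a") as f:
            f.write("// appended line\n")
        with open(os.path.join(site, "wp-content", "uploads", "unexpected.php"), "w") as f:
            f.write("<?php // should not be here\n")
        os.remove(os.path.join(site, "wp-includes", "version.php"))

        current = build_baseline(site)
        changes = compare_baseline(load_baseline(baseline_path), current)
        return changes, php_in_uploads(current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Hashing into a dictionary keyed by relative path is what lets the comparison run in a single pass over each side; rebuilding the baseline after every legitimate update is the step most often forgotten, and without it the next check reports every updated plugin file as modified.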

Security Headers (Automatic)

The following HTTP security headers are automatically added to every page response when BD Security Firewall is active. These are not individually configurable — they are applied as best-practice defaults:

  • X-Frame-Options: SAMEORIGIN — Prevents your site from being embedded in iframes on other domains (clickjacking protection).
  • X-Content-Type-Options: nosniff — Prevents browsers from MIME-type sniffing, forcing them to respect the declared content type.
  • X-XSS-Protection: 1; mode=block — Enables the browser’s built-in XSS filter.
  • Referrer-Policy: strict-origin-when-cross-origin — Controls how much referrer information is shared in cross-origin requests.
  • Permissions-Policy: geolocation=(), microphone=(), camera=() — Disables access to geolocation, microphone, and camera APIs.
  • Content-Security-Policy — A comprehensive CSP that restricts script, style, font, image, and frame sources to trusted origins.
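As an added example (written for this article, not the plugin's code), the audit below checks a captured response for the headers listed above and, when the Enable HSTS setting is on, for the Strict-Transport-Security header described in that section. The expected header values are copied from the documentation; the two sample responses are constructed, the CSP value in them is a placeholder (the article does not list the plugin's actual policy, so only the header's presence is checked), and the function names are assumptions.

```python
"""Audit of the automatic security headers and the Enable HSTS header.
Added example, not the plugin's code: expected values are copied from the
documentation; sample responses are constructed; function names are assumptions."""

# Header: value pairs exactly as the documentation states the plugin sends them
EXPECTED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}
ONE_YEAR = 31_536_000  # the max-age the Enable HSTS setting uses


def parse_response_headers(raw):
    """Turn a raw HTTP response head (status line + header lines) into a dict
    keyed by lower-cased header name; the body, if present, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def audit_headers(headers, expect_hsts=False):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        got = headers.get(name.lower())
        if got is None:
            findings.append("missing " + name)
        elif got != want:
            findings.append("%s is %r, expected %r" % (name, got, want))
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")
    if expect_hsts:
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            d = parse_hsts(hsts)
            max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
            if max_age < ONE_YEAR:
                findings.append("HSTS max-age %d is below one year" % max_age)
            if "includesubdomains" not in d:
                findings.append("HSTS lacks includeSubDomains")
            if "preload" not in d:
                findings.append("HSTS lacks preload")
    return findings


# Constructed sample: a response with the plugin active and HSTS enabled
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"   # placeholder policy
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n<!doctype html>"
)

# Constructed sample: most headers missing and a short-lived HSTS policy
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_headers(parse_response_headers(SAMPLE_GOOD), expect_hsts=True))
    print(audit_headers(parse_response_headers(SAMPLE_WEAK), expect_hsts=True))
```

Run it against the head of a real response (for example the output of `curl -sI`) to confirm the plugin's headers survive any caching layer or CDN in front of the site. One caveat on the list above: X-XSS-Protection is a legacy header that current Chromium-based browsers ignore and Firefox never implemented, so the Content-Security-Policy is the control that actually limits script injection in modern browsers.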

Additional Automatic Protections

The following protections are always active when the plugin has a valid license and cannot be individually toggled:

  • User enumeration blocking: The ?author=N query parameter, author archive pages, and the /wp-json/wp/v2/users REST endpoint are all blocked for non-authenticated visitors.
  • Sensitive file blocking: Direct access to /readme.html, /readme.txt, /license.txt, /wp-admin/install.php, and plugin/theme readme/changelog files is blocked for non-authenticated visitors.
  • REST API filtering: Internal REST API namespaces (WooCommerce admin, LiteSpeed, Fluent SMTP, license endpoints, etc.) are hidden from the public REST API index.
  • Path traversal detection: Requests containing directory traversal sequences (../) are blocked.
  • Null byte sanitization: Null bytes are stripped from all incoming request data.